A Forensic Analysis of Android Network Traffic 5: Conclusions

Read previous: A Forensic Analysis of Android Network Traffic 4: Geolocation by Google

The presenter draws conclusions on the subject matter, speaking on possible usage areas for collected Android users’ data, and shares his further research plans.

All this private information is available, and companies are not protecting it, this is all sent in clear text. And I hope I am not giving these people ideas, this is just from my own head: imagine an idea where your Android is sharing all this information.

You happen to wander past a supermarket. And all of a sudden you are saying: “Oh, I really do feel hungry for Mountain Dew; I do really want some chips”. And all of a sudden I see an advertising that says: “Mountain Dew, really cool!” And I think to myself: “Oh, perfect timing. I’m gonna get myself some Mountain Dew”. But is that exactly right? I mean, I may have bought a Mountain Dew beforehand, but it’s almost abuse of trust and abuse of your privacy – to take a look into your private thoughts and your phone and share it out with the world.

Let’s apply this towards politics. All of this information is bought, sold, and traded. All of this information is being shared on your phone, which you don’t quite realize. And so I am into politics, and I am like: “You know, I want to be the perfect politician”. Well, I’ve got these advertisers over here that allow it on all these applications that you download and use. And you’re like: “Oh, sweet! I wanna use the free version, it’s ad supported rather than paying $1.99”. But when you do that, you give away a little bit of privacy. It’s not just that you are giving away “Oh, I’m gonna ignore that ad” – you are giving away your privacy.

And they take this information. They take what device version you have, where you are located, where you’ve been, what you like to buy, what you like to search for – and they correlate it all together. It’s their goal to find out who you actually are. These companies might say: “Hey, we don’t collect your real name”. But when someone else buys this data that’s in your unique ID, they correlate it with other public data, and they kind of jumble it all together. They know who you are, they know where you live, they know your favorite color.

So taking this along the political idea, imagine the future where politicians know every constituent in their district. They know this because their cell phones are in that district. They know this because all of those cell phones have exposed what everyone does. They know what people search for, they know whether they read ‘The Huffington Post’ or ‘Fox’. They know a percentage of people who do this. They know what grocery stores you shop at.

And they can take this data as it correlates along all these different avenues, they can combine it, and they can go: “Oh, hey, my district is 68% likely to vote Democrat, or Republican”.

Let’s get into this a little closer. It’s like: “Oh, my district is 55% likely to vote Republican. But some of those people, like 10%, are not likely to vote, which means I probably need to pitch myself towards the Democratic side. Well, okay, if I am pitching myself towards the Democratic side, I see that most of the people on this side are value shoppers. They like to shop for the value brands. Well, now I shop for the value brands. I talk about value when I talk to my constituents. I make them think: “Oh my gosh, this politician is me, I believe in him, I can affiliate with this person, I am going to vote for them!” But what they don’t realize is that whoever this person is, they have tailored themselves meticulously to look exactly like the person that these people are, that these people want to see. This is the power that correlating data has. This is the power that just using these applications on your cell phone by sharing out your device ID, your locations, your Wi-Fi access points – can share.

So, kind of going back to my hypothesis, I said software applications and operating systems transmit private user information to the author or third parties without the user’s knowledge and consent. Throughout this talk, I’ve stated personal data / identifying data is sent. Whether it’s encrypted or not – it can be SSLStripped.

I promised you a little bit about some of the applications I did. I did test Red Phone. I did take a look at “Hey, I know Moxie believes in privacy, but does he walk the steps that he talks?” And I actually couldn’t intercept his traffic. Fascinating… I and was like: “Well, let’s look into this”. Apparently, Moxie, having broken SSL, knows how to secure shit. And he does.

So it’s definitely doable. These companies can make your information private, they can make it so that I cannot intercept it on the wire. But the problem is – they don’t, they view it as not important data, but maybe not quite ‘not important’, but not sensitive. They don’t take the time to protect it. They don’t want to invest in servers that can encrypt it over the wire. And so I thought, okay, even if they do, it is still exploitable. For a Facebook application you can use SSLStrip, username and password – boom, done! Applications send usernames, passwords, contact lists, location data, usage statistics, timing of activities, and other content.

Privacy breach hypothesis confirmed

Privacy breach hypothesis confirmed

Were we right? Yes. We were right on all of those counts, all of them (see image). And this is only using very basic packet analysis on these applications. And when I say basic, I didn’t want to make this talk overly technical because I was hoping to make a bridge between kind of more technical field of network forensics, and the non-technical field of privacy, and kind of merge them together, so that there is a little bit for both sides.

But if you are a privacy advocate, I would highly recommend you taking a look at network forensics, being able to look and see what the applications are sharing, what these operating systems are sharing. When I go to Google.com, do I know my Wi-Fi access point is showing, do I know my IP address is showing, etc? And that is all with very basic testing.

Concluded facts

Concluded facts

And so to kind of conclude, I don’t think a lot of people realize – your smartphone erodes your privacy, and you agreed to it. And that’s the worst part – you agreed to it, it’s allowed. And until people start saying: “Hey, companies, we don’t want information shared, you don’t need to know the wireless access points around me when I am trying to look for something, specifically you don’t need location data sharing” – this will keep happening. But the problem is you agreed to it. You scrolled through the pages and pages of stuff and said ‘OK’.

And even beyond that, a lot of people don’t understand the importance of the data they are sharing. They don’t understand that when they are sharing this information, they are sharing it with everyone.

Essentially, what I wanted to say is that what can be seen as benign information that companies collect, can be intercepted, it can be correlated, it can be tied to you, and it can be used for nefarious purposes. And you should be aware of this.

Future research to carry out

Future research to carry out

And if you are curious about more applications, what I am trying to do is I am trying to build out from my original research. Essentially, what I did was a very manually intensive, time intensive process. I am working on automating that process. I would like to have an emulator that downloads and installs every application on the Android market, runs it and analyzes its packet capture data for passwords and other shiesty-looking, important information. And that’s what I’m gonna be working on.

What I’m also gonna be working on is advertising. It’s kind of another region, and maybe it is just me, but I don’t quite realize the fact that there are tons and tons of ad networks on every page, looking at everything you do. And you might think when you browse from Engadget over to Slashdot, those are two separate websites. But what you don’t realize is that one advertizing company has a cookie or an ad on both of those websites. And they are able to see: “Oh, when he was done on Engadget, he hopped over to Slashdot, this guy is a nerd. I am gonna advertise to him nerd products”. And it’s effective, there is a reason they do it. They do it because it’s more effective, and they make money out of it. And to a certain extent, having targeting advertisement is useful. But to another extent, it just gets creepy because of the way that information can be used.

And so in terms of all this, what I also would like to do is I would like to map out these ad networks. I would like to find out who is talking to whom, where the service is located at, who is accessing and what information, and what can happen from that. So that’s where I am hoping to go.

Like This Article? Let Others Know!
Related Articles:

Comments are closed.

Comment via Facebook: