re-ws.pl

ReverseEngineering WorkStation

How is an Android smartphone spying on you?

Posted on November 20, 2019 - October 4, 2021 by Kamil (aka. v3l0c1r4pt0r)

It is quite well known that Android knows a lot about its user and does not keep that information to itself. But how much data is sent to the outside world on the first connection to WiFi? Which apps are responsible for pushing the data out to the web? I will try to show this on the example of a Xiaomi Redmi Go.

For the purpose of the test, I created a network that does not forward any packets outside. Before performing the test I installed a few APKs. Only one of them is known to contact strange servers: File Manager (com.rhmsoft.fm). I marked them with (*) in the lists below. The rest should not have any influence on the results. They were: Termux, AFWall+, F-Droid, Magisk and Aurora Store.

Reconnaissance on DNS queries

The first thing to check is the DNS queries the phone sends to its primary DNS server. At this point we won't be able to learn which app is responsible for a particular query, but we should get a feeling for what to expect. I started tcpdump on my access point and this is the list of queries I received.

  1. time.android.com
  2. mtalk.google.com
  3. alt6-mtalk.google.com
  4. sdkconfig.ad.intl.xiaomi.com
  5. cmdts.ksmobile.com*
  6. ufs.adkmob.com*
  7. unconf.adkmob.com*
  8. pegasus.cmcm.com*
  9. ssdk.adkmob.com*
  10. www.googleapis.com
  11. play.googleapis.com
  12. alt7-mtalk.google.com
  13. android.clients.google.com
  14. alt2-mtalk.google.com
  15. alt4-mtalk.google.com
  16. fonts.gstatic.com
  17. xtrapath1.izatcloud.net
  18. xtrapath3.izatcloud.net
  19. xtrapath2.izatcloud.net
  20. alt1-mtalk.google.com
  21. graph.facebook.com
  22. ads.flurry.com
  23. ads.mopub.com*
  24. ups.ksmobile.net*
  25. ws.ksmobile.net*
  26. up.cm.ksmobile.com*
  27. alt6-mtalk.google.com
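To turn a raw capture like the one above into something reviewable, the following added example (my code, not the post author's) parses `tcpdump -n udp port 53` query lines, counts queries per name, attributes each name to an app using the domain lists given in this post (File Manager, Play Services, Spock, Mi Drop, XTRA, NTP), and emits hosts-file lines for the names the post recommends blocking. The capture lines, IP addresses and query IDs are constructed for the example, and the attribution table is my reading of the post's lists, not a verified mapping.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample of `tcpdump -n udp port 53` output on an access point.
# These lines are made up for the example; they are not a real capture.
SAMPLE_TCPDUMP = """\
10:02:11.120334 IP 192.168.7.23.40211 > 192.168.7.1.53: 21873+ A? time.android.com. (34)
10:02:11.402110 IP 192.168.7.23.40212 > 192.168.7.1.53: 5190+ A? mtalk.google.com. (34)
10:02:12.010004 IP 192.168.7.23.40213 > 192.168.7.1.53: 5191+ AAAA? mtalk.google.com. (34)
10:02:12.551900 IP 192.168.7.23.40214 > 192.168.7.1.53: 9031+ A? sdkconfig.ad.intl.xiaomi.com. (46)
10:02:13.003222 IP 192.168.7.23.40215 > 192.168.7.1.53: 9032+ A? cmdts.ksmobile.com. (36)
10:02:13.004001 IP 192.168.7.23.40216 > 192.168.7.1.53: 9033+ A? ufs.adkmob.com. (32)
10:02:15.119044 IP 192.168.7.23.40217 > 192.168.7.1.53: 1204+ A? xtrapath1.izatcloud.net. (41)
10:02:15.120500 IP 192.168.7.23.40218 > 192.168.7.1.53: 1205+ A? ads.flurry.com. (32)
10:02:16.770612 IP 192.168.7.23.40219 > 192.168.7.1.53: 1206+ A? alt6-mtalk.google.com. (39)
10:02:16.770999 IP 192.168.7.1.53 > 192.168.7.23.40219: 1206 NXDomain 0/1/0 (109)
"""

# (glob pattern, app the post attributes the domain to, block by default?)
# Assumption: this table is derived from the post's own domain lists only;
# first matching pattern wins, anything unmatched is reported as unknown.
KNOWN_PATTERNS = [
    ("time.android.com", "NTP client", False),
    ("*mtalk.google.com", "Play Services (GMS)", True),
    ("*.googleapis.com", "Play Services (GMS)", True),
    ("android.clients.google.com", "Play Services (GMS)", True),
    ("fonts.gstatic.com", "Play Services (GMS), also Dialer/Messaging", True),
    ("sdkconfig.ad.intl.xiaomi.com", "Spock (com.miui.spock)", True),
    ("*.ksmobile.com", "File Manager (com.rhmsoft.fm)", True),
    ("*.ksmobile.net", "File Manager (com.rhmsoft.fm)", True),
    ("*.adkmob.com", "File Manager (com.rhmsoft.fm)", True),
    ("*.cmcm.com", "File Manager (com.rhmsoft.fm)", True),
    ("*.mopub.com", "File Manager (com.rhmsoft.fm)", True),
    ("*.izatcloud.net", "GPS (Qualcomm XTRA)", True),
    ("graph.facebook.com", "Mi Drop", True),
    ("settings.crashlytics.com", "Mi Drop", True),
    ("sa.api.intl.miui.com", "Mi Drop", True),
    ("data.mistat.intl.xiaomi.com", "Mi Drop", True),
    ("app-measurement.com", "Mi Drop", True),
]

# Matches a tcpdump DNS *query* line (client -> resolver port 53, "<type>? <name>.").
# Responses and non-DNS lines do not match and are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.53: "
    r"\d+\+?\s*(?:\[\S+\]\s*)?(?P<qtype>A|AAAA|ANY|MX|TXT|SRV|PTR|HTTPS)\? (?P<name>\S+?)\.? \("
)


def parse_queries(text):
    """Yield (client_ip, query_type, name) for every DNS query line in the capture."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m.group("src"), m.group("qtype"), m.group("name").lower()


def attribute(name):
    """Return (app, block) for a domain name according to KNOWN_PATTERNS."""
    for pattern, app, block in KNOWN_PATTERNS:
        if fnmatchcase(name, pattern):
            return app, block
    return "unknown", None


def summarize(text):
    """Count queries per name, most frequent first, with the post's attribution attached."""
    counts = Counter(name for _, _, name in parse_queries(text))
    return [
        {"name": name, "queries": n, "app": attribute(name)[0], "block": attribute(name)[1]}
        for name, n in counts.most_common()
    ]


def hosts_blocklist(rows):
    """Render hosts-file lines (0.0.0.0 sinkhole) for names the post recommends blocking."""
    return "\n".join(f"0.0.0.0 {r['name']}  # {r['app']}" for r in rows if r["block"])


if __name__ == "__main__":
    rows = summarize(SAMPLE_TCPDUMP)
    for r in rows:
        print(f"{r['queries']:3d}  {r['name']:32s}  {r['app']}")
    print("\n# hosts entries:")
    print(hosts_blocklist(rows))
```

Names the table does not know (ads.flurry.com in the sample) are left as "unknown" rather than guessed, which is the honest output for a domain the capture alone cannot attribute to an app; the next step for such a name is the per-app work the post does below.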

Let’s try to identify services one by one.

Details

File Manager

There are a lot of queries made by the File Manager app (com.rhmsoft.fm). This proves that it is not the most privacy-friendly app, to say the least. A complete list of the data it harvests can be found on Androlyzer: https://www.androlyzer.com/app/com.rhmsoft.fm/20520480/4f7812eec05596573a03e1abd4091d1cb24bf48b.

The real impact on privacy cannot be determined, because the app encrypts some of the data it uploads to its servers (in my case they were located in mainland China).

My advice is to allow it access only to the local LAN (via AFWall+, if the FTP server functionality is needed) or to deny it any network access completely.

Play Services (GMS)

This one is even harder to analyze without doing reverse engineering, because it uses certificate pinning, so a man-in-the-middle attack on this app is not possible. Google Play Services (com.google.android.gms) is preinstalled on every Android phone (besides those sanctioned by the US government). It is crucial for some apps to work (e.g. banking APKs), so uninstalling it with root privileges is not an option (and without root it is impossible to do anything).

Fortunately it does not require internet access directly, so it can safely be blocked on the firewall completely. I haven't noticed any problems with other services when this one can't talk to its servers.

Most likely it tries to contact mtalk-related domains. A probably incomplete and not verified list of domains is:

  1. mtalk.google.com
  2. alt*-mtalk.google.com
  3. auditrecording-pa.googleapis.com
  4. play.googleapis.com
  5. android.clients.google.com
  6. fonts.gstatic.com
  7. www.googleapis.com

Together with File Manager, that accounts for most of the list.

Spock

This one is one of the most interesting apps I found on my device. It is provided by Xiaomi and lacks any description. Its full name is com.miui.spock and VirusTotal shows a few interesting things about it (see the strings section). For sure it is trying hard to connect to its home at the domain sdkconfig.ad.intl.xiaomi.com, providing the server with a few mysterious IDs (I removed the sensitive parts and replaced them with <>):

GET /api/detail/<const-32b-id>?ts=1573409059486&nonce=<32b-id>&sign=<32b-id> HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Dalvik/2.1.0 (Linux; U; Android <x>.<x>.<x>; Redmi Go Build/<full-build-id>)
Host: sdkconfig.ad.intl.xiaomi.com
Connection: Keep-Alive


As can be seen, it leaks the system version, device model and exact firmware build in the first request it sends, and for sure there is more to come if this one succeeds. Therefore it might be worth investigating whether it can safely be removed from the system. Fortunately this one respects the firewall, proxy and hosts file, so it can easily be cut off from internet access.

Mi Drop

Another piece of Xiaomi software, another bunch of attempted connections. None of them seem to be requested at boot, only after opening the app, but it is still leaking. This seems like a useless app for a hacker, but it is not even possible to turn it off. I advise blocking it, and here is a list of domains worth adding to the hosts file:

  1. graph.facebook.com
  2. settings.crashlytics.com
  3. sa.api.intl.miui.com
  4. data.mistat.intl.xiaomi.com
  5. app-measurement.com

Those using Facebook might want to leave the first one unblocked. All in all, DNS is not a huge problem.

NTP to time.android.com

This domain is used to update the current time via the NTP client running on the device. The only result of blocking NTP on the firewall should be the inability of the device to correct its current time, so the user must do it manually. It does not respect the proxy settings configured on the WiFi connection, likely because it is based on UDP. When allowed on the firewall, it should not leak any information about the device.

GPS

The GPS service tries to connect to servers in the domain izatcloud.net. They are probably used for A-GPS (Assisted GPS), to make GPS faster and more precise. Other than that, blocking it should have no further consequences. The requests sent look like the one below (xtrapath1 to xtrapath3 appeared in my case):

GET /xtra3grc.bin HTTP/1.1
Host: xtrapath1.izatcloud.net 
Accept: */*, application/vnd.wap.mms-message, application/vnd.wap.sic
x-wap-profile: http://www.openmobilealliance.org/tech/profiles/UAPROF/ccppschema-20021212#
User-Agent: A/<x>.<x>.<x>/Xiaomi/Redmi#Go/QC_Reference_Phone/unknown/QCX3/<lot-of-mysterious-data>


<x>.<x>.<x> is the exact version number of Android. It is worth noting that this data, together with the device model and a lot of numeric values of unknown meaning, was sent with no encryption, so an access point administrator can easily spy on a device that sends this kind of request. I recommend unblocking it only in a secure environment, for the purpose of updating the GPS data from time to time, and blocking it again afterwards.
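Both the Spock request above and this XTRA request are readable on the wire, so an access point can pull the identifying fields out of them mechanically. The following added example (my code, not from the post or from Xiaomi/Qualcomm) parses a raw HTTP request, extracts the Android version, vendor, model and build from the two User-Agent formats seen in this post, and picks up the ts/nonce/sign query parameters from the Spock URL. The two requests are constructed to match the shape of the post's captures; the version, build id and query values are made up placeholders, not data from a real device.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed requests modelled on the two captures in the post. The Android
# version, build id and the three query-string values are made up.
SPOCK_REQUEST = (
    "GET /api/detail/0123456789abcdef0123456789abcdef?ts=1573409059486"
    "&nonce=ffffffffffffffffffffffffffffffff&sign=00000000000000000000000000000000 HTTP/1.1\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Dalvik/2.1.0 (Linux; U; Android 9.9.9; Redmi Go Build/EXAMPLE.000000.001)\r\n"
    "Host: sdkconfig.ad.intl.xiaomi.com\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
XTRA_REQUEST = (
    "GET /xtra3grc.bin HTTP/1.1\r\n"
    "Host: xtrapath1.izatcloud.net\r\n"
    "Accept: */*, application/vnd.wap.mms-message, application/vnd.wap.sic\r\n"
    "x-wap-profile: http://www.openmobilealliance.org/tech/profiles/UAPROF/ccppschema-20021212#\r\n"
    "User-Agent: A/9.9.9/Xiaomi/Redmi#Go/QC_Reference_Phone/unknown/QCX3/1/2/3\r\n\r\n"
)

REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")
# Stock Android HTTP stack UA: "... Android <ver>; <model> Build/<build>)"
DALVIK_UA_RE = re.compile(
    r"Android (?P<version>[\d.]+); (?P<model>[^;)]+?) Build/(?P<build>\S+?)\)"
)
# Qualcomm XTRA client UA: "A/<ver>/<vendor>/<model>/..." with '#' standing for a space.
QC_UA_RE = re.compile(r"^A/(?P<version>[\d.]+)/(?P<vendor>[^/]+)/(?P<model>[^/]+)/")


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, target and a lower-cased header dict."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        raise ValueError(f"not an HTTP request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": m.group(1), "target": m.group(2), "headers": headers}


def leaked_identifiers(req):
    """Collect the device/build identifiers and per-request IDs a plaintext request exposes."""
    found = {}
    ua = req["headers"].get("user-agent", "")
    m = DALVIK_UA_RE.search(ua) or QC_UA_RE.match(ua)
    if m:
        found.update(m.groupdict())
        found["model"] = found["model"].replace("#", " ")
    query = parse_qs(urlsplit(req["target"]).query)
    for key in ("ts", "nonce", "sign"):
        if key in query:
            found[key] = query[key][0]
    return found


def report(raw):
    """Human-readable summary: which host learns what from this single request."""
    req = parse_request(raw)
    leaks = leaked_identifiers(req)
    fields = ", ".join(f"{k}={v}" for k, v in leaks.items())
    return f"{req['headers'].get('host', '?')}: {fields}"


if __name__ == "__main__":
    for raw in (SPOCK_REQUEST, XTRA_REQUEST):
        print(report(raw))
```

Because the XTRA request is carried over plain HTTP, everything `leaked_identifiers` returns is visible to whoever runs the network, which is exactly the exposure the paragraph above describes; for a request in the Spock format the same parser also surfaces the per-request ts/nonce/sign values that make successive requests linkable.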

More info on this can be found on the Qualcomm website: https://www.qualcomm.com/site/privacy/services, under the XTRA chapter.

In addition, it also uses its own NTP server, independent of the one used by the NTP client. Its address is time.izatcloud.net. As with the primary NTP server, it does not leak anything, but it may suggest that the device is running Android.

Gboard

This is the default keyboard app in my case. Its full name is com.google.android.inputmethod.latin. It is developed by Google, so I expect it is commonly preinstalled. It does not send any request at startup, but while it is in use (i.e. while typing something) it generates some requests from time to time. Its servers are at www.google.com and www.gstatic.com. Unfortunately it uses certificate pinning to secure its requests, so it is not possible to reveal their contents with a MitM attack.

It can be blocked and works as usual afterwards.

Google Partner Setup

I was not able to catch what this app sends, because it does not do it often. Certainly it does it in the background from time to time. According to VirusTotal, it knows the following domains:

  • accounts.google.com
  • www.facebook.com

Whatever the reason for connecting to Facebook is… it is safe to block it on the firewall.

Dialer

Now it's getting creepy. Yes, on Android even the phone app tries to send telemetry data to its server. Its home seems to be ssl.google-analytics.com, but there is more. When started, it constantly tries to reach fonts.gstatic.com.

Messaging

The SMS app also tries to connect to the internet. This one is quieter, because it only tries the usual fonts.gstatic.com, but still, it does not need it.

Clock

This is quite interesting: a clock app that tries to connect to the internet. I was not able to see any requests, but AFWall+ saw some. For sure it knows ssl.google-analytics.com. Block it, don't hesitate.

F-Droid

The first open source app on the list. By default it tries to connect to its servers to check for updates. This feature can easily be disabled in the settings. Despite that, it is better to use this one than the Google Play Store, which does nobody knows what.

Magisk

Similarly to F-Droid, this one can be silenced by editing its settings. However, when opened from the app list, it is going to try checking for updates anyway. The best approach would be to block it and allow it only for the time of an update.

Conclusion

Is that all? For sure not. Almost every app I looked up on VirusTotal knew some domain names. Usually they don't send the requests all the time, though, so I was not able to see them. For sure I blocked those that were trying most often. The rest should be limited by the block-by-default setting in AFWall+. But the conclusion is that it is impossible to reclaim privacy at the moment. It has already gone too far. Using an old Nokia phone is the only way to reclaim privacy for the moment.

Finally, I am posting a table where I gathered the most notorious apps and what can be done about them. Here it is:

APK behavior summary

| App name             | Package                               | Firewall | Proxy   | Hosts file | Leaked data | Encrypted? |
|----------------------|---------------------------------------|----------|---------|------------|-------------|------------|
| CaptivePortalLogin   | com.android.captiveportallogin        | Blocked  | Used    | Used       | Build       | No         |
| File manager*        | com.rhmsoft.fm                        | Blocked  | Used    | Used       | ***         | No         |
| Spock                | com.miui.spock                        | Blocked  | Used    | Used       | Build, ?    | Yes        |
| Google Play Services | com.google.android.gms                | Blocked  | Used    | Used       | ***         | Yes        |
| Mi Drop              | com.xiaomi.midrop                     | Blocked  | Used    | **         | ***         | Yes        |
| ntp                  | –                                     | Blocked  | Ignored | Used       | No          | –          |
| gps                  | –                                     | Blocked  | Ignored | Ignored    | Model       | No         |
| Gboard               | com.google.android.inputmethod.latin  | Blocked  | Used    | **         | ***         | Yes        |
| Google Partner Setup | com.google.android.partnersetup       | Blocked  | ?       | ?          | ?           | ?          |
| Dialer               | com.google.android.dialer             | Blocked  | Used    | Ignored    | ***         | Yes        |
| Messaging            | com.google.android.apps.messaging     | Blocked  | ?       | ?          | ?           | ?          |
| Clock                | com.google.android.deskclock          | Blocked  | ?       | ?          | ?           | ?          |
| F-Droid*             | org.fdroid.fdroid                     | Blocked  | Used    | Used       | ***         | Yes        |
| Magisk*              | com.topjohnwu.magisk                  | Blocked  | Used    | **         | ***         | Yes        |

(Only the first two column headers survived on the page; the remaining five are inferred from the text above: "Blocked" is the firewall rule applied, "Used"/"Ignored" says whether the app honours the proxy and the hosts file, and the last two columns describe what the requests leak and whether they are sent encrypted.)

* – not preinstalled
** – domains that might be needed by other apps or web browser
*** – certificate pinned, cannot be investigated with MitM attack

Keep in mind that a firewall is not a completely reliable way of blocking internet access. During boot there is a window of a few seconds when it is disabled, so any app can send its data. Also, all DNS traffic passes through the firewall.

Posted in Uncategorized. Tagged: Android, English, hacking


5 Comments

  1. ChristineV says:
    March 29, 2020 at 14:42

    Thanks for this work! Thanks

  2. bestboy says:
    April 10, 2020 at 21:07

    The linked Qualcomm document is a terrible read.

    From the “Qualcomm Location” location service terms:
    “Qualcomm Location periodically sends us a unique software ID, the location of your device (longitude, latitude and altitude, and its uncertainty) and nearby cellular towers and Wi-Fi hotspots, signal strength, and time (collectively, “Location Data”). As with any Internet communication, we also receive the IP address your device uses.”

    So it looks like the user is the one who’s providing a location service to the “Qualcomm Location” service. 🙂

    And from the Qualcomm Technology Reporting (QTR) section:
    “QTR may collect: (i) the names of the apps installed and/or running on the device, (ii) configuration information (such as make, model, operating system and version, firmware and versions, wireless carrier, mobile country code and network code, and chipset serial number (which does not identify you)), (iii) device performance statistics (such as CPU, GPU, or modem performance), and (iv) sensor data that won’t identify you, but that measures motion, orientation, and environmental conditions around the phone.”

    *lol* What does “sensor data that […] measures environmental conditions around the phone” mean exactly? Does this include “Hey, let’s enable the microphone for a bit and assess the ‘environmental conditions around the phone’.”

    1. yep says:
      April 14, 2020 at 21:11

      ‘environmental conditions around the phone’ -> temperature, air pressure, compass direction? Trying to be generous, I can imagine that this data might be useful to modem firmware technicians.

  3. randomac says:
    July 31, 2020 at 15:24

    Nice post.
    Do you use LineageOS? Have you tested what servers it phones?

  4. Robert says:
    November 17, 2020 at 23:14

    I wish I would have found this a year ago. Some of it I was aware of, but this is outright creepy and everything we accused communist governments of. Sad
