The fact that Android knows a lot about its user and doesn't keep that information to itself is quite well known. But how much data is sent to the outside world on the first connection to WiFi? Which apps are responsible for pushing the data out to the web? I will try to show that using a Xiaomi Redmi Go as an example.
For the purpose of the test, I created a network that does not forward any packets outside. Before performing the test I installed a few APKs. Only one of them is known to contact strange servers: File Manager (com.rhmsoft.fm). I marked the installed apps with (*) in the list. The rest should not have any influence on the results. They were: Termux, AFWall+, F-Droid, Magisk and Aurora Store.
Reconnaissance on DNS queries
The first thing to check is the DNS queries the phone sends to its primary DNS server. At this point we won't be able to learn which app is responsible for a particular query, but we should get a feeling for what to expect. I started tcpdump on my access point and this is the list of queries I received.
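To turn raw tcpdump output into the per-service view used in the rest of the post, here is an added example (not code from the original post) that parses constructed `tcpdump -n` query lines, counts them per registrable domain and emits a hosts-file block for every queried name except an assumed allow list; the capture lines and IP addresses are made up, only the domain names come from the post.

```python
import re
from collections import Counter

# Constructed sample of "tcpdump -n" output lines (not a capture from the post);
# the names queried are the ones the post discusses, the addresses are made up.
CAPTURE = """\
10:01:02.100 IP 192.168.7.2.41000 > 192.168.7.1.53: 1001+ A? sdkconfig.ad.intl.xiaomi.com. (46)
10:01:02.101 IP 192.168.7.2.41001 > 192.168.7.1.53: 1002+ AAAA? sdkconfig.ad.intl.xiaomi.com. (46)
10:01:03.200 IP 192.168.7.2.41002 > 192.168.7.1.53: 1003+ A? time.android.com. (34)
10:01:04.300 IP 192.168.7.2.41003 > 192.168.7.1.53: 1004+ A? xtrapath1.izatcloud.net. (41)
10:01:04.301 IP 192.168.7.2.41004 > 192.168.7.1.53: 1005+ A? xtrapath2.izatcloud.net. (41)
10:01:05.400 IP 192.168.7.1.53 > 192.168.7.2.41002: 1003 1/0/0 A 203.0.113.5 (50)
10:01:06.500 IP 192.168.7.2.41005 > 192.168.7.1.53: 1006+ A? ssl.google-analytics.com. (42)
"""

# Matches only client->resolver query lines; answers (port 53 as source) are skipped.
QUERY_RE = re.compile(
    r"^\S+ IP (\S+)\.\d+ > \S+\.53: \d+\+ (A|AAAA|HTTPS|SRV|TXT)\? (\S+?)\.? \(\d+\)$"
)

# Assumed allow list: the post considers the NTP name harmless; everything else is sinkholed.
ALLOW = {"time.android.com"}


def parse_queries(capture):
    """Return (client_ip, qtype, qname) for every DNS query line in the capture."""
    out = []
    for line in capture.splitlines():
        m = QUERY_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3).lower()))
    return out


def registrable_domain(qname):
    # Last two labels only; no public-suffix list, which is enough for the post's domains.
    return ".".join(qname.split(".")[-2:])


def summarize(capture):
    """Count queries per registrable domain: the 'which service is talking' view."""
    return Counter(registrable_domain(q) for _, _, q in parse_queries(capture))


def hosts_file_block(capture):
    """Hosts-file lines that sinkhole every queried name except the allowed ones."""
    names = sorted({q for _, _, q in parse_queries(capture)} - ALLOW)
    return "\n".join(f"0.0.0.0 {n}" for n in names)


if __name__ == "__main__":
    for dom, n in summarize(CAPTURE).most_common():
        print(f"{n:3d}  {dom}")
    print(hosts_file_block(CAPTURE))
```

A hosts-file entry only covers apps that resolve names through the system resolver, so the firewall block stays the primary control.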
Let’s try to identify services one by one.
There are a lot of queries done by the File Manager app (com.rhmsoft.fm). This proves that it is not the most privacy-friendly app, to say the least. A complete list of the data it collects can be found on Androlyzer: https://www.androlyzer.com/app/com.rhmsoft.fm/20520480/4f7812eec05596573a03e1abd4091d1cb24bf48b.
The real impact on privacy cannot be determined, because this app encrypts some of the data it uploads to its servers (in my case they were in mainland China).
My advice is to allow it access to the local LAN only (via AFWall+, if the FTP server functionality is needed) or to deny it any network access at all.
Play Services (GMS)
This one is even harder to analyze without reverse engineering, because it uses certificate pinning, so it is not possible to man-in-the-middle its traffic. Google Play Services, or com.google.android.gms, is preinstalled on every Android phone (besides those sanctioned by the US government). It is crucial for some apps to work (e.g. banking APKs), so uninstalling it with root privileges is not an option (without root it is impossible to do anything about it).
Fortunately it does not require internet access directly, so it can safely be blocked completely on the firewall. I haven't noticed any problems with other services when this one can't talk to its servers.
Most likely it tries to contact mtalk-related domains. A probably incomplete and unverified list of domains is:
Together with File Manager, that’s most of the list.
This one is one of the most interesting apps I found on my device. It is provided by Xiaomi and lacks any description. Its full name is com.miui.spock and VirusTotal shows a few interesting things about it (see the strings section). It certainly tries hard to connect to its home at the domain sdkconfig.ad.intl.xiaomi.com, sending the server a few mysterious IDs (I removed the sensitive parts and replaced them with placeholders):
GET /api/detail/<const-32b-id>?ts=1573409059486&nonce=<32b-id>&sign=<32b-id> HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Dalvik/2.1.0 (Linux; U; Android <x>.<x>.<x>; Redmi Go Build/<full-build-id>)
Host: sdkconfig.ad.intl.xiaomi.com
Connection: Keep-Alive
As can be seen, it leaks the system version, device model and exact firmware build in the very first request it sends, and more will surely follow if this one succeeds. Therefore it might be worth investigating whether it can safely be removed from the system. Fortunately this one respects the firewall, the proxy and the hosts file, so it can easily be cut off from internet access.
Another Xiaomi app, another bunch of attempted connections. None of them seem to be made at boot, only after opening the app, but it is still leaking. This seems like a useless app for a hacker, but it is not even possible to turn it off. I advise blocking it; here is a list of domains worth adding to the hosts file:
Those using Facebook might want to leave the first one unblocked. All in all, DNS is not a huge problem.
NTP to time.android.com
This domain is used to update the current time via the NTP client running on the device. The only consequence of blocking NTP on the firewall should be that the device cannot correct its own clock, so the user must do it manually. It does not respect the proxy settings configured on the WiFi connection, likely because it is UDP-based. When allowed through the firewall, it should not leak any information about the device.
The GPS service tries to connect to servers in the domain izatcloud.net. They are likely used for A-GPS (Assisted GPS), which makes a GPS fix faster and more precise; other than that, blocking it should have no consequences. The requests sent look like the one below (xtrapath1 to xtrapath3 appeared in my case):
GET /xtra3grc.bin HTTP/1.1
Host: xtrapath1.izatcloud.net
Accept: */*, application/vnd.wap.mms-message, application/vnd.wap.sic
x-wap-profile: http://www.openmobilealliance.org/tech/profiles/UAPROF/ccppschema-20021212#
User-Agent: A/<x>.<x>.<x>/Xiaomi/Redmi#Go/QC_Reference_Phone/unknown/QCX3/<lot-of-mysterious-data>
<x>.<x>.<x> is the exact Android version number. It is worth noting that this data, together with the device model and a lot of numeric values of unknown meaning, is sent without any encryption, so an access point administrator can easily spy on a device that sends this kind of request. I recommend unblocking it only in a secure environment to update the GPS data from time to time, and blocking it again afterwards.
More info on this can be found on the Qualcomm website, under the XTRA section: https://www.qualcomm.com/site/privacy/services.
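To make concrete what an access point administrator can read out of the two plaintext requests quoted above (the com.miui.spock one and the XTRA one), here is an added example, not code from the post or from either vendor, that parses constructed copies of those requests and extracts the device-identifying fields; the version, build and trailing numeric values are placeholders, not values captured from a device.

```python
import re

# Constructed reproductions of the two plaintext requests quoted in the post. Version,
# build and trailing numeric fields are placeholders, not values captured from a device.
SPOCK_REQUEST = (
    "GET /api/detail/CONST-32B-ID-PLACEHOLDER?ts=1573409059486&nonce=NONCE-PLACEHOLDER"
    "&sign=SIGN-PLACEHOLDER HTTP/1.1\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Dalvik/2.1.0 (Linux; U; Android X.Y.Z; Redmi Go Build/BUILD-ID-PLACEHOLDER)\r\n"
    "Host: sdkconfig.ad.intl.xiaomi.com\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
XTRA_REQUEST = (
    "GET /xtra3grc.bin HTTP/1.1\r\n"
    "Host: xtrapath1.izatcloud.net\r\n"
    "Accept: */*, application/vnd.wap.mms-message, application/vnd.wap.sic\r\n"
    "x-wap-profile: http://www.openmobilealliance.org/tech/profiles/UAPROF/ccppschema-20021212#\r\n"
    "User-Agent: A/X.Y.Z/Xiaomi/Redmi#Go/QC_Reference_Phone/unknown/QCX3/NUMERIC-FIELDS-PLACEHOLDER\r\n"
    "\r\n"
)

# Default Android HttpURLConnection-style User-Agent, as sent by com.miui.spock.
DALVIK_UA = re.compile(r"Dalvik/[\d.]+ \(Linux; U; Android ([^;]+); (.+?) Build/(\S+)\)")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers); header names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def device_fingerprint(raw):
    """Fields a passive observer on the access point learns about the device from one request."""
    _method, _path, headers = parse_request(raw)
    ua = headers.get("user-agent", "")
    found = {"host": headers.get("host", "")}
    m = DALVIK_UA.search(ua)
    if m:
        found.update(android=m.group(1), model=m.group(2), build=m.group(3))
    else:
        parts = ua.split("/")  # Qualcomm XTRA client: A/<android>/<vendor>/<model>/...
        if len(parts) >= 4 and parts[0] == "A":
            found.update(android=parts[1], vendor=parts[2], model=parts[3].replace("#", " "))
    return found
```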
Additionally, it also uses its own NTP server, independent of the one used by the system NTP client. Its address is time.izatcloud.net. As with the primary NTP server, it does not leak anything, but it may suggest that the device is running Android.
This is the default keyboard app in my case. Its full name is com.google.android.inputmethod.latin. It is developed by Google, so I expect it is commonly preinstalled. It does not send any request at startup, but while in use (i.e. while typing) it generates requests from time to time. Its servers are at www.gstatic.com. Unfortunately it uses certificate pinning to secure its requests, so it is not possible to reveal their contents with a MitM attack.
It can be blocked and works as usual afterwards.
Google Partner Setup
I was not able to capture what this app sends, because it does not do so often. It certainly does it in the background from time to time. According to VirusTotal, it knows the following domains:
Whatever the reason for connecting to Facebook is… it is safe to block it on the firewall.
Now it's getting creepy. Yes, on Android even the Phone app tries to send telemetry to its server. Its home seems to be at ssl.google-analytics.com, but there is more. When started, it tries to get into
The SMS app also tries to connect to the internet. This one is quieter, because it only tries the usual fonts.gstatic.com, but still: it does not need it.
This is quite interesting: a Clock app that tries to connect to the internet. I was not able to see any requests, but AFWall+ saw some. It certainly knows ssl.google-analytics.com. Block it, don't hesitate.
The first open source app in the list. By default it tries to connect to its servers to check for updates. This feature can easily be disabled in the settings. Even so, it is better to use this one than Google Play Store, which does nobody knows what.
Similarly to F-Droid, this one can be silenced in its settings. However, when opened from the app list, it will try to check for updates anyway. The best approach is to block it and allow it only for the duration of an update.
Is that all? Certainly not. Almost every app I looked up on VirusTotal knew some domain names. Usually they don't send requests all the time, though, so I was not able to see them. I did block those that were trying most often; the rest should be limited by the block-by-default setting in AFWall+. But the conclusion is that it is impossible to reclaim privacy at the moment. It has already gone too far. Using an old Nokia phone is the only way to reclaim privacy for now.
Finally, here is a table where I gathered the most notorious apps and what can be done about them:
| App |
| --- |
| Google Play Services |
| Google Partner Setup |
* – not preinstalled
** – domains that might be needed by other apps or the web browser
*** – certificate pinned, cannot be investigated with a MitM attack
Keep in mind that a firewall is not a completely reliable way of blocking internet access. During boot there is a window of a few seconds when it is disabled, so any app can send its data. Also, all DNS traffic passes through the firewall.