
My phone is spying on me, so I decided to spy on it - puffl
https://www.abc.net.au/news/2018-10-25/my-phone-is-spying-on-me-so-i-decided-to-spy-on-my-phone/10306586
======
proxygeek
This is really interesting! Have been doing something similar myself on my own
phone (Android) for about a month using the wonderful NetGuard app (
[https://f-droid.org/en/packages/eu.faircode.netguard/](https://f-droid.org/en/packages/eu.faircode.netguard/))
which allows one to see the source and destination for each request from all
apps.

It doesn't display the content type enough, afaik

~~~
victor106
Anyone know of a similar app for iPhone?

~~~
rickdg
Don't think such an app would be accepted by Apple. Why are you using an iPhone
if you want ownership over your device?

~~~
atburrow
This is a naive response I see given to iPhone users when they ask about how
to get a certain feature. It’s obvious no research was put into this answer as
a sibling comment to yours clearly helped out by suggesting Charles proxy
which is now available natively on iOS.

~~~
tinus_hn
Well, ‘VPN’ apps that are really ad blockers or data loggers are not allowed
on the App Store.

------
openplatypus
How does this work? If an application has certificate pinning then MITM is not
feasible, correct?

Would love if someone could enlighten me :)

~~~
spondyl
A lot may have changed but here are a few blog posts on various MITM/cert
pinning bypasses that some people have done:

[https://blog.tendigi.com/starbucks-should-really-make-their-...](https://blog.tendigi.com/starbucks-should-really-make-their-apis-public-6b64a1c2e923)

[https://jeffhuang.com/extracting_my_data_from_the_hello_sens...](https://jeffhuang.com/extracting_my_data_from_the_hello_sense.html)

[https://blog.dewhurstsecurity.com/2015/11/10/mobile-security...](https://blog.dewhurstsecurity.com/2015/11/10/mobile-security-certificate-pining.html)

I just had these bookmarked from when I was wondering the same thing

------
Latteland
I am interested to see the result. I might pay for a VPN that I control that
blocks things.

~~~
pimeys
I'm using Blokada for that, which acts as a VPN, but just filters all
requests through a big hosts file.

[https://blokada.org/](https://blokada.org/)

~~~
curiousigor
This looks interesting. Is there something similar for iOS?

~~~
sirn
You can use DNSCloak[1] for this. It runs a local DNSCrypt client and acts as
an iOS VPN. You can run your own DoH server that blocks tracking domains, or use
a public DoH server that does, or use a well-known provider that provides DoH
(e.g. Cloudflare DNS, Google DNS and OpenDNS do) with your own blacklist[2]

[1]: [https://itunes.apple.com/us/app/dnscloak-dnscrypt-doh-client...](https://itunes.apple.com/us/app/dnscloak-dnscrypt-doh-client/id1330471557)

[2]: [https://itunes.apple.com/us/app/dnscloak-dnscrypt-doh-client...](https://itunes.apple.com/us/app/dnscloak-dnscrypt-doh-client/id1330471557)

~~~
DavideNL
> You can run your own DoH server that blocks tracking domains

Do you mean your own dns server which will be accessible to (anyone on) the
public internet?

~~~
sirn
That's certainly an option if you want to run a public DNS-over-HTTPS server,
but you don't have to do that – DNSCloak does provide a way to specify a local
blocklist.

The DNS-over-HTTPS spec also mentions that you can use standard HTTP
authentication if you want to run a DoH server but want to keep it private
(although I've never tried this).

------
fit2rule
I'm seeing potential for VPN providers to bolt this reporting on as a regular
service. Maybe this is already set up in things like Streisand? Honestly, more
and more people need to have the ability to administer their phones this way;
for too long, it's been a black box.

(If we still had real OS vendors, it'd be handy if this were built in to the
OS, duh...)

~~~
newnewpdro
> (If we still had real OS vendors, it'd be handy if this were built in to the
> OS, duh...)

RedHat, Canonical, and Microsoft are not "real" OS vendors?

~~~
mmjaa
RedHat, Canonical and Microsoft make phones?

~~~
ry_ry
Ubuntu Touch & Windows Mobile (heh) are/were a thing though.

~~~
fit2rule
Yeah, we all know these are dead in the water.

What I meant was, the old OS vendor ethos just doesn't exist any more: it's no
longer about giving the user the tools required to get the best value out of
their computer, but rather giving the computer the tools required to get the
best value out of the user... RedHat/Canonical are real OS vendors. Microsoft
is an also-ran ad-agency wannabe. Google: same. Apple: I give them a pass, but
only because they seem to be taking privacy seriously; if only they'd give
the user more control over what's going on with their devices, and stop doing
things designed, clearly, to just sell more hardware.

------
blihp
re: opening up Safari on the iPhone 'any website you have in your bookmarks
can track that' I assume that's because it's checking/refreshing favicons? If
that's all it is there's nothing nefarious about it but he sure is opaque in
his statement.

~~~
HenryBemis
Owner of jailbroken & firewalled iPhone(s) for many years here.

"Safari" is the app that does the browsing.

"com.apple.Webkit.networking" is the app that works in the background doing
things like the icon refresh. Some other applications also use this "channel"
(app) to reach out, and I usually have it on "Deny all". I like it better when
apps do their own connections and don't hijack the "backroads".

The only two reasons I jailbreak ALL my iDevices:

a. Firewall IP

b. Protect My Privacy (PMP)

You literally have no idea what goes in the background when you install and
run an app if you don't spy on your phone.

The disgusting part is that even my bank's (NatWest) app, as well as LastPass
talk to irrelevant companies when I fire them up, with (my) most hated being
Facebook (which is of course blacklisted and added on my hosts file).

For my Android devices I always run "NoRootFirewall" which is a pretty good
firewall.

Edit: Both FirewallIP (iOS) and NoRootFirewall (Android) have logging
mechanisms so you can track what goes in/out and what is rejected. I am really
looking forward to a NoRootFirewall-app for iOS. Something that creates an
internal VPN allowing you to manage it.

~~~
openplatypus
> LastPass talk to irrelevant companies

Please, do tell us more. Or write a post about it!

~~~
HenryBemis
As requested:

[https://pastebin.com/9g3B0rRB](https://pastebin.com/9g3B0rRB)

Also on my deny list I seek the following which do not appear in the logs
right now: _segment.com_, fiksu.com, _youtube.com_, redirector.gvt1.com

Other notes:

1) I never use the LastPass browser.

2) When a service has a "lastpass.com" AND amazon/cloudfront/azure, I prefer
the "lastpass.com" over the alternatives/load balancers.

Edit: if you see, these are the logs for only 10 seconds. I know that there
are multiple "Denied" since the poor thing keeps trying. It is amazing to see
it on many other apps (e.g. games) that talk to apjust, appsflyer,
doubleclick, duaps, feeldallapps, glispa, mobileapptracking, segment,
startappservice, taprica, app-measurement, and HUNDREDS more.
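
One way to audit firewall logs like the ones above against a hosts-file deny list (an added Python example, not code from the thread, from FirewallIP or from NoRootFirewall; the hosts file and log lines are constructed, and the `<app> -> <host>:<port> <verdict>` log shape is an assumption):

```python
import re
# Constructed hosts-file fragment (not the poster's real one); the domains are
# ones named in the thread, and 0.0.0.0 / 127.0.0.1 entries mean "sinkhole".
HOSTS_FILE = """\
127.0.0.1 localhost
0.0.0.0 segment.com
0.0.0.0 api.segment.io
0.0.0.0 fiksu.com
0.0.0.0 redirector.gvt1.com
"""

# Constructed firewall log; the "<app> -> <host>:<port> <verdict>" shape is an
# assumption, not the real log format of FirewallIP or NoRootFirewall.
LOG_LINES = """\
LastPass -> lastpass.com:443 ALLOW
LastPass -> graph.facebook.com:443 DENY
SomeGame -> cdn.segment.com:443 DENY
SomeGame -> notsegment.com:443 ALLOW
Bank -> api.segment.io:443 ALLOW
Safari -> redirector.gvt1.com:443 ALLOW
"""

LOG_RE = re.compile(r"^(?P<app>\S+) -> (?P<host>[^:\s]+):\d+ (?P<verdict>ALLOW|DENY)$")

def parse_hosts_blocklist(text):
    """Hostnames the hosts file sinks, skipping comments and the localhost line."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in ("0.0.0.0", "127.0.0.1", "::1"):
            continue  # blank, comment, or a real mapping rather than a sinkhole
        blocked.update(n.lower().rstrip(".") for n in fields[1:] if n.lower() != "localhost")
    return blocked

def is_blocked(host, blocked):
    """True if host or any parent domain is listed (segment.com covers cdn.segment.com)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def audit(log_text, blocked):
    """Group log lines by app, tagging each destination with whether it is listed."""
    report = {}
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        report.setdefault(m["app"], []).append(
            {"host": m["host"], "verdict": m["verdict"], "listed": is_blocked(m["host"], blocked)})
    return report

def leaks(report):
    """Connections the firewall allowed to a host the hosts file would have sunk."""
    return sorted((app, e["host"]) for app, entries in report.items()
                  for e in entries if e["listed"] and e["verdict"] == "ALLOW")
```

Running `leaks(audit(LOG_LINES, parse_hosts_blocklist(HOSTS_FILE)))` on the constructed data flags the Bank and Safari connections, which is exactly the "hosts file says block, firewall said allow" mismatch worth investigating.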

~~~
sparewalking
You keep using Lastpass? If so, why?

~~~
HenryBemis
I got it on all my devices, and I use both the password vault and secure notes. I
just make sure it behaves as I want it to and doesn't tell Facebook when I
use it.

A carefully managed firewall and an extensive hosts file is a must.

------
zeveb
This, BTW, is IMHO why recent Android versions refuse to use self-installed
certificates for all traffic: to prevent you from knowing what apps are
sending back home. It's not in Google's interest for you to control your phone
and know what it's doing.

~~~
jarito
Or it could be the reason they've said they did it: this was a primary vector
for malware authors to compromise users' information and devices. Not
everything is a conspiracy.

~~~
brokenmachine
Then why not offer a confirmation box to add certificates, and let the user
decide?

~~~
xnzakg
Probably because users will just follow instructions they found on some
sketchy website without actually reading the text in the confirmation box.

~~~
brokenmachine
Then a confirmation box saying, "only do this if you know what you're doing -
it can have dire security consequences".

Just because some people are idiots who don't read what's in front of them,
doesn't mean others should be impacted.

We all know the real reason it's not an option.

------
bennofs
Nice project. I considered doing something similar, but on Android at least
some apps use certificate pinning and thus mitmproxy would break them. How
does this work in iOS?

