

Android sniffing using tcpdump - syngres
https://dornea.nu/blog/2014/01/24h-android-sniffing-using-tcpdump

======
irgeek
Something isn't right here. 80MB of pcap data with 138k packets captured, but
over 5 million connections to googleapis.com. That's 36 connections per
packet. Also, if you add up the number of packets in the destination port
table and divide that into 80MB, it works out to 4 bytes per packet. Which is
a bit surprising considering IPv4 has a 20 byte header on every packet.

~~~
habales
Exactly the same as what I thought. This would lead to 216 constant packets per
second over the 24h.
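
The packets-versus-bytes cross-check that irgeek and habales describe, as an added example that is not part of either comment or of the original post: it parses classic pcap records with the Python standard library only, tallies packets per TCP destination port, and flags a port table that sums to more than the capture's packet count or an average packet size below the fixed Ethernet/IPv4/TCP headers. The capture is constructed in memory (no real capture is available here); the only figures reused from the post are 138k packets and 80 MB, taken as decimal megabytes, and the 5 million entries are irgeek's reading of the port table, not a value from the capture.

```python
"""Cross-check a pcap's per-port packet table against its size.

Added example, not from the post or the thread. Parses the classic pcap
format (global header + per-record header, Ethernet link type) with the
standard library only, so it runs on any capture read with
open(path, "rb").read(). The sample capture below is constructed in memory.
"""
import struct
from collections import Counter

ETH_LEN, IPV4_MIN_LEN, TCP_MIN_LEN = 14, 20, 20
MIN_TCP_FRAME = ETH_LEN + IPV4_MIN_LEN + TCP_MIN_LEN  # 54 bytes with no options
SECONDS_PER_DAY = 24 * 60 * 60


def build_tcp_frame(dst_port: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero since only headers are parsed."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)  # dst/src MAC, EtherType IPv4
    total_len = IPV4_MIN_LEN + TCP_MIN_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([203, 0, 113, 10]))  # proto 6 = TCP, TEST-NET-3 dst
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames) -> bytes:
    """Little-endian pcap: magic, version 2.4, tz 0, sigfigs 0, snaplen, link type 1 (Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(
        struct.pack("<IIII", 1390000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)
    )
    return header + records


def tally_pcap(data: bytes):
    """Return (Counter of packets per TCP dst port, total packets, total captured bytes)."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    (link_type,) = struct.unpack(endian + "I", data[20:24])
    if link_type != 1:
        raise ValueError("example handles Ethernet (link type 1) only")

    per_port, total_packets, total_bytes, off = Counter(), 0, 0, 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        total_packets += 1
        total_bytes += incl_len
        if len(frame) < MIN_TCP_FRAME or frame[12:14] != b"\x08\x00":
            continue  # truncated, or not IPv4
        ihl = (frame[ETH_LEN] & 0x0F) * 4  # IPv4 header length including options
        if frame[ETH_LEN + 9] != 6:
            continue  # not TCP
        tcp = ETH_LEN + ihl
        (dst_port,) = struct.unpack("!H", frame[tcp + 2:tcp + 4])
        per_port[dst_port] += 1
    return per_port, total_packets, total_bytes


def sanity_check(per_port, total_packets: int, total_bytes: int,
                 duration_s: int = SECONDS_PER_DAY) -> dict:
    """The arithmetic from the thread: a port table cannot sum to more packets than
    were captured, and bytes per packet cannot fall below the fixed header sizes."""
    avg = total_bytes / total_packets if total_packets else 0.0
    return {
        "bytes_per_packet": avg,
        "mean_packets_per_second": total_packets / duration_s,
        "port_table_within_total": sum(per_port.values()) <= total_packets,
        "plausible_header_size": avg >= MIN_TCP_FRAME,
    }


# Constructed sample: two HTTPS packets and one HTTP request.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(443, b"x" * 100),
    build_tcp_frame(443, b"y" * 300),
    build_tcp_frame(80, b"GET / HTTP/1.1\r\n"),
])

if __name__ == "__main__":
    ports, n, size = tally_pcap(SAMPLE_PCAP)
    print(ports, sanity_check(ports, n, size))
    # The post's quoted figures (138k packets, 80 MB) against a port table that
    # sums to 5 million entries, as irgeek reads it, fail the first check.
    print(sanity_check({443: 5_000_000}, 138_000, 80_000_000))
```

Only the captured length (`incl_len`) is summed, so a capture taken with a small snaplen would legitimately show a low bytes-per-packet figure; the header-size check is meant for full-frame captures like the one the post describes.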

------
buro9
It would be great to turn this into an app that tells you what is sending
requests to whom.

And then turn that into a game, see who can get the lowest amount of data
sent.

~~~
Paul_S
There are a lot of programs that already let you do that - look for a firewall
and a network logger, there are plenty to choose from.

I would be in the running for the main prize then as I use a firewall with a
whitelist policy. Everything is blocked (including the system) except the very
few applications that I want to communicate. I would still lose to all the
people who just disable the data connection.

~~~
buro9
I meant for a non-technical audience.

A game in which participation is to monitor your own data, and to actively
play the game you increase your privacy.

A game that educates people as to what your apps are doing and what your phone
is doing.

A game that to win (for some local definition of win) means to take control of
your privacy.

People like yourself, myself, and most of the HN audience will know how to run
firewalls, VPNs, hosts files, rooted phones, disable data, etc. But the layman
does not, or is unlikely to do those things as they're scary.

They care, but they don't have a concept on how bad it is and what they can do
to improve their lot.

~~~
Paul_S
I think we too often patronise average users. I think it's quite likely that
they understand the situation but simply have a different opinion about the
privacy/convenience trade-offs. Smacks a bit of "you'd agree with me if only
you could understand the problem as well as I do" argument which doesn't
account for people who have different values than us.

~~~
buro9
Now I feel bad as I was specifically thinking of my girlfriend and her
academic peers who have all expressed that they would like to be more active
in protecting their privacy but don't know where to begin. None of whom I'd
patronise in any way. When talk over dinner strays onto the news of the last
year it will inevitably end up with the question, "What can we do?".

Part of the answer to that is to take steps to protect your own privacy,
encrypt, reduce what you share with third parties, and operate a reasonably
sane set of defaults with regards to how one protects their data.

And I, who know how to take some steps, cannot realistically help, give
guidance and support to them all. And they all have slightly different and
nuanced perceptions of what their priority is, what they're seeking to
achieve. Everyone has their own reasons.

I personally am at the point where I don't wish to become the 2010s
equivalent of the guy who can give computer support to Windows users, and yet
here are smart people wanting a simple way to explore their options and choose
what to act on.

I didn't mean game as in "cutesy candy stuff". Just a score would do, simple
game theory... do some action, increase your score.

A bit like the LastPass Security Check... which tests how many sites share the
same password, how many have weak passwords, etc.

------
devopstom
It's _way_ more fun if you put an SSL intercept in place too. I found mitmproxy
was probably the easiest to configure for Android.

You can turn up some seriously interesting (scary) things.

------
barbs
I'd not heard of the Debian on Android kit [1] before. Sounds interesting! I
had heard of using tcpdump to monitor traffic on Android though, and have used
this in the past to help debug some network problems we were having with our
app. We used a natively compiled version of tcpdump [2]. We still needed to
root our phones though.

[1] [http://sven-ola.dyndns.org/repo/debian-kit-en.html](http://sven-ola.dyndns.org/repo/debian-kit-en.html)

[2] [http://gadgetcat.wordpress.com/2011/09/11/tcpdump-on-android...](http://gadgetcat.wordpress.com/2011/09/11/tcpdump-on-android/)

~~~
gcp
tcpdump is pretty easy to cross-compile to Android with a standalone toolchain.

------
SAFAD
Interesting results. I am quite shocked that (from a rough general look) all
the applications only sent your location, Android version, language and
user-agent; I was expecting more! Good job sir :)

~~~
joosters
I don't think you can be sure of that, anything could have been sent over the
SSL connections.

------
yread
Great analysis. Interesting that there are 10 times as many requests against 443 as
against 80. I wouldn't expect that. (Of course it doesn't mean it's all HTTPS, but still.)

~~~
slashdotaccount
Unfortunately the author didn't use mitmproxy (or sslstrip).

~~~
eli
One would hope sslstrip would not work against an app!

~~~
jiayo
You'd be surprised how much code out there "uses SSL" but to get it to "just
work", it outright ignores things like DN checking, certificate expiry, even
chain verification. It's on the faulty premise that encryption is the only
thing that's important.
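
The checks jiayo lists, shown side by side as an added example that is not code from the thread: `weak_context()` is the "just make it work" anti-pattern (encryption with chain verification and hostname checking switched off), `strict_context()` is the hardened form, and `verify_peer_cert()` spells out the hostname and validity rules over the dict shape that `ssl.SSLSocket.getpeercert()` returns so the rules are visible. With `CERT_REQUIRED` and `check_hostname` set, the `ssl` module performs those checks itself; the certificate dict below is constructed and the host names are placeholders.

```python
"""The certificate checks that 'just make it work' TLS code tends to skip.

Added example, not code from the thread. weak_context() is the anti-pattern
described above (encryption with no chain or name verification);
strict_context() is the hardened form. verify_peer_cert() re-implements the
hostname and validity rules over the dict shape that
ssl.SSLSocket.getpeercert() returns, to make them visible; with CERT_REQUIRED
and check_hostname set, ssl performs them itself. SAMPLE_CERT is constructed.
"""
import ssl
import time


def weak_context() -> ssl.SSLContext:
    """Encrypts the connection but accepts any certificate for any name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_context() -> ssl.SSLContext:
    """Chain verification against the system trust store plus hostname checking."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Which of the two checks a context will actually perform."""
    return {
        "chain_verified": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": bool(ctx.check_hostname),
    }


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: a single leading '*' covers exactly one left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels) and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def verify_peer_cert(cert: dict, hostname: str, now: float) -> list:
    """Return the list of failures (empty means the name and validity checks pass)."""
    problems = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy fallback: subject CN is consulted only when no SAN is present
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(_name_matches(n, hostname) for n in names):
        problems.append(f"hostname {hostname!r} does not match {names}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems


# Constructed peer certificate in getpeercert() shape (placeholder names, not a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "api.example.com"),),),
    "subjectAltName": (("DNS", "api.example.com"), ("DNS", "*.cdn.example.com")),
    "notBefore": "Jan 10 00:00:00 2014 GMT",
    "notAfter": "Jan 10 00:00:00 2015 GMT",
}
IN_VALIDITY = ssl.cert_time_to_seconds("Jul 15 00:00:00 2014 GMT")

if __name__ == "__main__":
    print("weak:", audit_context(weak_context()))
    print("strict:", audit_context(strict_context()))
    for host in ("api.example.com", "img.cdn.example.com", "a.b.cdn.example.com", "other.example.net"):
        print(host, verify_peer_cert(SAMPLE_CERT, host, IN_VALIDITY) or "ok")
    print("today:", verify_peer_cert(SAMPLE_CERT, "api.example.com", time.time()))
```

The wildcard rule is deliberately narrow: `*.cdn.example.com` matches `img.cdn.example.com` but neither `cdn.example.com` nor `a.b.cdn.example.com`, which is where hand-rolled matchers usually go wrong. Chain verification is not re-implemented here because it needs the signature checks that `ssl` and its trust store already provide.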

------
_sabe_
This I found interesting: [http://intelcrawler.com/](http://intelcrawler.com/)

"Hacktivism, Illicit Drug trade, Cyber Attacks, Human Trafficking, Money
Laundering, and other areas - could have a set of predictive probabilities by
analyzing huge volumes of data in virtual space and narrowing the common
denominator IPs and other cyber prints."

