
Tracking my phone's silent connections - jaclaz
https://kushaldas.in/posts/tracking-my-phone-s-silent-connections.html
======
lbacaj
To clarify, outside of the CDN providers or AWS calls and the big 3 (Facebook,
Google, Apple), the vast majority of the calls seem to be to marketing
providers or developer tools

Branch - these guys provide deep links into phones and tools to analyze who
clicked on the links and if they worked.

mParticle, Appsflyer, Braze formerly Appboy, Appboy all provide internal app
marketing teams tools like mobile push or analytics from the app on the phone.

While NewRelic, letsencrypt (free SSL certificates), Crashlytics, etc. are all
developer tools to monitor usage and issues with your app.

In summary majority are 3 classes of traffic: CDNs which cache data, Marketing
tools such as deep linking analytics etc, and finally developer tools.

Seems like a missed opportunity for Apple and Google to allow users to opt in
or out but send data back to one place and then push that out to all these
guys so the phone isn’t sending the same data over and over to so many
partners and wasting battery.

~~~
throwawaymath
With regard to your last paragraph: that would probably be an excellent
application of Ben Thompson's aggregation theory. It would increase Apple and
Google's moat by making them the hardware gatekeeper for all mobile app
analytics. And battery life is also a strong cover for the business reasons
for doing it.

But the public claim, "it saves battery life!" would not make it defensible
for most analytics companies, in my opinion. That would mean Google and Apple
get duplicated access to just about all mobile analytics data in the world
overnight. They already get vast data from the mobile phones through telemetry
and their own apps; I think the largest third party analytics providers would
revolt. They would all be at the mercy of Apple and Google's benevolence,
which is basically backing their business into a corner. You don't want to be
reliant on the whims of a giant tech company.

There are probably also some (maybe weak) anti-trust arguments against it,
because all analytics other than e.g. Google Analytics become literal second
class citizens on the phone. That would basically be telling app developers
they're not allowed to send requests to specific hosts within their apps, only
Apple and Google can do that (on their respective phones).

So I don't know if this is a missed opportunity, so much as Apple and Google
realizing it would burn their walled gardens to the ground.

~~~
hueving
>think the largest third party analytics providers would revolt

Would anyone care? I don't think a game company is going to refuse to publish
on iTunes or Google Play because some tool they use for analytics stops
working.

Nothing against analytics companies, but they just aren't a relevant party in
Apple's (or Google's) ecosystem.

~~~
alasdair_
> Would anyone care? I don't think a game company is going to refuse to
> publish on iTunes or Google Play because some tool they use for analytics
> stops working.

I don't see why these companies can't simply push all analytics to their own
servers then out to the analytics company, bypassing apple/google.

Most of the biggest mobile games companies have custom analytics engines and
likely do this anyway.

~~~
scrollaway
That doesn't really solve the battery life / analytics duplication problem.

Furthermore, from experience, duplication within a single app often happens
all on its own because, say, different departments use different toolchains
with different integrations, thus want different analytics providers and it's
easier to just have the app send to both. It's inefficiencies all the way down
because the only one to really pay for this is the user, and the user _doesn't
know_ they're paying for this (be it in battery life, PII leakage, etc).

------
HenryBemis
Regarding iOS: I stopped using iPhones and (edit typo) quit the ecosystem
altogether (apart from an app I still sell in apple app store) because with
the lack of an untethered Jailbreak I could no longer install "Firewall IP"
and I could not edit the hosts file.

Regarding Android: I switched to Android for the "NoRoot Firewall" and since
most Android phones are Root-able I can also edit my hosts file.

The article gives a very good analysis of what I have been telling friends,
and my constant complaint towards that Cancer called Facebook: why does my
e-banking app or Booking.com or practically every air carrier's app, need to
alert FB that I am using this or that app?

Anyone with an Android can install that NoRoot Firewall and see in 60 seconds
what their phones are doing when you are not looking. This in combination with
the applications running in the background 24/7 makes privacy a thing of the
past.

~~~
jabberthemutt
I can highly recommend NetGuard on android, it's non-root and free software.

I wish there was a system that lets me whitelist specific hosts per app.

~~~
kekebo
You can do that with NetGuard, but it's a pro feature you have to unlock

~~~
jabberthemutt
Oh oops! I bought it to support the developer and never even noticed that.
Thanks!

------
xg15
I'm not sure how the situation is with Apple, but it always bothered me that
on Android, apps can implement their own logic for TLS certificate validation.
Apps can use this to hardcode key-pinning and make it effectively impossible
(short of patching the app) to inspect an encrypted connection, even if you're
the owner of the device.

I feel the push for DoH will make this even worse - because then you won't
even know which servers your apps are connecting to.

~~~
Shaaaaaaare
Unfortunately Google both supports and recommends this. Recently they've even
made it easy for apps to automatically ignore any custom certificates added to
the trust store, so they don't even have to bother to implement pinning.

~~~
xg15
Yeah, I'm honestly not surprised. Apologies for the cynicism, but sometimes I
wonder if the pushes for HTTPS-everywhere, certificate transparency and DoH
are really more for the privacy of _app developers_ instead of the privacy of
users...

~~~
holri
If you care about the privacy of users, you need software that the user
controls, not the developer. Therefore free software.

------
ignoramous
Some patterns I've found useful that most of my non-tech savvy friends can use
(for Android) without going through the hassle of setting up a VPN.

1\. Use AdGuard DNS.
[https://news.ycombinator.com/item?id=18788410](https://news.ycombinator.com/item?id=18788410)

2\. Do not install the app if there's a website equivalent you could use
(Facebook, Banking Apps).

3a. Force Stop or Disable apps you use frequently despite web equivalents
(Google Maps).

3b. Enable permissions required by apps used occasionally only when in use.
Disable them again, once usage is complete (Banking Apps).

4\. Use websites on mobile on Firefox with uBlockOrigin/uMatrix,
PrivacyBadger, CanvasBlocker, WebRTC blocker.

5\. Prefer using 'lite' versions of apps, if you must use an app (Uber Lite).

6\. Try to use apps that do not require GooglePlayService or slowly force
yourself to (OpenStreetMaps).

7\. Use privacy-oriented apps as a replacement to apps that you use very
frequently (Signal, ProtonMail, DuckDuckGo) or use a separate user-profile for
those apps (WhatsApp) altogether.
[https://news.ycombinator.com/item?id=18873433](https://news.ycombinator.com/item?id=18873433)

8\. Use LawnChair as your default launcher (or some such privacy oriented
launcher).

\----

Of course there's a big matter of Google services running the show underneath,
and you couldn't get rid of that unless you went the microG+LineageOS route.
[https://news.ycombinator.com/item?id=15617615](https://news.ycombinator.com/item?id=15617615)

Also see:

EFF's Surveillance Self-defense
[https://ssd.eff.org/en#index](https://ssd.eff.org/en#index)

Dumber Phone: [https://nomasters.io/posts/dumber-phone/](https://nomasters.io/posts/dumber-phone/)

~~~
eitland
> 3b. Enable permissions required by apps used occasionally only when in use.
> Disable them again, once usage is complete (Banking Apps).

Bouncer - Temporary app permissions seems to be a brilliant tool for this. I
installed it the other day together with Glasswire. Both are paid, and I
happily pay (reasonable amounts) for good tools.

Together they should hopefully mitigate the risk connected to useful apps with
broad permissions.

Haven't tested them too much yet, so if anyone knows problems with those apps,
feel free to let me know.

Bouncer is available here:

[https://play.google.com/store/apps/details?id=com.samruston....](https://play.google.com/store/apps/details?id=com.samruston.permission)

Glasswire is here;

[https://play.google.com/store/apps/details?id=com.glasswire....](https://play.google.com/store/apps/details?id=com.glasswire.android)

Of course, depending on your threat model some of you might never be safe with
a smartphone or any portable phone at all. Personally however I feel this
might solve it for me for now.

~~~
zcid
I will strongly second Bouncer. It's an amazing app for keeping permissions in
line on my phone. It's also a shame I rarely have to open the app itself
because Sam Ruston is a master of clean UIs.

------
DavideNL
Apple promotes privacy (which is great), but at the same time they behave like
a dictatorship by not providing an opt-out of the iOS walled garden, which
they do provide with System Integrity Protection on macOS.

What he is doing will not prevent apps from extracting information and
uploading it to their servers. For example, by using an ip address instead of
a hostname/domain, an app/service can exclude themselves from the "domain
graph" he created with this vpn. Sure you could eventually track down the
public ips an app communicates with and block those, but the app will always
keep collecting and storing your data, and at some point in time they update
their app and change the ip - by the time you notice this your data is already
uploaded to the new ip.

The only proper solution is an app firewall for iOS, which is not allowed by
Apple. Apple is crippling our freedom with their walled garden/dictatorship,
which makes me sad.
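
An added example, not part of the thread or the article: the gap described in the comment above can be measured by comparing the DNS log with a log of outbound connections and listing destinations that no DNS answer explains. The log formats, names, addresses and the 10.0.0.0/24 VPN subnet are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample logs; formats, names and addresses are assumptions.
# DNS log:  <time> <client> <queried-name> <answer-ip>[,<answer-ip>...]
DNS_LOG = """\
10:00:01 10.0.0.2 graph.social.example 203.0.113.10
10:00:02 10.0.0.2 img.cdn.example 198.51.100.7,198.51.100.8
10:05:40 10.0.0.2 img.cdn.example 198.51.100.9
"""
# Flow log: <time> <client> <dst-ip> <dst-port> <bytes-sent>
FLOW_LOG = """\
10:00:01 10.0.0.2 10.0.0.1 53 64
10:00:03 10.0.0.2 203.0.113.10 443 1800
10:00:04 10.0.0.2 198.51.100.8 443 900
10:02:15 10.0.0.2 192.0.2.44 443 52000
10:07:30 10.0.0.2 192.0.2.44 443 48000
10:09:00 10.0.0.2 192.0.2.99 8080 300
"""

LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed VPN subnet (resolver lives here)


def resolved_ips(dns_log):
    """Map every IP that appeared in a DNS answer to the names that returned it."""
    names_by_ip = defaultdict(set)
    for line in dns_log.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _, _, qname, answers = fields
        for ip in answers.split(","):
            names_by_ip[ipaddress.ip_address(ip)].add(qname.lower().rstrip("."))
    return names_by_ip


def flows_without_dns(dns_log, flow_log):
    """Return {dst_ip: (connections, bytes_sent)} for flows no DNS answer explains."""
    known = resolved_ips(dns_log)
    unexplained = {}
    for line in flow_log.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        dst = ipaddress.ip_address(fields[2])
        if dst in LOCAL_NET or dst in known:
            continue  # resolver traffic, or already visible in the domain graph
        count, sent = unexplained.get(str(dst), (0, 0))
        unexplained[str(dst)] = (count + 1, sent + int(fields[4]))
    return unexplained


if __name__ == "__main__":
    for ip, (count, sent) in sorted(flows_without_dns(DNS_LOG, FLOW_LOG).items()):
        print(f"{ip}: {count} connection(s), {sent} bytes sent, no DNS lookup seen")
```

Destinations reported here are the ones a DNS-only view never shows; the byte counts indicate which of them receive the most data.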

~~~
mr_toad
Apple could easily add a per-app permission for network access just like they
do with mobile data.

~~~
m463
I wish there was a true ios firewall.

and a way to turn off deep linking

and a way to turn off ble beacons

and the possibility of local location services only such as photo tags,
without all the rest.

sigh.

------
pw6hv
Actually would be interesting to see the content of the HTTP packets that are
not encrypted! I wonder what kind of information is shared by our smartphones
without it being properly secured...

~~~
kekebo
A lot. Running my phone traffic through mitmproxy was a rather sobering
experience, especially what leaks on boot before firewall and ad blocker are
ready. On Android you can even inspect a lot of encrypted traffic using
mitmproxy and the cert it generates, although some apps (like Signal) use cert
pinning in a way that I haven't managed to get around yet.

~~~
therein
Same for Apple. Just add a root authority and you can even decrypt iCloud
traffic.

------
Havoc
Was surprised how much the Xiaomis phone home. Enough to create a huge spike
in the pi hole stats.

92% (!!!) of the requests that phone generates got blocked. Laptop is at 5%
(admittedly with an adblocker too), iphones at 1%.

------
fisian
In my home network I use a hosts file to block unwanted tracking. I use a file
from this [1] project, which makes it easy to filter out the type of content
you don't want.

The nice thing about this is that it blocks requests from any device in my
network, especially from those which cannot be configured with a firewall or
adblocker.

[1]
[https://github.com/StevenBlack/hosts](https://github.com/StevenBlack/hosts)

~~~
chewz
What's the point? The moment you leave your home network your data would be
sent wherever it belongs anyway..

~~~
callalex
Under ideal conditions my “smart” tv, internet connected game console,
internet connected air filter, etc will never leave my home. At least not
until I get around to documenting them for renters insurance.

------
throw2016
Android is designed to leak like a sieve but using an OS by the kingpin of the
surveillance industry and expecting privacy and things to be above board is
dissonance.

We live in a 'fantastic' world where the same people who have made a billion
dollar business model of behavioral targeting and creepily stalking people
24/7 aggressively push things like https claiming to care about user privacy
and security.

Where Android can be promoted as 'open' in spite of abusing all the driving
principles of open source. Tech folks cannot be unaware of the massive and
ever growing surveillance ecosystem in operation and many are in fact actively
building it, and pretense of surprise by such articles only serves to affect
some kind of fabricated normalcy.

------
ohnope
I've enjoyed using an app for iOS that installs a "VPN" which is configured to
run a local DNS proxy. It gives you a log of every request on the phone and
allows you to block domain wildcards.

It's fascinating to peer into the dark alleys of your iPhone.

~~~
krzbrg
Which app did you use? I’ve done similar things with Charles and Burp Suite.

~~~
ohnope
It's this one:
[https://itunes.apple.com/us/app/adblock/id691121579](https://itunes.apple.com/us/app/adblock/id691121579)

I've got it on my list to play with Charles proxy. I'm curious to peer into a
few of the requests if possible. But I've read that, especially with mobile
apps, they may use cert pinning which defeats something like Charles.

~~~
walterbell
Adblock? Don't they allow "approved ads"?

~~~
ohnope
It's an unfortunate naming coincidence. The app I linked has no affiliation
with _that_ Adblock

------
bobbyi_settv
Are the frequent apple.com requests the phone checking to see if it has a
working internet connection?

And if so are those responsible for the http (as opposed to https) traffic
because they want to see if you're on a captive portal?

------
saagarjha
It’s surprising to see that many HTTP connections, considering that Apple has
been pushing somewhat hard for apps to migrate to HTTPS connections…

~~~
sdwisely
from memory they recently wontfix'ed some issues about this saying they leave
things like updates on http so they can be cached on corporate networks.

------
amaccuish
Interesting. Though AFAIK Lookout is mostly useless on iOS, it's essentially
just another "Find my iPhone" service right?

I'd be interested to know what the Google queries were for. Does he use GMail?

~~~
baxtr
Maybe they’ve made connections into the insurance industry. For them it might
be interesting what your location profile looks like.

~~~
maxerickson
What substantial aggregate profit do you think they can make by analyzing
detailed location data?

I'm asking because I'd assume for most of their customers it just doesn't
reveal much. Everyone shops at supermarkets, Target vs Walmart isn't going to
reveal a whole lot more than a residential address.

~~~
dotancohen
If location is correlated with time, they could know the speed at which you
travel.

The car insurance could know if you visit dragstrips, which might imply
specific driving habits. Or how often you visit the gas station, from which
could be estimated your mileage. Or if you already report your mileage, might
be used to estimate your fuel consumption, which could imply specific driving
habits.

The health insurance might know if you visit the same bad-neighbourhood
address as some known-heroin-users do. Or if you just visit the tobacco shop.

~~~
maxerickson
You've not answered the question.

Car insurance gets a lot of information from past claims, age and sex/gender,
they aren't going to make a bunch of money turning away a few people that go
to dragstrips.

In the US, health insurers are specifically prevented from considering such
things in setting their premiums, they get to consider age and smoking.
Carriers that offer plans to the general public are also subject to a
"guaranteed issue" provision, they are not able to refuse coverage to anyone
that can pay.

------
mirimir
Whenever I read stuff like this, I'm reminded how user-hostile Android and iOS
are. Even compared to Windows. Or at least, to Windows XP and 7.

Not that many years ago, I had imagined that microcomputers and cellphones
would merge. But I was expecting something like Linux. Or at worst, like
Windows.

And it clearly didn't work out that way. We have smartphones that are never
really owned by users. They run apps that have more rights than they do. With
no practical way to change that.

It's sad, because I can't have a smartphone that I can trust. But so it goes.

~~~
jammygit
If the librem survives a few generations, it might change things

------
bil-20392039
I haven’t tried this but wouldn’t it be possible to block network connections
locally on the phone by making your own configuration profile and loading that
on each iOS device?
[https://www.howtogeek.com/253325/how-to-create-an-ios-config...](https://www.howtogeek.com/253325/how-to-create-an-ios-configuration-profile-and-alter-hidden-settings/)

------
ghotli
Anyone know if a similar process is possible to see what the baseband
controller handling data transfer to the tower is doing? The method in this
article works as well as the host os can redirect traffic. The baseband chip
is often completely separate as I understand it. Likely would require a fake
tower implementation, but maybe there are more creative solutions.

------
Dahoon
That is a great idea. I'm going to try this myself on my Android phone (though
ads etc. are already blocked on it). Might be a good way to put a tripwire up
to catch if anything suspicious happens.

EDIT: OpenWRT's adblock package (which I already used) can create a DNS report
and each list has a Blacklist/Whitelist button. Superb!

------
drewg123
nflxso.net is not a tracker. It is a domain used by Netflix to refer to
"small" non-video downloadables (things like the images you see when browsing
titles on the web or in the app).

------
ozim
Use Pi-Hole, everything in article I got to know from looking at statistics
from it. It also blocks those bad ones but unfortunately I use phone outside
my home wi-fi as well.

------
z3t4
The CDN providers are also used for collecting data. Would be nice with a
graph that shows both downloaded and _uploaded_ (data sent).

------
bigend
Same happens on your laptop. I like MacOS app called LittleSnitch, reveals
pretty much the same types of sites as in the article.

------
huxflux
Love the part about the "Bangkok IP"

