Network Monitoring: How to Get Started and Why You Should Consider It
Security and privacy are of the utmost importance when modifying your device or buying from a third-party reseller. Nothing beats only buying or downloading from trusted sources, but if you suspect your device is sending information to, or receiving it from, a third party, there are several ways to check.
The tool we'll look at is Fiddler, a free web debugging proxy. It is developed primarily for Windows, although official builds exist for OS X and Linux via Mono; alternatives such as Wireshark are also available (Wireshark captures every packet on an interface, whereas Fiddler only sees HTTP and HTTPS traffic that clients route through it as a proxy). To start, download the client from here (Mac and Linux users can grab a build here). Once it has installed we can begin setup: head to Tools > Fiddler Options > Connections and ensure "Allow remote computers to connect" is ticked. Fiddler will ask you to restart it for this to take effect, and Windows may prompt you to allow it through the firewall. Bear in mind that this makes Fiddler listen on port 8888 for every machine on your network, so only enable it on a network you control and untick it when you are done.
Then head to the "HTTPS" tab and tick "Decrypt HTTPS traffic" if you want to see the contents of encrypted connections. Fiddler does this by generating its own root certificate (FiddlerRoot) and minting a certificate for each site you visit, signed by that root; any client that has not been told to trust the root will show certificate errors rather than connect. Exit the settings and hover over the "Online" indicator at the top right of the window; make a note of the IP address that appears.
The following instructions will differ slightly depending on your ROM or Android version, but for the most part should be similar enough to follow with ease. On your phone, head to your WiFi settings and ensure you are connected to the same network as your PC. Once connected, long-press the connection name, select Modify network, then tap Show advanced options.
Set Proxy to Manual, enter the IP address you noted earlier under Proxy hostname, and enter 8888 under Proxy port (unless you changed the port in Fiddler's Connections menu). Hit Save, then in your phone's browser head to http://ipv4.fiddler:8888/, which should show the Fiddler Echo Service page; that page only loads if the phone's requests are actually reaching the proxy, so it doubles as a connectivity check. If you enabled HTTPS decryption earlier, tap the FiddlerRoot Certificate link on that page and install it. Two caveats apply here. Apps targeting Android 7.0 (API level 24) or later trust only the system certificate store by default, not certificates a user installs, so their HTTPS connections will fail through Fiddler unless the app opts in via its network security configuration; apps that pin their server certificate will refuse the connection regardless. And only apps that honour the system proxy setting and speak HTTP or HTTPS will show up at all; anything else bypasses Fiddler silently. Once you have completed your testing, revert the phone's WiFi connection by removing the proxy settings, and also remove the FiddlerRoot certificate from the phone's trusted credentials, since leaving a third-party root installed lets whoever holds its private key intercept your HTTPS traffic.
You are now set up and should start to see traffic from your phone appearing in Fiddler. If you are using your PC at the same time, you can stop its traffic from showing by right-clicking a session you know came from the PC, choosing Filter, then Hide process; you should only need to do this for your browser and anything else that is actively connected to the internet. From here you can start testing your device. If you plan on testing your ROM, leave Fiddler running while you use the phone as normal for an extended period, so you can review the entire log later for sporadic suspicious connections. If you want to check an individual app, that can be done quickly by using the app and noting which connections are made during that time. Fiddler will not prevent these connections, but it will show you what is being sent or received and from where, which brings us to investigating individual connections.
On the right-hand side of the Fiddler client you will see several tabs, including Composer, Log, Filters and Inspectors. Click any session you wish to inspect in the main panel, then click Inspectors, and in the panes that appear below make sure the Headers view is selected. The request headers usually include a User-Agent string that gives the version of Android you are running and the make and model of the phone, and below that a Host header naming the server the request was sent to.
The entry in the main panel (above, left) shows the URL, host, file size and content type; for example, this .PNG from Baidu was picked up upon my opening ES File Explorer Pro, the fallen king of file managers. The right-hand side of the client goes into more depth. As you can see from the top panel, I am using a Huawei-AL10 running Marshmallow, which is currently connecting to baidu.com. The bottom panel shows the data being sent, which in this case can be viewed in the WebView tab; as you can see, ES File Explorer Pro is downloading a Christmas image (Estrongs, if you are reading this, thanks for wasting my data on Christmas images in April...). These logs can then be analysed to determine a lot about the app in question; in this scenario, the accumulated data and the other traffic from ES File Explorer show that:
A) Even though the Pro version does not show ads, several MB worth of them are still being downloaded, just not displayed.
B) The app is built poorly with no regard for efficiency.
C) The app communicates with Baidu constantly.
This method can be used to monitor any HTTP or HTTPS traffic your phone sends over the WiFi connection, making it relatively simple to find out whether an app or ROM is sending your data somewhere it shouldn't, or downloading something that could be malicious. Give it a try sometime; you may be surprised at what you find.
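Reviewing a long capture session by session gets tedious, so here is an added example (not from the original article) of the kind of script I would run over an exported log to answer the three questions above for any app: which hosts the app talks to and how much it pulls from each, what the User-Agent reveals about the device, and whether any request carries identifier-like fields. It assumes the sessions were exported from Fiddler via File > Export Sessions > All Sessions > HTTPArchive v1.2; the embedded HAR, its hosts, URLs and values are all constructed for the example and are not real captured data. Point `parse_har` at the contents of your own .har file to run it on a real capture.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in HAR 1.2 layout, the format Fiddler Classic writes via
# File > Export Sessions > All Sessions > HTTPArchive v1.2. Every host, URL and
# value below is made up for the example; none of it is real captured data.
UA = "Dalvik/2.1.0 (Linux; U; Android 6.0; HUAWEI-AL10 Build/HUAWEIAL10)"
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://api.example-files.test/v1/update?id=4",
                 "headers": [{"name": "Host", "value": "api.example-files.test"},
                             {"name": "User-Agent", "value": UA}]},
     "response": {"status": 200, "content": {"size": 812, "mimeType": "application/json"}}},
    {"request": {"method": "GET", "url": "http://img.example-ads.test/xmas/banner_1.png",
                 "headers": [{"name": "Host", "value": "img.example-ads.test"},
                             {"name": "User-Agent", "value": UA}]},
     "response": {"status": 200, "content": {"size": 1800000, "mimeType": "image/png"}}},
    {"request": {"method": "POST", "url": "http://stats.example-ads.test/report",
                 "headers": [{"name": "Host", "value": "stats.example-ads.test"},
                             {"name": "User-Agent", "value": UA}],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "device_id=0000000000&model=HUAWEI-AL10"}},
     "response": {"status": 204, "content": {"size": 0, "mimeType": ""}}},
    {"request": {"method": "GET", "url": "http://img.example-ads.test/xmas/banner_2.png",
                 "headers": [{"name": "Host", "value": "img.example-ads.test"}]},
     "response": {"status": 200, "content": {"size": 1500000, "mimeType": "image/png"}}},
]}})


def parse_har(har_text):
    """Return the list of HAR entries (one per Fiddler session)."""
    return json.loads(har_text)["log"]["entries"]


def request_header(entry, name):
    """Case-insensitive lookup of a request header; None if absent."""
    for h in entry["request"].get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def summarize_by_host(entries):
    """Per-host request count, bytes received, content types and plaintext-HTTP count."""
    summary = defaultdict(lambda: {"requests": 0, "bytes": 0,
                                   "mime_types": set(), "plaintext": 0})
    for e in entries:
        url = urlsplit(e["request"]["url"])
        content = e["response"].get("content", {})
        s = summary[url.hostname or ""]
        s["requests"] += 1
        s["bytes"] += content.get("size", 0)
        mime = (content.get("mimeType") or "").split(";")[0].strip()
        if mime:
            s["mime_types"].add(mime)
        if url.scheme == "http":          # unencrypted: readable by anyone on the path
            s["plaintext"] += 1
    return dict(summary)


def device_fingerprints(entries):
    """Distinct User-Agent strings; on Android these carry the OS version and model."""
    uas = set()
    for e in entries:
        ua = request_header(e, "User-Agent")
        if ua:
            uas.add(ua)
    return sorted(uas)


def find_identifier_uploads(entries, keywords=("device_id", "imei", "android_id", "serial")):
    """Requests whose query string or POST body carry identifier-like field names."""
    hits = []
    for e in entries:
        req = e["request"]
        body = req.get("postData", {}).get("text", "")
        query = urlsplit(req["url"]).query
        haystack = (body + "&" + query).lower()
        found = [k for k in keywords if k in haystack]
        if found:
            hits.append((req["method"], req["url"], found))
    return hits


def unexpected_hosts(summary, expected_hosts):
    """Hosts outside the allow-list you expect the app to need, heaviest downloaders first."""
    others = [h for h in summary if h not in expected_hosts]
    return sorted(others, key=lambda h: summary[h]["bytes"], reverse=True)


if __name__ == "__main__":
    entries = parse_har(SAMPLE_HAR)
    summary = summarize_by_host(entries)
    for host, s in sorted(summary.items(), key=lambda kv: kv[1]["bytes"], reverse=True):
        print(f"{host:28} {s['requests']:3} req {s['bytes']:>9} B "
              f"plaintext={s['plaintext']} {sorted(s['mime_types'])}")
    print("device fingerprints:", device_fingerprints(entries))
    print("identifier uploads:", find_identifier_uploads(entries))
    print("unexpected hosts:", unexpected_hosts(summary, {"api.example-files.test"}))
```

The allow-list passed to `unexpected_hosts` is the judgement call: put in it the hosts the app has a legitimate reason to contact (its own update or sync servers) and everything that remains is what you need to explain. The keyword list in `find_identifier_uploads` is deliberately short; extend it with whatever field names you see in the app's own requests.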
Just a bit of the pure filth uncovered from ES File Explorer during the network monitoring