Get out of my phone!

My LAN firewall logs were showing weird connections at night from my phone, connected over WiFi, so I decided to play around and check how I could log network connections from Android.

My phone runs ParanoidAndroid version 4.4.4, which fortunately ships with iptables and all the nice kernel modules, so I could just do:

iptables -A OUTPUT ! -o lo -j NFLOG --nflog-prefix "NFLOG " --log-uid

and see that it was logging stuff when browsing the web from my favorite app:

root@hammerhead:/ # dmesg | grep NFLOG

<4>[264504.310460] NFLOG IN= OUT=wlan0 SRC=10.0.2.141 DST=91.198.174.204 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=55084 DF PROTO=TCP SPT=56159 DPT=80 WINDOW=1550 RES=0x00 ACK URGP=0 UID=10057 GID=10057 
<4>[264504.310930] NFLOG IN= OUT=wlan0 SRC=10.0.2.141 DST=91.198.174.204 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=55085 DF PROTO=TCP SPT=56159 DPT=80 WINDOW=1595 RES=0x00 ACK URGP=0 UID=10057 GID=10057 
<4>[264504.311754] NFLOG IN= OUT=wlan0 SRC=10.0.2.141 DST=91.198.174.204 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=55086 DF PROTO=TCP SPT=56159 DPT=80 WINDOW=1641 RES=0x00 ACK URGP=0 UID=10057 GID=10057 

Nice! Now to check which app is UID=10057:

root@hammerhead:/ # grep -i "userId=\"10057" /data/system/packages.xml         
    <package name="org.mozilla.firefox" codePath="/data/app/org.mozilla.firefox-1.apk" nativeLibraryPath="/data/app-lib/org.mozilla.firefox-1" flags="572996" ft="14b3ba98788>
    <shared-user name="org.mozilla.firefox.sharedID" userId="10057">

which indeed looks like Firefox. The only oddity is the timestamp 264504, which would be about 3 days, while my phone had been up for more than 19 days. That is expected, though: printk timestamps come from a clock that does not advance while the device is suspended, so they count time awake, not uptime.

I store that log in a file on my phone:

cat /proc/kmsg | grep NFLOG > /mnt/shell/emulated/log &

Then make some stupid Ruby script:

#!/usr/bin/ruby

require "resolv"

# Build a hash mapping an app's UID (or shared UID) to its package name,
# from the <package ...> lines of /data/system/packages.xml
def load_app_ids(f)
    res = {}
    File.read(f).each_line do |l|
        next unless l =~ /<package /
        name = l[/name="([^"]+)"/, 1]
        suid = l[/sharedUserId="([^"]+)"/, 1]
        uid  = l[/userId="([^"]+)"/, 1]
        next unless name
        if uid
            res[uid] = name
        elsif suid
            res[suid] = name
        end
    end
    return res
end

$appsid = load_app_ids("packages.xml")

# One NFLOG kernel line, as shown in the dmesg output above
NFLOG_RE = /\[([.0-9]+)\] NFLOG IN=([^ ]*) OUT=([^ ]+) SRC=([^ ]+) DST=([^ ]+) LEN=([^ ]+) .+ PROTO=([^ ]+) SPT=([^ ]+) DPT=([^ ]+) .* UID=([0-9]+)/

logfile = ARGV[0]
res = {}
File.foreach(logfile) do |l|
    next unless l =~ NFLOG_RE
    entry = {}
    entry["time"]  = $1
    entry["ifin"]  = $2
    entry["ifout"] = $3
    entry["ipsrc"] = $4
    entry["ipdst"] = $5
    entry["len"]   = $6
    entry["proto"] = $7
    entry["spt"]   = $8
    entry["dpt"]   = $9
    # Fall back to the raw UID when packages.xml has no entry for it
    entry["name"]  = $appsid[$10] || "uid:#{$10}"
    # Group the apps by destination ip:port:proto
    key = "#{entry['ipdst']}:#{entry['dpt']}:#{entry['proto']}"
    (res[key] ||= []) << entry["name"]
    res[key].uniq!
end

res.each do |k, v|
    ip  = k[/^([^:]+):/, 1]
    key = k.dup
    begin
        # Replace the IP with its reverse DNS name when there is one
        name = Resolv.getname(ip)
        key.gsub!(ip, name)
    rescue Resolv::ResolvError
        # no PTR record, keep the raw IP
    end

    # Ignore 'normal' stuff
    # next if key =~ /1e100.net:(80|443)/
    # next if key =~ /mozilla\.(com|net):443/
    # if v.include?("org.mozilla.firefox") and key =~ /(80|443):TCP/
    #    next
    # end
    # next if key =~ /239.255.255.250:1900:UDP/
    puts "#{key} => #{v}"
end

The script is run this way, once the phone is connected:

adb pull /mnt/shell/emulated/log .
adb pull /data/system/packages.xml .
ruby stuff.rb log
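As an added example (not the post's script), here is the same log parsing turned into an allowlist check: it parses the NFLOG lines, converts a printk timestamp to wall-clock time, and reports only the flows that are not on a list of expected (app, destination port, protocol) triples. The sample log is constructed from the dmesg lines above plus one made-up UDP line, and UID 10042 for com.lge.SprintHiddenMenu is a placeholder, not the real id.

```ruby
# Constructed sample: two TCP lines copied from the dmesg output above and one
# made-up UDP line (UID 10042 is a placeholder id for com.lge.SprintHiddenMenu).
SAMPLE_LOG = <<~LOG
  <4>[264504.310460] NFLOG IN= OUT=wlan0 SRC=10.0.2.141 DST=91.198.174.204 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=55084 DF PROTO=TCP SPT=56159 DPT=80 WINDOW=1550 RES=0x00 ACK URGP=0 UID=10057 GID=10057
  <4>[264504.310930] NFLOG IN= OUT=wlan0 SRC=10.0.2.141 DST=91.198.174.204 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=55085 DF PROTO=TCP SPT=56159 DPT=80 WINDOW=1595 RES=0x00 ACK URGP=0 UID=10057 GID=10057
  <4>[264510.000000] NFLOG IN= OUT=wlan0 SRC=10.0.2.141 DST=5.196.196.168 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40001 DPT=123 LEN=56 UID=10042 GID=10042
LOG
# UID -> package map, as load_app_ids would build it from packages.xml (constructed)
UID_TO_APP = { "10057" => "org.mozilla.firefox", "10042" => "com.lge.SprintHiddenMenu" }

# One regexp for the fields the post's script pulls out of each kernel line.
NFLOG_RE = /\[\s*([.0-9]+)\] NFLOG IN=(\S*) OUT=(\S+) SRC=(\S+) DST=(\S+) .*PROTO=(\S+)(?: SPT=(\d+) DPT=(\d+))?.* UID=(\d+)/

def parse_nflog(line)
  m = NFLOG_RE.match(line) or return nil
  { ts: m[1].to_f, ifin: m[2], ifout: m[3], src: m[4], dst: m[5],
    proto: m[6], spt: m[7], dpt: m[8], uid: m[9] }
end

# printk timestamps are seconds on a clock that stops while the phone sleeps, so
# they cannot be compared with the uptime; but relative to the *current* value of
# that clock (first field of the newest dmesg line) they do give wall-clock time.
def printk_to_wallclock(ts, printk_now, wall_now)
  wall_now - (printk_now - ts)
end

# Expected flows, the post's commented-out filters as data: [app, dst port, proto]
ALLOW = [["org.mozilla.firefox", "80", "TCP"],
         ["org.mozilla.firefox", "443", "TCP"],
         ["org.mozilla.firefox", "1900", "UDP"]]

# Everything not on the allowlist, deduplicated as [app, dst, dport, proto]
def flag_unexpected(log, uid_to_app)
  log.each_line.map { |l| parse_nflog(l) }.compact.map { |e|
    [uid_to_app.fetch(e[:uid], "uid:#{e[:uid]}"), e[:dst], e[:dpt], e[:proto]]
  }.reject { |app, _dst, dpt, proto| ALLOW.include?([app, dpt, proto]) }.uniq
end

if __FILE__ == $0
  flag_unexpected(SAMPLE_LOG, UID_TO_APP).each { |f| puts f.join(" ") }
end
```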

Some “weird” things show up:

"239.255.255.250:1900:UDP"=>["org.mozilla.firefox"],

Firefox does SSDP; it seems to be discovering second-screen devices.

"mygateway:4886:UDP"=>["org.mozilla.firefox"],

Now this is somewhat crazy. It looks like Firefox hits your gateway on a randomly chosen, then hard-coded, UDP port with a 0-length UDP packet to keep your wireless connection “live”.

And scarier:

"5.196.196.168:123:UDP"=>["com.lge.SprintHiddenMenu"]

WTF is that app?! There is no source code to be found; it seems the APK is just slammed into the AOSP repo as a binary. It looks like it has been removed for the future 5.0 release of AOSPA, and from what I could read it is just some weird app for the Sprint telco that does stuff…. The APK has about half of all the possible permissions and tries to connect to some OVH IP (which actually might be an ntp.org pool server). I don’t want that! The solution is:

root@hammerhead:/ # pm disable com.lge.SprintHiddenMenu                        
Package com.lge.SprintHiddenMenu new state: disabled

On further exploring, it looks like some kind of bloatware designed to make Sprint customers’ life a pain in the ass with a weird activation process. It also hijacks the telephony stack to catch magic numbers in order to do magical things.

UPDATE: this un-removable app reboots your phone on receiving a specific intent… THANKS