Analyzing Android App Traffic

Android, the increasingly popular operating system (OS) for mobile phones, goes to great lengths to protect users' data. From applications that run under their own user ID, in their own group, to the permission mechanism that alerts users to the information an application can access, Android is a far more secure platform than any desktop OS. However, there is a significant difference between informing a user what an application can access, and what the application actually does with the information. An Android app downloaded from the Market may request access to the internet and to the user's address book, for example, but beyond that the user has no idea what the application does with those permissions. How do we guarantee that a malicious app isn't making a copy of a user's private data and sending it to a secret server operated by the application's author?

This is a hands-on blog post describing how to capture and analyze internet traffic of an Android application. You will need a computer with Linux installed, and a wireless adapter that is supported by Kismet (see: 7. Supported capture source types). I assume that you know how to connect your Android device to a wireless network, and that you know how to download and install programming libraries and development packages in your Linux environment. This blog post was written based on my experiences with Ubuntu 10.10 on an IBM Thinkpad T42 using an upgraded Intel 2200ABG wi-fi adapter.

There are four phases to capturing Android traffic:

  1. Connect the Android device to a wi-fi network
  2. Install and configure Kismet
  3. Capture a log with Kismet
  4. Analyze the log with Wireshark

1 Connect the Android Device to a Wi-fi Network

I assume that you already know how to connect to a wi-fi network on your Android phone, though the choice of network is important. Because you will be capturing all wireless traffic on that network, you should make sure you have permission to do so - ideally, you'll be doing this at home, so the only people who can complain are your family or roommates. The network security is also a consideration. Wireshark can decrypt WEP and WPA/WPA2 (Personal mode only, i.e. pre-shared key) traffic if you have the key, though WPA decryption also requires that the capture contain the four EAPOL handshake packets exchanged when the phone joins the network. Since I don't know how to guarantee capture of those packets, I will recommend using WEP or no encryption for the purposes of this test.

At the same time, make a note of what channel your adapter is on, and the MAC addresses of your router and Android device.

2 Install and Configure Kismet

Kismet is a powerful, open-source application for capturing and analyzing IEEE 802.11 (wi-fi) traffic. I am new to the tool, and have only begun to scratch the surface of what can be done with it, but some of the uses include discovery of hidden wi-fi networks, passive WEP key cracking, identifying clients connected to a network (and monitoring their network usage), and logging all observed wireless traffic. The traffic logging feature is what we are interested in now, because we want to see what kind of data our Android applications are sending out over the internet.

The version of Kismet available in the Ubuntu repository is over two years old as of this post, so I recommend downloading the latest version from the website and compiling the program from source. Kismet uses the standard ./configure && make && make install pattern, making installation a snap, though it may require installing some libraries such as libpcap-dev and libnl-dev. The only gotcha is that it needs root access to configure the wireless adapter. For a short test in a safe environment, you can install and run the program as root, but it's important to be aware that the packet analysis code and all plugins will run with root privileges. Instructions to install and run Kismet more safely are available in the README file or on the Kismet documentation page.

By default, the Kismet configuration file can be found at /usr/local/etc/kismet.conf, though for this guide there is nothing in the configuration that needs to be changed.

3 Capture a Log with Kismet

Before launching Kismet on Ubuntu 10.10, I needed to manually disable wireless networking by right-clicking on the wi-fi icon on the Panel, and unchecking the "Enable Wireless" option.

Launch Kismet from the command line by running "kismet", or "sudo kismet" if you installed it as root. There will be several dialog boxes when you first run the application. Navigate through the dialogs using tab/enter, or with the mouse. If running as root, the first will warn you that running Kismet as root is unsafe. Next, Kismet will ask if it should automatically start the Kismet Server (choose "Yes", then "Start"). Finally, there should be a warning that no capture sources are configured. Choose "Add Source". Next to "Intf", type the name of the wireless interface (On Ubuntu, the default is eth1). The "Name" field can be anything, but I'd suggest naming it after the manufacturer of your wireless adapter. Next to "Opts", tell Kismet not to hop to different wi-fi channels, then specify what channel it should monitor by writing "hop=false,channel=xx".

On my machine, I eventually received a warning dialog stating that "All packet sources are in error state" - Kismet was unable to identify the type of wireless adapter I had, so I needed to manually specify this as an option when adding it as a source ("type=ipw2200").

Instead of adding the source on start-up, consider adding the source in Kismet's configuration file. Here is an example from my configuration file:

# See the README for full information on the new source format
# ncsource=interface:options
# for example:
# ncsource=wlan0
# ncsource=wifi0:type=madwifi
# ncsource=wlan0:name=intel,hop=false,channel=11
ncsource=eth1:type=ipw2200,name=intel,hop=false,channel=1

Once the source is added, logging should begin automatically. By default, log files are saved in the directory that Kismet was started in, though this can be changed in the configuration file or through command line arguments. Start up the Android app to be tested and generate some traffic. When enough data has been captured, quit Kismet and kill the Kismet Server.

4 Analyze the Log with Wireshark

Install Wireshark if it isn't on your machine. On Ubuntu, the version in the repository is mostly up-to-date, so building from source isn't necessary.

Start Wireshark, click File -> Open, then navigate to the directory where Kismet saved the log files. Find and select the log ending with the extension ".pcapdump" - this is a dump of the raw 802.11 packets captured by your wireless adapter. If the traffic was captured from a WEP-protected network, the hex decryption key can be set under Edit -> Preferences -> IEEE 802.11 (see The Wireshark Wiki - HowToDecrypt802.11).

To find the specific packets for the application you're interested in, try using Wireshark's display filters. The filter "wlan.addr == xx:xx:xx:xx:xx:xx" will limit the displayed packets to only those that were sent by or sent to the specified MAC address, since it matches the MAC in any of the 802.11 address fields (note that the filter for a wired MAC, "eth.addr", is different from the filter for a wireless MAC!). The traffic you're looking for would likely be TCP, so the filter "tcp" can narrow things down further. Eventually, you should be able to find the IP address of the server that the app is communicating with, so the filter "ip.addr == xxx.xxx.xxx.xxx" would give you only packets between the Android phone and that destination.
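To show what the "wlan.addr" filter is doing underneath, here is an added Python example (not part of the original post) that reads a classic pcap with the 802.11 link type, which is what Kismet's ".pcapdump" file is, and selects the frames whose MAC header contains a given address in any field. The capture it parses is constructed inside the script with placeholder MAC addresses; it assumes the file is a classic pcap rather than pcapng and that the frames carry no radiotap header.

```python
import struct

DLT_IEEE802_11 = 105  # pcap link type for raw 802.11 frames, which is what a Kismet .pcapdump holds
PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian pcap; Wireshark opens the same file

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def wlan_addrs(frame):
    """Address fields of the 802.11 MAC header; addr4 exists only when ToDS and FromDS are both set."""
    if len(frame) < 24:
        return []
    fc = struct.unpack_from("<H", frame, 0)[0]
    addrs = [mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])]
    if fc & 0x0100 and fc & 0x0200 and len(frame) >= 30:
        addrs.append(mac_str(frame[24:30]))
    return addrs

def read_pcap(data):
    """Yield each captured frame from a classic (not pcapng) pcap byte string."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != DLT_IEEE802_11:
        raise ValueError("expected a little-endian pcap with the 802.11 link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def frames_for(data, mac):
    """Same selection as the Wireshark filter wlan.addr == mac: frames with mac in any address field."""
    mac = mac.lower()
    return [f for f in read_pcap(data) if mac in wlan_addrs(f)]

# Constructed sample capture, not real traffic: placeholder MACs for a phone, the router and a laptop.
PHONE, ROUTER, LAPTOP = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"

def build_frame(to_ds, from_ds, a1, a2, a3):
    fc = 0x0008 | (0x0100 if to_ds else 0) | (0x0200 if from_ds else 0)  # frame type = Data
    hexmac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack("<HH", fc, 0) + hexmac(a1) + hexmac(a2) + hexmac(a3) + struct.pack("<H", 0)

def sample_pcap():
    frames = [build_frame(1, 0, ROUTER, PHONE, ROUTER),   # phone -> AP (ToDS): addr1=BSSID, addr2=SA
              build_frame(0, 1, PHONE, ROUTER, ROUTER),   # AP -> phone (FromDS): addr1=DA, addr3=SA
              build_frame(1, 0, ROUTER, LAPTOP, ROUTER)]  # another client on the channel, not the phone
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    records = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + records
```

Run against a real Kismet log, `frames_for(open("Kismet-xxx.pcapdump", "rb").read(), phone_mac)` returns exactly the frames Wireshark shows for the same "wlan.addr" filter, which is a quick way to check that the MAC you noted in phase 1 actually appears in the capture.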

Happy hacking!