Detect What A Mobile App Is Sending To Its Servers

Recently there has been a lot of chatter about mobile apps uploading your entire address book to their servers. The app makers claim that their intentions are noble, yet they have no right to the data unless you give consent. As informed consumers, we should learn how to detect that an app is phoning home and what information it is sending.

Apps Phoning Home

A lot of mobile apps that provide social networking features and connect you with your friends upload information from your address book to their servers unbeknownst to you. Which apps are doing this? That is not the right question; the right question is WHY they are doing it. The main reason we have heard is that they want to have the information to notify you when a friend from your address book joins their service. I’m not sure if I prefer ease of use over violation of privacy. If an app specifically asks for your consent then by all means go ahead, but don’t just steal my data! Yes, it is absolutely stealing if you are not asking for my permission.

What Can You Do?

Glad you asked. Firstly, you can learn how to detect these kinds of activities for yourself. All it takes is installing software and changing a few settings on your device.

The software for the job is known as a “man in the middle” or MITM proxy. As the name suggests, this utility stands in between your device and the server the app is trying to reach. The MITM proxy inspects the packets and provides you with useful information such as: request headers, parameters and data sent.

We are going to use a free tool called Paros proxy, but you could also use mitmproxy. The latter is only tested for OSX, Unix and Linux but I didn’t have much success with it. Paros is a cross-platform tool built in Java, which means you can install it regardless of your operating system.

Installing Paros Proxy

Before you can install Paros, make sure that you have the Java runtime installed.

Download Paros proxy for your operating system. Mac OSX users should download the Unix version and open the “paros.jar” file.

Next, find the IP address of your Wi-Fi connection.

  • Windows: open the command prompt and type ipconfig
  • Mac OSX: open the Terminal app and type ifconfig en1 | grep inet, or go to System Preferences and click on Network

Wifi

Finally, open the Paros proxy software, select Tools > Options > Local proxy from the menu, and enter the IP address that you found in the previous step in the address field. Leave the port at 8080.

Paros options

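Set Up Your Device

Open Settings, select Wi-Fi, tap the selected Wi-Fi network and scroll towards the bottom. There, set the HTTP proxy to manual and enter the IP address and port (8080) that you configured in Paros.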

iPhone Wi-Fi proxy

Find A Suspect App

For this tutorial, we will use an app called Path, which has been known to upload your address book. However, to be fair to Path, they have issued an official apology and added an opt-in feature for a future update.

Make sure you have the Paros proxy software running and then open up Path on your device. Once you sign up or log in to Path, you can see the requests being made to the server in the logs of the Paros proxy software.

Paros log
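
To triage a request copied out of the proxy log, the added example below (not part of the original article or of Paros) decodes a JSON or form-encoded body and lists the fields that look like email addresses or phone numbers. The sample request and its /v1/sync path are constructed, and the patterns are heuristics that also match long numeric IDs.

```python
import json
import re
from urllib.parse import parse_qsl

PATTERNS = {"email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
            "phone": re.compile(r"\+?\d[\d\s().-]{6,}\d")}  # heuristic: long numeric IDs match too

def parse_request(raw):
    """Split a raw HTTP request into (request line, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    first, *rest = head.split("\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in rest)}
    return first, headers, body

def leaf_values(node, path=""):
    """Yield (path, text) for every scalar inside decoded JSON."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from leaf_values(val, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from leaf_values(val, f"{path}[{i}]")
    elif node is not None:
        yield path, str(node)

def body_fields(headers, body):
    """Decode the body by Content-Type into (field, value) pairs."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/json":
        try:
            return list(leaf_values(json.loads(body)))
        except ValueError:
            pass  # malformed JSON: scan it as raw text instead
    if ctype == "application/x-www-form-urlencoded":
        return parse_qsl(body, keep_blank_values=True)
    return [("(raw body)", body)]

def audit(raw):
    """Return the request line and the body fields holding contact-like data."""
    request_line, headers, body = parse_request(raw)
    hits = [(field, [kind for kind, rx in PATTERNS.items() if rx.search(value)])
            for field, value in body_fields(headers, body)]
    return request_line, [hit for hit in hits if hit[1]]

# Constructed sample request, not real traffic from any app.
SAMPLE = ("POST /v1/sync HTTP/1.1\r\nContent-Type: application/json; charset=utf-8\r\n\r\n"
          '{"contacts": [{"name": "Ann Lee", "emails": ["ann@example.com"], "phones": ["+1 555 010 0199"]},'
          ' {"name": "Bo Diaz", "emails": [], "phones": ["555-010-0142"]}]}')
print(audit(SAMPLE))
```

A request whose body yields many such fields right after login is the kind worth reading in full in the proxy log.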

If you discover that an app is sending data that you have not consented to, then please report it. Blog about it, let people know and make them change their policy to add an opt-in feature.

Comments

7 comments on “Detect What A Mobile App Is Sending To Its Servers”

  1. Thank You

    The Given information is very effective
     I will keep updated with the same 

  3. Great article!  I’ve actually been trying to find a way to get this information and thought that the solution would lie in modifying my router’s firmware.  Can’t believe I didn’t think of using a proxy service.