Recently there has been a lot of chatter about mobile apps uploading your entire address book to their servers. The app makers claim that their intentions are noble, yet they have no right to the data unless you give consent. As informed consumers, we should learn how to detect that an app is phoning home and what information it is sending.
Apps Phoning Home
A lot of mobile apps that provide social networking features and connect you with your friends upload information from your address book to their servers without your knowledge. Which apps are doing this? That is not the right question; the right question is WHY they are doing it. The main reason we have heard is that they want the information so they can notify you when a friend from your address book joins their service. I’m not sure I prefer ease of use over a violation of privacy. If an app specifically asks for your consent then by all means go ahead, but don’t just steal my data! Yes, it is absolutely stealing if you are not asking for my permission.
What Can You Do?
Glad you asked. Firstly, you can learn how to detect these kinds of activities for yourself. All it takes is installing software and changing a few settings on your device.
The software for the job is known as a “man in the middle” or MITM proxy. As the name suggests, this utility stands in between your device and the server the app is trying to reach. The MITM proxy inspects the packets and provides you with useful information such as the request headers, parameters and data sent.
We are going to use a free tool called Paros proxy, but you could also use mitmproxy. The latter is only tested on OSX, Unix and Linux, and I didn’t have much success with it. Paros is a cross-platform tool built in Java, which means you can install it regardless of your operating system.
Installing Paros Proxy
Before you can install Paros, make sure that you have the Java runtime installed.
Download Paros proxy for your operating system. Mac OSX users should download the Unix version and open the “paros.jar” file.
Next, find the IP address of your Wi-Fi connection.
- Windows: go to the command prompt and type ipconfig
- Mac OSX: open up the Terminal app and type ifconfig en1 | grep inet, or go to System Preferences and click on Network
Finally, open up the Paros proxy software, select Tools > Options > Local proxy from the menu and, in the address field, enter the IP address that you found in the previous step. Leave the port at 8080.
Setup Your Device
Open up Settings, select Wi-Fi, tap the selected Wi-Fi network and scroll towards the bottom.
Find a Suspect App
For this tutorial, we will use an app called Path which has been known to upload your address book. However, to be fair to Path they have issued an official apology and added an opt-in feature for a future update.
Make sure you have the Paros proxy software running and then open up Path on your device. Once you sign up or log in to Path, you can see the requests being made to the server in the logs of the Paros proxy software.
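Once the requests show up in the proxy, it helps to have a quick way to read what one of them carries. The following Python script is an added example (not part of the original post or of Paros): it parses a single captured request, decodes a Basic Authorization header to show that Base64 hides nothing from anyone on the path, and flags email addresses and phone numbers in the body. The host name, credentials and contacts in the sample request are constructed for the example.

```python
import base64
import re

# Constructed sample of one request as a MITM proxy such as Paros would show it.
# Host, credentials and contacts are all made up for this example.
SAMPLE_REQUEST = (
    b"POST /api/contacts/sync HTTP/1.1\r\n"
    b"Host: api.example-app.invalid\r\n"
    b"Authorization: Basic YWxpY2VAZXhhbXBsZS5jb206aHVudGVyMg==\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"contacts":[{"name":"Bob","phone":"+1 555 010 2233","email":"bob@example.com"},'
    b'{"name":"Carol","phone":"555-010-4455"}]}'
)

# Loose patterns: the goal is to flag likely address-book fields, not to validate them.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")

def parse_request(raw):
    """Split a raw HTTP request into its request line, a header dict and the body text."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("utf-8", "replace")

def decode_basic_auth(headers):
    """Base64 is an encoding, not encryption: anyone on the path can read a Basic header."""
    value = headers.get("authorization", "")
    if not value.lower().startswith("basic "):
        return None
    user, _, password = base64.b64decode(value[6:]).decode("utf-8").partition(":")
    return user, password

def analyze_request(raw):
    """Summarise where a request goes and what personal data rides along with it."""
    request_line, headers, body = parse_request(raw)
    return {
        "path": request_line.split()[1],
        "host": headers.get("host"),
        "credentials": decode_basic_auth(headers),
        "emails": EMAIL_RE.findall(body),
        "phones": [p.strip() for p in PHONE_RE.findall(body)],
    }

if __name__ == "__main__":
    print(analyze_request(SAMPLE_REQUEST))
```

To use it on a real capture, paste the raw request text from the proxy into SAMPLE_REQUEST; form-encoded bodies are scanned by the same patterns.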
If you discover that an app is sending data that you have not consented to then please report it. Blog about it, let people know and make them change their policy to add an opt-in feature.
Thanks for this valuable post. Can you please explain: if an app is installed on a PC-based emulator for Android, can we see the traffic?
Great article, searching to get info on this, finally found it after ages !
Great article! I’ve actually been trying to find a way to get this information and thought that the solution would lie in modifying my router’s firmware. Can’t believe I didn’t think of using a proxy service.
If you’re so concerned about your privacy, maybe you should hide your Gmail password… (Base64 is not encryption)
A question: Shouldn’t you install a fake CA root certificate in your iOS device to make this hack work?
Thanks for pointing that out. It’s really not a hack just going through a proxy.
Thank You
The Given information is very effective
I will keep updated with the same