How and Why to Sniff Smartphone Network Traffic

Smartphone Network Connection Monitoring

Tools for monitoring and modifying connections between web browsers and web servers are essential for debugging, testing, optimizing performance, and assessing vulnerabilities of web-based applications and native applications. Developers, security professionals, and anyone with an interest in gaining insight into the lower levels of web traffic commonly use these tools.

There are many mature options for monitoring connections from desktop machines. Unfortunately, there are fewer tools to monitor connections on smartphones, and these tools often require more complex configurations, as the monitoring software must run on a separate device. In this article, I present an overview of tools and methods for monitoring network connections on smartphones, including devices based on Apple’s iOS (iPhone, iPod Touch, iPad), Google’s Android OS, BlackBerry OS, and Symbian. This article focuses on inspecting HTTP and HTTPS traffic, although many of the tools and techniques described work equally well to analyze other protocols.

This article is the first part in a series. The articles in the series include:

  • An overview of the tools and techniques for monitoring smartphone network connections
  • Pros, cons, and limitations for monitoring smartphone network connections
  • Network monitoring for security analysis and self-defense

Why Monitoring is Useful

Potential use cases for monitoring HTTP and HTTPS traffic–the two primary protocols of the Web:

  • Inspecting network traffic often simplifies debugging AJAX XMLHttpRequest requests, compressed content encoding, and cookies.
  • Network connection details such as the number of HTTP requests, DNS lookups, and cache hits are also valuable for optimizing web application performance.
  • In addition to monitoring, many tools allow modifying requests and responses to simulate valid and invalid user input when testing applications for vulnerabilities.
  • Network monitoring is an effective way to verify that a smartphone application securely handles user authentication and to identify any inappropriate transmission of personally identifiable information such as unique identifiers and location.
  • Inspecting and modifying network traffic is essential for security analysis, for example when searching for Cross Site Scripting (XSS), SQL injection, and path traversal vulnerabilities.
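The checks in the list above can be scripted once requests and responses have been captured. The following is an added example, not code from the article: a small checker that scans plaintext HTTP messages for credentials or cookies sent without TLS, device identifiers and location data in query strings or form bodies, and Set-Cookie headers lacking the Secure and HttpOnly flags. The parameter-name sets are assumed heuristics, and the sample request and response are constructed for the example rather than taken from a real application.

```python
from urllib.parse import parse_qsl, urlsplit

# Parameter names that commonly carry credentials, device identifiers or
# location data. These sets are assumed heuristics for this example, not a
# definitive list.
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "pin", "token", "session"}
IDENTIFIER_KEYS = {"udid", "imei", "deviceid", "device_id", "mac", "serial"}
LOCATION_KEYS = {"lat", "latitude", "lon", "lng", "longitude", "geo"}


def parse_message(raw: str):
    """Split a raw HTTP message into (start line, headers, body).

    Headers are keyed by lower-cased name; each value is a list because a
    message may repeat a header (Set-Cookie in particular)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def check_request(raw: str, tls: bool):
    """Return findings for one request; tls says whether it was carried over HTTPS."""
    start, headers, body = parse_message(raw)
    method, target, _ = start.split(" ", 2)
    params = dict(parse_qsl(urlsplit(target).query))
    ctype = headers.get("content-type", [""])[0]
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body))
    keys = {k.lower() for k in params}
    findings = []
    if not tls and (keys & CREDENTIAL_KEYS or "authorization" in headers):
        findings.append("credentials sent over plaintext HTTP")
    if not tls and "cookie" in headers:
        findings.append("cookie sent over plaintext HTTP")
    if keys & IDENTIFIER_KEYS:
        findings.append("device identifier transmitted: " + ", ".join(sorted(keys & IDENTIFIER_KEYS)))
    if keys & LOCATION_KEYS:
        findings.append("location data transmitted: " + ", ".join(sorted(keys & LOCATION_KEYS)))
    return findings


def check_response(raw: str):
    """Return findings for Set-Cookie headers lacking Secure or HttpOnly."""
    _, headers, _ = parse_message(raw)
    findings = []
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append(f"cookie {name} missing " + "/".join(missing))
    return findings


# Constructed sample traffic (not a real capture): a login POST over plain
# HTTP that also carries a device identifier and location in the query string.
SAMPLE_REQUEST = (
    "POST /login?udid=ABC123&lat=37.77&lon=-122.41 HTTP/1.1\r\n"
    "Host: www.mybank.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: prefs=1\r\n"
    "\r\n"
    "user=alice&password=hunter2"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=abcd; Path=/\r\n"
    "Set-Cookie: prefs=1; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for finding in check_request(SAMPLE_REQUEST, tls=False) + check_response(SAMPLE_RESPONSE):
        print("finding:", finding)
```

Running the sample reports the password and cookie sent in the clear, the udid and lat/lon parameters, and the session cookie that lacks both flags; passing `tls=True` for the same request keeps only the identifier and location findings, which matter regardless of transport.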

Types of Monitoring Tools

Common network monitoring tools come in four major varieties: browser-based development tools, general purpose packet sniffers and network protocol analyzers, specialized HTTP/HTTPS sniffers, and specialized web proxies for debugging and security analysis.

Each type of tool has advantages and disadvantages, but there is no requirement to use a single type, and combinations of tools may offer more power and flexibility. This list is in no way comprehensive; there are many specialized and hybrid tools for monitoring connections.

Two LiveCD Linux distributions contain a large number of tools optimized for penetration testing, a subset of which is useful for network connection monitoring. BackTrack Linux is a very well-regarded distribution. AppSecLive, the OWASP Live CD Project (soon to be known as the OWASP Web Testing Environment, WTE), is another respected collection.

See the Top 100 Network Security Tools from SecTools.org for a larger list.

Configurations for Monitoring

I’ll talk more about the constraints and pros and cons for each option in the second piece of this article, but briefly here are several potential configurations for monitoring.

  • Simulators allow the simplest configurations where the simulator and the monitoring software run on the same machine and share a common network interface.
  • Web proxies are a convenient option, as all modern browsers support them and they only require a small change in the browser settings rather than a change in the network configuration.
  • Ad-hoc networks combined with internet connection sharing are one method to gain access to traffic. If the network monitoring host is located between the mobile device and the internet, it will typically require two network interfaces, usually one wired and one wireless.
  • Network hubs are one method to work around the problems with common switched network configurations.
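Whichever of these configurations places the monitoring host on the path, the usual result is a capture file written by a tool such as tcpdump or Wireshark. As an added example, not code from the article, the following minimal reader parses the libpcap file format (global header followed by per-packet records, with Ethernet/IPv4/TCP frames) and lists the plaintext HTTP request lines originating from the phone's address, ignoring other hosts sharing the network and TLS traffic. The capture is constructed inline from made-up addresses so the example runs offline; a real capture from the tools above can be passed to `http_requests_from` unchanged.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4  # libpcap magic number, microsecond timestamps
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble Ethernet + IPv4 + TCP headers around payload for the sample
    capture (checksums are left zero; the reader below does not verify them)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def build_pcap(frames) -> bytes:
    """Wrap frames in a little-endian libpcap global header and record headers."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_packets(data: bytes):
    """Yield raw link-layer frames from a libpcap byte string (either byte order)."""
    magic_le = struct.unpack("<I", data[:4])[0]
    if magic_le == PCAP_MAGIC:
        endian = "<"
    elif magic_le == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    offset = 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def tcp_payload(frame: bytes):
    """Return (src_ip, dst_ip, dst_port, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[14 + 9] != IPPROTO_TCP:      # protocol field of the IPv4 header
        return None
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    tcp_start = 14 + ihl
    dport = struct.unpack("!H", frame[tcp_start + 2:tcp_start + 4])[0]
    data_off = (frame[tcp_start + 12] >> 4) * 4
    return src, dst, dport, frame[tcp_start + data_off:]


def http_requests_from(pcap: bytes, phone_ip: str):
    """Return [(dst_ip, dst_port, request_line)] for plaintext HTTP requests the phone sent."""
    found = []
    for frame in iter_packets(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, dport, payload = parsed
        if src != phone_ip or not payload:
            continue
        first = payload.split(b"\r\n", 1)[0]
        if first.endswith(b"HTTP/1.1") or first.endswith(b"HTTP/1.0"):
            found.append((dst, dport, first.decode("ascii", "replace")))
    return found


# Constructed sample capture: the phone, a second LAN host, and a TLS record.
PHONE_IP = "192.168.2.10"
SAMPLE_PCAP = build_pcap([
    build_frame(PHONE_IP, "203.0.113.5", 49152, 80, b"GET /account HTTP/1.1\r\nHost: www.mybank.com\r\n\r\n"),
    build_frame("203.0.113.5", PHONE_IP, 80, 49152, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_frame("192.168.2.20", "203.0.113.5", 50000, 80, b"GET /other HTTP/1.1\r\n\r\n"),
    build_frame(PHONE_IP, "203.0.113.5", 49153, 443, b"\x16\x03\x01\x00\x05hello"),
])

if __name__ == "__main__":
    for dst, port, line in http_requests_from(SAMPLE_PCAP, PHONE_IP):
        print(f"{PHONE_IP} -> {dst}:{port}  {line}")
```

Filtering on the phone's source address is what makes the shared-connection and hub setups usable: the capture also contains the monitoring host's own traffic and that of any other device on the segment. The HTTPS record on port 443 shows up as opaque bytes, which is the limitation the next section addresses.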

Limitations for Monitoring

There are significant constraints for monitoring network connections. I’m specifically talking about WiFi-based traffic and not cellular traffic. Monitoring cellular traffic is substantially more complicated and requires specialized equipment. In nearly every case, all important web-related traffic will travel over WiFi if the cellular data connection is disabled on the device.

Limited software is one constraint. For example, there is currently no way to run WebKit Web Inspector, Firebug or LiveHTTPHeaders directly on a smartphone. Limited networking options add another constraint, as well as added complexity to the monitoring configuration. Typically, smartphones must communicate over wireless connections rather than wired connections, which eliminates some options for monitoring network traffic. Most modern network hardware is switched, which further limits the ability to access the traffic, even when an access point is plugged into a wired network. Additionally, wireless access points protected by WPA/WPA2 encryption employ per-user keys, so the difficulties in sniffing are similar to those on switched networks.

Finally, monitoring connections encrypted with SSL/TLS also requires more complex configurations. The most straightforward option involves adding a new Certificate Authority to the trusted list in the browser. This effectively creates a man-in-the-middle attack for the browser that allows decryption of the HTTPS traffic. The browser will produce a series of warning messages, but it will be possible to view the encrypted traffic.

Smartphone Phishing Protection Needs Improvement

Recent versions of desktop Web browsers and email clients feature phishing and malware protection in addition to improved security notifications and indicators. Unfortunately, many of these improvements have not reached their mobile device counterparts. While the patterns of use and the threat model for Web browsing and email on mobile devices differ from desktop applications, as smartphones become more capable they present an increasingly attractive target. Institutions and services that wish to protect their mobile user base should seriously consider server-based filtering for both email and Web content on mobile devices. Currently, it is difficult–to nearly impossible–to verify the authenticity of email messages and the destination of hyperlinks on many common smartphones.

Many organizations employ network filtering and threat detection. Modern desktop browsers offer additional protection by displaying warnings for potential phishing sites, sites known to contain malware, and invalid or expired SSL certificates. It is a rare organization or email provider that does not filter its email for spam and viruses. Most modern Web browsers and desktop email clients can utilize third-party software and blacklists to display warnings for potential phishing attacks, viruses, and other types of malware. Blacklist-based security notifications have begun to appear in smartphone Web browsers, although they have been slow to arrive for mobile email clients.

In my column You Can Fool Some of the People All of the Time: Research on Usability, Security and Phishing, I summarized research papers on phishing vulnerabilities from both academia and industry. In closing the column, I discussed potential areas of weakness in mobile and embedded browsers found by researchers. One year later, these platforms face increased attacks. According to a 2009 study by Pew Internet and American Life, 55 percent of U.S. adults connect to the Internet via a WiFi enabled laptop, smartphone, or consumer device. Of U.S. adults, 39 percent connect wirelessly via a laptop, 32 percent with a mobile phone (19 percent on a typical day), 12 percent with a desktop computer, 9 percent with a game console, 7 percent with a PDA type device, 5 percent with an MP3 player, and 1 percent with an ebook reader. This means that a significant portion of any user base is likely to spend at least some time connected via insecure and unfiltered networks. Users with mobile devices are far more likely to connect via an unsecured WiFi network when they are outside of a standard enterprise network. VPN and enterprise WiFi security on mobile devices require complicated configuration and are typically only used when configured or provisioned by IT staff.

Although consumers increasingly use mobile devices for high value interactions such as online banking and making significant purchases, there has been little published research investigating authentication and authorization from these devices. Many mobile devices have reduced keyboards, which make long complicated passwords cumbersome and error prone. The small size of mobile screens may limit the ability to view credentials while typing, which creates further difficulties when logging in and provides fewer options to display security indicators. Advanced Web browsers available on the iPhone, Android-based devices, and those using the Opera mobile browser are capable of rendering most modern Web pages. These browsers still involve tradeoffs, often requiring the user to pan and zoom or the browser to reformat the page due to limited screen size.

Given the constraints imposed by mobile devices, security indicators and warnings need more effective designs for wide deployment. I attempt to provide a picture of the variation in current security indicators and warnings and to show the difficulty of verifying the authenticity of content. My test equipment included an iPhone 3GS running iPhone OS 3.1.3, an HTC Magic running Android 1.5, a Motorola Droid running Android 2.0, and a BlackBerry Bold 9000 running BlackBerry OS 4.6.304. All four devices left significant room for improvement. Security researcher Aviv Raff discovered many of the issues described here in 2008. Joshua Perrymon at PacketFocus provided more detail in his PhishCamp project in 2009.

Security indicators and additional warnings presented by desktop browsers, email clients, and most Web mail clients provide some additional protection to users, although usability research shows that few users notice security indicators without training and quickly cease to pay attention to frequent warnings. On desktop browsers, users can view the URL of a hyperlink by placing the mouse over the link and viewing the URL in the status bar. Most desktop email clients will display the same information in a mouse tooltip. Unfortunately, the status bar is often turned off by default in many browsers and must be enabled manually. Even though few people may take advantage of this feature, it is one of the only mechanisms to verify that a link that displays http://www.mybank.com/ does not in fact point to a clever facsimile that is a phishing site. None of the mobile email applications had the ability to display the full headers of an email, which is another method that can give an indication that an email might have been forged. Most Web mail services have an option to display full headers, although the feature is often difficult to locate.

Many mobile browsers also provide a feature to display the URL for a hyperlink. For example, on both the iPhone and the Android browsers, if the user clicks and holds a link in either the browser or email client, the URL is then displayed in a separate window. On the BlackBerry, the link can be viewed by selecting a menu item. Both the iPhone and the Android devices truncated long URLs in the separate display. Only the BlackBerry browser was capable of displaying the full link, even for very long URLs. The iPhone display truncates the middle portion of long URLs and indicates the truncated portion with an ellipsis. The Android devices truncated the end of the URL, but provided no indication that the URL was truncated. Both the iPhone and the Android devices displayed more of the URL in landscape mode than portrait mode. The problem, as described by Raff, is more complicated: the phishing site may use a much longer URL that takes advantage of the truncated portion to hide the fact that the destination is not legitimate.
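The two truncation behaviours described above, and the check that makes either of them safe, can be shown with a few lines of Python. This is an added example, not code from the article or from either browser: `truncate_end` mimics cutting the tail with no marker, `truncate_middle` mimics keeping both ends with an ellipsis, and `link_summary` and `host_matches` are the mitigation, namely parsing the URL and surfacing the host that actually decides the destination rather than relying on whatever portion of the string fits on screen. The long URL is constructed for the example and uses the reserved `example.com` domain.

```python
from urllib.parse import urlsplit

ELLIPSIS = "\u2026"


def truncate_end(url: str, width: int) -> str:
    """Cut the tail of a long URL with no marker (the Android behaviour the article describes)."""
    return url if len(url) <= width else url[:width]


def truncate_middle(url: str, width: int) -> str:
    """Keep both ends and mark the cut with an ellipsis (the iPhone behaviour).

    The result is exactly width characters long when truncation happens."""
    if len(url) <= width:
        return url
    keep = width - 1
    head = (keep + 1) // 2
    tail = keep - head
    tail_part = url[-tail:] if tail else ""
    return url[:head] + ELLIPSIS + tail_part


def link_summary(url: str) -> dict:
    """Mitigation: report the fields that decide where a link really goes,
    independent of how much of the URL string fits on a small screen."""
    parts = urlsplit(url)
    return {"scheme": parts.scheme, "host": (parts.hostname or "").lower(), "port": parts.port}


def host_matches(url: str, expected_host: str) -> bool:
    """True only if the link's host is expected_host itself or a subdomain of it.

    A host that merely *starts* with the expected name (www.mybank.com.something)
    is rejected, which is the case end-truncation hides."""
    host = link_summary(url)["host"]
    expected = expected_host.lower()
    return host == expected or host.endswith("." + expected)


# Constructed example URL: the first 21 characters read like the bank's site,
# but the registrable domain is example.com.
LONG_URL = "http://www.mybank.com.login-verify.example.com/account/confirm?id=1234567890"

if __name__ == "__main__":
    print("end-truncated:   ", truncate_end(LONG_URL, 21))
    print("middle-truncated:", truncate_middle(LONG_URL, 21))
    print("actual host:     ", link_summary(LONG_URL)["host"])
    print("is mybank.com?   ", host_matches(LONG_URL, "mybank.com"))
```

At a width of 21 characters the end-truncated display reads `http://www.mybank.com` with nothing to indicate that more follows, while the middle-truncated display at least shows that something was cut. Neither tells the user the host, which is why a link viewer should print the parsed hostname separately, as `link_summary` does.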

User testing shows that SSL certificate warnings are of limited use. The problem is described in detail in Crying Wolf: An Empirical Study of SSL Warning Effectiveness, presented at the 2009 Usenix Security Symposium. There are currently so few means of verifying the authenticity of sessions on mobile sites that these warnings should not be immediately discounted. Of the browsers on all three platforms tested, only the iPhone OS browser displayed an indicator that distinguished between standard SSL certificates and Extended Validation (EV) certificates. The Android and BlackBerry devices did not make a distinction between the two types of certificates. All three browsers displayed warnings for mismatched SSL certificates. Every major desktop browser provides a mechanism to verify the authenticity of an SSL certificate, although only the Android browser provided this option on the mobile devices tested. The Android browser provided an additional indicator by displaying a lock with a question mark for sites where the hostname on the SSL certificate did not match the site.
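The mismatch warning the browsers displayed rests on one check: does the hostname the user navigated to appear among the names the certificate was issued for? As an added example, not code from the article or from any of the browsers tested, the following implements that check over a certificate in the dictionary shape that Python's `ssl` module returns from `getpeercert()` (a `subjectAltName` tuple of `(type, value)` pairs and a `subject` tuple of relative distinguished names). It applies the rule browsers use: subject alternative names take precedence, the common name is consulted only when no DNS alternative name is present, and a wildcard may stand only for the entire leftmost label. The sample certificate dictionary is constructed for the example.

```python
def _dns_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName pattern against host, allowing '*' only as the whole
    leftmost label of a name with at least two further labels (RFC 6125 style)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict):
    """Names eligible for matching: SAN dNSName entries, or the subject
    commonName only when the certificate carries no DNS alternative name."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def hostname_matches(cert: dict, host: str) -> bool:
    """True if host is covered by at least one eligible certificate name."""
    return any(_dns_name_matches(name, host) for name in cert_names(cert))


def indicator(cert: dict, host: str) -> str:
    """The state a browser indicator should reflect for this connection."""
    return "hostname ok" if hostname_matches(cert, host) else "hostname mismatch"


# Constructed certificate in the shape of ssl.SSLSocket.getpeercert(): issued
# to www.mybank.com and any single-label host under mobile.mybank.com.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.mybank.com"),),),
    "subjectAltName": (("DNS", "www.mybank.com"), ("DNS", "*.mobile.mybank.com")),
}

# Constructed legacy certificate with no SAN extension, so only the CN counts.
LEGACY_CERT = {"subject": ((("commonName", "legacy.mybank.com"),),)}

if __name__ == "__main__":
    for host in ("www.mybank.com", "m.mobile.mybank.com", "mobile.mybank.com",
                 "www.mybank.com.example.com"):
        print(f"{host:32} {indicator(SAMPLE_CERT, host)}")
```

The last sample host shows why this check complements the link-display problem discussed earlier: a certificate for a lookalike domain is a perfectly valid certificate for that domain, so the mismatch indicator only fires when the name the user typed or tapped disagrees with the certificate, never when the user was led to the wrong name in the first place.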

The results from my limited test clearly indicate that the current generation of smartphones leaves much to be desired in terms of protection from phishing and other types of forged content. Support organizations should consider offering enhanced filtering for email and Web browsing on mobile devices until the situation improves. End-users should be even more critical of content viewed on a mobile device and should consider verifying the content via another channel when there is a high value transaction. This article provides an overview of a subset of the current problems on mobile devices. In future columns, I will cover additional problems with security on mobile devices, including limited verification of SSL certificates in both email and over-the-air provisioning mechanisms, and security concerns with other devices, such as the browsers built into hundreds of millions of gaming consoles.

* This article originally appeared as Smartphone Anti-Phishing Protection Leaves Much to Be Desired in the March 2010 issue of Messaging News
