Stelios
Stelios Life-long learner, happy father, trying to do some software engineering on the side.

What does my smartphone really do?

What does my smartphone really do?

What is your phone really doing?
More specifically, what are the apps installed on your phone really doing?
Do they just sit there? Do they constantly send data to their servers?

Do you even know what is sending data where and how often?

I had to answer this question recently for a little pet project.

I had no intention of rooting my phone, nor did I have unlimited time to tinker with its internals (I still need it during the day).

So? How do I do it?

Enter Wireshark.

Jaws

Shark

Photo by David Clode on Unsplash

Wireshark is a communication packet analysis tool. It has been around for 20 years now and supports monitoring of almost any computer protocol known to man.
From Ethernet to Bluetooth to Token Ring and beyond. It can filter packets, correlate, introspect, import, export, book cinema tickets, you name it!

How to install it?
Very easily, with installers for Mac and Windows.

You have installed Wireshark on your computer and you are thinking…

And now what?

Observe

Photo by Franck V. on Unsplash

There are 2 ways to capture your mobile phone’s traffic.2 that the amateur guy writing this could quickly think of :-)

  • Capture wifi traffic
    Your phone and your laptop are part of the same wifi network.

  • Mobile phone uses your PC as access point
    Your phone connects to your laptop/machine to access the internet. (if your phone and OS support this)

Let’s see them in more detail.

Capture wifi traffic

Wifi

Photo by Bernard Hermant on Unsplash

To put it in very simplistic words, wireless network is just radio; anyone can listen in. However, if it is a password-protected network, then you need the wifi password to actually understand who is doing what.

IEEE 802.11 (a.k.a. WLAN, a.k.a. wifi) is the protocol for wireless network communications. Packets and traffic at this low level can be useful to trouble-shoot network problems. E.g. some device is flooding your local airwaves, packets keep dropping off,…
You need to know what you are doing and looking at at this low level.

Depending on your laptop and wireless card, you may need to tweak things to actually get some meaningful traffic, i.e. let Wireshark interpret the low-level stuff for you.

Note: All screenshots and settings are from a MacBook Pro, running MacOS Mojave and Wireshark 3.0.0.
Your settings and UI may differ slightly.

What is my laptop’s IP?

Wireless settings
In the settings screen of your wireless adaptor, select your wifi.

Wireless IP
Then note down your own IP. You will need this later on.

What is my phone’s IP?

Phone wireless settings
In the wireless networks of your phone’s settings screen , select your wifi.

Wireless IP
Then note down your phone’s IP. You will need this later on.

Launch Wireshark

Wireshark initial screen
Launching Wireshark, you will see

  1. A list of all potential sources of traffic
  2. If they are currently active or not
  3. A drop-down allowing you to show/hide sources

Fine-tune capture

Before we start we will need to fine-tune things a bit.

Settings
Select your wireless source and click the settings button

More settings
In the Input tab

  1. Select 802.11 plus radiotap
  2. Promiscuous mode, i.e. capture all traffic flying around
  3. …and be in Monitor mode

Even more settings
In the Options tab

  • Resolve MAC addresses: As Wireshark encounters network traffic identifying hardware it starts remembering and showing the names of devices
  • Resolve network names: On a similar manner, it remembers and shows host names (www.foobar.com), rather than IPs (2.1.1.234)

Wifi settings

There is one last thing to capturing wifi traffic: being able to decrypt it.

Wifi settings
Go to the Preferences menu

  1. In the Protocols list, find IEEE 802.11
  2. Select Yes - with IV (you may need a different setting for your machine!)
  3. (Only if your wifi has a password) Enable deryption and click Edit

Wifi password
Select WEP (really old) or WPA (most likely), according to your wifi’s settings.
The format of typing the wifi password is password:wifiName, e.g. ‘superman3:Netgear-3e45’.
This way you can have settings for more than one wireless network.

Start capture

Double-click the Wireless adapter from the list to start capturing traffic.

Traffic

  1. The top-left buttons allow you to start/stop/restart capture
  2. Each packet has an identified source and destination
  3. …according to its recognized protocol. This will help you identify what you are looking for
  4. Finally, bottom-right you can see the packets captured.

Unless you are in a really-really quiet network (home alone, no other devices), you will need to filter information.

Ignore 802.11 management packets

IP traffic
You can focus only on IP packets by filtering for that protocol.
Wireshark has a query language and thousands of fields to filter on.

Ignore my laptop’s traffic

Not my traffic
You can further filter by ignoring your own machine’s traffic (from and to).
Or you can just filter for the traffic from/to your mobile phone.
These are the IPs we noted down earlier.

You will now start seeing traffic coming in with locl and remote host names.

Are we ready to hack now?

Well, almost there!

The last thing to start properly seeing your phone’s (or any device’s) traffic is to ‘witness’ a full EAPOL handshake.
In plain English, the device has to (re-)join the wifi while you are capturing and you get all 4 packets of the handshake.

In the case of a phone that means switching on the wifi, when coming out of sleep mode. Even then there is chance that your device renegotiates and you have to switch off/on again.

PC as gateway

Gateway

Photo by Parth Vyas on Unsplash

The above is too much work.
A couple of planets need to align, plus the network needs to be quiet, esp. if you are grasping at straws.

An easier way is to use your laptop as a gateway, if your OS supports it.
In plain English, share your laptop’s internet connection with your phone (rather than the other way around).

Share laptop connection

After enabling your laptop’s Bluetooth connection…

Settings screen
In your Settings dialog, find the Sharing section.

Sharing
Select Internet sharing from Bluetooth (or another combination which would work for you).

Connect from phone

Data off
On your phone, switch off all connections, including mobile data.
Leave only Blueetooth on.

Connect to laptop
Connect to your laptop.

…and profit!

Capture
You can immediately see traffic from/to your phone.

You can now start filtering/dissecting for what you are looking for.

Parting thought

Looking at me?

Photo by Maria Teneva on Unsplash

For many of us, our phones may be worth much-much more than their monetary value.
Taking an occasional look on what goes in and out does not hurt.

Happy ‘sharking!

comments powered by Disqus