With whom is your App secretly communicating?

How to expose the hidden connections.

The new version of NetworkToolbox contains a Tool that shows all currently open or closing connections on your device. This can be very useful if you want to analyze which connections a particular App may have opened without your knowledge or permission.

The following is an example of how to use this tool using Shazam and DoodleJump.

First, start NetworkToolbox and open the Connections tool. The screen is divided into three sections. The first, External TCP connections, is the interesting one. The number on the right side of this line shows the number of connections. If there are too many (maybe more than five), just wait a while and press the refresh button at the top until this number decreases to less than five.

[Screenshot: Connections Tool]

Then, switch to the App you would like to inspect, in my case Shazam. Play around with the App and then switch back to NetworkToolbox. Then press the refresh button.
Now you will see many more connections, all caused by opening and using Shazam. Next, tap on External TCP Connections and you will see a list of those connections, like the one shown below:

[Screenshot: IMG_3699]

Usually there are a lot of IP addresses listed that start with 17… This is Apple, so don’t worry: Apple IP addresses usually start with 17. Apple also still uses Akamai for some of its services, so you can skip those Akamai addresses in the same way.

In addition, on the screen above, you can see some Shazam addresses where the name of the IP address was resolved.

But what about the other addresses?

For further analysis, you can tap on an entry to see its details. From the details screen you can then tap on the […] button next to the Remote address.

And now, just tap on Certificates which will bring up the following screen:

[Screenshot: IMG_3702]

So here, you can see how the Certificate Tool of my App helps to find out server names even when the IP address cannot be resolved to a name.

For Shazam, all seems to be fine as they only seem to connect to their own services (for now). However, let’s try DoodleJump:

[Screenshot: IMG_3704]

And here it gets interesting. As you can see, DoodleJump is using my friend Flurry (which now belongs to Yahoo, by the way). It’s sometimes even interesting to visit the corresponding website by hitting […] again and selecting HTTP Connect. You can also do the same from inside the Certificate Tool, which often also reveals other domains that use the same IP address and gives you a good impression of whom you are dealing with.
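The same triage can be scripted on a desktop once you have noted the remote addresses. This is an added example, not part of NetworkToolbox: the function names, labels and the Akamai suffix list are assumptions, and the sample endpoints are constructed.

```python
import ipaddress, socket, ssl

APPLE_NET = ipaddress.ip_network("17.0.0.0/8")   # "Apple IP addresses usually start with 17"
CDN_SUFFIXES = ("akamaitechnologies.com", "akamai.net", "akamaiedge.net")  # assumed Akamai names

def reverse_name(ip):
    """Reverse DNS lookup; None when the address has no resolvable name."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def cert_names(ip, port=443, timeout=5.0):
    """DNS names in the certificate the server presents when contacted by IP (no SNI)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # no hostname known yet; the chain is still verified
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                cert = tls.getpeercert()
    except OSError:                     # refused, timed out, not TLS, or untrusted chain
        return []
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def under(name, suffixes):
    """True if name (wildcard prefix ignored) equals or is a subdomain of any suffix."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return any(name == s or name.endswith("." + s) for s in suffixes)

def classify(ip, names, first_party):
    """Label one remote endpoint from its address and whatever names were recovered."""
    if ipaddress.ip_address(ip) in APPLE_NET:
        return "apple"
    if not names:
        return "unidentified"
    if any(under(n, CDN_SUFFIXES) for n in names):
        return "cdn"
    if all(under(n, first_party) for n in names):
        return "first-party"
    return "third-party"

def identify(ip, port=443):
    """Live lookup: reverse DNS first, certificate names as the fallback."""
    name = reverse_name(ip)
    return [name] if name else cert_names(ip, port)

if __name__ == "__main__":  # constructed sample endpoints, not captured traffic
    for ip, names in [("17.0.0.1", []), ("192.0.2.10", ["*.shazam.com"]), ("198.51.100.7", ["data.flurry.com"])]:
        print(ip, classify(ip, names, ("shazam.com",)))
```

For a live check, pass the result of `identify(ip)` as `names`; a server contacted without SNI returns its default certificate, so the names can differ from what the App itself saw.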

Conclusion:

Even though my App can’t provide a network-sniffing tool, because such a tool would not pass Apple’s App Review process, the new Connections Tool makes it possible to identify unwanted connections of evil or untrustworthy Apps. Of course, you can’t see exactly which App initiates a certain connection or what exactly gets transferred. But if you follow the steps described in this tutorial, you can be quite certain about the cause of a connection and about hidden App communication. You can then judge for yourself whether it is a necessary connection or an unnecessary and undesirable one that is just being used to spy on your activities or to generate ad traffic directed at you, consuming your bandwidth.

And you would now be in a position to react. You can either delete such an App or add the IP address in question to your firewall or router blacklist.

So, as I used to say, don’t trust the evil…