I have been a longtime iPhone user and decided recently to break out of the walled garden and explore Android. I am specifically interested in the privacy and security aspect of this operating system.

During my investigations, I came across Net Monitor, an app which allows you to monitor the network activity on the smartphone:

"Privacy Friendly Net Monitor monitors active network activity and provides information on the scanned connections and apps. The Connection's local and remote socket information is displayed along with a resolved hostname information and protocol evaluation based on well-known ports. Known un-/encrypted protocols are automatically marked. This app belongs to the Privacy Friendly Apps group developed by the SECUSO research group, Universität Darmstadt, Germany."

I was astonished by the fact that the app did not need to ask any permissions to be able to monitor the network activity. I decided to explore this topic more in depth.

Android realizes parts of its sandbox model for the apps with SELinux. SELinux blocks the access to resources on your device by default. You have to specifically write rules to grant access. It appears Android allows all apps the access to the /proc/net directory by default.

Some background information about proc:

"The proc filesystem is a special filesystem in Unix-like operating systems that presents information about processes and other system information in a hierarchical file-like structure, … (procfs)

/proc/net/, a directory containing useful information about the network stack, in particular /proc/net/nf_conntrack, which lists existing network connections …"

This means that every app on your Android smartphone can monitor which apps connect to the internet and also when and where they connect to, without having to ask permission to do so.

People familiar with SELinux will find the related rule in the policy file untrusted_app.te under android / platform / external / sepolicy:

    # access /proc/net/xt_qtguid/stats
    r_dir_file(untrusted_app, proc_net)

Untrusted apps means: "In current AOSP, this domain is assigned to all non-system apps as well as to any system apps that are not signed by the platform key."

This rule does not only give access to the stats file as indicated but also any other file under /proc/net.

My next question was if apps take advantage of this possibility. To be able to observe if apps access resources under /proc/net, I built my own custom ROM where I disabled the above-mentioned rule (LineageOS version 14.1). Removing this rule from the policy file blocks any access from apps to /proc/net and also logs the failed attempts.

My app of choice to test this was the Facebook app and sure enough, it does access files under /proc/net. Right after I launched the app on my custom ROM and even before I logged in to the app, it tries to access /proc/net resources:

    02-04 03:30:30.551 6722 6722 W Bg_Shared3: type=1400 audit(0.0:7): avc: denied { read } for name="iface_stat_fmt" dev="proc" ino=4026535949 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
    02-04 03:30:30.718 6728 6728 W Bg_Shared7: type=1400 audit(0.0:8): avc: denied { read } for name="stats" dev="proc" ino=4026535946 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
    02-04 03:30:32.241 6728 6728 W Bg_Shared7: type=1400 audit(0.0:9): avc: denied { read } for name="stats" dev="proc" ino=4026535946 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
    02-04 03:30:33.355 6728 6728 W Bg_Shared7: type=1400 audit(0.0:10): avc: denied { read } for name="stats" dev="proc" ino=4026535946 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
    02-04 03:30:33.358 6728 6728 W Bg_Shared7: type=1400 audit(0.0:11): avc: denied { read } for name="stats" dev="proc" ino=4026535946 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0

(extract from the logcat output; Bg_Shared3 and Bg_Shared7 only appear after launching the Facebook app on a freshly installed ROM.)

The stats file under /proc/net provides information which services connect to the net and how much they transfer.

Conclusions:

- Android does not prevent the access to sensitive information, which apps connect to the internet and where they connect to, from third parties. This should be fixed as soon as possible. I see no reason why apps should have direct access to this information.
- The Facebook app takes advantage of this situation and retrieves information which apps connect to the internet and how much information they transfer.

My recommendation:

- Use open source software, preferably from F-Droid. At least you have the possibility to audit the software.
- Use services like Facebook or Twitter in the web browser instead of the app version till the sandbox model from Android also respects your privacy.
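The audit approach described above (remove the allow rule, then read the denials from logcat) can be automated. The following Python script is an added example, not code from the original post: it filters logcat text for AVC denials where an untrusted_app process touched a proc_net file and counts them per thread tag, PID and file. The function names are my own, and the sample lines are modelled on the post's extract plus one constructed unrelated denial.

```python
import re
from collections import Counter

# Sample input: five lines modelled on the logcat extract in the post, plus one
# constructed denial against a different target type that must be ignored.
SAMPLE = """\
02-04 03:30:30.551  6722  6722 W Bg_Shared3: type=1400 audit(0.0:7): avc: denied { read } for name="iface_stat_fmt" dev="proc" ino=4026535949 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
02-04 03:30:30.718  6728  6728 W Bg_Shared7: type=1400 audit(0.0:8): avc: denied { read } for name="stats" dev="proc" ino=4026535946 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
02-04 03:30:32.241  6728  6728 W Bg_Shared7: type=1400 audit(0.0:9): avc: denied { read } for name="stats" dev="proc" ino=4026535946 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
02-04 03:30:33.355  6728  6728 W Bg_Shared7: type=1400 audit(0.0:10): avc: denied { read } for name="stats" dev="proc" ino=4026535946 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
02-04 03:30:33.358  6728  6728 W Bg_Shared7: type=1400 audit(0.0:11): avc: denied { read } for name="stats" dev="proc" ino=4026535946 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
02-04 03:30:34.000  7001  7001 W ExampleThread: type=1400 audit(0.0:12): avc: denied { write } for name="example.db" dev="dm-0" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
"""

# A logcat "threadtime" line carrying an SELinux AVC denial (audit type 1400).
LINE = re.compile(
    r'^\d\d-\d\d [\d:.]+\s+(?P<pid>\d+)\s+\d+\s+\w\s+(?P<tag>.*?)\s*: type=1400 '
    r'audit\([^)]*\): avc: denied \{ (?P<perms>[^}]*)\} for (?P<rest>.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a context: 'u:object_r:proc_net:s0' -> 'proc_net'."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def proc_net_denials(text, domain="untrusted_app"):
    """Return one dict per denial where `domain` tried to access a proc_net file."""
    hits = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not an AVC denial line
        fields = {k: v.strip('"') for k, v in KV.findall(m["rest"])}
        if (selinux_type(fields.get("tcontext", "")) != "proc_net"
                or selinux_type(fields.get("scontext", "")) != domain):
            continue
        hits.append({"pid": int(m["pid"]), "tag": m["tag"],
                     "perms": m["perms"].split(), "file": fields.get("name", "?"),
                     "enforced": fields.get("permissive") == "0"})
    return hits

def summarize(hits):
    """Count denials per (thread tag, pid, file name)."""
    return Counter((h["tag"], h["pid"], h["file"]) for h in hits)

if __name__ == "__main__":
    for key, n in summarize(proc_net_denials(SAMPLE)).items():
        print(n, key)
```

The tag in these lines is the name of the thread that triggered the denial, so mapping a PID back to a package still needs a separate lookup on the device.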