I have been a longtime iPhone user and decided recently to break out of the wallet garden and explore Android. I am specifically interested in the privacy and security aspect of this operating system. Along my investigations, I came across Net Monitor, an app which allows to monitor the network activity on the smartphone:
Privacy Friendly Net Monitor monitors active network activity and provides information on the scanned connections and apps. The Connection’s local and remote socket information is displayed along with a resolved hostname information and protocol evaluation based on well-known ports. Known un-/encrypted protocols are automatically marked. This app belongs to the Privacy Friendly Apps group developed by the SECUSO research group Universität Darmstadt, Germany.
I was astonished by the fact that the app did not need to ask any permissions to be able to monitor the network activity. I decided to explore this topic more in depth.
Android realizes parts of its sandbox model for the apps with SELinux. SELinux blocks the access to resources on your device by default. You have to specifically write rules to grant access. It appears Android allows all apps the access to the /proc/net directory by default. Some background information about proc:
The proc filesystem (procfs) is a special filesystem in Unix-like operating systems that presents information about processes and other system information in a hierarchical file-like structure, …
/proc/net/, a directory containing useful information about the network stack, in particular /proc/net/nf_conntrack, which lists existing network connections …
This means that every app on your Android smartphone can monitor which apps connect to the internet and also when and where they connect to, without having to ask permission do so. People familiar with SELinux will find the related rule in the untrusted_app.te policy file under android / platform / external / sepolicy:
# access /proc/net/xt_qtguid/statsr_dir_file(untrusted_app, proc_net)
Untrusted apps means:
In current AOSP, this domain is assigned to all non-system apps as well as to any system apps that are not signed by the platform key.
This rule does not only give access to the stats file as indicated but also any other file under /proc/net.
My next question was if apps take advantage of this possibility. To be able to observe if apps access resources under /proc/net, I build my own custom rom where I disabled the above mentioned rule (LineageOS version 14.1). Removing this rule from the policy file blocks any access from apps to /proc/net and also logs the failed attempts.
My app of choice to test this was the Facebook app and sure enough, it does access files under /proc/net. Right after I launched the app on my custom rom and even before I logged in the app, it tries to access /proc/net resources:
02–04 03:30:30.551 6722 6722 W Bg_Shared3: type=1400 audit(0.0:7): avc: denied { read } for name=”iface_stat_fmt” dev=”proc” ino=4026535949 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
02–04 03:30:30.718 6728 6728 W Bg_Shared7: type=1400 audit(0.0:8): avc: denied { read } for name=”stats” dev=”proc” ino=4026535946 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
02-04 03:30:32.241 6728 6728 W Bg_Shared7: type=1400 audit(0.0:9): avc: denied { read } for name="stats" dev="proc" ino=4026535946 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
02-04 03:30:33.355 6728 6728 W Bg_Shared7: type=1400 audit(0.0:10): avc: denied { read } for name="stats" dev="proc" ino=4026535946 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
02-04 03:30:33.358 6728 6728 W Bg_Shared7: type=1400 audit(0.0:11): avc: denied { read } for name="stats" dev="proc" ino=4026535946 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
(extract from the logcat output_; Bg_Shared3_ and Bg_Shared7 only appear after launching the facebook app on a fresh installed rom.)
The stats file under /proc/net provides information which services connect to the net and how much they transfer.
Conclusions:
- Android does not prevent the access to sensitive information, which apps connect to the internet and where they connect to, from third parties. This should be fixed as soon as possible. I see no reason why apps should have direct access to this information.
- The Facebook app takes advantage from this situation and retrieves information which apps connect to the internet and how much information they transfer.
My recommendation:
- Use open source software, preferably from F-Droid. At least you have the possibility to audit the software.
- Use services like Facebook or Twitter in the web browser instead of the app version till the sandbox model from Android also respects your privacy.