this post was submitted on 23 May 2024
4 points (55.9% liked)

Android

27946 readers
161 users here now

DROID DOES

Welcome to the droidymcdroidface-iest, Lemmyest (Lemmiest), test, bestest, phoniest, pluckiest, snarkiest, and spiciest Android community on Lemmy (Do not respond)! Here you can participate in amazing discussions and events relating to all things Android.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules


1. All posts must be relevant to Android devices/operating system.


2. Posts cannot be illegal or NSFW material.


3. No spam, self promotion, or upvote farming. Sources engaging in these behavior will be added to the Blacklist.


4. Non-whitelisted bots will be banned.


5. Engage respectfully: Harassment, flamebaiting, bad faith engagement, or agenda posting will result in your posts being removed. Excessive violations will result in temporary or permanent ban, depending on severity.


6. Memes are not allowed to be posts, but are allowed in the comments.


7. Posts from clickbait sources are heavily discouraged. Please de-clickbait titles if it needs to be submitted.


8. Submission statements of any length composed of your own thoughts inside the post text field are mandatory for any microblog posts, and are optional but recommended for article/image/video posts.


Community Resources:


We are Android girls*,

In our Lemmy.world.

The back is plastic,

It's fantastic.

*Well, not just girls: people of all gender identities are welcomed here.


Our Partner Communities:

!android@lemmy.ml


founded 1 year ago
MODERATORS
all 28 comments
sorted by: hot top controversial new old
[–] Toes@ani.social 28 points 5 months ago (1 children)

You could setup debugging and monitor all the traffic from the phone over a long period of time. Inspect it and confirm (or deny) your hypothesis.

[–] Socsa@sh.itjust.works 2 points 5 months ago (1 children)

This wouldn't be conclusive since it would be pretty easy to just hide these payloads in some other traffic stream to a compromised node, which is a super common way cyberthreat command and control functions. If the user never initiates a connection to the host, the payloads just wait around so as not to generate suspicious traffic.

Obviously the threat model for advertising is a bit different, but there's no reason someone trying to hide this functionality wouldn't take similar steps.

[–] Toes@ani.social 2 points 5 months ago

Oh sure, you could be extra careful and attempt to detect any obfuscation or encrypted payloads that weren't decrypted. Then there's the concern that the malware watches for this behaviour and you'll need to further modify the environment.

[–] Rustmilian@lemmy.world 16 points 5 months ago (1 children)
[–] Unforeseen@sh.itjust.works 8 points 5 months ago (1 children)

Wireshark won't show you anything if it's encrypted, other then a communication taking place. There's nothing stopping them from batching or otherwise obfuscating things through all kinds of means.

[–] Rustmilian@lemmy.world 4 points 5 months ago* (last edited 5 months ago) (1 children)

It entirely depends on how you set it up and where in the transport pipeline you're intercepting pockets from.

[–] kionite231@lemmy.ca 2 points 5 months ago (1 children)

how do you circumvent the HTTPS encryption?

[–] Rustmilian@lemmy.world 4 points 5 months ago* (last edited 5 months ago) (1 children)

By combining with other methods for intercepting HTTPS traffic, typically involving installing certificates or modifying system configurations like configuring your browser or operating system to log secret keys.

To break down the process of the cert method :

  • Device Trust: Install a trusted Root CA certificate (issued by you) on the Android device using Root permissions. This certificate tricks apps into trusting the proxy. Without Root level install the apps may reject the certificate as User Installed.
  • Device Routes Traffic : Configure the rooted Android device to route its traffic to the proxy on the separate system. This can be done through proxy settings.
  • Proxy Decryption : Configure the proxy to use the corresponding private key to decrypt the HTTPS traffic coming from your device, this key is generated when you created/issued the Root CA.
  • Traffic Inspection : With the traffic decrypted, you can use Wireshark configured to the proxy to inspect the traffic.
  • Proxy Re-encrypts and Forwards: After inspection, the proxy re-encrypts the traffic using a legitimate certificate and forwards it to the real website.
[–] Socsa@sh.itjust.works 2 points 5 months ago* (last edited 5 months ago) (1 children)

It would still be tedious to inspect every bit to ensure that a rogue service isn't just tacking chunks of noise onto a legitimate data stream. I'd argue that it's almost impossible to verify that every bit is legitimate unless you also control the host and know exactly what the traffic is supposed to look like.

[–] Rustmilian@lemmy.world 1 points 5 months ago

by "the host" you mean the server?
With the traffic decrypted it should be possible to automate the inspection process to some degree, but obviously milage may vary.

[–] 0_0j@lemmy.world 12 points 5 months ago

Should the notification tell you when an app uses your mic when not inside the app?

Oh wait, it can't if one bypasses the API.

[–] MedicPigBabySaver@lemmy.world 6 points 5 months ago

They are, so, why bother?

[–] henfredemars@infosec.pub 5 points 5 months ago

That depends on how conclusive you need your proof to be.

For example, you could run your phone software in an emulator and prove that your emulated microphone isn’t being accessed except when it should, because all attempts to access hardware are provided by your emulator. You would simply detect if this happens.

You could debug the kernel on device to detect request to access the microphone hardware and correlate this data with user activities to show that it’s quite unlikely you’re being monitored.

Perhaps you could insert physical probes into a real physical device to detect whether the application processor wakes up to service that data when you are speaking. If it doesn’t wake up, then you can reasonably argue that the data must not be getting stored or processed.

In general, irrefutable proof will be difficult to acquire. As far as we know, most phones don’t listen to the microphone and record audio while the screen is locked. They have a coprocessor that does this but it wouldn’t have the memory to record more than a second or two and is used mainly for hotword detection.

[–] bjoern_tantau@swg-empire.de 3 points 5 months ago (3 children)

You can't prove a negative.

[–] frightful_hobgoblin@lemmy.ml 21 points 5 months ago (3 children)

I can prove by evidence that there is no milk in this cup.

[–] GamingChairModel@lemmy.world 7 points 5 months ago (2 children)

Yes but can you prove by evidence that there is no milk in my cup, if I won't let you look inside?

[–] AndrewZabar@lemmy.world 5 points 5 months ago (1 children)

Someone wants a glass of milk :-)

[–] frightful_hobgoblin@lemmy.ml 3 points 5 months ago (1 children)

Proving the negative or positive would be equally hard then .

[–] GamingChairModel@lemmy.world 2 points 5 months ago (2 children)

Yes, but an absence of a proof of the positive is itself not proof of the negative, so if we're in the unprovable unknown, we're still back at the point that you can't prove a negative.

[–] AndrewZabar@lemmy.world 1 points 5 months ago

Well, if the conditions are such that the positive would be absolutely certain to leave evidence, then the lack of said evidence is good enough. Like, I say it’s not snowing where I live. Absolutely nobody in my town sees so much as a single snowflake. Also, it’s 72° out. Haven’t I proven to a reasonable degree that it’s not snowing where I live?

[–] frightful_hobgoblin@lemmy.ml 1 points 5 months ago* (last edited 5 months ago)

we’re still back at the point that you can’t prove a negative.

We were never at the point that you can't prove a negative. That's dumb & wrong.

A woman menstruating proves negative on pregnancy.

The existence of the largest prime was disproven thousands of years ago.

[–] catloaf@lemm.ee 4 points 5 months ago

If you enumerate each particle in the cup and verify that it is not a milk particle, yes.

(Milk is a complex colloid of multiple compounds, so good luck with that.)

[–] AndrewZabar@lemmy.world 7 points 5 months ago* (last edited 5 months ago)

That’s such a widely used concept and it’s erroneous. You can’t ALWAYS prove a negative. But if you’re able to prove a mutually exclusive positive to the negative condition, then you’ve proven it. For example, proving it is daytime where I’m standing also proves it is not nighttime where I’m standing.

There are circumstances where a negative cannot be practically proven, or without an absurd amount of work. But all you really need to do is empirically demonstrate the negative is the likeliest reasonable scenario and that’s usually good enough, except to someone obstinately trying to stay with their position and therefore demands absolute unequivocal proof - which is a rarity entirely.

[–] CrayonRosary@lemmy.world 4 points 5 months ago

You can't prove a universal negative.

You can prove specific negatives by providing counter evidence. Thing like "I am not a woman" by proving "I am a man".

[–] AstroLightz@lemmy.world 1 points 5 months ago

Put your phone in a Faraday bag for an extended period of time, then check what kind of ads you get.