So you have an iPhone/iPod/iPad, and you use it quite a bit. Ever wonder just what data is sent from the device to remote servers over the Internet, and what comes back? Or are you worried after the whole Apple tracking scandal, or the recent news that fraudulent malware apps are increasingly being discovered in the Android and Blackberry app stores?
I’ll show you exactly how you can view what data of yours is sent/received, with the technique here applicable to any other wireless mobile device – not just iPhones.
Sections:
- Why Be Concerned?
- How It’s Done
- Capturing iDevice Data
- Interpreting Wireshark’s iPhone Data
- Final Notes
Why Be Concerned?
It’s common knowledge that your iDevice (or any other wireless/mobile device) and its apps send and receive data to and from the Internet regularly. What’s less common knowledge is just what all is sent, and how such data could impact your privacy – recall the iPhone tracking scandal regarding users’ GPS coordinates (related to nearby WiFi hotspots) being stored and transmitted back to Apple.
Android users will also benefit from this with all the malware being discovered in the Android app store as well.
How It’s Done
If you ever want to know whether your device is sending more than you want to share, all you need is:
- A computer running Wireshark
- Your wireless/mobile device (here presumed to be an iDevice)
- A wireless Access Point you can configure
- An Internet connection you can plug the WiFi access point into
- Optionally (but optimally) an Ethernet hub (NOT a switch – see below)
An Ethernet router with a built-in WiFi access point will not work – you need a standalone access point. They are widely available and inexpensive.
First, disable 3G/any non-WiFi data link on your device and turn on WiFi if it’s off. This forces any data to be sent over WiFi rather than over a wireless provider’s network via the device’s (possible) internal cellular antenna. Be aware that some apps that run in the background may still send data over the mobile network even while WiFi is connected, for load-balancing or to ensure link stability (e.g. Google Maps, iOS 5 widgets, location data, etc.).
The next step optimally involves an old-style Ethernet hub, which are cheap and found for under $10 on eBay. You must use a hub and not its modern hardwired replacement, the switch. The reason is fairly technical: a hub blindly repeats data received on one port out of every other port so it will eventually reach its destination, whereas a switch learns which device is on which port and forwards data only to the port of the intended recipient, bypassing any unintended receivers (such as your capturing computer).
If you have a hub, plug it between your internet connection and your WiFi access point, and plug your computer into your hub via a regular Ethernet “patch” cable (Macbook Air users will be forced to use the alternative method). If you do not have a hub, then simply plug your Internet connection into the access point and connect to it with both your computer and device wirelessly.
At this point, your iDevice is connected to your access point, along with your computer if you do not have a hub – otherwise, the access point connects to the hub before being connected to the Internet link, with your computer also hardwired into the hub (so it receives all traffic coming from the access point that is intended to reach the Internet from your iDevice).
Capturing iDevice Data
Now you can fire up Wireshark on your computer and set it to listen on either the hub-connected Ethernet port or the WiFi-connected wireless card on your computer. It will show all traffic your card receives, including traffic not sent or received by your device, so keep this in mind and be mindful of how long you tell Wireshark to capture data so you will have less irrelevant junk to sift through later when analyzing the results.
Now you can use your iDevice as usual, focusing on apps you suspect of sending more data than you want, and see exactly what that data is on your computer as it’s sent/received. You may need to look up your iDevice’s IP address within the WiFi settings to know which one to look for in the “Source” and “Destination” columns in the Wireshark data.
Interpreting Wireshark’s iPhone Data
By this point you should have a row/column list of data Wireshark captured. The data is listed in “packets,” the unit of transmission on the network (on Ethernet, each captured packet is one frame). A single message may be split across several of said “packets,” but simply right-clicking any one within a larger stream of data gives the option (“Follow TCP Stream”) to view the data as one continuous stream, even if one segmented packet was interrupted by another.
As mentioned above, each packet has a “source” and “destination” IP address field you can sort by to find what is sent and received from your iDevice, along with the packet’s protocol and, in the far-right (“Info”) column, a brief human-understandable description of what the packet contains.
The actual data is sent in a variety of app-specific formats, but the typical ones are: XML data (recognizable by the encapsulating ‘<’ and ‘>’ characters around keywords, with a ‘
You’ll find that a lot of data, especially data that is sensitive (and potentially privacy-invasive), is encrypted using HTTPS/TLS. While such data is not easily decryptable or readable, you can still see where the data is going in the initial “handshake” packets, since the Client Hello carries the server’s host name in plain text (such as store-my-data.example.com), and use common deduction as to when the data was sent during an app’s usage.
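As an added example (not code from the original post), the following Python script does by hand what the two previous sections describe doing in Wireshark: it keeps only the frames whose source or destination is the device’s IP address, and for each HTTPS connection it pulls the destination host name out of the plain-text server_name extension of the TLS Client Hello. The device address 192.168.1.23, the peer addresses and the captured frames are all constructed for the example; the parser is deliberately minimal (IPv4 over Ethernet, TCP only, a TLS 1.2 Client Hello, no reassembly across packets), which is enough to show what information a defender can read from the handshake without decrypting anything.

```python
"""Filter captured frames by the device's IP and read the server name from TLS
Client Hello packets (the same data the Source/Destination columns and the
initial handshake packets expose in Wireshark). Example code, not from the post."""
import socket
import struct

# Assumption: the iDevice's WiFi address as shown in its network settings.
DEVICE_IP = "192.168.1.23"


def parse_sni(payload: bytes):
    """Return the SNI host name from a TLS Client Hello, or None if the payload
    is not a Client Hello or carries no server_name extension."""
    # Record header: type(1) version(2) length(2); handshake type 0x01 = Client Hello.
    if len(payload) < 43 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    try:
        pos = 43  # past record header, handshake header, client_version and 32-byte random
        pos += 1 + payload[pos]                                   # session id
        pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]   # cipher suites
        pos += 1 + payload[pos]                                   # compression methods
        ext_len = struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if ext_type == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
                return payload[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_size
    except (struct.error, IndexError, UnicodeDecodeError):
        return None
    return None


def parse_frame(frame: bytes):
    """Decode Ethernet/IPv4/TCP headers; return (src_ip, dst_ip, src_port, dst_port, payload)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ip = frame[14:]
    if ip[9] != 6:  # not TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    src_ip, dst_ip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src_ip, dst_ip, src_port, dst_port, tcp[data_off:]


def summarize(frames, device_ip=DEVICE_IP):
    """One (direction, peer_ip, peer_port, server_name) tuple per TCP frame that
    involves the device; frames from other hosts on the network are dropped."""
    result = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_ip, dst_ip, src_port, dst_port, payload = parsed
        if src_ip == device_ip:
            result.append(("out", dst_ip, dst_port, parse_sni(payload)))
        elif dst_ip == device_ip:
            result.append(("in", src_ip, src_port, parse_sni(payload)))
    return result


# --- constructed sample traffic (no real capture is used) ---------------------
def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 Client Hello carrying only an SNI extension."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x11" * 32      # client_version, fixed "random" for the example
            + b"\x00"                         # empty session id
            + b"\x00\x02\x00\x2f"             # one cipher suite
            + b"\x01\x00"                     # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def build_frame(src_ip, dst_ip, src_port, dst_port, payload) -> bytes:
    """Ethernet + IPv4 + TCP frame with zeroed checksums and MACs (enough for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


SAMPLE_FRAMES = [
    build_frame(DEVICE_IP, "203.0.113.10", 49152, 443, build_client_hello("store-my-data.example.com")),
    build_frame("192.168.1.50", "203.0.113.20", 49153, 443, build_client_hello("unrelated.example.net")),
    build_frame(DEVICE_IP, "203.0.113.30", 49154, 80, b"GET /status HTTP/1.1\r\nHost: 203.0.113.30\r\n\r\n"),
    build_frame("203.0.113.10", DEVICE_IP, 443, 49152, b"\x16\x03\x03\x00\x04\x02\x00\x00\x00"),
]

if __name__ == "__main__":
    for direction, peer, port, sni in summarize(SAMPLE_FRAMES):
        print(f"{direction:3} {peer}:{port}  {sni or '(no server name)'}")
```

The second sample frame comes from another host on the same access point and never appears in the output, which is the same noise you filter out in Wireshark with the device’s address. The plain HTTP request and the server’s reply show up with no server name, so the host name is only available where the app uses TLS and the client sends SNI; for everything else you fall back to the destination IP, exactly as the text describes.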
For instance, if you’re in a Facebook app and click on some location-irrelevant icon and see data sent to maps.google.com shortly thereafter, then you know something’s fishy because there’s no need for such data to be exchanged outside of the “checkin” portion of the app or some other related element.
Final Notes
This method is extremely useful for viewing what data is being transmitted by your device, especially smartphones like the iPhone. Blackberry and Android OS usually have icons that appear in the top status bar whenever data is being sent or received, but most other (Apple) systems lack this, except for the new Location icon that appears in iOS 5 whenever the GPS chip is being used, if enabled.
Vendors may get mad at me for posting this and blowing the whistle on their and their devices’ privacy invasions, but with the media coverage of Android app store malware and Apple location tracking, it’s no secret that people have a genuine reason to be concerned about what data is going where, and this is how you view that data or at least deduce what it is if it’s encrypted.
Likewise, the Wireshark program can offer the same service to your computer itself regarding its data if there’s an app on it that raises your suspicions. None of these techniques (combined) are new – Wireshark was used to teach students (including the highschool version of yours truly) about networking data and protocols, as well as professionals (including yours truly) to debug their/our own protocols. Hubs have been around and access points are common, I merely combined techniques to investigate a fairly new problem.
I encourage every conscientious mobile device user to use this technique to investigate what data of theirs is being networked without their knowledge. Use it even when configuring a new device; you’ll be amazed at what Big Brother has its evil hands on.
Tags: 1984, Android, Big Brother, Blackberry, cool, data, ethernet, hacking, hub, iPad, iPhone, mobile, privacy, wireless