Packet captures of Android Dialers Stealing Your Stuff

In Android, most functionality of your phone is provided by apps. And this includes making phone calls as well. Android lets you replace the dialer app on your phone with a custom one. This can be amazing and horrifying at the same time. It is amazing because it allows programmers to create interesting ways to call people. But it also allows the creators of malicious apps to secretly send your private data to their servers.

For tech-savvy people this isn’t such a big issue: trust only your phone manufacturer and open source apps and you’re golden. But things aren’t always so simple when people who aren’t familiar with the best privacy practices see these apps on their app store. On top of that, things can get out of hand when a phone update replaces the default telephone app on your phone with TrueCaller.

I wanted to see just how bad the situation was with my own eyes, so I equipped myself with a packet sniffer and started installing those apps on my phone. I know, I know, not the safest thing to do. But your choices are limited when your computer is too slow to emulate anything more complicated than an Atari.

This article is also available in Turkish.

Drupe, our first test subject

When you first install this app, it greets you with a permission request for your contact list and refuses to start without being granted the permission. But that’s not too suspicious: an app that you use for calling people, an app that advertises itself as “Contacts Phone Dialer”, can have tons of valid reasons for needing access to your contacts. But unfortunately, the first thing this app does after getting the permission is serialize all your contacts into a big string and send it over to their servers.

[Image: /images/articles/android-dialer-packets/drupe-packet.jpg]

Asus Dialer

Asus Dialer is the app that comes preinstalled with Asus phones. In my tests, it didn’t send anything from my contact list to their server. Also, no communication was observed when calling other numbers. It is consistent with the opening paragraph that a telephone app by a phone manufacturer wouldn’t steal your data carelessly; it’s just an unnecessary risk for them.

An API call to an endpoint called ‘/report’ was made with every call I made. This API call included my email address, a token and the number I was calling. I assume a copy of my contact list was also sent, but I was unable to take a screenshot of that.

[Image: /images/articles/android-dialer-packets/contactsplus.jpg]

TrueCaller

TrueCaller, the telephone app which another blogger was suspicious of, is also guilty in this regard. It sends all your call start-end times and some more data such as outgoing call and number dialed events to an analytics server. On top of that, it keeps track of calls and reports to their server when they start and end, along with the number called and a client ID.

This extensive collection of information is enough to work out when you talk with people and who you talk with. Since these apps are installed by a lot of people and your name is in their contacts list, even if you don’t install the apps you can still be tracked to a degree.
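One way to repeat this kind of check on a test phone, as an added example that is not code from the original post: plant unique canary contacts, export the request bodies from the packet capture, and search each body for the canaries as sent, URL-decoded and base64-decoded. The canary values, hosts, paths and field names below are all constructed for illustration.

```python
import base64, json, re
from urllib.parse import unquote_plus

# Constructed canaries: unique values planted on a test phone before capturing.
CANARIES = {
    "contact_name": "Zelda Canary",
    "contact_number": "+1 555 010 0199",
    "dialed_number": "+1 555 010 0142",
    "owner_email": "tester@example.org",
}

def digits(s):
    return re.sub(r"\D", "", s)

def views(body):
    """Yield the body as sent, URL-decoded, and with base64 runs decoded."""
    yield body
    yield unquote_plus(body)
    for run in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", body):
        try:
            yield base64.b64decode(run, validate=True).decode("utf-8", "ignore")
        except ValueError:  # the run was not valid base64 after all
            continue

def leaked_fields(body):
    """Return the canary labels that appear anywhere in one request body."""
    found = set()
    for text in views(body):
        numbers = {digits(m) for m in re.findall(r"\+?\d[\d ().-]{5,}\d", text)}
        for label, value in CANARIES.items():
            if label.endswith("_number"):
                # Assumption: compare the last 10 digits so a dropped country code still matches.
                hit = any(n.endswith(digits(value)[-10:]) for n in numbers)
            else:
                hit = value.lower() in text.lower()
            if hit:
                found.add(label)
    return found

# Constructed request bodies (destination, body); hosts and paths are placeholders.
FLOWS = [
    ("sync.dialer-a.example/contacts", "list=Zelda+Canary%3A%2B15550100199%3BBob%3A5550100111"),
    ("api.dialer-b.example/report", json.dumps(
        {"email": "tester@example.org", "token": "t0k3n", "number": "(555) 010-0142"})),
    ("cdn.dialer-c.example/blob", "d=" + base64.b64encode(b"Zelda Canary|15550100199").decode()),
    ("ads.example/ping", "sdk=4.2&ts=1700000000"),
]

def audit(flows):
    """Map each destination to the sorted list of canary fields found in its body."""
    return {dest: sorted(leaked_fields(body)) for dest, body in flows}

if __name__ == "__main__":
    for dest, fields in audit(FLOWS).items():
        print(f"{dest:35} {', '.join(fields) or '-'}")
```

Canaries that are unique to the test phone keep false positives low; a body that is encrypted or compressed before sending will not match and needs decoding first.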

The Sad State of Privacy

All the apps I tested were the top results for the search “dialer”. Some of them were given the Editor’s Choice branding and all of them had massive install numbers. If the most popular dialer apps, the ones that have been approved by “editors”, disregard our privacy like that, I can’t even imagine the kind of intrusion shady apps will do.

Thanks for reading my blog post. If you subscribe to my RSS feed in 10 seconds you will have good privacy for 10 years, I hope.