
My goal is to analyze the traffic of an Android application, to check if it contacts any unofficial IPs.

Using PCAPRemote I created a connection log file and transferred it to the PC, where I am analyzing it with Wireshark.

My problem is that there are dozens of different IPs, and I can't find any information about these IPs on the internet.

What do you recommend to understand if they are all official?

P.S. All these IPs are of the application only, not of the whole system.

P.P.S. Apparently the only protocols used are TCP and TLSv1.2 by the application.

Sir Muffington
Momoa
  • What is an "unofficial IP"? –  Apr 16 '22 at 21:38
  • @MechMK1 the app I am talking about is a mod, by unofficial IP I mean any calls to servers not of the original application – Momoa Apr 16 '22 at 23:13
  • I don't understand the question then. If you have a list of "valid" IPs, just look at any new connection to an IP that is not in that list. What exactly is the *issue*? –  Apr 16 '22 at 23:19
  • OP, it sounds like you are saying that the application should connect to IP addresses of servers that are run by the company that created the application. If that's the case, then any IP address that the app connects to should have a PTR record that reverses to a FQDN within this company's domain. This FQDN should also then forward to the same IP. – mti2935 Apr 16 '22 at 23:45

1 Answer


Here's one way to achieve your goal:

  1. Figure out the sending IP of the application
  2. Filter for messages from that IP
  3. Export a list of all of the receiving IP addresses
  4. whois <ip> to find out information about each IP
  5. Alternatively, you can find or create a blacklist of IPs and just check if your application is sending data or otherwise contacting [1] undesirable parties. Realistically the range of possibilities for that is quite large, so the contents of the blacklist will depend on your risk model and/or goal (you could use a list of advertisers, for example). You can also whitelist the "allowable" IPs, however that would require working knowledge of the necessary requests of the application.

[1] Data is sometimes sent through non-traditional protocols such as DNS to avoid detection.

belkarx
    The mod I am talking about is a mod of a music streaming application. As I wrote above it uses a lot of different IP addresses, and I don't find much information on whois. Perhaps the only way to understand which IPs are good is to first check those of the original application and then compare them with the modified one – Momoa Apr 19 '22 at 17:08
  • @Momoa Seems reasonable, given that the same servers are being queried (and it's not picking from a large pool or is p2p, in which case there would be too much discrepancy) – belkarx Apr 19 '22 at 21:50
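The procedure from the answer (filter on the app's address, collect the destination addresses, check each one) together with the two ideas from the comments (PTR lookups, and comparing the mod against a capture of the original app), as an added example that is not part of the original question, answer or comments. It assumes the PCAPRemote capture was exported with the tshark command shown in the docstring; the phone address 10.0.0.5, the example-music/example-ads host names, the EXPECTED_SUFFIXES list and the sample export rows are all constructed for this example. Because the app speaks TLS 1.2, the ClientHello's SNI extension carries the server name unencrypted, which is usually more informative than whois on a shared CDN address.

```python
r"""Summarise where a captured app talks to, from a tshark field export.

Added example, not from the answer above. It assumes the PCAPRemote pcap
was exported with a command like the following (phone address 10.0.0.5,
host names and EXPECTED_SUFFIXES are hypothetical):

    tshark -r app.pcap -Y "ip.src == 10.0.0.5 && tcp" \
        -T fields -E separator=, -E occurrence=f \
        -e ip.dst -e tcp.dstport -e tcp.len \
        -e tls.handshake.extensions_server_name
"""
import csv
import io
import ipaddress
import socket
from collections import defaultdict

# Constructed sample of that export: one row per packet; the SNI column is
# only populated on ClientHello rows and is empty everywhere else.
SAMPLE_EXPORT = """\
203.0.113.10,443,0,
203.0.113.10,443,517,api.example-music.com
203.0.113.10,443,1200,
198.51.100.7,443,512,cdn.example-music.net
192.0.2.25,443,517,tracker.example-ads.com
192.0.2.25,443,300,
192.0.2.99,8080,120,
"""

# Domains the unmodified app is known to contact (assumed for the example).
EXPECTED_SUFFIXES = ("example-music.com", "example-music.net")


def parse_export(text):
    """Group packets by destination: ports used, payload bytes, SNI names."""
    dests = defaultdict(lambda: {"ports": set(), "bytes": 0, "sni": set()})
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue  # blank or malformed line
        ip, port, tcp_len, sni = row
        ipaddress.ip_address(ip)  # reject garbage before it reaches the report
        entry = dests[ip]
        entry["ports"].add(int(port))
        entry["bytes"] += int(tcp_len or 0)
        if sni:
            entry["sni"].add(sni.lower())
    return dict(dests)


def matches_expected(name, suffixes=EXPECTED_SUFFIXES):
    """True if name is one of the expected domains or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def classify(dests, suffixes=EXPECTED_SUFFIXES):
    """Label each destination: expected / unexpected / no-sni (look at by hand)."""
    verdict = {}
    for ip, info in dests.items():
        if not info["sni"]:
            verdict[ip] = "no-sni"
        elif all(matches_expected(n, suffixes) for n in info["sni"]):
            verdict[ip] = "expected"
        else:
            verdict[ip] = "unexpected"
    return verdict


def new_names(baseline_dests, mod_dests):
    """SNI names the mod contacts that a capture of the original app never did.

    Compares host names rather than addresses, because CDN pools hand out
    different IPs between captures (the discrepancy raised in the comments).
    """
    seen = set().union(*(d["sni"] for d in baseline_dests.values()))
    mod = set().union(*(d["sni"] for d in mod_dests.values()))
    return mod - seen


def reverse_dns(ip):
    """PTR lookup for the check suggested in the comments; needs network access."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def report(dests, verdict):
    """One line per destination, unexpected and no-sni entries grouped together."""
    lines = []
    for ip in sorted(dests, key=lambda i: (verdict[i], i)):
        info = dests[ip]
        names = ",".join(sorted(info["sni"])) or "-"
        ports = ",".join(str(p) for p in sorted(info["ports"]))
        lines.append(f"{verdict[ip]:10} {ip:15} ports={ports} bytes={info['bytes']} sni={names}")
    return lines


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    for line in report(parsed, classify(parsed)):
        print(line)
```

Destinations labelled "no-sni" (plain TCP with no ClientHello seen, or a connection whose handshake was not in the capture) are the ones to open in Wireshark by hand; whois and a PTR lookup on those addresses is where the answer's step 4 still applies. Run the same export against a capture of the unmodified app and feed both through new_names() to get the list the last comment describes.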