Capturing packets per application/process on Android

Preface

In daily research work there is often a need to capture a clean packet trace of one specific application on an Android phone. The usual approach is to go through the application settings, switch off network access (both WLAN and mobile data) for every non-target application, and leave it switched on only for the target application. This works to a degree, but it cannot remove the traffic generated by the OS itself, so some background noise still ends up in the capture.

The method described in this article filters packets directly by process/application and yields a capture that contains only the application's own traffic.

The technical route is as follows:

  1. When a user installs an app, Android assigns it a user ID (uid) that is unique on the device. The uid lives from the moment the app is successfully installed until the app is uninstalled. The direct mapping from an app's package name to its uid can be read from the system file /data/system/packages.xml, whose <package> entries carry the package name together with its userId attribute.

  2. Since Linux 2.6.14, the iptables owner extension can match outbound packets by the owner (user name or user ID) of the process that created them [1], and a matching packet can then be given a mark inside the kernel's filtering. Only packets produced through the socket API have an owner; ICMP traffic generated by the kernel is not attributed to the application.

  3. To capture the application's inbound packets as well, use the CONNMARK target of iptables to label the whole connection (flow) rather than the individual packet.

  4. Use iptables to send INPUT and OUTPUT packets carrying the flow label to an NFLOG message pool (group), specifying the group number.

  5. Use tcpdump to read the packets from that NFLOG group. libpcap exposes each NFLOG group as a pseudo-interface named "nflog:<group>", so passing that name to tcpdump's -i option captures exactly the packets logged to that group. In packets captured from "nflog:<group>" the link-layer header is the log header of the Linux kernel's netfilter NFLOG, not an Ethernet header; the network, transport and application layers are unchanged and are not modified by NFLOG.

System Requirements

• libpcap 1.2.1 or newer (commit cc8520ff5294900d93509eaf843684c51af102a9)
• Linux Kernel with NFLOG (CONFIG_NETFILTER_XT_TARGET_NFLOG).
• Effective UID 0 (root) or the CAP_NET_ADMIN capability. You probably do not want to root your own real device; use an Android emulator such as LDPlayer, which is fast and ships with root.

Case explanation

  1. Capture the traffic of Android's built-in browser (com.android.browser) visiting youtube.
    First, look up the browser's user ID in packages.xml: 10012.
    Then use adb to get a root shell:
adb root
adb shell

Write iptables rules:

iptables -A OUTPUT -m owner --uid-owner 10012 -j CONNMARK --set-mark 10012
# Give every flow whose OUTPUT packets are owned by user ID 10012 the flow label 10012
iptables -A INPUT -m connmark --mark 10012 -j NFLOG --nflog-group 10012
# Put inbound packets carrying flow label 10012 into the NFLOG message pool numbered 10012
iptables -A OUTPUT -m connmark --mark 10012 -j NFLOG --nflog-group 10012
# Put outbound packets carrying flow label 10012 into the NFLOG message pool numbered 10012

Finally capture the packet:

tcpdump -i nflog:10012 -w uid-10012.pcap

Two pcap files are attached: browser-only.pcap was captured from nflog:10012, and broswer-eth0.pcap was captured from the Ethernet interface at the same time. Both contain the traffic of a visit to youtube.com.

  2. Capture the traffic generated when Spotify logs in.
    Spotify's package name is com.spotify.music; looking it up in packages.xml gives userId 10157.

adb root
adb shell
iptables -A OUTPUT -m owner --uid-owner 10157 -j CONNMARK --set-mark 10157
# Give every flow whose OUTPUT packets are owned by user ID 10157 the flow label 10157
iptables -A INPUT -m connmark --mark 10157 -j NFLOG --nflog-group 10157
# Put inbound packets carrying flow label 10157 into the NFLOG message pool numbered 10157
iptables -A OUTPUT -m connmark --mark 10157 -j NFLOG --nflog-group 10157
# Put outbound packets carrying flow label 10157 into the NFLOG message pool numbered 10157
tcpdump -i nflog:10157 -w uid-10157.pcap

There are two pcaps attached: uid-10157.pcap and uid-10157-eth0.pcap. You can compare them.

Resource link

[1] iptables-extensions document: http://ipset.netfilter.org/iptables-extensions.man.html

Pitfalls

[1] If tcpdump repeatedly reports the error No buffer space available, consider: 1) upgrading tcpdump, 2) using -w to write the packets directly to a file.
[2] Error:

tcpdump: Can't listen on group group index: Operation not permitted

This happens because it takes some time for the iptables rules to be committed to the netfilter kernel module.
Solution: after running the three iptables commands above, sleep for a few seconds before starting tcpdump on the nflog interface.
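The following script is an added example, not part of the original post; it ties the technical route, the two cases and the sleep workaround above into one procedure. It looks up a package's uid in packages.xml, derives the three iptables rules from that single uid so the numbers cannot get out of step between rules, waits before starting tcpdump, and removes the rules afterwards so the next capture starts clean. The packages.xml excerpt is constructed for offline testing; the function names (uid_for_package, rules_for_uid, capture_app) and the three-second wait are my own choices, and the script assumes a plain-text packages.xml as on Android 11 and earlier (Android 12 and later store it as binary XML, which the on-device abx2xml tool converts back) plus grep, sed, iptables and tcpdump in a rooted shell.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes a plain-text
# /data/system/packages.xml (Android 11 and earlier), and grep, sed,
# iptables and tcpdump available in a rooted shell (adb root; adb shell).

# Constructed packages.xml excerpt for offline testing. Real files carry
# many more attributes per <package> element, but Android writes each
# element's attributes on a single line, which is what the lookup relies on.
SAMPLE_PACKAGES_XML='<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<packages>
<package name="com.android.browser" codePath="/system/app/Browser" flags="1" userId="10012">
<sigs count="1"><cert index="0" /></sigs>
</package>
<package name="com.android.settings" codePath="/system/priv-app/Settings" flags="1" sharedUserId="1000">
</package>
<package name="com.spotify.music" codePath="/data/app/com.spotify.music-1" flags="0" userId="10157">
</package>
<shared-user name="android.uid.system" userId="1000">
</shared-user>
</packages>'

# uid_for_package PKG  < packages.xml
# Prints the numeric uid of PKG. Packages that share a uid carry it in the
# sharedUserId attribute instead of userId, so both are tried. Returns 1 if
# the package is not installed.
uid_for_package() {
    pkg="$1"
    line=$(grep -F "<package name=\"$pkg\"" | head -n 1 || true)
    [ -n "$line" ] || return 1
    uid=$(printf '%s\n' "$line" | sed -n 's/.* userId="\([0-9]*\)".*/\1/p')
    [ -n "$uid" ] || uid=$(printf '%s\n' "$line" | sed -n 's/.* sharedUserId="\([0-9]*\)".*/\1/p')
    [ -n "$uid" ] || return 1
    printf '%s\n' "$uid"
}

# rules_for_uid ACTION UID
# Prints the three iptables commands from the post for one uid. ACTION is
# -A to install them and -D to remove the same rules again. Deriving every
# number from one variable avoids the copy-and-paste mismatch that is easy
# to make when the rules are typed by hand for each app.
rules_for_uid() {
    action="$1"
    uid="$2"
    # Label the connection (flow) of every outbound packet owned by UID.
    printf 'iptables %s OUTPUT -m owner --uid-owner %s -j CONNMARK --set-mark %s\n' "$action" "$uid" "$uid"
    # Copy inbound and outbound packets of labelled flows to NFLOG group UID.
    printf 'iptables %s INPUT -m connmark --mark %s -j NFLOG --nflog-group %s\n' "$action" "$uid" "$uid"
    printf 'iptables %s OUTPUT -m connmark --mark %s -j NFLOG --nflog-group %s\n' "$action" "$uid" "$uid"
}

# capture_app PKG
# Installs the rules, waits for them to take effect (the "Can't listen on
# group" pitfall), captures from the nflog pseudo-interface until tcpdump is
# interrupted with Ctrl-C, then removes the rules so later captures are clean.
capture_app() {
    pkg="$1"
    uid=$(uid_for_package "$pkg" < /data/system/packages.xml) || {
        echo "package not found: $pkg" >&2
        return 1
    }
    rules_for_uid -A "$uid" | sh
    sleep 3
    tcpdump -i "nflog:$uid" -w "uid-$uid.pcap" || true
    rules_for_uid -D "$uid" | sh
}

# Usage in a rooted shell:  . ./capture-app.sh && capture_app com.android.browser
```

Running rules_for_uid with -A and then -D through sh keeps installation and cleanup symmetric, and the uid lookup can be checked offline against the constructed excerpt before touching a device.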

Origin: blog.csdn.net/jmh1996/article/details/106011155