Android Dialers are Stealing Your Data

Packet captures of Android Dialers Stealing Your Stuff
Tags: reverse-engineering networking android
Reading time: about 2 minutes

In Android, most functionality of your phone is provided by apps. And this includes making phone calls as well. Android lets you replace the dialer app on your phone with a custom one. This can be amazing and horrifying at the same time. It is amazing because it allows programmers to create interesting ways to call people. But it also allows the creators of malicious apps to secretly send your private data to their servers.

For tech-savvy people this isn’t such a big issue, trust only your phone manufacturer and open source apps and you’re golden. But things aren’t always so simple when people who aren’t familiar with the best privacy practices see these apps on their app store. On top of that, things can get out of your hand when a phone update replaces the default telephone app on your phone with TrueCaller.

I wanted to see just how bad the situation was with my own eyes, so I equipped myself with a packet sniffer and started installing those apps on my phone. I know, I know, not the safest thing to do. But your choices are limited when your computer is too slow to emulate anything more complicated than an atari.

This article is also available in Turkish.

Drupe, our first test subject

When you first install this app, it greets you with a permission request for your contact list and refuses to start without being granted the permission. But that’s not too suspicious, an app that you use for calling people, an app that advertises itself as “Contacts Phone Dialer” can have tons of valid reasons for needing access to your contacts. But unfortunately, the first thing this app does after getting the permission is serializing all your contacts into a big string and sending it over to their servers.

Asus Dialer

Asus Dialer is the app that comes preinstalled with Asus phones. In my tests, it didn’t send anything from my contact list to their server. Also, no communication was observed when calling other numbers. It is consistent with the opening paragraph that a telephone app by a phone manufacturer wouldn’t steal your data carelessly, it’s just unnecessary risk for them.

Dialer+ / Contacts+

An API call to an endpoint called ‘/report’ was made with every call I did. This API call included my email address, a token and the number I was calling. I assume a copy of my contact list was also sent but I was unable to take a screenshot of that.

TrueCaller

TrueCaller, the telephone app which another blogger was suspicious of, is also guilty in this regard. It sends all your call start-end times and some more data such as outgoing call and number dialed events to an analytics server. On top of that, it keeps track of calls and reports to their server when they start and end, along with the number called and a client ID.

This extensive collection of information is enough to gather when you to talk with people, and who you talk with. Since these apps are installed by a lot of people and your name is in their contacts list, even if you don’t install the apps you can still be tracked to a degree.

The Sad State of Privacy

All the apps I tested were the top results for the search dialer. Some of them were given the Editor’s Choice branding and all of them had massive install numbers. If the most popular dialer apps, the ones that have been approved by “editors”, disregard our privacy like that; I can’t even imagine the kind of intrusion shady apps will do.

Thanks for reading my blog post. If you subscribe to my RSS feed in 10 seconds you will have good privacy for 10 years.

The following pages link here

Citation

If you find this work useful, please cite it as: 
@article{yaltirakli201705androiddialerpackets,
  title   = "Android Dialers are Stealing Your Data",
  author  = "Yaltirakli, Gokberk",
  journal = "gkbrk.com",
  year    = "2017",
  url     = "https://www.gkbrk.com/2017/05/android-dialer-packets/"
}
Not using BibTeX? Click here for more citation styles.
IEEE Citation
Gokberk Yaltirakli, "Android Dialers are Stealing Your Data", May, 2017. [Online]. Available: https://www.gkbrk.com/2017/05/android-dialer-packets/. [Accessed Dec. 17, 2024].
APA Style
Yaltirakli, G. (2017, May 15). Android Dialers are Stealing Your Data. https://www.gkbrk.com/2017/05/android-dialer-packets/
Bluebook Style
Gokberk Yaltirakli, Android Dialers are Stealing Your Data, GKBRK.COM (May. 15, 2017), https://www.gkbrk.com/2017/05/android-dialer-packets/

Comments

Comment by admin
2023-02-11 at 21:19
Spam probability: 0.038%

Hey gorkbork enjoyer! I fixed the article layout and put the images back. This is an old article and I didn't have the screenshots anymore, but the Internet Archive still had them. Thanks for letting me know about the issue. -- Average admin fan

Comment by gorkbork enjoyer
2023-02-05 at 18:57
Spam probability: 0.494%

your layout is messed up here. the images don't exist either

Comment by Guest
2022-08-09 at 09:00
Spam probability: 0.015%

Hi there, I've noticed that TrueCaller was trying to connect and sent something when my firewall caught its attempts to connect with some servers every time I used the phone while the phone was connected on internet. The only dialer/phone app that doesn't attempt to connect and send data is the Simple Mobile Tools dialer. All the rest even the native apps from Google or the phone's vendor ones are doing the same thing.

Comment by Guest
2022-08-07 at 20:16
Spam probability: 0.754%

The images wont load. 404

Comment by Guest
2021-10-05 at 07:52
Spam probability: 0.352%

Thank you. Continue the fight!

Comment by Toro
2019-08-30 at 21:53
Spam probability: 0.07%

A feature of droop is it socially Network caller ID so this doesn't seem too suspicious that they temperature are contacts or am I reading this wrong

Comment by Dennls
2019-08-13 at 16:32
Spam probability: 3.156%

Will provide comments at a later date

Comment by admin
2019-08-09 at 09:46
Spam probability: 0.03%

As I said in the article, open source or stock dialler applications that come with the phone are probably your best bets. For an app that prevents spam calls, I am not aware of an open database. Maybe a good project idea. I certainly wouldn't mind an open source app doing an API call to an open backend to check numbers that aren't in your contacts list.

Comment by Guest
2019-08-08 at 19:34
Spam probability: 0.03%

Is there any app you tested that respects privacy? it could work downloading the offline-database and then completely block truecaler from internet-access

Comment by User
2018-12-15 at 16:31
Spam probability: 0.03%

Thanks for this expose. I was suspicious of the permission requested by drupe caller app I installed and decided to search for more information. Now I know that they are saving my contact list on their server without warning. What a shame.

Comment by Guest
2018-10-31 at 04:41
Spam probability: 0.634%

Thanks for your insights and time

Search

More links

This page is valid HTML. Click to validate.

It's not actually valid? Send me an email.

© 2024 Gokberk Yaltirakli