Is your Android phone safe? nDPI will tell you


Weeks ago I added support for GoogleServices detection to nDPI, and I wanted to test the code with real traffic. For this reason I started to play with a few Android phones in order to test the code on various OS releases and implementations. This is what I found out. The testbed was very simple: disable 3G/4G, start a packet sniffer such as tcpdump/wireshark so that I could dump all traffic, connect the phone to a WiFi hotspot and wait < 1 minute without doing anything (no starting applications or the like). Then analyze the pcap with nDPI to see what the phone did just by being connected to the WiFi. Below I report the results for two entry-level phones: a Samsung A5 and a Wiko Lenny 3.

Samsung A5

Detected protocols:
Unknown packets: 24 bytes: 2358 flows: 2
HTTP packets: 26 bytes: 14879 flows: 2
DHCP packets: 2 bytes: 1180 flows: 1
ICMP packets: 2 bytes: 3028 flows: 1
SSL packets: 36 bytes: 5220 flows: 4
Facebook packets: 44 bytes: 5594 flows: 6
Dropbox packets: 10 bytes: 1404 flows: 1
Google packets: 52 bytes: 7490 flows: 10
WhatsApp packets: 2 bytes: 363 flows: 1
Amazon packets: 10 bytes: 784 flows: 3
Telegram packets: 13 bytes: 1336 flows: 2
QUIC packets: 3 bytes: 4176 flows: 2
GoogleServices packets: 18 bytes: 2703 flows: 2

1 TCP 192.168.2.38:46556 <-> 192.168.2.1:80 [proto: 7/HTTP][13 pkts/987 bytes <-> 11 pkts/13766 bytes][Host: 192.168.2.1]
2 TCP 192.168.2.38:35056 <-> 52.210.33.72:5223 [proto: 91/SSL][10 pkts/1138 bytes <-> 7 pkts/2548 bytes][client: samsung.com][server: *.push.samsungosp.com]
3 TCP 192.168.2.38:45021 <-> 216.58.198.4:443 [proto: 91.126/SSL.Google][8 pkts/1745 bytes <-> 8 pkts/1347 bytes][client: www.google.com]
4 ICMP 192.168.2.38:0 <-> 192.168.2.1:0 [proto: 81/ICMP][1 pkts/1514 bytes <-> 1 pkts/1514 bytes]
5 TCP 192.168.2.38:41983 <-> 31.13.86.2:443 [proto: 91.119/SSL.Facebook][13 pkts/1967 bytes <-> 9 pkts/1015 bytes]
6 UDP 216.58.198.1:443 -> 192.168.2.38:54769 [proto: 188/QUIC][2 pkts/2784 bytes -> 0 pkts/0 bytes]
7 TCP 192.168.2.38:59877 <-> 108.177.96.188:5228 [proto: 91.239/SSL.GoogleServices][8 pkts/1554 bytes <-> 8 pkts/952 bytes][client: mtalk.google.com]
8 TCP 192.168.2.38:45494 <-> 31.13.86.34:443 [proto: 91.119/SSL.Facebook][7 pkts/1113 bytes <-> 5 pkts/643 bytes][client: mqtt-mini.facebook.com]
9 TCP 192.168.2.38:53058 <-> 162.125.66.1:80 [proto: 7.121/HTTP.Dropbox][5 pkts/645 bytes <-> 5 pkts/759 bytes][Host: www.dropbox.com]
10 UDP 216.58.198.1:443 -> 192.168.2.38:52545 [proto: 188/QUIC][1 pkts/1392 bytes -> 0 pkts/0 bytes]
11 ICMP 192.168.2.38:0 -> 216.58.198.1:0 [proto: 81.126/ICMP.Google][2 pkts/1180 bytes -> 0 pkts/0 bytes]
12 UDP 192.168.2.1:67 -> 192.168.2.38:68 [proto: 18/DHCP][2 pkts/1180 bytes -> 0 pkts/0 bytes]
13 TCP 192.168.2.38:38150 <-> 172.217.21.3:80 [proto: 7.126/HTTP.Google][5 pkts/670 bytes <-> 5 pkts/440 bytes][Host: connectivitycheck.gstatic.com]
14 TCP 192.168.2.38:33486 <-> 149.154.167.91:443 [proto: 91.185/SSL.Telegram][4 pkts/562 bytes <-> 2 pkts/318 bytes]
15 TCP 192.168.2.38:55213 <-> 172.217.17.46:80 [proto: 7.126/HTTP.Google][5 pkts/515 bytes <-> 3 pkts/289 bytes][Host: clients3.google.com]
16 TCP 136.243.146.196:443 <-> 192.168.2.38:59726 [proto: 91/SSL][8 pkts/714 bytes <-> 1 pkts/60 bytes]
17 TCP 52.210.33.72:5223 <-> 192.168.2.38:35029 [proto: 178/Amazon][3 pkts/352 bytes <-> 3 pkts/180 bytes]
18 TCP 149.154.167.91:443 <-> 192.168.2.38:32860 [proto: 91.185/SSL.Telegram][6 pkts/396 bytes <-> 1 pkts/60 bytes]
19 TCP 185.63.145.1:443 <-> 192.168.2.38:41318 [proto: 91/SSL][3 pkts/229 bytes <-> 3 pkts/180 bytes]
20 TCP 216.58.198.4:443 <-> 192.168.2.38:44774 [proto: 91.126/SSL.Google][5 pkts/330 bytes <-> 1 pkts/60 bytes]
21 UDP 192.168.2.38:25651 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][1 pkts/76 bytes <-> 1 pkts/287 bytes][Host: e15.whatsapp.net]
22 TCP 2.23.81.94:443 <-> 192.168.2.38:44761 [proto: 91/SSL][3 pkts/291 bytes <-> 1 pkts/60 bytes]
23 TCP 31.13.86.34:443 <-> 192.168.2.38:45466 [proto: 91.119/SSL.Facebook][2 pkts/163 bytes <-> 2 pkts/120 bytes]
24 UDP 192.168.2.38:14913 <-> 192.168.2.1:53 [proto: 5.119/DNS.Facebook][1 pkts/82 bytes <-> 1 pkts/127 bytes][Host: mqtt-mini.facebook.com]
25 UDP 192.168.2.38:30549 <-> 192.168.2.1:53 [proto: 5.119/DNS.Facebook][1 pkts/82 bytes <-> 1 pkts/122 bytes][Host: edge-mqtt.facebook.com]
26 UDP 192.168.2.38:32514 <-> 192.168.2.1:53 [proto: 5.126/DNS.Google][1 pkts/79 bytes <-> 1 pkts/119 bytes][Host: clients3.google.com]
27 UDP 192.168.2.38:9876 <-> 192.168.2.1:53 [proto: 5.239/DNS.GoogleServices][1 pkts/76 bytes <-> 1 pkts/121 bytes][Host: mtalk.google.com]
28 UDP 192.168.2.38:35465 <-> 192.168.2.1:53 [proto: 5.126/DNS.Google][1 pkts/89 bytes <-> 1 pkts/105 bytes][Host: connectivitycheck.gstatic.com]
29 UDP 192.168.2.38:44543 <-> 192.168.2.1:53 [proto: 5.126/DNS.Google][1 pkts/89 bytes <-> 1 pkts/105 bytes][Host: connectivitycheck.gstatic.com]
30 UDP 192.168.2.38:37248 <-> 8.8.8.8:53 [proto: 5.126/DNS.Google][1 pkts/74 bytes <-> 1 pkts/90 bytes][Host: www.google.com]
31 UDP 192.168.2.38:40550 <-> 8.8.4.4:53 [proto: 5.126/DNS.Google][1 pkts/74 bytes <-> 1 pkts/90 bytes][Host: www.google.com]
32 TCP 31.13.86.2:443 <-> 192.168.2.38:41957 [proto: 91.119/SSL.Facebook][1 pkts/100 bytes <-> 1 pkts/60 bytes]
33 TCP 52.222.146.9:80 <-> 192.168.2.38:52465 [proto: 7.178/HTTP.Amazon][1 pkts/66 bytes <-> 1 pkts/60 bytes]
34 TCP 52.222.149.122:80 <-> 192.168.2.38:36676 [proto: 7.178/HTTP.Amazon][1 pkts/66 bytes <-> 1 pkts/60 bytes]
35 TCP 151.101.114.202:80 <-> 192.168.2.38:57157 [proto: 7/HTTP][1 pkts/66 bytes <-> 1 pkts/60 bytes]

Wiko Lenny

  Unknown              packets: 6             bytes: 540           flows: 2            
  DNS                  packets: 30            bytes: 4348          flows: 15           
  HTTP                 packets: 9             bytes: 582           flows: 2            
  MDNS                 packets: 1             bytes: 439           flows: 1            
  SSDP                 packets: 33            bytes: 11765         flows: 3            
  DHCP                 packets: 5             bytes: 2281          flows: 2            
  QQ                   packets: 2             bytes: 220           flows: 1            
  IGMP                 packets: 1             bytes: 60            flows: 1            
  SSL                  packets: 104           bytes: 31401         flows: 6            
  ICMPV6               packets: 15            bytes: 1354          flows: 7            
  Dropbox              packets: 4             bytes: 2196          flows: 2            
  YouTube              packets: 95            bytes: 43326         flows: 8            
  Google               packets: 448           bytes: 171720        flows: 25           
  Spotify              packets: 2             bytes: 172           flows: 1            
  Amazon               packets: 130           bytes: 45409         flows: 11           
  PlayStore            packets: 432           bytes: 136001        flows: 8            
  GoogleServices       packets: 1681          bytes: 1118643       flows: 30           


Protocol statistics:
  1	TCP 192.168.2.49:52565 <-> 172.217.23.106:443 [proto: 91.239/SSL.GoogleServices][360 pkts/580391 bytes <-> 345 pkts/31695 bytes][client: play.googleapis.com]
  2	TCP 192.168.2.49:33912 <-> 216.58.205.138:443 [proto: 91.239/SSL.GoogleServices][127 pkts/19561 bytes <-> 142 pkts/184398 bytes][client: www.googleapis.com][server: *.googleapis.com]
  3	TCP 192.168.2.49:57865 <-> 172.217.23.106:443 [proto: 91.239/SSL.GoogleServices][129 pkts/86039 bytes <-> 151 pkts/29208 bytes][client: play.googleapis.com][server: *.googleapis.com]
  4	TCP 192.168.2.49:49034 <-> 216.58.198.3:443 [proto: 91.126/SSL.Google][77 pkts/5760 bytes <-> 75 pkts/98578 bytes][client: www.gstatic.com][server: *.google.com]
  5	TCP 192.168.2.49:33654 <-> 216.58.198.46:443 [proto: 91.228/SSL.PlayStore][80 pkts/20527 bytes <-> 96 pkts/34572 bytes][client: android.clients.google.com]
  6	TCP 192.168.2.49:36186 <-> 172.217.21.42:443 [proto: 91.239/SSL.GoogleServices][33 pkts/3444 bytes <-> 45 pkts/51108 bytes][client: playatoms-pa.googleapis.com][server: *.googleapis.com]
  7	TCP 192.168.2.49:50007 <-> 216.58.198.46:443 [proto: 91.228/SSL.PlayStore][31 pkts/18332 bytes <-> 41 pkts/9437 bytes][client: android.clients.google.com]
  8	TCP 192.168.2.49:42811 <-> 172.217.23.106:443 [proto: 91.239/SSL.GoogleServices][16 pkts/19096 bytes <-> 16 pkts/5144 bytes][client: play.googleapis.com][server: *.googleapis.com]
  9	TCP 192.168.2.49:35466 <-> 54.192.2.18:80 [proto: 7.178/HTTP.Amazon][23 pkts/2425 bytes <-> 21 pkts/21223 bytes][Host: api.ntracecloud.com]
  10	TCP 192.168.2.49:36148 <-> 216.58.198.46:443 [proto: 91.228/SSL.PlayStore][28 pkts/10959 bytes <-> 34 pkts/8169 bytes][client: android.clients.google.com]
  11	TCP 192.168.2.49:52066 <-> 216.58.198.46:443 [proto: 91.228/SSL.PlayStore][33 pkts/7237 bytes <-> 30 pkts/11619 bytes][client: android.clients.google.com][server: *.google.com]
  12	TCP 192.168.2.49:36262 <-> 216.58.198.3:443 [proto: 91.126/SSL.Google][14 pkts/1962 bytes <-> 13 pkts/12222 bytes][client: www.gstatic.com]
  13	TCP 192.168.2.49:56772 <-> 216.58.205.138:443 [proto: 91.239/SSL.GoogleServices][24 pkts/4408 bytes <-> 24 pkts/9647 bytes][client: www.googleapis.com][server: *.googleapis.com]
  14	UDP 192.168.2.49:54039 <-> 172.217.21.42:443 [proto: 188.239/QUIC.GoogleServices][13 pkts/8381 bytes <-> 10 pkts/5250 bytes][Host: youtubei.googleapis.com]
  15	TCP 192.168.2.49:60384 <-> 172.217.21.42:443 [proto: 91.239/SSL.GoogleServices][24 pkts/2597 bytes <-> 20 pkts/10078 bytes][client: chromecontentsuggestions-pa.googleapis.com][server: *.googleapis.com]
  16	TCP 192.168.2.49:35527 <-> 216.58.205.138:443 [proto: 91.239/SSL.GoogleServices][10 pkts/10641 bytes <-> 10 pkts/1930 bytes][client: www.googleapis.com]
  17	UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][30 pkts/11166 bytes -> 0 pkts/0 bytes]
  18	TCP 192.168.2.49:53793 <-> 64.233.167.81:443 [proto: 91.126/SSL.Google][18 pkts/3262 bytes <-> 17 pkts/7243 bytes][client: 9][server: sandbox.google.com]
  19	TCP 192.168.2.49:49444 <-> 216.58.198.13:443 [proto: 91.126/SSL.Google][21 pkts/3027 bytes <-> 16 pkts/6582 bytes][client: accounts.google.com][server: accounts.google.com]
  20	UDP 192.168.2.49:36491 <-> 172.217.17.238:443 [proto: 188.124/QUIC.YouTube][7 pkts/3698 bytes <-> 6 pkts/4932 bytes][Host: www.youtube.com]
  21	TCP 192.168.2.49:47901 <-> 13.250.83.167:443 [proto: 91/SSL][11 pkts/1873 bytes <-> 9 pkts/6688 bytes][client: s2ssn.toolkits.mobi]
  22	TCP 192.168.2.49:38412 <-> 13.250.83.167:443 [proto: 91/SSL][13 pkts/1673 bytes <-> 10 pkts/6755 bytes][client: s2ssn.toolkits.mobi]
  23	TCP 192.168.2.49:55740 <-> 216.58.198.42:443 [proto: 91.239/SSL.GoogleServices][19 pkts/2219 bytes <-> 14 pkts/5806 bytes][client: datasaver.googleapis.com][server: *.googleapis.com]
  24	UDP 192.168.2.49:59432 <-> 172.217.21.42:443 [proto: 188.239/QUIC.GoogleServices][7 pkts/3304 bytes <-> 5 pkts/4482 bytes][Host: youtubei.googleapis.com]
  25	UDP 192.168.2.49:34223 <-> 172.217.21.110:443 [proto: 188.124/QUIC.YouTube][7 pkts/3296 bytes <-> 5 pkts/4482 bytes][Host: i.ytimg.com]
  26	UDP 192.168.2.49:51529 <-> 172.217.21.110:443 [proto: 188.124/QUIC.YouTube][7 pkts/3296 bytes <-> 5 pkts/4482 bytes][Host: i.ytimg.com]
  27	TCP 192.168.2.49:57348 <-> 172.217.22.238:443 [proto: 91.228/SSL.PlayStore][13 pkts/1877 bytes <-> 11 pkts/5900 bytes][client: android.clients.google.com][server: *.google.com]
  28	TCP 192.168.2.49:35346 <-> 216.58.198.4:443 [proto: 91.126/SSL.Google][16 pkts/2296 bytes <-> 15 pkts/5237 bytes][client: www.google.com][server: www.google.com]
  29	TCP 192.168.2.49:45081 <-> 216.58.205.138:443 [proto: 91.239/SSL.GoogleServices][15 pkts/2187 bytes <-> 12 pkts/5337 bytes][client: www.googleapis.com][server: *.googleapis.com]
  30	TCP 192.168.2.49:41528 <-> 52.74.157.239:443 [proto: 91/SSL][11 pkts/1346 bytes <-> 8 pkts/6174 bytes][client: pks.a.mobimagic.com][server: a.mobimagic.com]
  31	TCP 192.168.2.49:37590 <-> 216.58.205.138:443 [proto: 91.239/SSL.GoogleServices][10 pkts/2199 bytes <-> 9 pkts/5060 bytes][client: www.googleapis.com][server: *.googleapis.com]
  32	TCP 192.168.2.49:52510 <-> 216.58.198.46:443 [proto: 91.228/SSL.PlayStore][16 pkts/2987 bytes <-> 15 pkts/3729 bytes][client: android.clients.google.com]
  33	TCP 192.168.2.49:41381 <-> 172.217.17.238:443 [proto: 91.124/SSL.YouTube][10 pkts/952 bytes <-> 8 pkts/5237 bytes][client: www.youtube.com][server: *.google.com]
  34	TCP 192.168.2.49:40804 <-> 172.217.21.110:443 [proto: 91.124/SSL.YouTube][10 pkts/948 bytes <-> 8 pkts/5238 bytes][client: i.ytimg.com][server: *.google.com]
  35	TCP 192.168.2.49:40814 <-> 172.217.21.110:443 [proto: 91.124/SSL.YouTube][10 pkts/948 bytes <-> 8 pkts/5238 bytes][client: i.ytimg.com][server: *.google.com]
  36	TCP 192.168.2.49:51964 <-> 172.217.23.66:443 [proto: 91.126/SSL.Google][11 pkts/1490 bytes <-> 7 pkts/4166 bytes][client: www.googleadservices.com][server: www.googleadservices.com]
  37	TCP 192.168.2.49:60891 <-> 172.217.17.226:443 [proto: 91.126/SSL.Google][10 pkts/1424 bytes <-> 8 pkts/4232 bytes][client: www.googleadservices.com][server: www.googleadservices.com]
  38	TCP 192.168.2.49:58471 <-> 172.217.17.234:443 [proto: 91.239/SSL.GoogleServices][10 pkts/961 bytes <-> 7 pkts/4298 bytes][client: translate.googleapis.com][server: *.googleapis.com]
  39	TCP 192.168.2.49:60391 <-> 172.217.21.42:443 [proto: 91.239/SSL.GoogleServices][9 pkts/894 bytes <-> 7 pkts/4299 bytes][client: youtubei.googleapis.com][server: *.googleapis.com]
  40	TCP 192.168.2.49:60395 <-> 172.217.21.42:443 [proto: 91.239/SSL.GoogleServices][9 pkts/894 bytes <-> 7 pkts/4299 bytes][client: youtubei.googleapis.com][server: *.googleapis.com]
  41	TCP 192.168.2.49:60388 <-> 172.217.21.42:443 [proto: 91.239/SSL.GoogleServices][9 pkts/894 bytes <-> 7 pkts/4297 bytes][client: youtubei.googleapis.com][server: *.googleapis.com]
  42	TCP 192.168.2.49:56231 <-> 216.58.213.228:443 [proto: 91.126/SSL.Google][12 pkts/2468 bytes <-> 13 pkts/2547 bytes][client: www.google.com]
  43	TCP 192.168.2.49:40628 <-> 35.156.170.184:80 [proto: 7.178/HTTP.Amazon][7 pkts/1319 bytes <-> 5 pkts/2979 bytes][Host: setting.rayjump.com]
  44	TCP 192.168.2.49:57549 <-> 35.158.23.155:80 [proto: 7.178/HTTP.Amazon][7 pkts/1319 bytes <-> 5 pkts/2979 bytes][Host: setting.rayjump.com]
  45	TCP 192.168.2.49:47091 <-> 34.209.7.180:80 [proto: 7.178/HTTP.Amazon][6 pkts/1718 bytes <-> 5 pkts/1719 bytes][Host: strategy.lmobi.net]
  46	TCP 192.168.2.49:52468 <-> 34.209.7.180:80 [proto: 7.178/HTTP.Amazon][6 pkts/1718 bytes <-> 5 pkts/1719 bytes][Host: strategy.lmobi.net]
  47	TCP 192.168.2.49:41006 <-> 14.215.138.67:443 [proto: 91/SSL][11 pkts/2577 bytes <-> 8 pkts/701 bytes]
  48	TCP 192.168.2.49:60319 <-> 13.250.83.167:443 [proto: 91/SSL][7 pkts/1534 bytes <-> 7 pkts/1091 bytes][client: s2ssn.toolkits.mobi]
  49	TCP 192.168.2.49:41343 <-> 64.233.166.114:80 [proto: 7.126/HTTP.Google][11 pkts/855 bytes <-> 13 pkts/1360 bytes][Host: check.googlezip.net]
  50	TCP 192.168.2.49:49508 <-> 35.158.23.155:80 [proto: 7.178/HTTP.Amazon][6 pkts/1261 bytes <-> 4 pkts/926 bytes][Host: setting.rayjump.com]
  51	TCP 192.168.2.49:51382 <-> 35.156.170.184:80 [proto: 7.178/HTTP.Amazon][6 pkts/1261 bytes <-> 4 pkts/926 bytes][Host: setting.rayjump.com]
  52	TCP 192.168.2.49:41344 <-> 64.233.166.114:80 [proto: 7.126/HTTP.Google][10 pkts/797 bytes <-> 6 pkts/890 bytes][Host: check.googlezip.net]
  53	UDP 192.168.2.1:67 -> 192.168.2.49:68 [proto: 18/DHCP][2 pkts/1180 bytes -> 0 pkts/0 bytes]
  54	UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][3 pkts/1101 bytes -> 0 pkts/0 bytes][Host: android-6f3c341a80a91fd2]
  55	UDP 192.168.2.20:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][2 pkts/1098 bytes -> 0 pkts/0 bytes]
  56	UDP 192.168.2.20:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][2 pkts/1098 bytes -> 0 pkts/0 bytes]
  57	TCP 192.168.2.49:59918 <-> 34.253.50.28:80 [proto: 7.178/HTTP.Amazon][5 pkts/565 bytes <-> 4 pkts/458 bytes][Host: wp.360overseas.com]
  58	TCP 192.168.2.49:42715 <-> 183.61.51.77:443 [proto: 91/SSL][5 pkts/588 bytes <-> 4 pkts/401 bytes]
  59	TCP 192.168.2.49:41345 <-> 64.233.166.114:80 [proto: 7.126/HTTP.Google][7 pkts/478 bytes <-> 4 pkts/288 bytes]
  60	TCP 192.168.2.49:56174 <-> 172.217.17.227:80 [proto: 7.126/HTTP.Google][4 pkts/457 bytes <-> 3 pkts/289 bytes][Host: connectivitycheck.gstatic.com]
  61	TCP 192.168.2.49:60385 <-> 172.217.21.42:443 [proto: 91.126/SSL.Google][5 pkts/338 bytes <-> 3 pkts/214 bytes]
  62	TCP 216.58.198.46:443 <-> 192.168.2.49:55897 [proto: 91.126/SSL.Google][7 pkts/462 bytes <-> 1 pkts/60 bytes]
  63	ICMPV6 [fe80::b2a2:e7ff:fed4:53eb]:0 <-> [fd00::5e49:79ff:fe75:4e6a]:0 [proto: 102/ICMPV6][3 pkts/258 bytes <-> 3 pkts/234 bytes]
  64	TCP 192.168.2.49:60392 <-> 172.217.21.42:443 [proto: 91.126/SSL.Google][4 pkts/272 bytes <-> 3 pkts/206 bytes]
  65	UDP 192.168.2.20:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][1 pkts/439 bytes -> 0 pkts/0 bytes]
  66	UDP 192.168.2.20:52355 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/432 bytes -> 0 pkts/0 bytes]
  67	TCP 13.229.191.253:443 <-> 192.168.2.49:37442 [proto: 91.178/SSL.Amazon][4 pkts/357 bytes <-> 1 pkts/60 bytes]
  68	TCP 192.168.2.49:40808 <-> 172.217.21.110:443 [proto: 91.126/SSL.Google][4 pkts/272 bytes <-> 2 pkts/140 bytes]
  69	UDP [fd00::b039:4ad6:2420:d62b]:31386 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5/DNS][1 pkts/99 bytes <-> 1 pkts/298 bytes][Host: api.ntracecloud.com]
  70	UDP [fd00::b039:4ad6:2420:d62b]:29094 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5.239/DNS.GoogleServices][1 pkts/107 bytes <-> 1 pkts/269 bytes][Host: playatoms-pa.googleapis.com]
  71	UDP [fd00::b039:4ad6:2420:d62b]:38428 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5.239/DNS.GoogleServices][1 pkts/104 bytes <-> 1 pkts/266 bytes][Host: datasaver.googleapis.com]
  72	UDP [fd00::b039:4ad6:2420:d62b]:18910 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5.239/DNS.GoogleServices][1 pkts/99 bytes <-> 1 pkts/261 bytes][Host: play.googleapis.com]
  73	UDP [fd00::b039:4ad6:2420:d62b]:56350 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5.239/DNS.GoogleServices][1 pkts/98 bytes <-> 1 pkts/260 bytes][Host: www.googleapis.com]
  74	TCP 13.229.191.253:443 <-> 192.168.2.49:42818 [proto: 91.178/SSL.Amazon][3 pkts/291 bytes <-> 1 pkts/60 bytes]
  75	UDP 192.168.2.49:35080 <-> 192.168.2.1:53 [proto: 5.239/DNS.GoogleServices][1 pkts/102 bytes <-> 1 pkts/248 bytes][Host: chromecontentsuggestions-pa.googleapis.com]
  76	UDP [fd00::b039:4ad6:2420:d62b]:52614 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5.228/DNS.PlayStore][1 pkts/106 bytes <-> 1 pkts/242 bytes][Host: android.clients.google.com]
  77	UDP 192.168.2.49:59979 <-> 192.168.2.1:53 [proto: 5/DNS][1 pkts/79 bytes <-> 1 pkts/251 bytes][Host: s2ssn.toolkits.mobi]
  78	UDP 192.168.2.49:65069 <-> 192.168.2.1:53 [proto: 5/DNS][1 pkts/79 bytes <-> 1 pkts/251 bytes][Host: s2ssn.toolkits.mobi]
  79	UDP [fd00::b039:4ad6:2420:d62b]:1066 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5/DNS][1 pkts/99 bytes <-> 1 pkts/231 bytes][Host: setting.rayjump.com]
  80	UDP [fd00::b039:4ad6:2420:d62b]:9270 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5/DNS][1 pkts/99 bytes <-> 1 pkts/231 bytes][Host: setting.rayjump.com]
  81	UDP [fd00::b039:4ad6:2420:d62b]:28384 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5/DNS][1 pkts/99 bytes <-> 1 pkts/231 bytes][Host: setting.rayjump.com]
  82	UDP [fd00::b039:4ad6:2420:d62b]:27354 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5/DNS][1 pkts/99 bytes <-> 1 pkts/227 bytes][Host: pks.a.mobimagic.com]
  83	TCP 14.17.43.118:80 <-> 192.168.2.49:42429 [proto: 7/HTTP][4 pkts/264 bytes <-> 1 pkts/60 bytes]
  84	UDP 192.168.2.49:15073 <-> 192.168.2.1:53 [proto: 5.239/DNS.GoogleServices][1 pkts/87 bytes <-> 1 pkts/233 bytes][Host: playatoms-pa.googleapis.com]
  85	ICMPV6 [fe80::5e49:79ff:fe75:4e6a]:0 -> [ff02::1]:0 [proto: 102/ICMPV6][2 pkts/316 bytes -> 0 pkts/0 bytes]
  86	UDP [fd00::b039:4ad6:2420:d62b]:16924 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5.239/DNS.GoogleServices][1 pkts/134 bytes <-> 1 pkts/181 bytes][Host: phonedeviceverification-pa-prod.sandbox.googleapis.com]
  87	UDP 192.168.2.49:51685 <-> 8.8.8.8:53 [proto: 5.239/DNS.GoogleServices][1 pkts/84 bytes <-> 1 pkts/230 bytes][Host: datasaver.googleapis.com]
  88	UDP 192.168.2.49:58121 <-> 192.168.2.1:53 [proto: 5.239/DNS.GoogleServices][1 pkts/84 bytes <-> 1 pkts/230 bytes][Host: datasaver.googleapis.com]
  89	UDP 192.168.2.49:50330 <-> 192.168.2.1:53 [proto: 5.239/DNS.GoogleServices][1 pkts/83 bytes <-> 1 pkts/229 bytes][Host: youtubei.googleapis.com]
  90	UDP 192.168.2.49:53840 <-> 192.168.2.1:53 [proto: 5.239/DNS.GoogleServices][1 pkts/83 bytes <-> 1 pkts/229 bytes][Host: youtubei.googleapis.com]
  91	UDP 192.168.2.49:57173 <-> 8.8.8.8:53 [proto: 5.239/DNS.GoogleServices][1 pkts/83 bytes <-> 1 pkts/229 bytes][Host: youtubei.googleapis.com]
  92	UDP 192.168.2.49:35247 <-> 192.168.2.1:53 [proto: 5.228/DNS.PlayStore][1 pkts/86 bytes <-> 1 pkts/222 bytes][Host: android.clients.google.com]
  93	UDP 192.168.2.49:51185 <-> 192.168.2.1:53 [proto: 5.124/DNS.YouTube][1 pkts/75 bytes <-> 1 pkts/221 bytes][Host: www.youtube.com]
  94	UDP 192.168.2.49:36133 <-> 192.168.2.1:53 [proto: 5.124/DNS.YouTube][1 pkts/71 bytes <-> 1 pkts/212 bytes][Host: i.ytimg.com]
  95	UDP [fd00::b039:4ad6:2420:d62b]:34377 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5/DNS][1 pkts/94 bytes <-> 1 pkts/169 bytes][Host: xvlczajjgoxwaw]
  96	UDP [fd00::b039:4ad6:2420:d62b]:20197 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5.126/DNS.Google][1 pkts/104 bytes <-> 1 pkts/158 bytes][Host: www.googleadservices.com]
  97	TCP 14.17.43.118:80 <-> 192.168.2.49:44735 [proto: 7/HTTP][3 pkts/198 bytes <-> 1 pkts/60 bytes]
  98	UDP [fd00::b039:4ad6:2420:d62b]:58378 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5/DNS][1 pkts/91 bytes <-> 1 pkts/166 bytes][Host: ltzilbhvwhv]
  99	UDP [fd00::b039:4ad6:2420:d62b]:56108 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5/DNS][1 pkts/88 bytes <-> 1 pkts/163 bytes][Host: aporeczc]
  100	UDP [fd00::b039:4ad6:2420:d62b]:36288 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5/DNS][1 pkts/104 bytes <-> 1 pkts/146 bytes][Host: xvlczajjgoxwaw.fritz.box]
  101	UDP [fd00::b039:4ad6:2420:d62b]:3062 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5/DNS][1 pkts/98 bytes <-> 1 pkts/146 bytes][Host: strategy.lmobi.net]
  102	UDP [fd00::b039:4ad6:2420:d62b]:42097 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5/DNS][1 pkts/101 bytes <-> 1 pkts/143 bytes][Host: ltzilbhvwhv.fritz.box]
  103	UDP [fd00::b039:4ad6:2420:d62b]:60852 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5/DNS][1 pkts/98 bytes <-> 1 pkts/140 bytes][Host: aporeczc.fritz.box]
  104	UDP [fd00::b039:4ad6:2420:d62b]:28941 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5/DNS][1 pkts/98 bytes <-> 1 pkts/130 bytes][Host: wp.360overseas.com]
  105	UDP 192.168.2.49:53682 <-> 192.168.2.1:53 [proto: 5.126/DNS.Google][1 pkts/84 bytes <-> 1 pkts/138 bytes][Host: www.googleadservices.com]
  106	UDP [fd00::b039:4ad6:2420:d62b]:1123 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5.48/DNS.QQ][1 pkts/94 bytes <-> 1 pkts/126 bytes][Host: mazu.3g.qq.com]
  107	UDP [fd00::b039:4ad6:2420:d62b]:50361 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5.126/DNS.Google][1 pkts/99 bytes <-> 1 pkts/115 bytes][Host: accounts.google.com]
  108	UDP 192.168.2.49:64356 <-> 192.168.2.1:53 [proto: 5.126/DNS.Google][1 pkts/89 bytes <-> 1 pkts/117 bytes][Host: connectivitycheck.gstatic.com]
  109	UDP [fd00::b039:4ad6:2420:d62b]:21466 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5.126/DNS.Google][1 pkts/95 bytes <-> 1 pkts/111 bytes][Host: www.gstatic.com]
  110	UDP [fd00::b039:4ad6:2420:d62b]:1325 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5.126/DNS.Google][1 pkts/94 bytes <-> 1 pkts/110 bytes][Host: www.google.com]
  111	UDP 192.168.2.49:48336 <-> 192.168.2.1:53 [proto: 5.126/DNS.Google][1 pkts/89 bytes <-> 1 pkts/105 bytes][Host: connectivitycheck.gstatic.com]
  112	UDP 192.168.2.49:39859 <-> 192.168.2.1:53 [proto: 5.239/DNS.GoogleServices][1 pkts/84 bytes <-> 1 pkts/100 bytes][Host: translate.googleapis.com]
  113	UDP 192.168.2.49:60478 <-> 192.168.2.1:53 [proto: 5.126/DNS.Google][1 pkts/79 bytes <-> 1 pkts/95 bytes][Host: check.googlezip.net]
  114	UDP 192.168.2.20:57621 -> 192.168.2.255:57621 [proto: 156/Spotify][2 pkts/172 bytes -> 0 pkts/0 bytes]
  115	UDP 192.168.2.20:49606 -> 239.255.255.250:1900 [proto: 12/SSDP][1 pkts/167 bytes -> 0 pkts/0 bytes]
  116	UDP 192.168.2.49:48155 <-> 192.168.2.1:53 [proto: 5.126/DNS.Google][1 pkts/74 bytes <-> 1 pkts/90 bytes][Host: www.google.com]
  117	ICMPV6 [::]:0 -> [ff02::1:ffd4:53eb]:0 [proto: 102/ICMPV6][2 pkts/156 bytes -> 0 pkts/0 bytes]
  118	ICMPV6 [fe80::b2a2:e7ff:fed4:53eb]:0 -> [ff02::2]:0 [proto: 102/ICMPV6][2 pkts/140 bytes -> 0 pkts/0 bytes]
  119	TCP 54.230.0.218:80 <-> 192.168.2.49:47761 [proto: 7.178/HTTP.Amazon][1 pkts/66 bytes <-> 1 pkts/60 bytes]
  120	ICMPV6 [fd00::5e49:79ff:fe75:4e6a]:0 -> [fd00::b039:4ad6:2420:d62b]:0 [proto: 102/ICMPV6][1 pkts/86 bytes -> 0 pkts/0 bytes]
  121	ICMPV6 [fd00::b039:4ad6:2420:d62b]:0 -> [ff02::1:ff75:4e6a]:0 [proto: 102/ICMPV6][1 pkts/86 bytes -> 0 pkts/0 bytes]
  122	ICMPV6 [::]:0 -> [ff02::1:ff20:d62b]:0 [proto: 102/ICMPV6][1 pkts/78 bytes -> 0 pkts/0 bytes]
  123	IGMP 192.168.2.1:0 -> 224.0.0.1:0 [proto: 82/IGMP][1 pkts/60 bytes -> 0 pkts/0 bytes]

As you can see, the results are pretty different. The Samsung phone is essentially behaving as I would expect:

  • The phone checked Internet connectivity (connectivitycheck.gstatic.com)
  • The installed apps connected home (e.g. Facebook, Telegram, WhatsApp)
  • The phone connected to Samsung push services (push.samsungosp.com)

So in essence this is expected behaviour, with no side effects.

The Wiko phone, instead, behaves quite differently:

  • The apps installed by the manufacturer connected home (e.g. 360overseas.com)
  • Some analytics information was shared (ssl.google-analytics.com)
  • The phone connected a few times to the CPU manufacturer, probably to check for updates (e.g. mepodownload.mediatek.com)
  • The phone, even though it was in Europe, started to connect to Chinese websites checking weather, location or other information (weather.jstinno.com, loc.map.baidu.com). Note that this was a stock phone with no Baidu account whatsoever.
  • Even the time was checked against Asian NTP servers (asia.pool.ntp.org).
  • The phone connected to other unknown sites (pmir.3g.qq.com, t1.hshh.org, pks.a.mobimagic.com); I have no idea why.
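
One way to triage a flow listing like the ones above, as an added example (not code from the original post or from nDPI): it parses the numbered flow lines, keeps only flows that involve the phone, and groups named destinations that fall outside an expected set. The PHONE addresses, the EXPECTED domain set and all function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample: flow lines copied from the Wiko listing on this page.
SAMPLE = """\
1 TCP 192.168.2.49:52565 <-> 172.217.23.106:443 [proto: 91.239/SSL.GoogleServices][360 pkts/580391 bytes <-> 345 pkts/31695 bytes][client: play.googleapis.com]
9 TCP 192.168.2.49:35466 <-> 54.192.2.18:80 [proto: 7.178/HTTP.Amazon][23 pkts/2425 bytes <-> 21 pkts/21223 bytes][Host: api.ntracecloud.com]
21 TCP 192.168.2.49:47901 <-> 13.250.83.167:443 [proto: 91/SSL][11 pkts/1873 bytes <-> 9 pkts/6688 bytes][client: s2ssn.toolkits.mobi]
22 TCP 192.168.2.49:38412 <-> 13.250.83.167:443 [proto: 91/SSL][13 pkts/1673 bytes <-> 10 pkts/6755 bytes][client: s2ssn.toolkits.mobi]
30 TCP 192.168.2.49:41528 <-> 52.74.157.239:443 [proto: 91/SSL][11 pkts/1346 bytes <-> 8 pkts/6174 bytes][client: pks.a.mobimagic.com][server: a.mobimagic.com]
55 UDP 192.168.2.20:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][2 pkts/1098 bytes -> 0 pkts/0 bytes]
57 TCP 192.168.2.49:59918 <-> 34.253.50.28:80 [proto: 7.178/HTTP.Amazon][5 pkts/565 bytes <-> 4 pkts/458 bytes][Host: wp.360overseas.com]
106 UDP [fd00::b039:4ad6:2420:d62b]:1123 <-> [fd00::5e49:79ff:fe75:4e6a]:53 [proto: 5.48/DNS.QQ][1 pkts/94 bytes <-> 1 pkts/126 bytes][Host: mazu.3g.qq.com]
"""

# Assumptions for this example, not stated by the post:
PHONE = {"192.168.2.49", "fd00::b039:4ad6:2420:d62b"}  # IPv6 address inferred from the listing
EXPECTED = {"google.com", "googleapis.com", "gstatic.com"}  # domains the analyst accepts

FLOW_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+<?->\s+(\S+)\s+(\[.*\])\s*$")
TAG_RE = re.compile(r"\[([^\]]*)\]")
BYTES_RE = re.compile(r"(\d+) pkts/(\d+) bytes <?-> (\d+) pkts/(\d+) bytes")

def endpoint_addr(ep):
    """'1.2.3.4:80' or '[fd00::1]:53' -> address without port or brackets."""
    return ep.rpartition(":")[0].strip("[]")

def parse_flow(line):
    """Parse one numbered flow line; return None for anything else."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    l4, src, dst, tags = m.groups()
    flow = {"l4": l4, "src": endpoint_addr(src), "dst": endpoint_addr(dst),
            "proto": "", "names": {}, "src_bytes": 0, "dst_bytes": 0}
    for tag in TAG_RE.findall(tags):
        counts = BYTES_RE.fullmatch(tag)
        key, _, val = tag.partition(": ")
        if counts:  # first counter belongs to the left-hand endpoint
            flow["src_bytes"] = int(counts.group(2))
            flow["dst_bytes"] = int(counts.group(4))
        elif key == "proto":
            flow["proto"] = val.partition("/")[2]  # e.g. "SSL.GoogleServices"
        elif key in ("Host", "client", "server"):
            flow["names"][key] = val
    return flow

def base_domain(name):
    """Last two labels of a name; a simplification that ignores the public suffix list."""
    labels = name.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None

def unexpected_destinations(report, device_addrs, expected):
    """Group the device's named flows by domain, skipping expected domains."""
    found = defaultdict(lambda: {"hosts": set(), "sent": 0, "received": 0, "connected": False})
    for line in report.splitlines():
        flow = parse_flow(line)
        if flow is None or not ({flow["src"], flow["dst"]} & device_addrs):
            continue  # summary line, or traffic of another host on the LAN
        names = flow["names"]
        name = names.get("Host") or names.get("client") or names.get("server")
        domain = base_domain(name) if name else None
        if domain is None or domain in expected:
            continue  # no Host/SNI to judge by, or a destination we expect
        entry = found[domain]
        entry["hosts"].add(name)
        if flow["proto"].startswith("DNS"):
            continue  # a lookup only; the bytes went to the resolver
        entry["connected"] = True
        if flow["src"] in device_addrs:
            sent, received = flow["src_bytes"], flow["dst_bytes"]
        else:
            sent, received = flow["dst_bytes"], flow["src_bytes"]
        entry["sent"] += sent
        entry["received"] += received
    return dict(found)

if __name__ == "__main__":
    for domain, e in sorted(unexpected_destinations(SAMPLE, PHONE, EXPECTED).items()):
        kind = "connected" if e["connected"] else "DNS lookup only"
        print(f"{domain:18} {kind:16} sent={e['sent']:<6} received={e['received']:<6} {sorted(e['hosts'])}")
```

Flows that carry no Host or SNI value, such as flows 47 and 58 in the Wiko listing, are not covered by this grouping and have to be judged by their remote address instead.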

Summary

Although this report cannot be considered exhaustive, the conclusion is that not all Android phones are alike. While the Samsung is a reasonable device that behaves how I would expect, the Wiko phone is doing things that I would not have expected. It is questionable that a phone should use the user's Internet plan to connect to sites the user has not requested; beyond that, this phone is probably leaking some information. For instance, what is this connection to loc.map.baidu.com doing?

POST /offline_loc HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Accept-Charset: UTF-8
Accept-Encoding: gzip
Host: loc.map.baidu.com
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0; LENNY3 Build/MRA58K)
Connection: Keep-Alive
Content-Length: 137

req=uOup7PD47aPjrPD7htHUjZicmpmc4svrsbLDtbqw5JeGiqj_rN3fpITVjdGcgJOYiZGYx6m348-Kl5vEzc7ala64oqno6P_os_fnoPO0vrWtsK6p_D4frHb.|tp=3&qt=conf

HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Encoding: gzip
Content-Length: 39
Content-Type: text/plain
Date: Tue, 16 Jan 2018 14:07:17 GMT
Expires: Wed, 17 Jan 2018 14:07:18 GMT
Http_x_bd_logid64: 14237345982061197261
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Server: nginx
Set-Cookie: BAIDUID=46A9A8928A9A7D17BF9672DB0DC1D421:FG=1; max-age=31536000; expires=Wed, 16-Jan-19 14:07:17 GMT; domain=.baidu.com; path=/; version=1
Vary: Accept-Encoding

{"ofl":0,"ver":"1"}

Bottom line: if you plan to purchase a new Android phone, you had better look at security and privacy rather than limiting yourself to price and features.