One of Recon’s primary features is the ability to provide detailed insight into network devices and applications. Though you may have various applications installed on your devices, not all of them are as prominent on the network as you might expect. Some applications don’t use the network at all, while others use protocols whose signatures are difficult to tie to a specific application. The question then emerges: given limited application presence on a network, can you still determine whether an application is installed on a device using your network? Throughout our time as network analysts, we’ve noticed that applications can be detected by monitoring for streams associated with software updates. In the case of iOS, application updates must be downloaded from the iTunes store. These updates show up in the download streams present on your network, like the one below:
By viewing one of these download streams in the Streams section of Network Monitor and clicking on the “Raw Stream” tab, the package name of the updated application is visible within the raw stream data. This unencrypted package name, combined with the download host (iosapps.itunes.apple.com), provides enough of a signature to develop a rule that extracts and displays the app names as they are updated.
To create the rule, click on the Rules icon in the top right corner of Network Monitor followed by the Insert Metadata tab on the left of the screen. This will allow you to create a rule that inspects specific metadata fields and searches for expressions that signify app updates. Here’s what the rule we’re creating looks like:
Use “Payload\/[-A-Z0-9a-z_]+.app\/UX” as the matching expression, and be sure to check the “Regex” box in the first line to denote that it is a regular expression. As for the application package names, we’ll extract the app name text into the metadata field app.update.name. Click on “Add Extraction” to open the metadata extraction window. Fill in the desired field (which in this case is “stream.content”) along with the matching expression, “Payload\/([-A-Z0-9a-z_]+).app\/UX”; the parenthesized group is the part that is captured into app.update.name.
Once finished, click on “OK” and then “Add” to save the rule to the dictionary. Once it is in the dictionary, this newly created rule will run every time you run Recon, searching for any updated iOS apps on your network devices.
Reload Recon to implement the new rule, and open the Data Explorer tab. Here you can create a new report that lists the iOS apps that have been updated from the app store based on the new metadata field you just defined.
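To see what the rule above actually does to a raw stream, here is an added Python example (not part of the original post or of Recon itself) that applies the same signature to a constructed download stream: the download host acts as the pre-filter and the capture group becomes the app.update.name value. It escapes the dot before “app”, which the page’s expression leaves unescaped, so that only a literal “.app” matches; the sample bytes, and the assumption that the “UX” following the entry name is the zip extra-field tag inside the .ipa, are constructed here and not taken from the pcaps.

```python
import re

# Signature mirrored from the page's rule. The '.' before "app" is escaped
# here so it matches only a literal dot; unescaped, as in the page's
# expression, it would also accept e.g. "Payload/Fooxapp/UX".
APP_UPDATE_RE = re.compile(rb"Payload/([-A-Za-z0-9_]+)\.app/UX")
DOWNLOAD_HOST = b"iosapps.itunes.apple.com"


def extract_app_updates(raw_stream: bytes) -> list[str]:
    """Return the app bundle names found in one raw download stream.

    Only streams that reference the iTunes download host are considered,
    matching the host + package-name signature described on the page.
    Each name is reported once, as one report row would be.
    """
    if DOWNLOAD_HOST not in raw_stream:
        return []
    names: list[str] = []
    for match in APP_UPDATE_RE.finditer(raw_stream):
        name = match.group(1).decode("ascii")
        if name not in names:
            names.append(name)
    return names


# Constructed sample stream (not from the page's pcap): an HTTP request to
# the download host, followed by fragments resembling zip local-file
# headers from an .ipa. "PK\x03\x04" is the zip local-file-header
# signature; the bytes between it and the entry name are filler. The "UX"
# after "Payload/<name>.app/" is assumed to be the zip extra-field tag
# that follows the entry name in the header.
SAMPLE_STREAM = (
    b"GET /itunes-assets/example.ipa HTTP/1.1\r\n"
    b"Host: iosapps.itunes.apple.com\r\n\r\n"
    + b"PK\x03\x04" + b"\x00" * 26
    + b"Payload/ExampleApp.app/UX\x0c\x00"
    + b"PK\x03\x04" + b"\x00" * 26
    + b"Payload/ExampleApp.app/Info.plistUX"   # nested file: no match
    + b"PK\x03\x04" + b"\x00" * 26
    + b"Payload/Other-App_2.app/UX\x0c\x00"
)

if __name__ == "__main__":
    print(extract_app_updates(SAMPLE_STREAM))  # ['ExampleApp', 'Other-App_2']
```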
Now that the iOS applications are visible, what about Android apps? After analyzing Android device traffic using Recon, we discovered that the names of the updated application packages are encrypted in TLS streams. This demonstrates the benefit of encrypting network traffic even when it contains seemingly innocuous data.
Links to the pcap files for both iOS and Android devices are available below. Take a look at the app update (or lack thereof) in each one, and practice writing a rule for yourself!
iTunes update capture: itunesUpdate.pcap (1.4M)
Android update capture: androidUpdate.pcap (1.4M)
Note: The streams in these sample captures have been truncated to reduce file size
Questions? Comment below or contact us!