Apps and Sites Revealing Your Location?

While we all know that websites and applications are collecting personal information such as our locations when we use our mobile devices, it is shocking how often those websites fail to protect that information.

If an application doesn’t encrypt personal information while it is transiting the internet, you can safely assume that the company has not correctly prioritized protecting this information.  “Leaked” information, or information that is not encrypted when collected, is common not only among small companies, but major organizations fail to take this simple precaution.

Often times, the offense occurs in third party libraries that are integrated into an application to support advertising or mapping.  In a quick test, we found apps for AAA, the Weather Channel and various websites leaking our location, unencrypted, through various requests. You can use the same approach that we did to find leaky applications on your devices.

This post will walk you through the steps to define rules to detect your location in your traffic and reveal which sites and apps you may want to think twice about before using.

In this example, we’re going to use Network Monitor to analyze network traffic and tag streams that contain unencrypted coordinates of a particular location. There are several ways to match geo traffic, but here we’re going to use a rule to create a new “location” metadata tag which enables some interesting features.

To get started, open the Recon Network Monitor and click the rules icon in the upper right hand corner of the GUI,then click the “Insert Metadata” icon on the left.


We’re going to define a rule to identify streams containing unencrypted geo coordinates, and a new metadata field which will contain the detected values.

For this example, the GPS coordinates of our office are around 39 degrees latitude and -77 degrees longitude. Since the exact location of a device may fluctuate, we’ll need to write a Regex that allows for a small range of values. We’re basically defining a bounding box for our location using the following regular expression:

(3[89]\.[0-9]{3,10})[^0-9]*(-{0,1}77\.[0-9]{3,10})[^0-9]

First we need to create a rule to search the metadata field stream.content (the full content of a stream) for matches with the regular expression above. Adjust the numbers in this expression match to your location and click on the “regex” checkbox.

Now we’ll define new metadata fields to extract for all streams identified by the new rule. Click on “Add Extraction” to open the extraction dialog. Here we can enter another regular expression to extract whatever we want from the matching streams. Though in this case we’ll reuse the expression in the url to extract the values matched. Once the regex is entered, you’ll notice that the GUI detects two “tokens” which you can assign to new metadata fields. (These tokens are the portions of the regex contained within parenthesis, also known as “capture groups”) For this example. we’ll name the new metadata fields “location.latitude” and “location.longitude”.

Click “OK” to save the new extraction rules and close the dialog box. Finally click the “Add” button to add the rule to the rules dictionary.


The rule we just defined looks for our location’s latitude and longitude separated by any text. We’ll also create a rule that will match coordinates that are written with the longitude preceding latitude as this sequence is also commonly used. This rule can be created using the same steps as above, but using a modified regular expression:

(-{0,1}77\.[0-9]{3,10})[^0-9]*(3[89]\.[0-9]{3,10})[^0-9]

Be sure to also use this new regular expression for the metadata extraction associated with this new rule. Once the rules are created, make sure they’re enabled (The blue Dictionary icon on the left of the rule listing is visible).

Now that the new rules have been created it’s time to load some traffic to look for traffic leaking your location. You can load an existing PCAP file or run a live capture of your network.

Note: When processing traffic after modifying rule definitions, Recon needs to re-compile the rules dictionary. This process happens automatically after  clicking “process” and may take several minutes. 

Once your capture has been loaded the new metadata fields will be associated with relevant streams and can be used for filtering. Here we’ll take a look at creating a Data Explorer report with the new metadata. Open the Data Explorer by clicking the Data Explorer icon in the global nav on the left of the GUI. The Data Explorer allows you to create reports (Click “+ New Report”) using metadata fields and will be populated with streams containing this field. Here is the definition of a new report for the “location.latitude” and “location.longitude” fields we just created.

If any streams were identified as containing the location used to define the new rules, you will see the detected coordinates listed in the new Data Explorer Report.
Filtering by these coordinates allows you to find the streams that contain them. We ran a quick network capture with an iPad to test this for ourselves. After filtering to some of the location values, we found unencrypted streams containing our geo data for the AAA mobile app, a local NBC weather site, and Home Depot’s store locator.

When inspecting streams, it is not always obvious with what app or website they are associated. Clicking on that stream will display additional detail including http headers, and the User Agent. This information can be used to determine the stream’s purpose. In many cases the user agent will reveal a mobile app. Advertisers often publish geo data and http.referer metadata value will reveal which site generated the request to the advertiser.

By creating rules and extracting metadata pertaining to geographical coordinates, you’ll ensure that any streams containing your devices’ geographical locations will be flagged.

Questions? Comment below or contact us!

Network Monitor Professional Beta 0.2.0

Documents Extracted from PCAP

After months of development, we at Recon are excited to release version 0.2.0 beta of Network Monitor Professional! Like the impending production release, the new beta is a free, fully-featured standalone network forensics application. There is no trial period, no disabled features, no usage limit, and no pestering advertisements.

New Features since 0.1.0:

– Added document (SMB) and unencrypted email displays in the Content Explorer

– Added disk usage to file upload display

– Added support for software updates in the About section

Enhancements since 0.1.0:

– Improved scrolling performance on Devices, Streams, and Content Explorer

– Updated Streams, Devices, and Content Explorer pages to load data on user request

– Added item counts to Content Explorer tabs

– Improved Content Explorer rendering performance

– Updated Content Explorer to display images transferred over SMB or email

– Varied UI page rendering performance improvements

– Updated Memory Usage display on the Capture page

– Updated stream “info tray” implementation

– Fixed Geo display in Stream Details Info Tray

– Improved App Server data ingest performance from engine

– Resolved resource leaks impacting performance in the Application Server

– Improved engine detection of email attachments

Download and try version 0.2.0 from our downloads page.

If you have any questions or comments regarding downloading or using Network Monitor, reach out to us on our forums or contact us.

Detecting Apps on Mobile Network Devices

One of Recon’s primary features is the ability to provide detailed insight into network devices and applications. Though you may have various applications installed on your devices, not all of them are as prominent on the network as you might expect. Some applications don’t use the network, while others use protocols whose signatures are difficult to tie to a specific application. The question then emerges—Given limited application presence on a network, can you still determine if an application is on a device using your network? Throughout our time as network analysts, we’ve noticed that applications can be detected by monitoring for streams associated with software updates. In the case of iOS, application updates must be downloaded from the iTunes store. These updates show up in the download streams present on your network like the one below:

By viewing one of these download streams in the Streams section of Network Monitor and clicking on the “Raw Stream” tab, the package name of the updated application is visible within the raw stream data. This unencrypted package name combined with the download host (iosapps.itunes.apple.com) provide enough of a signature to develop a rule that can extract and display the app names as they are updated.

To create the rule, click on the Rules icon in the top right corner of Network Monitor followed by the Insert Metadata tab on the left of the screen. This will allow you to create a rule that inspects specific metadata fields and searches for expressions that signify app updates. Here’s what the rule we’re creating looks like:

Use “Payload\/[-A-Z0-9a-z_]+.app\/UX” as the matching expression, and be sure to check the “Regex” box in the first line to denote that it’s a Regex expression. As for the application package names, we’ll extract the app name text into the metadata field app.update.name. Click on “Add Extraction” to open the metadata extraction window. Fill in the desired field (which in this case is “stream.content”) along with the matching expression, “Payload\/([-A-Z0-9a-z_]+).app\/UX “.

Once finished click on “OK” and then “Add” to save the rule to the dictionary. When added to the dictionary, this newly created rule will run every time you run Recon, searching for any updated iOS apps on your network devices.

Reload Recon to implement the new rule, and open the Data Explorer tab. Here you can create a new report that lists the iOS apps that have been updated from the app store based on the new metadata field you just defined.

Detected iOS Application Report

Now that the iOS applications are visible, what about Android apps? After analyzing Android device traffic using Recon we discovered that the names of the updated application packages are encrypted in TLS streams. This demonstrates the benefit of encrypting network traffic even if it contains seemingly innocuous data.

Links to the pcap files for both iOS and Android devices are available below. Take a look at the app update (or lack thereof) in each one, and practice writing a rule for yourself!

iTunes update capture: itunesUpdate.pcap (1.4M)

Android update capture: androidUpdate.pcap (1.4M)

Note: The streams in these sample captures have been truncated to reduce file size

Questions? Comment below or contact us!