```http
POST /c/ HTTP/1.1
Content-Length: 113
Host: infoc2.duba.net
Connection: Keep-Alive

[113 bytes of binary request body, not shown]

HTTP/1.1 200 OK
Server: Kingsoft Web Server
Date: Mon, 28 Sep 2015 00:10:05 GMT
Content-Type: text/plain
Content-Length: 36
Connection: keep-alive

[common]
result=1
time=1443399005.
```

Alarming! I wasn't able to find any information about the IP address that seemed useful, so, freaked out, I decided to factory reset my phone. I'm so busy during the semester that I thought it would be best to just be done with it.
Fast forward to yesterday, when after getting my IDS back online I saw this:
The RFC-1918 address listed is the internal IP address of my Android phone. So I did some more digging. I started a new Wireshark capture and watched all traffic from my phone overnight. I also installed the very handy Network Connections Android App. I paid for it too so I could capture for a longer time. What did I see? Several connections made to Chinese servers from the Airbnb app. I started to think that I was wrong to worry because it's perfectly reasonable for Airbnb to use international infrastructure (there's only one Internet, right?). Except here's a transcript of the conversation that caused the IDS alert:
```http
POST /v2/report HTTP/1.1
Accept: application/json
Accept-Encoding: gzip
Content-Encoding: gzip
X-App-Key: 9f6627a3f8efaa87b929071c
Authorization: Basic MjgwNzY0MzQ1Mjo4ZTcyZasdfASH234yehereSAJfaA4MDc3ZTVmNDFiNQ==
Content-Length: 427
Host: stats.jpush.cn
Connection: Keep-Alive

[427 bytes of gzip-compressed request body, not shown]

HTTP/1.1 200 OK
Server: nginx/1.4.0
Date: Wed, 25 Nov 2015 16:43:28 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip

14
[20 bytes of gzip-compressed chunk data, not shown]
0
```

So what, you say? Here's what you get when you unzip the data the app sent to the server:
```json
{"content":[{"type":"loc_info","itime":1448462400,"network_type":"WIFI,","local_dns":"10.2.5.2",
  "wifi":[
    {"mac_address":"cc:b2:55:91:15:60","signal_strength":-72,"age":0},
    {"mac_address":"cc:b2:55:91:15:60","signal_strength":-72,"age":0},
    {"mac_address":"72:75:48:3e:e1:d4","signal_strength":-69,"age":0},
    {"mac_address":"64:0f:28:c5:2f:0a","signal_strength":-70,"age":0},
    {"mac_address":"cc:35:40:c8:4d:17","signal_strength":-72,"age":0},
    {"mac_address":"f0:99:bf:05:50:64","signal_strength":-74,"age":0},
    {"mac_address":"14:5b:d1:ac:f2:b0","signal_strength":-81,"age":0},
    {"mac_address":"08:86:3b:79:da:42","signal_strength":-84,"age":0},
    {"mac_address":"e4:f4:c6:01:ad:a9","signal_strength":-94,"age":0},
    {"mac_address":"ce:35:40:c8:4d:19","signal_strength":-73,"age":0},
    {"mac_address":"0a:86:3b:79:da:43","signal_strength":-85,"age":0}
  ],
  "cell":[{"cell_id":00000000,"location_area_code":14950,"mobile_country_code":0,"mobile_network_code":0,"signal_strength":-111,"age":0}],
  "gps":[{"lat":00.000000,"lng":-000.000000,"alt":-24,"bear":0,"acc":4}]}],
 "platform":"a","uid":2807643452,"app_key":"9f6627a3f8efaa87b929071c","sdk_ver":"1.8.2"}
```
Look closely and you'll notice that the MAC addresses and the signal strength of all the clients on my WiFi as well as my local DNS server were all uploaded to the server along with my location and cellular ID (which I've blanked out with zeros). Here is the result of the Network Connections capture:
| Local address | Local port | Remote address | Remote port | Package:UID | Time |
|---|---|---|---|---|---|
| 10.2.5.2 | 49994 | 58.67.203.149 | 7007 | com.airbnb.android:10113 | 11/24/2015 9:27 PM |
| 192.0.0.4 | 51390 | 119.90.34.198 | 7004 | com.airbnb.android:10113 | 11/24/2015 9:29 PM |
| 10.2.5.2 | 44554 | 58.67.196.172 | 7000 | com.airbnb.android:10113 | 11/24/2015 9:41 PM |
| 10.2.5.2 | 34173 | 58.67.196.172 | 7006 | com.airbnb.android:10113 | 11/25/2015 9:01 AM |
| 10.2.5.2 | 39308 | 58.67.196.188 | 7004 | com.airbnb.android:10113 | 11/25/2015 8:51 AM |
| 10.2.5.2 | 33237 | 183.232.42.227 | 80 | com.airbnb.android:10113 | 11/25/2015 8:51 AM |
| 10.2.5.2 | 38221 | 58.67.203.152 | 7004 | com.airbnb.android:10113 | 11/25/2015 9:01 AM |
| 10.2.5.2 | 43747 | 183.232.29.247 | 80 | com.airbnb.android:10113 | 11/25/2015 9:01 AM |
Airbnb does this even after you kill its background processes. My conclusion: Airbnb is tracking my every move. I'm uninstalling the app and complaining to Google.
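As an added example (not code from the original post or from JPush), here is a small Python checker that takes a raw HTTP POST of the kind shown above, gunzips the body, and reports which privacy-sensitive fields of a `loc_info` report it contains, so a capture can be triaged without reading the JSON by eye. The sample request is constructed: its MAC addresses, coordinates, ids and app key are made up, and the key-to-description mapping is my own.

```python
import gzip
import json

# Keys from the JPush "loc_info" report shown above, mapped to what each reveals.
SENSITIVE_KEYS = {"mac_address": "nearby WiFi BSSID", "lat": "GPS latitude",
                  "lng": "GPS longitude", "cell_id": "cell tower id",
                  "local_dns": "local DNS resolver"}


def inspect_report(raw: bytes) -> dict:
    """Parse a raw HTTP POST, gunzip the body if so encoded, tally sensitive fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("content-encoding") == "gzip":
        body = gzip.decompress(body)
    doc = json.loads(body)
    found = {}

    def walk(node):  # recurse through nested dicts/lists, collecting flagged keys
        if isinstance(node, dict):
            for key, value in node.items():
                if key in SENSITIVE_KEYS:
                    found.setdefault(SENSITIVE_KEYS[key], []).append(value)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(doc)
    return {"host": headers.get("host"), "app_key": doc.get("app_key"),
            "uid": doc.get("uid"), "found": found}


# Constructed sample with the same structure as the report on this page;
# the MAC addresses, coordinates, ids and app key are made up, not captured.
SAMPLE_REPORT = {
    "content": [{"type": "loc_info", "itime": 1448462400, "network_type": "WIFI,",
                 "local_dns": "10.0.0.1",
                 "wifi": [{"mac_address": "02:00:00:00:00:01", "signal_strength": -70},
                          {"mac_address": "02:00:00:00:00:02", "signal_strength": -80}],
                 "cell": [{"cell_id": 12345, "location_area_code": 1, "signal_strength": -111}],
                 "gps": [{"lat": 12.345678, "lng": -98.765432, "alt": 0, "bear": 0, "acc": 4}]}],
    "platform": "a", "uid": 1234567890, "app_key": "EXAMPLE_APP_KEY", "sdk_ver": "1.8.2"}
GZIPPED = gzip.compress(json.dumps(SAMPLE_REPORT).encode())
SAMPLE_REQUEST = (b"POST /v2/report HTTP/1.1\r\nHost: stats.jpush.cn\r\nContent-Encoding: gzip\r\n"
                  b"Content-Length: %d\r\n\r\n" % len(GZIPPED)) + GZIPPED
```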