Android background activity, connecting to WiFi, recorded with Pi-Hole

-Sony Xperia Android phone with all Google apps disabled (via app manager), except for Play Services, which can’t be disabled.

-No Google account.

-Apparent Android system-required apps/functions not disabled.

-Most installed apps are from F-Droid, with a few from Amazon, and a few pre-installed from Sony.

-DNS provider is Cloudflare 1.1.1.2, 1.0.0.2 via Pi-Hole application on a Raspberry Pi.

The following activities were triggered by connecting to home WiFi:

|2021-06-05 13:59:50 |connectivitycheck.gstatic.com| Retried|
|2021-06-05 13:59:50 |www.google.com| OK (forwarded to 1.0.0.2#53)|
|2021-06-05 13:59:51 |mtalk.google.com| OK (forwarded to 1.0.0.2#53)|
|2021-06-05 13:59:55 |connectivitycheck.gstatic.com| Retried|
|2021-06-05 14:00:00 |connectivitycheck.gstatic.com| Retried|
|2021-06-05 14:00:05 |connectivitycheck.gstatic.com| Retried|
|2021-06-05 14:00:10 |connectivitycheck.gstatic.com| Retried|
|2021-06-05 14:00:15 |connectivitycheck.gstatic.com| Retried|
|2021-06-05 14:00:20 |connectivitycheck.gstatic.com| Retried|
|2021-06-05 14:00:25 |connectivitycheck.gstatic.com| OK (forwarded to 1.0.0.2#53)|

(Email and Signal background app connections removed from above table)

I will add to this thread as I test specific apps and actions over WiFi and observe the attempted background connections as recorded in the Pi-Hole app.
(Only a small sampling of apps, though, as this kind of thing is no doubt a very deep rabbit hole!):rabbit2:

-The “gravity” entry refers to the ad-blocking list in Pi-Hole.

4 Likes

Opening Sony Album (photo management app):

|2021-06-05 14:41:32 |se.social.sc.sonymobile.com|OK (forwarded to 1.1.1.2#53)|
|2021-06-05 14:41:32 |www.googletagmanager.com|Blocked (gravity)|

Opening Hotels.com app (which was installed from Amazon):

|2021-06-05 14:50:00 |1.pool.ntp.org|OK (forwarded to 1.1.1.2#53)|
|2021-06-05 14:50:00 |2.pool.ntp.org|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 14:50:00 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 14:50:00 |md-a-c.apptimize.com|Blocked (gravity)|
|2021-06-05 14:50:01 |om.hotels.com|Blocked (gravity)|
|2021-06-05 14:50:01 |mas-ext.amazon.com|OK (forwarded to 1.1.1.2#53)|
|2021-06-05 14:50:01 |consumer.exacttargetapis.com|Blocked (gravity)|
|2021-06-05 14:50:02 |kinesis.us-east-1.amazonaws.com|OK (forwarded to 1.1.1.2#53)|
|2021-06-05 14:50:16 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 14:50:24 |device-metrics-us.amazon.com|Blocked (gravity)|
|2021-06-05 14:50:24 |api.amazon.com|OK (forwarded to 1.1.1.2#53)|
|2021-06-05 14:50:26 |device-metrics-us.amazon.com|Blocked (gravity)|
|2021-06-05 14:50:31 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 14:50:46 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 14:50:57 |www.googletagmanager.com|Blocked (gravity)|
|2021-06-05 14:51:01 |186232.engine.mobileapptracking.com|Blocked (gravity)|
|2021-06-05 14:51:01 |graph.facebook.com|Blocked (exact blacklist)|

(I should note that Facebook is not something I would ever willingly interact with.)

Not interacting with the Hotels.com app in any way, then closing it:

|2021-06-05 14:51:01 |186232.engine.mobileapptracking.com|Blocked (gravity)|
|2021-06-05 14:51:15 |consumer.exacttargetapis.com|Blocked (gravity)|
|2021-06-05 14:54:07 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 14:54:22 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 14:54:37 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 14:54:51 |brahe.apptimize.com|Blocked (gravity)|
|2021-06-05 14:54:52 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 14:56:35 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 14:56:50 |186232.engine.mobileapptracking.com|Blocked (gravity)|
|2021-06-05 14:56:50 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 14:57:05 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 14:57:20 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 14:58:53 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 14:58:54 |om.hotels.com|Blocked (gravity)|
|2021-06-05 14:58:55 |ssl.hotels.com|OK (forwarded to 1.1.1.2#53)|
|2021-06-05 14:58:55 |www.hotels.com|OK (forwarded to 1.1.1.2#53)|
|2021-06-05 14:58:55 |consumer.exacttargetapis.com|Blocked (gravity)|
|2021-06-05 14:59:08 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 14:59:11 |consumer.exacttargetapis.com|Blocked (gravity)|
|2021-06-05 14:59:23 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 14:59:38 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 14:59:53 |mas-ext.amazon.com|OK (forwarded to 1.1.1.2#53)|
|2021-06-05 14:59:53 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 15:00:08 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 15:00:23 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 15:00:38 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 15:00:45 |186232.engine.mobileapptracking.com|Blocked (gravity)|
|2021-06-05 15:02:35 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 15:02:43 |device-metrics-us.amazon.com|Blocked (gravity)|
|2021-06-05 15:03:41 |graph.facebook.com|Blocked (exact blacklist)|

-The term “exact blacklist” refers to an item that I manually blocked.

Attempted connections continuing even after I left the Hotels.com app:

|2021-06-05 15:16:11 |graph.facebook.com|Blocked (exact blacklist)|
|2021-06-05 15:16:11 |brahe.apptimize.com|Blocked (gravity)|

2 Likes

Launching the Startpage app (from Amazon’s app store), searching for “news” and selected BBC News Home:

|2021-06-05 15:27:17 |mas-ext.amazon.com|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:27:32 |startpage.com|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:27:33 |www.startpage.com|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:28:57 |gn-web-assets.api.bbc.com|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:28:57 |polling.bbc.co.uk|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:28:57 |idcta.api.bbc.co.uk|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:28:57 |ichef.bbci.co.uk|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:28:57 |mybbc-analytics.files.bbci.co.uk|Blocked (gravity)|
|2021-06-05 15:28:57 |www.bbc.com|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:28:58 |fundingchoicesmessages.google.com|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:28:58 |cdn.permutive.com|Blocked (gravity)|
|2021-06-05 15:28:58 |securepubads.g.doubleclick.net|Blocked (gravity)|
|2021-06-05 15:28:58 |bbc.gscontxt.net|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:28:59 |sb.scorecardresearch.com|Blocked (gravity)|
|2021-06-05 15:28:59 |me-ssl.effectivemeasure.net|Blocked (gravity)|
|2021-06-05 15:28:59 |pagead2.googlesyndication.com|Blocked (gravity)|
|2021-06-05 15:28:59 |static.chartbeat.com|Blocked (gravity)|
|2021-06-05 15:29:00 |edigitalsurvey.com|OK (forwarded to 1.0.0.2#53)|

1 Like

Sorry to interuprt your flow, did you disable any of the Google apps via ADB or just through the app manager in settings?

Dont know if it would make a difference, mainly curious is all (don’t currently have a device with Google to test) but am assuming the gstatic calls on WiFi are part of the passive collection as mentioned here:

2 Likes

I only disabled them through the app manager. (Edited the original post to reflect this.)
Thanks for the links.

2 Likes

Launching the DuckDuckGo app (from F-Droid), searching for “news” and selecting BBC News Home:

|2021-06-05 15:43:20 |duckduckgo.com|OK (cached)|
|2021-06-05 15:43:20 |improving.duckduckgo.com|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:43:20 |staticcdn.duckduckgo.com|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:43:39 |links.duckduckgo.com|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:43:40 |external-content.duckduckgo.com|OK (cached)|
|2021-06-05 15:43:51 |device-metrics-us.amazon.com|Blocked (gravity)|
|2021-06-05 15:44:43 |gn-flagpoles.api.bbci.co.uk|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:44:43 |m.files.bbci.co.uk|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:44:43 |news.files.bbci.co.uk|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:44:43 |ichef.bbci.co.uk|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:44:43 |mybbc-analytics.files.bbci.co.uk|Blocked (gravity)|
|2021-06-05 15:44:43 |nav.files.bbci.co.uk|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:44:43 |static.files.bbci.co.uk|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:44:43 |www.bbc.com|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:44:44 |fundingchoicesmessages.google.com|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:44:44 |bbc.gscontxt.net|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:44:44 |mybbc.files.bbci.co.uk|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:44:44 |polling.bbc.co.uk|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:44:44 |idcta.api.bbc.co.uk|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:44:44 |gn-web-assets.api.bbc.com|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:44:44 |ychef.files.bbci.co.uk|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:44:45 |push.api.bbci.co.uk|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:44:45 |improving.duckduckgo.com|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:44:47 |edigitalsurvey.com|OK (forwarded to 1.0.0.2#53)|
|2021-06-05 15:44:47 |me-ssl.effectivemeasure.net|Blocked (gravity)|

I use xperia also, and have Android 10 on a ~2016 model thanks to the Sony Open Devices program and project treble you can get more control and block Play Services but the OS is quite heavily hamstrung - notifications about texts don’t work on my phone since I blocked it but I think its worth it to see what a tight grip google has.

See if your exact model is on this list


or read more about the project in general here
1 Like

There was research published this year that both android and iphones connect every couple of minutes to the internet and transfer data independent from user interaction and privacy settings.

Also there is an app “Exodus” or “Exodus privacy” in f-droid. It searches for known tracker classes in installed apps. It will blame apps that have the trackers inside but don’t use them and it can’t show unknown trackers or trackers with other techniques. So the evidence is different from what you are doing.

I thought both point match the topic.

1 Like

My model is on the list.
At some point I’ll probably install LineageOS, though (if I can learn how to do it). Which do you think is a better option, considering usability and privacy?

Thanks. I just took a look and it says it only works with apps installed from Google Play, which I don’t use. I like the concept, though. Plus, it can block trackers over the cellular network, I guess, whereas Pi-Hole only works on my WiFi network.

I’ve been using Blokada for a while now, I’ve been pretty happy with it.

1 Like

I blew some stimulus money and bought 2 brand new Pixel 4a’s , one with Lineage 18.1 and the other one with Graphene. There’s tutorials to do it yourself but I’m too lazy and probably to stupid to do it myself. Lineage is okay. Haven’t fired up the Graphene yet though.

1 Like

That looks very interesting. I’ll give it a spin soon, as it’s available on F-Droid. Thanks.

I would love to see what kind of background connections go on in these two operating systems. I’m sure lots of commercial apps will make, or attempt to make, nefarious connections, but it would be interesting to know if the OS themselves do.

You could run them through Pi-Hole on your home network and check them out.

Doing nothing but turning the phone on after it has been off overnight, Pi-Hole logs connections or attempted connections to:

alt1-mtalk.google(dot)com
android.googleapis(dot)com
brahe.apptimize(dot)com
connectivitycheck.gstatic(dot)com
firebaseremoteconfig.googleapis(dot)com
graph.facebook(dot)com
md-a-c.apptimize(dot)com
mtalk.google(dot)com
ntp.nict(dot)jp
oneclient.sfx(dot)ms
safebrowsing.googleapis(dot)com
settings.crashlytics(dot)com
time.izatcloud(dot)net
www.google(dot)com
www.googleapis(dot)com
www.googletagmanager(dot)com
xtrapath1.izatcloud(dot)net

The “ntp.nict(dot)jp” apparently refers to Network Time Protocal from this Japanese institute: https://en.wikipedia.org/wiki/NICT

Note that my phone is still attempting to contact freakin’ Facebook, even after my phone was turned off for hours, probably because I blocked it yesterday when I noticed it was triggered by the Hotels.com app…and it just keeps trying again and again. (And obviously Facebook has never been installed on my phone!)

Edit: Another thing I noticed yesterday, while my phone was idle, was a couple of blocked attempts to contact telemetry.api.swiftkey.com. Swiftkey is the default keyboard… Time to switch, I guess!

All kinds of apps talk to that Facebook site. I first noticed Spotify doing it. I’m not exactly sure what it’s for, though.

1 Like

As far as I’m concerned, if it says “facebook” on it, it’s automatically Evil.

P.S. I’m now running Blokada with the Exodus Privacy list, Developer Dan’s Hosts, and the default OISD list. Nice!

Edit: See https://discourse.pi-hole.net/t/curious-graph-facebook-com/2178

1 Like

I like Blokada, though others prefer DNS66 (also on fdroid, does the same thing as far as I know).

I find Facebook a lot of places, especially in email (companies include the logo/tracking pixel on the page).

Have fun tweaking your setup and watching the blocked counter go up an up!

1 Like

This especially irks me.

“Hey, (My)Bank…please poison your messages with Facebook trackers whenever you contact me! Because you care.”

(Actually, I’m not sure if those track anything. I think they’re just links, but in any case I keep remote content disabled in Thunderbird. Because I definitely care! Lol!)

2 Likes

A lot of apps are build with the facebook sdk as that includes all kinds of features to track usage, display ads (and implement facebook specific features if needed).

1 Like