GrapheneOS Default Network Connections

The testing methodology was practically the same as our LineageOS test.

Testing methodology.

  • A computer was used as a hotspot, running both NetworkMiner 2.8 and Wireshark to log all network requests
  • Pixel 5 was installed with the latest version of GrapheneOS (August 2023)
  • Setup was completed without connecting to WiFi or a cellular network
  • There was no SIM card in while installing, setting up, or testing
  • After setup was complete, WiFi was connected to the computer running the Hotspot
  • After a baseline was logged, we turned on GPS

Screenshot of Wireshark with DNS filter.

  • connectivitycheck.grapheneos.network
  • time.grapheneos.org
  • apps.grapheneos.org
  • releases.grapheneos.org

Total bandwidth sent and received for each IP

Some of the IPs are used for different services. For instance, the apps and releases subdomains use the same IP address.

  • connectivitycheck.grapheneos.network and time.grapheneos.org – 25.794 KiB
  • apps.grapheneos.org and releases.grapheneos.org – 39.468 KiB
  • Total – 65.262 KiB

Turning on GPS

After turning on the GPS toggle, there was a DNS query for

qualcomm.psds.grapheneos.org

This downloads the files used to improve GPS speed and accuracy. You can turn this off in Settings -> Location -> Predicted Satellite Data Service (PSDS).

You can also enable/disable Secure User Plane Location (SUPL).

You can read more about PSDS and SUPL on the GrapheneOS website https://grapheneos.org/faq#other-connections

LineageOS Default Network Connections

This was a fairly simple test to see what network connections a fresh LineageOS install on a Google Pixel 5 makes. During the initial setup, GPS was disabled. After we set it up and got a baseline, we turned GPS on to see what DNS requests it made.

Testing methodology.

  • A computer was used as a hotspot, running both NetworkMiner 2.8 and Wireshark to log all network requests
  • Pixel 5 was installed with the latest version of LineageOS 20 (August 2023)
  • Setup was completed without connecting to WiFi or a cellular network
  • There was no SIM card in while installing, setting up, or testing
  • After setup was complete, WiFi was connected to the computer running the Hotspot
  • After a baseline was logged, we turned on GPS
  • GApps were not installed.

Fresh Install Network Requests

After setup was complete, we connected the Pixel 5 to the PC running NetworkMiner and Wireshark. It immediately made a handful of requests to the following 5 domain names:

  1. www.google.com
  2. connectivitycheck.gstatic.com
  3. time.android.com
  4. g.co
  5. firebaseinstallations.googleapis.com

connectivitycheck.gstatic.com is used to detect if the current network has internet and also to detect if there is a captive portal that you need to log into.

time.android.com would be to check the time and make sure it is correct.

Not sure what the extra 3 are used for. It is possible that firebaseinstallations.googleapis.com is used for the Android System Intelligence, or some other app that comes by default on LineageOS.

The following NetworkMiner screenshot shows all the IP addresses that were returned for the DNS queries. Note that a DNS query can return multiple IP addresses for a domain name, and the device then uses only one of those IP addresses to transmit traffic.

A couple of normal network broadcast, multicast, and gateway addresses are blurred out as they are normal for devices on a local network.

Here is a Wireshark screenshot for all the DNS requests.

Total bandwidth sent and received for each IP

Using Wireshark, we were able to get a total amount of data sent and received for each of the domains.

  1. www.google.com – 12.976 KiB
  2. connectivitycheck.gstatic.com – 1.497 KiB
  3. time.android.com – 270 bytes
  4. g.co – 21.883 KiB
  5. firebaseinstallations.googleapis.com – 16.225 KiB
  6. Total for Pixel 5 – 52.851 KiB
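
Both tests above get their per-domain totals by matching the addresses in the DNS answers to the per-IP byte counts. The following Python is an added example, not part of the original posts, that does the same grouping and also flags traffic to addresses that no DNS query returned, which a DNS-only filter would miss. All hostnames, addresses and byte counts in it are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (documentation IP ranges, made-up byte counts).
# DNS answers as (queried name, returned address); one name may return several
# addresses and several names may return the same address.
DNS_ANSWERS = [
    ("connectivity.example.org", "192.0.2.10"),
    ("time.example.org", "192.0.2.10"),
    ("apps.example.org", "192.0.2.20"),
    ("apps.example.org", "192.0.2.21"),
    ("releases.example.org", "192.0.2.20"),
]
# Per-address totals as (remote address, bytes sent + received).
IP_BYTES = [
    ("192.0.2.10", 1200),
    ("192.0.2.20", 40000),
    ("198.51.100.7", 512),  # never appeared in a DNS answer
]

def attribute_traffic(dns_answers, ip_bytes):
    """Group per-IP byte totals by the set of names that resolved to each IP.

    Returns (totals, unused). totals maps a sorted tuple of names to bytes;
    the key ("<no DNS answer>",) collects traffic to addresses that no query
    returned. unused lists resolved addresses that carried no traffic.
    """
    names_for_ip = defaultdict(set)
    for name, ip in dns_answers:
        names_for_ip[ip].add(name.lower().rstrip("."))
    totals = defaultdict(int)
    seen = set()
    for ip, nbytes in ip_bytes:
        seen.add(ip)
        key = tuple(sorted(names_for_ip.get(ip, {"<no DNS answer>"})))
        totals[key] += nbytes
    unused = sorted(set(names_for_ip) - seen)
    return dict(totals), unused

def kib(nbytes):
    """Convert a byte count to KiB, rounded like the figures in the lists."""
    return round(nbytes / 1024, 3)

if __name__ == "__main__":
    totals, unused = attribute_traffic(DNS_ANSWERS, IP_BYTES)
    for names, nbytes in sorted(totals.items()):
        print(f"{' and '.join(names)} - {kib(nbytes)} KiB")
    print("resolved but unused:", unused)
```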

Turning on GPS

Turning on GPS immediately led to a connection to xtrapath5.xboxprod.izatcloud.net.

The four lines are just different IPs for the same domain.

From the Location settings, we can toggle on or off the “Use assisted GPS”.

The settings say the following about Assisted GPS: “Download satellite assistance data from the internet which can greatly improve the GPS startup performance. For emergency calls, assisted GPS is always allowed.”

Essentially, it will download some files that help your phone find satellites faster, which will get you a faster GPS lock. Without it, it can take a while to find your position.

During the initial setup (First screenshot below), you can toggle on/off Assisted GPS. By default, Android System Intelligence and the Browser are allowed to use Location.

Hopefully that is a helpful overview of the default LineageOS network connections and what some of them are used for.

How to Bubble and Unbubble Conversations on Android

How to Bubble a conversation

Make sure Bubbles is on in the system settings. When you receive a message that supports bubbles, there should be a little button on the notification. Tap it to pop the message out into a bubble.

How to Unbubble a conversation

Unbubbling a conversation uses the exact same steps. When you receive a notification, tap the unbubble button. That conversation will no longer bubble.

The acropalypse Vulnerability

First, what is acropalypse?

Acropalypse is a vulnerability in Google’s markup editor (and Windows Snipping Tool). It allows an attacker to recover parts of a cropped or marked up image.

https://en.wikipedia.org/wiki/ACropalypse

There are a couple specific steps you have to follow for the bug to happen.

  1. Take a screenshot
  2. Save screenshot
  3. Crop or markup screenshot in Google Markup or the Windows Snipping Tool
  4. Save screenshot with the same name as original screenshot

The bug is that when you save the cropped screenshot with the same name, it overwrites the original file, but the markup tools do not resize or truncate the file. This means there is extra data left in the screenshot file.

For example in the following two screenshots, notice the size and dimensions

Here is the first screenshot

The second screenshot shows smaller dimensions because it was cropped, but the size is still the same.

Am I affected?

Potentially. Most images are reprocessed if they are being uploaded to a web service. Discord only started doing that in January. So if you have images on Discord before then, you may want to look into that.

You also have to specifically overwrite the original screenshot image. If you don’t normally save the image first you may be fine. Never hurts to check though.

https://acropalypse.app/

Is macOS or iOS affected?

macOS, and so presumably iOS, appear to properly resize the image after cropping has taken place. That would lead me to suspect that iOS and macOS devices are not vulnerable to a variant of acropalypse.

Twitter Post about acropalypse.

Using ADB to Pull APKs off Device

ADB Help for pull and shell

It is sometimes helpful to pull an APK from a working device so you can install it on a different device. These commands should work on an emulator, phone, tablet, or other Android device. You just need to be able to connect with ADB.

  • Connect to device with ADB
  • View installed apps
  • Find path for APK
  • Pull/Download APK

View Installed Apps

This will display a list of all the installed packages.

adb shell pm list packages 

Find path for specific App/APK

Replace com.android.apk with the app of interest.

adb shell pm path com.android.apk

Pull APK to local machine

Pull/Download the APK of interest to your local machine with the following command. Change the path “/data/app/…” to the path returned from the previous command.

adb pull /data/app/info/base.apk

You can view the following link for more information.

https://stackoverflow.com/questions/4032960/how-do-i-get-an-apk-file-from-an-android-device

Advanced Tricks

What if you need to get an APK off a secondary profile, or would like to download all the APKs off a system? And what about split APKs?

Multiple User Profiles

Run the following command to list the users.

adb shell pm list users

Example return

Users:
        UserInfo{0:User:a41} running
        UserInfo{11:User:439} running

In this case, our second user id is 11. To get a list of APKs installed for our second user, we would specify the --user option

adb shell pm list packages --user 11

To get the path for the app we would run it with

adb shell pm path --user 11 com.android.apk

Split APKs

Split APKs can be slightly more difficult to manage, mainly due to the fact that there are multiple APKs to keep track of.

When you run the “pm path” command, it should return multiple APKs. Use the pull command like normal, but download each APK.

You’ll need to use a split APK installer to install all the APKs.

PowerShell script for Pulling/Downloading all APKs on Device

The following PowerShell script will download all APKs for a specific user and put them in their own folders.

  • Copy the contents to a .ps1 file
  • Enable ps1 execution policy if not already enabled
  • Run PowerShell script.

This script will pull all the APKs off of a device and put them in the current folder.
It will also download split APKs.

# adbapkbackup uses adb to get a list of all the APKs you have on a phone, then
# creates a folder for each app and downloads the APKs for that app.

# Copy and save this code as a .ps1 file.

# Enable .ps1 scripts to run on your computer by launching an Admin prompt and running
# Set-ExecutionPolicy RemoteSigned

# Set $userId to the id of the profile to back up (0 is the primary user).
# List the ids with: adb shell pm list users
$userId = 15

adb shell pm list packages --user $userId > apklist.txt

$apks = (Get-Content .\apklist.txt) -replace 'package:', ''

ForEach ($apk in $apks) {
    if (-not $apk) { continue }   # skip blank lines in the package list
    echo "APK is $apk"
    New-Item -ItemType Directory -Force -Path $apk | Out-Null
    # pm path returns one "package:<path>" line per APK (several for split APKs).
    # Trim() removes the trailing carriage return adb can leave on each line.
    $filepaths = adb shell pm path --user $userId $apk | % { $_.Replace("package:", "").Trim() }
    ForEach ($lapk in $filepaths) {
        echo "pulling $lapk $apk"
        adb pull $lapk $apk
    }
}

no permissions (user in plugdev group; are your udev rules wrong?)

While trying to use ADB on a Linux Computer, I received the following error from “adb devices”

no permissions (user in plugdev group; are your udev rules wrong?);

Not exactly sure what causes the above error, but the information in the following Stack Exchange link was helpful.

https://stackoverflow.com/questions/53887322/adb-devices-no-permissions-user-in-plugdev-group-are-your-udev-rules-wrong

I was able to get around the issue by putting the USB option to “File Transfer Mode” from the notifications menu

How to Restore Pixel to Factory Image

Restoring a Pixel to the factory image is a pretty straightforward operation if you are familiar with fastboot and adb. This guide assumes you have fastboot already installed and set up in your user path. If not, you can refer to the following link for more information.

WARNING – THESE STEPS WILL DELETE ALL USER DATA OFF THE DEVICE.

https://developers.google.com/android/images#instructions

1. Download OTA Image

Go to the following link and download the Factory Image for your device

https://developers.google.com/android/images

Extract the file and then open a terminal or command prompt in that directory.

2. Boot up Pixel in recovery

You can do this with “adb reboot recovery” or with the volume key to boot into the Android boot menu.

3. Flash Image

On Windows you can flash the firmware with

flash-all.bat

Or on Linux

./flash-all.sh

It should take a couple of minutes to complete.

Next, we can lock the bootloader with

fastboot flashing lock

You will need to confirm the lock on your phone.

Android Button – Remove Shadow and Border from Button with Image on it

We can remove the border and shadows from a button by adding the following style code in your activity_main.xml file, or whatever your XML file is.

style="?android:attr/borderlessButtonStyle"

Code for button. We are setting an image as the background.

  <Button
        android:id="@+id/button"
        style="?android:attr/borderlessButtonStyle"
        android:layout_width="48dp"
        android:layout_height="48dp"
        android:background="@drawable/gear"
        android:onClick="launchSettings"
        android:textSize="12sp"/>

Comparison of buttons. The one on the left still has the shadow on it.

Difference between border and borderless buttons

More info here

https://stackoverflow.com/questions/28756035/how-to-remove-button-shadow-android
https://stackoverflow.com/questions/27867284/remove-shadow-effect-on-android-button/30856094

Getting Android WiFi state in Kotlin

In Kotlin, you can check whether the WiFi adapter is on or off with the following code.
This changes the text on a textbox; replace it with your own textbox.

// Needs imports: android.content.Context, android.net.wifi.WifiManager
val wifiManager = this.applicationContext.getSystemService(Context.WIFI_SERVICE) as WifiManager
textBox.text = "WiFi State = ${wifiManager.wifiState}"

The important part is

wifiManager.wifiState

It will return a number from 0-4 which indicates if it is on or off.

0 = WiFi is being disabled
1 = WiFi Disabled
2 = WiFi is being enabled
3 = WiFi is Enabled
4 = Error

https://developer.android.com/reference/kotlin/android/net/wifi/WifiManager#WIFI_STATE_DISABLED:kotlin.Int