Project

General

Profile

Actions

Bug #787

closed

Unauthorized attempt to access stun.l.google.com and play.google.com

Added by Air Yes 9 months ago. Updated 6 months ago.

Status:
Closed
Priority:
Next Release
Start date:
12/04/2021
Due date:
12/11/2021
% Done:

0%

Estimated time:

Description

Hi all yesterday a well known firewall app registered 2 unauthorized attempts to access 2 google domains by PB v 3.8.1 running on g980f A12 oneui 4 beta 1. I was browsing the web, but nothing close to google. Anybody experienced similar behavior?


Files

Actions #1

Updated by Soren Stoutner 9 months ago

  • Priority changed from 3.x to Next Release

To help troubleshoot the problem and diagnose the root cause, please post the following information.

1. A copy of About > Version from Privacy Browser.
2. A description of the firewall you are using that detected the attempted communication. Logs or screenshots from the firewall would be helpful.
3. A list of all the URLs open in Privacy Browser when this occurred. The most likely explanation is that one of the pages you were visiting attempted to make resources requests to stun.l.google.com and play.google.com, so that needs to be ruled out. For example, if one of the pages you visited displayed an ad for an app on Google Play it would not surprise me if communication attempts were made to these domains.

Updated by Air Yes 9 months ago

1. A copy of About > Version from Privacy Browser:

- See below:

Privacy Browser
Version 3.8.1 (version code 56)

Hardware
Brand: samsung
Manufacturer: samsung
Model: SM-G980F
Device: x1s
Bootloader: G980FXXUCZUK1
Radio: G980FXXUCZUK1,G980FXXUCZUK1

Software
Android: 12 (API 31)
Security Patch: 2021-11-01
Build: SP1A.210812.016.G980FXXUCZUK1
WebView Provider: com.google.android.webview
WebView Version: 93.0.4577.82
Orbot: 16.4.0-RC-2a-tor-0.4.4.6

Memory Usage
App Consumed Memory: 14.05 MiB
App Available Memory: 6.05 MiB
App Total Memory: 20.10 MiB
App Maximum Memory: 256.00 MiB
System Consumed Memory: 4,402.20 MiB
System Available Memory: 3,042.43 MiB
System Total Memory: 7,444.63 MiB

Blocklists
EasyList: 202106261237
EasyPrivacy: 202106261237
Fanboy’s Annoyance List: 202106262100
Fanboy’s Social Blocking List: 202106261237
UltraList: 1
UltraPrivacy: 2

Package Signature
Issuer DN: CN=FDroid, OU=FDroid, O=fdroid.org, L=ORG, ST=ORG, C=UK
Subject DN: CN=FDroid, OU=FDroid, O=fdroid.org, L=ORG, ST=ORG, C=UK
Start Date: 17 Apr 2016 04:14:13 GMT-04:00
End Date: 3 Sept 2043 03:14:13 GMT-05:00
Certificate Version: 3
Serial Number: 166629308
Signature Algorithm: SHA256withRSA

2. A description of the firewall you are using that detected the attempted communication. Logs or screenshots from the firewall would be helpful.

- Netguard 2.9.8 Pro proxied to SOCKS5 Orbot.
Screenshots attached

3. A list of all the URLs open in Privacy Browser when this occurred. The most likely explanation is that one of the pages you were visiting attempted to make resources requests to stun.l.google.com and play.google.com, so that needs to be ruled out. For example, if one of the pages you visited displayed an ad for an app on Google Play it would not surprise me if communication attempts were made to these domains.

- Not sure how to aquire the list of URLs for that time frame, let me know how pls.

Even without me interacting with that ad?

On screenshots you can see some system apps trying to access the domains in question too. Is it possible that system apps trigger PB to access google's destination?

Also i saved PB log from then if it helps, but i cannot locate it. Where is the saved log being stored?

Actions #3

Updated by Soren Stoutner 8 months ago

Thanks for the additional info.

WebView Version: 93.0.4577.82

That is a pretty old version of WebView. 96.0.4664.45 is currently out. Before doing anything else, I would try updating your WebView and see if the problem persists.

Even without me interacting with that ad?

Yes, ads tend to load a number of resources without any interaction. Note that I wouldn't be surprised that an ad is loading a play.google.com URL, but I would be a little more surprised to see it load stun.l.google.com. However, it isn't impossible.

On screenshots you can see some system apps trying to access the domains in question too. Is it possible that system apps trigger PB to access google's destination?

That is possible. If that is what is happening, I would like to find some way from stopping it from happening.

Also i saved PB log from then if it helps, but i cannot locate it. Where is the saved log being stored?

That is unlikely to be helpful. For privacy reasons, I specifically do not log any browsing information into the log (although certain WebView errors will log URLs, which is outside of what I can currently control). The log is helpful for troubleshooting crashes, but that doesn't apply to this situation.

The best way to troubleshoot this is to try to narrow down the behavior. For example, if you can detect this behavior when only connecting to a single URL, then I can try to replicate the same behavior on my end. Once I can replicate it I can figure out the root cause and stop it if Privacy Browser is behaving inappropriately. If you can narrow it down to one URL, post it along with any changes you have made to the default settings (like JavaScript) and the contents of Domain Settings for that URL (if applicable). Particularly interesting would be if you have disabled any of the blocklists for that URL. You might also want to update to the just-released Privacy Browser 3.9 which ships with updated blocklists. If the root causes is that the website (or an ad on the website) is instructing Privacy Browser to make those requests, you should see them show up in the Requests activity. If it is something that WebView is doing outside of instructions from the website, then it will probably not appear in the Requests activity.

Actions #4

Updated by Soren Stoutner 8 months ago

  • Status changed from New to In Progress

Reviewing the screenshots, Screenshot_20211205-141956_NetGuard.jpg stands out to me because the calls to stun.l.google.com comes after a dns lookup to one.one.one.one, which comes after a DNS lookup to dns9.quad9.net, which comes after a call to ipleak.net. stun.l.google.com can be used for lots of different things (https://en.wikipedia.org/wiki/STUN), but one of them can be to attempt to reveal your true IP address. As ipleak.net runs tests to see if websites can leak your real IP address, it wouldn't surprise me that they are using stun.l.google.com as part of those tests.

I don't know if that is what is going on here, but it is one possibility.

Actions #5

Updated by Air Yes 8 months ago

In screenshot below are setting dor DNS in Netguard.

Regarding ipleaks.net I do use it from time to time when changing some settings. But in this case ipleaks was reached out 30 min later, and actually i went to ipleaks.net after i saw those stun.l.google.com queries in the log.

The webview is my main concern in this case too. This version came with the undate to A12 oneui 4 beta 1. I know there is a 96x version out, just thought since most recent os update came with 93x it should be ok. I will update tbe webview and keep monitoring following your instructions.

While using PB for months on g950f on A9 Pie i have never experience such events.

Actions #6

Updated by Air Yes 8 months ago

Ok, i can confirm now that stun.l.google.com was accessed because I visited browserleakscom. I reproduced this separately and observed same behavior. stun.l.google.com is out of question.

Actions #7

Updated by Soren Stoutner 8 months ago

That is good to know.

Are you still experiencing unexplained access attempts to play.google.com?

Actions #8

Updated by Soren Stoutner 8 months ago

  • Assignee changed from Air Yes to Soren Stoutner
Actions #9

Updated by Soren Stoutner 6 months ago

  • Tracker changed from Feature to Bug
  • Status changed from In Progress to Closed

I am going to close this bug report as there have been no further updates from the submitter. If anyone has further information to add please do so and I will reopen the bug report.

Actions

Also available in: Atom PDF