Android Riddle

Here is a riddle: based on application logs, you find that the Android application you are testing is running an HTTP server. It listens on a socket and responds to requests over HTTP, and you can see both the requests and the responses in the logs. Strangely, when you check for listening ports from an adb shell, you find nothing. When you try to sniff the application's traffic with tcpdump, you find nothing. When you decompile the app, you find HTTP request handlers, response header construction and so on, so you are confident that the application is running an HTTP server. What do you think is going on?

<Scroll down for answer>

:

:

:

:

:

:

:

:

:

:

:

It took me a while to figure this out. The HTTP server was not running on TCP sockets; it was running on Unix domain sockets. Two things were not obvious:

  1. Android supports Unix domain sockets. The classes are unintuitively named LocalServerSocket (server) and LocalSocket (client).
  2. You can run an HTTP server on top of domain sockets.

A few quick notes:

  1. On Android, abstract domain sockets can be found in /proc/net/unix.
  2. To send requests, socat seems to be the easiest way, rather than writing an Android app. There are cross-compiled versions of socat for Android out there.
  3. You can authenticate the client: the getPeerCredentials method returns the UID of the caller, which can then be verified.
  4. This paper on Android domain sockets is handy:

http://www.cs.ucr.edu/~zhiyunq/pub/ccs16_local_socket.pdf
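To make the answer and notes 1 and 3 concrete, here is an added example of an HTTP server on an abstract Unix domain socket using LocalServerSocket and LocalSocket, with the getPeerCredentials UID check in place. It is not the riddle application's code; the socket name "riddle-http" and the decision to trust only the app's own UID are assumptions for the example.

```java
import android.net.LocalServerSocket;
import android.net.LocalSocket;
import android.os.Process;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;

// Added example: a tiny HTTP server on an abstract Unix domain socket (name is hypothetical).
// Abstract sockets never touch the filesystem, so nothing shows in netstat or tcpdump;
// the only trace is a line with a leading '@' in /proc/net/unix.
public class LocalHttpServer {
    private final LocalServerSocket server;
    public LocalHttpServer() throws IOException {
        server = new LocalServerSocket("riddle-http"); // abstract namespace by default
    }
    public void serve() {
        while (!Thread.currentThread().isInterrupted()) {
            try (LocalSocket client = server.accept()) {
                handle(client);
            } catch (IOException e) {
                // one bad client must not take the server down; keep accepting
            }
        }
    }
    private void handle(LocalSocket client) throws IOException {
        // No filesystem permissions guard an abstract socket: any app on the device can
        // connect, so check the caller's UID before parsing anything it sends.
        int callerUid = client.getPeerCredentials().getUid();
        if (callerUid != Process.myUid()) { // assumption: only this app's own UID is trusted
            send(client, "403 Forbidden", "forbidden\n");
            return;
        }
        BufferedReader in = new BufferedReader(
                new InputStreamReader(client.getInputStream(), StandardCharsets.US_ASCII));
        String requestLine = in.readLine(); // e.g. "GET /status HTTP/1.1"
        for (String h = in.readLine(); h != null && !h.isEmpty(); h = in.readLine()) { } // skip headers
        boolean ok = "GET /status HTTP/1.1".equals(requestLine);
        send(client, ok ? "200 OK" : "404 Not Found", ok ? "ok\n" : "not found\n");
    }
    private static void send(LocalSocket client, String status, String body) throws IOException {
        byte[] payload = body.getBytes(StandardCharsets.US_ASCII);
        OutputStream out = client.getOutputStream();
        out.write(("HTTP/1.1 " + status + "\r\nContent-Type: text/plain\r\nContent-Length: "
                + payload.length + "\r\nConnection: close\r\n\r\n").getBytes(StandardCharsets.US_ASCII));
        out.write(payload);
        out.flush();
    }
}
```

With the server running, `grep riddle-http /proc/net/unix` from an adb shell shows the listener with a leading `@`, and `printf 'GET /status HTTP/1.1\r\n\r\n' | socat - ABSTRACT-CONNECT:riddle-http` exercises it; because the shell user has a different UID from the app, that request lands in the 403 branch, which is exactly the check note 3 describes.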