Is TCP packet filtering possible on mobile platforms?

I'm interested in having my mobile app run in the background and filter TCP packets.

I know I'll face restrictions due to sandboxing, each OS's privilege levels and how iOS handles background tasks, so I want to confirm if it's possible to do it on iOS and Android.

Do Android and iOS allow you to analyze and modify packets going through TCP ports? If it's possible, how? Could I do it while my app remains in the background?

lisovaccaro asked Nov 24 '14 14:11


2 Answers

iOS

I don't think it is possible on iOS.

I didn't find a public API for network monitoring/packet filtering. There is a possibility that such an API exists but it's hidden. But in that case, the Apple App Store review guidelines state:

2.5 Apps that use non-public APIs will be rejected

If you need one specific quote to show that it is not possible, you can use this:

iOS does not support packet tracing directly. However, if you connect your iOS device to a Mac via USB...

from the official Apple Technical Q&A QA1176.

Alternatives

The next best thing is to configure a proxy server manually in Settings and then filter the traffic on the server side. Running the proxy locally, on the device, is not an option because of limitations of iOS background tasks:

2.16 Multitasking Apps may only use background services for their intended purposes: VoIP, audio playback, location, task completion, local notifications, etc.

Also, this post suggests it might be possible to set up a VPN connection programmatically on iOS 8. It would also require sending the traffic of the device, and I'm not sure about the compliance of this method with the guidelines.

Non-alternatives

Some apps provide functionality for measuring the network traffic. But they use a dedicated API for network statistics: iPhone Data Usage Tracking/Monitoring.

There are also ways to packet trace on iOS via USB cable described here.

Android

On Android you can configure the device to use your app as a VPN service. But:

  • It requires you to display a dialog describing the consequences of giving a permission to act as a VPN.
  • You have to show a persistent notification while the VPN is active. An example of an app that does this is tPacketCapture.

To ask for user permission, you call VpnService.prepare:

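public void onClick(View v) {
    // prepare() returns an Intent for the system consent dialog,
    // or null if the user has already granted VPN permission to this app.
    Intent intent = VpnService.prepare(getApplicationContext());
    if (intent != null) {
        startActivityForResult(intent, 0);
    } else {
        // Already authorized: go straight to the result handler.
        onActivityResult(0, RESULT_OK, null);
    }
}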

and handle the result, starting your VpnService.

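@Override
protected void onActivityResult(int requestCode, int resultCode, Intent data) {
    // Request code 0 is the one passed to startActivityForResult() above.
    // Start the VPN only if the user accepted the consent dialog.
    if (requestCode == 0 && resultCode == RESULT_OK) {
        Intent intent = new Intent(this, MyVpnService.class);
        startService(intent);
    }
}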

Your VpnService has to implement public int onStartCommand(). The service is treated as a foreground service and should not get killed by the OS.

This question: Android VpnService to capture packets won't capture packets and its comments shed some light on the packet handling itself.

atok answered Oct 19 '22 10:10
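To illustrate the packet handling the answer above leaves to a linked question, here is an added sketch (not code from the answer or from any app it names) of a MyVpnService that reads outgoing packets from the TUN interface and classifies IPv4/TCP packets by destination port. The tunnel address, session name, blocked port and log tag are constructed for the example, and it assumes API 21+ and a manifest entry declaring the service with android.permission.BIND_VPN_SERVICE.

```java
import android.content.Intent;
import android.net.VpnService;
import android.os.ParcelFileDescriptor;
import android.util.Log;
import java.io.FileInputStream;
import java.io.IOException;

// Added sketch: class name matches the answer's MyVpnService; addresses and policy are constructed.
public class MyVpnService extends VpnService implements Runnable {
    private static final int BLOCKED_PORT = 23; // constructed policy: flag telnet
    private ParcelFileDescriptor tun;

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        tun = new Builder().setSession("filter")
                .addAddress("10.0.0.2", 32)   // placeholder tunnel address
                .addRoute("0.0.0.0", 0)       // capture all IPv4 traffic
                .setBlocking(true)            // API 21+: read() blocks until a packet arrives
                .establish();
        if (tun == null) { stopSelf(); return START_NOT_STICKY; } // app not prepared as VPN
        new Thread(this, "tun-reader").start();
        return START_STICKY;
    }

    /** TCP destination port, or -1 if this is not a parseable IPv4/TCP packet. */
    static int tcpDestPort(byte[] p, int len) {
        if (len < 20 || (p[0] & 0xF0) != 0x40) return -1;      // too short or not IPv4
        int ihl = (p[0] & 0x0F) * 4;                           // IPv4 header length in bytes
        if (ihl < 20 || len < ihl + 20) return -1;             // bad IHL or truncated TCP header
        if ((p[9] & 0xFF) != 6) return -1;                     // protocol 6 = TCP
        if ((((p[6] & 0x1F) << 8) | (p[7] & 0xFF)) != 0) return -1; // later fragment, no ports
        return ((p[ihl + 2] & 0xFF) << 8) | (p[ihl + 3] & 0xFF);
    }

    @Override
    public void run() {
        byte[] packet = new byte[32767];
        try (FileInputStream in = new FileInputStream(tun.getFileDescriptor())) {
            int len;
            while ((len = in.read(packet)) >= 0) {             // one read returns one IP packet
                int port = tcpDestPort(packet, len);
                if (port == BLOCKED_PORT) Log.i("MyVpnService", "would drop tcp/" + port);
                // Nothing is forwarded here: relaying needs protect()ed sockets or a user-space stack.
            }
        } catch (IOException e) {
            Log.w("MyVpnService", "tun read ended", e);
        }
    }
}
```

Because the sketch never writes packets back out, every connection routed into the tunnel stalls while it runs; a real filter has to relay the traffic it allows.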


This answer is for Android only

Generally YES it is possible!
There are some problems though.

Here is a list of what works and what problems you will encounter.

Filtering via VPN Service

  • Very High impact on Battery
  • Proxy support won't work
  • Allows modifying of traffic

Filtering via libpcap

  • Requires root
  • Does not allow to modify traffic

Filtering with IPTables/PFTables/libnetfilter

  • Requires root
  • Needs a kernel module
  • Won't work on any device where you don't have the kernel source or it is not integrated

Filtering using Xposed Framework

  • Requires root
  • Will only work with Dalvik Systems
  • Won't work with applications built with the NDK

Filtering with Cydia Substrate

  • Requires root
  • Will only work with Dalvik Systems
  • Currently in Beta state

So yes, it is possible, but at what cost?
If you need it just for yourself, you are good by using Cydia Substrate as it supports 100% of applications, but it requires a Dalvik system.

If you want to publish it to the Store you should use the VPN Service. It might be possible to create the service using the NDK, then you might have lowered the battery problems.

I hope I have helped you in some way.

Eun answered Oct 19 '22 09:10