Mobile Surfers Beware

laptop computer on the table with notepad and coffee cup with Ntrepid logo in foam

Share this post

Mobile Surfers Beware

It’s become common knowledge that mobile Internet Service Providers (ISPs) are violating customers’ privacy by adding tracking IDs or permacookies to all unencrypted HTTP traffic. While mitigation steps discussed below exist to combat this, our goal was to explore other non-obvious approaches.

Our experiments (discussed further here) were to attempt invalidating the data sent along by the ISPs, or to halt the sending of such data/headers at all. Our respective approaches were to send packets that already had the HTTP header populated with the appropriate name but with alternate values (i.e. adding a random but valid tracking ID to each packet, thus making the traffic inaccurate and unusable), as well as exploration of ways to get the ISPs’ blackbox technology to stop providing any tracking header at all.

Short of getting our hands on the type of device where this code/logic executes and the respective documentation, which would surely be another viable attack angle, all we could do was fuzz blindly with educated guesses to attempt to alter their behavior.

At least with our initial attempts, we were unsuccessful to both ends. ISPs ignored our spoofed headers, and in the latter experiments we were unable to introduce any additional or altered headers that caused the ISP to not include the tracking header. What we learned aided in our understanding of what is in place, and we think the sharing of the approach and knowledge gained could aid the respective public dialog.

Fortunately, there are proven, though imperfect, methods to avoid this particular tagging by ISPs, which enables tracking by others.

For instance, limiting browsing to SSL sites and resources is one of those methods. However, the problem with this approach is that not all sites are SSL, and requests inside these sites might also not be encrypted.

Additionally, it would be feasible to utilize a trusted anonymous HTTPS proxy that strips these headers. However, this requires a special proxy tuned to remove these headers, and in this case the ISP is still tracking your use, though destination sites would be prevented from seeing such.

Using a trusted VPN is the best approach, as you gain an all-ports, all-protocols tunnel from you to VPN node, while the ISP is in the dark and prevented from seeing/modifying any requests. But, this requires the user to constantly connect to a VPN.