WhisperMonitor is a new software firewall and dynamic egress filtering tool from WhisperSystems. It comes pre-installed with the latest beta release of WhisperCore. The software lets you decide which outgoing connections to allow and deny as they happen, and create rules that permit specific apps to connect to the ports and addresses you want. Stuart Anderson, co-founder of WhisperSystems — who developed the software — gave us a demonstration of the major features of WhisperMonitor and answered a few questions about the software.

Because it depends on modifications to the Android OS that exist only in WhisperCore, WhisperMonitor is only available bundled with that product. To install WhisperCore, visit http://www.whispersys.com/whispercore.html and download the installer for your operating system (Windows, OSX, or Linux) and device (only Nexus S or Nexus One at this time) to your computer. When run, the installer will ask you to connect your phone, and will then install WhisperCore to the device.

According to Anderson, whenever an Android phone makes an outgoing connection, WhisperMonitor displays a dialog box that tells you which app is trying to connect, what server it’s connecting to, and the port on which it’s connecting. By default, clicking ‘allow’ or ‘deny’ will affect only the current connection attempt. Using the two dropdown menus you can configure a rule that lasts until the phone is rebooted, or lasts until you manually delete the rule. You can also generalize the rule to apply to all outgoing connections from this app, or to connections to a particular server or port. For example, you might want to allow the Browser app to connect to any server on port 80, while restricting apps that don’t actually need network connectivity from connecting to any server.


Allowing a connection in WhisperMonitor


Connection location options


Connection duration options

Because Android is a multitasking operating system, Anderson added, it’s possible for processes running in the background, or the OS itself, to make an outgoing connection at any time. If you’re using a different app when this happens, you may prefer not to configure a rule for the event immediately. In this case, the ‘back’ arrow will move the dialog box to the notification bar, where a new alert icon is displayed to remind you that there is a pending outgoing connection.


Note the blue WhisperMonitor alert in the upper left corner

You can select the blue alert icon at any time to finish configuring the rule. The outgoing connection request will remain pending until you do so.

You can access the WhisperMonitor app itself from the notification bar, or from the main launcher. The app lets you review and modify the rules you’ve configured, and review a log of the outgoing connections that have been permitted and denied. From the “Filter Rules” tab you can expand a list of rules for each app — clicking of these rules will display detailed information about the rule. Long clicking on a rule will bring up a menu that allows you to alter the permanence of a rule, or delete it entirely. If connection tracking is enabled, the “Connection History” tab displays a list of all outgoing connection or connection attempts, clicking on an entry in this list will display additional details about the connection. Connection history logging can be disabled from the settings activity, which is accessed from the menu. The menu also lets you enable or disable WhisperMonitor entirely.


WhisperMonitor Rules Menu


WhisperMonitor Connection History


Changing the rules in WhisperMonitor

Does WhisperMonitor detect traffic sent from apps or just the browser?

WhisperMonitor detects connections from anything and everything, including the Android OS itself and every app on the system.

What are the plans to support additional Android devices?

Right now we only support the Nexus One and Nexus S. We’ll add support for more devices soon.

Want to learn more?? The InfoSec Institute Ethical Hacking course goes in-depth into the techniques used by malicious, black hat hackers with attention getting lectures and hands-on lab exercises. While these hacking skills can be used for malicious purposes, this class teaches you how to use the same hacking techniques to perform a white-hat, ethical hack, on your organization. You leave with the ability to quantitatively assess and measure threats to information assets; and discover where your organization is most vulnerable to black hat hackers. Some features of this course include:

  • Dual Certification - CEH and CPT
  • 5 days of Intensive Hands-On Labs
  • Expert Instruction
  • CTF exercises in the evening
  • Most up-to-date proprietary courseware available

Does the device need to be rooted for this to work?

WhisperMonitor only runs on a device with WhisperCore installed. The WhisperCore installer unlocks the phone and reflashes the Android OS.

What have you detected connecting to with WM that is suspicious? Have you discovered any malware or spyware in any apps?

There’s a lot of curious activity on the phones, but I haven’t gone searching for suspicious apps. Some of the system level processes, like the GPS driver, try to make outgoing connections more often than I’d expected to see. Any app that displays ads is going to be making connections to ad-servers to download ads and send information about the user.