OS Fingerprinting for Android
Are traditional OS-fingerprinting techniques effective in identifying Android smartphones (OS version) on a network? From my research I found that most Android network mappers can only be run from Android platforms, and tools such as nmap are unsuccessful.
- Android 1.5 Cupcake: Linux kernel 2.6.27
- Android 1.6 Donut: Linux kernel 2.6.29
What are the best ways of identifying a smartphone or any other WiFi-enabled smart device on a network? Secondly, how can I differentiate between smart devices and actual physical machines (servers/desktops)?
From a passive OS fingerprinting standpoint you have two main ways to differentiate the Android OS while it is on a WiFi network.

1. Use the User-Agent of the web client, as noted in another answer. This is fairly straightforward on earlier versions to get the exact version. As you got into the 2.0 and later ones you could also use the name, such as ECLAIR, FROYO, GINGERBREAD, etc.

2. If you can pick up on their DHCP traffic you can utilize this to tell the difference between some versions, but not all. Some utilize the same basic fingerprint (1.5-2.1 for example). In some cases you can differentiate between brands of devices running Android, as the underlying system appears to have been tweaked to request specifics for their system.
Both of these fingerprinting techniques are done by Satori (http://chatteronthewire.org).
While Android is the “official” OS on the device, the underlying OS on all Android phones is Linux. It’s also the most popular Linux OS currently in use on smartphones. So if you see a phone that gets identified as running Linux, then it’s probably Android.
The catch is that Android phones typically have NO network listening ports open at all, unless there’s an app running that does. So a portscan will reveal nothing.
Instead, you’d have to intercept any device-initiated traffic and watch for any clues, such as the User-Agent on an unencrypted web request.
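The two passive techniques from the first answer (User-Agent and DHCP fingerprinting) and the "no listening ports, so watch device-initiated traffic" point from the second answer, as an added worked example that is not part of either answer and not Satori's code. The User-Agent string, the DHCP option bytes and the signature table are all constructed for this example; the version-to-codename map covers only the early releases the thread mentions, and the DHCP signature table is an illustrative stand-in for a real database such as Satori's, not a copy of it.

```python
"""Passive fingerprinting of Android hosts from traffic they initiate:
HTTP User-Agent strings and the option field of DHCP requests."""
import re
from typing import Optional

# Public Android release codenames for the versions discussed in the thread.
ANDROID_CODENAMES = {
    "1.5": "CUPCAKE", "1.6": "DONUT", "2.0": "ECLAIR", "2.1": "ECLAIR",
    "2.2": "FROYO", "2.3": "GINGERBREAD",
}
# "Android 2.2", "Android 2.1-update1", "Android 2.3.4" all yield the major.minor pair.
UA_VERSION_RE = re.compile(r"Android (\d+\.\d+)")
UA_BUILD_RE = re.compile(r"Build/([A-Za-z0-9._-]+)")

# Constructed sample User-Agent in the format the Android 2.x browser sent.
SAMPLE_UA = ("Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF91) "
             "AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1")


def fingerprint_user_agent(ua: str) -> Optional[dict]:
    """Return version, codename and build ID for an Android User-Agent, else None."""
    m = UA_VERSION_RE.search(ua)
    if not m:
        return None
    version = m.group(1)
    build = UA_BUILD_RE.search(ua)
    return {"os": "Android", "version": version,
            "codename": ANDROID_CODENAMES.get(version),
            "build": build.group(1) if build else None}


DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie that precedes the options


def parse_dhcp_options(options: bytes) -> dict:
    """Parse the DHCP TLV option field (starting at the magic cookie) into {code: value}.
    Pad (0) is skipped, End (255) stops parsing, truncated options raise ValueError."""
    if not options.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(DHCP_MAGIC)
    while i < len(options):
        code = options[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def dhcp_fingerprint(options: bytes) -> dict:
    """Extract the fields DHCP fingerprinters key on: option 55 (parameter request
    list, as a comma-separated string), option 60 (vendor class) and option 12 (hostname)."""
    opts = parse_dhcp_options(options)
    return {"param_request_list": ",".join(str(b) for b in opts.get(55, b"")),
            "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
            "hostname": opts.get(12, b"").decode("ascii", "replace")}


# Illustrative signature table constructed for this example (not Satori's database):
# (parameter request list, vendor-class prefix, label).
DHCP_SIGNATURES = [
    ("1,3,6,15,28,51,58,59", "dhcpcd", "Android (dhcpcd client)"),
]


def match_dhcp_signature(fp: dict) -> Optional[str]:
    for prl, vendor_prefix, label in DHCP_SIGNATURES:
        if fp["param_request_list"] == prl and fp["vendor_class"].startswith(vendor_prefix):
            return label
    return None


def _opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


# Constructed DHCPREQUEST option field: message type, hostname, parameter request list,
# a pad byte, vendor class, end marker.
SAMPLE_DHCP_REQUEST = (DHCP_MAGIC + _opt(53, b"\x03") + _opt(12, b"android-1a2b")
                       + _opt(55, bytes([1, 3, 6, 15, 28, 51, 58, 59])) + b"\x00"
                       + _opt(60, b"dhcpcd 4.0.15") + b"\xff")


def classify_host(user_agent: Optional[str] = None, dhcp_options: Optional[bytes] = None,
                  listening_ports=()) -> str:
    """Combine the clues: a matching User-Agent or DHCP fingerprint marks a phone, while
    listening ports (which Android normally has none of) point at a server or desktop."""
    ua = fingerprint_user_agent(user_agent) if user_agent else None
    if ua:
        codename = f" ({ua['codename']})" if ua["codename"] else ""
        return f"smartphone: Android {ua['version']}{codename}"
    dhcp = match_dhcp_signature(dhcp_fingerprint(dhcp_options)) if dhcp_options else None
    if dhcp:
        return f"smartphone: {dhcp}"
    if listening_ports:
        return "server/desktop: listening on " + ",".join(str(p) for p in listening_ports)
    return "unknown"


if __name__ == "__main__":
    print(fingerprint_user_agent(SAMPLE_UA))
    print(dhcp_fingerprint(SAMPLE_DHCP_REQUEST))
    print(classify_host(dhcp_options=SAMPLE_DHCP_REQUEST))
```

The parser deliberately refuses truncated options rather than guessing, since a fingerprint built from a partially parsed option 55 would silently mismatch every signature. Feeding it real traffic only needs the options field of each DHCPREQUEST/DHCPDISCOVER (bytes 240 onward of the UDP payload); note that the User-Agent check is limited to plaintext HTTP, so on a network where the phone only talks TLS the DHCP fingerprint is what remains.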