------

Persistent Connection Demo February 19, 2012
------

 

Clicking on a picture should allow you to see the (too big) full-size version...

 

The easiest way to navigate this demo is probably to keep clicking the Next links when ready to go to the next picture. Or just use the scroll bar.

 



Important notes:

"File Expert" is undergoing constant updates, and details of some behaviour may differ from platform to platform.

Over time, there seem to have been occasions when "File Expert" would actually terminate when you select "Exit".

If you find that to be the case, the persistent connection phenomenon can still be created by using the "house" hotkey.

If you enter setup within "File Expert" and then leave via the "house" hotkey, it seemed (at one time, anyway) to leave "File Expert" running with no indicator in the Status Bar, similar to the old behaviour.

Change logs at http://www.xageek.com/en/Product.html do not note any changes regarding this behaviour. One would expect them to have some incentive to avoid leaving persistent connections. One might also expect that they would not want to advertize whether they leave persistent connections, or have ever done so.

It's also possible some of the changes in behaviour occur because of operating systems changes and not changes to "File Expert" per se.

It is interesting that other similar apps ("File Manager", stock "Files", "AndSMB") still remain running on "Exit" (if you check the "Running Apps" page), but that they appear to timeout SMB connections with a shortish timeout (order of a minute) as opposed to "File Expert" which appears to either have no timeout, or a timeout greater than 20 minutes. (Actually my record using "File Expert" is a 40 minute connection).

Indeed, I had assumed I'd finish the one demo, and then quickly run through with other apps indicating that they could exhibit the same behaviour. But, in fact, that is not the case.





Previous...    Next

Persistent Connections; Or How Your Computer Can Leave False Indicators

Suppose you connect to a fileserver to which you should really not have connected, and see nothing because there was nothing to see. This demo illustrates how doing that can cause your Android device to leave a connection open for much longer than you were actually doing anything with the fileserver.

Someone casually perusing the resulting logs may incorrectly assume that the lengthy connection corresponded to activity on your part. Or intrusion detection software could give messages making a similar false implication.

In fact, using the "File Expert" tool, you do not even need to open the connection; the scanning operation itself apparently opens a full (idle) connection.

Note: At the time of writing, this obscure feature seemed unique, among the tools I tried, to the "File Expert" Android app.

Photographs have been used rather than screen dumps or session transcripts. Partly because you don't seem to be able to screen dump a non-rooted Android phone, but primarily because these poor-quality photographs would be almost impossible to doctor. The idea of this demo is that, up until such time as the "File Expert" author changes the obscure feature which causes it to keep persistent connections, readers can verify the demo themselves with their own run-through.

Note: following the February 27 update to "File Expert", it appears you may need to use the "house" hotkey to forcibly leave the app running; use that if you find the app does not remain running when you select "Exit". As a refinement, you can enter "Settings" before "Exit", and that appeared avoid the "File Expert" notification icon in the status bar.

Transcript of Server-side session

Transcript ("script") of the complete server-side terminal session is here.

SMB process logs

When I initially did the demo for the photographs, I had not set the log level high enough to accumulate anything useful in the logs. Later I redid similar experiments under a higher log-level, and have logs of some identified client sessions here.





Previousp0667ServerPlus.jpg    Next
[IMG]

This is just setup for the demo on the Ubuntu server running "samba" (large screen).

"sudo" for super-user access (needed for "lsof").

~/bin/setdemoprompt.bash was then source'd to cause command numbers and the current time to appear in the command prompt.

Contents of ~/bin/seesmbctp are shown to indicate how it shows smbd processes and TCP lines which correspond to connections.


   #!/bin/bash -f
   date
   lsof -p `ps -ae | grep smbd | awk '{print $1}' | tr '\n' ',' | sed 's/,$//' \
       |& egrep '/usr/sbin/smbd|TCP'

The "date" command is called to show when each invocation started. "lsof" (list open file descriptors) will then be called on the given list of processes, with "egrep" called to select, from the output, those lines that match "/usr/sbin/smbd" (that is, the binary opened to execute the command; that makes sure each smbd shows up), or "TCP" which indicates TCP connection lines.

Processes selected are "smbd" ("samba") daemons which implement the CIFS filesystem. The processes are grepped from "ps -ae" output, and then the PID is printed. Spaces are changed to commas, and the last comma removed so that the result can be used as an argument to the "-p" option of "lsof".

The Android phone is not in focus, but is at the top level of the Android "File Expert" "Network=>Windows/Samba sharing" screen.



Previousp0668Android.jpg    Next
[IMG]

Shows the detail of that Android screen



Previousp0669Android.jpg    Next
[IMG]

"Search Existing Servers" was selected



Previousp0670Android.jpg    Next
[IMG]

(cheap camera, no tripod, auto-focus leads to bad focus) But this indicates the scanning process continuing.



Previousp0671ServerPlus.jpg    Next
[IMG]

Almost 15:29

This is a very crucial screen. The scanning can be seen to be continuing on the Android (background has dimmed due to user inactivity). The mere process of scanning for and finding the server (at 192.168.2.4) has actually initiated a connection, which connection will persist.

The new connection can be seen at the bottom of the output of the "seesmbtcp" command executed at 15:28:52, Note that the Android phone has been assigned IP address 192.168.2.3 by DHCP. This can actually be seen later in p0677Android.jpg.


   smbd    3669 nobody   26u  IPv6  29544      0t0    TCP xsbook2.local:microsoft-ds->192.168.2.3:58890 (ESTABLISHED)

That indicates that an "smbd" process is running as PID 3669, and has a TCP connection established to IP address 192.168.2.3 (the Android phone). The microsoft-ds service is port 445, or SMB ("samba"). The process 3669 appears to flip between users "nobody" and "root", depending on the permissions it needs. (Its behaviour, of course, is limited by the protocol).



Previousp0672ServerPlus.jpg    Next
[IMG]

The scan continues.



Previousp0673Android.jpg    Next
[IMG]

After the scan has finished, File Expert has now found two new servers; the dummy on the particular Belkin router (192.168.2.1; no disks were attached), and the samba server at 192.168.2.4 which is the server whose screen is shown in the pictures.

(To emulate the behaviour of the following three screens, you may need to use the "house" hotkey to explicitly leave "File Expert" running in the "background"; when the demo was photographed, "Exit" had the behaviour as shown, however).



Previousp0674Android.jpg    Next
[IMG]

The "File Expert" menu and then "More" were selected.



Previousp0675Android.jpg    Next
[IMG]

From "More" "Exit" was selected.



Previousp0676Android.jpg    Next
[IMG]

And we have apparently exited "File Expert". However, "File Expert" is a large Java program, and so, perhaps to avoid startup costs, it is actually left running even after "Exit".

(For a number of days following a software update on February 27, 2012, "Exit" appeared to actually exit, that is terminate the app and therefore the connection. To get similar behaviour, however, you could press the "house" hotkey, second from the left, and explicitly leave "File Expert" running in the "background". But, in fact, behaviour sometimes changes change update-to-update, and the the app later reverted to its old behaviour).



Previousp0677Android.jpg    Next
[IMG]

15:32

Off we go to do other things. Note that the phone's assigned IP address (192.168.2.3) is indicated in the widget near the bottom left-hand corner of this screen.



Previousp0679ServerPlus.jpg    Next
[IMG]

But that shot of the previous screen, together with another refresh of of the smbd connections shows the same connection remains even after the request to "Exit" "File Expert". The fact the PID (process id; 3669) remains the same indicates the connection was maintained; the connection was not dropped and re-initiated.



Previousp0680ServerPlus.jpg    Next
[IMG]

A nice clock, paralleling the on-screen times, as the connection scan is repeatedly refreshed.



Previousp0682ServerPlus.jpg    Next
[IMG]

And so-on.



Previousp0683ServerPlus.jpg    Next
[IMG]

15:38

Let's run the Commodore 64 Emulator. "File Expert" remains running, keeping its established connection open.



Previousp0684ServerPlus.jpg    Next
[IMG]

15:39

More time passes; no more "File Expert" use, but the output of the "~/bin/seesmbctp" command indicates connection remains open.



Previousp0686ServerPlus.jpg    Next
[IMG]

15:47



Previousp0687Android.jpg    Next
[IMG]

Corresponding phone detail.



Previousp0688ServerPlus.jpg    Next
[IMG]

15:48

Home Overview Screen on the Android device. New output of the "~/bin/seesmbctp" command still indicates the same smbd connection remains established.



Previousp0689Android.jpg    Next
[IMG]

15:49

Home Overview Screen phone detail. FWIW.



Previousp0690Android.jpg    Next
[IMG]

15:49

That's a good 20-minute connection which did nothing.

Let's now terminate "File Expert" to demonstrate that the connection does go away if the app is really stopped. It should be noted that, during the experiment, a WiFi hiccup could also have terminated the connection. That did not happen during this photograph session.

Begin procedure to terminate "File Expert" by selecting "Menu", and then "Manage apps".



Previousp0691Android.jpg    Next
[IMG]

Initial "Manage apps" screen.



Previousp0693Android.jpg    Next
[IMG]

Selected "Running", and then scrolled down to "File Expert". If "File Expert" were not running, it would not be listed here. But it is listed.



Previousp0694ServerPlus.jpg    Next
[IMG]

With overhead of photography, it's 15:51 now, and the connection is still open. Phone is beside, ready to select the "File Expert" app.



Previousp0696Android.jpg    Next
[IMG]

"File Expert" has been selected. But no action taken yet.



Previousp0698ServerPlus.jpg    Next
[IMG]

Previous state with server screen. One last view of the open connection.



Previousp0702Android.jpg    Next
[IMG]

15:52

"Force stop" has now been selected for "File Expert", causing it to really terminate (different from the "Exit" action).



Previousp0703ServerPlus.jpg    Next
[IMG]

15:52

"Force stop" on Android, together with server screen showing another update. Note that the "smbd 3669" lines have now gone; that smbd process, and its persistent open connection, have now (finally) terminated over 22 minutes after starting.



Previousp0705ServerPlus.jpg    Next
[IMG]

15:54

Back out of "Manage apps".



Previousp0706Android.jpg
[IMG]

15:55

Phone detail. FWIW.

Ready to cause myself further damage.

End of Demo.



Parenthetical Notes

Other similar applications, even though they similarly do not terminate when "exit" is selected, do not have the same phenomenon of persistent connections.

Examples of these are Android "File Manager" and "AndSMB", and even the "File" app included as stock with the phone.

In many cases their connections will even terminate spontaneously while you are still in the middle of viewing one set of browsing results. That is, they have a short timeout to avoid keeping open unused connections, expecting to reinitiate them if more activity is requested.

"File Expert" will similarly seamlessly reinitiate a connection if it terminates, for example if WiFi hiccups, but it does not actively attempt to timeout unused connections.



Appendix 1: Looking at a Server...

With User Authentication



Previousp0716Android.jpg    Next
[IMG]

(as before) Open "File Expert" and choose "Network".



Previousp0717Android.jpg    Next
[IMG]

(as before) From "Network" choose "Windows/Samba sharing"



Previousp0718Android.jpg    Next
[IMG]

Now choose now known server "192.168.2.4".



Previousp0719Android.jpg    Next
[IMG]

Long press allows selection of "Edit", which can view or change settings.



Previousp0721Android.jpg    Next
[IMG]

A working "User Name" and "Password" will give a different view from "Anonymous".



Previousp0722Android.jpg    Next
[IMG]

If I did not know the "User Name" and "Password" for "arpepper" I would not see the share named "arpepper".

For all these demos I have been connected to a protected WiFi (WPA2) LAN with SSID "LuckyPotato". The password (or Pre-Shared Key) used to allow access to that Lan has no means to confer CIFS (Samba/SMB) credentials.



Previousp0723Android.jpg    Next
[IMG]

Because the device has authenticated with "User Name" "arpepper", home directory files for that user are visible.



Previousp0725Android.jpg    Next
[IMG]

One can browse down and view a jpeg, for example.



Previousp0724Android.jpg    Next
[IMG]

A jpeg for example.

Really perceptive readers might notice that this picture was actually taken before the previous one. I failed to take a picture of the containing directory before the jpeg, but the demo reads more naturally in this order.

Without User Authentication (Anonymous)

If we redo the case with no "User Name" or "Password", but select "Anonymous", then we will see nothing but the mysterious "IPC$" share.



Previousp0727Android.jpg    Next
[IMG]

Select "Anonymous", and then open the server.



Previousp0728Android.jpg    Next
[IMG]

The mysterious "IPC$" share is not really a file share. It never reveals anything.



Previousp0729Android.jpg
[IMG]

The mysterious "IPC$" share cannot be opened.

It is possible to have shares which are anonymously accessible, but not browseable. In this case, the name of the share acts as a password. Without knowing the name beforehand, the share cannot be selected. Furthermore, it appears that "File Expert" itself provides no means to specify such shares, although they can be accessed by, for instance, "AndSMB".

Anonymously browseable shares are strongly discouraged by security experts, let alone shares which are anonymously readable and/or writeable as well as browseable.

Another means of protection would be to restrict access to the shares based on the identity of the machine used (probably inferred by IP address, or possibly MAC address).

End of Appendix 1.




Appendix 2: Our "File Expert" Change Diary...

"File Expert" is under development, and its detailed behaviour can change from update to update. Here we try to keep track of historical changes to the app.

A Motorola MB860 (Atrix) is the Android platform on which we tested the demonstration. Details here might also help people attempting the demonstration on other platforms.

Update February 27, 2012: On this date, it seemed that "File Expert" changed so that it did actually terminate when you select "Exit". The persistent connection phenomenon could still be created by using the "house" hotkey. And, in fact, if you enter setup within "File Expert" and then leave via the "house" hotkey, it seems to leave "File Expert" running with no indicator in the Status Bar, similar to the old behaviour. That's not really as contrived as it sounds, either.

My hope when creating the page was that it would be a demo which people could work through (on networks with appropriate permission, of course) to demonstrate the phenomenon. I had realized that the "File Expert" author would perhaps eventually fix the arguable deficiency. But that seemed to actually happen only about a week after I managed to get my photo session done. I didn't expect it to happen so soon (that is, before I had the commentary ready). It was still (February 28, 2012) the case that a running "File Expert" keeps its SMB/CIFS/"samba" file server connections open longer that other similar apps which appear to time them out relatively quickly.

In fact, however, when I was first made aware of the discrepancy between intrusion detection logging and my actual actions, I had initially assumed I must have used the "house" to exit the application, but was relieved when I started experimenting to discover that "Exit" exhibited the behaviour it did, since it seemed a more natural thing to have done.

March 7, 2012: An update on March 7 to the "File Expert" app seemed to revert the behaviour, and "Exit" could be used to leave the app running, and a connection open. Change logs at http://www.xageek.com/en/Product.html do not note any changes regarding this behaviour. One would expect them to have some incentive to avoid leaving persistent connections. One might also expect that they would not want to advertize whether they leave persistent connections, or have ever done so.

It's also possible some of the changes in behaviour occur because of operating systems changes and not changes to "File Expert" per se.

March 12, 2012: Another update to the "File Expert" app on March 12 seemed to leave things so "Exit" would leave a persisent connection.

March 24, 2012: Another update to the "File Expert" app on about March 24 seemed to leave things so "Exit" would leave a persisent connection. This, and the previous change, did not make it into the change log until March 26. And in the change log, it is implied this (currently) most recent change happened on March 26, when it was in fact distributed via Google Play (sic) some time near the end of the previous week.

March 28, 2012: Another update to the "File Expert" app on about March 28 seemed to leave things so "Exit" would leave a persisent connection. The log entry suggested following at
Twitter: https://twitter.com/#!/Filexpert
Weibo: http://weibo.com/fileexpert (Chinese)

April 16, 2012: Another update to the "File Expert" app on April 13 seemed to leave things so "Exit" would leave a persisent connection. No notice yet at Twitter or change log.

But over the weeked I discovered you can leave a persistent connection which the server times out after twenty minutes by turning the phone off while the connection is open. That method even works for File Manager if done at just the right time. That suggests Android 2.2 (at least) doesn't properly close such connections for each task at shutdown.

May 11, 2012: Another update to the "File Expert" app (4.1.8) on May 4 again seemed to leave things so "Exit" would leave a persisent connection. This release was announced at
Twitter: https://twitter.com/#!/Filexpert, but it looks like they may have stopped updating their on-site change log.

Jul 30, 2012: Since my last update here, the "File Expert" app seems to have progressed to version 4.2.6. I have been busy with other things, but the couple of times I tried the demo since then, I seemed to need to use the "house" key to keep the connection open, using the "Settings" dodge to make it less obvious the app was still running. I didn't actually manage to get the "shutdown" phenomenon to work either.

It really does appear they have stopped updating their on-site change log, which is a shame, because the twitter feed https://twitter.com/#!/Filexpert, gets cluttered with noise. In fact, if all releases are logged there, it's not obvious where all the announcements are.

------


So, in short, if the demo does not work as outlined when "Exit" is pressed, try using "house" to explicitly go to the home screen without exiting the "File Expert" app.

End of Appendix 2.





Appendix 3: Further Observations Diary...

March 28, 2012: Examining the samba logs suggests that the persistent connection is due to more than just a forgotten "close".

It would seem an active "keepalive" protocol is being maintained. However: most of the chatter probably is indicative of only server-side activities, and not actually a conversation.

April 3, 2012: Last weekend I tried the test on a KROSS tablet running Android 2.3 ("Gingerbread"). Previous tests have all been on a Motorola Atrix running Android 2.2 ("Froyo"), except for one brief incomplete test on an Asus tablet running 2.3 or 3.0.

The test appeared to progress much the same. An odd difference is that the "Running" apps page shows very few apps, but if you track down "File Expert" elsewhere it will appear to be running (have "Force Stop" selectable), and server side tests and logs do indicate that it is maintaining the persistent connection.

April 16, 2012: Over the weeked I discovered you can leave a persistent connection by turning the phone off while the connection is open. The server does not detect the absence of a client until a timeout occurs. The (maximum) length of the timeout is obviously server software dependent, and seems to be about twenty minutes in the case of my "samba" setup.

Starting the phone back up tends to close the connection during the startup process (although once I think it might have crashed my phone?).

That method even works for File Manager if done at just the right time. That suggests Android 2.2 (at least) doesn't properly close such connections for each task at shutdown. Or perhaps File Manager, although it generally manages the connection well, does not correctly handle a signal at shutdown.

April 17, 2012: Last night I successfully tested the "shutdown" method of the demo with the Kross Android 2.3 tablet.

May 11, 2012: Today I confirmed that a WiFi hiccup appears to occur and close the connection when you unlock the phone after it has "locked". That is, given a reasonably good WiFi connection, the persistent connection will be maintained even if the phone does lock itself, but is likely to be terminated by the process of unlocking the phone up. In my demo the purpose of actively using the phone was to prevent it from locking itself, but an(other) alternative easier way to conduct the demo is just to allow the phone to lock itself, but not unlock it until after a reasonably long time.

------


It is interesting that other similar apps ("File Manager", stock "Files", "AndSMB") still remain running on "Exit" (if you check the "Running Apps" page), but that they appear to timeout SMB connections with a shortish timeout (order of a minute) as opposed to "File Expert" which appears to either have no timeout, or a timeout greater than 20 minutes.

Indeed, I had assumed I'd finish the one demo, and then quickly run through with other apps indicating that they could exhibit the same behaviour. But, in fact, that is not the case. (Unless you can use the "shutdown" technique).

------

End of Appendix 3.





Appendix 4: Perhaps a Simpler Demo...

Realizing that shutting down a phone can leave a persistent connection suggests a simpler way to conduct the demo.

The demo I created goes to some length to keep the phone active while "File Expert" is running in the background. That was because inactivity would seem to cause the phone to sleep, and waking it up would seem to cause the connection to be dropped.

However, if you simply turn the phone off at the right time (any time while the connection can still be observed) the connection persists until the server itself decides there is nobody listening. Implementation details of the server will determine how long that actually takes.

------

End of Appendix 4.