0

How to determine who is sending ads

asked 2025-04-23 15:07:35 +0000

Newbie

I have an app that has in-app ads that rotate over time. I'd like to find out where the ads come from: what server or IP etc. How can I do this using Wireshark?


1 Answer

0

answered 2025-05-04 09:01:56 +0000

Romain7

updated 2025-05-04 09:14:26 +0000

Hello,

That's an interesting question! Identifying the precise source of ads in an app using Wireshark requires a bit of investigation. Here's an approach you can follow:

* Capture the app's network traffic:
  * Launch Wireshark before opening the app in question.
  * Select the network interface used by your device (Wi-Fi or mobile data).
  * Start the capture.
  * Open and use the app for a while, until the ads appear.
  * Stop the capture in Wireshark.
* Filter the traffic for the app:
  * To simplify analysis, try filtering for app-specific traffic. You can try filtering by:
    * Device IP address: If you know the IP address of your phone or tablet, you can specify it as the source or destination.
    * Specific ports: Some adware applications may use well-known ports (HTTP: 80, HTTPS: 443, but this can vary).
    * Hostname or domain: If you notice suspicious or ad-related domain names in your traffic, you can use them as a filter (e.g., http.host contains "adserver.com"). However, identifying these domains in advance can be difficult.
* Analyze traffic for suspicious requests:
  * Look for HTTP/HTTPS requests: Filter by http or tls. Examine GET and POST requests.
  * Examine HTTP headers: Look at the Host, User-Agent, and response content headers (if you can decrypt them for HTTPS). Unknown domain names or URL paths that resemble ad servers could be clues.
  * Pay attention to responses: The content of responses may contain images, scripts, or other elements that constitute advertising. The size of the responses can also be an indicator.
  * Look for redirects: Sometimes, ad requests pass through multiple servers. Follow the redirects (HTTP status code 3xx).
* Use online analysis tools:
  * If you identify suspicious IP addresses or domain names, you can search for them on websites that specialize in IP address and domain information to see if they are known to host advertising or malicious content.

Important points to consider:

* HTTPS: Much of the traffic is encrypted with HTTPS, which makes inspecting the content (such as the exact URLs of the ads) more difficult without decryption (which is an advanced procedure and requires keys). You will still be able to see the domain names contacted via the TLS (Server Name Indication - SNI) header.
* Multiple sources: An app can load ads from many different servers.
* Advertising SDKs: Apps often use advertising SDKs (Software Development Kits) that handle ad retrieval and display in complex ways. It can be difficult to trace the exact source of the underlying server.
* Constant traffic: Apps often communicate with many servers for purposes other than advertising, so you'll need to be methodical in your analysis.

In summary, with Wireshark, you can observe the network connections established by the app and potentially identify the servers it communicates with when displaying ads. However, identifying the exact "source" (the specific advertising company behind the server) may require additional research into the IP addresses and domains found.

Feel free to share screenshots (with sensitive information redacted) or specific details of the traffic you're observing if you have ... (more)


Stats

Asked: 2025-04-23 15:07:35 +0000

Seen: 153 times

Last updated: yesterday