All posts by Hossein Doroud

I am a Telematic PhD student at Carlos 3 de Madrid. Network measurement and doing research on privacy are my interesting topics.

Looking at NTP usage by Android apps

A recent post by Dan Drown in the official NTP community forum reported that NTP IPv4 traffic has increased significantly since December 2013: 5x-20x previous traffic levels. Unfortunately, this unusual high load has a direct effect on NTP server performance.

Further investigations by Dan Drown and other researchers revealed that the traffic originated from mobile devices. More detailed analysis that leveraged on-device packet captures allowed them to better identify the actual origin: Snapchat for iOS.

Those findings motivated us to analyse whether any Android application is also responsible for NTP activity and how they use this critical network protocol. The Lumen Privacy Monitor offers us a unique vantage point to capture and analyse accurate traffic traces collected by crowd-sourcing mechanisms in user space. We have access to anonymised network flows generated by more than 3000 mobile apps with real user-stimuli.

According to our records, 84 applications use NTP. This covers popular application with more than 100M installs such as whatsapp, games like subway surfers, audio players like shazam, and tools like battery doctor and officesuit + pfd editor. We provide the full list of application and their number of installation, according to Google Play, at the end of this post.

If we classify the applications by their application category, using public information available on Google Play, we could identify 20 different application categories listed in the Table below.

Category Num. of Instal
preInstalled 30
Educational 16
Tools 8
Communication 6
Travel & Local 3
Travel & Local 3
Video Players & Editors 2
Lifestyle 2
Business 2
Social 2
Arcade 2
Food & Drink 2
Productivity 2
Shopping 1
Entertainment 1
Puzzle 1
Racing 1
Casual 1
Sports 1
Maps & Navigation 1

Note that the preInstalled category covers both pre-installed services and applications as well as apps not available in Google Play (either because they were removed or because they are available on alternative app stores). Excluding those, most apps relying on NTP fall in the “Educational”, “Tools” and “Communication” categories.

WHAT NTP POOLS DO MOBILE ANDROID APPS USE?

Most applications use the NTP server infrastructure provided by ntp.org. Some exceptions are applications using NIST’s time servers and Qualcomm’s server time.izatcloud.net, possibly associated with A-GPS services.

We validated with active measurements from a machine under our control in Spain that those domains host actual NTP servers. All machines replied to our NTP queries but s2m.time.edu.cn, which is under the control of the “China education and research” authority. We are unsure if this is an artefact implemented by the Great Firewall of China.

Although there is a specific NTP pool for android applications, recommended by the NTP community, only 15% of the application seem to communicate with it. However, if we compute the volume of requests for each pool, Android’s dedicated NTP server accounts for 64.5% of the total NTP requests in our records. This fact suggests that a limited number of android applications with high number of installs, mainly communication apps, use the right NTP pool for Android.

NTP Domain NTP Query  (%) # requesting app
2.android.pool.ntp.org 64.54 12
pool.ntp.org 13.15 12
1.cn.pool.ntp.org 5.58 20
north-america.pool.ntp.org 3.98 3
asia.pool.ntp.org 2.99 4
0.asia.pool.ntp.org 2.59 10
ntp.nict.jp 1.79 1
time-a.nist.gov 1.79 1
2.asia.pool.ntp.org 1.0 5
time.izatcloud.net 0.6 2
0.pool.ntp.org 0.4 2
0.us.pool.ntp.org 0.4 1
europe.pool.ntp.org 0.2 1
2.us.pool.ntp.org 0.2 1
s2m.time.edu.cn 0.2 1
1.us.pool.ntp.org 0.2 1

We extended our analysis by investigating the geographical distribution of the NTP pool and the geographical location of the clients performing NTP requests. Note that we do not have accurate geo location of our clients due to our efforts to avoid user tracking. The following table reports the percentage of requests by their geographical region for each NTP server.

The results show that multiple NTP pools often receive queries from devices located out of their supposed region. This is probably caused by the fact that app developers hardcode the NTP pools to be used by their apps rather than selecting the right one for a given user location. For instance asia.pool.ntp.org pool received a considerable percentage of requests (82.62%) from devices located in Europe. Two pre-installed LG services, com.lge.sync and com.lge.qmemoplus, use the pool independently of the device location. Further, “0.us.pool.ntp.org” presents a similar behaviour: 50% of its queries originated in Europe.

Not using the right NTP server may have a negative impact on the accuracy of the returned time value. It has been reported that a client-server latency above 20 ms is not recommended.

NTP Pool “Europe” “North america” “South america” “Asia” “Oceania”
2.android.pool.ntp.org 45.88 30.97 18.46 4.28 0.42
pool.ntp.org 36.0 32.0 8.0 24.0 _
asia.pool.ntp.org 82.61 _ 4.35 13.04 _
time-a.nist.gov _ 100.0 _ _ _
ntp.nict.jp 69.23 30.77 _ _ _
time.izatcloud.net 20.0 80.0 _ _ _
3.time.crdcloud.com _ 100.0 _ _ _
0.pool.ntp.org 50.0 50.0 _ _ _
0.us.pool.ntp.org 50.0 50.0 _ _ _
n1.netalyzr.icsi.berkeley.edu _ 50.0 _ 50.0 _
north-america.pool.ntp.org _ 100.0 _ _ _
2.us.pool.ntp.org _ 100.0 _ _ _
2.time.crdcloud.com _ 100.0 _ _ _
ro.pool.ntp.org 100.0 _ _ _ _
1.time.crdcloud.com _ 100.0 _ _ _
us.pool.ntp.org 100.0 _ _ _ _
1.us.pool.ntp.org _ 100.0 _ _ _

FINAL REMARKS

This short study confirms that NTP traffic is commonly used by mobile applications, including pre-installed services, many of which are highly popular and heavily used by mobile users all over the world. Unfortunately, we are unable to answer to which extent those apps contribute to the total increase of NTP queries reported by Dan Drown in his article. We hope, nevertheless, to shed some more light on the unknown usage of NTP traffic by mobile apps and the role that application developer may have in server loads and also in the final accuracy of the NTP request.

Category package_Name pool(s) num_Installation
Communication air.com.oak.walkoffame 1,000,000,000 – 5,000,000,000
Communication com.sinyee.babybus.kindergarten ‘1.cn.pool.ntp.org’ 1,000,000,000 – 5,000,000,000
Communication com.whatsapp ‘2.android.pool.ntp.org’, ‘ntp.nict.jp’, ‘asia.pool.ntp.org’ 1,000,000,000 – 5,000,000,000
Communication com.sinyee.babybus.cars ‘1.cn.pool.ntp.org’, ‘0.asia.pool.ntp.org’ 1,000,000,000 – 5,000,000,000
Arcade com.kiloo.subwaysurf 500,000,000 – 1,000,000,000
Music & Audio com.shazam.android ‘asia.pool.ntp.org’ 100,000,000 – 500,000,000
Tools com.ijinshan.kbatterydoctor_en ‘pool.ntp.org’ 100,000,000 – 500,000,000
Arcade com.nordcurrent.canteenhd 50,000,000 – 100,000,000
Music & Audio ru.org.amip.clocksync 50,000,000 – 100,000,000
Racing com.topfreegames.bikeracefreeworld 50,000,000 – 100,000,000
Music & Audio com.clearchannel.iheartradio.controller ‘time-a.nist.gov’ 50,000,000 – 100,000,000
Video Players & Editors com.mobitv.client.tmobiletvhd 10,000,000 – 50,000,000
Social tv.periscope.android ‘pool.ntp.org’ 10,000,000 – 50,000,000
Entertainment com.verizonmedia.go90.enterprise 10,000,000 – 50,000,000
Tools com.tmobile.pr.mytmobile ‘0.pool.ntp.org’ 10,000,000 – 50,000,000
Tools org.hola ‘pool.ntp.org’ 10,000,000 – 50,000,000
Travel & Local com.airbnb.android ‘pool.ntp.org’ 10,000,000 – 50,000,000
Communication com.cmcm.whatscall ‘pool.ntp.org’, ‘2.android.pool.ntp.org’ 10,000,000 – 50,000,000
Tools com.lbe.parallel.intl 10,000,000 – 50,000,000
Travel & Local com.hcom.android 10,000,000 – 50,000,000
Educational com.sinyee.babybus.care ‘0.asia.pool.ntp.org’, ‘2.asia.pool.ntp.org’, ‘1.cn.pool.ntp.org’ 10,000,000 – 50,000,000
Travel & Local com.makemytrip ‘pool.ntp.org’ 10,000,000 – 50,000,000
Sports de.motain.iliga 5,000,000 – 10,000,000
Communication com.google.android.wearable.app 5,000,000 – 10,000,000
Lifestyle ch.bitspin.timely ‘2.android.pool.ntp.org’ 5,000,000 – 10,000,000
Educational com.sinyee.babybus.shopping ‘1.cn.pool.ntp.org’ 5,000,000 – 10,000,000
Food & Drink com.application.zomato 5,000,000 – 10,000,000
Shopping com.target.socsav ‘north-america.pool.ntp.org’ 5,000,000 – 10,000,000
Maps & Navigation me.lyft.android ‘0.us.pool.ntp.org’, ‘2.us.pool.ntp.org’, ‘1.us.pool.ntp.org’ 5,000,000 – 10,000,000
Productivity com.drippler.android.updates 5,000,000 – 10,000,000
Educational com.sinyee.babybus.animal ‘1.cn.pool.ntp.org’, ‘0.asia.pool.ntp.org’ 1,000,000 – 5,000,000
Educational com.sinyee.babybus.moonexplorer ‘1.cn.pool.ntp.org’ 1,000,000 – 5,000,000
Educational com.sinyee.babybus.takecar ‘1.cn.pool.ntp.org’ 1,000,000 – 5,000,000
Educational com.sinyee.babybus.travelsafety ‘1.cn.pool.ntp.org’, 1,000,000 – 5,000,000
Educational com.sinyee.babybus.fireman ‘1.cn.pool.ntp.org’ 1,000,000 – 5,000,000
Communication com.snrblabs.grooveip ‘pool.ntp.org’ 1,000,000 – 5,000,000
Productivity me.bluemail.mail ‘2.android.pool.ntp.org’ 1,000,000 – 5,000,000
Educational com.sinyee.babybus.flowers ‘1.cn.pool.ntp.org’ 1,000,000 – 5,000,000
Educational com.sinyee.babybus.shoes ‘1.cn.pool.ntp.org’, ‘0.asia.pool.ntp.org’ 1,000,000 – 5,000,000
Educational com.sinyee.babybus.birthdayparty ‘1.cn.pool.ntp.org’ 1,000,000 – 5,000,000
Food & Drink com.done.faasos 1,000,000 – 5,000,000
Educational com.sinyee.babybus.dining ‘2.asia.pool.ntp.org’, ‘1.cn.pool.ntp.org’, ‘0.asia.pool.ntp.org’ 1,000,000 – 5,000,000
Tools com.koushikdutta.tether 1,000,000 – 5,000,000
Social com.cmcm.live ‘pool.ntp.org’, ‘north-america.pool.ntp.org’, ‘europe.pool.ntp.org’ 1,000,000 – 5,000,000
Business system ‘time.izatcloud.net’ 1,000,000 – 5,000,000
Educational com.sinyee.babybus.truck ‘0.asia.pool.ntp.org’, ‘2.asia.pool.ntp.org’, ‘1.cn.pool.ntp.org’ 1,000,000 – 5,000,000
Lifestyle com.nest.android 1,000,000 – 5,000,000
Educational com.sinyee.babybus.toilet ‘1.cn.pool.ntp.org’ 1,000,000 – 5,000,000
Puzzle com.disney.disneyrestaurant_goo 1,000,000 – 5,000,000
Educational com.sinyee.babybus.organized ‘1.cn.pool.ntp.org’, ‘2.asia.pool.ntp.org’, ‘0.asia.pool.ntp.org’ 1,000,000 – 5,000,000
Video Players & Editors com.plexapp.android ‘2.android.pool.ntp.org’ 1,000,000 – 5,000,000
Casual app.fotopalabra ‘pool.ntp.org’ 1,000,000 – 5,000,000
Communication com.trtf.blue ‘2.android.pool.ntp.org’ 1,000,000 – 5,000,000
Educational com.sinyee.babybus.photostudio ‘0.asia.pool.ntp.org’, ‘2.asia.pool.ntp.org’, ‘1.cn.pool.ntp.org’ 500,000 – 1,000,000
Educational com.sinyee.babybus.share ‘1.cn.pool.ntp.org’, ‘0.asia.pool.ntp.org’ 500,000 – 1,000,000
Music & Audio com.shazam.encore.android 500,000 – 1,000,000
Educational com.sinyee.babybus.dayandnight ‘1.cn.pool.ntp.org’, ‘0.asia.pool.ntp.org’ 500,000 – 1,000,000
Business com.microsoft.windowsintune.companyportal ‘0.pool.ntp.org’ 100,000 – 500,000
Tools edu.berkeley.icsi.netalyzr.android ‘glue.glue1u19589.n1.netalyzr.icsi.berkeley.edu’, ‘n1.netalyzr.icsi.berkeley.edu’ 50,000 – 100,000
Communication com.rdx.kyanuserinterface 10,000 – 50,000
preInstall com.fingerprints.fingerprintsensortest Not Available
preInstall com.qualcomm.embms Not Available
preInstall com.huawei.android.airsharing ‘time.izatcloud.net’, Not Available
preInstall com.qualcomm.timeservice ‘ntp.nict.jp’ Not Available
preInstall com.samsung.android.fingerprint.service Not Available
preInstall air.com.oak.oddsocksmob ‘pool.ntp.org’ Not Available
preInstall com.android.keychain Not Available
preInstall com.sinyee.fruit.activity ‘1.cn.pool.ntp.org’ Not Available
preInstall com.android.development ‘2.android.pool.ntp.org’ Not Available
preInstall com.amazon.connectivitydiag Not Available
preInstall com.sonymobile.screenrecording Not Available
preInstall com.mediatek.providers.drm Not Available
preInstall com.lge.qmemoplus ‘asia.pool.ntp.org’ Not Available
preInstall com.jide.networkconn ‘s2m.time.edu.cn’ Not Available
preInstall com.lge.sync ‘asia.pool.ntp.org’ Not Available
preInstall com.android.location.fused ‘2.android.pool.ntp.org’ Not Available
preInstall com.lge.sprinthiddenmenu Not Available
preInstall com.sonymobile.simlock.service Not Available
preInstall com.motricity.verizon.ssodownloadable ‘2.android.pool.ntp.org’ Not Available
preInstall com.google.android.backuptransport ‘pool.ntp.org’, ‘2.android.pool.ntp.org’ Not Available
preInstall com.android.vending ‘pool.ntp.org’ Not Available
preInstall com.qualcomm.atfwd ‘2.android.pool.ntp.org’ Not Available
preInstall com.samsung.helphub Not Available
preInstall com.sec.knox.switcher ‘north-america.pool.ntp.org’ Not Available