Is Google Service Framework doing this?

Byku

I've had sandboxed Google Play Services installed for push notifications. I have it isolated with Rethink app to only connect to mtalk.google.com. This setup worked well thus far. Recently however I've been seeing connections made from an unknown (according to Rethink) app to www.googleapis.com using different protocols (usually I only see HTTPS or TCP). Thus far I've seen COVIA, TACACS-DS, SQL-NET, BOOTPS, BOOTPC, TFTP, GOPHER, NETRJS-1/2/3/4, ICMP, VETTCP, FINGER, ISO-TSAP, GPPITNP, ACR-NEMA, CSO, 3COM-TSMUX. It's like something is trying out every possible protocol. I have currently blocked connections from unknown sources via Rethink, but what is causing this? My bet is GSF doing this, since these are IP addresses it usually tries to connect to. Of Google made apps that have network access granted there is only that plus Google Maps. Has anyone encountered this behaviour?

ignoramous

rdns dev here

Byku I've been seeing connections made from an unknown (according to Rethink) app to www.googleapis.com

If these are ICMP requests, Rethink will show the owner UID (app) in the next version, v055o.

Byku Thus far I've seen COVIA, TACACS-DS, SQL-NET, BOOTPS, BOOTPC, TFTP, GOPHER, NETRJS-1/2/3/4, ICMP, VETTCP, FINGER, ISO-TSAP, Getting, ACR-NEMA, CSO, 3COM-TSMUX. It's

Most likely those are ICMP requests? If it is TCP or UDP, the suspect app is trying to connect to over "reserved" ports (a common middleware/firewall bypass attempt).

Byku

ignoramous Checked and yes, these are ICMP requests. So my guess would be it is pinging www.googleapis.com to diagnose lack of connection? Interresting. When the next version of Rethink lands we'll see if it is indeed sanboxed Google Play Services doing this. And btw thank you for all your wonderful work on this app!