🌐 Network & Security Tools

1.1 Domain Checker

Service: DomainSecurityCheckerService

What it does: Performs real DNS and SSL security checks on domains.

Technical Implementation

• DNS Lookup (Forward): Uses CFHostCreateWithName and getaddrinfo to resolve domain names to IP addresses (supports both IPv4 and IPv6)
• Reverse DNS: Performs getnameinfo to find hostname from IP address
• SSL Certificate Validation: Connects to domain via HTTPS and retrieves certificate chain with SecTrust

What is Checked

• DNS resolution (can domain be resolved to IP?)
• Reverse DNS (does IP address have PTR record?)
• SSL certificate validity
• Certificate issuer (CA)
• Expiry date and days until expiry
• TLS version
• Complete certificate chain

Security Score: Calculated based on DNS status, SSL validity, and certificate lifetime (0-100).

↑ Back to top

1.2 URL Scanner (15 Security Checks)

Service: URLScannerService

What it does: Analyses URLs for security threats, tracking parameters, and phishing indicators with 15 comprehensive security checks.

Technical Implementation

• Follows redirect chains manually (up to 10 redirects)
• Analyses HTTP status codes (301, 302, 303, 307, 308)
• Checks for meta-refresh and JavaScript redirects
• Uses DomainSecurityCheckerService for SSL validation
• Performs WHOIS lookup via RDAP API (rdap.org)
• Levenshtein distance algorithm for typosquatting detection
• Punycode/IDN decoding for internationalised domain analysis
• HTML content scanning for mixed content detection

All 15 Security Checks

• 1. Protocol check: HTTP vs HTTPS (insecure connection detection)
• 2. Redirect chain analysis: Up to 10 redirects, meta-refresh, JavaScript redirects, cross-domain redirects, HTTP→HTTPS downgrade
• 3. Homoglyph detection: Cyrillic/Latin mixing (e.g., "pаypal" with Cyrillic 'а')
• 4. Tracking parameter detection: 18 types including utm_*, fbclid, gclid, mc_eid, msclkid, twclid, etc.
• 5. Phishing indicator detection: Suspicious keywords, @ symbol in URL, data:/javascript: schemes
• 6. SSL certificate validation: Certificate validity, issuer, and chain verification
• 7. WHOIS/domain age: Via RDAP/WHOIS with smart mitigation (new domains = higher risk)
• 8. Suspicious domain pattern matching: Known malicious patterns and URL shorteners (bit.ly, t.co, goo.gl, tinyurl, etc.)
• 9. Punycode/IDN attack detection: Decodes xn-- domains and checks if they impersonate known brands using internationalised characters
• 10. Subdomain spoofing: Detects patterns like apple.com.evil-site.xyz where brand names are used as subdomains of unknown domains
• 11. Open redirect exploitation: Flags when a redirect chain starts at a legitimate domain but ends at an unknown or suspicious destination
• 12. Typosquatting detection: Levenshtein distance comparison against 20 popular domains (e.g., gogle.com, amazn.com, facbook.com)
• 13. Excessive subdomains: Flags 5+ subdomain levels and multiple security-themed subdomains designed to appear trustworthy
• 14. Suspicious TLD check: .zip, .mov (confused with file types), .tk, .ml, .top, .buzz, .icu, and 20+ high-abuse TLDs
• 15. Mixed content detection: Scans HTML for HTTP resources (images, scripts, iframes) loaded on HTTPS pages

Risk levels: Low, Medium, High based on findings.

↑ Back to top

1.3 Network Scanner

Services: NetworkScannerService, SSDPDiscoveryService, BonjourDiscoveryService, OUILookupService, NetworkScanCacheService

What it does: Comprehensive local network scanning with multiple discovery methods for accurate device identification.

Technical Implementation

• Gets local IP via getifaddrs() on en0 interface
• Scans IP range (x.x.x.1-254) with TCP connections
• Uses NWConnection for port scanning
• SSDP/UPnP Discovery — Multicast M-SEARCH for TVs, media servers, routers
• Bonjour/mDNS Discovery — Apple devices, printers, AirPlay
• HTTP Banner Grabbing — Server headers and HTML titles for identification
• OUI Database — 1,800+ MAC prefixes from 49 vendors
• Scan Caching — Remembers devices with "last seen" timestamps

Discovery Methods

• TCP Port Scan: Active connection attempts to common ports
• SSDP/UPnP: Discovers smart TVs, media servers, routers via multicast
• Bonjour: Apple devices, printers, AirPlay, smart-home hubs
• HTTP Banner: Identifies devices by web server headers
• MAC OUI: Manufacturer lookup from MAC address prefix

OUI Database (1,800+ entries)

Consumer Electronics: Apple (378), Samsung (299), LG (81), Sony (85), Xiaomi, Roku, Nvidia

Networking: Cisco (140), TP-Link (67), Netgear (51), ASUS (74), D-Link, Linksys, Ubiquiti

Smart Home: Philips Hue, Nest, Sonos, LIFX, Ring, Arlo, Eufy, Tuya, IKEA

Appliances: Bosch, Siemens, Miele, Electrolux, Whirlpool

Printers: HP (140), Epson, Canon, Brother

Security Cameras: Hikvision, Dahua, Reolink

NAS: Synology, QNAP

What is Checked

• Active IP addresses on network
• Open ports (22, 80, 443, 554, 8080, etc.)
• Hostname via reverse DNS and Bonjour
• Device manufacturer via MAC address (OUI) and SSDP
• Device type categorisation (TV, router, camera, NAS, etc.)
• UPnP device descriptions (friendly name, model, serial)
• HTTP server headers for device identification

Scan Caching

• Stores scan results locally
• Shows "last seen" timestamp for each device
• Identifies new vs previously seen devices
• Persists across app restarts

↑ Back to top

1.4 Camera & IoT Detector

Service: IPDeviceAnalyzerService

What it does: Finds WiFi cameras and IoT devices on the network using multiple discovery methods.

Technical Implementation

• Scans specific ports for different device types
• Analyses HTTP headers for device identification
• HTTP body analysis — identifies camera login pages (Hikvision, Dahua, Axis, Reolink, etc.) from HTML content
• Checks RTSP streams (port 554, 8554, 7070)
• ONVIF WS-Discovery — UDP multicast probe on port 3702 to find ONVIF-compatible cameras that don't respond to Bonjour
• ARP/OUI enrichment — reads system ARP table to map IP addresses to MAC addresses, then matches against 60+ known camera manufacturer OUI prefixes
• Uses full OUI database for manufacturer identification of all devices
• Hostname analysis — detects camera-related hostnames (cam, ipc, nvr, dvr)

Ports Scanned

• Camera: 80, 443, 554, 8080, 8443, 8554, 37777, 34567, 9000, 8899 (ONVIF), 7070, 6667
• IoT: 80, 443, 1883 (MQTT), 8883, 5683 (CoAP), 8080
• Printer: 9100, 515, 631
• NAS: 5000, 5001, 139, 445, 548
• Smart Home: 8123, 1400, 8008, 10001
• Discovery: 49152 (UPnP), 3702 (ONVIF WS-Discovery)

Known Camera Manufacturers (60+ OUI prefixes)

Hikvision, Dahua, Axis, ACTi, Vivotek, Bosch, Panasonic, Foscam, Reolink, Amcrest, Wyze, Ring, Nest/Google, Arlo, Eufy, TP-Link (Tapo/Kasa), D-Link, Ubiquiti (UniFi Protect), Hanwha/Samsung Wisenet, FLIR, Mobotix, Pelco, Avigilon, Geovision, Lorex, Swann, Xiaomi/Yi, Wansview, Ezviz

Camera Detection Methods (layered)

• Port-based: RTSP (554/8554/7070), Hikvision (37777), Dahua (34567), ONVIF (8899)
• ONVIF WS-Discovery: Multicast probe finds cameras that advertise via ONVIF protocol
• HTTP body analysis: Matches 30+ camera login page signatures in HTML content
• OUI/MAC matching: Identifies cameras by manufacturer from ARP table MAC addresses
• Hostname patterns: Detects camera-related DNS names
• HTTP header analysis: Server headers revealing camera firmware

Privacy Risk Assessment

• Camera = +40 points
• RTSP stream available = +30 points
• IoT device = +20 points
• Telnet open (port 23) = +25 points
• No authentication on HTTP = +15 points

↑ Back to top

1.5 Traceroute / Locate Data

Services: TracerouteEngine + GeoIPService

What it does: Traces network path to destination and visualises on map.

Technical Implementation

• Uses ICMP Echo Request with increasing TTL (1-64)
• TraceroutePinger sends packets and measures RTT
• GeoIPService geolocates each hop
• Binary GeoIP database (memory-mapped for performance)

What is Checked

• Network path (all routers between you and destination)
• Response time (RTT) for each hop
• Geographic location of each hop
• Cloud provider detection (AWS, Azure, GCP, Cloudflare, Akamai, etc.)
• Anycast detection (based on RTT vs distance)
• Routing loops (consecutive duplicate IPs)
• Firewall blocking (consecutive timeouts)

GeoIP Database

• Binary format v2 with city-level resolution
• O(log n) lookup via binary search
• LRU cache for repeated lookups
• Supports both IPv4 and IPv6

Cloud providers detected: AWS, Azure, Google Cloud, Cloudflare, Akamai, Fastly, DigitalOcean

↑ Back to top

1.6 Network Security Checker

Service: NetworkSecurityScoringService

What it does: Checks SSL certificates and secure connections.

What is Checked

• SSL/TLS certificate validation
• Certificate chain integrity
• Certificate pinning
• Network security score

↑ Back to top

1.7 Network Security Audit

Service: NetworkSecurityAuditService

What it does: Comprehensive security audit of your current network connection with 11 configurable checks.

Security Checks

• DNS Leak Test — Detects if DNS queries are exposed to your ISP. Integrates with Encrypted DNS to verify protection.
• Captive Portal Detection — Identifies networks that intercept HTTP traffic (hotels, airports, cafés).
• Router Port Security — Scans gateway for open admin ports (Telnet, FTP = critical risk). Off by default for guest networks.
• DNS Encryption — Checks if DNS-over-HTTPS or DNS-over-TLS is active via NEDNSSettingsManager.
• Network Type & Encryption — Detects WiFi/cellular/VPN via network interfaces, proxy configuration.
• ARP Spoofing Detection — Reads ARP table for duplicate MAC addresses (MITM indicator). Tracks gateway MAC changes between scans.
• Rogue DHCP Detection — Identifies unauthorised devices with gateway-like IPs and HTTP servers.
• SSL/TLS MITM Detection — Verifies certificate chains against apple.com, google.com, cloudflare.com. Detects SSL inspection.
• Latency & Stability — 3 measurements per target with average, min, max, and standard deviation.
• IPv6 Leak Check — Detects if IPv6 traffic bypasses VPN tunnel.
• Configuration Profiles — Checks for proxy/MDM configurations that could inspect traffic.

Scoring System

• Overall score 0-100 with rating (Excellent/Good/Fair/Poor/Critical)
• Each finding rated: Pass, Info, Warning, or Critical
• Actionable recommendations for each finding
• Audit history stored for trend analysis (last 20 audits)

User Controls

• Each check can be toggled on/off before starting
• Router port scan disabled by default (respect for guest networks)
• Re-run audit with different check combinations

↑ Back to top

1.8 Encrypted DNS

Service: EncryptedDNSService

What it does: Configures system-wide encrypted DNS (DoH/DoT) to protect all DNS queries on the device.

How It Works

• Uses NEDNSSettingsManager to install DNS configuration
• Configuration persists even when app is closed or device restarts
• Protects ALL apps on the device, not just the browser
• User activates in iOS Settings after installation (iOS security requirement)
• Built-in verification to confirm encryption is active

Supported Protocols

Protocol	Port	Best For
DNS-over-HTTPS (DoH)	443	Harder to block (looks like normal HTTPS traffic)
DNS-over-TLS (DoT)	853	Slightly lower latency, dedicated protocol

Available Providers

Provider	Servers	Features
Cloudflare	1.1.1.1, 1.0.0.1	Fastest, no IP logging, APNIC audited
Cloudflare Family	1.1.1.3, 1.0.0.3	Blocks malware and adult content
Quad9	9.9.9.9	Non-profit (Swiss), blocks malware domains
Google	8.8.8.8, 8.8.4.4	Global infrastructure, DNSSEC validation
AdGuard	94.140.14.14	Blocks ads, trackers, and phishing
Mullvad	194.242.2.2	Maximum privacy, Swedish jurisdiction

Integration with Network Audit

The Network Security Audit automatically detects when Encrypted DNS is active and reports it as "Pass" in both the DNS Leak Test and DNS Encryption checks.

↑ Back to top