The use of cellular data networks is increasingly popular as net-work coverage becomes more ubiquitous and many diverse user-contributed mobile network applications are available. The grow-ing cellular traffic demand means that cellular network carriers arefacing greater challenges to provide users with good network per-formance and energy efficiency, while protecting networks frompotential attacks. To better utilize their limited network resourcesfor securing the network and protecting client devices, the carriershave already deployed various network policies to influence traf-fic behavior. Today, these policies are mostly opaque, though theydirectly impact application designs and may even lead to networkvulnerabilities. In this paper, we present NetPiculet, the first system that auto-matically unveils carriers’ NAT and firewall policies by conductingintelligent measurement. By running NetPiculet on the major U.S.cellular providers as well as deploying it as a smartphone based ap-plication in the wild for more than 100 cellular ISPs, we identifiedthe key policies associated with NAT and firewall with direct im-plications on performance, energy, and security. For example, bothNAT boxes and firewalls have different timeout mechanisms forinvalidating TCP packets, which directly influence application de-signs. Although most carriers today deploy sophisticated firewallsin their networks, they are still vulnerable to various attacks such asbattery draining and denial of service. These findings can informmobile application designers in constructing better interfaces to thenetwork and also provide suggestions to carriers on how to improvetheir network configurations.