Lmst

Weil es Rückfragen gab: Tracktor wird aktuell nicht weiterentwickelt. Die Website ist buggy und die Trackerliste nicht mehr aktuell. Experten können die Beschwerdetexte aber sicher anpassen an neue Gesetzesnamen und Technologien.

Ich finde gerade nicht die Zeit 🤷‍♂️.

Die Kollegen von @datenanfragende haben ein tolles ähnliches Projekt für Apps aufgesetzt (#tweasel). Mit ihnen war von Beginn an abgesprochen, dass sie die Tracktor-Funktionalität gerne übernehmen können, soweit das möglich ist.

Android: Der Beitrag stellt die Vorbereitung des Testgeräts sowie Werkzeuge (Frida, Magisk) zur Analyse des Datensendeverhaltens von Apps vor. Reinschauen! ✌️ 👇

https://www.kuketz-blog.de/in-den-datenstrom-eintauchen-ein-werkzeugkasten-fuer-analysten-von-android-apps/

#share #android #frida #objection #tweasel #pirogue #tls #ssl #CertificatePinning #mitmproxy #proxy #intercepting #analyse #datenschutz #sicherheit #privacy #security #dsgvo

New data in our open request database!

I've just finished another monkey run on 2,358 #Android apps. That's another 70k requests from April 2024 that can be used for understanding and researching #tracking. ^b

#tweasel #privacy

We’re back after the summer with our fourth #tweasel devlog: https://www.datarequests.org/devlog/tweasel-update-4/

A few highlights: We’ve been busy improving the documentation of our TrackHAR adapters to provide better reasoning on why we think properties contain certain data types. We’ve also written a script for debugging our adapters, which allows us to run them against all matching requests in our open request database.

We already announced the database in a previous toot: https://chaos.social/@dev_at_datarequestsORG/111006402859017611 ^b #privacy #tracking

Screenshot of the debug script being run in a terminal. It shows properties (manfacturer, model, isRooted, carrier, screenHeight, etc.) being matched to values. For example, the values for osVersion are 11 and 13, for isEmulator: true and false, for timezone: 3600000.

Die „pseudonyme Messung“ nutzt dabei den Endpunkt https://de.ioam.de/tx.io (vgl.: https://docs.infonline.de/infonline-measurement/integration/web/checkliste_web_allgemein/#uberprufung-der-einbindung).

Schauen wir doch mal in den #tweasel-Daten, ob sich alle Apps an die Vorgaben von INFOnline gehalten haben und nach dem 1. Dezember 2021 keine Daten mehr ohne Einwilligung an den Endpunkt gesendet haben:
https://data.tweasel.org/data/requests?runType__exact=no-interaction&endpointUrl__exact=https%3A%2F%2Fde.ioam.de%2Ftx.io&startTime__gte=2021-12-01

Ach Mensch. Haben sie nicht.

Our open request database is online: https://data.tweasel.org/ \o/

We regularly run #traffic analyses on thousands of #Android and #iOS apps. As we want to enable as many people as possible to look into the inner workings of trackers, we are publishing our datasets for other researchers, activists, journalists, and anyone else who is interested in understanding #tracking. There are already 250k requests from between January 2021 and July 2023, with more to come in the future. ^b
#tweasel #privacy

Screenshot of data.tweasel.org, showing a query that returns multiple requests.

The screenshot shows seven rows, with the following columns: initiator (e.g. com.amazon.dee.app@2.2.453377.0, com.opera.app.news@11.1.2254.67011), platform (android or ios), endpointUrl (e.g. https://us-u.openx.net/w/1.0/cm, https://csi.gstatic.com/csi), content (one requests has a base64-encoded binary content, another one has an XML document, for the others, the content is blank), and headers.

We have just published our third #tweasel devlog. You can read it here: https://www.datarequests.org/devlog/tweasel-update-3/

One of the major changes we have made is switching to the @httptoolkit #Frida unpinning script for bypassing certificate pinning on Android. We had run an analysis comparing its performance to the script we used before and found that it works better for our use case. As a bonus, this change allowed us to close two related issues. ^b #privacy #Android #iOS

We published our first update blog post for #tweasel. Our plan is to do these biweekly from now on.

https://www.datarequests.org/devlog/tweasel-update-1/

A lot has happened since our last update in January. We have released a set of tools and library for mobile #tracking analysis.

First up: appstraction (https://github.com/tweaselORG/appstraction), an abstraction layer for instrumenting #Android and #iOS. It allows you to install, uninstall, start, stop apps, manage emulator snapshots, clipboard, proxy, and certificates, etc. ^b

Screenshot from the appstraction README showing an example of how to reset an Android emulator and install an app in it.

Full text:

Example usage

The following example shows how to reset an Android emulator and then install an app on it:

import { platformApi } from 'appstraction';

(async () => {
const android = platformApi({
platform: 'android',
runTarget: 'emulator',
capabilities: []
});

await android.ensureDevice();
await android.resetDevice('<snapshot name>');
await android.installApp('</path/to/app/files/*.apk>');
})();

Introducing #tweasel. @zner0L and I (@baltpeter) will be working on fighting #tracking in mobile #apps thanks to #NLnet funding (https://nlnet.nl/project/TrackingWeasel/). Our goal is to automate complaints against tracking under the #GDPR and #ePrivacy directive.

We don't have a website yet (this is our behind-the-scenes account, after all), but all code will of course be FOSS (https://github.com/tweaselORG) and we'll report here.

First overview in our #FireShonks talk: https://media.ccc.de/v/fire-shonks-2022-49115-tracking-in-apps-ist-das-legal-eine-bersicht-ber-die-mobile-trackinglandschaft (DE with EN dub). ^b

#tweasel

Client Info