A comprehensive guide to tracker protection on Android

Transcript

Comprehensive guide to tracking protection on Android David González -

Software Engineer DuckDuckGo Øredev - 8 Nov 2022

Agenda 1. What is a tracker? 2. Web vs App

trackers 3. Why should I care? 4. How to block them

Did you know that 90% of Websites and apps are

tracking you?

Piece of software whose task is to gather information on

the person using the application or website

Types of trackers 1. Crash reporters 2. Analytics

Types of trackers 1. Crash reporters 2. Analytics 3. Profiling

4. Identification

Types of trackers 1. Crash reporters 2. Analytics 3. Profiling

4. Identification 5. Ads

Types of trackers 1. Crash reporters 2. Analytics 3. Profiling

4. Identification 5. Ads 6. Location

(https://www.washingtonpost.com/technology/2022/09/22/health-apps-privacy/)

A R • DuckDuckGo Tracker Radar is a data set about trackers that is automatically generated and maintained through continuous crawling and analysis. • This data set is publicly available in (https:// github.com/duckduckgo/tracker-radar) to use for research and for generating tracker block lists. And, the code behind it is open source

Generating a blocklist for Android 21 • Top 300 apps

from https://androidrank.org/ • Install root certi fi cate • Start using apps • Record tra ff i c • Looks for inputs

Blocking web trackers

Block web trackers class BrowserWebViewClient() : WebViewClient() { override fun

shouldInterceptRequest( webView: WebView, request: WebResourceRequest ) : WebResourceResponse? { private fun blockRequest( trackingEvent: TrackingEvent, request: WebResourceRequest, webViewClientListener: WebViewClientListener? ) : WebResourceResponse { trackingEvent.surrogateId ?. let { surrogateId -> val surrogate = resourceSurrogates.get(surrogateId) if (surrogate.responseAvailable) { Timber.d("Surrogate found for ${request.url}") webViewClientListener ?. surrogateDetected(surrogate) return WebResourceResponse(surrogate.mimeType, "UTF-8", surrogate.jsFunction.byteInputStream()) } } Timber.d("Blocking request ${request.url}") privacyProtectionCountDao.incrementBlockedTrackerCount() return WebResourceResponse(null, null, null) }

Block web trackers class BrowserWebViewClient() : WebViewClient() { override fun

shouldInterceptRequest( webView: WebView, request: WebResourceRequest ) : WebResourceResponse? { private fun blockRequest( trackingEvent: TrackingEvent, request: WebResourceRequest, webViewClientListener: WebViewClientListener? ) : WebResourceResponse { trackingEvent.surrogateId ?. let { surrogateId -> val surrogate = resourceSurrogates.get(surrogateId) if (surrogate.responseAvailable) { Timber.d("Surrogate found for ${request.url}") webViewClientListener ?. surrogateDetected(surrogate) return WebResourceResponse(surrogate.mimeType, "UTF-8", surrogate.jsFunction.byteInputStream()) } } Timber.d("Blocking request ${request.url}") privacyProtectionCountDao.incrementBlockedTrackerCount() return WebResourceResponse(null, null, null) }

Block web trackers class BrowserWebViewClient() : WebViewClient() { private fun

blockRequest( trackingEvent: TrackingEvent, request: WebResourceRequest, webViewClientListener: WebViewClientListener? ) : WebResourceResponse { trackingEvent.surrogateId ?. let { surrogateId -> val surrogate = resourceSurrogates.get(surrogateId) if (surrogate.responseAvailable) { Timber.d("Surrogate found for ${request.url}") webViewClientListener ?. surrogateDetected(surrogate) return WebResourceResponse(surrogate.mimeType, "UTF-8", surrogate.jsFunction.byteInputStream()) } } Timber.d("Blocking request ${request.url}") privacyProtectionCountDao.incrementBlockedTrackerCount() return WebResourceResponse(null, null, null) } }

Block web trackers class BrowserWebViewClient() : WebViewClient() { private fun

Blocking third party cookies

Block third party cookies private suspend fun processThirdPartyCookiesSetting( webView: WebView,

uri: Uri ) { val host = uri.host ?: return val domain = authCookiesAllowedDomainsRepository.getDomain(host) withContext(dispatchers.main()) { if (domain != null && hasUserIdCookie()) { Timber.d("Cookies enabled for $uri") cookieManagerProvider.get().setAcceptThirdPartyCookies(webView, true) } else { Timber.d("Cookies disabled for $uri") cookieManagerProvider.get().setAcceptThirdPartyCookies(webView, false) } domain ?. let { deleteHost(it) } } }

Block third party cookies private suspend fun processThirdPartyCookiesSetting( webView: WebView,

None

App Tracking Protection

Identify calling app private fun getPackageIdForUid(uid: Int) : String {

val packages: Array<String>? try { packages = packageManager.getPackagesForUid(uid) } catch (e: SecurityException) { Timber.e(e, "Failed to get package ID for UID : $uid due to security violation.") return "unknown" } if (packages.isNullOrEmpty()) { Timber.w("Failed to get package ID for UID : $uid") return "unknown" } return packages.f i rst() }

Identify calling app private fun getPackageIdForUid(uid: Int) : String {

val packages: Array<String>? try { packages = packageManager.getPackagesForUid(uid) } catch (e: SecurityException) { Timber.e(e, "Failed to get package ID for UID : $uid due to security violation.") return "unknown" } if (packages.isNullOrEmpty()) { Timber.w("Failed to get package ID for UID : $uid") return "unknown" } return packages.f i rst() }

Blocking an app tracker

Blocking an app tracker // Called from native code private

fun isAddressAllowed(packet: Packet) : Allowed? { packet.allowed = (callback.get() ?. isAddressBlocked(packet.toAddressRR()) == false) return if (packet.allowed) Allowed() else null }

Blocking an app tracker /** * Called by the VPN

network to know if a particular IP address is blocked or not. * This can be combined with the [onDnsResolved] callback, to get the hostname of the * [addressRR] and then decide whether that hostname should be blocked or not * @param addressRR is the address record */ fun isAddressBlocked(addressRR : AddressRR) : Boolean

Blocking an app tracker override fun isAddressBlocked(addressRR : AddressRR) :

Boolean { val hostname = addressLookupLruCache[addressRR.address] ?: return false val domainAllowed = shouldAllowDomain(hostname, addressRR.uid) return !domainAllowed }

Blocking an app tracker private fun shouldAllowDomain(name: String, uid: Int)

: Boolean { val packageId = getPackageIdForUid(uid) val type = appTrackerRepository.f i ndTracker(name, packageId) if (type is AppTrackerType.ThirdParty && !isTrackerInExceptionRules(packageId = packageId, hostname = name)) { val trackingApp = appNamesCache[packageId] ?: appNameResolver.getAppNameForPackageId(packageId) // if the app name is unknown, do not block if (trackingApp.isUnknown()) return true VpnTracker( trackerCompanyId = type.tracker.trackerCompanyId, domain = type.tracker.hostname, trackingApp = TrackingApp(trackingApp.packageId, trackingApp.appName) ).run { appTrackerRecorder.insertTracker(this) } return false } return true }

A comprehensive guide to tracker protection on Android

A comprehensive guide to tracker protection on Android

More Decks by David González

Other Decks in Technology

Featured

Transcript