Comprehensive guide to tracking protection on Android David González - Software Engineer DuckDuckGo Øredev - 8 Nov 2022

Agenda 1. What is a tracker? 2. Web vs App trackers 3. Why should I care? 4. How to block them

Did you know that 90% of Websites and apps are tracking you?

What is a tracker?

Piece of software whose task is to gather information on the person using the application or website

Types of trackers 1. Crash reporters 2. Analytics

Types of trackers 1. Crash reporters 2. Analytics 3. Profiling

Types of trackers 1. Crash reporters 2. Analytics 3. Profiling 4. Identification

Types of trackers 1. Crash reporters 2. Analytics 3. Profiling 4. Identification 5. Ads

Types of trackers 1. Crash reporters 2. Analytics 3. Profiling 4. Identification 5. Ads 6. Location

Web trackers

No content

App trackers

No content

Why should I care?

No content

No content

(https://www.washingtonpost.com/technology/2022/09/22/health-apps-privacy/)

Knowing what to block

T R A C K E R R A D A R • DuckDuckGo Tracker Radar is a data set about trackers that is automatically generated and maintained through continuous crawling and analysis. • This data set is publicly available in (https:// github.com/duckduckgo/tracker-radar) to use for research and for generating tracker block lists. And, the code behind it is open source

Generating a blocklist for Android 21 • Top 300 apps from https://androidrank.org/ • Install root certi fi cate • Start using apps • Record tra ff i c • Looks for inputs

Blocking web trackers

Block web trackers class BrowserWebViewClient() : WebViewClient() { override fun shouldInterceptRequest( webView: WebView, request: WebResourceRequest ) : WebResourceResponse? { private fun blockRequest( trackingEvent: TrackingEvent, request: WebResourceRequest, webViewClientListener: WebViewClientListener? ) : WebResourceResponse { trackingEvent.surrogateId ?. let { surrogateId -> val surrogate = resourceSurrogates.get(surrogateId) if (surrogate.responseAvailable) { Timber.d("Surrogate found for ${request.url}") webViewClientListener ?. surrogateDetected(surrogate) return WebResourceResponse(surrogate.mimeType, "UTF-8", surrogate.jsFunction.byteInputStream()) } } Timber.d("Blocking request ${request.url}") privacyProtectionCountDao.incrementBlockedTrackerCount() return WebResourceResponse(null, null, null) }

Block web trackers class BrowserWebViewClient() : WebViewClient() { override fun shouldInterceptRequest( webView: WebView, request: WebResourceRequest ) : WebResourceResponse? { private fun blockRequest( trackingEvent: TrackingEvent, request: WebResourceRequest, webViewClientListener: WebViewClientListener? ) : WebResourceResponse { trackingEvent.surrogateId ?. let { surrogateId -> val surrogate = resourceSurrogates.get(surrogateId) if (surrogate.responseAvailable) { Timber.d("Surrogate found for ${request.url}") webViewClientListener ?. surrogateDetected(surrogate) return WebResourceResponse(surrogate.mimeType, "UTF-8", surrogate.jsFunction.byteInputStream()) } } Timber.d("Blocking request ${request.url}") privacyProtectionCountDao.incrementBlockedTrackerCount() return WebResourceResponse(null, null, null) }

Block web trackers class BrowserWebViewClient() : WebViewClient() { private fun blockRequest( trackingEvent: TrackingEvent, request: WebResourceRequest, webViewClientListener: WebViewClientListener? ) : WebResourceResponse { trackingEvent.surrogateId ?. let { surrogateId -> val surrogate = resourceSurrogates.get(surrogateId) if (surrogate.responseAvailable) { Timber.d("Surrogate found for ${request.url}") webViewClientListener ?. surrogateDetected(surrogate) return WebResourceResponse(surrogate.mimeType, "UTF-8", surrogate.jsFunction.byteInputStream()) } } Timber.d("Blocking request ${request.url}") privacyProtectionCountDao.incrementBlockedTrackerCount() return WebResourceResponse(null, null, null) } }

Block web trackers class BrowserWebViewClient() : WebViewClient() { private fun blockRequest( trackingEvent: TrackingEvent, request: WebResourceRequest, webViewClientListener: WebViewClientListener? ) : WebResourceResponse { trackingEvent.surrogateId ?. let { surrogateId -> val surrogate = resourceSurrogates.get(surrogateId) if (surrogate.responseAvailable) { Timber.d("Surrogate found for ${request.url}") webViewClientListener ?. surrogateDetected(surrogate) return WebResourceResponse(surrogate.mimeType, "UTF-8", surrogate.jsFunction.byteInputStream()) } } Timber.d("Blocking request ${request.url}") privacyProtectionCountDao.incrementBlockedTrackerCount() return WebResourceResponse(null, null, null) } }

Block web trackers class BrowserWebViewClient() : WebViewClient() { private fun blockRequest( trackingEvent: TrackingEvent, request: WebResourceRequest, webViewClientListener: WebViewClientListener? ) : WebResourceResponse { trackingEvent.surrogateId ?. let { surrogateId -> val surrogate = resourceSurrogates.get(surrogateId) if (surrogate.responseAvailable) { Timber.d("Surrogate found for ${request.url}") webViewClientListener ?. surrogateDetected(surrogate) return WebResourceResponse(surrogate.mimeType, "UTF-8", surrogate.jsFunction.byteInputStream()) } } Timber.d("Blocking request ${request.url}") privacyProtectionCountDao.incrementBlockedTrackerCount() return WebResourceResponse(null, null, null) } }

Block web trackers class BrowserWebViewClient() : WebViewClient() { private fun blockRequest( trackingEvent: TrackingEvent, request: WebResourceRequest, webViewClientListener: WebViewClientListener? ) : WebResourceResponse { trackingEvent.surrogateId ?. let { surrogateId -> val surrogate = resourceSurrogates.get(surrogateId) if (surrogate.responseAvailable) { Timber.d("Surrogate found for ${request.url}") webViewClientListener ?. surrogateDetected(surrogate) return WebResourceResponse(surrogate.mimeType, "UTF-8", surrogate.jsFunction.byteInputStream()) } } Timber.d("Blocking request ${request.url}") privacyProtectionCountDao.incrementBlockedTrackerCount() return WebResourceResponse(null, null, null) } }

Blocking third party cookies

Block third party cookies private suspend fun processThirdPartyCookiesSetting( webView: WebView, uri: Uri ) { val host = uri.host ?: return val domain = authCookiesAllowedDomainsRepository.getDomain(host) withContext(dispatchers.main()) { if (domain != null && hasUserIdCookie()) { Timber.d("Cookies enabled for $uri") cookieManagerProvider.get().setAcceptThirdPartyCookies(webView, true) } else { Timber.d("Cookies disabled for $uri") cookieManagerProvider.get().setAcceptThirdPartyCookies(webView, false) } domain ?. let { deleteHost(it) } } }

Block third party cookies private suspend fun processThirdPartyCookiesSetting( webView: WebView, uri: Uri ) { val host = uri.host ?: return val domain = authCookiesAllowedDomainsRepository.getDomain(host) withContext(dispatchers.main()) { if (domain != null && hasUserIdCookie()) { Timber.d("Cookies enabled for $uri") cookieManagerProvider.get().setAcceptThirdPartyCookies(webView, true) } else { Timber.d("Cookies disabled for $uri") cookieManagerProvider.get().setAcceptThirdPartyCookies(webView, false) } domain ?. let { deleteHost(it) } } }

Block third party cookies private suspend fun processThirdPartyCookiesSetting( webView: WebView, uri: Uri ) { val host = uri.host ?: return val domain = authCookiesAllowedDomainsRepository.getDomain(host) withContext(dispatchers.main()) { if (domain != null && hasUserIdCookie()) { Timber.d("Cookies enabled for $uri") cookieManagerProvider.get().setAcceptThirdPartyCookies(webView, true) } else { Timber.d("Cookies disabled for $uri") cookieManagerProvider.get().setAcceptThirdPartyCookies(webView, false) } domain ?. let { deleteHost(it) } } }

No content

App Tracking Protection

Identify calling app private fun getPackageIdForUid(uid: Int) : String { val packages: Array? try { packages = packageManager.getPackagesForUid(uid) } catch (e: SecurityException) { Timber.e(e, "Failed to get package ID for UID : $uid due to security violation.") return "unknown" } if (packages.isNullOrEmpty()) { Timber.w("Failed to get package ID for UID : $uid") return "unknown" } return packages.f i rst() }

Identify calling app private fun getPackageIdForUid(uid: Int) : String { val packages: Array? try { packages = packageManager.getPackagesForUid(uid) } catch (e: SecurityException) { Timber.e(e, "Failed to get package ID for UID : $uid due to security violation.") return "unknown" } if (packages.isNullOrEmpty()) { Timber.w("Failed to get package ID for UID : $uid") return "unknown" } return packages.f i rst() }

Blocking an app tracker

Blocking an app tracker // Called from native code private fun isAddressAllowed(packet: Packet) : Allowed? { packet.allowed = (callback.get() ?. isAddressBlocked(packet.toAddressRR()) == false) return if (packet.allowed) Allowed() else null }

Blocking an app tracker /** * Called by the VPN network to know if a particular IP address is blocked or not. * This can be combined with the [onDnsResolved] callback, to get the hostname of the * [addressRR] and then decide whether that hostname should be blocked or not * @param addressRR is the address record */ fun isAddressBlocked(addressRR : AddressRR) : Boolean

Blocking an app tracker override fun isAddressBlocked(addressRR : AddressRR) : Boolean { val hostname = addressLookupLruCache[addressRR.address] ?: return false val domainAllowed = shouldAllowDomain(hostname, addressRR.uid) return !domainAllowed }

Blocking an app tracker private fun shouldAllowDomain(name: String, uid: Int) : Boolean { val packageId = getPackageIdForUid(uid) val type = appTrackerRepository.f i ndTracker(name, packageId) if (type is AppTrackerType.ThirdParty && !isTrackerInExceptionRules(packageId = packageId, hostname = name)) { val trackingApp = appNamesCache[packageId] ?: appNameResolver.getAppNameForPackageId(packageId) // if the app name is unknown, do not block if (trackingApp.isUnknown()) return true VpnTracker( trackerCompanyId = type.tracker.trackerCompanyId, domain = type.tracker.hostname, trackingApp = TrackingApp(trackingApp.packageId, trackingApp.appName) ).run { appTrackerRecorder.insertTracker(this) } return false } return true }

Blocking an app tracker private fun shouldAllowDomain(name: String, uid: Int) : Boolean { val packageId = getPackageIdForUid(uid) val type = appTrackerRepository.f i ndTracker(name, packageId) if (type is AppTrackerType.ThirdParty && !isTrackerInExceptionRules(packageId = packageId, hostname = name)) { val trackingApp = appNamesCache[packageId] ?: appNameResolver.getAppNameForPackageId(packageId) // if the app name is unknown, do not block if (trackingApp.isUnknown()) return true VpnTracker( trackerCompanyId = type.tracker.trackerCompanyId, domain = type.tracker.hostname, trackingApp = TrackingApp(trackingApp.packageId, trackingApp.appName) ).run { appTrackerRecorder.insertTracker(this) } return false } return true }

Blocking an app tracker private fun shouldAllowDomain(name: String, uid: Int) : Boolean { val packageId = getPackageIdForUid(uid) val type = appTrackerRepository.f i ndTracker(name, packageId) if (type is AppTrackerType.ThirdParty && !isTrackerInExceptionRules(packageId = packageId, hostname = name)) { val trackingApp = appNamesCache[packageId] ?: appNameResolver.getAppNameForPackageId(packageId) // if the app name is unknown, do not block if (trackingApp.isUnknown()) return true VpnTracker( trackerCompanyId = type.tracker.trackerCompanyId, domain = type.tracker.hostname, trackingApp = TrackingApp(trackingApp.packageId, trackingApp.appName) ).run { appTrackerRecorder.insertTracker(this) } return false } return true }

No content

App breakage

No content

github.com/duckduckgo/Android

Thank you