
privacy-tech-lab/gpc-android


GPC Android

This repo contains code and analysis scripts for GPC on Android.

GPC Android is developed and maintained by Nishant Aggarwal (@n-aggarwal), Zachary Liu (@zatchliu), Konrad Kollnig (@kasnder), and Sebastian Zimmeck (@SebastianZimmeck) of the Law and Tech Lab of Maastricht University and the privacy-tech-lab of Wesleyan University. Wesley Tan (@wesley-tan) contributed earlier.

1. Research Publications
2. Repo Overview
3. GPC Android App
4. Scripts
5. Apps CSV
6. Downloading APKs
7. Thank You!

1. Research Publications

2. Repo Overview

This repo contains the following directories:

  • gpc-android-app: GPC Android app written in Java
  • scripts: Code for intercepting and analyzing network traffic
  • app-csv: App lists sorted by Google Play Store categories

3. GPC Android App

The gpc-android-app directory contains the code for an app with the following features:

  1. Directing people to the AdID setting, where they can disable tracking
  2. Directing people to DuckDuckGo or Brave, two browsers with GPC enabled

You can run the app by cloning this repo and running it in Android Studio.

4. Scripts

The scripts can be used in conjunction with mitmproxy SOCKS5 mode to intercept network traffic.

Run the scripts as follows:

  1. Install and configure mitmproxy on your computer.

  2. Install the mitmproxy certificate in your computer's Root Certificate directory and in the User Certificate directory of your Android phone.

  3. Install the SOCKSdroid app to reroute traffic from your phone to the proxy server.

  4. Start a SOCKS5 proxy on your computer. To do so, execute the following command on your computer:

    mitmdump --mode SOCKS5 -p $PORT_NUMBER

  5. Enter the IP address and port number of the SOCKS proxy in the SOCKSdroid app and enable the proxy on your phone. You should now be able to intercept network traffic.
    Note: To avoid problems, make sure that your phone and computer are connected to the same Wi-Fi network.

  6. To use the GPC header, run the following command:

    mitmdump --mode SOCKS5 -p $PORT_NUMBER -s mitm-script.py

    mitm-script.py is available in the scripts folder.
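
An addon of the kind step 6 loads with -s, added here as an example; it is not the repo's mitm-script.py. It assumes the GPC signal is the `Sec-GPC: 1` request header from the GPC specification; the class name `GPCInjector` and its counters are hypothetical.

```python
# Added example, not the repo's mitm-script.py.
# Assumption: GPC is signalled with the request header "Sec-GPC: 1".
from collections import Counter

GPC_HEADER = "Sec-GPC"
GPC_VALUE = "1"


class GPCInjector:
    """Set Sec-GPC on every intercepted request and keep a per-host tally."""

    def __init__(self):
        self.injected = Counter()     # host -> requests where this addon set the header
        self.already_set = Counter()  # host -> requests that arrived with Sec-GPC: 1

    def request(self, flow):
        # mitmproxy calls this hook once per client request, before forwarding it.
        req = flow.request
        host = req.pretty_host
        if req.headers.get(GPC_HEADER) == GPC_VALUE:
            # For example, traffic from a browser that already sends GPC itself.
            self.already_set[host] += 1
            return
        # Missing header or any other value: overwrite with the opt-out signal.
        req.headers[GPC_HEADER] = GPC_VALUE
        self.injected[host] += 1

    def summary(self):
        """Return sorted (host, injected, already_set) rows for a sanity check."""
        hosts = sorted(set(self.injected) | set(self.already_set))
        return [(h, self.injected[h], self.already_set[h]) for h in hosts]

    def done(self):
        # mitmproxy calls this hook on shutdown; print the tally to the console.
        for host, added, present in self.summary():
            print(f"{host}: header added to {added} request(s), "
                  f"already present on {present}")


# mitmproxy picks up addon instances from this module-level list when run with -s.
addons = [GPCInjector()]
```

Saved under a file name of your choice, it is passed to -s in the same command as in step 6; the per-host tally is printed when mitmdump exits.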

Note that the above instructions may not allow you to view all network data, for various reasons. To view more of the data, you will have to make a few more changes:

  • Most apps don't accept user-installed certificates. The suggested way to get around this is to root the device and install the MagiskTrustUserCerts Module, which installs the certificate into the system store. How to root a device depends on the version of Android you are using and the manufacturer of your phone; as such, we can't provide any instructions on this. Nevertheless, we encourage you to use Magisk to root the device.

    • The alternative method, without rooting the phone, is to apply apk-mitm to the apps you want to analyze.

  • Some apps may still not accept the certificate because of SSL pinning. To get around this, install the Frida server on your device, and run the SSL-Unpinning-script on the desired app. Follow the HTTP Toolkit Frida guide for instructions on installing and setting up Frida.

  • On rooted devices, Chrome Certificate Transparency prevents network capture of browser data. To fix this issue, install the MagiskBypassCertificateTransparencyError Module.

Note that you still may not be able to intercept network traffic for some apps. This is because the SSLUnpinning script we used is not foolproof. Some apps, such as Instagram, use custom pinning libraries that are very tough to work around. Nevertheless, this should give you access to the network traffic of most of the apps on the Google Play Store.

5. Apps CSV

For our research, the Google Play applications will be downloaded using the google-play method of apkeep, a tool that automates the downloading of Google Play applications. If this fails, we will consider alternatives such as Raccoon or downloading from the Play Store manually.

The apps_csv directory contains a collection of CSV files, each representing a category of apps on the Google Play Store. Each file contains a list of the top 40 free apps for a category.

5.1 Directory Contents

The directory contains the following files:

  • Multiple CSV files named as apps_<CATEGORY>.csv where CATEGORY is the category name from the Google Play Store
  • A JavaScript file, trial-play-scraper.js, which is used to scrape app data from the Google Play Store
  • A bash shell script play-store-downloader.sh, which reads a CSV file and downloads the corresponding apps

Each CSV file is named after a category on the Google Play Store, for example apps_ART-AND-DESIGN.csv. Each CSV file contains the following columns:

  • APP_ID: the unique ID of the app on the Google Play Store
  • TITLE: the title of the app
  • DEVELOPER: the developer of the app
  • SCORE: the score of the app on the Google Play Store

Each CSV file contains the top 45 free apps for that category.

5.2 How to Use

  1. Clone the repo to your local machine and navigate to the app_csv directory.

  2. To scrape app metadata from the Google Play Store for a particular category, run the trial-play-scraper.js file:

    node trial-play-scraper.js

  3. Download APKs from the Google Play Store with

    chmod +x play-store-downloader.sh
    ./play-store-downloader.sh

    Before running the downloader script replace email@gmail.com and password in the play-store-downloader.sh file with your Google Play Store email and password, respectively. Then, give the script execution permissions and run it. Doing so will download all the apps listed in the apps-ART_AND_DESIGN.csv file. To download apps from a different category, replace apps-ART_AND_DESIGN.csv with the desired CSV file name in the script.

6. Downloading APKs

APKs can be manually downloaded with Raccoon as follows:

  1. Make sure to have a US-based IP address (e.g. via VPN)
  2. Set up an account with the US Play Store
  3. Get Raccoon and a Raccoon Premium license, and use Raccoon's DummyDroid to extract the configuration from a real Android device
  4. Choose "Import Apps" in Raccoon and paste all apps' links in there (e.g. market://details?id=com.fishbrain.app)
  5. Sit and wait ...

7. Thank You!

We would like to thank our financial supporters!


Major financial support provided by the National Science Foundation.


Additional financial support provided by the Alfred P. Sloan Foundation, Wesleyan University, and the Anil Fernando Endowment.


Conclusions reached or positions taken are our own and not necessarily those of our financial supporters, their trustees, officers, or staff.
