Our tweasel updates are back after the summer. We have made our request data publicly available, such that anyone can run SQL queries against our datasets. We have also better documented many of our TrackHAR adapters. Furthermore, we have begun doing legal research to inform our decisions on how to establish tracker IDs as personal data in our complaints.
The third installment of our semi-regular updates on the development of the tweasel project. This time, we have switched to a different certificate pinning bypass script and fixed various bugs on different platforms and devices. We have also continued working on our documentation and outreach, and collected new traffic data for our TrackHAR adapters.
I gave an update on our progress with the tweasel project. We have released first versions of our libraries and tools for instrumenting and analyzing mobile apps and their traffic. We have worked on automating the installation of dependencies and device setup. We have launched our documentation website for tracking endpoints and their data. We have also given a talk at the FireShonks event and a presentation to the EDPB tech advisory board.
Tracking and consent dialogs have become ubiquitous, with seemingly every website and app pleading with users to agree to their personal data being processed and their behaviour being tracked, often with the help of tens or even hundreds of third-party companies. But the bar for legally performing tracking in the EU is high. In this post, I detail the legal requirements for tracking and collecting consent in general and present a comprehensive list of criteria for a legally compliant consent dialog.
I analyzed the new data safety section on the Google Play Store for datarequests.org and found popular apps admitting to collecting and sharing highly sensitive data for advertising and tracking. More than one quarter of apps transmitted tracking data not declared in their data safety label.
For my mobile privacy research, I need to know which Android apps are the most popular. I reverse-engineered an undocumented batchexecute API endpoint that the Play Store website uses internally to programmatically access the top charts. Based on that, I created the parse-play NPM package.
An investigation for datarequests.org showed that the free browser extension Honey doesn’t just collect coupon codes. Using the GDPR’s right to access, we confirmed that they also permanently store their users’ history data on a large scale. That’s why we have submitted complaints.
RCE in Jitsi Meet Electron prior to 2.3.0 due to insecure use of shell.openExternal() (CVE-2020-25019)
I discovered a remote code execution vulnerability in Jitsi Meet Electron versions prior to 2.3.0 (CVE-2020-25019). This post contains a write-up of the problem which was caused by an insecure use of Electron’s shell.openExternal().
Passing user-controlled input to Electron’s shell.openExternal() function is commonly warned against for security reasons. But what are the actual possible attacks in this scenario? This post introduces some potential attacks.
This post contains a translation of the model constitution for a registered tax-privileged association under German law (“eingetragener steuerbefreiter Verein”). It is licensed as CC0.