Projects
Below, you can find a selection of some of my projects and publications. A few more can be found in my GitHub profile.
Informed Consent? A Study of “Consent Dialogs” on Android and iOS
Consent dialogs have become ubiquitous with seemingly every website and app pleading users to agree to their personal data being processed and their behaviour being tracked, often with the help of tens or even hundreds of third-party companies. They are an effort by website and app publishers to comply with data protection legislation like the GDPR, which imposes strict limits on how companies can process data. Previous research has established that companies often apply dark patterns to illegally nudge users into agreeing and that at the same time tracking is more common than ever with both websites and apps regularly automatically transmitting telemetry data.
But so far, there has been almost no research into consent dialogs on mobile. For my master’s thesis, I studied consent dialogs on Android and iOS in an automated and dynamic manner, analysing 4,388 popular apps from both platforms. I identified different types of consent elements in the apps and analysed their prevalence. I also identified dark patterns and violations by the apps based on a list of criteria for a legally compliant consent dialog that I have compiled. Finally, I measured the effect of the user’s choice in the consent dialog by comparing the traffic from before any interaction with the traffic after accepting and rejecting the dialog and analysing contacted trackers and transmitted data types. The results show that more than 90 % of consent dialogs implement at least one dark pattern and that a majority of apps transmits tracking data regardless of consent status.
Automated analysis of “zero-touch” privacy violations under iOS
As a follow-up project to the Android privacy research, I also looked at the iOS ecosystem. At the time, research into data protection on iOS had been scarce and outdated and there was no prior art for automatically acquiring and analysing apps. The presentation details the many dead ends I ran into on the way to a working solution and my process of reverse-engineering how to programmatically grant permissions on iOS.
I ended up analysing 1,001 apps from the top charts of the German App Store as of May 2021. The results are very similar to those on Android. I found that apps on iOS also frequently perform tracking even without user input (much less consent), collecting the same data types. Even the list of the most common trackers is almost identical.
Finally, I also had a quick look at Apple’s then new privacy labels. Most of the declarations were correct but I did find some apps transmitting data they omitted in their privacy label.
The tools I developed for this project were also used for the “Keeping Privacy Labels Honest” paper (10.56553/popets-2022-0119, source code, talk recording), published at PETS’22.
Automated analysis of Android apps for privacy violations
To get a grasp of how common and extensive data collection in Android apps really is, Malte and I developed a series of scripts to download, install and start Android apps in an emulator and to collect and analyse their network traffic. HTTPS-encrypted traffic is also considered and certificate pinning is circumvented.
In total, we analysed 1,296 popular apps. The apps were run for 60 seconds without any user input, meaning that no consent was given. We found that a large fraction of apps still transmits telemetry data, including device details (model, settings, battery status, etc.), sensor data, events (which pages are opened and buttons are clicked), or even the geolocation and which data is entered in the app, to third-party servers.
The presentation also gives an insight into why this is problematic from a legal perspective under the GDPR.
An Analysis of the State of Electron Security in the Wild
Electron applications require new security considerations and a widened threat model: While web applications are strictly isolated from the operating system, Electron apps can be given full access to the Node.js APIs. Thus, many of the well-known attack vectors of the web still apply to Electron applications, but they may be a lot more severe given full access to the system.
My bachelor’s thesis explores known attacks for Electron apps. It also presents an analysis of 1,204 open and closed source Electron applications for various security indicators to give an insight into the state of Electron security in the wild. The results show that while the situation is improving with more developers becoming aware of the necessary security considerations and secure defaults starting to be introduced, many apps don’t take advantage of Electron’s security features and use of dangerous functions is common.
Contrastor for Windows
id-simple-syntax-highlighter — A simple syntax highlighter for InDesign
Code snippets on displays are usually shown using syntax highlighting to make reading and understanding them easier. Thus, it would make sense to apply the same treatment to code snippets in books and other print documents. Unfortunately, Adobe InDesign doesn’t come with such a feature.
This script aims to provide a primitive means of applying syntax highlighting to code snippets in InDesign documents. It is basically a port of Lars Jung’s lolight for InDesign.
Datenanfragen.de / datarequests.org
A project with the mission of helping people exercise their right to privacy. Through our website, we offer a generator for GDPR requests as well as access to our company and supervisory authority database and comprehensive articles on the GDPR and privacy in general.
To manage the project, we have founded Datenanfragen.de e. V., a registered non-profit in Germany. I am currently a chairman for that association.
yace—yet another comment engine
yace aims to provide a comment engine that can be easily deployed to AWS using Terraform.
It is simple both in terms of the code that powers it and the APIs it provides. It can easily be integrated into existing websites and is ideal for static websites, making almost no assumptions about the structure of the website. The frontend can be entirely customized as it only provides a simple API for submitting and retrieving comments. In addition, yace sets the focus on privacy, collecting no unnecessary data about the user.
standardkontenrahmen.de (German)
Out of my own need, I created this simple static website that acts as a reference for Standardkontenrahmen (accounting templates for German businesses and non-profits), offering an Algolia-powered search engine for SKR 03, SKR 04 and SKR 49. As accounting templates tend to be very comprehensive, it can be difficult to find the correct account. This project aims to make that process easier.
The data is taken from the GnuCash project. This XML data is then converted to JSON for Algolia.
docs.benjamin-altpeter.de
My personal docs archive for various topics. These are mostly kept for myself but as I think that some of the entries could also be useful for others, I have decided to publish them.
The docs themselves are written in Markdown and then compiled into a static website using Hugo.
internetmarke-php
hexteQ.
Bookshelf: Open Source eBook Management Software
The project’s main part is bookshelf-server, a web application written in PHP. bookshelf-server offers both a backend which stores the book metadata and a frontend which the user can access through their browser. In addition, it has an external API to allow the use of independent clients.
An analysis of DTC DNA testing for personalized exercise and diet plans (German)
Fractal: A simple (and highly inefficient) fractal viewer written in Qt
The code is deliberately kept simple and doesn’t implement any optimizations other than painting in a background thread.
SomePublisher / Damnick Verlag
My foray into the world of print publishing. These are two publishing labels. Through them, I published several books authored by my mother (through SomePublisher) as well as a number of reprints of classical German literature (through Damnick Verlag). All Damnick ebooks are available for free on the website.
While I haven’t published any new books in a while, this has always been a passion project for me and I would love to revisit it in the future.
Professor PC (German)
This was one of my first projects: A tech blog with an accompanying YouTube channel. Over the course of seven years, I published various posts and videos.
With time, my focus shifted to different projects and I stopped updating Professor PC. So in late 2017, I decided to end the project. The website is now in an archived status with most posts still being online but not indexed by search engines anymore. While the original website was built first on Joomla and later WordPress, for the archive I moved to a nice efficient static site built with Hugo.