This repo contains code and analysis scripts for GPC on Android.
GPC Android is developed and maintained by Nishant Aggarwal (@n-aggarwal), Wesley Tan (@wesley-tan), Konrad Kollnig (@kasnder), and Sebastian Zimmeck (@SebastianZimmeck) of the Law and Tech Lab of Maastricht University and the privacy-tech-lab of Wesleyan University.
1. Repo Overview
2. GPC Android App
3. Scripts
4. Apps CSV
5. Thank You!
This repo contains the following directories:
gpc-android-app: GPC Android app written in Javascripts: Code for intercepting and analyzing network trafficapp-csv: App lists sorted by Google Play Store categories
The gpc-android-app directory contains the code for an app with the following features:
- Directing people to the AdID setting, where they can disable tracking
- Directing people to DuckDuckGo or Brave, two browsers with GPC enabled
You can run the app by cloning this repo and running it in Android Studio.
The scripts can be used in conjunction with mitmproxy SOCKS5 mode to intercept network traffic.
Run the scripts as follows:
-
Install and configure mitmproxy on your computer.
-
Install the mitmproxy certificate in your computer's Root Certificate directory and to the User Certificate directory of your android phone.
-
Install the SOCKSdroid app to reroute traffic from your phone to the proxy server.
-
Start a SOCKS5 proxy on your computer. To do so, execute the following command in your computer:
mitmdump --mode SOCKS5 -p $PORT_NUMBER -
Enter the IP-address and port number of the SOCKS proxy in the SOCKSdroid app and enable the proxy on your phone. You should now be able to intercept network traffic.
Note: To avoid problems make sure that your phone and computer are connected to the same wifi network. -
To use the GPC header the terminal command is
mitmdump --mode SOCKS5 -p $PORT_NUMBER -s mitm-script.pymitm-script.pyis available in the scripts folder.
Notice that the above instructions may not allow you to view all network data because of various reasons. To view more of the data you will have to do make a few more changes:
-
Most apps don't accept user installed certificates. The suggested way to get around this is to root the device and install the MagiskTrustUserCerts Module to install the certificate into system store. Rooting a device depends on the version of Android you may be using and the manufacturer of your phone; as such we can't provide any instructions on this. Nevertheless, it is encouraged that you use Magisk to root the device.
- The alternative method, without rooting the phone, is to apply the apk-mitm to the apps you want to analyze.
-
Some apps may still not accept the certificate becuase of SSL Pinning. To get around this, install the Frida server on your device, and run the
SSL-Unpinning-scripton the desired app. Follow the HTTP ToolKit Frida guide for instructions on installing and setting up Frida. -
On Rooted devices, Chrome Certificate Transparency prevents network capture of browser data. To fix this issue, install the MagiskBypassCertificateTransparencyError Module.
Note that you still may not be able to intercept network traffic for some apps. This is because the SSLUnpinning script we used is not foolproof. There are apps like Instagram that use custom pinning libraries that are very tough to workaround. Nevertheless, this should give you access to network traffic of most of the apps on the Google Play Store.
The apps_csv directory contains a collection of CSV files, each representing a category of apps on the Google Play Store. Each file contains a list of the top 40 free apps for a category.
The directory contains the following files:
- Multiple CSV files named as
apps_<CATEGORY>.csvwhere CATEGORY is the category name from the Google Play Store - A JavaScript file, trial-play-scraper.js, which is used to scrape app data from the Google Play Store
- A bash shell script play-store-downloader.sh, which reads a CSV file and downloads the corresponding apps
Each CSV file is named after a category on the Google Play Store, for example apps_ART-AND-DESIGN.csv. Each CSV file contains the following columns:
- APP_ID: the unique ID of the app on the Google Play Store
- TITLE: the title of the app
- DEVELOPER: the developer of the app
- SCORE: the score of the app on the Google Play Store
- Each CSV file contains the top 40 free apps for that category
-
Clone the repo to your local machine and navigate to the app_csv directory.
-
To scrape app metadata from the Google Play Store for a particular category, use the trial-play-scraper.js file run
node trial-play-scraper.js
-
Download APKs from the Google Play Store with
chmod +x play-store-downloader.sh ./play-store-downloader.sh
Before running the downloader script replace
[email protected]andpasswordin the play-store-downloader.sh file with your Google Play Store email and password, respectively. Then, give the script execution permissions and run it. Doing so will download all the apps listed in the apps-ART_AND_DESIGN.csv file. To download apps from a different category, replace apps-ART_AND_DESIGN.csv with the desired CSV file name in the script.
We would like to thank our financial supporters!
Major financial support provided by the National Science Foundation.
Additional financial support provided by the Alfred P. Sloan Foundation, Wesleyan University, and the Anil Fernando Endowment.
Conclusions reached or positions taken are our own and not necessarily those of our financial supporters, its trustees, officers, or staff.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent