/gpc-android

Code and analysis scripts for GPC on Android

Primary language: JavaScript. License: MIT.


GPC Android

This repo contains code and analysis scripts for GPC on Android.

GPC Android is developed and maintained by Nishant Aggarwal (@n-aggarwal), Wesley Tan (@wesley-tan), Konrad Kollnig (@kasnder), and Sebastian Zimmeck (@SebastianZimmeck) of the Law and Tech Lab of Maastricht University and the privacy-tech-lab of Wesleyan University.

1. Repo Overview
2. GPC Android App
3. Scripts
4. Apps CSV
5. Thank You!

1. Repo Overview

This repo contains the following directories:

  • gpc-android-app: GPC Android app written in Java
  • scripts: Code for intercepting and analyzing network traffic
  • app-csv: App lists sorted by Google Play Store categories

2. GPC Android App

The gpc-android-app directory contains the code for an app with the following features:

  1. Directing people to the AdID setting, where they can disable tracking
  2. Directing people to DuckDuckGo or Brave, two browsers with GPC enabled

You can run the app by cloning this repo and running it in Android Studio.

3. Scripts

The scripts can be used in conjunction with mitmproxy SOCKS5 mode to intercept network traffic.

Run the scripts as follows:

  1. Install and configure mitmproxy on your computer.

  2. Install the mitmproxy certificate in your computer's Root Certificate directory and in the User Certificate directory of your Android phone.

  3. Install the SOCKSdroid app to reroute traffic from your phone to the proxy server.

  4. Start a SOCKS5 proxy on your computer. To do so, execute the following command on your computer:

    mitmdump --mode SOCKS5 -p $PORT_NUMBER

  5. Enter the IP address and port number of the SOCKS proxy in the SOCKSdroid app and enable the proxy on your phone. You should now be able to intercept network traffic.
    Note: To avoid problems, make sure that your phone and computer are connected to the same Wi-Fi network.

  6. To use the GPC header, run the following command in the terminal:

    mitmdump --mode SOCKS5 -p $PORT_NUMBER -s mitm-script.py

    mitm-script.py is available in the scripts folder.

Note that the above instructions may not let you view all network data, for various reasons. To view more of the data, you will have to make a few more changes:

  • Most apps don't accept user-installed certificates. The suggested way to get around this is to root the device and install the MagiskTrustUserCerts Module to install the certificate into the system store. Rooting a device depends on the version of Android you are using and the manufacturer of your phone; as such, we can't provide any instructions on this. Nevertheless, we encourage you to use Magisk to root the device.

    • The alternative method, without rooting the phone, is to apply apk-mitm to the apps you want to analyze.
  • Some apps may still not accept the certificate because of SSL pinning. To get around this, install the Frida server on your device, and run the SSL-Unpinning-script on the desired app. Follow the HTTP Toolkit Frida guide for instructions on installing and setting up Frida.

  • On rooted devices, Chrome Certificate Transparency prevents network capture of browser data. To fix this issue, install the MagiskBypassCertificateTransparencyError Module.

Note that you still may not be able to intercept network traffic for some apps. This is because the SSLUnpinning script we used is not foolproof. There are apps like Instagram that use custom pinning libraries that are very tough to work around. Nevertheless, this should give you access to the network traffic of most of the apps on the Google Play Store.
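The following addon is an added example, not the repo's mitm-script.py: it sets the `Sec-GPC: 1` request header defined by the GPC specification and tallies the hosts whose TLS handshake with the proxy failed, which is how untrusted user certificates and pinning show up during a capture. The class name, the `blind_hosts` helper and the sample hosts are hypothetical, and the `tls_failed_client` hook assumes mitmproxy 9.0 or later.

```python
from collections import Counter
from types import SimpleNamespace as NS


class GpcProbe:
    """Hypothetical addon: sets Sec-GPC: 1 and tallies hosts that reject the proxy CA."""

    def __init__(self):
        self.gpc_sent = Counter()      # host -> requests sent on with Sec-GPC: 1
        self.tls_rejected = Counter()  # host -> failed client-side TLS handshakes

    def request(self, flow):
        # mitmproxy hook, called for every request it was able to decrypt.
        flow.request.headers["Sec-GPC"] = "1"
        self.gpc_sent[flow.request.pretty_host] += 1

    def tls_failed_client(self, data):
        # mitmproxy hook (assumes 9.0+): the app aborted its handshake with the
        # proxy, as happens when it distrusts the user CA or pins a certificate.
        addr = data.context.server.address
        host = data.conn.sni or (addr[0] if addr else "unknown")
        self.tls_rejected[host] += 1

    def blind_hosts(self):
        """Hosts with failed handshakes and no decrypted request, so no GPC header was added."""
        return sorted(h for h in self.tls_rejected if h not in self.gpc_sent)


probe = GpcProbe()
addons = [probe]  # mitmdump -s <this file> loads the objects in this list


def constructed_demo():
    """Drive the hooks with constructed stand-ins for mitmproxy's flow/TLS objects."""
    p = GpcProbe()
    flow = NS(request=NS(headers={}, pretty_host="api.example.test"))
    p.request(flow)

    def failed(sni, ip):
        return NS(conn=NS(sni=sni), context=NS(server=NS(address=(ip, 443))))

    p.tls_failed_client(failed("pinned.example.test", "203.0.113.5"))
    p.tls_failed_client(failed(None, "203.0.113.9"))  # no SNI: fall back to IP
    p.tls_failed_client(failed("api.example.test", "203.0.113.7"))  # also decrypted
    return flow.request.headers, p.blind_hosts()


if __name__ == "__main__":
    print(constructed_demo())
```

Hosts returned by `blind_hosts()` are the ones to revisit with the system-store certificate or the unpinning steps above before drawing conclusions about how an app handles GPC.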

4. Apps CSV

The apps_csv directory contains a collection of CSV files, each representing a category of apps on the Google Play Store. Each file contains a list of the top 40 free apps for a category.

4.1 Directory Contents

The directory contains the following files:

  • Multiple CSV files named as apps_<CATEGORY>.csv where CATEGORY is the category name from the Google Play Store
  • A JavaScript file, trial-play-scraper.js, which is used to scrape app data from the Google Play Store
  • A bash shell script play-store-downloader.sh, which reads a CSV file and downloads the corresponding apps

Each CSV file is named after a category on the Google Play Store, for example apps_ART-AND-DESIGN.csv. Each CSV file contains the following columns:

  • APP_ID: the unique ID of the app on the Google Play Store
  • TITLE: the title of the app
  • DEVELOPER: the developer of the app
  • SCORE: the score of the app on the Google Play Store

Each CSV file contains the top 40 free apps for that category.

4.2 How to Use

  1. Clone the repo to your local machine and navigate to the app_csv directory.

  2. To scrape app metadata from the Google Play Store for a particular category, run the trial-play-scraper.js file:

    node trial-play-scraper.js

  3. Download APKs from the Google Play Store with

    chmod +x play-store-downloader.sh
    ./play-store-downloader.sh

    Before running the downloader script, replace email@gmail.com and password in the play-store-downloader.sh file with your Google Play Store email and password, respectively. Because the credentials are stored in plain text in the script, use a dedicated test account and do not commit the edited file. Then, give the script execution permissions and run it. Doing so will download all the apps listed in the apps-ART_AND_DESIGN.csv file. To download apps from a different category, replace apps-ART_AND_DESIGN.csv with the desired CSV file name in the script.

5. Thank You!

We would like to thank our financial supporters!


Major financial support provided by the National Science Foundation.

Additional financial support provided by the Alfred P. Sloan Foundation, Wesleyan University, and the Anil Fernando Endowment.

Conclusions reached or positions taken are our own and not necessarily those of our financial supporters, their trustees, officers, or staff.