What is this about?

The App Check is a tool we’ve been missing for a very long time. Now we are going to build it. We have secured the resources – what we need is your expertise! Wonder who we are? Learn more.

Whether you are looking to do development work (which we are going to commission), want to support the project because you like it, or are simply curious to find out what we are up to – every constructive engagement is welcome.

We have been analyzing apps for Android and iOS for privacy and security issues for several years. See the published results here. We did it by setting up a man-in-the-middle attack and looking at the data the app sends over the internet on a case-by-case basis.

Now, we will automate this process, in order to test thousands of apps and feed the results into a database that is searchable for everybody.

How?

This is what we have in mind. Some steps are easy and should not be a problem; some are not. Check it out. We will build this for Android apps first, hence the example refers to the Play Store. If feasible, we will also include iOS apps.

All steps in detail

Developers

All actual coding work will be commissioned and paid for by the App-Check team. If you are interested in joining, please email our coordinator, Miriam: m.ruhenstroth@mobilsicher.de with details of what you can and want to do.

Step 1

Manually define a list of roughly 3000 apps we want to test. Collect the files (.apk) from the Play Store automatically. Several projects have implemented this step before, e.g. the Exodus Privacy database, and we would be happy to build on this work.

Step 2

Install .apk file (one at a time) on a mobile device automatically for testing. We will use real devices because some apps detect emulated environments.

Step 3

Start app and simulate user interaction to cause the data flow the app would show in normal use. We have Appium in mind to do this. But there are lots of challenges here. Test-automation specialists please? More details in our forum on app automation.

Step 4

Channel the data flow from the device through a proxy and record log files. In our experience, analyzing HTTP/HTTPS traffic is sufficient for most apps. We used Charles Proxy in manual testing. For the automated version, we were thinking about using mitmproxy. Other ideas welcome.

Step 5

Analyze log files: Which servers does the app call? Which data does it send? Search for identifiers like Ad-ID, Device-ID, Android-ID; strings of user content we have entered, like email, username, password; and look for location data and entries from the address book. Essentially a script that searches for all sorts of strings. It would be nice to have a GUI, so that non-coders can insert new strings or search rules when needed. Ideas? Output should be a structured data format.

Step 6

From the results we generate a readable report that will be published in a searchable database. We have already found partners for the report generation.

Step 7

For each tested app, we regularly check for updates. If there is an update, we repeat the test.

Want to join?

Check out our repository: git