Running Privado Scan on Mastodon
First, we started with cloning the mastodon-android repository using the following command:
git clone https://github.com/mastodon/mastodon-android.git
Then we installed Privado OSS:
curl -o- https://raw.githubusercontent.com/Privado-Inc/privado-cli/main/install.sh | bash
With this, we then ran the Privado OSS tool on the mastodon-android:
privado scan mastodon-android
After pruning the results to remove false positives, we get the following result:
We saw that the application uses only a few data elements, which are required for the normal functioning of the app. We didn't detect any third-party integrations. As a truly decentralized application, it just communicates to its servers, which are distributed all over the world. However, the Privado Open Source tool could not detect the internal APIs used to communicate with independent nodes. This was mainly due to the decentralized nature of the app. As we will see later, Mastodon uses a custom API communication implementation due to the node server’s location variability and how we can detect those APIs via Privado by adding a simple rule.
As we dug more through the results, we could see the Data Flows of these data elements and better understand the application's structure. Soon we stumbled across the internal communication APIs of the application. This is where we saw the custom API communication implementation that needed to be detected.
The Mastodon app had all its APIs in the <span class="code">/src/main/java/org/joinmastodon/android/api/requests</span> folder as separate Java Classes. Therefore, we just needed to mark these classes as sinks (of data) in Privado to detect these data flows. To do that, we created a rule to detect all API requests of the application.
sinks: - id: ThirdParties.SDK.MastodonAPI name: Mastodon Internal APIs patterns: - "org.joinmastodon.android.api.requests.*" tags:
After adding the above rule, we scanned the code again to get the following results:
Once we could identify all the flows in the application, we dug into the data flow analysis of some data elements, like the email address as shown below:
Prashant is the CTO & Founder of Privado