

First, we cloned the mastodon-android repository:
Then we installed Privado OSS:
With both in place, we ran Privado OSS against the mastodon-android source:
After pruning the results to remove false positives, we got the following:

We saw that the application uses only a few data elements, all of which are needed for the app to function. We did not detect any third-party integrations: as a decentralized application, Mastodon talks only to Mastodon servers, and those servers are run independently all over the world. However, the Privado Open Source tool did not detect the internal APIs used to talk to those independent nodes. This is a direct consequence of the decentralized design: the server an installation talks to is not fixed in the code, so the request layer is a custom implementation rather than a recognizable HTTP client SDK, and a generic sink rule does not match it. As we will see below, a simple additional rule is enough for Privado to pick those APIs up. Note that "no third-party integrations" does not mean no data leaves the device; the personal data still goes to whichever instance the user signed in to.
Digging further into the results, we could follow the data flows of these data elements and get a better picture of the application's structure. We soon came across the application's internal communication APIs, which is where the custom API implementation that needed its own detection lives.

The Mastodon app keeps all of its API requests in the /src/main/java/org/joinmastodon/android/api/requests folder, one Java class per request. Therefore we only needed to mark these classes as data sinks in Privado for the flows into them to be reported. To do that, we wrote a rule that matches every API request class in that package instead of listing each class by hand.
After adding the rule, we rescanned the code and got the following results:
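The rule itself is not reproduced on this page. What follows is an added example, not the post's own rule, written in the shape of the YAML sink rules that ship in the Privado repository. The rule id, the rule name, the placeholder domain and the exact set of fields are assumptions and should be checked against the rule files in the Privado repository before use; the one part that carries the idea is the pattern, a regular expression over fully qualified names that matches every class under the requests package at once.

```yaml
# Added example of a custom Privado sink rule for Mastodon's request classes.
# Not taken from the original post; field names follow the sink rules in the
# Privado repository, and the id, name and domain below are assumptions.
sinks:
  - id: Sinks.API.Internal.Mastodon.Requests   # assumed id, any unique value works
    name: Mastodon API request classes         # label shown in the scan results
    domains:
      - example.invalid                        # placeholder: the real host is the
                                               # instance the user signs in to and
                                               # is not known statically
    patterns:
      # Match every class under org.joinmastodon.android.api.requests, so each
      # request class becomes a sink. Dots are escaped as [.] as in Privado's
      # shipped rules; (?i) keeps the match case-insensitive.
      - "(?i)(org[.]joinmastodon[.]android[.]api[.]requests[.].*)"
```

Matching the whole package is deliberate: any data element that reaches any request class shows up as a flow without the rule having to be updated when a new request class is added. The trade-off is precision in the other direction: the result tells you which request class a data element reaches, not which server it ends up on, because the destination host is chosen at login rather than in the code. The file is supplied to the scanner as a custom rules directory in the way the Privado README describes.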

Once all the flows in the application were visible, we looked at the data flow analysis of individual data elements, such as the email address shown below:

Need to try this yourself? Download our OSS tool here [Github]