Privacy Engineering

Running Privado Scan on Mastodon

Prashant Mahajan
November 28, 2022

First, we cloned the mastodon-android repository using the following command:

git clone https://github.com/mastodon/mastodon-android.git

Then we installed Privado OSS:

curl -o- https://raw.githubusercontent.com/Privado-Inc/privado-cli/main/install.sh | bash

With this in place, we ran the Privado OSS tool on mastodon-android:

privado scan mastodon-android

After pruning the results to remove false positives, we got the following result:

Analysis

We saw that the application uses only a few data elements, which are required for the normal functioning of the app. We didn't detect any third-party integrations. As a truly decentralized application, it communicates only with its own servers, which are distributed all over the world. However, the Privado Open Source tool could not detect the internal APIs used to communicate with independent nodes. This was mainly due to the decentralized nature of the app. As we will see later, Mastodon uses a custom API communication implementation because the location of the node server varies, and those APIs can be detected with Privado by adding a simple rule.

As we dug further through the results, we could see the data flows of these data elements and better understand the application's structure. Soon we stumbled across the internal communication APIs of the application. This is where we saw the custom API communication implementation that needed to be detected.

API communication package structure

The Mastodon app keeps all its API requests in the /src/main/java/org/joinmastodon/android/api/requests folder as separate Java classes. Therefore, we just needed to mark these classes as sinks (of data) in Privado to detect these data flows. To do that, we created a rule that matches every API request class of the application by its fully qualified name:

sinks:
  - id: ThirdParties.SDK.MastodonAPI
    name: Mastodon Internal APIs
    patterns:
      - "org.joinmastodon.android.api.requests.*"
    tags:
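To show what marking a package as a sink actually buys you, here is an added illustration (not Privado's own engine or the Mastodon project's code) of the idea behind the rule above: classes whose fully qualified name matches the sink pattern become sinks, and any call that passes a data element such as an email address into one of them is reported as a flow. The Java sources below are constructed stand-ins, not real Mastodon files; the class and file names are assumptions, and treating the pattern as a regular expression over class names is a simplification of how Privado matches sinks on its code property graph.

```python
import re

# Sink pattern taken from the rule on the page. Treating it as a regular
# expression over fully qualified class names is an assumption made for this
# illustration; Privado itself resolves classes on a code property graph.
SINK_PATTERN = "org.joinmastodon.android.api.requests.*"

# Data elements to track: identifier regexes keyed by element name (constructed).
DATA_ELEMENTS = {"email": re.compile(r"\b\w*email\w*\b", re.IGNORECASE)}

# Constructed Java snippets standing in for files in a scanned repository.
# Class and file names are hypothetical, chosen only to mirror the package layout.
SOURCES = {
    "api/requests/accounts/UpdateAccountCredentials.java": (
        "package org.joinmastodon.android.api.requests.accounts;\n"
        "public class UpdateAccountCredentials extends MastodonAPIRequest<Account> {\n"
        "    public UpdateAccountCredentials(String displayName, String bio) { }\n"
        "}\n"
    ),
    "api/requests/oauth/RegisterAccount.java": (
        "package org.joinmastodon.android.api.requests.oauth;\n"
        "public class RegisterAccount extends MastodonAPIRequest<Token> {\n"
        "    public RegisterAccount(String username, String email, String password) { }\n"
        "}\n"
    ),
    "fragments/SignupFragment.java": (
        "package org.joinmastodon.android.fragments;\n"
        "public class SignupFragment {\n"
        "    void submit(String username, String email, String password) {\n"
        "        new RegisterAccount(username, email, password).exec(accountID);\n"
        "    }\n"
        "}\n"
    ),
    "ui/Formatter.java": (
        "package org.joinmastodon.android.ui;\n"
        "public class Formatter {\n"
        "    // Touches the email but never hands it to an API request: no flow.\n"
        "    String label(String email) { return email.trim(); }\n"
        "}\n"
    ),
}

PACKAGE_RE = re.compile(r"^\s*package\s+([\w.]+)\s*;", re.MULTILINE)
CLASS_RE = re.compile(r"\bclass\s+(\w+)")
CALL_RE = re.compile(r"new\s+(\w+)\s*\(([^)]*)\)")


def fully_qualified_name(source):
    """Return package.ClassName for a Java source, or None if not a class file."""
    pkg = PACKAGE_RE.search(source)
    cls = CLASS_RE.search(source)
    if not (pkg and cls):
        return None
    return f"{pkg.group(1)}.{cls.group(1)}"


def find_sinks(sources, pattern=SINK_PATTERN):
    """Classes whose fully qualified name matches the sink rule's pattern."""
    rx = re.compile(pattern)
    names = (fully_qualified_name(src) for src in sources.values())
    return {fqn for fqn in names if fqn and rx.fullmatch(fqn)}


def find_flows(sources, sinks, data_elements=DATA_ELEMENTS):
    """(element, caller file, sink class) for each data element passed to a sink."""
    simple_names = {fqn.rsplit(".", 1)[1]: fqn for fqn in sinks}
    flows = []
    for path, src in sources.items():
        for call in CALL_RE.finditer(src):
            sink = simple_names.get(call.group(1))
            if sink is None:
                continue  # constructor of a class the rule does not mark as a sink
            for element, elem_rx in data_elements.items():
                if elem_rx.search(call.group(2)):
                    flows.append((element, path, sink))
    return flows


if __name__ == "__main__":
    sinks = find_sinks(SOURCES)
    for element, caller, sink in find_flows(SOURCES, sinks):
        print(f"{element}: {caller} -> {sink}")
```

Running it reports a single flow, the email passed from the signup fragment into the registration request, while the formatter that merely trims the email produces none, which is exactly the distinction a sink rule gives the scanner: the data element alone is not interesting, its arrival at a class that leaves the device is.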

Results

After adding the above rule, we scanned the code again to get the following results:

Complete Data Flows of the Mastodon Application

Once we could identify all the flows in the application, we dug into the data flow analysis of individual data elements, such as the email address shown below:

Data Flow analysis of an email address in Mastodon


Need to try this yourself? Download our OSS tool here [Github]


Prashant is the CTO & Founder of Privado
