...and welcome to this internet thingy. We are part of the RC3, the Remote Chaos Experience, and this is the R3S stage, the Remote Rhein-Ruhr Stage. This talk will be about Solitude, a tool for privacy analysis, and our speaker today is Dan. Before we start, a few housekeeping things. First of all, if you have questions for our speaker, please head over to Twitter or Mastodon and use the hashtag RC3R3S. Again, the hashtag is RC3R3S on Twitter or on Mastodon on the Fediverse. You can also contact our signal angels in RC3-R3S on Hackint on IRC. Again, the channel's name is RC3-R3S. Also, if you have something that you would like to share, that you would like us to communicate to the others, then please contact our news team at the email address newsshow@rc3.world or write to them on the blog newsshow.rc3.world. This talk will be translated into German; you will find the corresponding links and notes in your web player. Should this talk not be available for whatever reason, a DDoS or something like that on media.ccc.de, then you could try heading over to Twitch or YouTube, which we are streaming to as well. The channel's name there is Remote Rhein-Ruhr Stage, so search for us there and you will find what you are seeking. Okay, so much for that, and off to Dan.

Thank you very much. Hi, my name is Dan Hastings. Today I'm going to talk about Solitude, which is a privacy analysis tool. Before I get started, I just want to make sure that I acknowledge my co-author, Emmanuel Flores. He had a lot to do with this project and is still developing it with me, as well as Michael Roberts, who is an advisor to this project. So like I mentioned, my name is Dan Hastings. I work for a company called NCC Group. I'm a senior security consultant and focus mainly on web application and mobile pen testing. However, lately mobile privacy has been my main interest, particularly iOS.
This talk and this tool can work with web applications. However, I will be focusing mainly on mobile, as that was the inspiration for a lot of this project. You can find me on Twitter; my handle is ubiquitous_h.

So the way this talk is going to work is: first I'll talk about the why, where the motivation to develop Solitude came from. Then what Solitude does, so a breakdown of the technical features, as well as a demo of how Solitude works and how to use and configure Solitude, because a lot of how the tool works actually comes from how you configure it. And a couple of instances of bugs from the wild that involve the pasteboard.

So first, there was a talk at 35C3 titled "How Facebook tracks Android users even without Facebook accounts". This was from Privacy International. They looked at several, I think it was around a hundred or so, very popular Android apps, and noticed a lot of them sent data to Facebook whether you had an account or not. And oftentimes they would send data to third parties or Facebook before you even accepted an in-app privacy policy. I thought this was really interesting and wanted to do similar research on iOS. So I looked at a subset of apps, in particular robocall blocking apps, so spam blocking apps, to see if they had similar behaviors. I spoke at the DEF CON 27 Crypto and Privacy Village; my talk was titled "Ironically, iOS robocall blocking apps are violating your privacy". The main goal of this research was just to see... Apple had put up a requirement that you had to have a privacy policy if you wanted to get your app into the App Store, and they also had guidelines for privacy policies. I wanted to see what would happen if I found discrepancies between the data that the app was actually collecting and whom it was sharing it with, versus what the privacy policy actually said.
And I found out that there were discrepancies between the privacy policy and the data collection practices. So I brought these to Apple and said, hey, these app developers are not following what the privacy policy says according to your guidelines, and I brought this to the app developers. I found that there were a few apps that sent your phone number to third parties, as well as data being sent to Facebook and third parties prior to accepting an in-app privacy policy.

So after doing this research, one thing that came to mind was that if you're not very technical, you can't really get insight or transparency into what happens with your private data when you use a mobile app or a web application. The only way you can actually do this is if you read a privacy policy, which a lot of times is unreadable, or you take advantage of laws such as the CCPA, the California Consumer Privacy Act. These are ways that you can request access to your data, or read or view in plain text what is happening with your personal data. However, we still don't know, as we saw with my previous research, if this is the actual truth of what's happening, and the only real way to inspect this is if you do an investigation into the app yourself, and that's a bit difficult if you don't have the technical knowledge. So the goal here was to develop a tool that would make it easier, so people have more transparency into what happens with their private data when they use a mobile app.
Most recently, in the fall of 2020, Apple has now made it mandatory for developers to submit a questionnaire, which they fill out about the data collection practices of the app and whether any of that data is being used to track you. This is really great and gives even more transparency into what happens with your data when you use an app, what data is being collected about you. Yet there's still no way to verify this, and so using a tool such as Solitude would help in verifying that the data the app developers say they're collecting about you is actually what is happening when you use the app.

So like I mentioned, Solitude is a privacy assessment tool to help perform privacy assessments of mobile and web applications. The basic high-level overview: you take all the data about yourself, your email address, your phone number, you put it into a configuration file which is then read by Solitude. You use the mobile app the way that you normally would and you input this data, and then you have a user interface where it's displayed what data you've configured Solitude to search for and what domains it's being sent to. The goal that we had in mind here was to make it as easy as possible to configure and set up. However, you do need some technical knowledge: you'll have to know how to install Docker, how to run a command from the command line, how to install a VPN profile on your mobile device, and also how to install a certificate or a profile onto your mobile device so you can proxy all your traffic through Solitude. The graphic on the right displays how the architecture of Solitude works.
So what we've done is we've allowed you to run it in two ways. You can either run it just on your laptop by itself, locally, or you can run it in a Docker container on your laptop. The idea, and thanks to Sid, because I used his scripts here to help build this, is that you run a Docker container which runs an OpenVPN server along with Solitude, you connect your mobile device to the Docker container, and then all of your traffic goes through the container via the VPN into Solitude and then into the user interface, where you can actually view all of this data. This is an easier way to proxy traffic. It's very difficult with mobile devices to proxy traffic, if you've ever attempted to do this. There are ways to do it, but I think this is actually one of the better ways, and you can also just proxy traffic through Solitude in your standard way of proxying web application traffic if you run it locally; you don't necessarily have to use the Docker container OpenVPN server.

So we've built in some features out of the box, and we're looking to add more to this, so I'm going to talk about those. We recursively decode base64 and URL-encoded data. These are two very common data encoding schemes that you see on the internet in mobile and web applications. If someone were to try to obfuscate a piece of data by encoding it multiple times, say it's a base64-encoded string that's then URL-encoded, then base64-encoded and then URL-encoded again, Solitude would be able to decode all of these layers and then search whatever data is inside to see if it contains any of the strings that you've configured Solitude to look for. We also support Protobuf and gzip, only at the first layer. And then we also have some built-in searches for GPS coordinates, internal IP addresses and MAC addresses. These are not guaranteed to find everything; I want to make sure that's really clear.
There are some regular expressions that we've configured in there that automatically look for GPS coordinates. We've tested several hundred apps and they do work fairly well. You do get some false positives with the IP addresses and MAC addresses, but it's pretty accurate and works. The goal is that this is an open source project, so hopefully more people will contribute more types of searches and regular expressions so we can find data automatically more easily. For now, configuring it yourself is going to give you the best results, or more results, I'll say that.

Behind the scenes we use YARA. YARA is a way that you can create a rule set where you can search for specific strings using regular expressions and conditionals, and it's often used for malware analysis. However, we thought that this would be a good use case here. If you don't have the knowledge of how to write YARA rules, we've created a JSON configuration file, and all of the key-value pairs that you put in the JSON configuration file are converted to YARA for you. We also hash, with SHA1, SHA2, VDX and MD5, all of the data that you configure in your configuration file, so the hashes of the strings you've configured are searched for too. And lastly, we support WebSockets.

So I'm going to do a quick demo here of what Solitude looks like. If you look here, this is the web UI. We have a domain counter as well as a violation counter. Before I show how the UI works in real time, this is actually just the JSON configuration file here with all the different types of data that you would configure. You can just open up your text editor and add the key-value pairs that you want to search for. Eventually, we're going to turn this into a settings page in the UI, but for now you just have to use the text editor to configure it. Then as you browse your mobile app, traffic filters in in real time, with the different violations. So what I've just clicked on here is... oops, go back.
This is a decoder object. If you want to inspect more about a certain request, you can click on the decoder object, and there's a JSON object here which you can look at which has more detailed information about the request. So say a piece of data was actually encoded, you can look at the different layers of how we've decoded it and searched for different strings. If there's request data, headers, cookies, all of that information you can look at inside of this object. It's for those who want to get more technical and dive into what the request structure looks like. You can do that for each individual violation of a piece of data that you've configured Solitude to search for, and the domain it's being sent to; you can click on the decoder object to look at it there.

And then here we have a live demo of just a mobile app. Just to be very clear, this is not a vulnerability. This is just a random app that we chose. We gave it access to our location and browsed the app as we normally would. So this isn't the intended behavior that we expected. I just wanted to use an app to show you the different types of data we automatically search for and how it's displayed in the user interface, like your mobile provider and your name and all of that type of data as well. So that's just a demo of how Solitude works.

Okay, so, types of data that you can configure Solitude with. I mentioned before and showed in the example that you would configure it with a lot of your personal information, or test data if you just want to use test data, however you'd like to do it. But we suggest, and on the GitHub there'll be an example, probably the same one that you saw there, with just fake data that you can use to give you an idea of the types of data you should configure. Pretty much anything that you put into a mobile app when you register a new account, your password, your username, you'd want to put all of it in the Solitude configuration file.
You'd want to make sure that you're checking for all types of data. You should not just assume that your password might not get sent to another third party; it's very possible, it has happened in the past. Another thing that we suggest is creating a unique identifier that you can use to test messaging apps or the pasteboard, which I'll talk about in a second. This is a more dynamic string that you want to configure to search for. Usernames and email addresses are usually in form fields that are validated, so we suggest being creative and creating a unique ID. So having this GUID tracer, which you can then put into, say, a message you're sending in a messaging app, and that way it's easier for you to keep track of the specific data points that you're tracing. And then another thing that we suggest that you test for, which I'll talk about in a second, is the pasteboard. If you copy and paste something into an app, the app may access the pasteboard where the data you've copied exists. It's very possible that the app might send that to another domain or their own domain. So that's something we suggest that you look for.

So speaking of the pasteboard, I'm going to talk about some vulnerabilities that we found with the pasteboard and talk about how you could use Solitude to search for those. The pasteboard is an IPC mechanism to share data from one app to another. The real high-level basic explanation is just copying from one app and pasting into another. When you do this, the data that you copy exists in a place called the pasteboard. In iOS it's a pasteboard and in Android it's a clipboard; they're interchangeable. So I'll be saying pasteboard here because I'll be talking more specifically about iOS. However, this is transferable also to Android for the clipboard. So the pasteboard often contains a lot of sensitive data.
If you think about any time that you've ever used a mobile app and you've copied something, that's where it exists: on the pasteboard. And a lot of the time this data stays on the pasteboard for a very long time. And we can think about all the different types of data we've copied with the copy and paste feature on our phones, such as passwords, credit card numbers, phone numbers, addresses or text messages.

So Apple actually implemented this great feature in iOS 14 where they alert you when data from the pasteboard is copied into an app. In this example here, if we copied something from Safari, like a link we wanted to share, and we pasted it into Messages, an alert would show up on the phone that says "Messages pasted from Safari". This is great because there were actually some researchers that found that TikTok, every few keystrokes, would actually be silently accessing your pasteboard in the background every single time you typed. TikTok actually fixed this, but it was really informative, because prior to this notification you would have no idea if data in the pasteboard was actually being accessed behind your back by an app that you're using; you had no idea that this might be happening. I thought this was really interesting. I was like, this is a great feature. If you're unaware that your pasteboard's being accessed, you now have that notification that tells you, and it's led to discoveries such as what was happening with TikTok. However, you still don't know, just because the app is accessing the data from the pasteboard, what they are doing with it. Are they sending it somewhere else? It would be really bad if you were to use an app and, whether intentionally or unintentionally, it was silently grabbing data from the pasteboard and then sending it to either a third party or even the app servers of that app. Either one would be pretty bad.
And so I discovered that this was actually true with a specific class of apps. Unfortunately, or fortunately, I'm going through the disclosure process right now, and so until that's complete I can't reveal which apps these are, until they're patched. However, I discovered that one of the apps I was using, as soon as you booted the app, would take any data from the pasteboard and then send it to their servers. I think this was just a mistake, and I don't think it was completely intentional. However, that doesn't mean that this couldn't still happen, intentionally or not, with other apps. So what I did was I used Solitude here, took a unique identifier, copied it from the pasteboard, and then used a whole bunch of different apps and noticed if any of that data was sent from the pasteboard to the app servers. Like I mentioned earlier with the unique identifier, this was a way that I was able to check for this.

So the new feature that iOS 14 implemented is great. It gives us transparency into when you copy something onto the pasteboard and an app accesses that data, so it's not silent. However, you still don't know if that data is being sent anywhere, which could be pretty problematic and kind of scary. It would be really great if there was an OS-level configuration where you could actually disable the pasteboard or even set a time limit. Oftentimes we find vulnerabilities or issues with mobile apps where the developers allow you to copy a sensitive piece of data from the app, however they never expire it. And here's a good example of where that data, if it never expires, could be accessed by another app and potentially sent outbound. If the app developers fail to set an expiration date, this OS-level configuration would allow you to actually disable the pasteboard or even set a time limit where the data would be completely cleared from the pasteboard in a certain amount of time.
So for a recap, Solitude is a privacy assessment tool. It's meant to empower people to inspect their favorite apps to see where the data the app collects about them goes, and to make it easier for them to do privacy investigations into their favorite apps.

We have a lot of future plans for Solitude. One is that right now Solitude doesn't search for any encrypted strings. What I mean by that is if an app is encrypting data and then sending it elsewhere, so you can't see what data is contained in that encrypted string, it's very difficult for us to search for that. We could potentially do this, but you would need to have a jailbroken device. Right now, you don't need to have a jailbroken device to use Solitude, but if you wanted to use this feature, you would. I'm not recommending at all that you jailbreak a personal device, but you could get a testing device that you might jailbreak to use for doing deeper dives. We'd also like to develop an Android and iOS app that would export all of the device data on your phone to a configuration file, which would then be read by Solitude, so you could actually search for all of this device data a lot more easily. Right now, it'd be really hard for us to programmatically keep trying to include all the different types of device data, all the carriers, MAC addresses, all these types of things. We do search for MAC addresses, but more hardware information might be more difficult. So it would be neat to have this on your phone and then import that configuration into Solitude, which would then search for any of that device data. We're going to continue working on the UI. Right now, the configuration for the settings that you want, for YARA rules or for the data that you want Solitude to look for, is all done in a configuration file, so you have to use a text editor.
We'd like to port this over to the UI to make it easier. And then lastly, like I mentioned, it's not required that you have a jailbroken device to use Solitude. However, if certain SDKs and apps are using certificate pinning, then you're not going to be able to see certain traffic and search through certain requests, because they will not be going through due to certificate pinning, or not being sent outbound. If you do have a jailbroken device and you use Solitude, you can possibly disable certificate pinning, which would make it so you can see almost all the traffic, or all the traffic, that's being sent out of the phone. However, you can't really do that now. So for those who are not that technical and want to know if some data did not make it out, it would be great if we could have a feature in the user interface where it would actually say, hey, the connection to this domain failed, potentially because of certificate pinning.

And last is that Solitude is going to be open sourced, hopefully by the end of this week, probably by the end of this week. You can find the repository for Solitude here, so take note of this. It's not live yet, but we will be releasing the code so you can install it and use it and contribute and give us feedback. It's just github.com/nccgroup/solitude.

And then lastly, I have to thank all these people. Again, I'm sorry if I missed you, but I work with amazing people at NCC Group, and former NCC Group folks, who've all helped me in some way or another. Like I said, Emmanuel is a co-author here. Sid has been a huge advisor. And I honestly couldn't have done any of this without Jennifer Fernick, who is the head of research here at NCC Group. We have a wonderful research wing here, and none of this would have been possible without her help and all of my other colleagues. So I just want to make sure that they get the proper recognition and thank-yous. Thank you for listening to my talk, and now I'll take questions.
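The matching pipeline the talk describes (recursive base64/URL decoding of a request body, matching the configured strings and their hashes at every layer, and turning the JSON key/value config into a YARA rule) as an added, self-contained example; this is not Solitude's own code. The config keys and values, the function names, the md5/sha1/sha256 hash set and the sample request body are constructed for this example.

```python
import base64
import binascii
import hashlib
import re
from urllib.parse import quote, unquote_to_bytes

# Constructed configuration in the key/value shape the talk describes;
# every key and value here is made up for this example.
CONFIG = {
    "email": "alice@example.com",
    "phone": "5551234567",
    "tracer": "GUID-0123-ABCD-TRACER",  # unique ID to trace messages / pasteboard
}

MAX_DEPTH = 8  # bound on nested encoding layers
B64_RE = re.compile(rb"^[A-Za-z0-9+/=_-]+$")


def build_needles(config):
    """Map each configured value, and its md5/sha1/sha256 hex digests, to a label."""
    needles = {}
    for key, value in config.items():
        needles[value] = f"{key}:plain"
        for algo in ("md5", "sha1", "sha256"):
            needles[hashlib.new(algo, value.encode()).hexdigest()] = f"{key}:{algo}"
    return needles


def try_layers(blob):
    """Yield (layer_name, decoded_bytes) for each decoding that changes the blob."""
    if b"%" in blob:
        dec = unquote_to_bytes(blob)
        if dec != blob:
            yield "url", dec
    s = blob.strip()
    if len(s) >= 8 and B64_RE.match(s):
        try:  # tolerate missing padding and the URL-safe alphabet
            yield "base64", base64.b64decode(s + b"=" * (-len(s) % 4), altchars=b"-_")
        except (binascii.Error, ValueError):
            pass


def scan(payload, needles=None, path=(), depth=0, found=None):
    """Search payload and every decodable layer beneath it; return sorted (label, path)."""
    needles = build_needles(CONFIG) if needles is None else needles
    found = set() if found is None else found
    hay = payload.lower()  # case-insensitive, so upper-case hex digests still match
    for needle, label in needles.items():
        if needle.lower().encode() in hay:
            found.add((label, path))
    if depth < MAX_DEPTH:
        for layer, decoded in try_layers(payload):
            scan(decoded, needles, path + (layer,), depth + 1, found)
    return sorted(found)


def to_yara(config, rule_name="solitude_config"):
    """Render the config (plain values plus digests) as one YARA rule."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for needle, label in build_needles(config).items():
        lines.append(f'        ${label.replace(":", "_")} = "{needle}" nocase')
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


def sample_payload():
    """Constructed request body: JSON carrying sha256(email) and the tracer,
    wrapped base64 -> URL-encoded -> base64, the layered case from the talk."""
    uid = hashlib.sha256(CONFIG["email"].encode()).hexdigest()
    inner = ('{"uid":"%s","msg":"%s"}' % (uid, CONFIG["tracer"])).encode()
    return base64.b64encode(quote(base64.b64encode(inner), safe="").encode())


if __name__ == "__main__":
    for label, path in scan(sample_payload()):
        print(label, "found after layers:", " -> ".join(path) or "(raw)")
    print(to_yara(CONFIG))
```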
Oh, and yeah, there we go. Thanks.

So thank you very much, Dan. Unfortunately, there seems to be an issue with your connection on your side and the quality was fluctuating. I hope there is... There are some questions. The first one was: is there a link to Solitude? I think you showed it's on your GitHub page, is that correct?

Yeah, yeah. I just went back to the slide, if you're able to see it. It's not released yet, but by the end of the week this will be live. So if you want to take this down, we'll be live.

Okay, so stick to this link. Also, I would kindly ask you to stop your screen share so that we have a chance that you are somehow not a pixel soup. So a person on IRC asks: are encrypted data streams somehow decrypted at the other end of the VPN, for example by forcing an own certificate for SSL streams?

Yeah, yes. So we are proxying all TLS traffic the same way you would proxy HTTP traffic using an HTTP proxy like Burp Suite. So you have to trust the certificate that's used by the... We're using the mitmproxy library, and so you have to trust the certificate for mitmproxy, and then, yeah, we're able to view all of the TLS traffic.

Okay, another person on IRC asks: have you thought about having a standard to define how an app is allowed to behave? I guess I'm not entirely sure in terms of how it collects data about its users or... Yeah. Like some data that I would expect from the app. Like, I haven't asked the question myself, so to the person, please feel free to clarify, and the signal angel will relay it to me. So are there any other questions? Again, you can post those questions over Twitter or Mastodon with the hashtag RC3R3S or go to RC3-R3S on Hackint. I think the person on IRC could not specify further.
As I understand it, as I would interpret it: if there is a possibility to say, these are the things that I expect the app to collect. Like, I don't know, if I have Facebook, I would expect it to have my name, but I wouldn't expect them to have my social security number, for example.

I see. Yeah, I mean, I guess that's what the built-in searches are that we're trying to look for... I think, if I'm understanding what you're saying, maybe the app doesn't have permissions to collect certain data about you, and you can look to see if it does collect that data; that would be a goal of ours. So you should configure Solitude with all types of data, and then you can test apps that may not ask for those permissions to see if they are indeed collecting that data or sending it elsewhere, and you can look for that sort of thing. That's where some of the built-in searches come in handy, and just how you configure the app itself.

Okay, sure. You can look for it.