apppets / privacykit Goto Github PK

We use badly documented low-level functions for performing TLS operations required to support Shalon. There we set the default ATS profile:

Which is better than the default. It should be configurable like the high-level URLSession connections via ATS configuration in the information property list (Info.plist) of the application.

See RFC 7469 for recommendations and knowns privacy issues.

This issue was migrated from https://gitlab.prae.me/apppets/PrivacyKit/issues/6.

The URL httpss://shalon1.jondonym.net/services.app-pets.org will not be supported, as the port for the proxy server is missing. The default HTTPS port 443 should be used in this case.

Issue migrated from https://gitlab.prae.me/apppets/PrivacyKit/issues/1.

URLs of the kind httpss://proxy:port/destination:port/index.htm could be used as a custom URL handler that triggers Shalon to be used and first connect to proxy:port and then establishing a tunnel to destination.port. Depending on how many proxies should be used, the URL scheme could be httpss+.

Alternatively there could also be a configuration file that sets up the proxy.

This issue was migrated from https://gitlab.prae.me/apppets/PrivacyKit/issues/5.

The implementation of Shalon is just a proof-of-concept and does not support downloading "big" files. As soon as the response headers could be parsed, the response is immediately returned. The Content-Length header should be read and additional bytes received should be attached to the response.

This issue was migrated from https://gitlab.prae.me/apppets/PrivacyKit/issues/4.

Jain et al. [1] proposed a location API that nudges developers to use location data in a more privacy-friendly manner. We should definitely implement this to make this accessible to more developers.

1. S. Jain and J. Lindqvist, Should I Protect You? Understanding Developers' Behavior to Privacy-preserving APIs in Workshop on Usable Security (USEC '14), 23 February, San Diego, CA, USA, 2014

Ideally a GUI should be added, like the photo chooser that is already present on iOS, that in addition to selectively providing access to user-chosen photos, should also strip EXIF meta data from the accessed photos by default.

The privacy issues caused by EXIF metadata are demonstrated nicely by Felix Krause [1].

1. Felix Krause, iOS Privacy: detect.location - An easy way to access the user's iOS location data without actually having access, 2017

According to Apple Developer Documentation: Networking Overview: Making HTTP and HTTPS Requests: Retrieving the Contents of a URL with Delegates:

An NSURLSession object manages multiple tasks, each of which represents a single URL request and any follow-on requests. You usually create a session when your app launches, then create tasks in much the same way that you would create NSURLConnection objects.

This issue was migrated from https://gitlab.prae.me/apppets/PrivacyKit/issues/3.

Some tests (HttpTest.testHeadRequest, HttpTest.testConnectRequest) fail randomly, since the order of the HTTP headers does not match.

The key-value storage provider could exchange values. Integrity of single values is protected by authenticated encryption, but values can still be decrypted if assigned to another key of the same user. If the provider has access to the users reactions, swapped values can be linked.

Fix this by adding the key to the value before encrypting it. Integrity violation can be detected if the key used for retrieving the value does not match with the retrieved key stored alongside the value.

See AppPETs/PrivacyService@fdb53ac.

I tried setting:

• request.allHTTPHeaderFields = [:], see URLRequest.allHTTPHeaderFields
• request.setValue(nil, forHTTPHeaderField: "User-Agent"), see URLRequest.setValue(_:forHTTPHeaderField:)
• sessionConfiguration.httpAdditionalHeaders = nil and sessionConfiguration.httpAdditionalHeaders = [:], see URLSessionConfiguration. httpAdditionalHeaders

These methods could be used to override default HTTP headers, but none of them prevents the header from being sent.

The Shalon implementation gives way more control over which HTTP headers are sent.

This issue was migrated from https://gitlab.prae.me/apppets/PrivacyKit/issues/2.

The bad behaviour of the P-Service now needs to be explicitly enabled (see AppPETs/PrivacyService#5). Add configuration option to the API to enable it for a given application. This must not be the default.