nilsbraden / ttrss-reader-fork

An Android-Client for the self-hosted Tiny Tiny RSS feedreader
https://www.nilsbraden.de/TTRSS-Reader/

DNS queries leak ip and user-agent to external feed servers #392

Closed Perflyst closed 5 years ago

Perflyst commented 5 years ago

Currently this app leaks the IP address, user agent, etc. to each feed's server. This is because the images of the previews are downloaded directly from them.

Please proxy the images either through tt-rss or provide an option to disable image previews (or just block connections to anything else except the tt-rss instance domain)

nilsbraden commented 5 years ago

This is not true!

Please have a look at https://github.com/nilsbraden/ttrss-reader-fork/blob/master/ttrssreader/src/main/java/org/ttrssreader/controllers/Controller.java#L354 where the URL for downloading the icon is generated. It is constructed by using the base URL of your server, adding the icon folder and the feed-ID. No other servers are called at all.

Perflyst commented 5 years ago

Thanks for the reply. I can see DNS queries to the domains of subscribed feeds. I have not analyzed further, but there are at least data-leaking DNS queries.

nilsbraden commented 5 years ago

Ah, I see. OK, since they don't originate from fetching the icons, we should investigate further. It might be that some part of the Android WebView does it, or I don't know. Can you pinpoint the exact time when they happen and acquire log files with adb?

Perflyst commented 5 years ago

The DNS query does not leak the data to the feed server but it leaks the information that you access feedserver.com to your DNS server.

I will try to get logcat information.

Perflyst commented 5 years ago

Monitored with Net Monitor, I can see HTTPS connections to the feed servers. I clearly notice that if I click on a feed, a new connection to the feed server is made. It is HTTPS encrypted, so I cannot see if it is the icon or something else.

Logcat is here:

```
08-29 16:32:03.802 4894 4913 I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=org.fox.tttrss/org.fox.ttrss.LaunchActivity bnds=[1142,872][1423,1248] (has extras)} from uid 10032 on display 0
08-29 16:32:03.845 4894 5388 I ActivityManager: START u0 {cmp=org.fox.tttrss/org.fox.ttrss.OnlineActivity} from uid 10078 on display 0
08-29 16:32:03.987 23721 23721 D setupWidgetUpdates: interval= 900000
08-29 16:32:04.001 4894 4913 W ActivityManager: Unable to start service Intent { act=android.support.customtabs.action.CustomTabsService pkg=com.android.chrome } U=0: not found
08-29 16:32:04.038 23721 23721 D OnlineActivity: m_isOffline=false
08-29 16:32:04.094 23721 23721 D OnlineActivity: intent action=null
08-29 16:32:04.128 23721 27067 D NetworkSecurityConfig: Using Network Security Config from resource network_security_config debugBuild: false
08-29 16:32:04.130 23721 27067 W System : ClassLoader referenced unknown path: /system/framework/tcmclient.jar
08-29 16:32:04.171 23721 27068 I OpenGLRenderer: Initialized EGL, version 1.4
08-29 16:32:04.171 23721 27068 D OpenGLRenderer: Swap behavior 1
08-29 16:32:04.189 23721 27068 D mali_winsys: EGLint new_window_surface(egl_winsys_display*, void*, EGLSurface, EGLConfig, egl_winsys_surface**, egl_color_buffer_format*, EGLBoolean) returns 0x3000, [1440x2560]-format:1
08-29 16:32:04.224 23721 23723 I art : Do partial code cache collection, code=22KB, data=25KB
08-29 16:32:04.225 23721 23723 I art : After code cache collection, code=22KB, data=25KB
08-29 16:32:04.225 23721 23723 I art : Increasing code cache capacity to 128KB
08-29 16:32:04.226 23721 23723 I art : Compiler allocated 6MB to compile void android.widget.TextView.(android.content.Context, android.util.AttributeSet, int, int)
08-29 16:32:04.258 4894 4924 D LuxLevels: bright hysteresis constant= 0.1, threshold=143.10597, lux=130.09633
08-29 16:32:04.258 4894 4924 D LuxLevels: dark hysteresis constant= 0.2, threshold=104.077065, lux=130.09633
08-29 16:32:04.368 4894 4922 I ActivityManager: Displayed org.fox.tttrss/org.fox.ttrss.OnlineActivity: +486ms (total +549ms)
08-29 16:32:04.592 23721 23721 D OnlineActivity: Authenticated!
08-29 16:32:04.592 23721 23721 D OnlineActivity: Received API level: 14
08-29 16:32:04.598 4894 4913 I ActivityManager: START u0 {flg=0x10000 cmp=org.fox.tttrss/org.fox.ttrss.MasterActivity} from uid 10078 on display 0
08-29 16:32:04.677 23721 23721 D setupWidgetUpdates: interval= 900000
08-29 16:32:04.695 4894 5388 W ActivityManager: Unable to start service Intent { act=android.support.customtabs.action.CustomTabsService pkg=com.android.chrome } U=0: not found
08-29 16:32:04.699 23721 23721 D MasterActivity: m_isOffline=false
08-29 16:32:04.717 23721 23721 D MasterActivity: intent action=null
08-29 16:32:04.731 23721 23721 D MasterActivity: m_smallScreenMode=true
08-29 16:32:04.734 23721 23721 D MasterActivity: is_shortcut_mode: false
08-29 16:32:04.749 23721 23723 I art : Do partial code cache collection, code=62KB, data=56KB
08-29 16:32:04.749 23721 23723 I art : After code cache collection, code=60KB, data=55KB
08-29 16:32:04.749 23721 23723 I art : Increasing code cache capacity to 256KB
08-29 16:32:04.816 4894 4954 D SntpClient: request time failed: java.net.SocketTimeoutException: Receive timed out
08-29 16:32:04.861 23721 23721 D HeadlinesFragment: maxImageSize=512
08-29 16:32:04.882 4894 4952 D SntpClient: request time failed: java.net.SocketTimeoutException: Receive timed out
08-29 16:32:04.901 23721 23721 D HeadlinesFragment: onCreateView, feed=org.fox.ttrss.types.Feed@658e0a
08-29 16:32:04.912 23721 23721 D HeadlinesFragment: allowForceUpdate=false userInitiated=false
08-29 16:32:04.913 23721 23721 D HeadlinesFragment: [HP] request more headlines, firstId=0
08-29 16:32:04.947 23721 27068 D mali_winsys: EGLint new_window_surface(egl_winsys_display*, void*, EGLSurface, EGLConfig, egl_winsys_surface**, egl_color_buffer_format*, EGLBoolean) returns 0x3000, [1440x2560]-format:1
08-29 16:32:04.973 4894 4952 W ConnectivityExtension: ConnectivityExt jar file not present
08-29 16:32:05.111 4894 4922 I ActivityManager: Displayed org.fox.tttrss/org.fox.ttrss.MasterActivity: +460ms
08-29 16:32:05.310 23721 23721 D : firstID=214099 firstIdChanged=false
08-29 16:32:05.513 23721 23723 I art : Do full code cache collection, code=116KB, data=114KB
08-29 16:32:05.513 23721 23723 I art : Starting a blocking GC JitCodeCache
08-29 16:32:05.513 23721 23723 I art : After code cache collection, code=107KB, data=94KB
08-29 16:32:05.524 23721 23723 I art : Do partial code cache collection, code=109KB, data=99KB
08-29 16:32:05.524 23721 23723 I art : After code cache collection, code=109KB, data=99KB
08-29 16:32:05.524 23721 23723 I art : Increasing code cache capacity to 512KB
08-29 16:32:05.613 23721 23723 I art : Compiler allocated 6MB to compile boolean org.jsoup.parser.HtmlTreeBuilderState$7.process(org.jsoup.parser.Token, org.jsoup.parser.HtmlTreeBuilder)
08-29 16:32:05.727 23721 23721 D FeedsFragment: A:netzpolitik.org false 7
08-29 16:32:05.727 23721 23721 D FeedsFragment: ....
08-29 16:32:05.727 23721 23721 D FeedsFragment: ...
08-29 16:32:05.727 23721 23721 D FeedsFragment: ..... < here are more subscribed feeds >
```

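
The two technical claims in this thread, the maintainer's description of how the icon URL is built (server base URL, then the icon folder, then the feed ID) and the reporter's point that DNS queries reveal feed hosts to the resolver, can both be turned into checks. The block below is an added example written for this page; it is not code from the issue thread or from ttrss-reader-fork. It assumes only the URL scheme described above; the `feed-icons` folder name, the `.ico` suffix, the server name and the hostnames in the sample DNS capture are invented for illustration.

```python
"""Host-allowlist checks for the two claims made in this thread.

Added example, not code from the issue thread or from ttrss-reader-fork.
Only the URL scheme stated by the maintainer is taken from the thread:
<server base URL>/<icon folder>/<feed id>. The folder name 'feed-icons',
the '.ico' suffix, the server name and the sample DNS query names are
assumptions made for illustration.
"""
from urllib.parse import urljoin, urlsplit

# Constructed sample: query names as a resolver or Net Monitor might show them
# while the client is open. Not a real capture.
SAMPLE_DNS_QUERIES = [
    "rss.example.org",
    "rss.example.org",
    "feeds.blog-a.example",
    "cdn.blog-b.example",
    "rss.example.org.",
]


def canonical_host(name: str) -> str:
    """Lower-case a host name and drop a trailing root dot so 'A.example.' == 'a.example'."""
    return name.strip().rstrip(".").lower()


def icon_url(base_url: str, icon_folder: str, feed_id) -> str:
    """Build the icon URL the way the maintainer describes: server base URL,
    then the icon folder, then the feed id. int() rejects ids such as '7/../x',
    so a crafted feed id cannot escape the icon folder. The '.ico' suffix is assumed."""
    base = base_url if base_url.endswith("/") else base_url + "/"
    return urljoin(base, f"{icon_folder}/{int(feed_id)}.ico")


def url_stays_on_server(url: str, base_url: str) -> bool:
    """True when url targets the same scheme and host as the tt-rss instance."""
    u, b = urlsplit(url), urlsplit(base_url)
    return u.scheme == b.scheme and canonical_host(u.hostname or "") == canonical_host(b.hostname or "")


def icon_fetches_stay_on_server(base_url: str, feed_ids, icon_folder: str = "feed-icons") -> bool:
    """The maintainer's claim, checked for every feed id: no icon URL leaves the server host."""
    return all(url_stays_on_server(icon_url(base_url, icon_folder, fid), base_url) for fid in feed_ids)


def unexpected_dns_names(queries, base_url: str) -> list:
    """Names in a DNS capture that are not the tt-rss host, in first-seen order
    without duplicates. Each one tells the resolver which feed server the
    device is interested in, which is the reporter's point about DNS leakage."""
    allowed = canonical_host(urlsplit(base_url).hostname or "")
    seen, out = set(), []
    for q in queries:
        name = canonical_host(q)
        if name != allowed and name not in seen:
            seen.add(name)
            out.append(name)
    return out


if __name__ == "__main__":
    base = "https://rss.example.org/tt-rss"  # assumed server name
    print(icon_url(base, "feed-icons", 7))
    print(icon_fetches_stay_on_server(base, [1, 7, 42]))
    print(unexpected_dns_names(SAMPLE_DNS_QUERIES, base))
```

The first check only confirms what the URL construction can reach; it says nothing about other code paths (a WebView rendering article HTML, for instance), which is why the second check works from what was actually observed on the wire rather than from the source. A device-level DNS capture mixes all apps, so a name in the unexpected list still has to be tied to the client, e.g. by timing it against the log.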
nilsbraden commented 5 years ago

Oh dear. You're on the wrong project page. I just noticed there is no FeedsFragment in my project; please have a look at this line:

HeadlinesFragment: onCreateView, feed=org.fox.ttrss.types.Feed@658e0a

You're looking for this project: https://github.com/abelgomez/tt-rss-android