search

privacy-tech-lab / gpc-android

Code and dynamic analysis scripts for GPC on Android
https://privacytechlab.org/
MIT License
5 stars 1 forks source link

Look into LineageOS #41

Closed bella-tassone closed 3 years ago

bella-tassone commented 3 years ago

If we want to implement GPC into the LineageOS operating system, we need a better understanding of LineageOS in general. Let's use this issue to document questions and/or answers we have about LineageOS.

SebastianZimmeck commented 3 years ago

Here are some initial notes @chunyuema provided on Gerrit.

SebastianZimmeck commented 3 years ago

Nolen Johnson of LineageOS says:

Our Gerrit instance is open for contributions, the process for which is desribed on our wiki. You're welcome to push up patch-sets, and add our Gerrit group "Reviewers" to it (which will add me as well). Once a few submissions are up, we can get you invited to our internal chat and such.

Excited to see your contributions! You'd probably be looking at our Browser, Jelly for your modifications. Please add me to the gerrit changes as a reviewer once they're up! Or, maybe a toggle in settings, connections? However you'd like to do it.

Nolen here again, a contributor of ours pointed out that you can also build and use the emulator if you don't want to buy hardware!

https://wiki.lineageos.org/emulator.html

luca020400 of LineageOS says:

Hi, I'm one of the directors, and I happen to have written most of Jelly and being the maintainer. I'm completely fine to have it added there ( I was planning to do it when you opened the issue, I just got busy and forgot about it )

Now, I don't think a global setting is feasible. As much as I'd like a global setting to opt-out for any tracking or what you're trying to achieve. It's simply not possible.

There isn't a single source of truth when it comes to HTTP connections. I have myself used quite a few on Lineage and other apps I've written. There is the standard HttpURLConnection part of java.net library that is provided by Android itself, but now days it's not the go-to library used by developers ( especially the ones that actually care about HTTP ) that rather use Volley or OkHttp. Each of these handles the connection internally and we just can't touch them.

The only places I'm willing to touch is our own apps, and maybe MAYBE the webview.

If we were to instead hack every request somewhere in the native side of Android it's very likely we'll break something. It's very dangerous to automatically hijack a request to introduce our own parameters. I don't ever want to deal with the possibility of breaking an app because the server can't handle it or the app itself uses http as an IPC mechanism. I don't really want to introduce something I know will break.

I'm always eager to introduce some privacy/security oriented feature when there's a possible cost in compatibility.

SebastianZimmeck commented 3 years ago

@chunyuema set up a document to discuss details here.

SebastianZimmeck commented 3 years ago

Putting this repo on ice. We may pick up the work again at a later time ...