Closed baltpeter closed 3 months ago
I don't know whether we can get the data out of that app
Yes, we can. It has an NDJSON export!
Example export: App_Privacy_Report_v4_2023-01-25T12_33_27.txt (renamed from .ndjson
, otherwise GitHub wouldn't let me upload it)
TrackerControl may be an option on Android?
https://github.com/TrackerControl/tracker-control-android#network-traffic-analysis
On iOS, it seems like developers can choose to mark connections as "user-initiated": https://developer.apple.com/documentation/network/privacy_management/indicating_the_source_of_network_activity
Another App Privacy Report NDJSON export for testing: App_Privacy_Report_v4_2024-04-05T10_39_41.json
On iOS, it seems like developers can choose to mark connections as "user-initiated": developer.apple.com/documentation/network/privacy_management/indicating_the_source_of_network_activity
That isn't a problem, though. Those entries do still end up in the export, they just have initiatedType": "NonAppInitiated"
. (ref: https://developer.apple.com/documentation/network/privacy_management/inspecting_app_activity_data#3845757)
A few example lines from report I just attached above:
{"timeStamp":"2024-04-05T10:08:16.541+02:00","initiatedType":"NonAppInitiated","context":"","domain":"p67-caldav.icloud.com","contextVerificationType":0,"type":"networkActivity","domainType":2,"firstTimeStamp":"2024-04-05T10:06:14.696+02:00","bundleID":"com.apple.mobilecal","domainOwner":"","hits":2,"domainClassification":1}
{"timeStamp":"2024-04-05T10:32:36.521+02:00","initiatedType":"NonAppInitiated","context":"revenueuniverse.com","domain":"unlock.revenueuniverse.com","contextVerificationType":2,"type":"networkActivity","domainType":2,"firstTimeStamp":"2024-04-05T10:32:36.521+02:00","bundleID":"com.apple.mobilesafari","domainOwner":"","hits":1,"domainClassification":1}
And here's an example of a CSV export from TrackerControl: trackercontrol_log_20240405.csv
Newer iOS versions have a feature that collects the DNS hostnames an app contacts. I don't know whether we can get the data out of that app, but in the worst cast, we can just have the user make screenshots of the list.
That would be a really low-barrier-of-entry way for users to attach data from their actual device to the complaint!
see e.g.: https://app.urlgeni.us/blog/new-research-across-200-ios-apps-hints-surveillance-marketing-may-still-be-going-strong