
Solitude Demolab at DEF CON 29


  • Solitude Demolab at DEF CON 29

    Tool or Project Name: Solitude: A privacy analysis tool

    Short Abstract:
    Solitude is an open-source privacy analysis tool that aims to help people inspect where their private data goes once it leaves their favorite mobile or web applications. Whether you are a curious novice or a more advanced researcher, Solitude makes the process of evaluating an app’s privacy accessible for everyone without the need for time-consuming app instrumentation and analysis, which we’ve abstracted away from the user.

    Privacy policies are often difficult to understand when trying to identify how your private data is being shared and with whom it's being shared. My previous research[1] has even shown that privacy policies don't always tell the truth about what an app’s actual data collection practices are. What’s more, prior to Solitude, tooling to find this out efficiently didn’t exist for security researchers, let alone nontechnical users. Solitude was built to give users more transparency into where their private data goes by making the process of proxying and inspecting HTTP traffic more straightforward, and it can be configured to look for arbitrary data types captured by a mobile or web application. In its early release, this tool has already been used by journalists to help investigate privacy abuses by mobile app vendors.

    Short Developer Bio:
    Dan Hastings is a senior security consultant at NCC Group. He spends his time performing mobile and web application penetration tests for Fortune 500 companies. Dan has spoken at the DEF CON Crypto and Privacy Village on his research on discrepancies between iOS robocall-blocking apps' privacy policies and their actual data collection practices.

    URL to any additional information:

    Detailed Explanation of Tool:
    Solitude can be run in two different ways: either as a stand-alone web application/HTTP intercept proxy, or in a more mobile-friendly Docker container that runs an OpenVPN server along with the Solitude web application and intercepting HTTP proxy.

    Users of Solitude can configure what data they want Solitude to search for in the Solitude web application. Solitude automatically searches through all websockets and HTTP requests using YARA rules generated from what users have configured it to search for. Solitude recursively decodes base64- and URL-encoded data, searches for the SHA-1, SHA-256 and MD5 hashes of all configured data, and supports protobuf and gzip. Several built-in searches are pre-configured to look for GPS coordinates and internal IP addresses. Once a configured piece of data is found, the data and the domain it is being sent to are displayed in the Solitude web application.
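The paragraph above describes the core matching loop: expand every configured value into the forms an app might transmit it in (plain, or as an MD5/SHA-1/SHA-256 digest), peel nested encodings (URL encoding, base64, gzip) off each request body, and report which configured value reached which domain. The following is an added example written for this page, not Solitude's own code: where Solitude drives YARA, this scaled-down model uses plain substring and regex matching so it runs with only the Python standard library. The configured values, the hostname and the request body are constructed for the example, and only the RFC 1918 internal-IP built-in search is modelled.

```python
# Added example (not Solitude's code): a minimal model of the post's matching
# approach. Substring/regex matching stands in for YARA; hostnames, configured
# values and the request body below are constructed for the example.
import base64
import binascii
import gzip
import hashlib
import re
import zlib
from urllib.parse import quote, unquote

# Model of one built-in search: RFC 1918 (internal) IPv4 addresses.
PRIVATE_IPV4 = re.compile(
    rb"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    rb"|192\.168\.\d{1,3}\.\d{1,3}"
    rb"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
)
# Base64-looking runs embedded in a body (e.g. inside a JSON string value).
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
MAX_DEPTH = 6  # bound on nested decoding so crafted bodies cannot recurse forever


def build_indicators(configured):
    """Expand each configured value into the forms to search for: the plain
    value plus its md5, sha1 and sha256 hex digests, since apps often send
    hashed rather than raw identifiers. Returns {needle_bytes: (label, form)}."""
    indicators = {}
    for label, value in configured.items():
        indicators[value.encode()] = (label, "plain")
        for algo in ("md5", "sha1", "sha256"):
            digest = hashlib.new(algo, value.encode()).hexdigest()
            indicators[digest.encode()] = (label, algo)
    return indicators


def decode_layers(blob, depth=0):
    """Yield blob and every variant reachable by gunzipping it, URL-decoding it,
    or base64-decoding embedded tokens, recursing to at most MAX_DEPTH."""
    yield blob
    if depth >= MAX_DEPTH:
        return
    if blob[:2] == b"\x1f\x8b":  # gzip magic bytes
        try:
            yield from decode_layers(gzip.decompress(blob), depth + 1)
        except (OSError, EOFError, zlib.error):
            pass
    try:
        text = blob.decode("utf-8")
    except UnicodeDecodeError:
        return  # binary layer: nothing further to decode as text
    unquoted = unquote(text)
    if unquoted != text:
        yield from decode_layers(unquoted.encode(), depth + 1)
    for token in BASE64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but was not (e.g. a hex digest)
        yield from decode_layers(decoded, depth + 1)


def scan_request(host, body, indicators):
    """Return sorted (label, form, host) triples for every configured value or
    internal IP found in any decoded layer of the request body."""
    findings = set()
    for layer in decode_layers(body):
        for needle, (label, form) in indicators.items():
            if needle in layer:
                findings.add((label, form, host))
        for match in PRIVATE_IPV4.findall(layer):
            findings.add(("internal_ip", match.decode(), host))
    return sorted(findings)


# Constructed configuration: the values a user would enter in the web UI.
CONFIGURED = {"email": "alice@example.invalid", "phone": "+15550100"}


def build_sample_body():
    """Constructed request body: the e-mail travels as a SHA-256 digest; the
    phone number is URL-encoded, gzipped, then base64-encoded in a JSON field."""
    email_hash = hashlib.sha256(CONFIGURED["email"].encode()).hexdigest()
    inner = ("phone=" + quote(CONFIGURED["phone"], safe="")).encode()
    packed = base64.b64encode(gzip.compress(inner)).decode()
    return ('{"uid_hash": "%s", "payload": "%s", "lan": "192.168.1.23"}'
            % (email_hash, packed)).encode()


if __name__ == "__main__":
    host = "analytics.example.invalid"  # constructed destination domain
    for label, form, dest in scan_request(host, build_sample_body(),
                                          build_indicators(CONFIGURED)):
        print(f"{label} sent as {form} to {dest}")
```

Running the block reports the e-mail (as a SHA-256 digest), the phone number (recovered through three decoding layers) and the internal IP, each attributed to the destination host, which is the per-domain view the post says the web application displays. The depth bound and the narrow exception handling are the parts worth keeping in any real implementation: a body that base64-decodes to itself, or corrupt gzip data, must not stall the proxy.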

    Supporting Files, Code, etc:

    Target Audience:
    Mobile, Offense, Privacy enthusiasts.

    Solitude makes the process of gaining transparency into where your private data goes when you use your favorite apps easier than reading and trusting a privacy policy. App users deserve more insight into the data collection practices of the apps they use. Solitude is unique in that it aims to make an otherwise technical process easy and empower people to make informed decisions about the applications they choose to use.
    PGP Key: