Title: Solitude: A privacy analysis tool
Discord Channel: #dl-solitude
Location: virtual Video 1
When: Fri 12:00 – 13:50
Presenter(s): Dan Hastings
Abstract: Solitude is an open-source privacy analysis tool that aims to help people inspect where their private data goes once it leaves their favorite mobile or web applications. Whether you are a curious novice or a more advanced researcher, Solitude makes the process of evaluating an app's privacy accessible for everyone without the need for time-consuming app instrumentation and analysis, which we've abstracted away from the user. Privacy policies are often difficult to understand when trying to identify how your private data is being shared and with whom it's being shared. My previous research [1] has even shown that privacy policies don't always tell the truth about what an app's data collection practices actually are. What's more, prior to Solitude, tooling to find this out efficiently didn't exist for security researchers, let alone nontechnical users. Solitude was built to give users more transparency into where their private data goes by making the process of proxying and inspecting HTTP traffic more straightforward, and it can be configured to look for arbitrary datatypes captured by a mobile or web application. In its early release, this tool has already been used by journalists to help investigate privacy abuses by mobile app vendors.
Audience: Mobile, Offense, Privacy enthusiasts.
Links: https://github.com/nccgroup/Solitude
Bio(s): Dan Hastings is a senior security consultant at NCC Group. He spends his time performing mobile and web application penetration tests for Fortune 500 companies. Dan has spoken at the DEF CON Crypto and Privacy Village on his research into discrepancies between iOS robocall-blocking apps' privacy policies and their actual data collection practices.