Dark Arrow Left
All Articles
Privacy Engineering

Running Privado Scan on Mastodon

privacymatters
PrivadoHQ
running-privacy-scan-on-mastodon-open-source-code
Prashant Mahajan
November 28, 2022
IN THIS ARTICLE
SHARE ARTICLE

https://www.privado.ai/post/running-privacy-scan-on-mastodon-open-source-code

🎉 Link Copied
Share Article on Linkedin
Share Article on Twitter
Share Article on Facebook

First, we started with cloning the mastodon-android repository using the following command:

git clone https://github.com/mastodon/mastodon-android.git

Then we installed Privado OSS:

curl -o- https://raw.githubusercontent.com/Privado-Inc/privado-cli/main/install.sh | bash

With this, we then ran the Privado OSS tool on the mastodon-android:

privado scan mastodon-android

After pruning the results to remove false positives, we get the following result:

Analysis

We saw that the application uses only a few data elements, which are required for the normal functioning of the app. We didn't detect any third-party integrations. As a truly decentralized application, it just communicates to its servers, which are distributed all over the world. However, the Privado Open Source tool could not detect the internal APIs used to communicate with independent nodes. This was mainly due to the decentralized nature of the app. As we will see later, Mastodon uses a custom API communication implementation due to the node server’s location variability and how we can detect those APIs via Privado by adding a simple rule.

As we dug more through the results, we could see the Data Flows of these data elements and better understand the application's structure. Soon we stumbled across the internal communication APIs of the application. This is where we saw the custom API communication implementation that needed to be detected.

API communication package structure

The Mastodon app had all its APIs in the <span class="code">/src/main/java/org/joinmastodon/android/api/requests</span> folder as separate Java Classes. Therefore, we just needed to mark these classes as sinks (of data) in Privado to detect these data flows. To do that, we created a rule to detect all API requests of the application.

sinks:
  - id: ThirdParties.SDK.MastodonAPI
    name: Mastodon Internal APIs
    patterns:
      - "org.joinmastodon.android.api.requests.*"
    tags:

Results

After adding the above rule, we scanned the code again to get the following results:

Complete Data Flows of the Mastodon Application

Once we could identify all the flows in the application, we dug into the data flow analysis of some data elements, like the email address as shown below:

Data Flow analysis of an email address in Mastodon


Need to try this yourself? Download our OSS tool here [Github]

running-privacy-scan-on-mastodon-open-source-code
Posted by
Prashant Mahajan
in
Privacy Engineering
on
November 28, 2022

Prashant is the CTO & Founder of Privado

Continue Reading

Company News

The State of Website Privacy Report 2024
Ben Werner
Product Marketing Manager, Privado

US Privacy Laws

Why Headway was sued for sharing personal data with Google Analytics
Prashant Mahajan
CTO & Co-founder, Privado

Privacy Engineering

Learning from big tech: Why Meta invested heavily in privacy code scanning
Ben Werner
Product Marketing Manager, Privado
View All Resources

Subscribe to our email list

Thank you for subscribing, we have sent a confirmation email to your inbox.
Oops! Something went wrong while submitting the form.