[guardian-dev] "HTTPS Everywhere" for Android itself (not just the browsers)

Hans-Christoph Steiner hans at guardianproject.info
Sat Jan 17 13:37:19 EST 2015


I've been playing around with techniques of catching location sharing on
Android, and finding way to remove privacy leaks.  Android's IntentFilters
power to match URLs makes this quite easy to do system-wide.

That work got me thinking: maybe it makes sense to have something like "HTTPS
Everywhere" as an Android app.  It could claim all HTTP links, then the app
would check if it has an HTTPS rewriting rule.  If yes, it rewrites it and
passes it on.  If no, it either passes it on, or blocks access with a popup
(this could be a preference).

As an example use case, there are lots of apps that share location, and
basically all of them use a HTTP URL.  Some links, like http://maps.google.com
or http://openstreetmap.org, can easily be rewritten to HTTPS links.  Others
like amap.com or map.baidu.com do not offer HTTPS.  A shared location link can
often be a unique ID, so any network observer could use that to de-anonymize a
device.

You can find raw work here:
https://github.com/eighthave/LocationPrivacy

.hc

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81


More information about the Guardian-dev mailing list