Hey you!
Prior to transcribing, please look at your style guide: https://wiki.c3subtitles.de/en:styleguide. If you have some questions you can either ask us personally or write us at https://webirc.hackint.org/#irc://hackint.org/#subtitles or https://rocket.events.ccc.de/channel/subtitles or https://chat.rc3.world/channel/subtitles .
Please don't forget to mark your progress in the progress bar at the talk's website.
Thank you very much for your commitment!




======================================================================

[Music]
Our next speakers, Claudio Agosti and Gaetano Priori, are going to be talking about mobile reverse engineering to empower the gig economy workers and labor unions. Claudio was investigating platform power and influence even before the Cambridge Analytica scandal, and he's Travis Kalanick's biggest unknown nemesis. Gaetano is a wannabe cell phone hacker, a wannabe pizza cooker (we'll see), and he's also Travis Kalanick's biggest unknown nemesis. Please give a warm welcome on day four to Claudio and Gaetano.

Hi everybody, thank you for having me here, thank you to those who see us in the future and in streaming, and no thanks to the AI that is going to be trained over this mp4 file: the accent is strong in order to screw up their English comprehension, but I believe your brain plasticity will catch up.

So let's start with some definitions. We can use the terms gig economy or platform workers interchangeably. We acknowledge that this growth of apps that enable workers to get quick tasks, quick jobs, has created a new job market and new openings, and after all gives something good to people that may need those kinds of jobs. But in this talk we argue that there are some problems, because those apps, those platforms, after all descend from the surveillance capitalism style of processing data and organizing the people and the tasks. What we focus on is mostly apps meant for workers: the typical Glovo app that you use, which has 50 million downloads, is the one used to buy services; the app that the workers are using is different.

Who are we? Simply, back in time we were trying to investigate the power of platforms and of algorithms, of the black box, because it's not acceptable that something decides for you without telling you why and how. And if this is true on Facebook, on Google, on most of the services we use, this is even less acceptable in the work environment, because as a user you may have fewer rights, but as a worker you have a lot of rights that should be protected when you are actually working. We began this investigation in 2019;
Tracking Exposed was the name at the time, and now we are operating under the new Reversing Works umbrella. This talk may not contain anything that groundbreaking for you if you are an expert in one of these three topics: reverse engineering, labor unionism, or the data protection authority. But what is innovative here is the multidisciplinary approach, because those three fields rarely work together. In the overlapping areas you see that reverse engineering and labor unions are methods that don't normally work together: labor unions try to defend the contract obligations, the safety of the worker, but we have to consider that if now the worker's life is determined by an app, perhaps investigating the technology is getting to be necessary. Reverse engineering and the data protection authority are also not really working together, because this kind of investigation may be too invasive for the power of an administrative authority. And labor unions tend to protect collective rights, rights that are for a class of people, while privacy is a personal right, and a privacy right has never been used to defend a class of people. But in this talk we are making the effort to put them together and try to make sense out of it, because at the end it is a form of resistance. It would be great if there were a regulation or a directive, like for example the platform directive that last week was sunk by some political pressure; and because there is not an institutional kind of protection of those figures, let's try to be a bit adversarial and think of new ways to use the tools at our disposal. And for the tools:

Hi everyone. Well, now I would just like to tell you how this story began. Well, some time ago there was this friend of mine who, let's say, asked me for a favor: just to look at this kind of particular story that happened to him. Basically he was a rider, he worked with Glovo, and he and other people participated in a strike, and the day after, when they basically tried to log into the application, they saw that their account was deleted, which, if you work with an app, basically means that you have been fired. They tried to contact the company to understand why they had been fired, and they blamed a so-called generic technical error on the server side. Now these and other things went to a lawsuit: they tried to basically blame the company because they illegally fired them because they participated in a strike, and one of the lawyers, who was a bit savvy on the GDPR, tried to make the so-called data subject access request to the company, to basically get the data of that infamous Sunday in which they participated in the strike, to understand what really happened. Unfortunately the company answered with: sorry, we have nothing, just registration data. Which seems strange, I don't know, for a company where you know you have an account, you have to do stuff, also I mean you have a rating of how much you behave, how well you have done your stuff, etc. etc. etc.

So how can we understand more? Well, we tried for example to look at how the app works inside and try to understand better what could happen, what kind of data this app deals with, what data is sent, where it is sent, etc. Fortunately, to get a helping hand on this, we found a volunteer who agreed to basically share his credentials with us to make a better assessment. Now, unfortunately we cannot analyze the data of a user who has been banned, because you know the server will just tell you: oh sorry, I have nothing. Also we cannot travel back in time, at least the last time that I checked we cannot. Also reproducing the same conditions with the valid credentials that we had was impossible, because, well, I mean, you have so many things that happen that reproducing all of them could be troublesome, to say the least. So we decided to switch to something that was a bit easier to do: we tried to say, okay, let's try to make a simple privacy assessment of this app, see if there is any violation in the context of the GDPR, of the labor laws, of course the labor law in the context of the Italian code of law, and let's do this, I don't know, in the way in which we can actually look at how Android applications work. Fortunately for this there are many tools that actually work.

To introduce them, to introduce this awesome ecosystem, I will make a small introduction. For some people, I mean, it will be obvious stuff, as I mean this is like really, really basic stuff; for others it might be interesting, so I don't know, maybe I will waste some minutes for you. So first of all we will try to run the Glovo application on an Android device that we own, that we can control, in which we can record basically everything that the app does and everything that the app sends through the internet. Also we will just let the app run; we chose to let it run for two days because we thought that it was enough to gather enough data, without any user interaction, so without taking orders, without tapping into the app; we tried to avoid any kind of interaction with the application. Also, to do it in, let's say, a more remote-friendly way, I prefer to use a Raspberry Pi with LineageOS installed; there are some builds on the internet, you can find them and they work quite well, and they also integrate VNC for remote control so that you can actually look at the screen.

So what can we see from an Android application? Generally the first thing that you want to look at is the Android manifest, because there we can see the so-called permissions that in Android are enforced on every application that is installed, so that if for example an application needs some particular permissions, they actually need to pop up to the user and ask them for the permission, as it is called. Probably many of you already know this. Also this stage is quite important, because here we can understand for example what the application is actually looking at, which kind of devices it is reading. So for example here we can see that it's accessing the GPS, so it will be nice to log GPS accesses; for example if we don't see that the app is actually accessing the microphone, it doesn't make any sense to log the access to the microphone.

After this we look at the Java code of the app. As many of you might know, there are some tools that actually decompile an APK, an Android package, and actually look at the Java code. This might be useful to understand how the app works, how it does some things, if there is something in them somewhere that I want to look at, and also to look at libraries, SDKs, as there usually is: this is where the nasty things from third-party trackers are actually implemented. Of course third-party trackers are the juicy part if you are actually looking for privacy violations. Also, I mean, for me here it is important to actually say that I usually don't spend too much time here, as actually reading the compiled code of an application line by line doesn't make any sense; also it doesn't really give any evidence, because maybe here I can see that it makes a request to a server with some data that might be interesting, but how do I know if it actually makes that request, or if it's actually populated with data? And this is the part where the so-called magic tool of this talk will actually come to mind, which is called Frida. I mean, you have probably already seen a ton of presentations about Frida, so I will not bother you again with that. There are many, many, many good tutorials and documentation about this tool that you can look at if you are interested; I mean they also explain it much better than I could possibly do. Just to give a quick overview, Frida is an instrumentation framework that actually allows us to inject code into an ongoing and running application, so that we can for example add logging and debugging features to an app that actually does not contain them, so that we can actually, you know, enrich the application with functions that maybe can be useful for us. So which is the first usage of this amazing feature that we can think of? Well, as we said before, we know that the app actually accesses the GPS. Okay, let's see when the app accesses this feature, let's see when the app accesses this device, so that I can get the time, the number of times that it's done, etc. etc. etc. And of course this might be useful information.

Last but not least, we are in 2023 for a couple of days more, so you know, as many of you probably know, most of the internet traffic now is encrypted, is encrypted on the transport with transport layer security, and so just doing a passive analysis of the network traffic is not enough anymore: we actually need to intercept traffic using for example a TLS proxy. For these analyses I used mitmproxy, for which, I mean, you can also look at the documentation to actually know how to set it up. It also has a very good tutorial in which they will actually tell you every step that you need to do to install a certificate authority on your Android device, so that you can basically do everything that is needed to get the traffic. Also here we just need to make, let's say, a bit of extra setup, as we need for example to log the network traffic so that we actually have a copy of that, and also it will be smart, and we will see afterwards, to check a bit the logs of the tool to see if there are any problems during the traffic interception.

Let's see some of the so-called results. Well, the first result that we gained when we did the first analysis in July 2021 was that the location of the user was accessed around one time every hour for the whole day, even outside working hours; so generally the worker was constantly monitored for their location, even outside their shifts, basically. The second result, which was a bit interesting but we never really explained, and we didn't have enough hints to actually get an idea besides that, was that the application was rating users based on a score which was also transparent to the worker, so they know their points, they know for every order how many points they made, and the points were basically based on the review of the client, the review of the restaurant and other metrics. But there was in a request another so-called rating which we didn't really expect and we were not really able to explain; it seems like a feature of a hidden score in the app, but we really were not able to explain it. But last but not least, the most interesting result was that with a third-party tracker known as Braze they share basically all the data that they had about the user, constantly, and this data includes the personal identification data of the worker, including for example their fiscal code, their location, which whenever it was gained was sent back to this third-party tracker. And this result was quite relevant, as this tracker was not mentioned anywhere in their privacy policy.

We tried to repeat this test about a year after, in September 2022, and looking at the logs of mitmproxy, which has, as you can see, this very colorful user interface, which I mean looks very leet if you look at it, actually showed us that they were not able to connect to the server identity.mparticle.com. We knew by looking at the application code that the mParticle SDK was actually included in the Glovo app, so we expected to see traffic towards that endpoint. Also we noticed that, let's say, the connection was reset by the client, which seems strange but actually is the default behavior of many Android applications that are smart enough to avoid the traffic interception, because basically what they do is that they save a fingerprint of the server certificate that they are expecting, of course the server certificate signed by a trusted certificate authority, so that whenever a proxy with an arbitrary certificate authority tries to sign an arbitrary certificate made for that server, this check will fail. This technique is called certificate pinning; it is nothing new, and also there are some standard libraries and also some, let's say, standard code patterns that you can find in the code to see how it is implemented. In this case it was implemented using the trust manager. At this summer's Camp there was a presentation called "Leveraging the use of dynamic instrumentation for pentesting mobile apps", in which basically dynamic instrumentation with Frida was presented, and if you saw it you probably know that one of the scenarios in which the usage of Frida was actually shown was to actually bypass this kind of stuff, so to actually bypass certificate pinning. In this case we have shown a small snippet in which we make the check from the trust manager fail every time. Also this script is actually available from the internet, they have like a huge library, so it's nothing too fancy, nothing arcane, probably you will find it for sure. So the final result that we gained at the end of this second analysis was that we were able to intercept also the traffic from this other third-party tracker, so also from mParticle, and also there we have seen that the location of the worker was constantly shared with them, together with personal data, and of course also this was not mentioned in their privacy policy or whatever.

Now, why do we think that these results are meaningful? Because as we have seen before, in this case the company, to a DSAR, a data subject access request, would have never actually shown all this stuff. So it's something that we need: if we really want to look at it, if we really want to look inside this black box, we actually have to find a way to grasp inside of that, and, you know, some standard reverse engineering techniques can be a quite useful tool. Also it's nice to mention that we have replicated these analyses in July 2021, September 2022 and July 2023, finding almost similar results, and that we have published a paper at Y where you can have a better look at them. Also this resulted in a report to the Italian data protection authority, which, I don't know, maybe it might seem interesting or not. To give a better perspective, I'll give the mic back to Claudio.

What we are seeing here is a sort of timeline of what we tested over time, because it was full of new experiences, blocking times, or problems we were not expecting. At the beginning we were thinking to use Article 22 of the GDPR, because it talks about automated decision-making and this is a case where a system decides automatically what you're going to do. But in order to demonstrate some kind of violation we have to actually find some workers that can talk about this violation, and so we built a survey. And when you build a survey with a form full of questions, it's not that the typical Uber Eats, Glovo, Deliveroo, Foodora, you name it, kind of rider wants to answer questions on their perception. So initially we had some struggle in getting answers. That's why only after, in 2020, with IrpiMedia, a group in Italy that was also making investigations on this new form of work, especially because during COVID it turned out to be a quite important kind of service for society, this survey got answered by more contributors, which has helped to collect evidence, but not yet something to move forward. Meanwhile we found this important courier willing to cooperate, so someone that wanted to give the login and password. That was a complexity that we were thinking to solve quicker; instead it took us 18 months to find one person. Then we started to make tests; we made tests in July, February, September, and then we brought the data to the authority. Sadly the data was initially considered too old; we will see later why it may be a good reason. And what we did in one week at that point was to repeat the test with the last version, make a simple technical assessment of what were the problems that you already saw in this presentation, and give this material to the authority, and at the moment this has been accepted, and who knows what's going to happen after.

In October the report was published. The report has been covered in different languages; the main title that you see around is "this Glovo app for couriers shares the location of the worker outside of the working shift with third parties": that has been the main message that emerged from these titles. But what is fun to see is that there was the first strike in Milan with riders calling for algorithmic transparency. Why may the data look too old? Because the first time Gaetano started to make this analysis it took two weeks to understand how to investigate the app, and the app releases a new version every week, so you see that there is a potentially blocking factor if you produce evidence for an app that is already not the last version that is running on people's phones. We were afraid that the justification of "oh, this is just a mistake" would appear. Instead, first, we got quicker: so if at the first test two weeks were necessary, at the last test one day was necessary to restart. And second, we saw that the violations were present for two years, so they were not mistakes, they were part of the design. Another piece of contextual information that was unrelated to what we did, but we cannot ignore, is that in 2019 the authority in Italy started to make some investigation on many gig economy apps, and in 2021 they gave a huge fine to Glovo/Foodinho with also prescriptive measures, so how they need to change their app to be compliant. In '22 Glovo won the appeal, so they did not have to pay the fine, but we were expecting that they should still implement the prescriptive measures, and in '23 the Italian Supreme Court reverted the appeal, so Glovo also has to pay the fine. What is the point? When in 2021 we started to get the evidence, we were afraid that the app would change in one day and lose all its violations, or expected violations, because there was already a case against them. Instead what we documented is that in those two years they never implemented any update to become actually safer.

Now, thinking of the next step: because if the Glovo case is meaningful to show what are the problems that happen in these apps, it is not for us a victory. If one group in Europe does a test against one app, spends four, five years, and maybe scores a victory, that is not a victory. The victory is when it's easier to analyze those apps, it's easier to find workers that are eager to collaborate with a group like ours, it's easier to talk with the labor unions to make them understand why data processing is a problem. So we have to lower the entrance barrier in those three bubbles of the Venn diagram; we have to make it easier, to make clear to the people working there that those things happen. And there are some tools I want to point out. Exodus Privacy is a system that does static analysis of many of the apps in the Google Play Store; with static analysis, as Gaetano was explaining, you cannot prove that the tracker is actually conveying personal information to a third party, but it can be an indicator. Privacy International also released the Data Interception Environment, which is a virtual machine with a mitmproxy that can help you to assess the network traffic. And what we understood by looking at the biggest moments where we were blocked is that we should not try to work with workers and bring the evidence to get an impact; we should be the technical provider for other, more specialized, in-field organizations, so for example working with the union, so they have a lot of workers that potentially can collaborate, and having them using that evidence. One of the things that we didn't get through: a couple of those problems displayed in the results were privacy violations, another one, like the rating, can also be not a privacy violation, but for sure it is information that, in the hands of the union that is doing their collective bargaining, they can also understand which kind of data and labeling and attributes get added to the worker, because this will impact the worker's dynamic and, yeah, treatment. At the Privacy Camp that will happen on the 24th of January there will be streamed also a talk organized by us that tries to again lower the entrance barrier, talk to different actors, stakeholders of these domains, because it should be a fight. Let's say that the AI Act got 100 times the coverage that the platform directive got, but the platform directive was already addressing something that is a problem now, was a problem years ago, and is going to be a problem also in the next years. Now we are not alone, and we hope that many other organizations will start. Shout-out to those four groups similar to us, they are doing an interdisciplinary effort: Worker Info Exchange and personaldata.io, both of them are using data subject access requests for workers to get details on the data that the company has on the worker and try to understand how much this is realistic with their payment, and try to do this kind of comparison; the Workers' Algorithm Observatory is active in the US and they're doing data donation from mobile apps; and Turkopticon is instead an effort to measure and evaluate the kind of tasks given to workers of Amazon Mechanical Turk. What you can see is that some organizations may be platform-specific, like Turkopticon, others can be more generic. In general we are not alone, we need to be more. I hope that this talk has inspired some of you. There is some time for questions and answers, but we will be later at the tea house in case you want to meet and talk more about it. Thank you so much.

Claudio and Gaetano, thank you. So as mentioned we do have time for questions. We have installed monitoring SDKs on the four microphones in the room, and we have a gig worker angel, the signal angel, who is monitoring Matrix, the IRC, as well as Mastodon. We are in Saal Zuse, so if you use the appropriate hashtag our analytics SDKs will pipe that to our gig worker. I see already someone at microphone number two, please.

Yeah, thank you for your talk. So what I noticed is that there is a power imbalance of who uses my data, and if I should... well, I imagined how this could be leveled, so I guess a political demand could be: every piece of data of myself which goes out of the device has to be logged, on my request, by the OS which is installed, so all these hoops you had to go through just to get the data that is sent would just be erased to zero, and you could check and use tools and so on, because if I put a little SD card with 128 gig in, there is a lot of room for a lot of logs. So if I request it from this app, I want to know what's going on, maybe even incoming traffic, but, well, it might be more difficult legally to get access to this.

Can you express it in one question?

That is not the question, it's just a suggestion for a political demand: if I could get access to what personally identifiable information and other data is going out of my device, and have a log on my device. So yeah, that's it, thank you.

I see a suggestion more than a question, so in the future please try to keep it to questions and not so much commentary. As mentioned, the speakers are available later to chat and give such fantastic suggestions. But right now I see that our gig worker from the internet has found that the internet has questions.

Yes, the internet wants to know if you have any evidence, or if you came across the fact, that gig working companies listen to personal conversations or collect data about the emotional aspects of the workers. Do you think this is plausible, or did you find anything in this direction?
In this direction, honestly, not. There has been some research about that, in which they basically try to look at how to decode data that was actually exfiltrated from the device by just doing network analysis, but I will never get the name of the paper right now in my mind, unfortunately. But it's something that never came up in our cases. As we said before, we mainly looked at apps that were not even requesting access to the microphone, and that kind of stuff is actually monitored by Android, by the Android operating system, using SELinux, which, I mean, there are very strong jails, and unless you have some apocalyptic zero-day escape, whatever, from the kernel, you cannot actually bypass that. And so it's not cases that we have actually found. So unfortunately not, or fortunately; maybe it will be better to say fortunately, yeah, sorry.

So the gig economy has not yet been infected by the Doon Isa, but maybe our microphone number four can bring a new question.

Hello, thank you for the presentation. The question would be: did the workers actually have any civil lawsuits filed against the company, or any labor cases against the company, and are you suggesting to the...

Yeah, there were many of them. There were many of them which were quite unrelated to this topic; they were mostly related to actually being recognized as employees, and other things. As we said before there was that particular case about some people that were actually fired collectively, without notice, after a strike, so which was, let's say, aggravated by two things. This kind of analysis, we have to see how it goes; so far it was not actually used in a specific lawsuit, but maybe if there is any, I mean, maybe the results can be used for that, let's say, or can be integrated in another one. Also, I mean, it could be a usage for the future, that for sure. Let's say there are cases, but what we hope is that there will be more
cases, especially ones that consider the technical domain, because that gives additional tools and reasons to a struggle. Thank you.

I see that the internet has another question.

Yes, the internet wants to know if you know any tools that make it possible for non-technical users to monitor outgoing traffic.

The Data Interception Environment of Privacy International, I shared the link in the presentation, wants to assist exactly for that reason. It cannot do the complex certificate pinning hacking, but that is not present every time, most of the apps don't use it, and that would be a good beginning to intercept traffic and inspect what an app is leaking outside.

According to my analytics, microphone three has a question.

Thank you for the great talk. I know that you guys investigated the Glovo app. I'm curious: for Germany there's Gorillas and Wolt and many other gig economy apps that are supposed to help the workers there. Are you aware of any investigations into those apps to verify that those workers are also being protected and looked out for?

So we know that there are movements that want to investigate it, but what we explained is also the complexity behind an investigation. First we need to have someone that wants to do reverse engineering, that maybe is not only Gaetano, but he can teach better, or we can work as a team. Second we need workers, and third we also need to be in touch with, or at least start to think what to do with, the evidence if it's found. And at the end this panel was showing the huge complexity to make it replicable, which is our goal, and we hope to do it in many other countries of Europe besides Italy, and it would be great to find someone in Germany that can collaborate with us.

Great, thank you. The room has opted in to one short last question from microphone number two.

Hello, do you know of any app that is doing gig economy in a good way?

Well, in theory there is CoopCycle, no, what is the name, there is some fair form of
gig economy, yes, and it does not only cover the technical part but especially what is the employment, the support, the assistance you can get as a worker. I did not focus an extended research on it, so I cannot even repeat the correct name; I know that it is a French project that has been replicated around Europe and the name is similar to CoopCycle, and I hope DuckDuckGo will help you to find the right answer. But it exists, it's possible, probably it is less profitable, it doesn't matter. I mean, we also have to think forward, that we do not have to spend our time investigating those doing things badly; we have to build a network that wants to have only a fair economy. Perhaps a European regulation would have helped. What is going to happen in the future if someone else can start to build more initiatives of fair gig economy will be a great example that this can exist, and when Uber threatens, I don't know, France, to say "oh, we're going to leave your market", maybe the next French president can answer "oh, we already have a better alternative".

Claudio, Gaetano, thank you so much, let's give them a huge round of applause.

[Applause]

[Music]
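Added example, not code from the talk or from Reversing Works: a privacy-assessment helper in the style of a mitmproxy addon that flags intercepted requests carrying personal fields (location, fiscal code) to hosts outside the app operator's own domains, plus a shift-aware summary of location API calls as a Frida hook would log them. Hostnames, field names, shifts and the sample log are constructed; the `request(flow)` hook uses mitmproxy's addon API when loaded with `mitmdump -s`, while the pure functions run stand-alone.

```python
import json
import logging
import re
from collections import Counter
from datetime import datetime

log = logging.getLogger(__name__)

# Hostnames that belong to the app operator itself (constructed placeholder; set per app).
APP_DOMAINS = ("courier-app.example",)
# Substrings identifying the third-party trackers named in the talk (Braze, mParticle).
THIRD_PARTY_PATTERNS = ("braze", "mparticle")
# JSON or form keys treated as personal data when they leave the device (assumed names).
PERSONAL_FIELDS = {"latitude", "longitude", "lat", "lng", "fiscal_code", "email", "phone"}


def is_first_party(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in APP_DOMAINS)


def is_known_tracker(host):
    return any(p in host.lower() for p in THIRD_PARTY_PATTERNS)


def _collect_keys(obj, found):
    """Walk a decoded JSON body at any depth and collect personal-data keys."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key.lower() in PERSONAL_FIELDS:
                found.add(key.lower())
            _collect_keys(value, found)
    elif isinstance(obj, list):
        for item in obj:
            _collect_keys(item, found)


def find_personal_fields(body):
    """Return the personal-data keys present in a JSON or form-encoded request body."""
    found = set()
    try:
        _collect_keys(json.loads(body), found)
    except ValueError:
        # Not JSON: fall back to "key=" tokens of a form-encoded body.
        for key in re.findall(r"(?:^|[&?])([A-Za-z_][A-Za-z0-9_]*)=", body):
            if key.lower() in PERSONAL_FIELDS:
                found.add(key.lower())
    return sorted(found)


def assess_request(host, body):
    """Classify one intercepted request: who receives it and which personal fields it carries."""
    fields = find_personal_fields(body or "")
    third_party = not is_first_party(host)
    return {
        "host": host,
        "third_party": third_party,
        "known_tracker": is_known_tracker(host),
        "personal_fields": fields,
        "leak": third_party and bool(fields),
    }


def request(flow):
    """mitmproxy addon hook (mitmdump -s this_file.py): called once per intercepted request."""
    finding = assess_request(flow.request.pretty_host, flow.request.get_text(strict=False))
    if finding["leak"]:
        log.warning("personal data sent to %s: %s", finding["host"],
                    ", ".join(finding["personal_fields"]))


def location_access_report(hook_lines, shifts):
    """Per-hour histogram of location API calls logged by a Frida hook, and how many of
    them fall outside the worker's declared shifts. shifts: [(start_hour, end_hour), ...]."""
    per_hour = Counter()
    outside = 0
    for line in hook_lines:
        stamp, _api = line.split(" ", 1)
        hour = datetime.fromisoformat(stamp).hour
        per_hour[hour] += 1
        if not any(start <= hour < end for start, end in shifts):
            outside += 1
    return per_hour, outside


# Constructed sample input: three request bodies and one day of hourly hook timestamps.
SAMPLE_FLOWS = [
    ("identity.mparticle.example",
     '{"device":{"id":"abc"},"user":{"fiscal_code":"XXX","lat":45.46,"lng":9.19}}'),
    ("api.courier-app.example", '{"lat":45.46,"lng":9.19,"order":42}'),
    ("cdn.courier-app.example", "v=1&theme=dark"),
]
SAMPLE_HOOK_LOG = [f"2023-07-12T{h:02d}:05:11 LocationManager.getLastKnownLocation"
                   for h in range(24)]
SAMPLE_SHIFTS = [(11, 14), (18, 22)]  # worker declared on duty 11-14 and 18-22

if __name__ == "__main__":
    for host, body in SAMPLE_FLOWS:
        print(assess_request(host, body))
    histogram, outside = location_access_report(SAMPLE_HOOK_LOG, SAMPLE_SHIFTS)
    print(f"{sum(histogram.values())} location reads, {outside} outside declared shifts")
```

A request to a first-party host carrying location is reported but not flagged as a leak; only personal fields leaving for a host outside `APP_DOMAINS` raise the warning, which is the pattern the talk found for Braze and mParticle.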