GitKraken – data kraken – Yet another application that tracks you?
tl;dr: GitKraken does not check the certificate for api.gitkraken.com, and submits an ID plus some usage statistics on every start.
Today, I was excited to try the just released GitKraken. After installing the AUR package (1.0.0-1) and launching the application, I was immediately asked to register. I entered some nonsense email and name and followed the tour.
GitKraken soon listed all the Git repositories on my computer, which is a cool feature. But I also got a bit suspicious: it could easily aggregate the repository names, submit them and link them to the registered user.
I decided to investigate the network traffic using mitmproxy. The challenge was to obtain the GitKraken traffic, since I could not find a proxy configuration within GitKraken. I followed this tutorial to configure mitmproxy in the “Transparent Proxy” mode. I did not install the CA, though.
I registered in the application … and observed a request to
The server generates an id which is used for subsequent requests:
But, wait! Mitmproxy intercepts the HTTPS traffic and re-encrypts it using its own certificate, which I did not trust. This is what Chromium showed while my traffic was going through mitmproxy:
This means that GitKraken accepts any certificate for api.gitkraken.com!
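The finding above is easy to reproduce in a test harness: point a client at a TLS server whose self-signed certificate nothing trusts (what mitmproxy looks like without its CA installed) and see whether the connection is accepted. The following Go program is an added example, not code from GitKraken or from this post; the endpoint name and the JSON body are constructed stand-ins, and the three client configurations are the generic patterns, not GitKraken's actual implementation.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newPhoneHomeServer starts a TLS server with a self-signed certificate that
// no trust store knows, standing in for a man-in-the-middle in front of
// api.gitkraken.com. The handler and body are constructed for this example.
func newPhoneHomeServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"activated":true}`)
	}))
}

// probe performs a GET with the given TLS client configuration and reports
// whether the TLS handshake (and therefore the request) was accepted.
func probe(url string, cfg *tls.Config) (accepted bool, err error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return true, nil
}

// CheckClientVerification reports whether three client configurations accept
// the untrusted certificate: the default (verification on, the behaviour a
// client should have), verification switched off (the behaviour observed in
// GitKraken), and a client that trusts only the server's own certificate.
func CheckClientVerification() (defaultAccepts, insecureAccepts, pinnedAccepts bool) {
	srv := newPhoneHomeServer()
	defer srv.Close()

	defaultAccepts, _ = probe(srv.URL, nil)
	insecureAccepts, _ = probe(srv.URL, &tls.Config{InsecureSkipVerify: true})

	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	pinnedAccepts, _ = probe(srv.URL, &tls.Config{RootCAs: pool})
	return
}

func main() {
	d, i, p := CheckClientVerification()
	fmt.Printf("default verify: %v  verification off: %v  pinned cert: %v\n", d, i, p)
}
```

Only the default and pinned clients behave correctly; a client that reports `true` for an untrusted certificate, as GitKraken did through mitmproxy, will hand its id and statistics to whoever sits on the path.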
I clicked on the confirmation link sent via email (https://api.gitkraken.com/activate/d810cfe7-c828-47af-860f-9e71cbd68ded/0746…, note the id from above). The application makes a request to https://api.gitkraken.com/phone-home to check the registration status:
After every start of the application, https://api.gitkraken.com/phone-home is requested again. Besides re-checking the activation status, this serves to submit usage/timing statistics, of course together with the
You can man-in-the-middle api.gitkraken.com and obtain usage/timing statistics every time the user opens GitKraken.