Simon Legner

GitKraken – data kraken – Yet another application that tracks you?

tl;dr: GitKraken does not check certificate for, and submits an ID plus some usage statistics on every start.

Today, I was excited to try the just-released GitKraken. After installing the AUR package (1.0.0-1) and launching the application, I was immediately asked to register. I entered some nonsense email and name and followed the tour.

GitKraken soon listed all the Git repositories on my computer, which is a cool feature. But I also got a bit suspicious: it could easily aggregate the repository names, submit them and link them to the registered user.

I decided to investigate the network traffic using mitmproxy. The challenge was to obtain the GitKraken traffic. Since I could not find a proxy configuration within GitKraken, I followed this tutorial to configure mitmproxy in the “Transparent Proxy” mode. I did not install the CA, though.


I registered in the application …

… and observed a request to

The server generates an id which is used for subsequent requests:

But, wait! Mitmproxy intercepts the HTTPS traffic and encrypts it again using its own certificate, which I did not trust. This is what Chromium showed while my traffic was going through mitmproxy:

This means that GitKraken does accept any certificate for!
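
The same check can be automated when auditing applications on your own machine. The following mitmproxy addon is an added example, not part of the original post or of any project mentioned here: it records which hosts had a client complete the TLS handshake with the proxy. It assumes mitmproxy 7 or later (hook names `tls_established_client` and `tls_failed_client`) and that the mitmproxy CA is not installed in any trust store on the test machine; the hostnames in the demo are constructed.

```python
"""mitmproxy addon: list hosts whose clients accept an untrusted proxy certificate."""
from collections import defaultdict
from types import SimpleNamespace


class UntrustedCertAudit:
    """Assumption: the proxy CA is NOT trusted on this machine, so a client
    that validates certificates must abort the handshake with the proxy."""

    def __init__(self):
        # host -> counters of client-side handshake outcomes
        self.seen = defaultdict(lambda: {"accepted": 0, "rejected": 0})

    @staticmethod
    def _host(data):
        # Prefer the SNI the client sent; fall back to the destination address.
        sni = getattr(data.conn, "sni", None)
        if sni:
            return sni
        addr = data.context.server.address
        return addr[0] if addr else "<unknown>"

    def tls_established_client(self, data):
        # The client completed TLS against the proxy's untrusted certificate.
        self.seen[self._host(data)]["accepted"] += 1

    def tls_failed_client(self, data):
        # The client aborted. Usually validation or pinning, but a dropped
        # connection lands here too, so treat this only as "not accepted".
        self.seen[self._host(data)]["rejected"] += 1

    def findings(self):
        """Hosts for which at least one handshake with the proxy succeeded."""
        return sorted(h for h, c in self.seen.items() if c["accepted"])

    def done(self):
        # Called by mitmproxy on shutdown: print the summary.
        for host in self.findings():
            c = self.seen[host]
            print(f"accepts untrusted cert: {host} "
                  f"(accepted={c['accepted']}, rejected={c['rejected']})")


addons = [UntrustedCertAudit()]

if __name__ == "__main__":  # offline demo with constructed events
    ev = lambda sni: SimpleNamespace(conn=SimpleNamespace(sni=sni),
        context=SimpleNamespace(server=SimpleNamespace(address=("192.0.2.10", 443))))
    audit = addons[0]
    audit.tls_established_client(ev("api.example.test"))
    audit.tls_failed_client(ev("strict.example.test"))
    audit.done()
```

Load it with `mitmproxy -s` in the same transparent-proxy setup; any host it reports was contacted by a client that did not reject the untrusted certificate.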


I clicked on the confirmation link sent via email (…, note the id from above). The application makes a request to to check the registration status:

Application start

After every start of the application, is requested again. Besides re-checking the activation status, this aims at submitting usage/timing statistics, of course together with the id:


You can man-in-the-middle and obtain usage/timing statistics every time the user opens GitKraken.