Snapd persistent tracking cookie

Why is the snapd daemon sending the persistent device authorization cookie while checking for updates if I’m not logged in to the snapcraft store?

Hi there, and welcome to the forum.

This is the automatically generated device session based on general properties of the system (distribution name, version, etc.), and is completely independent from anything user-related. If you log in you’ll see that there’s additional user authentication information added to the request. And if you log out, it goes away again.

Thanks for clarifying. Is there a complete list of the properties somewhere, and of how it’s encoded?

Anyway, such a token is persistent and can definitely be used for tracking, not a thing a Linux user is expecting. Is there a way to remove this header?

The entire snapd system was built with security in mind, which means your machine has a private key and a public key that are used to establish sessions with the store. The store also has private and public keys that are used to sign several pieces of information that your machine will require to be able to trust it. You can delete that key and recreate it, and snapd will reestablish the session, but this may introduce side-effects in behavior that we won’t be able to make promises about.

Note that there’s no association between that data and any personal information, unless you intentionally login.

1 Like

Security does not equal privacy. If hardware and software information is being transmitted it can be used for hidden tracking, even without keys. Distribution name and snap version are already being sent in the User-Agent header, so it’s weird to duplicate them in the cookie too.

Since this is open source software, can I see somewhere what’s encoded in this cookie?

It is encoded using the gopkg.in/macaroon.v1 library.

The outer encoding is URL safe base64 (which you can decode via Python’s base64.urlsafe_b64decode() function, if you’re more comfortable with that language). Inside, you’ve got a collection of length prefixed records followed by an HMAC-SHA1 signature to verify that the data in the records originates from the store.

The records are mostly plain text, so you should get a feel for what is being sent.

1 Like
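
The decoding described in the reply above, as an added example that is not part of the thread or of snapd's code. It assumes the v1 binary macaroon packet layout (four hex digits giving the packet length, then `key value\n`); the function names are hypothetical and the sample token is constructed with placeholder values.

```python
import base64

def _packet(key: bytes, value: bytes) -> bytes:
    # Assumed v1 packet: 4 hex digits (total packet length), then "key value\n".
    body = key + b" " + value + b"\n"
    return b"%04x" % (len(body) + 4) + body

def build_sample() -> str:
    """Constructed token: placeholder values, dummy signature (not a real HMAC)."""
    raw = b"".join([
        _packet(b"location", b"api.snapcraft.io"),
        _packet(b"identifier", b"constructed-id"),
        _packet(b"cid", b"api.snapcraft.io|valid_since|2020-01-01T00:00:00"),
        _packet(b"cid", b"api.snapcraft.io|session|00000000-0000-0000-0000-000000000000"),
        _packet(b"signature", bytes(range(32))),
    ])
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_macaroon(token: str):
    """Return [(field, value_bytes), ...]; raise ValueError on malformed input."""
    # Restore any stripped base64 padding before decoding.
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    records, pos = [], 0
    while pos < len(raw):
        try:
            size = int(raw[pos:pos + 4], 16)
        except ValueError:
            raise ValueError(f"bad length prefix at offset {pos}") from None
        # A packet needs the 4-digit prefix, a space and a newline at minimum,
        # and must not claim more bytes than remain in the buffer.
        if size < 6 or pos + size > len(raw):
            raise ValueError(f"bad packet length {size} at offset {pos}")
        key, sep, value = raw[pos + 4:pos + size].partition(b" ")
        if not sep or not value.endswith(b"\n"):
            raise ValueError(f"malformed packet at offset {pos}")
        records.append((key.decode("ascii"), value[:-1]))
        pos += size
    return records

def caveats(token: str):
    """The plain-text caveat records, i.e. what the token says about the device."""
    return [v.decode() for k, v in parse_macaroon(token) if k == "cid"]

if __name__ == "__main__":
    for field, value in parse_macaroon(build_sample()):
        # The signature is raw bytes, so show it as hex; the rest is text.
        print(field, value.hex() if field == "signature" else value.decode())
```

Parsing only reads the records; it cannot check the signature, which needs a key held by the store.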

I was able to decode using this method and I’m extremely disappointed with the result. Yes, it doesn’t have any personal information, but along with sending keys to the server it also has no privacy. These values can be changed only if I reinstall the snapd daemon, otherwise they are persistent.

api.snapcraft.io|valid_since|2020-xx-xxxxxxxxxxx
api.snapcraft.io|session|xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
api.snapcraft.io|device|{"brand": "generic", "authority": "generic", "serial": "xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"

You’re extremely disappointed with what more specifically? There’s nothing there which wasn’t discussed above.

You can see the entire code of snapd in github.com/snapcore/snapd, and the store package under it should have everything related to the communication with the store.