Apps without location permission attempting to get location

venner · September 8, 2017, 3:44am

I have identified two apps, both privacy based apps that attempt to get location information even though the installer does not state they require that permission, neither does the app description here on f-dtoid. The two apps are,
Open Key Chain
Secure SMS
Open Key Chain does it when I click on the button to create a new key pair,
SECURITY WARNING
OpenKeychain is trying to obtain your current position.

venner · September 8, 2017, 9:43pm

CONVERSATIONS instant messaging app is another app doing the same thing also does not have location listed as a required permission.
WARNING
Conversations is trying to obtain your current position.
Conversations is also another privacy related app. This one does encrypted messaging.
Is the NSA maintaining f-droid now or what?

frief · September 8, 2017, 11:01pm

Hi Venner,

answering as user not developer. Take with a grain of salt.

Hopefully it’s a matter of the App using NFC (which is somewhat location related). Not sure whether this explains your finding.

venner · September 9, 2017, 4:39am

If it was NFC that should have appeared in the list of permissions required by the apps though right? I think this is highly suspicious especially considering the nature of the apps affected.
I have found another one that exhibits the same behaviour although this one is not on f-droid it is Google play but it also does not have “get location” as a required permission but then attempts to do exactly that when I tested it so that is now four, all privacy/encryption related apps trying to get user location covertly.
Secure SMS (f-droid)
OpenKeychain (f-droid)
Conversations (f-droid)
Proton Mail (Google play)

k3b · September 9, 2017, 7:06am

Some android libs contain permissions that every app inherits if it uses the lib

i have put this in my apps manifest to explicitly remove location permissions inherited from osmdroid-lib

<!--
     permissions inherited from a lib that the app does not need.
     tools:node="remove" means remove permission
     see http://stackoverflow.com/questions/37223379/google-play-game-service-adds-an-unwanted-permission-in-my-app-phone-status-and
-->
<uses-permission
    android:name="android.permission.ACCESS_FINE_LOCATION"
    tools:node="remove" />
<uses-permission
    android:name="android.permission.ACCESS_COARSE_LOCATION"
    tools:node="remove" />