Compromised privacy apps

raven9 · February 7, 2018, 11:36pm

Please can someone check into this. I strongly believe privacy related apps are being compromised in some way, so far I have identified 4 that exhibit similar behaviour.
They are,
Open Key Chain
Conversations
Proton Mail
Tutanota mail
Each of these apps try to access location, my phone warns me of this. They only do it when accessing certain functions. Open key chain attempts location access and camera access when creating a new pgp key.
Conversations and the email apps do it when clicking the icon to compose new message.
I have many apps installed but this issue seems to be specifically related to privacy apps that use encryption.
As these apps from different repos and developers I think this is something to be concerned about.

Ildar · February 8, 2018, 2:54am

Mentioning the ROM details would be useful.

raven9 · February 8, 2018, 3:33am

Android 4.4.2
API 19
Not rooted

Ildar · February 8, 2018, 6:08am

MORE ROM info? Device info, ROM code?

raven9 · February 9, 2018, 4:26am

It is an alcatel A460G
Kernel version 3.4.67
Build 03001

relan · February 10, 2018, 12:00pm

Thanks for sharing your observations! We take such reports seriously.

Open Key Chain
Conversations
Proton Mail
Tutanota mail

Are you sure you’ve installed them from F-Droid?

The latter two aren’t on F-Droid (and have never been AFAIRC).

Conversations has neither camera nor location permissions: Conversations | F-Droid - Free and Open Source Android App Repository

OpenKeychain does not have location permission: OpenKeychain: Easy PGP | F-Droid - Free and Open Source Android App Repository

hotlittlewhitedog · February 10, 2018, 7:33pm

“Are you sure you’ve installed them from F-Droid?”
Just go in “Manage application installed” in F-Droid, check the app detail and versions.
If it says “installed” or “No versions with compatible signature”

raven9 · February 21, 2018, 4:42pm

I installed openkeychain and conversations from f-droid. I contacted one of the openkeychain devs about this, he said there is no way openkeychain accesses location and it must be a bug in the mediatek permission control, confusing access to contacts with access to location

raven9 · March 6, 2018, 4:08pm

Update to this issue, in the latest release OpenKeyChain 4.9.1 fdroid build, this issue appears to be fixed, my phone is no longer warning about attempted location access when creating a key.
This has to mean it was not caused by the contacts permission which is still used.
OpenKeyChain devs did not mention anything about fixing this on their github issue tracker or changelog but I have asked them to explain.
If they respond I will post here.

system · May 5, 2018, 4:08pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.