Compromised privacy apps


#1

Please can someone check into this. I strongly believe privacy-related apps are being compromised in some way; so far I have identified 4 that exhibit similar behaviour.
They are:
Open Key Chain
Conversations
Proton Mail
Tutanota mail
Each of these apps tries to access location; my phone warns me of this. They only do it when accessing certain functions. Open Key Chain attempts location access and camera access when creating a new PGP key.
Conversations and the email apps do it when clicking the icon to compose a new message.
I have many apps installed, but this issue seems to be specifically related to privacy apps that use encryption.
As these apps are from different repos and developers, I think this is something to be concerned about.


#2

Mentioning the ROM details would be useful.


#3

Android 4.4.2
API 19
Not rooted


#4

MORE ROM info? Device info, ROM code?


#5

It is an Alcatel A460G
Kernel version 3.4.67
Build 03001


#6

Thanks for sharing your observations! We take such reports seriously.

Open Key Chain
Conversations
Proton Mail
Tutanota mail

Are you sure you’ve installed them from F-Droid?

The latter two aren’t on F-Droid (and have never been AFAIRC).

Conversations has neither camera nor location permissions: https://f-droid.org/packages/eu.siacs.conversations/

OpenKeychain does not have location permission: https://f-droid.org/packages/org.sufficientlysecure.keychain/


#7

"Are you sure you’ve installed them from F-Droid?"
Just go in “Manage application installed” in F-Droid, check the app detail and versions.
If it says “installed” or “No versions with compatible signature”


#8

I installed OpenKeychain and Conversations from F-Droid. I contacted one of the OpenKeychain devs about this; he said there is no way OpenKeychain accesses location and it must be a bug in the MediaTek permission control, confusing access to contacts with access to location.


#9

Update to this issue: in the latest release, the OpenKeyChain 4.9.1 F-Droid build, this issue appears to be fixed; my phone is no longer warning about attempted location access when creating a key.
This has to mean it was not caused by the contacts permission, which is still used.
The OpenKeyChain devs did not mention anything about fixing this on their GitHub issue tracker or changelog, but I have asked them to explain.
If they respond, I will post here.

