How to know if apps exchange data with other apps?

I tend to avoid to install apps that require permission for unnecessary internet connection.
I’ve used Tracker Control and for apps without internet access it says they still might track you by exchanging data with other apps.
How do you know if such thing is happening? I couldn’t find any related info online.

I’ve also used Immuniweb to test the level of security and privacy of apps. The last section of analysis is Mobile App External Communciation. Surprisingly some apps that don’t require internet access seem to connect to remote hosts.
Do you find it convincing?
I haven’t read the full report yet but would check that later.

You can use a firewall like Netguard and block all, then look at those apps details…to find out if they try.

Also, yes they could exchange data, eg. save in /storage/ or they can use Webview to access the internet, so be sure to block Webview from access too in the firewall (manage system apps in settings).

If you have Play services…they can and they do use that too, but these are not FOSS, you won’t find F-Droid apps that do this.

1 Like

Oh does that mean Netguard block more things than TrackerControl?
Okay I’ll try it thanks!

Sorry I don’t quite get the last one. You mean F-Droid apps don’t use Webview to access the internet?

They can’t use Google Play Services

Some static analyzers will simply detect hosts in code and flag them.
Some also use poor regex and mark package names as valid hosts.

Oh good to know that

Is it hard to distinguish?
If an app conncets to facebook or reddit, would you consider it “safe”?

Really depends on the app and the host.

Like I mentioned basic static analyzers can easily falsely flag that an app is connecting to Facebook, when really it is just using a safe and open source library that Facebook made.

If you can actually observe the app connecting to Facebook, and the app isn’t Facebook itself, then I would strongly avoid it.

1 Like

Thanks for explaining!
I will check the full report to see what it’s for.

TrackerControl is a UI wrapper on top of NetGuard. I believe, it does hide away a lot of advanced NetGuard feature-set and presents its other features in a, imo, better UI. For that reason, I don’t think there would any discrepancies in what TrackerControl would filter vs what NetGuard might.

1 Like

I see. Thanks for clarifying!

I have found that some apps, even when blocked by a firewall app like AFWall+ (root) or NetGuard (non-root) can still access the internet though Google Play Services (includes Google Services Framework). Rumor is apps can also access the internet via Google Play Store, Chrome, Calendar & Contacts sync, or the Google app. I have all of these blocked and have background sync turned off and have no internet access problems with blocked apps.

Google Play Services is required if you use Google Maps. What I did was allow it access while I browsed maps I wanted cached, then I blocked access again. Be aware that on some devices if you clear the entire device cache you also clear your cached maps.

1 Like

Google Maps works just fine without Google Play Services last I checked.

What do you mean by “without Google Play Services”? If Play Services is not installed on the device then maybe there’s a fallback to not use it, which would be useful. What OS are you using?

There’s also https://f-droid.org/packages/us.spotco.maps/ but better use and contribute to OpenStreetMaps and the apps using it, like Organic Maps or OSMAnd~.

It’s “chicken and egg”, as OSM can’t get better if no one is using it or contributing, compared to the billions that Google pours into its services.

5 Likes

Speaking of maps, there seems to be 74 external communictions from Osmand Immuniweb Scan
(no offense to the developers)

Is Netguard capable of blocking these?

Link to the report? PIcture of hosts contacted on an actual device?

If the ‘scanner’ extracts ‘URL like strings’ from APKs and tells you it will connect to them, that’s not what it means.

A lot of them were just expected things.
I also think it treats linked items as “external communications”.
Some of them I wouldn’t expect to find in the F-Droid version, like Dropbox.
Might check myself later.

Attached is a screenshot of the page since it doesn’t allow linking.

Seems like no linking. You can search Osmand in and it will show you the result Mobile App Security Test | ImmuniWeb
(The full report doesn’t go into details about external communication.)

I don’t know much about coding or app components (?), but some of the hostnames like weibo, sina look … interesting. Would like to hear some description
Also there are apps that have few or 0 external communications from, so I don’t think it just extract URL from APKs. Correct me if I’m wrong

Thanks for the long screenshot!

Seems like facebook, reddit, etc are kind of common for hostname (?) but it may not necessarily be a bad thing?