How to know if apps exchange data with other apps?

I have found that some apps, even when blocked by a firewall app like AFWall+ (root) or NetGuard (non-root) can still access the internet through Google Play Services (includes Google Services Framework). Rumor is apps can also access the internet via Google Play Store, Chrome, Calendar & Contacts sync, or the Google app. I have all of these blocked and have background sync turned off and have no internet access problems with blocked apps.

Google Play Services is required if you use Google Maps. What I did was allow it access while I browsed maps I wanted cached, then I blocked access again. Be aware that on some devices if you clear the entire device cache you also clear your cached maps.

1 Like

Google Maps works just fine without Google Play Services last I checked.

What do you mean by “without Google Play Services”? If Play Services is not installed on the device then maybe there’s a fallback to not use it, which would be useful. What OS are you using?

There’s also https://f-droid.org/packages/us.spotco.maps/ but better use and contribute to OpenStreetMaps and the apps using it, like Organic Maps or OSMAnd~.

It’s “chicken and egg”, as OSM can’t get better if no one is using it or contributing, compared to the billions that Google pours into its services.

5 Likes

Speaking of maps, there seem to be 74 external communications from Osmand Immuniweb Scan
(no offense to the developers)

Is Netguard capable of blocking these?

Link to the report? Picture of hosts contacted on an actual device?

If the ‘scanner’ extracts ‘URL like strings’ from APKs and tells you it will connect to them, that’s not what it means.

A lot of them were just expected things.
I also think it treats linked items as “external communications”.
Some of them I wouldn’t expect to find in the F-Droid version, like Dropbox.
Might check myself later.

Attached is a screenshot of the page since it doesn’t allow linking.

Seems like no linking. You can search Osmand in and it will show you the result Mobile App Security Test | ImmuniWeb
(The full report doesn’t go into details about external communication.)

I don’t know much about coding or app components (?), but some of the hostnames like weibo, sina look … interesting. Would like to hear some description
Also there are apps that have few or 0 external communications from, so I don’t think it just extracts URLs from APKs. Correct me if I’m wrong

Thanks for the long screenshot!

Seems like facebook, reddit, etc are kind of common for hostname (?) but it may not necessarily be a bad thing?

Can I see a screenshot from Netguard when OSMand~ from F-Droid tries to connect to Facebook and the other please?

I only ever saw connections to osmand.net to download maps or openstreetmap.org.
I guess I could see Mapilarity (sp?) ones if I enable that function…

So I see the strings, VirusTotal but those are for OAuth… so, I guess that the OAuth lib that OSMAnd~ uses can be used for those services too, again, no issue there, as it’s FOSS… we need to see a network log when one talks about CONNECTIONS!

2 Likes

I don’t have Netguard so can’t do so.
Does Netguard show the activity related to Webview?

Chill man. Why do you think I/we should know what an internet log is or how the internet works? Not everyone is familiar with these or a native English speaker

I never say anything about connection. Just raising some questions here

Peace

Yes, of all…

Well you were rather familiar with some random scanner of the Internet that gave false positives. And you trusted that more than the F-Droid workflow/process.

We are rather chill, and we do appreciate you “raising some questions”, but you’ll need to answer some too, do some research, in English or your native language.

3 Likes

I wouldn’t call that a random scanner ImmuniWeb wiki
If apps on F-Droid had some third party review tools like Exodus on Aurora Store, I wouldn’t have to find a “random” scanner.
As for false positives, it only says external communication. It’s only a community free edition but it also has a security rating.

First, why do you keep assuming? All I did was ask about what the scan results meant.

Second, I don’t know you. Some rather objective scanner reveals much more.
Like the other post about conspiracy said, we should treat all apps with caution. I think these tools should be shared, including the one you gave, especially among those like me who don’t understand coding.

Third, excuse me, did I miss any post? What is the F-Droid process? I thought it’s all free here.

εxodus (not up to date but…)

But F-Droid apps are scanned with Exodus tooling already, and that covers actual code, classes, of known tracking and bad stuff. Not just random strings from the app.

I wouldn’t call that a random scanner ImmuniWeb wiki

If I’d make an app that had in code the text “This app does not connect to https://facebook.com” then that scanner will report that it literally connects to facebook.com

As for false positives, it only says external communication.

But that’s a LIE. To check for “external communication” one needs to RUN the app on a real or emulated device and then capture the network connections. Do they do that? I think not…

It’s only a community free edition but it also has a security rating.

Care to explain this phrase?

Second, I don’t know you. Some rather objective scanner reveals much more.

They are not objective, they want to sell their snake-oil, and they do this with FUD.

Like the other post about conspiracy said, we should treat all apps with caution. I think these tools should be shared, including the one you gave, especially among those like me who don’t understand coding.

I agree, I still await for that report that we can take on serious.

Third, excuse me, did I miss any post? What is the F-Droid process? I thought it’s all free here.

Yes, the code is free, everything needs to be transparent, no secrets, no sneaking around. No closed source dependencies. And any “user unfriendly” features need to be marked and advertised front and center: Build Metadata Reference | F-Droid - Free and Open Source Android App Repository

To find these and other, we analyze the apps, we run them, test them, as much as possible. Do things evade our detection? Does new info arise? Yes, and we go back and nuke any bad versions, and fix what can be fixed.

4 Likes

Exodus is similarly inaccurate, at least the way users tend to view it. It is a tool that simply scans the binary for “suspect” strings. While I suspect it’s worth using on proprietary software, from my recollection every time I’ve seen someone post an Exodus report on a free/libre app (or at least one built and published by F-Droid) it was either a false positive (i.e. stubbed out), something totally benign, turned off by default, etc.

The point stands, a tool that simply scans for strings in a binary can’t tell you what the app is actually doing at runtime. You need deeper analysis for that, either runtime analysis or manually inspecting the source code or analyzing the bytecode itself to see what the app does or will do.

6 Likes
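The difference between a string scanner and a network log, as argued in the two posts above, can be shown concretely. This is an added illustration, not code from ImmuniWeb, Exodus, NetGuard or OsmAnd: the APK string table and the NetGuard-style log lines are constructed, and the log line format is an assumption, not NetGuard’s real export format.

```python
import re

# URL-like pattern of the kind a static "external communication" scanner
# pulls out of an APK's string table (an assumption about how such scanners work).
URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

# Constructed stand-in for an APK's string table: one real download endpoint,
# one unused OAuth-library constant, one disclaimer that only names a host.
FAKE_APK_STRINGS = b"\x00".join([
    b"https://download.osmand.net/download?standard=yes",
    b"https://graph.facebook.com/oauth/access_token",
    b"This app does not connect to https://facebook.com",
    b"https://api.openstreetmap.org/api/0.6/",
])

# Constructed NetGuard-style access log: date time package port host verdict
# (format assumed for this example, not NetGuard's actual export).
FAKE_NETGUARD_LOG = """\
2023-05-01 10:02:13 net.osmand.plus 443 download.osmand.net allowed
2023-05-01 10:02:14 net.osmand.plus 443 download.osmand.net allowed
2023-05-01 10:05:40 net.osmand.plus 443 api.openstreetmap.org allowed
""".splitlines()


def static_hosts(blob: bytes) -> set:
    """What a string scanner reports: every host named anywhere in the binary."""
    return {m.group(1).decode() for m in URL_RE.finditer(blob)}


def runtime_hosts(log_lines, package: str) -> set:
    """What a network log shows: hosts the package actually connected to."""
    hosts = set()
    for line in log_lines:
        parts = line.split()
        if len(parts) == 6 and parts[2] == package:
            hosts.add(parts[4])
    return hosts


def triage(blob: bytes, log_lines, package: str) -> dict:
    """Split the static report into hosts confirmed at runtime and hosts never seen."""
    reported = static_hosts(blob)
    observed = runtime_hosts(log_lines, package)
    return {
        "observed": sorted(reported & observed),      # real external communication
        "unconfirmed": sorted(reported - observed),   # candidate false positives
        "unreported": sorted(observed - reported),    # runtime-only, e.g. built dynamically
    }


if __name__ == "__main__":
    print(triage(FAKE_APK_STRINGS, FAKE_NETGUARD_LOG, "net.osmand.plus"))
```

The scanner view lists facebook.com twice over; the log view, which is the evidence the thread asks for, shows only the map servers.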

Good to know that. Maybe you can add what tools or methods you use on the about page. It would reveal more information

If you do that and share the results, I will believe you. But right now you’re only assuming
The hostname it lists out isn’t invalid tbf. Just not full URL

I don’t know how it’s run but I think you assumed too fast. One should give out proof before accusing the other of lying.
It takes more than 20 minutes to get a scan done, sometimes an hour. Maybe they do idk
They use OWASP, an open source scanning tool. Maybe you know it

FYI, the scanning tool you gave is owned by Google. Enough said

You using “they” here is pretty vague. The website I gave does business with corporations, not the public. They also share online security information in their blog. Not really FUD.

I said that on the 19th post. It doesn’t list out the entire URLs in full report. It’s only a community free edition we’re using.

Good to know that and I’m sure you’d do that. Consider listing out the process you use.

1 Like

I find it quite accurate imo. Most if not all FOSS apps I checked have the same result as TrackerControl reveals, but I’m not an expert on this.

(Just tryna give some justice to the scanning tool I gave, I don’t think it merely extracts URLs. Some apps I checked have few or 0.)
Would love more recommendations on that!

I suppose misleading is a better term than inaccurate. I don’t want to suggest Exodus is a bad tool, but users have the wrong expectations of it.

What it purports to do: find “tracker” classes in apps
What it actually does: find classes with the same name as known “tracker” classes (as explained by someone who is a contributor to Exodus). This is a subtle distinction, and irrelevant ~99% of the time, but e.g. when those classes are replaced with do-nothing stub classes, Exodus won’t be able to tell the difference. Fennec F-Droid and its derivatives are a high-profile example of this and one that I find I have to explain over and over and over, despite the developer stating such in this thread (maybe it should be explained on the app page itself).
What users expect it to do: tell you if an app is spying on you. Even if Exodus is able to accurately tell when a class is a known “tracker” class (and not a stub), it can’t tell you if or where that class is actually used, how it is configured, and so on. For example, the “tracker” may be a crash reporting tool (which is different than, say, an ads or analytics library) and is only used if the user opts in to it, and only when a crash happens. You need to actually inspect the bytecode or source code, or observe the app’s behavior at runtime, to answer the question of whether the app shares data with other apps or with a network service.

Exodus is indeed used in the F-Droid review process alongside other tests, including actually running the APK to determine its behavior at run time. I think that is a good use of Exodus. However, Exodus and tools like it cannot answer the question in the thread title or any question as to what the app does at run time, because they do not analyze run time behavior.

As to whether F-Droid should include tools like Exodus in the client, for users to use, I don’t think that is a good idea. I think Aurora Store doing so makes sense in the case of proprietary applications (where developers generally do not care about user privacy), but F-Droid reviewers already use Exodus in a more appropriate way, and Exodus reports of apps in F-Droid are either superfluous at best or misleading at worst.

5 Likes
