How to know if apps exchange data with other apps?

Can I see a screenshot from Netguard when OSMand~ from F-Droid tries to connect to Facebook and the other please?

I only ever saw connections to osmand.net to download maps or openstreetmap.org.
I guess I could see Mapilarity (sp?) ones if I enable that function…

So I see the strings, VirusTotal but those are for OAuth… so, I guess that the OAuth lib that OSMAnd~ uses can be used for those services too, again, no issue there, as it’s FOSS… we need to see a network log when one talks about CONNECTIONS!

2 Likes

I don't have Netguard so can't do so.
Does Netguard show the activity related to Webview?

Chill man. Why do you think I/we should know what an internet log is or how the internet works? Not everyone is familiar with these or a native English speaker.

I never said anything about connections. Just raising some questions here.

Peace

Yes, of all…

Well you were rather familiar with some random scanner of the Internet that gave false positives. And you trusted that more than the F-Droid workflow/process.

We are rather chill, and we do appreciate you “raising some questions”, but you’ll need to answer some too, do some research, in English or your native language.

3 Likes

I wouldn’t call that a random scanner ImmuniWeb wiki
If apps on Fdroid have some third party review tools like Exodus on Aurora Store, I wouldn’t have to find a “random” scanner.
As for false positives, it only says external communication. Only a community free edition, but it also has a security rating.

First, why do you keep assuming? All I did was ask about what the scan results meant.

Second, I don’t know you. Some rather objective scanner reveals much more.
Like the other post about conspiracy said, we should treat all apps with caution. I think these tools should be shared, including the one you gave, especially among those like me who don’t understand coding.

Third, excuse me did I miss any post? What is the Fdroid process? I thought it’s all free here.

εxodus (not up to date but…)

But F-Droid apps are scanned with Exodus tooling already, and that covers actual code, classes, of known tracking and bad stuff. Not just random strings from the app.

I wouldn’t call that a random scanner ImmuniWeb wiki

If I made an app that had in its code the text “This app does not connect to https://facebook.com” then that scanner would report that it literally connects to facebook.com

As for false positives, It only says external communication.

But that’s a LIE. To check for “external communication” one needs to RUN the app on a real or emulated device and then capture the network connections. Do they do that? I think not…

Only a community free edition but also have security rating.

Care to explain this phrase?

Second, I don’t know you. Some rather objective scanner reveals much more.

They are not objective, they want to sell their snake-oil, and they do this with FUD.

Like the other post about conspiracy said, we should treat all apps with caution. I think these tools should be shared, including the one you gave, especially among those like me who don’t understand coding.

I agree, I still await that report that we can take seriously.

Third, excuse me did I miss any post? What is the Fdroid process? I thought it’s all free here.

Yes, the code is free, everything needs to be transparent, no secrets, no sneaking around. No closed source dependencies. And any “user unfriendly” features need to be marked and advertised front and center: Build Metadata Reference | F-Droid - Free and Open Source Android App Repository

To find these and other, we analyze the apps, we run them, test them, as much as possible. Do things evade our detection? Does new info arise? Yes, and we go back and nuke any bad versions, and fix what can be fixed.

4 Likes

Exodus is similarly inaccurate, at least the way users tend to view it. It is a tool that simply scans the binary for “suspect” strings. While I suspect it’s worth using on proprietary software, from my recollection every time I’ve seen someone post an Exodus report on a free/libre app (or at least one built and published by F-Droid) it was either a false positive (i.e. stubbed out), something totally benign, turned off by default, etc.

The point stands, a tool that simply scans for strings in a binary can’t tell you what the app is actually doing at runtime. You need deeper analysis for that, either runtime analysis or manually inspecting the source code or analyzing the bytecode itself to see what the app does or will do.

6 Likes

Good to know that. Maybe you can add what tools or methods you use on the about page. It would reveal more information

If you do that and share the results, I will believe you. But right now you’re only assuming
The hostname it lists out isn’t invalid tbf. Just not the full URL.

I don’t know how it’s run but I think you assumed too fast. One should give out proof before accusing the other is lying.
It takes more than 20 minutes to get a scan done, sometimes an hour. Maybe they do idk
They use OWASP, an open source scanning tool. Maybe you know it

FYI, the scanning tool you gave is owned by Google. Enough said

You using “they” here is pretty vague. The website I gave does business with corporations, not the public. They also share online security information in their blog. Not really FUD.

I said that on the 19th post. It doesn’t list out the entire URLs in full report. It’s only a community free edition we’re using.

Good to know that and I’m sure you’d do that. Consider listing out the process you use.

1 Like

I find it quite accurate imo. Most if not all FOSS apps I checked have the same result as TrackerControl reveals, but I’m not an expert on this.

(Just tryna give some justice to the scanning tool I gave, I don’t think it merely extracts URLs. Some apps I checked have few or 0.)
Would love more recommendations on that!

I suppose misleading is a better term than inaccurate. I don’t want to suggest Exodus is a bad tool, but users have the wrong expectations of it.

What it purports to do: find “tracker” classes in apps
What it actually does: find classes with the same name as known “tracker” classes (as explained by someone who is a contributor to Exodus). This is a subtle distinction, and irrelevant ~99% of the time, but e.g. when those classes are replaced with do-nothing stub classes, Exodus won’t be able to tell the difference. Fennec F-Droid and its derivatives are a high-profile example of this and one that I find I have to explain over and over and over, despite the developer stating such in this thread (maybe it should be explained on the app page itself).
What users expect it to do: tell you if an app is spying on you. Even if Exodus is able to accurately tell when a class is a known “tracker” class (and not a stub), it can’t tell you if or where that class is actually used, how it is configured, and so on. For example, the “tracker” may be a crash reporting tool (which is different from, say, an ads or analytics library) and is only used if the user opts in to it, and only when a crash happens. You need to actually inspect the bytecode or source code, or observe the app’s behavior at runtime, to answer the question of whether the app shares data with other apps or with a network service.

Exodus is indeed used in the F-Droid review process alongside other tests, including actually running the APK to determine its behavior at run time. I think that is a good use of Exodus. However, Exodus and tools like it cannot answer the question in the thread title or any question as to what the app does at run time, because they do not analyze run time behavior.

As to whether F-Droid should include tools like Exodus in the client, for users to use, I don’t think that is a good idea. I think Aurora Store doing so makes sense in the case of proprietary applications (where developers generally do not care about user privacy), but F-Droid reviewers already use Exodus in a more appropriate way, and Exodus reports of apps in F-Droid are either superfluous at best or misleading at worst.

5 Likes
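An added example (not from any poster, and not Exodus's own code) illustrating both points raised in the thread: the string-scanner false positive from the earlier "This app does not connect to https://facebook.com" reply, and the class-name-only matching described in the post above. It runs a string scanner and a name-based class match over a constructed, hypothetical class listing, then applies the deeper bytecode checks the post calls for (is the flagged class a stub, and does anything actually invoke it). All class names, signature patterns and the pseudo-instruction format are assumptions.

```python
import re

# Constructed sample "APK" contents (not a real app): extracted string literals
# plus a class listing mapping class name -> {method: [pseudo-instructions]}.
SAMPLE_STRINGS = [
    "This app does not connect to https://facebook.com",  # negative sentence
    "https://osmand.net/",                                 # real map download host
]
SAMPLE_CLASSES = {
    # Known "tracker" class name whose body was stubbed out at build time.
    "com.example.analytics.Tracker": {"logEvent": ["return-void"]},
    "org.example.MainActivity": {
        "onCreate": ["invoke org.example.MapLoader.load", "return-void"]},
    "org.example.MapLoader": {
        "load": ["const-string https://osmand.net/",
                 "invoke java.net.URL.openConnection", "return-void"]},
}
# Hypothetical tracker signature, matched on class-name prefix like Exodus does.
TRACKER_SIGNATURES = {"Example Analytics": re.compile(r"^com\.example\.analytics\.")}
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def hosts_from_strings(strings):
    """String scanner: every host literal is reported as 'external communication'."""
    return sorted({m.group(1) for s in strings for m in HOST_RE.finditer(s)})


def trackers_by_class_name(classes):
    """Exodus-style check: class names only; method bodies are never inspected."""
    return sorted(n for n in classes for p in TRACKER_SIGNATURES.values() if p.match(n))


def is_stub(methods):
    """A class whose every method just returns does nothing at run time."""
    return all(body == ["return-void"] for body in methods.values())


def is_referenced(target, classes):
    """Does any other class's bytecode invoke a method on the target class?"""
    return any(ins.startswith(f"invoke {target}.")
               for name, methods in classes.items() if name != target
               for body in methods.values() for ins in body)


def triage(classes, strings):
    """Shallow signals first, then the bytecode checks that qualify them."""
    report = {"hosts": hosts_from_strings(strings), "flagged": {}}
    for name in trackers_by_class_name(classes):
        report["flagged"][name] = {"stub": is_stub(classes[name]),
                                   "referenced": is_referenced(name, classes)}
    return report
```

On this input the string scanner reports facebook.com and the name match flags the tracker class, while the bytecode checks show that class is a stub nothing ever calls; only running the app would settle what it really sends.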
