Mysplash uses Bugly, needs tracking antifeature

Mysplash added Bugly analytics and crash reporting with version 3.7.1; the manifest needs to be updated.

I’ve also opened an issue with the developer because there is no disclaimer about it and this violates GDPR.

Ref: https://github.com/WangDaYeeeeee/Mysplash/issues/77

This won’t update since versionName/Code were not yet updated: https://github.com/WangDaYeeeeee/Mysplash/blob/3.7.5/app/build.gradle#L10

This Bugly also seems to be proprietary. Does anyone know what the Bugly Software License, Version 1.0 is? The link to the license text is broken.

I found this on GitHub but I think it’s outdated, and there’s no license: https://github.com/BuglyDevTeam/Bugly-Android
So I think it IS proprietary. Holy crap.

This is terrible. This is the third time I have found some dev sneaking analytics into an app after it’s been accepted by F-Droid. We need to do something about it, like analyzing the generated APK with ClassyShark to make sure it doesn’t contain trackers that were not declared in the manifest. Personally I would ban third party analytics altogether.

1 Like
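The check proposed in the post above (scan the built APK for tracker classes that the app's metadata does not declare), as an added example that is not part of the original thread and is not F-Droid's or ClassyShark's code. The `Lcom/tencent/bugly/` class prefix, the list of anti-features passed in by the caller, and the sample APK builder are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

# Assumption: class-descriptor prefix of the SDK named in the thread; extend as needed.
TRACKER_PREFIXES = {"Bugly": "Lcom/tencent/bugly/"}

def dex_strings(dex: bytes):
    """Yield every entry of a DEX string table (class descriptors live there)."""
    if dex[:4] != b"dex\n":
        return
    count, table_off = struct.unpack_from("<II", dex, 0x38)  # string_ids_size, string_ids_off
    for i in range(count):
        (pos,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        while dex[pos] & 0x80:           # skip the ULEB128 length prefix
            pos += 1
        pos += 1
        end = dex.index(b"\x00", pos)    # MUTF-8 data is NUL-terminated
        yield dex[pos:end].decode("utf-8", "replace")

def trackers_in_apk(apk: bytes) -> set:
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in z.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                for s in dex_strings(z.read(name)):
                    found |= {t for t, p in TRACKER_PREFIXES.items() if s.startswith(p)}
    return found

def undeclared_trackers(apk: bytes, anti_features: list) -> set:
    """Trackers present in the APK while the metadata lacks the Tracking anti-feature."""
    return set() if "Tracking" in anti_features else trackers_in_apk(apk)

def build_sample_apk(class_descriptors) -> bytes:
    """Constructed test input: a DEX carrying only the header fields read above."""
    data = [bytes([len(s)]) + s.encode() + b"\x00" for s in class_descriptors]
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<II", header, 0x38, len(data), 0x70)
    offsets, pos = [], 0x70 + 4 * len(data)
    for d in data:
        offsets.append(pos)
        pos += len(d)
    dex = bytes(header) + struct.pack(f"<{len(data)}I", *offsets) + b"".join(data)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex)
    return buf.getvalue()
```

A prefix match like this misses SDK code that has been repackaged or obfuscated, which is the limitation raised further down the thread.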

https://github.com/WangDaYeeeeee/Mysplash/search?q=bugly&unscoped_q=bugly with cleartextTrafficPermitted.

https://bugly.qq.com/docs/user-guide/instruction-manual-android/?v=20180312155926

Slightly different than com.thirtydegreesray.openhub_30 (OpenHub): a Tencent AAR inclusion https://github.com/ThirtyDegreesRay/OpenHub/blob/f5db8c0544c02ba04eef3c9a92aadfe4f5687185/app/build.gradle#L166

(“half-halted”: https://gitlab.com/fdroid/fdroidserver/issues/566 )

I’m surprised that that issue has been open for more than a year.

Seriously, we have the most annoying lint on earth that will reject manifests for having an extra whitespace, but I can sneak in proprietary third party analytics and nobody bats an eye?

Basically, F-Droid is a collaborative project: no additional GitLab reviewers => no new additional features/controls.

… bring your voice to gitlab,

I was (positively) surprised by the low number of F-Droid apps with trackers. It would be great if the F-Droid (expert) community could identify all true open source trackers in the Exodus database, so this information could reach ExodusPrivacy end-users (?)

Why?

It will seriously help scan and signature reliability if we know whether a tracker is open source or not (especially also because open source code can be pasted & obfuscated/scrambled in APK code).

As an example of possibly biased integration: the new Facebook debugging tool Flipper is (MIT) open source https://github.com/facebook/flipper#contributing-to-flipper .

This is also why, imho, fdroid should discourage use of obfuscation :

btw @dosse91, imho, your FairEmail thread should be softened/edited, especially considering M66B’s thoughtfulness and skill…
