RCX (io.github.x0b.rcx) has two trackers and 67 tracking classes: Microsoft Analytics and Microsoft Crash, but no Anti-Feature tag.

According to Exodus.

Considering that this app handles sensitive user credentials, this seems like a potential security violation.

There is an opt-out for “Contribute error reports” which may disable the Microsoft Crash modules, but what about the Analytics? Potentially sensitive information about app usage and user app data, including device fingerprinting or identification, may be sent to Microsoft servers, which is very much an anti-user feature.

I see F-Droid has a published high-level policy on Anti-Features https://f-droid.org/en/docs/Anti-Features/. Is there a more detailed technical explanation of how the Anti-Features tag is applied to apps?

Was there any public discussion with f-droid and the developer regarding these issues?

How can I as the user be assured that this app isn’t leaking everything to Microsoft Corp?

According to https://reports.exodus-privacy.eu.org/en/reports/io.github.x0b.rcx/latest/#trackers there are no trackers in the F-Droid version. If you downloaded the application from somewhere other than F-Droid (e.g. from GitHub releases), the number of trackers found in the analysis may differ.


The version in your report is 1.11.4. This is not the latest version, it is 6 months old.

The latest version of RCX in F-Droid is 1.12.1 (Added on 5/22/21). (https://f-droid.org/repo/io.github.x0b.rcx_210.apk). Running the ClassyShark3xodus app (from F-Droid) which also runs an exodus privacy scan reveals:

2 trackers = 67 Classes

Microsoft Visual Studio App Center Analytics

Microsoft Visual Studio App Center Crashes

I am not sure why the online exodus report shows version 1.11.4 as the latest version but it is not. I attempted to use their online analyzer tool to rescan the F-Droid repository and update the report however it does not detect the latest versions. You can validate this by the following:

  1. Installing the latest version of F-Droid (1.12.1)
  2. Installing the latest ClassyShark3xodus app from F-Droid (2.0-27)
  3. Installing the latest RCX from F-Droid (version 1.12.1)
  4. Opening ClassyShark3xodus and scanning RCX

The ClassyShark app will scan RCX and find 67 Microsoft Analytics classes.

Here is a screenshot of the Analysis:

Is it possible that Analytics for this app were removed when it was added to F-Droid and then added in again in later versions? What is the procedure of re-evaluating the anti-feature tags under these conditions?

Also, it appears that this one tracking-free version will be bumped from the list, as F-Droid only shows a few past releases. In a case like this, where an app developer removed tracking and then added it back in subsequent releases, is it possible to retain and display more versions? Privacy-aware users are now effectively frozen on this one old version.

What is very interesting, learned something.

What do you think about this? Do you know if app-private internal storage is in fact private from anything except root?

“Since the app does not (yet) support running with an encrypted configuration file, importing an encrypted config file will prompt for the password. The configuration will then be stored unencrypted in the app-private internal storage. For this reason running the app on a rooted device is discouraged.”

Very interesting that you bring this up. I was just thinking about how to mitigate this risk. It is a major security issue. The rclone binary does it correctly: if the app is using an encrypted config, then a password is prompted for every time. RCX should also do this rather than take a user's protected conf file, decrypt it once and store it on flash memory unprotected forever.

If the user is rooted, it is trivial for them or any app granted root to grab the config, which RCX has decrypted and stored in plaintext. Then you basically have the keys to the kingdom.

I don’t know if there are any technical reasons why this hasn’t been implemented, but there are many apps (2FA apps, secure messengers, password managers etc.) that store their data at rest properly, and many ways to accomplish this. Android even provides key stores and ways to securely store secrets.

Even on an unrooted device, relying on app-private internal storage is insufficient for any app that contains passwords or sensitive information. The Android ecosystem is rife with security problems, exploits and untimely OEM updates.

In this case RCX doesn’t even need to do any of this, just change the code: instead of decrypting permanently to storage, simply prompt for a password and decrypt temporarily to memory like the rclone binary does. RCX can’t mount or do anything beyond the basic function where this could cause issues, so this isn’t a concern.

Thank you for raising this important issue. I was trying to find a way to use the tracking-free version of RCX, but this is another show stopper, and it seems running the official rclone binary via Termux is the only safe answer at this time.

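The in-memory handling argued for in the post above, as an added example that is not RCX's or rclone's code: the password is requested for each operation, the config is unsealed only into a byte slice in RAM, and the slice is wiped once the operation is done, so no plaintext copy ever reaches app-private storage. The AES-GCM layout and the SHA-256 key derivation are constructed for illustration and are not rclone's actual encrypted-config format.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"io"
)

// newGCM derives a key from the prompted password. SHA-256 is a stand-in
// for illustration; a real app would use a slow KDF such as scrypt.
func newGCM(password string) (cipher.AEAD, error) {
	key := sha256.Sum256([]byte(password))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptConfig seals the config with AES-GCM, nonce first (constructed format).
func encryptConfig(plain []byte, password string) ([]byte, error) {
	gcm, err := newGCM(password)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// decryptConfigInMemory keeps the plaintext only in RAM; a wrong password fails to open.
func decryptConfigInMemory(blob []byte, password string) ([]byte, error) {
	gcm, err := newGCM(password)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, io.ErrUnexpectedEOF
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// zero overwrites the decrypted config once the operation that needed it is done.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}
```

The caller holds the returned slice only for the duration of one rclone operation and calls zero on it afterward; nothing is written back to disk.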

The Exodus database has been updated to scan for the latest version of RCX. It now scans the latest version of the app and shows two trackers: https://reports.exodus-privacy.eu.org/en/reports/185013/

