Hi there
Can anyone tell me what are the rustdesk tracking features (when are being used) and how to opt-out?
Also why does some antiviruses pick it up as virus?
Thank you
Hi there
Can anyone tell me what are the rustdesk tracking features (when are being used) and how to opt-out?
Also why does some antiviruses pick it up as virus?
Thank you
F-Droid Client shows the reason, or you can read it here: metadata/com.carriez.flutter_hbb.yml · master · F-Droid / Data · GitLab
you can’t opt-out iirc, right @basilgello ?
Also why does some antiviruses pick it up as virus?
just read the red text that says “not a virus, but can be used as a remote control tool”
also see the developers message here: Releases · rustdesk/rustdesk · GitHub big banner
Thanks! I see now. But what device info it means? IMEI? Mac?
or just the model?
Also that applies to both controlling device and the device you using (without a rustdesk ID) to connect to the secondary device?
Feel free to ask them: rustdesk/rustdesk · Discussions · GitHub
I tried to respond yesterday via email but it seems the functionality is turned off despite advertised.
The antifeature in question comes from these places in Rustdesk source code:
rustdesk/src/common.rs at master · rustdesk/rustdesk · GitHub leaks the query of release on startup to github (but without any additional parameters apart from “usual” HTTP GET request)
rustdesk/src/common.rs at master · rustdesk/rustdesk · GitHub leaks the fact of connection to RD’s public rendezvous server (but again, without any additional parameters other than TCP connection)
rustdesk/src/common.rs at master · rustdesk/rustdesk · GitHub leaks device internal serial number to RD’s rendezvous server for NAT hole punching purposes.
The serial number is returned by rendezvous server as I could not find the code generating auto serial number. It is stored in Rustdesk2.toml and its starting default value is 3. On my device, serial returned by server is 0
Now turning off these checks is pretty trivial but for best UX I need to add new UI controls to let user opt out of these checks at startup. I have prepared a preliminary PR for this but Huabing does not seem very interested to push it in.
Hi Basilgello.
Thank you for your response.
Is the code able to grab device serial number if android version is 10 or newer? I read that they made it not possible for apps to get IMEI and serial.
Moreover, what’s the fingerprint id?
Does rustdesk collect those data for both devices? (controlling and the remote?)
Also would like to ask you, how is the connection made? is it p2p? is it possible for an infected android device (the one that shares the screen) to transfer any virus to another android device (the one which I use to connect to the other?)
Thank you
On android and iOS, the keypair hash is used to determine automatic device ID. On other platforms, automatic device ID is derived from MAC address using sys_info crate.
Yes, for every device contacting their public infrastructure.
No it is not possible to infect controlling device unless there is 0-day inside Rustdesk.
Thank you for the information!
Does the web version works? I keep getting time out when I try to connect to a remote device, though with the app it works great
Hm this is sad to hear, Rustdesk could have been a good app.
But no information from app/developer about tracking behavior and apparently no incentive to change it. I am not fully aware of potential security implications either.
Especially given a remote control app, this is an instant loss of trust for me.