this post was submitted on 06 Oct 2023
81 points (77.6% liked)
Open Source
31205 readers
201 users here now
All about open source! Feel free to ask questions, and share news, and interesting stuff!
Useful Links
- Open Source Initiative
- Free Software Foundation
- Electronic Frontier Foundation
- Software Freedom Conservancy
- It's FOSS
- Android FOSS Apps Megathread
Rules
- Posts must be relevant to the open source ideology
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
- !libre_culture@lemmy.ml
- !libre_software@lemmy.ml
- !libre_hardware@lemmy.ml
- !linux@lemmy.ml
- !technology@lemmy.ml
Community icon from opensource.org, but we are not affiliated with them.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Edit: @Melco@lemmy.world actually appears to be right, check my comments down below
~~> This fdroid repo version~~
~~How did you find it on F-Droid? What repos do you use?~~
~~> contains user tracking telemetry spyware as reported by exodus~~
~~Also, what you said there doesn't match the exodus report at all.~~
~~You might have confused something and looked at the wrong app.~~ ~~Please only stick to the official sources.~~ ~~The official website for Futo VoiceInput is https://voiceinput.futo.org/.~~ ~~The Git repository is located at (their selfhosted GitLab instance) https://gitlab.futo.org/alex/voiceinput. Currently, they don't have an F-Droid release.~~
~~I am not affiliated with Futo, I just want to prevent misunderstandings.~~
Please be more explicit about the so-called "tracker" reported by exodus here. "Tracker" is a broad term that covers not just actual tracking and ad libraries but also crash detection and error reporting libraries, which can be useful as long as they are opt-in with informed user consent. Without knowing the exact library detected here, and how it is used, one cannot assess whether it is truly spyware or not.
From a cursory glance at the build.gradle I do see ACRA as a dependency here, which is sometimes (mistakenly) considered as a "tracker" but is actually a free software crash reporting library used by many free software Android apps including NewPipe and the F-Droid client itself. A cursory search across the codebase reveals ACRA is not even always enabled (it seems to depend on build configuration) and this dialog appears to be where the user is asked for consent for sharing a crash report.
Of course, Exodus can't tell how a library is used or even if it's used at all, it just sees a scary class name and warns about trackers. It might be useful to check if some proprietary app has suspicious behavior but it is by no means an actual malware scanner.
edit: it doesn't appear Exodus considers ACRA as a "tracker" as it is not included in their list however my point still stands. an Exodus report by itself isn't proof of nefarious activity unless backed up with more concrete evidence e.g. network analysis or source code analysis.
edit 2: I just installed ClassyShark and ran it on NewPipe, and it does show ACRA as a "tracker" however Exodus itself says NewPipe has no trackers. ClassyShark has not been updated in over a year so I assume it is using an out of date database. Something like TrackerControl which is more actively updated might be a better alternative.
I swear I only saw the Google Play link and the APK download link when I check their site like 5 hours ago. You're actually right, I checked the app from their F-Droid repo and your results appear to be correct. I was really confused when I saw this, as it doesn't make any sense to put trackers in the F-Droid version, but not include them in the Google play version. It's just weird, misleading and confusing. I have no idea what's going on there, and why they made these decisions.
They mention they have an F-Droid repo on their website (that you linked): https://app.futo.org/fdroid/repo?fingerprint=39D47869D29CBFCE4691D9F7E6946A7B6D7E6FF4883497E6E675744ECDFA6D6D
Maybe that's what the comment above meant?
I swear I only saw the Google Play link and the APK download link when I check their site like 5 hours ago.
Maybe they just added it between your comment and mine. After all these things have to be added and updated at some point... maybe we caught the magic moment!
Yeah I checked the archive. When I wrote the my original comment, the website looked like this: https://archive.ph/8swgn