This fdroid repo version of this “privacy respecting” app contains user tracking telemetry spyware as reported by exodus.
The app is not transparent about it as it is not listed in the credits section with all their other components. There is no way to opt-out or turn it off in the settings.
Be aware.
I dug a bit into the source code and the apk. From looking at the code alone one can’t tell if the crash report is actually enabled; the build configuration depends on some unpublished file. But looking into the apk allows one to reconstruct it. These are my findings:
the crash handler is compiled in and also enabled (BuildConfig.ENABLE_ACRA=true)
the crash handler is configured to dialog mode. According to the ACRA documentation (https://www.acra.ch/docs/Interactions#dialog) that means that user interaction is required for sending (a popup dialog with a cancel button).
4.1. If the app crashes, you may be asked if you wish to submit a crash report. If you accept, your device information and crash details will be sent to us for the purposes of investigating the crash and improving the software.
Can you give more details of the scan result? Exodus only lists the Play store version. I installed the F-Droid version but the Exodus app reports it as “same version” and just shows the clean Google Play Store results. This is obviously wrong; the SHA1 listed for the Play Store version on the Exodus website is different from the F-Droid .apk I have installed. Sadly the Exodus website does not support scanning F-Droid apps from third-party repos so I have no idea how to scan it.
That being said, according to the privacy policy (https://voiceinput.futo.org/VoiceInput/PrivacyPolicy), the F-Droid .apk version should have some kind of crash report built in. So I could imagine that this might get flagged.
Sure, there is a Google developer tool called classyshark which scans the code of any installed Android app and reports every class which you can view.
There is a version on fdroid which uses the exodusprivacy database (version eof443) to highlight any classes which match their tracking database. If you install the fdroid version of classyshark and then install the Google Play or fdroid version of this app, you will see the telemetry framework they added, plus you can look at every class and see exactly what it does and what data it is collecting and leaking.
In this case there is a lot of telemetry code in this app. The issue is that it appears to be opt-in and the app itself does not contain any warning or setting to allow the user to disable it. This is disappointing for an app which is advertised as being privacy respecting.
Regarding why exodus does not show the tracking on their website, I believe the exodus website is manually maintained. 3 times in the past I found trackers in apps that were listed on exodus as being clean. The exodus guys said this typically happens when a developer adds telemetry to a new version and the site was not updated yet. Each of the 3 times they updated their website to include the trackers after I found them with classyshark and reported it.
Anyway with classyshark you don’t need to take anyone’s word for it, you can scan your apps yourself and it works offline too so you don’t even need to send hashes to the web to check your stuff.
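As an added example (not code from the thread, from FUTO, or from the Exodus or ClassyShark projects), the Python script below does offline what the ClassyShark3xodus scan described above does: it walks every classes*.dex inside an APK, lists the descriptors of the classes defined there, and counts the ones under a tracker's package prefix, which is how a result of the form "1 tracker = N classes" comes about. The only prefix it knows is org.acra., ACRA's Java package on GitHub; that mapping is my assumption for illustration, not a copy of the Exodus signature database. build_test_dex and demo construct a synthetic two-dex "APK" in memory so the script runs with no real APK at hand; pass a path on the command line to scan a real one.

```python
"""Offline tracker-class count for an APK, the way ClassyShark3xodus does
it: read every classes*.dex, list class descriptors, match tracker package
prefixes.  Added example; not code from the thread, FUTO or Exodus."""
import io
import struct
import sys
import zipfile
from typing import Dict, List

# ACRA's Java package is org.acra (github.com/ACRA/acra).  This mapping is
# this example's own assumption, not the Exodus database's signature list.
TRACKER_PREFIXES: Dict[str, List[str]] = {"ACRA": ["Lorg/acra/"]}


def _read_uleb128(data: bytes, off: int):
    result, shift = 0, 0
    while True:
        b = data[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def _read_string(data: bytes, off: int) -> str:
    # string_data_item: uleb128 utf16_size, then MUTF-8 bytes, NUL-terminated
    _, off = _read_uleb128(data, off)
    return data[off:data.index(b"\x00", off)].decode("utf-8", "replace")


def dex_class_descriptors(dex: bytes) -> List[str]:
    """Descriptor (e.g. 'Lorg/acra/ACRA;') of every class defined in a DEX,
    read from the header, string_ids, type_ids and class_defs tables only."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    str_n, str_off = struct.unpack_from("<II", dex, 0x38)
    typ_n, typ_off = struct.unpack_from("<II", dex, 0x40)
    cls_n, cls_off = struct.unpack_from("<II", dex, 0x60)
    strings = [_read_string(dex, struct.unpack_from("<I", dex, str_off + 4 * i)[0])
               for i in range(str_n)]
    types = [strings[struct.unpack_from("<I", dex, typ_off + 4 * i)[0]]
             for i in range(typ_n)]
    # class_def_item is 32 bytes; its first uint is class_idx into type_ids
    return [types[struct.unpack_from("<I", dex, cls_off + 32 * i)[0]]
            for i in range(cls_n)]


def count_tracker_classes(descriptors, prefixes=TRACKER_PREFIXES) -> Dict[str, int]:
    counts = {name: 0 for name in prefixes}
    for d in descriptors:
        for name, pfx in prefixes.items():
            if any(d.startswith(p) for p in pfx):
                counts[name] += 1
    return counts


def scan_apk(apk_file, prefixes=TRACKER_PREFIXES) -> Dict[str, int]:
    """apk_file: path or file object; walks classes.dex, classes2.dex, ..."""
    descriptors: List[str] = []
    with zipfile.ZipFile(apk_file) as apk:
        for name in apk.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                descriptors.extend(dex_class_descriptors(apk.read(name)))
    return count_tracker_classes(descriptors, prefixes)


def build_test_dex(descriptors: List[str]) -> bytes:
    """Constructed test input: minimal DEX (no checksum, no code) with only
    the tables dex_class_descriptors reads.  ASCII descriptors < 128 chars."""
    n, hdr = len(descriptors), 0x70
    str_off, typ_off, cls_off = hdr, hdr + 4 * n, hdr + 8 * n
    data_off = cls_off + 32 * n
    header = bytearray(hdr)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<II", header, 0x38, n, str_off)
    struct.pack_into("<II", header, 0x40, n, typ_off)
    struct.pack_into("<II", header, 0x60, n, cls_off)
    body, data = bytearray(), bytearray()
    for d in descriptors:
        body += struct.pack("<I", data_off + len(data))   # string_id -> string data
        data += bytes([len(d)]) + d.encode("ascii") + b"\x00"
    for i in range(n):
        body += struct.pack("<I", i)                      # type_id -> string i
    for i in range(n):
        body += struct.pack("<I", i) + bytes(28)          # class_def: class_idx + 7 unused
    return bytes(header + body + data)


def demo() -> Dict[str, int]:
    """Constructed two-dex 'APK' in memory: two ACRA classes, one app class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", build_test_dex(
            ["Lorg/acra/ACRA;", "Lorg/futo/voiceinput/MainActivity;"]))
        z.writestr("classes2.dex", build_test_dex(["Lorg/acra/config/CoreConfiguration;"]))
    buf.seek(0)
    return scan_apk(buf)


if __name__ == "__main__":
    print(scan_apk(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Two caveats a practitioner should keep in mind. Prefix matching on class names misses a library whose packages were renamed by R8/ProGuard, and that limitation applies equally to database-driven tools. And a class count only shows the library is compiled in; whether reporting is enabled and in which mode (the BuildConfig.ENABLE_ACRA and dialog-mode findings earlier in the thread) has to be read from the decompiled BuildConfig and ACRA configuration with a decompiler such as jadx.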
The reported tracker is ACRA, a crash report library (https://github.com/ACRA/acra).
Unfortunately they go with their own custom licence and AFAIK it’s not open source as it does not allow commercial use.
Thank you, I’ll look into it.
ClassyShark3xodus is the app on fdroid; it’s a great tool, works offline and is itself spyware free, source is on GitLab.
I didn’t install/scan it myself, but the exodus site shows no trackers on Google play version. https://reports.exodus-privacy.eu.org/en/reports/org.futo.voiceinput/latest/
I installed the version from the repo on their website: app.futo.org/fdroid/repo
It contains trackers: 1 tracker = 266 classes.
I also downloaded the Google play version. It also contains the same spyware:
1 tracker = 266 classes.