• hummingbird@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    Can you give more details of the scan result? Exodus only lists the Play store version. I installed the F-Droid version but Exodus app reports it as “same version” and just shows the clean Google Play Store results. This is obviously wrong, the SHA1 listed for the Play Store version on the Exodus website is different compared to the F-Droid .apk I have installed. Sadly the Exodus website does not support scanning F-Droid apps from third-party repos so I have no idea how to scan it.

    That being said, according to the privacy policy (https://voiceinput.futo.org/VoiceInput/PrivacyPolicy), the F-Droid .apk version should have some kind of crash report build-in. So I could imagine that this might get flagged.

    • Melco@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      Sure, there is a Google developer tool called classyshark which scans the code of any installed Android app and reports every class which you can view.

      There is a version on fdroid which uses the exodusprivacy database, version (eof443) to highlight any classes which match their tracking database. If you install the fdroid version of classyshark then install the Google play or fdroid version of this app you will see the telemetry framework they added plus you can look at every class and see exactly what it does and what data it is collecting and leaking.

      In this case there is a lot of telemetry code in this app. The issue is that it appears to be opt-in and the app itself does not contain any warning or setting to allow the user to disable it. This is disappointing for an app which is advertised as being privacy respecting.

      Regarding why exodus does not show the tracking on their website, I believe the exodus website is manually maintained. 3 times in the past I found trackers in apps that were listed on exodus as being clean. The exodus guys said this typically happens when a developer adds telemetry to a new version and the site was not updated yet. Each of the 3 times they updated their website to include the trackers after I found them with classyshark and reported it.

      Anyway with classyshark you don’t need to take anyone’s word for it, you can scan your apps yourself and it works offline too so you don’t even need to send hashes to the web to check your stuff.