Anyone here use the Tasker app with GrapheneOS? Privacy implications?

43t34fg4

Same as title, basically. Tasker is pretty handy on some phones I have, but I keep my GOS Pixel device pretty vanilla with minimal apps on it (Signal, MySudo, etc). Do you guys trust Tasker? The Dev seems like a really nice guy overall.

The thing with Tasker is it uses most permissions on your phone. How do you guys feel about this? I understand from a privacy mindset that giving that app all those admin/device permissions and whatnot is a big red flag to the privacy community. I guess I'm just seeing if any of you "trust" Tasker on your GOS devices.

other8026

43t34fg4 The Dev seems like a really nice guy overall.

43t34fg4 trust

You can do what you want with your device, but the only advice anyone should be giving here is not to trust apps with special privileges. Unless you audit all of their code and audit all updates and audit all libraries or even the source to any binaries, then "trust" is all you have.

Not good from a security perspective.

43t34fg4

Bump

jackFang

Which app are we referring to? There are many "tasker" apps. Generally if its open source its great. If its not then nope

N1b

jackFang Generally if its open source its great. If its not then nope

This is too general for me. Rather "If it's solving your problem, is up to date and has a large userbase, open source is preferred to proprietary for privacy and security reasons".

An outdate open source app with no eyes on the code is not good.

jackFang

This is one example why open source is good

https://www.theverge.com/2024/2/22/24080135/avast-security-privacy-software-ftc-fine-data-harvesting

And quote

"The FTC also claims Avast deceived users by saying its software would help eliminate tracking on the web — when it actually did the tracking itself."

DaRon

I use tasker very extensively with basically all permissions granted it asks for (incl. all add-ons and supportive apps tasker provides).
A check now and then on the phones permissions dashboard and on my adguard dashboard shows nothing unexpected or suspicious, basically every request of files, location or network access is known and intentional. This aligns (from my point of view) with their privacy statement (https://tasker.joaoapps.com/privacy.html).
So far i am happy with it.

bayesian

Signal-message yourself why another app?

ErnestThornhill

It's proprietary trialware. I'll pass.

43t34fg4

other8026 Ironically, the Dev actually got back in contact with me and updated the privacy policy of the site today. At this point, though, I guess it's a matter of trusting if the policy is accurate since, yeah, we can't actually see what's going on in the app. The reason for it being closed-source is since it's 1 Dev, they hope people will donate to the cause (but of course, they mention it isn't ever required or anything, to be friendly) and not lose out on money if making it open source.

Fay_Wilmont

Tasker's developer doesn't seem to be very security-minded. So even if you trust the Tasker apps not to abuse their privileges, attackers might.

For example, any app or website can start an existing Tasker automation:

https://www.reddit.com/r/tasker/comments/1ficluu/why_can_any_third_party_app_or_website_run_any_of/

To launch a task through the command system, a third party app needs to declare and manually be granted the net.dinglisch.android.tasker.PERMISSION_SEND_COMMAND permission. Yet any app or website can run any task by launching tasker://assistantactions?task=TASKNAME.

This cannot be disabled.

There's the option to lock certain things behind a PIN but it can be easily circumvented:

https://www.reddit.com/r/tasker/comments/1lluum6/bug_tasker_splitscreen_lock_removaloverwrite_bug/

Tasker asks for All files access just to read a backup file.

The current developer sometimes makes remarks on Reddit about how he didn't know Tasker could do X, or how exactly it does Y. Seems he's not intimately familiar with (all of) the inner workings of Tasker.

From using Tasker for the past couple of years and reading the Reddit community, I got the impression that it's kind of a miracle that Tasker exists, is still maintained and—although I encountered lots of bugs—mostly works. I suspect the code might be a hot mess.

The dev, who seems to be a fine person overall, seems to be more motivated to add new features like AI integration than to address long-standing issues.

Things to take into consideration when considering if using Tasker fits your threat model.