Proton apps pinging Google API + sending reports back after opting out

bootloader

Time by time I revisit the DNS requests my GrapheneOS makes. Today I found out the following new activities:

I have frequent connection requests to firebaselogging.googleapis.com and sometimes to firebaseinstallations.googleapis.com. After changing my apps network permissions and testing where is this coming from, for me it clearly seems that all of these are made by all my Proton apps. If I revoke any of my Proton app (Mail, Drive, Calendars, VPN) network permission, the requests stops. If I re-enable any, it starts again. ProtonVPN downloaded from F-Droid, the rest is from Aurora Store, all has the same behaviour regardless of this fact.
All of the Proton apps are connecting to reports.proton.me regardless I opted out any crash report and telemetry (in every app one by one).

Is there anyone having the same experience as me? What on earth is happening?

treenutz68

My understanding is that Proton uses google play services for notifications. Do you have google play services installed on your phone? Perhaps its just notifications, but I'm stabbing in the dark here

fid02

bootloader Sounds like it would be beneficial to contact Proton support about this and ask what these connections are intended for.

fbi

bootloader Which ones ? Mail shouldn't behave like that.

zzz

bootloader Time by time I revisit the DNS requests my GrapheneOS makes

Just curious - what method do you use to review DNS requests for your device?

bootloader

treenutz68 Thanks for your comment! I definitely don't, no notifications enabled and no Google Play services installed. So this is out, still not sure what is causing this.

bootloader

fid02 I did a few days ago, I'll update this thread if there is any updates.

Meanwhile, is there anyone has the same experience? Or it is just me?

bootloader

fbi all of my Proton apps have the same behavior. Calendar, Mail, Drive, VPN. After the first eye twitching this is my conclusion too. I cannot imagine than any of the Proton apps should have this behavior on purpose.

I wrote Proton with this now a week ago, and still didn't get any reply back. Probably my mail just lost somewhere, but still, this whole story makes me feel very uneasy.

RRZishe

bootloader interesting, please keep us updated

bootloader

fbi

zzz I'm not sure how to monitor that as I simply use NextDNS on my firewall to filtering connection attempts.

jroddev Via Mail, but great idea, never tried that! Thanks for the idea.

fbi

Which Data is being PING-ed in and out ? Proton should disclose the technical details of what exactly points to Firebase/Googleapis. You are surely aware ProtonMail is not fully encrypted ( the content is scrambled but some metadata is in plain text ) , useful to have a response.

jroddev

How did you contact Proton? I reported a differenr issue in the ProtonMail app "report an issue" option and they got back to me within a couple of days.

TRInvictus

Hello,
I'm not using any Proton stuff so I'm not checking the apps on my phone. Did you check the Exodus reports of those apps? https://reports.exodus-privacy.eu.org

To me, Firebase and everything else related, is to be considered as tracking. Period. I'd not use such apps personally, without blocking those connections. Proton using Google stuff is a privacy contradiction, imo.

Edit:
If you want to check (and block) the connections on your phone, you may want to try the app "RethinkDNS".

bootloader

TRInvictus Hello, thank you for the app suggestion! I'll definitely check that out.

Interesting, Exodus says there is only one tracker in the app, but that is Sentry, not Firebase. Anyway, I completely agree with you. So far I was a heavy Proton user, but now I'm thinking of divorce.

fid02

I'm not sure that the presence of certain libraries in an app necessarily means that their functionality is activated during one's usage of the app. Proton has optional telemetry and crash reporting, and if one does not trust that disabling those toggles does not actually disable the telemetry / crash reporting, I think one should look for alternative apps. I personally don't think Proton disrespects that, and the only way forward that I see in this case is to get a clarification from Proton Support.

Proton's ticketing system has been known to mistakenly auto-mark submitted tickets as spam, sometimes when the customer sends a follow-up email to the original ticket after a brief amount of time. That means that a support agent will not respond in due course. I recommend filing a new ticket, with reference to the old ticket, in the case of no response.

The GrapheneOS account has raised some points about the issues with the results displayed by Exodus Privacy, which I think is of relevance here: https://x.com/GrapheneOS/status/1793051200255848553

bootloader

fid02 Thank you for the infos! Meanwhile they answered (see my before comment), but it's good to know.

I agree. My worries here are more about the Proton apps constant connections to Google API, what at the moment looks like it is default, and not sure if there is a way to opt out apart from blocking. Let's see what Proton answers again, but if there is no way to stop these connection, then indeed as you said, I should move on. Sadly, as I really liked Proton, but if their apps are saying hello to Google API every ten minutes and I can't opt out, that is an absolute break up reason for me.

TRInvictus

fid02 The GrapheneOS account has raised some points about the issues with the results displayed by Exodus Privacy, which I think is of relevance here:

Check the manifest of an app. There you see what stuff it uses (receivers, services, etc.). If there is an entry about eg. Firebase, you can pretty much be sure that it is used. An app may let opt you out, but loaded stuff still can access the internet, do RPC, by itself...

Apps like "AppManager" or "LibChecker" (from Github or F-Droid) can help you check such stuff too. And RethinkDNS lets you check (and block) the net traffic on-device if you haven't eg. a home lab to do such on a dedicated device/firewall.

bootloader

UPDATE: Proton staff just reached me back. They were kindly apologized for the delay, but their answer was in short:
this is indeed the expected endpoints in the Android app, and this two google api connection is used for Android push notification.

As in the Proton app alternative routing, push services, notifications, crash reports, telemetry are completely disabled (and also: there is no Google Service on my phone), I asked them more questions if there is a way to opt out/stop these connections. I'll share an update here once there is a reply.

Goatey523

bootloader Damn that thread gave me a heart attack, thank god they are doing the bare minimum of those requests xD

GlytchMeister

bootloader

Any word back from Proton? I have it, too, but I've been hearing... Mixed opinions about it.

zzz

To compare notes:

Inspired by this thread, I used RethinkDNS to monitor traffic for the last 2 days.

Active Proton apps include:
VPN (not using it for internet at the moment though because RethinkDNS takes up that slot)
Mail
Calendar
Drive

I never use push notifications for these apps. Originally, it was because if my belief that it contributes subtle yet harmful impacts on a person's behavior and inner life. Better to check manually, of one's own initiative.
As of recently, I've added a new reason - push notifications are rarely implemented without using Google or Apple's infrastructure. Signal is ok, but very few others are (for me)

Even without push notifications, I am indeed seeing roughly 1x call per day to firebaselogging.googleapis.com, possibly from the proton apps, possibly from the 10x other apps in that profile.

I might do some more testing to isolate the proton apps only and report an update here.

I did find one workaround. It might not be for everybody, but here goes:

Use this version of RethinkDNS by Celzero (threat model allowing, of course)
https://github.com/celzero/rethink-app

Then generate a Wireguard config file from Proton, instructions here:
https://protonvpn.com/support/wireguard-configurations/

Upload that config file into Celzero's Rethink app.

Block DNS queries to anything that looks like google, while still enjoying (some) benefits of ProtonVPN.

The proton apps continue to work great this way.

Hope this helps!

mmmm

zzz can I derail the thread slightly and ask you about Rethink? I have recently heard about it. Is it as good as it looks from a first glance?

TRInvictus

zzz As of recently, I've added a new reason - push notifications are rarely implemented without using Google or Apple's infrastructure. Signal is ok, but very few others are (for me)

Even without push notifications, I am indeed seeing roughly 1x call per day to firebaselogging.googleapis.com, possibly from the proton apps, possibly from the 10x other apps in that profile.

Push notifications / meta data is the new "gold" in tracking, since eg. messengers encrypt stuff. Push is the new "way to go" to track such stuff.

Firebase has tons of functions. However, its all Google, and I'm thus blocking it consequently, for those few apps I depend on with no alternative.

zzz

mmmm

Honestly my opinion is underinformed, I only started looking into RethinkDNS a few days ago.

My understanding is that vanilla RethinkDNS can help you monitor network traffic (similar to tools like LittleSnitch, Wireshark, etc) and then block domains that you disagree with (firewall). I think there's more to say about this, but I lack the expertise to type it up. Would appreciate anyone else's input / correction.

The drawback is that it uses up the one and only active VPN slot on your pixel, without actually being a VPN - you don't get the benefits of a VPN that way. From the Rethink site:

It isn't a VPN, at least not yet. Though, it is effective in circumventing internet censorship in most if not all countries. Rethink DNS uses VPN APIs to only route the DNS traffic and not the actual internet traffic.
Rethink DNS isn't a tracker. Rethink DNS logs DNS requests if a user opts-in. Rethink doesn't sell any user information or use it for anything else other than to provide analytics and reports to the user.

https://rethinkdns.com/faq

After some research, I did find that variant linked in my last post, which allows one to use a Wireguard protocol compatible VPN (like ProtonVPN) and get the benefits of RethinkDNS, all in one app and active VPN slot on your device.
I don't consider this to be as trusted as vanilla Proton VPN, so it will not be my daily driver. But I think its interesting and good for testing like this. Proton's disclaimer:

we strongly recommend using WireGuard via our apps as this is the easiest way to use WireGuard, and it allows you to benefit from many of Proton VPN’s advanced features. For example:
Kill switch and permanent kill switch
Smart protocol
DNS leak protection
Port forwarding (Windows only)
However, Proton VPN’s implementation of WireGuard follows the official open-source specifications for the protocol. This means that advanced users can use any WireGuard client that also matches official specifications to connect to Proton VPN servers using WireGuard

https://protonvpn.com/support/wireguard-configurations/

Its interesting to note that the official GOS site also does speak favorably of RethinkDNS:

If you're using a VPN, we recommended against having a Private DNS server configured. If you want to filter traffic while using a VPN, use a VPN service app able to do both such as RethinkDNS. Private DNS also interacts strangely with multiple profiles since each profile has their own VPN configuration but Private DNS is global. Either leave Private DNS on the default Automatic mode or set it to disabled when using VPNs.

https://grapheneos.org/faq#vpn-support