Sorry for the novel, but you asked for opinions on the internet :)
I recently lost my gOS Pixel and bought a new one (ouch, hopefully it still turns up). Years before Pixels and me caring about privacy I used a program called https://www.cerberusapp.com/home/en which back in the day wasn't nearly as tracky, ran offline, and did the sms control feature. I came across https://gitlab.com/Nulide/findmydevice which seems to be the only open source 'find my device' program that does sms with any kind of success for me.
There are 'automation' programs like Tasker that are closed source that I can sort of get to work, but fmd seems to implement it well enough with a few caveats that I am not sure are possible to overcome.
Why I think it's a secure method of tracking:
If someone hasn't used this feature, the idea is to send my phone an sms with a code word + password, i.e. 'snazzlebottom 1701 locate gps', and my phone texts back with the gps coords (in an osm link). No other possible chain of codewords will return a result, and naturally all the 'commands' are regular sms messages so if someone tried to brute force this it would be obvious and easy to block and track. After testing everything works, it's possible to change the password so whoever may have snooped on the sms messages or the other phone you used for testing would thus be locked out again (though they would know that fmd is 'listening'). This password never leaves the device and can be changed anytime.
One advantage to this is there is not an app constantly sending your location somewhere, even if it's your own super secure server. This could be a tracking issue in itself if not set up properly since likely you are the only person constantly communicating with your own server across various connections. fmd should run entirely offline and only interface with sms. This also saves battery and data. I agree with @secrec the server itself can be unreliable in my testing (vs sms) and I am uncomfortable with this kind of control being internet facing. Chances are if someone can snoop on your sms, they already know where your phone is. The only issue would be if fmd had a magic backdoor code and pin, hid/erased sms messages, and did this all while being open source. You can request your activity logs from your provider and see if suspect sms messages are being sent and received.
I cannot think of any reason why this is insecure when properly implemented, or even in the state it's in now when configured properly (without internet permissions).
Issues / Deal breakers:
I simply cannot get any solution to work BFU. If you wait too long (18hr auto reboot) to try and find your phone after a long night and lazy sleep in Sunday, you're sol. This may be impossible to 'fix' for security reasons. I know this is rare, but I often will go a day or two without seeing my phone, and generally it still has a fair amount of battery left when I find it. I tell myself it will pop up in my car or whatever and I don't usually panic until 24+ hrs later.
Is it possible to run something like this BFU?
Other complaints about the app (not gOS related):
The whitelist feature does not have an option to force a password for whitelisted devices, so I simply don't use it. I'd rather any number work and I keep my pin long and secure.
The wifi scanning is nice but does not return signal levels, just a dump of ssids and that's it. It's nice but a signal report would be nicer.
Taking a picture doesn't work without the server. I am not sure why this limitation exists, but a backup option to email or use a messenger would be nice. Cerberus had a feature that fired off a picture if someone entered the pin wrong 2-3 times, or under other scenarios like waiting for the phone to be picked up after lost so you had a better chance of capturing a face even if they don't attempt to unlock it.
Missing an option to send location and picture when the battery is <5%, or maybe before the 18hr gOS reboot timer for an increased chance of recovery. Also my wife wouldn't mind knowing where I last was when my phone died, which can happen on long hikes.
TOTP option would be additionally cool and more secure.
Other things that are nice:
Technically any 'messenger' that produces an auto reply box can be interfaced with, so it is possible to use xmpp/signal.
Remotely ring the device even if on silent.
Remote factory reset.
I am hoping to get this idea to work BFU, and without internet / server stuff built in. I'd even pay for it if someone wanted to quote me.
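
Added example, not part of the original post and not code from the FMD project: a sketch of the SMS command check described above with the suggested TOTP option in place of the static password, so a code seen in transit cannot be reused. The `SmsGate` class, the command names, the two-step acceptance window and the per-sender lockout threshold are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
import time

TRIGGER = "snazzlebottom"      # code word taken from the post's example
STEP = 30                      # TOTP time step in seconds (RFC 6238 default)
MAX_FAILURES = 5               # assumed per-sender lockout threshold
COMMANDS = {"locate", "ring"}  # assumed command names, for illustration

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one time-step counter (RFC 4226 / RFC 6238, HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class SmsGate:
    """Decides whether an incoming SMS is an authorised command."""

    def __init__(self, secret: bytes, clock=time.time):
        self.secret, self.clock = secret, clock
        self.failures = {}   # sender -> bad codes seen so far
        self.used = set()    # counters already accepted (replay protection)

    def handle(self, sender: str, body: str):
        """Return the command to run, or None to stay silent."""
        parts = body.strip().split()
        if len(parts) < 3 or parts[0].lower() != TRIGGER:
            return None  # ordinary SMS, not addressed to us
        if self.failures.get(sender, 0) >= MAX_FAILURES:
            return None  # sender locked out after repeated bad codes
        code, command = parts[1].encode(), parts[2].lower()
        current = int(self.clock() // STEP)
        # Accept the current and previous step to tolerate SMS delivery delay.
        for counter in (current, max(current - 1, 0)):
            expected = totp(self.secret, counter).encode()
            if hmac.compare_digest(code, expected) and counter not in self.used:
                if command not in COMMANDS:
                    return None
                self.used.add(counter)
                self.failures.pop(sender, None)
                return command
        self.failures[sender] = self.failures.get(sender, 0) + 1
        return None
```

Every rejected message gets no reply at all, matching the behaviour described in the post, and each accepted code is burned so a snooped SMS cannot be replayed within its time window.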