ve3jlg To be fair to them, unless I missed it, Exodus did not use the word "evil" that I saw. I found their explanations of the different classes of "trackers" uninflammatory. I believe that they could have gone into more detail on each. But it's difficult to know what depth to go into, and they have to consider they are (mostly?) writing for a general and non-technical audience. Language and translation may be an issue for them too.
Of course using the word "evil" is me exaggerating to make a point, however, I don't think it's an inaccurate or unfair characterization of their approach. Their approach seems to be that more "trackers" = bad, less "trackers" = good. They also periodically suggest that software projects use their "tracker" sniffer in their projects to remove any bad juju (if I recall correctly, Cryptomator is one such example), and I believe that Exodus is also at least partly used by F-Droid to scan apps for "trackers", as well. So while them deeming these libraries as "evil" is not exactly what they're saying, they obviously seem to think that ideally, an app should have none of the libraries that their tools detects as a tracker in them, whether that is a library that provides functionality to the end user, or whether it is a crash reporting library (opt-in or not) to help the developers improve their apps.
ve3jlg Your comment about Google's Firebase Cloud Messaging is an interesting one. If I understand correctly, push notifications using that will allow Google to learn metadata about the communications if not the encrypted content; at the wide scale which Google works, its software can create inferences about the receiver / device owner from that.
Judging from the fact that you've specifically made "Google's" bold, I will assume that a library from Google fells worse to you than any other. Let me ask you this; what would you have Bitwarden do (using Bitwarden as an example cause I brought them up earlier)? Would you have them forgo that functionality entirely? Would you have them invent their own implementation which will be less effective in comparison? Keep in mind that if all apps used their own implementations/libraries for functionality such as notifications, then each app that has notifications would need to be running its own background service. Your battery life would take a significant hit from that.
There's also another question that I have. Do you (not you specifically, but anyone that uses the service) Bitwarden enough to securely store your passwords, but not enough to know which libraries they should use to provide the functionality you need? At the end of the day, you have to trust the developers that make the apps you use, and which libraries/dependencies they choose to use is part of that. It's up to everyone to determine what they find acceptable.
Again, my issue with the approach of enumerating specific libraries is that an app sporting a library that may be significantly more harmful than the ones Exodus detects will go unnoticed, and the person evaluating the app will be none the wiser. It is a very flimsy way to enumerate threats and protect yourself.
ve3jlg At the most basic level, Google must know the IP address of where it is delivering a push notification - from that they can derive a way better geolocation than almost anyone else in the world; the class of that location (mobile, fixed); and inferences about the device user and their relationships (is the IP address that of a private business? a university? residence? What time of day is that IP address being used? Oh - barring a VPN, that device owner must be there now. etc.).
You bring up a great example based on which I can make my next point. In an ideal world, all software we use would be 100% trusted, but we don't live in that ideal world. Instead of trying to enumerate bad libraries, I think we should be using a more meaningful and in-depth approach. Are you concerned about your IP address being trackers? Use a VPN to hide it. That way you're hiding it from the app in its entirety, as well as any other unknown libraries that may be tracking you but may not be caught be whatever tracker detector tools you're using.
ve3jlg What to properly call that behaviour if not tracking?
I call it providing a service, personally. Anything you connect to on the Internet requires your IP address. You can hide that IP address and present them with another one instead, but they'll need something. Does that make every website a tracker? If everything's a tracker, nothing's a tracker.