FOSS Photo editor
- Edited
wojon The question would be if the github version has the same feature set. I might be wrong here, but to my understanding the github version is the non-pro version. So in the end you have to make a decision. Go with pro and take it from F-Droid, build yourself, or go with non-pro directly from the maintainer. How do you chose here? ;)
I have the pro version from GitHub. The FOSS release is the Pro one on the release page and you also get free access to their Thankyou app to unlock the features it does across their apps.
wojon F-Droid is patching out trackers
They use exodus and their scanning is not accurate. It completely misrepresents the permission model. The checks for 'trackers' is really just a list a blacklisted third party libraries which they've fairly arbitrarily decided are privacy invasive. Doesn't check for anything else. It's misleading.
Their apps often due to their practices end up horrendously outated. Take Element for Matrix for example. https://nitter.net/Metr0pl3x/status/1575250126574129178
Using F-Droid and a developer maintained repo is fine but relying on F-Droid has all the issues outlined.
As GrapheneOS doesn't compromise the standard of security/privacy, it is only right that the advice we offer aligns with that.
What individual users can/will choose to do is entirely their prerogative.
MetropleX However would seriously advise against using F-Droid as an additional level of trust, their apps can be downloaded direct from the developer via github here:
The GrapheneOS project regularly states the importance of keeping software updated. I generally agree.
If someone downloads an app direct from the developer, what existing tools do you recommend to keep informed of available updates?
Secondly, how does one update an app from the developer?
Does updating in this way reset or erase existing app data and settings?
- Edited
MetropleX They use exodus and their scanning is not accurate. It completely misrepresents the permission model. The checks for 'trackers' is really just a list a blacklisted third party libraries which they've fairly arbitrarily decided are privacy invasive. Doesn't check for anything else. It's misleading.
Thanks for clarifying that.
MetropleX https://nitter.net/Metr0pl3x/status/1575250126574129178
That tweet cannot be found. But I got your point.
ve3jlg If someone downloads an app direct from the developer, what existing tools do you recommend to keep informed of available updates?
The method I use for apps that I get from the developer is through an RSS feed reader (I use an app called ReadYou) to follow GitHub Releases feeds for the apps I use. Using ReadYou itself as an example, the feed for its release page would be https://github.com/Ashinch/ReadYou/releases.atom, which is the releases page with .atom
appended to the end of it, to turn it into a feed.
Another method to do this is to use Obtainium which makes this process a little easier. Some people prefer it, some people don't.
Secondly, how does one update an app from the developer?
With the RSS feed reader, you are notified of the new version, click on it to go to the release page and download the APK and install it.
Pretty much the same thing with Obtainium, though you don't have to navigate to the site on your browser, if I recall correctly, it happens within the app.
Does updating in this way reset or erase existing app data and settings?
No, the OS will see it as a regular system update, same as if you were updating from a store.
- Edited
MetropleX They use exodus and their scanning is not accurate. It completely misrepresents the permission model. The checks for 'trackers' is really just a list a blacklisted third party libraries which they've fairly arbitrarily decided are privacy invasive. Doesn't check for anything else. It's misleading.
Hmm.
As someone who has read Exodus reports carefully and based decisons on them, could you please tell me how it "completely misrepresents the permission model"?
In saying that are you referring to the way that the GrapheneOS permission model works, and/or stock or Google's Android? As I understand it, Exodus is intended as a tool for all Android users, not specifically GrapheneOS.
MetropleX The checks for 'trackers' is really just a list a blacklisted third party libraries
"Blacklisted" - I am unsure what that means. If they are blacklisted, how are they in an app, or what damage can they do?
What is the problem with Exodus reporting these? Can you given examples and sources of claims of false positives or negatives?
MetropleX which they've fairly arbitrarily decided are privacy invasive.
I am interested to know what you mean by "fairly arbitrarily decided" so I can understand and interpret Exodus reports better.
Does Exodus have a stated and consistent basis for their classification?
MetropleX Doesn't check for anything else. It's misleading.
I'm confused. What specific statement or claim (words) does Exodus make which is "misleading"?
As a new GrapheneOS user I am trying to understand then make the best use of all the tools available to me to limit disclosure of my PII to corporations, as I expect many others are. Exodus has seemed like one useful tool to me.
How might continuing to use it go against my personal threat model to minimize corporations collecting more information about me?
Thanks for elaborating,
- Edited
ve3jlg Hey! I know you weren't asking me, but I thought I'd jump in with some more information, as well as a recent example that I have which showcases how this approach is flawed and can lead to false positives.
ve3jlg As someone who has read Exodus reports carefully and based decisons on them, could you please tell me how it "completely misrepresents the permission model"?
I think the idea here is that people often misunderstand what a "tracker" means on Android. All apps are sandboxed, both on GrapheneOS and in Android in general (assuming you've not altered the OS in any way that damages the security model such as rooting it etc.) Therefore, any "trackers" that an app has can only see what's happening within the app itself for the most part, and not elsewhere. This is very different to how trackers on the Internet work, for example.
ve3jlg "Blacklisted" - I am unsure what that means. If they are blacklisted, how are they in an app, or what damage can they do?
I think they meant blacklisted as in Exodus puts them on their list so that they're enumerated in these reports. Exodus doesn't intelligently track what an actual tracker is and reports it to you. It's essentially just a list of third part libraries that the project's maintainers have collectively decided are evil, and when they detect that specific library, they present it to you as a tracker. Not only can this approach be misleading (example incoming), but if an app developer wanted to hide these libraries, they could do so very easily, so by using this approach, you're lulling yourself into a false sense of security, in my opinion.
ve3jlg What is the problem with Exodus reporting these? Can you given examples and sources of claims of false positives or negatives?
https://fosstodon.org/@bitwarden/109636825700482007 is Bitwarden's response when someone asked them why Exodus was showing Bitwarden as having two trackers. Their toot seems to have been deleted, along with their account, but Bitwarden's response still hold.
This is Exodus' report for Bitwarden: https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/
As stated by Bitwarden's Mastodon account:
Hey there, Firebase Cloud Messaging (often mistaken for a tracker) is used only for push notifications related to sync and performs absolutely no tracking functions. Microsoft Visual Studio App Center is used for crash reporting on a range of mobile devices.
So here we have a library that provides basic functionality, and a regular crash reporting library. Are these really trackers? With the approach of Exodus of just enumerating libraries and calling them all trackers, you're throwing out the baby with the bathwater. There is no room for nuance. Anything on their list is a tracker, anything not on their list is a-ok.
I hope that provides some more context and helps!
matchboxbananasynergy I'm using RSS feeds for some apps as well but you can get email alerts from github - under Watch select Custom and then Releases. Works great.
- Edited
matchboxbananasynergy Thanks for jumping in on this. It does further educate me.
You make a good point about terminology / classification. I agree that's important. (I was personally confused by the use of both "profile" and "user" here after I installed GrapheneOS. )
Your response prompted me to properly read the Exodus site now. I see they have a page titled Trackers which distinguishes between the different potential uses of the information.
In each tracker report they do make the distinction.
To be fair to them, unless I missed it, Exodus did not use the word "evil" that I saw. I found their explanations of the different classes of "trackers" uninflammatory. I believe that they could have gone into more detail on each. But it's difficult to know what depth to go into, and they have to consider they are (mostly?) writing for a general and non-technical audience. Language and translation may be an issue for them too.
Your comment about Google's Firebase Cloud Messaging is an interesting one. If I understand correctly, push notifications using that will allow Google to learn metadata about the communications if not the encrypted content; at the wide scale which Google works, its software can create inferences about the receiver / device owner from that.
And metadata drives a great, great deal of profiling of individuals up to successful criminal prosecutions.
Was it a "tracker" inserted by BitWarden? I don't see how it does that. Can Google use FCM message wrapper metadata to deepen their profile and deanonymize an individual? Does that make FCM a Google tracker? Yes, potentially. At the most basic level, Google must know the IP address of where it is delivering a push notification - from that they can derive a way better geolocation than almost anyone else in the world; the class of that location (mobile, fixed); and inferences about the device user and their relationships (is the IP address that of a private business? a university? residence? What time of day is that IP address being used? Oh - barring a VPN, that device owner must be there now. etc.).
What to properly call that behaviour if not tracking?
It seems that the problem is the broad use of the term "tracker", which should be better defined, with more words on the consequences.
ve3jlg To be fair to them, unless I missed it, Exodus did not use the word "evil" that I saw. I found their explanations of the different classes of "trackers" uninflammatory. I believe that they could have gone into more detail on each. But it's difficult to know what depth to go into, and they have to consider they are (mostly?) writing for a general and non-technical audience. Language and translation may be an issue for them too.
Of course using the word "evil" is me exaggerating to make a point, however, I don't think it's an inaccurate or unfair characterization of their approach. Their approach seems to be that more "trackers" = bad, less "trackers" = good. They also periodically suggest that software projects use their "tracker" sniffer in their projects to remove any bad juju (if I recall correctly, Cryptomator is one such example), and I believe that Exodus is also at least partly used by F-Droid to scan apps for "trackers", as well. So while them deeming these libraries as "evil" is not exactly what they're saying, they obviously seem to think that ideally, an app should have none of the libraries that their tools detects as a tracker in them, whether that is a library that provides functionality to the end user, or whether it is a crash reporting library (opt-in or not) to help the developers improve their apps.
ve3jlg Your comment about Google's Firebase Cloud Messaging is an interesting one. If I understand correctly, push notifications using that will allow Google to learn metadata about the communications if not the encrypted content; at the wide scale which Google works, its software can create inferences about the receiver / device owner from that.
Judging from the fact that you've specifically made "Google's" bold, I will assume that a library from Google fells worse to you than any other. Let me ask you this; what would you have Bitwarden do (using Bitwarden as an example cause I brought them up earlier)? Would you have them forgo that functionality entirely? Would you have them invent their own implementation which will be less effective in comparison? Keep in mind that if all apps used their own implementations/libraries for functionality such as notifications, then each app that has notifications would need to be running its own background service. Your battery life would take a significant hit from that.
There's also another question that I have. Do you (not you specifically, but anyone that uses the service) Bitwarden enough to securely store your passwords, but not enough to know which libraries they should use to provide the functionality you need? At the end of the day, you have to trust the developers that make the apps you use, and which libraries/dependencies they choose to use is part of that. It's up to everyone to determine what they find acceptable.
Again, my issue with the approach of enumerating specific libraries is that an app sporting a library that may be significantly more harmful than the ones Exodus detects will go unnoticed, and the person evaluating the app will be none the wiser. It is a very flimsy way to enumerate threats and protect yourself.
ve3jlg At the most basic level, Google must know the IP address of where it is delivering a push notification - from that they can derive a way better geolocation than almost anyone else in the world; the class of that location (mobile, fixed); and inferences about the device user and their relationships (is the IP address that of a private business? a university? residence? What time of day is that IP address being used? Oh - barring a VPN, that device owner must be there now. etc.).
You bring up a great example based on which I can make my next point. In an ideal world, all software we use would be 100% trusted, but we don't live in that ideal world. Instead of trying to enumerate bad libraries, I think we should be using a more meaningful and in-depth approach. Are you concerned about your IP address being trackers? Use a VPN to hide it. That way you're hiding it from the app in its entirety, as well as any other unknown libraries that may be tracking you but may not be caught be whatever tracker detector tools you're using.
ve3jlg What to properly call that behaviour if not tracking?
I call it providing a service, personally. Anything you connect to on the Internet requires your IP address. You can hide that IP address and present them with another one instead, but they'll need something. Does that make every website a tracker? If everything's a tracker, nothing's a tracker.
- Edited
matchboxbananasynergy The method I use for apps that I get from the developer is through an RSS feed reader (I use an app called ReadYou) to follow GitHub Releases feeds for the apps I use. Using ReadYou itself as an example, the feed for its release page would be https://github.com/Ashinch/ReadYou/releases.atom, which is the releases page with .atom appended to the end of it, to turn it into a feed.
That's a nice solution. Is your approach working for gitlab instances too? I tried to add .atom at the end of some project's URLs (Aurora for example) but it didn't work.
wojon GitLab will work as well, but the syntax for it is a bit different:
https://www.privacyguides.org/android/#gitlab provides an explanation of how to do this.
- Edited
There is merit to downloading from fdroid I found out. Example is OsmAnd. From Fdroid you get the full pro version and its google component free. Can't get that anywhere else. Geometric weather is another case. There is a few more.
Simple Gallery has a two different versions from the github page. There is the FULL pro version that has proprietary bits (its the image enhancement bits). There is also the foss version which doesn't have the proprietary bits, and instead has a very basic image editing feature.
If you want the better editing tools you need to get the proprietary version. I believe its not privacy invasive.
Or just get the google camera and photos apps on the different profile and network block them.
There might also be some option from photoshop, which perhaps you can install and network block. Not foss, but for best image enhancement you may have to look at proprietary stuff.