Aurora Store Apps - Identified Trackers

D1ceman

Hey folks.

Just a question on the trackers identified for apps in the Aurora store.

Are these blocked by GrapheneOS, or do you install the app at your own risk with this trackers list purely being provided as information?

Thanks!

userofgos

D1ceman Just a question on the trackers identified for apps in the Aurora store.

These "trackers" are highly inaccurate and misleading.

See here: https://discuss.grapheneos.org/d/20641-aurora-store-exodus-trackers/6

They made a list of specific third party libraries they decided are trackers. The decision is quite dubious in some cases. It doesn't detect privacy invasive code in general, only a list of specific libraries they taught it to detect. Not all the libraries they mark as supposedly being trackers are truly privacy invasive and the app may make the functionality optional. It's very misleading and is not a good way to evaluate the overall privacy of apps. It can tell you if an app has a specific library that's on their list which you don't want, but not if an app is private at all.

Their permission listing is highly misleading and inaccurate. It shows all the low-level permissions both defined by the OS itself and ones which only have meaning defined by apps themselves. Most of these are grouped into the standard runtime permission toggles which are disabled by default, special access permission controls (disabled by default other than Wi-Fi control, which isn't actually invasive), case-by-case requests (such as Bluetooth pairing requests) and the battery usage setting (Restricted vs. default Optimized vs. Unrestricted). The OS doesn't actually grant most of them to apps at install time, and there's control over when an app can run via the battery usage setting. Many people are greatly misled about how things work by their permission listing. The "All permissions" page within the OS is misleading too, but at least it only shows OS defined permissions with a meaning in the OS and it groups the ones covered by runtime permission toggles together. It unfortunately doesn't group the ones covered by special access permissions or the battery usage toggle. We could improve it to make it less misleading.

And here: https://discuss.grapheneos.org/d/24896-exodus-not-running-properly/2

schweizer

D1ceman do you install the app at your own risk with this trackers list purely being provided as information?

This clearly is the case. So I do not understand the mainstream argumentation here that it is better to use PlayStore. Why would having less information be better than having more? While it is true the Exodus list is not complete it does contain many famous libraries such as Google, Temu and Facebook. You can then decide not to download the app, use it in a secondary profile or without network access. Playstore does not give you the opportunity to make an informed choice.

Some people argue that having a degoogled phone is useless because google libraries can still be included in the apps. But with Exodus you will see all the included google libraries.

ClickClickDrone

GrapheneOS doesn't block anything.

You can, however, utilise the OS' Network permission toggle*, and reduce permissions overall for the app, and also isolate it in its own profile for more control, etc.

*: do note, though, that toggling off Network is not a bulletproof vest, and apps may leak via other ways, like IPC.

MetropleX

schweizer mainstream argumentation here that it is better to use PlayStore

This primarily comes down to better to use it over... [insert X app source] approach. Play Store itself provides many security benefits, not infallible as a vetting system for apps but the store architecture and app delivery certainly is good.

The problem with simply declaring arbitrary libraries as trackers is due to the fact that libraries can be multifacted in their implementation and how it is used or abused comes down to their implementation by the app developer and whether they are used at all down to what privacy options in settings are provided for you to opt-in or out of.

They don't do any actual analysis or review of the code written by the app developers. An app including a library that can be detected if they don't hide it but that isn't a 'tracker' and the developers can choose to do things in a way which won't be detected by primitive automatic scans doesn't really mean a whole lot.

I mean Exodus themselves even state it:

This report lists trackers signatures found by static analysis in this APK. This is not a proof of activity of these trackers.