• Free Palestine 🇵🇸
      21 year ago

      I swear I only saw the Google Play link and the APK download link when I checked their site like 5 hours ago. You’re actually right, I checked the app from their F-Droid repo and your results appear to be correct. I was really confused when I saw this, as it doesn’t make any sense to put trackers in the F-Droid version, but not include them in the Google Play version. It’s just weird, misleading and confusing. I have no idea what’s going on there, and why they made these decisions.

    • Captain Beyond
      2
      1 year ago

      1 tracker = 266 classes.

      Please be more explicit about the so-called “tracker” reported by exodus here. “Tracker” is a broad term that covers not just actual tracking and ad libraries but also crash detection and error reporting libraries, which can be useful as long as they are opt-in with informed user consent. Without knowing the exact library detected here, and how it is used, one cannot assess whether it is truly spyware or not.

      From a cursory glance at the build.gradle I do see ACRA as a dependency here, which is sometimes (mistakenly) considered as a “tracker” but is actually a free software crash reporting library used by many free software Android apps including NewPipe and the F-Droid client itself. A cursory search across the codebase reveals ACRA is not even always enabled (it seems to depend on build configuration) and this dialog appears to be where the user is asked for consent for sharing a crash report.

      Of course, Exodus can’t tell how a library is used or even if it’s used at all; it just sees a scary class name and warns about trackers. It might be useful to check if some proprietary app has suspicious behavior, but it is by no means an actual malware scanner.

      edit: It doesn’t appear Exodus considers ACRA as a “tracker”, as it is not included in their list; however, my point still stands. An Exodus report by itself isn’t proof of nefarious activity unless backed up with more concrete evidence, e.g. network analysis or source code analysis.

      edit 2: I just installed ClassyShark and ran it on NewPipe, and it does show ACRA as a “tracker”; however, Exodus itself says NewPipe has no trackers. ClassyShark has not been updated in over a year, so I assume it is using an out-of-date database. Something like TrackerControl, which is more actively updated, might be a better alternative.
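
An added example, not part of the comment above and not code from Exodus or ClassyShark: a sketch of class-name signature scanning, showing why the same app can be reported as "1 tracker = N classes" under one signature database and clean under another. The class list and both databases are constructed for illustration, and prefix matching on class names is an assumption about how such scanners work.

```python
import re

# Constructed sample: class descriptors as a DEX listing would show them.
# The scanner only ever sees these names, never whether the code is reachable,
# enabled by build configuration, or gated behind a consent dialog.
SAMPLE_CLASSES = [
    "Lorg/schabi/newpipe/MainActivity;",
    "Lorg/schabi/newpipe/error/ErrorUtil;",
    "Lorg/acra/ACRA;",
    "Lorg/acra/config/CoreConfiguration;",
    "Lorg/acra/sender/ReportSender;",
]

# Constructed signature databases (hypothetical; not any real tool's data).
# OLD_DB still lists the crash reporter as a tracker, NEW_DB has dropped it.
OLD_DB = {"ACRA": r"org\.acra\.", "ExampleAds": r"com\.example\.ads\."}
NEW_DB = {"ExampleAds": r"com\.example\.ads\."}

def dotted(descriptor):
    """Convert a DEX descriptor such as 'Lorg/acra/ACRA;' to 'org.acra.ACRA'."""
    if descriptor.startswith("L") and descriptor.endswith(";"):
        return descriptor[1:-1].replace("/", ".")
    return descriptor

def scan(descriptors, signature_db):
    """Return {tracker_name: [matching class names]} by prefix regex match."""
    names = [dotted(d) for d in descriptors]
    hits = {}
    for tracker, pattern in signature_db.items():
        rx = re.compile(pattern)
        matched = [n for n in names if rx.match(n)]
        if matched:
            hits[tracker] = matched
    return hits

def summarize(hits):
    """Render a report line in the '1 tracker = N classes' style."""
    if not hits:
        return "no trackers"
    total = sum(len(classes) for classes in hits.values())
    return f"{len(hits)} tracker = {total} classes ({', '.join(sorted(hits))})"

if __name__ == "__main__":
    print("old database:", summarize(scan(SAMPLE_CLASSES, OLD_DB)))
    print("new database:", summarize(scan(SAMPLE_CLASSES, NEW_DB)))
```

Both verdicts come from the same class list, so a difference between two tools' reports points to the signature databases, not the app.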