Hi

I may be wrong, but can someone help me interpret the results of this analysis correctly?

https://www.hybrid-analysis.com/sample/0a0238f85b8a559e8ab54f67920004db3a67a39bdbdbfa00075fd7d27e41dec4/672423b56b46e4feb006681d

See the Network Related section: Why does Simplex.apk have a hardcoded communication with

issuetracker.google.com

android.googlesource.com

developers.google.com

An app that is advertised as the most privacy-friendly?

All other indicators can (probably) be considered false positives (for example, the Camera permission, which is needed for video calls)

  • IronJumbo68@lemmy.worldOP
    link
    fedilink
    English
    arrow-up
    0
    ·
    2 months ago

    When installing from Github you only trust the developer and their signed certificate key.

    When installing from F-Droid you additionally also have to trust the F-Droid developer’s signature.

    Besides that F-droid has its own problems:

    https://privsec.dev/posts/android/f-droid-security-issues/

    I don’t use F-Droid. I use Obtainium and additionally check signatures in AppVerifier.

    https://sideofburritos.com/blog/obtainium-overview/

    • Mettled@reddthat.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      The link for F-Droid security issues is goijg on 3 years old, have you looked at the code xhanges for F-Droid since then?

      For using Obtainium, how do you avoid or block all apps from Github that depend on GCM, Firebase, or Google services? That’s wh I uae F-Droid and disable all anti-features so those apps are never listed, even if I search for an app that has Google dependancies, F-Droid will say that app does not exist or is not listed, as long as all anti-features is disabled.

      • N0x0n@lemmy.ml
        link
        fedilink
        English
        arrow-up
        0
        ·
        2 months ago

        For using Obtainium, how do you avoid or block all apps from Github that depend on GCM, Firebase, or Google services?

        You do have a point though, but how does that even comes into the mix? Obtainium fetches directly from the source (api.github.com).

        But to answer your question, it’s blocked at the DNS level with RethinkDNS. Blocking all requests, except those explicitly allowed by myself.

        This seems more like hardcoded into the .APK or that we can’t correctly interpret the results or something is wrong in the analysis. And I’m also curious to get more Info’s from someone.

        • Mettled@reddthat.com
          link
          fedilink
          English
          arrow-up
          0
          ·
          2 months ago

          I woud still like for you to do a scan on the FDroid SimpleX apk to verify the difference for yourself instead of whatever I say about it.