latest version adds trackers #12

Open
IzzySoft opened this issue Dec 24, 2021 · 7 comments

@IzzySoft

IzzySoft commented Dec 24, 2021

I've just rolled back the update in my repo and disabled future updates, as the current version adds a couple of non-free dependencies and trackers: Crashlytics, Firebase Analytics, Firebase… Can you please check and make sure they do not pop in again?

Offending libs:
---------------
* Crashlytics (/com/crashlytics): Tracking
* Firebase Data Transport (/com/google/android/datatransport): NonFreeNet
* Google Mobile Services (/com/google/android/gms): NonFreeDep
* Firebase (/com/google/firebase): NonFreeNet,NonFreeDep
* Firebase Analytics (/com/google/firebase/analytics): Tracking

5 offenders.

Looks like they were intentionally added with commit 8a594d2 (I thought some other lib might have dragged them in). If you really want that for potential releases to Google Play, please consider establishing build flavors (and providing the FOSS APK). If it's rather that you need some analytics, you might wish to take a look at this snippet where I list some potential candidates (which are also acceptable by F-Droid).

Please let me know when a fixed version is available again, so I can re-enable updates. Thanks for taking care!
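
The kind of check behind the "Offending libs" report above, as an added example that is not part of the original thread and is not IzzySoft's actual scanner: it searches an APK's dex files for the listed package paths as type descriptors. The sample APK and the `com/example/todo` class names are constructed for illustration.

```python
import io
import re
import sys
import zipfile

# Package paths and categories copied from the scan report in the issue.
SIGNATURES = {
    "com/crashlytics": ("Crashlytics", ["Tracking"]),
    "com/google/android/datatransport": ("Firebase Data Transport", ["NonFreeNet"]),
    "com/google/android/gms": ("Google Mobile Services", ["NonFreeDep"]),
    "com/google/firebase": ("Firebase", ["NonFreeNet", "NonFreeDep"]),
    "com/google/firebase/analytics": ("Firebase Analytics", ["Tracking"]),
}

def scan_apk(apk_bytes):
    """Return {library name: categories} for each signature found in classes*.dex."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        # Multidex builds ship classes.dex, classes2.dex, ...
        dex_files = [n for n in apk.namelist() if re.fullmatch(r"classes\d*\.dex", n)]
        for name in dex_files:
            data = apk.read(name)  # zipfile inflates the entry for us
            for path, (lib, cats) in SIGNATURES.items():
                # Dex type descriptors look like "Lcom/crashlytics/Foo;".
                # A raw byte search is a heuristic, not a full dex parse.
                if b"L" + path.encode() + b"/" in data:
                    found[lib] = cats
    return found

def build_sample_apk(descriptors):
    """Constructed stand-in for an APK: a zip whose classes.dex holds only descriptors."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"")
        apk.writestr("classes.dex", b"\x00".join(d.encode() for d in descriptors))
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_apk([
        "Lcom/example/todo/MainActivity;",  # hypothetical app class
        "Lcom/google/firebase/analytics/FirebaseAnalytics;",
    ])
    offenders = scan_apk(sample)
    for lib, cats in offenders.items():
        print(f"* {lib}: {','.join(cats)}")
    print(f"{len(offenders)} offenders.")
    sys.exit(1 if offenders else 0)  # non-zero exit fails a release pipeline
```

Run against the release APK before publishing, a non-zero exit flags a build that pulled the listed libraries back in.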

@BlackIQ
Owner

BlackIQ commented Dec 25, 2021

Hi,

Yes I just wanted to analyse crashes, performance. Ok, I can remove them and release another version.
As you know, app has an authentication with Firebase. Should I remove authentication and release app without auth?

@IzzySoft
Author

First, thanks for the fast response! For collecting crashes, one of the linked libs should do (make sure to ask the user's consent, though). As for Firebase: if you want your app to stay FOSS, you shouldn't use that (it's proprietary, not FOSS). Should authentication be a requirement, couldn't it happen locally? If you'd then use e.g. ACRA to send crash reports by mail, you could even drop the INTERNET permission.

@BlackIQ
Owner

BlackIQ commented Jan 3, 2022

Hi again. Sorry for doing that. I will remove them and release a new version. Tnx.

For internet permission, Google fonts need internet. In this case we cannot remove that.

Regards.
Amir.

@IzzySoft
Author

IzzySoft commented Jan 3, 2022

> I will remove them and release a new version.

Thanks!

> Google fonts need internet.

Ouch. That means Tracking – and will scare away many privacy-focused users (I wouldn't use an app depending on that, if I can help it). Better include the fonts if they are really needed (usually they are not, unless there's something really specific needed). Use what's on device, that then also blends in much better.

@BlackIQ
Owner

BlackIQ commented Jan 4, 2022

That's OK. I will do it as soon as possible.
Sorry for my late responses. I have exams and some other things to do.
I have an idea. What is your idea about an offline version with no internet permission and no authentication? The other needs internet for people to be able to authenticate and even store their data in the cloud.

Let me know what you think about it.

@IzzySoft
Author

IzzySoft commented Jan 4, 2022

I personally don't like the idea of storing my data on the computers of strangers (as that's what "the cloud" is) – especially not if it's (sensitive) personal data. YMMV, and there are certainly use-cases for that (corporate/shared stuff and such) – but I see no need for such with 1 person's personal todo list. If you think it needs protection, authentication can be done locally (and then, as it needs protection, the data should not leave the device – at least not unencrypted).

I vaguely remember other apps with similar conflicts (there was one Keepass app, for example). They solved it using build flavors: one for offline, one for online, each with a dedicated applicationId (like com.foobar.online and com.foobar.offline). So each user could pick their preferred variant, and could even run both in parallel if they wanted. Especially repositories could keep both in parallel, thanks to the dedicated package name.

@IzzySoft
Author

Any news here, @BlackIQ?
