Join GitHub today
GitHub is home to over 20 million developers working together to host and review code, manage projects, and build software together.
Osmand collects Android ad ID and sends unencrypted #599
Comments
thestinger
added
upstream
upstream-app
Component: documentation
and removed
upstream
labels
Feb 22, 2017
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment Hide comment
thestinger
Jun 11, 2017
Contributor
Please report this to F-Droid instead so they can mark it in the repository.
|
Please report this to F-Droid instead so they can mark it in the repository. |
thestinger
closed this
Jun 11, 2017
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment Hide comment
thestinger
Jun 11, 2017
Contributor
I added a note to our documentation about it too. All I can say is that it's very unfortunate that there's barely any community of people working with us to reach our goals.
|
I added a note to our documentation about it too. All I can say is that it's very unfortunate that there's barely any community of people working with us to reach our goals. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
securesearch commentedFeb 21, 2017
Realise Osmand isn't bundled, but since you recommended it, maybe should just put it out there or let users know about it.
When connected to a network, Osmand tries to contact osmand.net every time you open the app, and when explicitly downloading maps, download.osmand.net.
All requests include the Android ad ID (sure, not the serial number, but still potentially sensitive) and sends them over an unencrypted connection.
Sanitized example (notice "aid=XXXXXXXXXXXXXXXX"):
GET /?gzip&osmandver=OsmAnd%7E+2.5.4&nd=XX&ns=XX&aid=XXXXXXXXXXXXXXXX HTTP/1.1
User-Agent: Dalvik/ (Linux; U; Android ; "" Build/XXXXXX)
Host: download.osmand.net
Connection: Keep-Alive
Accept-Encoding: gzip