v2.6.0-beta1

Pre-release

@github-actions github-actions released this 02 Jul 12:53

Security

This release addresses a security advisory covering several intent-handling vulnerabilities. Users are strongly encouraged to upgrade. Thanks to Noel Gomillion & Pranati Majhi at Texas A&M for working with us on this.

  • External configuration loading (via owntracks:// URLs and config files) is now disabled by default and must be explicitly enabled in Settings → Advanced
  • A confirmation dialog is shown when enabling external configuration, warning that any config URL can fully reconfigure the app
  • The allowIntentControl intent receiver now requires a shared secret (intentAuthKey) in every intent, preventing unauthorised apps from triggering location publishes or changing monitoring mode
  • BackgroundService is no longer exported; only explicit intents from within the app are accepted
  • EXIT and SEND_EVENT_CIRCULAR intent actions have been removed
  • OngoingNotification service intents are now explicit
  • Security-related preferences (allowConfigurationByURIAndConfigFile, allowIntentControl, intentAuthKey) cannot be changed via imported config files or URLs
  • Certificate fingerprint verification migrated from SHA-1 to SHA-256
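An added illustration (not OwnTracks code) of the intent-gating pattern described in the bullets above: a receiver that stays reachable by automation apps but honours nothing unless intent control is enabled and the intent carries the shared secret, then hands the request to the in-app service via an explicit intent. Preference keys, action strings, the extra name and the service class name are assumptions.

```kotlin
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.util.Log
import java.security.MessageDigest

// Added illustration, not OwnTracks code. This receiver stays exported so automation
// apps such as Tasker can reach it, so the shared secret is the only barrier between
// any installed app and a location publish. Preference keys, action strings, the
// extra name and the service class name are assumptions.
class RemoteControlReceiver : BroadcastReceiver() {
    companion object {
        const val TAG = "RemoteControl"
        const val ACTION_SEND_LOCATION = "example.remotecontrol.SEND_LOCATION"
        const val ACTION_CHANGE_MONITORING = "example.remotecontrol.CHANGE_MONITORING"
        const val EXTRA_AUTH_KEY = "intentAuthKey"
        const val EXTRA_MONITORING = "monitoring"
        const val SERVICE_CLASS = "example.remotecontrol.LocationService"  // in-app, not exported
    }

    override fun onReceive(context: Context, intent: Intent) {
        val prefs = context.getSharedPreferences("remote_control", Context.MODE_PRIVATE)

        // 1. Off by default: nothing is honoured until the user opts in.
        if (!prefs.getBoolean("allowIntentControl", false)) return

        // 2. Every intent must carry the secret; compare in constant time and never log it.
        val expected = prefs.getString("intentAuthKey", null)?.toByteArray() ?: return
        val supplied = intent.getStringExtra(EXTRA_AUTH_KEY)?.toByteArray()
        if (supplied == null || !MessageDigest.isEqual(supplied, expected)) {
            Log.w(TAG, "Rejected ${intent.action}: missing or wrong auth key")
            return
        }

        // 3. Re-issue as an explicit intent to the non-exported service, copying only
        //    the extras we understand rather than forwarding the caller's intent.
        val forward = Intent().setClassName(context.packageName, SERVICE_CLASS)
        when (intent.action) {
            ACTION_SEND_LOCATION -> forward.action = ACTION_SEND_LOCATION
            ACTION_CHANGE_MONITORING -> {
                forward.action = ACTION_CHANGE_MONITORING
                forward.putExtra(EXTRA_MONITORING, intent.getIntExtra(EXTRA_MONITORING, -1))
            }
            else -> { Log.w(TAG, "Ignoring unknown action ${intent.action}"); return }
        }
        context.startService(forward)
    }
}
```

In the manifest the receiver is declared with android:exported="true" and the service with android:exported="false", so the only path into the service from outside the app is through this authenticated receiver.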

New features

  • New Remote Control preferences screen showing the intent auth key (with a copy-to-clipboard button) for use with automation apps such as Tasker
  • Config import screen now shows a structured diff of what is changing, with human-readable preference names, highlighting new values alongside the current values. Unchanged settings are summarised rather than listed in full
  • Waypoints in an imported config are listed individually in the import review screen
  • Preference setting (Android 16 and later only) to allow the user to enable the GNSS location source for Significant Monitoring mode (#2155)

Bug fixes

  • DEBUG and VERBOSE log messages are no longer emitted to the system Logcat in release builds, preventing potential PII (e.g. coordinates) leakage via TimberInMemoryLogTree (CWE-532)
  • HTTP mode no longer treats an unparsable or empty response body as a send failure. A 200 OK response is sufficient to confirm a message was delivered successfully; response body parse errors are logged as warnings and ignored (#2242)
  • Fix geofences silently failing to register with Google Play Services on devices with significant uptime, due to a Long.MAX_VALUE overflow when computing the expiration time (#2245, thanks @Cooad)