v2.6.0-beta1
Pre-release
Security
This release addresses a security advisory covering several intent-handling vulnerabilities. Users are strongly encouraged to upgrade. Thanks to Noel Gomillion & Pranati Majhi at Texas A&M for working with us on this.
- External configuration loading (via `owntracks://` URLs and config files) is now disabled by default and must be explicitly enabled in Settings → Advanced
- A confirmation dialog is shown when enabling external configuration, warning that any config URL can fully reconfigure the app
- The `allowIntentControl` intent receiver now requires a shared secret (`intentAuthKey`) in every intent, preventing unauthorised apps from triggering location publishes or changing monitoring mode
- `BackgroundService` is no longer exported; only explicit intents from within the app are accepted
- `EXIT` and `SEND_EVENT_CIRCULAR` intent actions have been removed
- `OngoingNotification` service intents are now explicit
- Security-related preferences (`allowConfigurationByURIAndConfigFile`, `allowIntentControl`, `intentAuthKey`) cannot be changed via imported config files or URLs
- Certificate fingerprint verification migrated from SHA-1 to SHA-256
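The shared-secret gate on the intent receiver, together with the switch to explicit, non-exported service intents, is the defensive pattern behind the bullets above. The following Kotlin is an added illustration of that pattern, not OwnTracks code: the extra name `auth_key`, the `remote_control` preferences file, the `RemoteControlReceiver` class and the minimal `BackgroundService` are all hypothetical; only the preference names `allowIntentControl` and `intentAuthKey` come from the release notes.

```kotlin
import android.app.Service
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.os.IBinder
import java.security.MessageDigest

/** Authorisation check for intents that arrive from outside the app (hypothetical helper). */
object IntentAuth {
    const val EXTRA_AUTH_KEY = "auth_key" // hypothetical name of the extra carrying the shared secret

    /**
     * Accept only when intent control is switched on, a key has actually been configured,
     * and the key supplied in the intent matches it. The comparison is constant-time so the
     * key cannot be recovered by measuring how quickly mismatches are rejected.
     */
    fun isAuthorised(intent: Intent, allowIntentControl: Boolean, intentAuthKey: String?): Boolean {
        if (!allowIntentControl) return false
        if (intentAuthKey.isNullOrEmpty()) return false                // no key set: accept nothing
        val supplied = intent.getStringExtra(EXTRA_AUTH_KEY) ?: return false
        return MessageDigest.isEqual(
            intentAuthKey.toByteArray(Charsets.UTF_8),
            supplied.toByteArray(Charsets.UTF_8)
        )
    }
}

/** Manifest-declared receiver that automation apps (e.g. Tasker) may target; it forwards nothing unauthorised. */
class RemoteControlReceiver : BroadcastReceiver() {
    override fun onReceive(context: Context, intent: Intent) {
        val prefs = context.getSharedPreferences("remote_control", Context.MODE_PRIVATE) // hypothetical prefs file
        val allowed = prefs.getBoolean("allowIntentControl", false)
        val key = prefs.getString("intentAuthKey", null)
        if (!IntentAuth.isAuthorised(intent, allowed, key)) return      // drop silently; no error leaks back

        // Explicit intent: the component is named, so the service can stay android:exported="false"
        // and still be reached from inside the app. Implicit intents never reach it.
        val serviceIntent = Intent(context, BackgroundService::class.java).setAction(intent.action)
        context.startService(serviceIntent)
    }
}

/** Minimal non-exported service standing in for the real one; it only acts on intents the receiver forwarded. */
class BackgroundService : Service() {
    override fun onBind(intent: Intent?): IBinder? = null

    override fun onStartCommand(intent: Intent?, flags: Int, startId: Int): Int {
        // Work is dispatched on the action here; the receiver above is the only caller.
        return START_NOT_STICKY
    }
}
```

With this layout the manifest entry for the service carries `android:exported="false"`, so a third-party app cannot start it directly; the only externally reachable surface is the receiver, and it refuses any intent that lacks the secret the user copied from the Remote Control screen. Keeping `allowIntentControl` and `intentAuthKey` out of imported configuration, as the notes state, matters because otherwise a crafted config URL could switch the gate on and set the key it wants.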
New features
- New Remote Control preferences screen showing the intent auth key (with a copy-to-clipboard button) for use with automation apps such as Tasker
- Config import screen now shows a structured diff of what is changing, with human-readable preference names, highlighting new values alongside the current values — unchanged settings are summarised rather than listed in full
- Waypoints in an imported config are listed individually in the import review screen
- Preference setting (Android 16 and later only) to allow the user to enable the GNSS location source for Significant Monitoring mode (#2155)
Bug fixes
- DEBUG and VERBOSE log messages are no longer emitted to the system Logcat in release builds, preventing potential PII (e.g. coordinates) leakage via `TimberInMemoryLogTree` (CWE-532)
- HTTP mode no longer treats an unparsable or empty response body as a send failure. A `200 OK` response is sufficient to confirm a message was delivered successfully; response body parse errors are logged as warnings and ignored (#2242)
- Fix geofences silently failing to register with Google Play Services on devices with significant uptime, due to a `Long.MAX_VALUE` overflow when computing the expiration time (#2245, thanks @Cooad)
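The geofence bug is an instance of a general overflow: an expiry computed as "uptime plus `Long.MAX_VALUE`" wraps negative on any device that has been running for more than an instant, and a negative expiry is already in the past, so registration fails without an error. The Kotlin below is an added illustration of that failure mode and of a saturating computation that avoids it; it is not the project's fix, and the function names and the 36-hour uptime value are constructed for the example.

```kotlin
/** Naive form: `elapsedMs + durationMs` wraps around as soon as the sum exceeds Long.MAX_VALUE. */
fun naiveExpiresAt(elapsedMs: Long, durationMs: Long): Long = elapsedMs + durationMs

/** Saturating form: clamps at Long.MAX_VALUE instead of wrapping to a negative value. */
fun saturatingExpiresAt(elapsedMs: Long, durationMs: Long): Long {
    require(elapsedMs >= 0 && durationMs >= 0) { "uptime and duration must be non-negative" }
    return if (durationMs > Long.MAX_VALUE - elapsedMs) Long.MAX_VALUE else elapsedMs + durationMs
}

/** Guard to apply before handing an expiry to a registration API: it must lie in the future. */
fun isValidExpiry(expiresAt: Long, nowElapsedMs: Long): Boolean = expiresAt > nowElapsedMs

fun main() {
    val uptimeMs = 36L * 3_600_000L // constructed: 36 hours since boot, standing in for SystemClock.elapsedRealtime()
    val naive = naiveExpiresAt(uptimeMs, Long.MAX_VALUE)
    val safe = saturatingExpiresAt(uptimeMs, Long.MAX_VALUE)
    println("naive      expiresAt=$naive valid=${isValidExpiry(naive, uptimeMs)}")
    println("saturating expiresAt=$safe valid=${isValidExpiry(safe, uptimeMs)}")
}
```

Running it shows the naive expiry as a large negative number that `isValidExpiry` rejects, while the saturating one stays at `Long.MAX_VALUE`. On the JVM, `Math.addExact` is the alternative when throwing on overflow is preferable to clamping; either way the useful habit is to validate the computed expiry against the current clock before registering, so that an overflow surfaces as a logged failure rather than a geofence that never fires.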