Permissions and Tracking (Android) #2030

Merged
merged 1 commit into from
Mar 3, 2023

Conversation

@dngray (Member) commented Feb 26, 2023

  • Please check this box to confirm you have disclosed any relevant conflicts of interest in your post.
  • Please check this box to confirm your agreement to grant Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform, relicense, and distribute your contribution as part of our project.
  • Please check this box to confirm you are the sole author of this work, or that any additional authors will also reply to this PR on GitHub confirming their agreement to these terms.

@dngray dngray added the c:os operating systems and related topics label Feb 26, 2023
dngray added a commit that referenced this pull request Feb 26, 2023
@netlify (netlify bot) commented Feb 26, 2023

Deploy Preview for privacyguides ready!

Latest commit: 815be70
Latest deploy log: https://app.netlify.com/sites/privacyguides/deploys/63fb3f1d881dc2000828c41a
Deploy Preview: https://deploy-preview-2030--privacyguides.netlify.app/android

@netlify (netlify bot) commented Feb 26, 2023

Deploy Preview for privacyguides ready!

Latest commit: dc4199d
Latest deploy log: https://app.netlify.com/sites/privacyguides/deploys/6401b3c9b38ab2000706f5a8
Deploy Preview: https://deploy-preview-2030--privacyguides.netlify.app

@matchboxbananasynergy (Contributor)

I'm not so sure that this makes sense. I do like the sentence in there that explains that this approach is flawed (as can be seen with Facebook), which simply highlights how bypassable such "tracker lists" are.

In other cases (such as with Bitwarden), the "trackers" which are mentioned are not actually trackers at all, and are being used to provide app functionality. The approach of labeling a specific library as a "tracker" no matter how it's being used within the app, or whether it's opt-in or opt-out, makes the usefulness of such tools dubious.

And while we may word it so that something showing up as having no trackers, or having multiple, doesn't actually mean much without context, I fear that people will be using this as "if it says zero, I'm good to go".

Can you provide me with some more information about how the decision to include this came up?

@dngray (Member, Author) commented Feb 26, 2023

I'm not so sure that this makes sense. I do like the sentence in there that explains that this approach is flawed (as can be seen with Facebook), which simply highlights how bypassable such "tracker lists" are.

I wanted to highlight that point, as the site is regularly mentioned without any of the caveats.

In other cases, (such as with Bitwarden), the "trackers" which are mentioned are not actually trackers at all, and are being used to provide app functionality.

The approach with labeling a specific library as a "tracker" no matter how it's being used within the app, or whether it's opt-in or opt-out makes the usefulness of such tools, dubious.

Oh, that's not really too useful. I thought it did more analysis than just looking at imports.

Can you provide me with some more information about how the decision to include this came up?

I think we discussed it on Matrix some time ago. It does come up from time to time, so I thought it might be useful as a preliminary investigation tool.

@matchboxbananasynergy (Contributor)

Regarding Bitwarden specifically, because I brought it up as an example in my previous reply, here's a reply from Bitwarden themselves after being asked by someone who was looking at the Exodus report about it:

https://fosstodon.org/@bitwarden/109636825700482007

If people cannot interpret what they're seeing, they're likely going to end up making bad decisions based on a tool like this. Imagine if someone disregards Bitwarden because of its "trackers" and instead opts for an option that shows up squeaky clean like Facebook, but really isn't. How is that useful for Privacy Guides readers?

@dngray (Member, Author) commented Feb 27, 2023

Regarding Bitwarden specifically, because I brought it up as an example in my previous reply, here's a reply from Bitwarden themselves after being asked by someone who was looking at the Exodus report about it:

Excellent.

I really think we should use this as an example of how the results might not be accurate.

I will say this though: in a lot of cases they are, especially when labeled "profiling", "identification" and "advertisement". Crash reporting is quite clearly labeled as that.

The reason I want to mention it is that it often gets referred to on social media/Reddit, and I think the Facebook/Bitwarden example is a perfect opportunity to discuss how these tools aren't 100% foolproof.

@dngray dngray force-pushed the pr-exodus branch 2 times, most recently from f2e156c to 6d4dec6 Compare February 27, 2023 06:12
@blacklight447 (Member)

Isn't Exodus a form of badness enumeration?

@dngray (Member, Author) commented Feb 27, 2023

Isn't Exodus a form of badness enumeration?

No, because it does actually look at the app to see what libraries are used. The point is it does work quite well, but you just need to be careful you're reading the results right. If you mean badness enumeration in the sense that the code might not be in a library, that is entirely possible too; however, that does present more effort to app developers, and they simply are not going to care about obfuscating their code from a small site like Exodus.

So for example if we look at an app that says maybe it has some "telemetry", while this is counted as a "tracker", it may be benign or harmless. Likewise with push notifications.

However, there are many things which are absolutely 100% advertising and profiling, and cannot be anything else, so I do think it has value. If you look at recent reports, and then click on some of the items, it's pretty clear.

@matchboxbananasynergy (Contributor)

No, because it does actually look at the app to see what libraries are used.

Not exactly. At least, not to my understanding (someone can correct me if I'm wrong, of course). It displays libraries that it finds that are contained in the list of what it considers bad. If a library is not enumerated by Exodus, it slips by. So it cannot really provide guarantees. Case in point, do you really think the Facebook app doesn't contain analytics at the very least?

It's a flawed and incomplete way of looking at things, and it might push people away from legitimately good options (see: Bitwarden) or lull them into a false sense of privacy in cases where apps' libraries are not being caught by Exodus.

A much better approach is to be careful about what kind of permissions you grant to an app. If you grant a permission to an app, you trust it with that data. It doesn't need libraries integrated in the app. It can collect the data itself, process it, and send it off to third parties on the server side.

While I understand that there are good intentions behind the creators of this tool, I don't think it's actually effective at what it sets out to do (and I don't blame it, the goal they've set from themselves is herculean).

I think if this PR is to go through, it should be phrased more as a word of caution and to outline the issues with this approach of confirming whether an app respects your privacy or not, and not as a recommendation.
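The detection step the two comments above are arguing about, as an added example: this is not code from the PR, from Privacy Guides, or from Exodus itself. Exodus matches the class names found in an APK's DEX files (and, for some entries, the hostnames the app contacts) against a maintained list of tracker signatures. The tracker list, the three sample apps, their class names and the hosts they contact below are all constructed for illustration, and the "crash reporter flagged, first-party analytics missed" outcome is the point both sides are making.

```python
"""Signature-based tracker detection, the way an Exodus-style report works.

Added example, not Exodus's own code. Every tracker signature, app,
class name and hostname here is constructed for illustration.
"""
import re

# Constructed tracker list: name -> (category, code regex, network regex).
# Real lists are far longer; the categories mirror the labels the
# discussion mentions ("crash reporting", "advertisement", "profiling").
TRACKER_SIGNATURES = {
    "Example Crash Reporter": (
        "Crash reporting", r"^com\.example\.crashlog\.", r"crash\.example-sdk\.net$"),
    "Example Ads SDK": (
        "Advertisement", r"^com\.example\.adnet\.", r"ads\.example-sdk\.net$"),
    "Example Profiler": (
        "Profiling", r"^io\.example\.profiler\.", r"profile\.example-sdk\.net$"),
}

# Constructed apps: package -> (class names a DEX dump would list,
# hostnames observed on the wire).
SAMPLE_APPS = {
    # A password manager that ships a crash-reporting library. It is
    # flagged even though the library only reports crashes.
    "com.example.passwordmanager": (
        ["com.example.passwordmanager.MainActivity",
         "com.example.passwordmanager.VaultService",
         "com.example.crashlog.CrashHandler"],
        ["api.example-passwordmanager.com", "crash.example-sdk.net"],
    ),
    # An app bundling an ad SDK and a profiling SDK: both are caught.
    "com.example.prayertimes": (
        ["com.example.prayertimes.MainActivity",
         "com.example.adnet.InterstitialAd",
         "com.example.adnet.AdLoader",
         "io.example.profiler.SessionTracker"],
        ["ads.example-sdk.net", "profile.example-sdk.net"],
    ),
    # An app whose analytics live under its own package and talk to its
    # own domain: nothing in the list matches, so the report says zero.
    "com.example.social": (
        ["com.example.social.MainActivity",
         "com.example.social.analytics.EventLogger",
         "com.example.social.analytics.DeviceFingerprint"],
        ["graph.example-social.com"],
    ),
}


def find_trackers(class_names, hosts):
    """Return {tracker_name: category} for each signature that matches a
    class-name prefix or a contacted host. This is the entire detection
    step: a lookup against an enumerated list."""
    found = {}
    for name, (category, code_re, net_re) in TRACKER_SIGNATURES.items():
        in_code = any(re.match(code_re, cls) for cls in class_names)
        on_wire = any(re.search(net_re, host) for host in hosts)
        if in_code or on_wire:
            found[name] = category
    return found


def report(package):
    """Build a small report for one constructed app, separating the
    categories that cannot plausibly be app functionality."""
    classes, hosts = SAMPLE_APPS[package]
    trackers = find_trackers(classes, hosts)
    return {
        "package": package,
        "tracker_count": len(trackers),
        "trackers": trackers,
        "ad_or_profiling": sorted(
            n for n, c in trackers.items() if c in ("Advertisement", "Profiling")),
    }


if __name__ == "__main__":
    for pkg in SAMPLE_APPS:
        r = report(pkg)
        print(f"{r['package']}: {r['tracker_count']} tracker(s) {r['trackers']}")
```

Reading the output the way dngray suggests means looking at the categories, not the count: the password manager's single hit is crash reporting, the second app's two hits are advertisement and profiling, and the third app's zero says nothing about its first-party analytics, which is matchboxbananasynergy's objection.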

@jonaharagon (Member)

@matchboxbananasynergy what are your thoughts on recommending the use of Exodus to review app permissions? https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/ lays them out relatively nicely, and they highlight permissions which are considered dangerous/special by the Android developer guidelines.

@matchboxbananasynergy (Contributor)

@matchboxbananasynergy what are your thoughts on recommending the use of Exodus to review app permissions? https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/ lays them out relatively nicely, and they highlight permissions which are considered dangerous/special by the Android developer guidelines.

I don't really see the point in that, personally. Dangerous permissions (the ones that are marked as such on Exodus' reports as well) are not granted by default, and require explicit consent from the user for the app to obtain them.

So, we have dangerous permissions (those that allow access to one's profile data, such as contacts, files etc.), and then normal permissions, which don't grant access to data but may be necessary for the app to provide the functionality it needs.

By having a gigantic list of all defined permissions, be they dangerous or not, someone who is trying to evaluate an app may just get overloaded with information and lose the plot, and I don't really want to see someone deciding whether they should use an app on the grounds of "This app requires 20 permissions, and this one requires 3, so I'll choose the latter" when the one with the 3 permissions may require some of the most invasive/dangerous permissions out there.

Also, listing out an app's permissions in that way doesn't account for the fact that while an app may require, for example, access to your files or location, it doesn't mean that the app needs those permissions to function. A lot of optional functionality is provided by giving an app access to a permission, but those permissions are in no way mandatory (The GrapheneOS Camera would be a great example of that, as it optionally allows you to grant it the location permission, so that it can geotag photos that you take - needless to say, that is completely optional.)

All in all, a list of permissions, much like the "trackers" caught by Exodus doesn't tell the full story, and is a very incomplete tool that doesn't really replace properly looking into an app and determining whether it's something that infringes on your privacy.
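One way to look at a permission list the way this comment suggests, grouping by protection level rather than counting, as an added example that is not Privacy Guides, Exodus or Android code. PROTECTION_LEVEL is an assumed subset of Android's permission table (the authoritative source is the framework's own AndroidManifest.xml), and the two manifests are constructed to mirror the "many permissions vs. three" scenario above; the maxSdkVersion handling reflects the fact that a permission declared only up to SDK 32 is not requested at all on Android 13.

```python
"""Classify an app's requested permissions instead of counting them.

Added example; not Privacy Guides, Exodus or Android code. The protection
levels are an assumed subset of Android's table and both manifests are
constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed subset. "dangerous" permissions need a runtime prompt, "special"
# ones are toggled from a Settings screen, "normal" ones are granted
# silently at install time.
PROTECTION_LEVEL = {
    "android.permission.INTERNET": "normal",
    "android.permission.ACCESS_NETWORK_STATE": "normal",
    "android.permission.VIBRATE": "normal",
    "android.permission.WAKE_LOCK": "normal",
    "android.permission.RECEIVE_BOOT_COMPLETED": "normal",
    "android.permission.FOREGROUND_SERVICE": "normal",
    "android.permission.NFC": "normal",
    "android.permission.CAMERA": "dangerous",
    "android.permission.READ_CONTACTS": "dangerous",
    "android.permission.ACCESS_FINE_LOCATION": "dangerous",
    "android.permission.READ_EXTERNAL_STORAGE": "dangerous",
    "android.permission.READ_MEDIA_IMAGES": "dangerous",   # Android 13+
    "android.permission.POST_NOTIFICATIONS": "dangerous",  # Android 13+
    "android.permission.SYSTEM_ALERT_WINDOW": "special",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "special",
}


def requested_permissions(manifest_xml, device_sdk):
    """Permissions the app actually requests on a device running device_sdk.
    A declaration with android:maxSdkVersion="32" is skipped on SDK 33."""
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(f"{{{ANDROID_NS}}}name")
            max_sdk = elem.get(f"{{{ANDROID_NS}}}maxSdkVersion")
            if name is None or (max_sdk is not None and device_sdk > int(max_sdk)):
                continue
            names.append(name)
    return names


def classify(names):
    """Group names by protection level; anything outside the table
    (vendor or app-defined permissions) lands in "unknown"."""
    buckets = {"dangerous": [], "special": [], "normal": [], "unknown": []}
    for name in names:
        buckets[PROTECTION_LEVEL.get(name, "unknown")].append(name)
    return {level: sorted(v) for level, v in buckets.items()}


def summarize(manifest_xml, device_sdk=33):
    groups = classify(requested_permissions(manifest_xml, device_sdk))
    return {"total": sum(len(v) for v in groups.values()), **groups}


# Constructed: a QR-code scanner with a long but mostly harmless list.
MANIFEST_MANY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscanner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"
      android:maxSdkVersion="32"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="com.example.qrscanner.permission.SYNC"/>
</manifest>"""

# Constructed: a flashlight app with only three permissions, two of which
# hand over contacts and precise location.
MANIFEST_FEW = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("qrscanner", MANIFEST_MANY), ("flashlight", MANIFEST_FEW)):
        s = summarize(manifest)
        print(f"{label}: {s['total']} requested, dangerous={s['dangerous']}")
```

The scanner asks for eleven permissions on Android 13 but its dangerous ones are the camera, notifications and photo access that a QR app plausibly needs; the flashlight asks for three, two of which are contacts and precise location. Which of those a user should actually grant is a separate question from what the manifest declares.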

@jonaharagon (Member)

Makes sense, I think I agree with you and @blacklight447.

@dngray I think even if I did agree with you, I don't really see this specific tool being a solid recommendation for the site, seeing as 90% of the text in this PR itself is basically explaining why Exodus is not super useful, so I'm going to close this PR.

Exodus maintaining a list of trackers "which are absolutely 100% advertising and profiling, and cannot be anything else" is <scary-word>badness enumeration</scary-word>, and even though I generally disagree with the premise that "badness enumeration" is always a bad thing which many people here like to believe, I think if that's something you want to do on your own device there are better alternatives, like blocking the trackers entirely with a DNS-level ad/tracker blocking tool for example, so merely listing them like Exodus does is not a super compelling use-case to me.

@dngray (Member, Author) commented Feb 28, 2023

Dangerous permissions (the ones that are marked as such on Exodus' reports as well) are not granted by default, and require explicit consent from the user for the app to obtain them.

That is fine, it's also important to note that Exodus does link to the Google article on permissions that expands on this further.

By having a gigantic list of all defined permissions, be they dangerous or not, someone who is trying to evaluate an app may just get overloaded with information and lose the plot, and I don't really want to see someone deciding whether they should use an app on the grounds of "This app requires 20 permission, and this one requires 3, so I'll choose the latter" when the one with the 3 permission may require some of the most invasive/dangerous permissions out there.

I also don't think we should treat every reader as if they are so dumb they can't figure out anything for themselves. It is not a recommendation card, simply an entry on a page that already exists.

I think what we say about it, which is that:

Android applications often require permissions for simple features. Don't be alarmed if your app requires a certain permission. For example, anything that has QR code functionality will require the camera permission. If you are concerned, you will need to investigate further.

What I wrote sufficiently addresses that.

All in all, a list of permissions, much like the "trackers" caught by Exodus doesn't tell the full story, and is a very incomplete tool that doesn't really replace properly looking into an app and determining whether it's something that infringes on your privacy.

Just because one app doesn't have any third party trackers (Facebook's would be internal), and Bitwarden only has some crash analytics, does not make the tool useless.

Most apps will import libraries from adtech developers simply because re-implementing that in their own code is going to be annoying to maintain. They're going to want to use simple APIs in a modular method which is in line with the maintenance practices of their app. Remember Exodus is such a small website that they are not going to be actively mitigating that.

Remember not to let perfect be the enemy of good.

If you look at example of other apps and I suggest you do, you'll see that you can get a pretty good idea from the trackers found, what the app will actually do.

You don't need much imagination to see what these are allowing:

@dngray dngray reopened this Feb 28, 2023
@dngray (Member, Author) commented Feb 28, 2023

So I was having a look at religious apps. In this case, I chose to look at some Quran apps:

The point is it is what is labeled on the box; with other Quran apps, we can see they are likely to be more privacy friendly:

Note it does have the warning there: The application could contain tracker(s) we do not know yet.

So yes, I still think Exodus can be useful as a tool to decide whether you want an app on your phone. There are advertisers out there, they use tracking. They are not changing their domains and APIs for each customer so this approach is going to pick up most of them sooner or later.

I am well aware they could encode or decode their imports in hex or whatever to hide from the analysis, but I think it's pretty unlikely. They are companies who have to pay taxes, pay app developers, and have registered companies; this is an entirely different threat model to that of a criminal trying to exfiltrate some data from the device.

It's important to remember the threat model of this app is not to get around Exodus, and they do have to get approved to be on Google Play.

@matchboxbananasynergy (Contributor)

If you want to avoid "trackers" in these apps, why wouldn't you just block connections to these services via DNS instead of using Exodus? I know you say "give people some credit", essentially, but I'm willing to bet that most people seeing Bitwarden's entry on Exodus will make them not want to use it. I know this because I've had to explain the simple fact that what's shown there isn't a bad thing numerous times.

Do apps use tracking and ad SDKs? Absolutely they do. The extent of how much that matters varies wildly. If Exodus is going to be mentioned in any way shape or form on Privacy Guides, I think the section needs to be much more elaborate and talk about what it can and cannot provide much more, because as much as it can provide some information that may be useful when evaluating whether an app makes sense for you, it can be very confusing and turn people away from great apps because libraries they contain are being misinterpreted.

People are generally not going to be able to tell them apart, so we either need to go in depth, or not at all imo.

@dngray (Member, Author) commented Feb 28, 2023

I've decided to re-write this whole section and make it more about Permissions and Trackers in general, as well as discuss some of the recent permission changes in supported versions of Android. This is in line with the thinking in #1984

If you want to avoid "trackers" in these apps, why wouldn't you just block connections to these services via DNS instead

Perhaps you want to just avoid these things altogether rather than try to neuter them.

Bitwarden's entry on Exodus will make them not want to use it.

I've expanded upon that, and I still think it is better to explain that, rather than ignore it, considering Bitwarden is a product we also recommend.

Do apps use tracking and ad SDKs? Absolutely they do. The extent of how much that matters varies wildly.

It can, and you can get a pretty good idea, based on the kinds of data that a specific company collects.

If Exodus is going to be mentioned in any way shape or form on Privacy Guides, I think the section needs to be much more elaborate and talk about what it can and cannot provide much more, because as much as it can provide some information that may be useful when evaluating whether an app makes sense for you, it can be very confusing and turn people away from great apps because libraries they contain are being misinterpreted.

Perhaps, and I am happy to elaborate on that, because Exodus does get mentioned a lot, so we should educate people on that. I have added some of the ones I can think of.

People are generally not going to be able to tell them apart, so we either need to go in depth, or not at all imo.

That will happen anyway whether we mention it or not.

@dngray dngray changed the title Mention Exodus Permissions and Tracking (Android) Feb 28, 2023
@dngray dngray marked this pull request as draft February 28, 2023 13:00
@ph00lt0 (Contributor) commented Feb 28, 2023

I feel a lot for @dngray's proposal. Exodus can help in making a decision when multiple apps exist for the same purpose. If few trackers are found, it's more likely that they are blocked by your private DNS. We should also realize people will use apps that we do not think about and will not all have GrapheneOS.

@matchboxbananasynergy (Contributor)

Circling back on this since it has been reworded. I think I would change a few things here and/or elaborate more, but wouldn't this be better under https://www.privacyguides.org/en/os/android-overview/#android-permissions?

dngray added a commit that referenced this pull request Mar 2, 2023
@dngray (Member, Author) commented Mar 2, 2023

wouldn't this be better under https://www.privacyguides.org/en/os/android-overview/#android-permissions?

I think so, this works

@dngray dngray marked this pull request as ready for review March 2, 2023 17:44
@matchboxbananasynergy (Contributor)

I think so, this works

I think you misunderstood me. You thought I meant you should change the header.

I was pointing to the fact that there is a section on Android Permissions in the Android Overview page, under the Knowledge Base:

https://www.privacyguides.org/en/os/android-overview/#android-permissions

@dngray (Member, Author) commented Mar 3, 2023

I was pointing to the fact that there is a section on Android Permissions in the Android Overview page, under the Knowledge Base:

Oh, yes you're right. I actually forgot about that.

@dngray dngray merged commit dc4199d into main Mar 3, 2023
@dngray dngray deleted the pr-exodus branch March 3, 2023 08:46
@privacyguides-bot (Collaborator)

This pull request has been mentioned on Privacy Guides. There might be relevant details there:

https://discuss.privacyguides.net/t/v3-4/11988/1
