Tracker in Nextcloud Client App for Android (on iOS too!)

Why on earth does the Nextcloud Client App for Android have a well-known Google Firebase Tracker?

https://reports.exodus-privacy.eu.org/en/reports/66060/

P.S. Nextcloud Talk App as well!
https://reports.exodus-privacy.eu.org/en/reports/61846/

This is not Privacy by design and default!

1 Like

That’s a question for the developers: https://github.com/nextcloud/android
and https://github.com/nextcloud/talk-android

It seems that this issue has already been fixed a couple of days ago:

Would you please forward it to them, though I believe this is a political issue as well.

It’s disturbing that Exodus reports are dated March 2019 for current version 3.5.1.
This indicates to me that the problem is still pending.

1 Like

@mario Could you please comment?

3.6.0 is in beta I believe, so once it’s released we will be all fine.

1 Like

Current iOS Nextcloud Apps are sending data to crashlytics.com (Markmonitor). Also to play.googleapis.com (on iOS?!?!)

WTF!!

Hi @jakobssystems
thanks for letting us know! We had a look and this is the information I received from our engineers:

With regards to iOS:

Crash analytics

crashlytics.com gets really only crash information, you can check the source code to verify what data is sent by our app. We’ll look into providing an option to disable this altogether, however.

push notifications server

We used play.google.com for push notifications, we have moved to ‘pushkit’ so this will no longer show up in a more recent version of our iOS app. In any case, though, no unencrypted information was ever sent through google, nor do we believe the ‘metadata’ can be used to infer anything other than “this app is being used”.

Talk iOS app has never used Crashlytics and doesn’t use Firebase anymore since we moved to PushKit. We’re not aware of any third party library that we use in Talk iOS that sends any tracking info.

I need to check up still on the Apple app store connection.

analytics

Until about a year ago, we had Firebase analytics enabled in our iOS client, which was sending only information about if users were using the app and what country they were from. This was disabled with this commit:


It won’t be enabled anymore (as we removed Firebase entirely now).

With regards to Android:

push notifications server

As soon as you open the app it communicates with Google in order to get the push token, and on push notifications, data is sent (encrypted) through this channel. Like said above, no unencrypted information was or is ever sent through google, nor do we believe the ‘metadata’ can be used to infer anything other than “this app/server is active”. As push notifications can be sent for a variety of reasons from calendar notifications to shares to incoming calls and they all would look the same to the push server, we don’t think this is very useful information.

There is nothing sent if you use the F-Droid version, this also means it has no push notifications…

Together with a community volunteer we’ve built a SSE server so you will hopefully soon be able to use that instead of Google provided you grab a build from F-Droid. We’ll have to run this SSE server ourselves. For iOS there are no (and can’t be, as far as we know) alternatives.

Analytics

WRT firebase analytics on Android, this issue was found and solved last year in the Files client, for Talk more recently. We checked and FireBase analytics was shipped and enabled for a while in the Files app, for 3 minor releases: 3.2.0, 3.2.1 and 3.2.4. from June to September 2018. It reported only on crashes and time of user activity, giving us a percentage of active users, engagement per session and nr of crashes. No other information was collected and transmitted. While this is of course useful information for us, we didn’t intend to collect this and thus disabled it when we found out.

It was never shipped enabled for Talk for Android.

I hope this answers your questions.

3 Likes

Hi there, hi @jospoortvliet ,

I’m still seeing some “tracker domains” being contacted by Nextcloud App on iOS (both are updated to the latest version):

firebase-settings.crashlytics.com - there’s still no option to disable this!?
firebaselogging-pa.googleapis.com - this doesn’t reflect https://github.com/nextcloud/ios/commit/8f6fbe0a2a6ce97caa1b5f99ed04e9525f7c38ba :frowning_face:

I got them by the “app privacy report” on iOS and analyzing the ndjson.

Please keep us updated regarding this not being Privacy by design and default.
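
The App Privacy Report check mentioned in the last post can be scripted. The following is an added example, not code from any poster or from the Nextcloud project. It assumes the export's `networkActivity` records carry `bundleID`, `domain` and `hits` fields; the bundle ID and all sample records are constructed.

```python
import json
from collections import defaultdict

# Domain suffixes to flag: the hosts named in this thread.
WATCHLIST = ("crashlytics.com", "googleapis.com")

# Constructed sample export (not real data); field names are an assumption.
SAMPLE_NDJSON = """\
{"type":"networkActivity","bundleID":"com.example.cloudfiles","domain":"firebase-settings.crashlytics.com","hits":3}
{"type":"networkActivity","bundleID":"com.example.cloudfiles","domain":"firebaselogging-pa.googleapis.com","hits":5}
{"type":"networkActivity","bundleID":"com.example.cloudfiles","domain":"firebaselogging-pa.googleapis.com","hits":2}
{"type":"networkActivity","bundleID":"com.example.cloudfiles","domain":"cloud.example.org","hits":40}
{"type":"networkActivity","bundleID":"com.example.otherapp","domain":"play.googleapis.com","hits":9}
{"type":"access","accessor":{"identifier":"com.example.cloudfiles","identifierType":"bundleID"},"category":"photos"}
{"type":"networkActivity","bundleID":
"""

def matches(domain, suffixes=WATCHLIST):
    """True if domain equals a watched suffix or is a subdomain of it."""
    domain = domain.lower().rstrip(".")
    return any(domain == s or domain.endswith("." + s) for s in suffixes)

def flagged_domains(ndjson_text, bundle_id):
    """Sum hits per watched domain contacted by one app."""
    totals = defaultdict(int)
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a truncated or corrupt line in the export
        if rec.get("type") != "networkActivity":
            continue  # sensor/data access records are not network contacts
        if rec.get("bundleID") != bundle_id:
            continue
        domain = rec.get("domain", "")
        if matches(domain):
            totals[domain] += int(rec.get("hits", 1))
    return dict(totals)

if __name__ == "__main__":
    result = flagged_domains(SAMPLE_NDJSON, "com.example.cloudfiles")
    for domain, hits in sorted(result.items()):
        print(f"{hits:4d}  {domain}")
```

Matching on a dot-delimited suffix avoids flagging unrelated hosts that merely end in the same characters.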