Privacy comparison PlayStore vs APK Store vs F-Droid version

CMatt · January 14, 2022, 6:16pm

For people who value the spirit privacy, FOSS, Non-GAFAM, degoogled etc will be great to have all this explained and no doubt.

Was it possible to completely remove the Amazon trackers from the code?
https://github.com/cryptomator/android/issues/312
Amazon Kinesis and Amazon Metrics In Android App
Is it currently in the APK Store / Github and F-Droid version?

Any tracking code
Any code “calling home”, analytics, crashlytics, social-login, etc
Any proprietary dependencies

Although I do not use PlayStore personally, tell me what badware contains the PlayStore version?
I am aware that in this version you will not avoid some of the bad code, but your application can not be tested for exodus-privacy
Are there any differences between the APK Store and F-Droid version?
For example: Does the APK Store version describe dependences for GDrive?

Cheers!

SailReal · January 14, 2022, 8:18pm

Yes, we switchted the dependency to another one so this (disabled) tracking library is completely removed, see

All versions doesn’t contain

any tracking code
any code “calling home”, analytics, crashlytics, social-login, etc

The F-Droid version doesn’t contain proprietary dependencies because there we removed Google Drive cloud but the APK store variant and the Google Playstore variant does support Google Drive and therefore have a proprietary dependency.

See 2. but you can run exodus for sure, we use it on every release to check if any library added tracking, see

github.com

cryptomator/android/blob/develop/fastlane/Fastfile#L268-L278


      
              sh("zipalign -v -p 4 ../presentation/build/outputs/apk/lite/release/presentation-lite-release-unsigned.apk presentation-lite-release-unsigned-aligned.apk")
              sh("apksigner sign --ks #{ENV["SIGNING_KEYSTORE_PATH"]} --ks-key-alias #{ENV["SIGNING_KEY_ALIAS"]} --ks-pass env:SIGNING_KEYSTORE_PASSWORD --key-pass env:SIGNING_KEY_PASSWORD --out release/Cryptomator-#{version}_lite_signed.apk presentation-lite-release-unsigned-aligned.apk")
          	  sh("rm presentation-lite-release-unsigned-aligned.apk")
          
              lane_context[SharedValues::GRADLE_APK_OUTPUT_PATH] = File.join(Dir.pwd, 'release', "Cryptomator-#{version}_lite_signed.apk")
          
              checkTrackingAddedInDependencyUsingIzzyScript(alpha:options[:alpha], beta:options[:beta], flavor: 'lite')
              checkTrackingAddedInDependencyUsingExodus(alpha:options[:alpha], beta:options[:beta], flavor: 'lite')
            end
          
            desc "Check if tracking added in some dependency using Izzy's script"

As well we’re running Izzy’s script (which also runs on the F-Droid servers), see

github.com

cryptomator/android/blob/develop/fastlane/Fastfile#L223-L266


      
            properties: {
              "android.injected.signing.store.file" => ENV["SIGNING_KEYSTORE_PATH"],
              "android.injected.signing.store.password" => ENV["SIGNING_KEYSTORE_PASSWORD"],
              "android.injected.signing.key.alias" => ENV["SIGNING_KEY_ALIAS"],
              "android.injected.signing.key.password" => ENV["SIGNING_KEY_PASSWORD"],
            }
          )
          
          checkTrackingAddedInDependencyUsingIzzyScript(alpha:options[:alpha], beta:options[:beta], flavor: 'fdroid')
          checkTrackingAddedInDependencyUsingExodus(alpha:options[:alpha], beta:options[:beta], flavor: 'fdroid')
          
          if options[:alpha] or options[:beta]
            puts "Skipping deployment to F-Droid cause there isn't currently a alpha/beta channel"
          else
            puts "Updating F-Droid"
          
            FileUtils.cp(lane_context[SharedValues::GRADLE_APK_OUTPUT_PATH], "repo/Cryptomator.apk")
          
            sh("cp -r #{fdroidMetadataDir} metadata/org.cryptomator/")
            FileUtils.cp("metadata/org.cryptomator/en-US/changelogs/default.txt", "metadata/org.cryptomator/en-US/changelogs/#{version}.txt")

This file has been truncated. show original

See 2.

CMatt · January 15, 2022, 1:33pm

Does this mean that the F-Droid version is “the purest” from all?
Can I download the apk F-droid version somewhere if the F-droid store also does not use?

I mean https://exodus-privacy.eu.org

Can you help me how to start Exodus and Izzy’s script locally?
I am too thin for it

Thank you very much for your time and patience!

SailReal · January 16, 2022, 4:18pm

That is true.

You can download this version from GitHub releases: Releases · cryptomator/android · GitHub
It’s the one with the following name: Cryptomator-X.Y.Z_fdroid_signed.apk but please make sure that you check the SHA256 hash after downloading and before installing the APK. Furthermore this version is normally updated using F-Droid so it doesn’t have an auto updater included (in contrast to the APK store version), so please make sure that you are aware of updates and install them ASAP.

We’re using the exodus checker from this organization using their docker image, see GitHub - Exodus-Privacy/exodus-standalone: εxodus CLI client for local analysis. Please checkout our linked fastlane script above, which commands we do execute or see the linked GitHub repo to know how to use exodus-standalone.

Regarding Izzy’s script I would also recommend to study the calls we execute in our Fastlane script and map them to normal terminal commands like e.g. FileUtils.mkdir("unsigned") → mkdir unsigned