this post was submitted on 06 Oct 2023
81 points (77.2% liked)
Open Source
31358 readers
484 users here now
All about open source! Feel free to ask questions, and share news, and interesting stuff!
Useful Links
- Open Source Initiative
- Free Software Foundation
- Electronic Frontier Foundation
- Software Freedom Conservancy
- It's FOSS
- Android FOSS Apps Megathread
Rules
- Posts must be relevant to the open source ideology
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
- !libre_culture@lemmy.ml
- !libre_software@lemmy.ml
- !libre_hardware@lemmy.ml
- !linux@lemmy.ml
- !technology@lemmy.ml
Community icon from opensource.org, but we are not affiliated with them.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Please be more explicit about the so-called "tracker" reported by exodus here. "Tracker" is a broad term that covers not just actual tracking and ad libraries but also crash detection and error reporting libraries, which can be useful as long as they are opt-in with informed user consent. Without knowing the exact library detected here, and how it is used, one cannot assess whether it is truly spyware or not.
From a cursory glance at the build.gradle I do see ACRA as a dependency here, which is sometimes (mistakenly) considered as a "tracker" but is actually a free software crash reporting library used by many free software Android apps including NewPipe and the F-Droid client itself. A cursory search across the codebase reveals ACRA is not even always enabled (it seems to depend on build configuration) and this dialog appears to be where the user is asked for consent for sharing a crash report.
Of course, Exodus can't tell how a library is used or even if it's used at all, it just sees a scary class name and warns about trackers. It might be useful to check if some proprietary app has suspicious behavior but it is by no means an actual malware scanner.
edit: it doesn't appear Exodus considers ACRA as a "tracker" as it is not included in their list however my point still stands. an Exodus report by itself isn't proof of nefarious activity unless backed up with more concrete evidence e.g. network analysis or source code analysis.
edit 2: I just installed ClassyShark and ran it on NewPipe, and it does show ACRA as a "tracker" however Exodus itself says NewPipe has no trackers. ClassyShark has not been updated in over a year so I assume it is using an out of date database. Something like TrackerControl which is more actively updated might be a better alternative.