LN-Zap / zap-android

Zap Wallet - Native android lightning wallet for node operators focused on user experience and ease of use ⚡️
MIT License

Privacy Concern: Zap wallet accessing 3rd party servers #279

Closed ghost closed 3 years ago

ghost commented 3 years ago

Zap is doing those calls:

[Screenshot attached: Screenshot_20201213-220957_NetGuard_1.png]

And the wallet is NOT working when fulmo.org is disabled.

Why is the wallet doing that?

I am a little bit worried that a wallet connected to my LN node is doing something like that.

I would expect that the only communication will be the communication with my node.

michaelWuensch commented 3 years ago

Hi, thanks for your issue. I can explain the blockchain.info call. This is to fetch current exchange rates. But the fulmo thing, I have no idea where that comes from. I do not even know what fulmo.org is, so I definitely did not add a call like that on purpose. And I don't think this is in any dependency either.

What node setup do you have? A RaspiBlitz? When I go to fulmo.org there seems to be stuff about RaspiBlitz mentioned.

Can you test using another app like Zeus and see if this also needs fulmo to work? If yes, then it is not a Zap issue.

michaelWuensch commented 3 years ago

What software did you use that shows this? I would like to try if I can reproduce this on my device.

michaelWuensch commented 3 years ago

Actually, after googling I think this has something to do with Tor. tondro01.fulmo.org seems to be a Tor node. Do you use Tor to connect to your node? If yes, it would also make sense why it doesn't work if you block it. You cannot block the Tor node you are connected to and expect it to work. Please try to connect to another Tor node and see if the address Zap tries to connect to changes. If yes, there is nothing to worry about.

ghost commented 3 years ago

Yes, I am running Raspiblitz and my node is behind Tor, but to make Zap work I had to use IP2TOR.

I only had the IP, so I didn't know that this was the domain. Sorry for the confusion. I should have double checked it before.

> I can explain the blockchain.info call. This is to fetch current exchange rates.

Thank you for clearing it up. I would suggest disabling this by default. I have seen in the settings that I can choose what source the app will use. Maybe the app could ask this on the first startup.

I will close the issue as the privacy concern was cleared. Thank you :)

michaelWuensch commented 3 years ago

No problem, better safe than sorry.

The blockchain.info call only queries the current exchange rate; it of course does not send any information about your balances or any other personal data, with the exception of the IP. If you want to disable this, you can select a bitcoin unit as second currency instead of a fiat currency. In this case no further exchange rate request will be sent.
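A small egress check one could run over an on-device firewall's connection list to separate the node connection from optional and unexplained destinations, as an added example that is not code from Zap or from anyone in this thread. The connection entries, the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses and the tracker.example host are constructed, and the IP2TOR bridge is assumed to be configured in the wallet as a bare IP while the firewall shows it under its hostname, as the reporter describes.

```python
import ipaddress

# Constructed sample, shaped like an on-device firewall (NetGuard-style) connection
# list: destination IP, the name it was shown under, and the destination port.
OBSERVED_CONNECTIONS = [
    {"daddr": "203.0.113.10", "dname": "tondro01.fulmo.org", "dport": 10009},  # IP2TOR bridge
    {"daddr": "198.51.100.7", "dname": "blockchain.info", "dport": 443},       # rate lookup
    {"daddr": "192.0.2.55", "dname": "tracker.example", "dport": 443},         # constructed, unexplained
]

# What the user pasted into the wallet: the bridge as a bare IP (assumption), so the
# bridge hostname never appears in the wallet's own configuration.
NODE_ENDPOINT = "203.0.113.10:10009"

# Hosts the wallet may contact for optional features, with the setting that turns them off.
OPTIONAL_HOSTS = {
    "blockchain.info": "exchange rate lookup; off when a bitcoin unit is the second currency",
}


def _split_endpoint(endpoint: str) -> tuple[str, int]:
    """Split host:port, accepting IPv4, hostnames and [IPv6]:port."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def classify(conn: dict, node_endpoint: str = NODE_ENDPOINT) -> str:
    """Return 'node', 'optional:<reason>' or 'unexpected' for one observed connection."""
    node_host, node_port = _split_endpoint(node_endpoint)
    # Compare on the IP when the endpoint is configured as an IP, otherwise on the name,
    # so a bridge the firewall lists under its reverse-DNS name is still recognised.
    host_matches = conn["daddr"] == node_host if _is_ip(node_host) else conn["dname"] == node_host
    if host_matches and conn["dport"] == node_port:
        return "node"
    if conn["dname"] in OPTIONAL_HOSTS:
        return "optional:" + OPTIONAL_HOSTS[conn["dname"]]
    return "unexpected"


def audit(conns=OBSERVED_CONNECTIONS, node_endpoint: str = NODE_ENDPOINT) -> dict:
    """Map each destination name to its class; 'unexpected' entries are the ones to follow up."""
    return {c["dname"]: classify(c, node_endpoint) for c in conns}
```

Anything reported as `unexpected` is what deserves the kind of question this issue asked; a bridge or Tor relay that matches the configured endpoint is expected and must not be blocked if the wallet is to reach the node.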