TheArtyomMDev / BeWell

Apache License 2.0

non-free dependencies #5

Open IzzySoft opened 2 years ago

IzzySoft commented 2 years ago

I just noticed your latest release adds several non-free dependencies, some even falling into the category "Tracking" (which is a no-go for apps in the health sector):

Offending libs:
---------------
* Google Mobile Services (/com/google/android/gms): NonFreeDep
* Cloud Audit Logs (/com/google/cloud/audit): Tracking
* Firebase (/com/google/firebase): NonFreeNet,NonFreeDep

3 offenders.

Can you please revert their addition – or at least provide the APK of a build flavor coming without those? Until then I unfortunately have to disable automated updates for your app in my repo and remove the last version :cry:

IzzySoft commented 2 years ago

Um… After updating my library definitions:

Offending libs:
---------------
* Google Mobile Services (/com/google/android/gms): NonFreeDep
* Cloud Audit Logs (/com/google/cloud/audit): Tracking
* Firebase (/com/google/firebase): NonFreeNet,NonFreeDep
* Play Services SafetyNet (/com/google/android/gms/safetynet): NonFreeDep,NonFreeNet
* Google App Engine (/com/google/appengine): NonFreeNet

5 offenders.

Seeing SafetyNet: Does the app even still run on devices without Google Services (e.g. with pure custom ROMs without those installed)?

TheArtyomMDev commented 2 years ago

Yes, it will run without Google services (because it needs only Firestore to upload measurement results, and Firestore doesn't require GMS as far as I know). I am watching closely that my app doesn't require GMS because I'm planning to get rid of them on my phone.

TheArtyomMDev commented 2 years ago

I added only Firestore, but GMS, SafetyNet, Audit Logs and App Engine were added automatically; I will try to remove them. Right now you could disable the internet connection during measurements (or cut it for my app) if you don't want results to be uploaded. But it's my coursework, so I need to collect measurement results to prove that my app is working.

TheArtyomMDev commented 2 years ago

Okay, I suggest a solution: registration is still required, but in the next update I will add an option to disable collecting your measurement results. Also I will try to remove other libraries (such as GMS and Google Audit Logs); however, you can see that I don't use them (only Firestore to keep results). Finally, later I will add privacy notes such as which data I am collecting and for what.

TheArtyomMDev commented 2 years ago

So, what do you think of this?

IzzySoft commented 2 years ago

That sounds all good, @TheArtyomMDev (and apologies for my late response, but my GitHub notifications were not sent to my mail for some reason, which is hopefully fixed by now). The less proprietary dependencies, the better :wink: Please let me know when a new release (APK) is available, so I can check again.

Ideally, and to be compliant for inclusion to F-Droid.org, you'd drop all proprietary dependencies entirely. If you think some of that (here: Firestore) is really needed, you could use build flavors: one (e.g. named gplay) includes them, another (e.g. foss) comes entirely without. I'd then prefer to pick the latter for my repo – and if you want can also help you get listed directly with F-Droid.org.
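A build-flavor setup of the kind suggested above, as an added illustration that is not part of the BeWell project or of this thread. It assumes the app module uses a Groovy `build.gradle`; the flavor names `gplay`/`foss`, the application-id suffix, the Firestore version and the `ResultUploader` source-set split are all assumptions.

```groovy
// app/build.gradle (added illustration, not the project's own file)
android {
    // One dimension with two flavors: "gplay" keeps Firestore, "foss" ships without it.
    flavorDimensions "distribution"
    productFlavors {
        gplay {
            dimension "distribution"
        }
        foss {
            dimension "distribution"
            // Assumed suffix so both flavors can be installed side by side for comparison.
            applicationIdSuffix ".foss"
        }
    }
}

dependencies {
    // Libre dependencies shared by both flavors stay in plain `implementation`.
    // Only the gplay variant pulls Firestore (and, transitively, Firebase/GMS classes),
    // so the foss APK never contains /com/google/firebase or /com/google/android/gms.
    gplayImplementation 'com.google.firebase:firebase-firestore:24.0.0' // assumed version
}

// The google-services plugin reads google-services.json and must only run for gplay
// tasks; a common idiom is to gate it on the requested task names (e.g. assembleGplayRelease).
if (gradle.startParameter.taskRequests.toString().contains("Gplay")) {
    apply plugin: 'com.google.gms.google-services'
}

// Flavor source sets supply two implementations of one interface, so the shared code
// compiles against either without any runtime feature flag (paths are assumptions):
//   src/main/java/.../ResultUploader.kt      interface ResultUploader { fun upload(r: Result) }
//   src/gplay/java/.../FirestoreUploader.kt  writes the measurement to Firestore
//   src/foss/java/.../NoopUploader.kt        keeps results local, no network code at all
```

`./gradlew assembleFossRelease` then produces the APK to attach to releases; running the module scan from the thread over it should report zero offenders, while the gplay APK still lists the Firebase entries.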

TheArtyomMDev commented 2 years ago

New build is ready. Could you please provide the website or program that you are using to find which libs I am using in the APK?

IzzySoft commented 2 years ago

Sure: it's FOSS and freely available (and even used in different CIs already). Instead of linking you to the code directly, let me link you to the instructions covered inside the corresponding blog article. In German it was published even in print by c't (Heise.de, the biggest IT magazine here in Germany) and the blog of a security researcher – but you probably prefer it in English, so: Identify modules in apps :smiley:

The lite looks good, I've switched to that for my repo now (effective with the next sync tomorrow). My updater looks for tags following the pattern v<versionName>, which is what the latest release (v4.0.0-alpha) is using. Should you need to change the pattern please let me know, else updates will be missed. You can "make profit" from this by using a different pattern for things you don't want to be picked up for some reason :wink:

TheArtyomMDev commented 2 years ago

Okay, thanks for such essential info!

IzzySoft commented 2 years ago

Gladly, and anytime! Thank YOU for providing the "really free" build variant & APK :heart_eyes:

IzzySoft commented 1 year ago

Looks like we're back with the problem. Somehow v5.0.0 wasn't fetched by my updater, and checking manually just revealed:

Offending libs:
---------------
* Play Services SafetyNet (/com/google/android/gms/safetynet): NonFreeDep,NonFreeNet
* Google Mobile Services (/com/google/android/gms): NonFreeDep
* Google App Engine (/com/google/appengine): NonFreeNet
* Cloud Audit Logs (/com/google/cloud/audit): Tracking
* Google Cloud Logging Client for Java (/com/google/cloud/logging): NonFreeNet
* Firebase (/com/google/firebase): NonFreeNet,NonFreeDep
* firebase-firestore (/com/google/firebase/firestore): NonFreeDep,NonFreeNet

7 offenders.

which makes it ineligible for F-Droid, and even for my repo. Taking a closer look I see why the updater missed it: Did you forget to attach the lite build, @TheArtyomMDev?

Besides, in case it matters: most of the Firebase stuff can be accomplished with free software like appwrite or Supabase – and analytics/crash-logging has FOSS pendants, too :wink: No idea why your app would need SafetyNet, which would be the only thing left then…

IzzySoft commented 1 year ago

@TheArtyomMDev any chance of a fix?

TheArtyomMDev commented 1 year ago

Hi, sorry for not replying for so long (I was quite busy). I consider this project dropped because there isn't anyone using it (as far as I see). If it becomes more popular then probably I will fix this.

IzzySoft commented 1 year ago

Thanks for the update! As the affected version's APK wasn't fetched anyway, it might not be that urgent. For now, I've switched the update checker from daily to monthly for your app. So once you pick up again, please let me know. Also let me know if you should decide to abandon the project altogether (and archive the repo to make that clear).

All the best for you meanwhile!