Wheellog / Wheellog.Android

App for EUC on Android. Various popular unicycle manufacturers are supported.
GNU General Public License v3.0

Trackers and proprietary libraries in the app #372

Closed IzzySoft closed 5 months ago

IzzySoft commented 1 year ago

Description

Wheellog is described as an open source app, yet it comes with 7 non-free libraries, two of which are considered tracking – summing up to 8 libraries not meeting the inclusion criteria of F-Droid or my repository, where your app is listed since 2021-02-28. In my repo, a few deviations are tolerated – but this number is much too far beyond the red line, so I would have to remove your app now.

I understand the need for the Samsung Accessory SDK (for supporting Tizen devices) as well as Connect IQ (for Garmin) – both libraries making a listing at F-Droid.org impossible (as it taints the app which due to this is no longer considered entirely F/LOSS) which could be tolerated in my repo (as such "borderline issues" are one of the reasons for its existence). Same for Android Wear – which unfortunately drags in GMS as a dependency. That would be on the "red line" already.

So may I kindly ask for a build (APK) with the remaining "offenders" (see below) removed? Especially those marked Tracking. For now I've just added 2 more "Anti-Features" (taking effect with the next sync tomorrow) so users are properly warned. But if the number of those "offending libs" cannot be reduced, I'll have to unlist the app.

If you want to keep the current configuration with its APK, that's fine – you could just add a build flavor to produce a "less offensive" APK which I could then pick for my repo.

Thanks for your understanding!

Steps to reproduce

Run a library scanner and find:

Offending libs:
---------------
* Play Install Referrer Library (/com/android/installreferrer): NonFreeDep,NonFreeNet,Tracking
* Connect IQ SDK (/com/garmin/android/connectiq): NonFreeDep
* Android Market (/com/google/android/finsky): NonFreeNet
* Android Wear APIs (/com/google/android/gms/wearable): NonFreeDep
* Google Mobile Services (/com/google/android/gms): NonFreeDep
* Samsung Accessory Service (/com/samsung/accessory): NonFreeDep
* Samsung Accessory SDK (/com/samsung/android/sdk): NonFreeDep
* AppMetrica (/com/yandex/metrica): NonFreeDep,Tracking

8 offenders.

Not needed for the app's functionality:

* Play Install Referrer Library (/com/android/installreferrer): NonFreeDep,NonFreeNet,Tracking
* Android Market (/com/google/android/finsky): NonFreeNet
* AppMetrica (/com/yandex/metrica): NonFreeDep,Tracking

Expected behavior

Above list being much shorter :wink:

Screenshots

n/a

Smartphone model and android version

n/a

EUC model

n/a

Workaround

none

paymicro commented 1 year ago

We don't have the resources to support a separate version. If you have such a desire, you can do it yourself. The whole code is open and something can be removed quite simply. And any person who wears a foil cap can compile their own version and use it. Also, I don't agree with you about the "not needed for the app's functionality" libraries.

IzzySoft commented 1 year ago

Thanks for your response, @paymicro!

> We don't have the resources to support a separate version. If you have such a desire, you can do it yourself.

I understand the resource problem – but not being an Android dev, I unfortunately cannot do so myself :cry:

Those libraries are considered "trackers" by those "foil cap wearers". Apart from that they are not free/libre and depend on non-free services, so they taint your app – and you can never be sure what they really do as you cannot look inside (their source is not open).

Anyway: as I wrote, I understand your resource problem. So maybe this issue can be left open and marked as "help wanted", to hopefully attract (new) contributors to fill this gap? Then instead of removing the app from my repo, I'd add a "banner" to its description with some explanation and link here – again in the hope to attract said contributors.

Assuming your consent, I've just added that note (so it goes live with the next sync in about an hour). Should that not be what you wanted, simply let me know; but then I'll have to remove the app from my repo.

Keeping my :crossed_fingers: we can get this solved. Would be a pity otherwise.

IzzySoft commented 1 year ago

In addition to the above, my scanner now also reports an embedded APK (res/sq.apk) which again contains non-free libraries. While I understand some of the libraries are required by core functionalities of your app, that's not true for all. And while I understand you don't have the resources to maintain a different flavor, an app coming with that many non-free dependencies and even Trackers cannot really be considered free. So I'll unfortunately have to remove your app from my repo now, which is a real pity.

Should you be able to at least reduce those dependencies, just let me know and I'll take a look if I can re-establish the app, which I'll gladly do if conditions allow.

Thanks for your understanding, and all the best for you and your project!

powerofpickle commented 1 year ago

I may be interested in maintaining a FOSS version of the app to submit to F-Droid. @IzzySoft what library scanner are you running?

IzzySoft commented 1 year ago

My own, see Identify modules in apps for some background and hints, and also its variant run by F-Droid. Library definitions are updated regularly, so make sure to fetch their latest version at least once a month :wink:
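
As an added illustration (not IzzySoft's or F-Droid's scanner, and not posted by anyone in this thread): one way a library scan can match the package paths from the scan output above against dex type descriptors, descending into an embedded APK like the one reported earlier. The function names, the `res/inner.apk` entry and the sample APK contents are constructed for the example.

```python
import io
import zipfile

# Package paths and flags copied from the scan output quoted in this issue.
LIB_DEFS = {
    "com/android/installreferrer": ("Play Install Referrer Library", "NonFreeDep,NonFreeNet,Tracking"),
    "com/garmin/android/connectiq": ("Connect IQ SDK", "NonFreeDep"),
    "com/google/android/finsky": ("Android Market", "NonFreeNet"),
    "com/google/android/gms/wearable": ("Android Wear APIs", "NonFreeDep"),
    "com/google/android/gms": ("Google Mobile Services", "NonFreeDep"),
    "com/samsung/accessory": ("Samsung Accessory Service", "NonFreeDep"),
    "com/samsung/android/sdk": ("Samsung Accessory SDK", "NonFreeDep"),
    "com/yandex/metrica": ("AppMetrica", "NonFreeDep,Tracking"),
}

def scan_apk(data, origin="", depth=0):
    """Return {(file, library, flags)} for each definition found in an APK."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        for name in apk.namelist():
            blob = apk.read(name)
            if name.endswith(".dex"):
                for path, (lib, flags) in LIB_DEFS.items():
                    # Dex type descriptors look like "Lcom/yandex/metrica/Foo;".
                    if b"L" + path.encode() + b"/" in blob:
                        hits.add((origin + name, lib, flags))
            elif depth < 2 and zipfile.is_zipfile(io.BytesIO(blob)):
                # An embedded APK can carry libraries the outer dex files lack.
                hits |= scan_apk(blob, origin + name + "!", depth + 1)
    return hits

def build_sample():
    """Constructed test APK: fake dex blobs, one nested inside an inner APK."""
    def make_zip(files):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, content in files.items():
                z.writestr(name, content)
        return buf.getvalue()
    inner = make_zip({"classes.dex": b"\x00Lcom/yandex/metrica/Example;\x00"})
    outer_dex = (b"\x00Lcom/garmin/android/connectiq/Example;\x00"
                 b"Lcom/google/android/gms/wearable/Example;\x00")
    return make_zip({"classes.dex": outer_dex, "res/inner.apk": inner})

if __name__ == "__main__":
    for file, lib, flags in sorted(scan_apk(build_sample())):
        print(f"{file}: {lib} ({flags})")
```

A class under `com/google/android/gms/wearable` matches both the Wear and the GMS definitions, which is why both appear in the reports above.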

thubalek commented 1 year ago

I have a major concern regarding AppMetrica. It has quite a bad reputation.

See https://arstechnica.com/information-technology/2022/03/data-harvesting-code-in-mobile-apps-sends-user-data-to-russias-google and https://www.ft.com/content/c02083b5-8a0a-48e5-b850-831a3e6406bb

thubalek commented 1 year ago

I really appreciate that AppMetrica code was removed in pull request #444.

IzzySoft commented 5 months ago

@palachzzz I guess these remaining ones are needed for the app's functionality then:

Offending libs:
---------------
* Connect IQ SDK (/com/garmin/android/connectiq): NonFreeComp
* Android Wear APIs (/com/google/android/gms/wearable): NonFreeComp
* Google Mobile Services (/com/google/android/gms): NonFreeComp
* Samsung Accessory Service (/com/samsung/accessory): NonFreeComp
* Samsung Accessory SDK (/com/samsung/android/sdk): NonFreeComp

5 offenders.

Not sure about GMS, but the other ones are libraries specific to device vendors and probably required/used to communicate with such devices. Ah, and GMS is dragged in by Wear.

@powerofpickle did you manage to establish a plain FOSS variant? I know that e.g. Gadgetbridge also communicates with Garmin, Pebble, Samsung and other devices without using any proprietary libraries, so resources could probably be found in their repo.