brandonp2412 / FitBook

Track your calorie intake - Completely offline
MIT License

Location access not requested by the app, but seemingly (according to app sandbox) it is queried? #3

Closed shaneutt closed 4 weeks ago

shaneutt commented 1 month ago

Hello :wave:

First off: a huge thank you for creating this app. Several weeks ago I was desiring an OSS, privacy-focused and offline-capable calorie counting app but never found time to get started. Then recently I noticed this app on F-Droid and I'm greatly appreciative that you've taken the time to build and maintain this, thank you! :bow:

I have been digging through the code and the app to see if there are ways I might be able to help contribute. As part of digging in, I ran one of the F-Droid release APKs through VirusTotal. Here's a sample of results:

https://www.virustotal.com/gui/file/95ff906b5e4cedd167c35d57268c3ccd5785bb08db1d65f45cceae0c44948640

So I noticed on F-Droid that the app asks for no permissions, but in a behavior check for the app using Zenbox Android I noticed that the analyzer indicates that location data was queried by the app:


Note: The full report is available by clicking "Full Reports" on the behavior page.

Given the location permission isn't requested, and on a quick scan I didn't find anywhere in the app code that seems interested in location, my first assumption was that this is either: a false positive of some kind; or perhaps some kind of left-behind thing that Flutter is responsible for? I'm completely unfamiliar with Flutter so I thought I would stop and ask, very curious as to your thoughts.

brandonp2412 commented 1 month ago

One of the three letter agency glow boys must be up to no good again

shaneutt commented 1 month ago

One of the three letter agency glow boys must be up to no good again

:joy: hahaha what does this mean lol

brandonp2412 commented 1 month ago

The CIA are trying to sabotage us

brandonp2412 commented 1 month ago

No, but seriously, I don't know anything about Flutter or any of my dependencies querying for location. It's probably a false positive.

I had experience with Massive requesting internet access because of some third-party dependency pointlessly doing it (I think it was for a dark/light mode or something dumb). But I think F-Droid is pretty thorough on testing these things, so I'd imagine you got a false positive.

Check if these queries happen in other versions of FitBook or if it's just the latest one.

shaneutt commented 4 weeks ago

Sounds good, here are the three most recent releases after the latest release from F-Droid:

All of these releases appear to exhibit the behavior? I also noticed that F-Droid is a bit behind on releases, so I pulled the latest 1.0.19 you released this morning straight from the GitHub releases for good measure:

So in the "Full Reports" table all of these seem to trigger "Queries the phone's location (GPS)". After having had a bit more time to review some of the code, it's not clear to me where this is coming from.

I then went on to test The Simple Text Editor App (from F-Droid), and this app, despite being extremely tiny and the source code seeming to want nothing to do with location, also exhibits the behavior:

https://www.virustotal.com/gui/file/1cf948f09645710627aa83abcaacc20dd9bef7e9ada8fb44f49fba27e16d066d/behavior

This app doesn't use Flutter either; from what I can tell it's just a straight-up Java Android app. I tested a few more random apps that are tiny, and I've yet to find one that doesn't trigger this check, so this seems to suggest that my first guess (that this is a false positive of some sort) is probably right.

I'm no Android expert. It would seem I might need to dig in pretty deep and perhaps check in with the VirusTotal folks to see how that test is conducted to understand it better. My curiosity on this has actually been piqued, and I kinda wanna dig in deeper, but it doesn't seem that from the FitBook perspective there's anything actionable here, so I'll close this for now. Thanks for your consideration and taking a look at this with me; if I do learn more, I'll be sure to share! Hopefully you found this interesting if nothing else, like I did (and if not, sorry for the noise!).