christianrowlands / android-network-survey

Cellular Survey Android App
https://www.networksurvey.app
Apache License 2.0
131 stars 25 forks

Antifeatures at izzy's repo don't seem to match this repo's README #20

Closed gdt closed 1 year ago

gdt commented 1 year ago

Reading the description here, I don't see a hint of non-Free dependencies or of sending data anyplace (other than the user configuring gRPC or MQTT, which seems fine). But the entry at Izzy's repo shows NonFreeDep and Tracking.

This issue is a bug report that one cannot understand the situation from looking at the README in the sources.

christianrowlands commented 1 year ago

Thanks for bringing this up.

The tracking bullet will be removed with the next version. There was a false positive in the APK scanning that I fixed a few days back, and will be in the next release.

As for the non-free dependencies, I am not sure why that is in there. I will coordinate with Izzy and see why that is being called out.

christianrowlands commented 1 year ago

@IzzySoft , Following are the anti-features listed in IzzyOnDroid

NonFreeDep: The application depends on a non-free application (usually Google Services) – i.e. it requires it to be installed on the device, but does not include it.
NonFreeNet: This application promotes or entirely depends on a non-Free network service.

Do you have any details on why this was hit? The only thing I can think of is I am using the Play Services Location library to get the Fused location (GNSS and Network based) for CDR now. However, that is not a paid service so that is probably not it.

IzzySoft commented 1 year ago

Do you have any details on why this was hit?

Sure. Scroll down to the packages and open the library list. Watch out for symbols marking the anti-features. Basically you already named the culprit:

The only thing I can think of is I am using the Play Services Location library

Now guess what that might drag in? Itself already being NonFreeNet (I guess; it's not marked such as it's "aggregated" into the GMS framework), it depends on GMS which is NonFreeDep. That said, let me look at the library section now: oops, too long for a proper screenshot, so in words: "Google Mobile Services" Ⓓ, "Cloud Audit Logs" Ⓣ (funny, what did raise the Ⓝ in the past? Still applies to the "Cloud Audit Logs" though not explicitly marked).

implementation 'com.google.android.gms:play-services-location:21.0.1'

Things starting with com.google.android.gms. are almost always NonFreeDep. To my knowledge, there was only a single exception – and I cannot even remember which that was…

that is not a paid service so that is probably not it.

Hehe, the common "error-in-thought": non-free does not mean "paid", it means "not libre" (i.e. "free" as in "freedom"). Closed source, walled garden. A paid F/LOSS library/tool would not even raise the flag :wink:

christianrowlands commented 1 year ago

Ahh, ok. Thanks for the information. I should be able to swap out the use of that library with just the general location provider. I used it because it provided some nice features, but I should be able to get around it.

IzzySoft commented 1 year ago

Thanks! That should then get rid of the two NonFreeBees.

gdt commented 1 year ago

Also, the Play services location library is unusable on AOSP devices without microG. As I understand it, the AOSP location API has both precise (GPS) and "network", and with microG you can have backends to resolve the network requests, perhaps on device.

Thanks very much for being willing to move towards a fully-Libre approach.

christianrowlands commented 1 year ago

I went ahead and removed the Play Service Location library and committed the change just now. I will cut a new version this weekend after some testing. I also saw a couple places the app could crash in edge cases so I want to fix those quickly as well. I will post here once I publish a new version.

christianrowlands commented 1 year ago

I released a new version yesterday (version 1.12) and tracking and Non-Free are still showing up in the listing. When I look in the APK I am not seeing the previous offenders. Are you able to restart the scanning to see if the UI is stuck or something? @IzzySoft

IzzySoft commented 1 year ago

@christianrowlands have you seen the library section for the APK?


I can certainly remove the NonFreeDep now (done; that doesn't remove itself automatically nor alert me as it, like NonFreeNet, cannot clearly be told based on libraries).

Offending libs:
---------------
* Cloud Audit Logs (/com/google/cloud/audit): Tracking
* Google Cloud Logging Client for Java (/com/google/cloud/logging): NonFreeNet

2 offenders.

Didn't you say you had that one removed? Seems to still be there.

gdt commented 1 year ago

What does Google Cloud Logging Client for Java do? It appears to be a way to basically call log(foo) locally and have that end up Someplace Else. That would seem to merit Tracking in most uses, but I may be missing something.

christianrowlands commented 1 year ago

@gdt , I think Google Cloud Logging Client for Java would do exactly that. However, I am not using that at all.

@IzzySoft I thought I excluded those libraries as well. I even looked in the APK before I uploaded it and I don't see anything. Running a ./gradlew networksurvey:dependencies against the repo also shows that the library is gone. Here is a comparison of 1.11 vs 1.12 which shows the removal of some of the GMS stuff and the audit_log.proto file:


I downloaded 1.12 straight from your website to rule out me accidentally posting the wrong version.

My thought is that either somehow it is slipping in from another dependency, or the scan results from your repo need a kick start to refresh. If it is slipping in from another dependency I would expect that the ./gradlew networksurvey:dependencies would show those libraries in the result, but I am not seeing it (I could be missing it because maybe it shows up under a different name).

I will keep digging on my side, but is there a way to refresh the APK scan on your side just to be sure?

IzzySoft commented 1 year ago

My thought is that either somehow it is slipping in from another dependency

That is my suspicion, too. Could you please run gradle :app:dependencies to find out which one might be the culprit (not sure if that's the same as what you already executed – I'm no Android dev, so I can only "quote my notes")?

or the scan results from your repo need a kick start to refresh

Unlikely. Scan takes place immediately after download of the APK and before the index is built – so what you see definitely reflects the APK. So apart from "false positives" (e.g. due to stubs), this should be correct.

I use Apktool from iBotPeaches to get the smali – and that's where the library shows up. I can only tell it's "in there", not what brought it in…

is there a way to refresh the APK scan on your side just to be sure?

I can do that, but I don't expect a different outcome from doing it a third time (see my post above, I already did that manually to confirm). How did Einstein put it: "Insanity is doing the same thing over and over again and expecting different results." :speak_no_evil: But to leave no doubt:

$ iod shell scanapk com.craxiom.networksurvey_45.apk
..
Offending libs:
---------------
* Cloud Audit Logs (/com/google/cloud/audit): Tracking
* Google Cloud Logging Client for Java (/com/google/cloud/logging): NonFreeNet

2 offenders.

$ aapt d badging com.craxiom.networksurvey_45.apk |head -n 1
package: name='com.craxiom.networksurvey' versionCode='45' versionName='1.12' platformBuildVersionName='13' platformBuildVersionCode='33' compileSdkVersion='33' compileSdkVersionCodename='13'

christianrowlands commented 1 year ago

🤦 My bad. I missed that you already re-ran your apk scan. Sorry about that.

I spent some time yesterday trying to figure out where these two libraries are coming from. The gradle :app:dependencies is the same as ./gradlew :networksurvey:dependencies. I renamed the app to networksurvey when I first created this repo, and I regret it. I should have left it app. Anyway, when I ran that I searched the output for audit, cloud, and logging, and nothing comes up. google comes up a lot, but those all look like the expected libs.

When I run ./gradlew networksurvey:dependencies | grep 'audit\|cloud\|logging' I don't get a single hit.

However, when running apktool against the apk, I do see that in the smali directory there are some Google Cloud Audit classes. I am still not sure how those are getting in there because I would have expected the gradle dependencies command to show the tree, but now I have something to go off of and check on my side so I will figure it out.

Thank you for being patient with me. Sometimes it takes me a minute to catch up.

IzzySoft commented 1 year ago

My bad. I missed that you already re-ran your apk scan. Sorry about that.

No prob. Though most of my framework is available in a git repo covered by a FOSS license, I guess I'm the only one deeply familiar with it. So how should you know when exactly which scanner is run without diving into my code? :smile:

and nothing comes up

That's very strange. As you didn't add it explicitly, something must have dragged it in – and that should have shown up at this point.

However, when running apktool against the apk, I do see that in the smali directory there are some Google Cloud Audit classes.

Yupp, that's where my scanner got it from.

but now I have something to go off of and check on my side so I will figure it out.

That sounds promising! I keep my :crossed_fingers: then!

Thank you for being patient with me.

Eh, I have to thank you for your patience and for digging into it! Takes quite some time I see, so let me tell you it's much appreciated you do so!

christianrowlands commented 1 year ago

I think I got it. https://github.com/christianrowlands/android-network-survey/commit/3ab5122534cb03c624f74d1a215ee01ced2b635f

It will come out in the next release, which probably won't be for a couple weeks. I have some CSV file logging work I want to finish first.

Thanks again for all the help. Hopefully this is the last library.

IzzySoft commented 1 year ago

implementation("io.grpc:grpc-protobuf:${grpcVersion}") {

Argh, yesyesyes! Now that I see that I remember having heard exactly this before (grpc-protobuf needing an exclude group to not drag in unwanted dependencies). Thanks for linking to that diff! Updated the corresponding section in my F-Droid snippet right away before forgetting about it again.

It will come out in the next release, which probably won't be for a couple weeks.

No prob; maybe just give me a ping so I check then ASAP to (hopefully) remove that last anti-feature. And best success for that pending feature!

Thanks again for all the help. Hopefully this is the last library.

Gladly done – and I share your hope! :smile:
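The empty grep above and the grpc-protobuf exclude that fixed it both come down to reading the same dependency tree. The following is an added example (not code from this thread or from the Network Survey project) that parses `./gradlew :app:dependencies` output and reports which declared dependency pulls a given artifact in. It runs on a constructed sample tree, not the app's real one, and assumes the flagged classes ship in `com.google.api.grpc:proto-google-common-protos`, a transitive dependency of `grpc-protobuf`; that artifact name contains none of the words "audit", "cloud" or "logging", which is why a grep for them finds nothing.

```python
import re

# Constructed sample of `./gradlew :app:dependencies` output (not the project's real tree).
SAMPLE_TREE = r"""
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- io.grpc:grpc-protobuf:1.57.2
|    +--- io.grpc:grpc-api:1.57.2
|    +--- com.google.protobuf:protobuf-java:3.22.3
|    \--- com.google.api.grpc:proto-google-common-protos:2.22.0
|         \--- com.google.protobuf:protobuf-java:3.22.3 (*)
+--- io.grpc:grpc-okhttp:1.57.2
|    \--- io.grpc:grpc-api:1.57.2
\--- org.eclipse.paho:org.eclipse.paho.client.mqttv3:1.2.5
(*) - Indicates repeated occurrences of a transitive dependency subtree.
"""

# One tree node: "|    " guides, then "+--- " or "\--- ", then group:name:version.
NODE_RE = re.compile(r"^(?P<guide>[|\s]*)[+\\]--- (?P<coord>\S+)")

def parse_tree(report):
    """Yield (coordinate, ancestor_chain) for every node in a Gradle dependency report."""
    ancestors = []  # coordinates of the nodes above the current line, indexed by depth
    for line in report.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue  # configuration headers, legend, blank lines
        depth = len(m.group("guide")) // 5  # each nesting level is 5 characters wide
        del ancestors[depth:]
        yield m.group("coord"), tuple(ancestors)
        ancestors.append(m.group("coord"))

def find_culprits(report, pattern):
    """Return each artifact whose coordinate matches pattern, together with the
    declared (top-level) dependency that pulled it in and the full path to it."""
    rx = re.compile(pattern)
    hits = []
    for coord, chain in parse_tree(report):
        if rx.search(coord):
            hits.append({"artifact": coord,
                         "declared_by": chain[0] if chain else coord,
                         "chain": chain + (coord,)})
    return hits

def exclude_snippet(hit):
    """Gradle (Groovy DSL) exclusion to attach to the declaration that drags the artifact in."""
    group, module, _version = hit["artifact"].split(":")
    return (f"implementation('{hit['declared_by']}') {{\n"
            f"    exclude group: '{group}', module: '{module}'\n}}")
```

Searching for `audit|cloud|logging` returns no hits on this tree, while searching for `common-protos` returns the chain grpc-protobuf -> proto-google-common-protos and the exclude block to add to that declaration.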

christianrowlands commented 1 year ago

I found a bug with requesting Bluetooth permission that I wanted to get out, so I figured between the two changes it was worth pushing out a release. I just now published it. Hopefully the scan that kicks off will be clean!

I will keep an eye on the listing to see the result.

gdt commented 1 year ago

I've been just reading along, but I wanted to say thank you for taking this seriously. I have long felt that open source code, because of its social construction, is far more likely to be trustworthy, and cleaning up trackers is very much part of that.

IzzySoft commented 1 year ago

Hopefully the scan that kicks off will be clean!

It does, congrats!

No offending libs found.

Congrats, and muchas gracias! Good thing I triggered the updater manually, so I could remove the AFs in time as well. With the next sync around 7 pm UTC, Network Survey should show up clean in my repo :partying_face:

christianrowlands commented 1 year ago

Thanks! I am glad to hear that.

I will keep an eye out for offending libs as I add new features.

I appreciate all the help!

IzzySoft commented 1 year ago

You're welcome anytime! If you wish, you can use my library scanner yourself (some projects have integrated it into their workflows, e.g. running it via CI when preparing releases, F-Droid uses it with its IssueBot scanning RFPs and MRs), it's FOSS and thus freely available. For an intro & some instructions, see my article Identify modules in apps.