Remove MapBox Tracker from F-Droid Android App

element-hq / element-android

A Matrix collaboration client for Android.

https://element.io/

GNU Affero General Public License v3.0

3.34k stars 709 forks source link

Remove MapBox Tracker from F-Droid Android App #8300

Closed marek22k closed 1 year ago

marek22k commented 1 year ago

Steps to reproduce

Install element from F-Droid, use a tracker scanner like Warden. Screenshot_20230403-162225_1

Outcome

What did you expect?

No trackers

What happened instead?

MapBox Tracker

Your phone model

FP4

Operating system version

CalyxOS 4.7.5 Android 13

Application version and app store

1.5.28 F-Droid

Johennes commented 1 year ago

German forum post from the Threema community about the same issue in their app: https://threema-forum.de/index.php?thread/7215-logger-und-tracker-der-threema-app/

Looks like it can be turned off with an SDK setting: https://github.com/threema-ch/threema-android/blob/29816f75fbbce6b6491ddd13366772d9f8ae9c55/app/src/main/java/ch/threema/app/ThreemaApplication.java#L974-L979

julioromano commented 1 year ago

It seems a false positive, Warden will trigger that warning whenever it sees com.mapbox.mapboxsdk in an app's classpath. The Warden check is here: https://gitlab.com/AuroraOSS/AppWarden/-/blob/master/app/src/main/assets/trackers.json#L1460

Thing is we don't use MapBox in Element Android. We use MapLibre which is a fork of MapBox which, among other things, removes the telemetry code. MapLibre still uses the same package names from MapBox so Warden will trigger a warning because that classpath is actually there. But there's actually no telemetry in the source.

marek22k commented 1 year ago

Thanks for the answer!

julioromano commented 1 year ago

Filed this to report the false positive: https://gitlab.com/AuroraOSS/AppWarden/-/issues/25