Privacy concerns

[IzzySoft]

We've just received reports about "Tracking", so I've checked your app. And while the initial concern is rather unwarranted (it's opt-in), an on-device-test raised some other concerns:

• fonts are loaded from Google servers. This in fact borderlines tracking. Can you please "inline" those fonts with your app – if they are needed at all?
• even wihout any user activity, and before reaching the Tracking dialog, there are pings all 2 seconds to a server named ackee.mark.vin. Mind to explain what those are for?

Until this issue is solved, we'll have to mark your app with the NonFreeNet Anti-Feature.

[IzzySoft]

PS: reference: https://gitlab.com/fdroid/fdroiddata/-/merge_requests/9767

[licaon-kter]

https://github.com/marchellodev/sharik/blob/2c9305bb2f3eb18c5a216eb7c64675e0e97e96a3/lib/screens/loading.dart#L217-L233 smells like Tracking :(

Good that it's open source and hostable, but it should be disabled completely: https://github.com/electerious/Ackee

[IzzySoft]

Urgs, indeed. So what about that Opt-In dialog (that ping even starts before that)? Is that just cosmetical? Added Tracking as well until solved. I fully agree with @licaon-kter here – especially as screen size is completely irrelevant for file sharing.

[marchellodev]

Yep, sorry, the tracking seems to be enabled by default. But other than that it is possible to disable it

[marchellodev]

I am going to fix the behavior with tracking by default in the next release, for now I am fine with the anti feature :)

My only concern is the Google Fonts, since we support a lot of languages, many of which require custom fonts, If we include all of them, the APK will weight much more, but most of them will not be used.

Is that really that important? Since all Google can see is the IP, and the font name

@IzzySoft @licaon-kter

Thanks!

[IzzySoft]

Thanks in advance for fixing, @marchellodev – but be aware of 2 facts:

• I've added NonFreeNet (Google fonts) and Tracking – the latter will certainly scare some users.
• that ping was still sent after denying Tracking, so something is amiss there.

As for the 3rd point: Google is present in far to many places. So every bit contributes to even more profiling. In other words: Yes, it is "that important". Some users (like me for example) prefer to keep Google out completely, and because of that decided for Google-free devices with F-Droid. We wouldn't like if holes were poked into that.

[marchellodev]

that ping was still sent after denying Tracking, so something is amiss there.

Oh, yes, I can see that now lol. The 'disable tracking' event has effect only after user restarts the app, since the analytics process is already running :). I will fix that.

Speaking of google, will it be ok, if I will host those fonts on my server, and distribute them this way?

[IzzySoft]

Why not including the font with the app? And why does it need a "special font" at all for a sharing app? It's not a "design app" after all. I'd understand that with graphic and text editors, but not with an app having "file sharing" as primary/sole purpose. Keep it simple :smile:

[marchellodev]

It's my baby, and I want it to look pwetty 🥺🥺🥺 And default fonts suck anyways

[licaon-kter]

Since you're not replacing all UI fonts the app will look ...ummm...off somehow? Will look different. Maybe pretty or maybe ugly, eg. Out of place

[IzzySoft]

Don't be so harsh, @licaon-kter :rofl:

@marchellodev you could make that optional, i.e. offer to download the font(s) from your server – and if someone doesn't want that fall back to default fonts. IMHO the most important thing with an app like yours is the sharing works fine, and the UI is intuitive. For those who decided not to download the font(s) and redecide later, there could be an option in settings to (re-)download them. That way you're fully transparent, no Anti-Features are needed, and those feeling extra fonts are needed can still have them.

[opusforlife2]

@marchellodev Trebleshot has been put into maintenance mode, so now I'm looking towards your app for future development. I would like it to provide the same guarantee as Trebleshot, that the app will not use the internet permission for anything other than transferring files that I want to transfer over Wi-Fi Direct.

[marchellodev]

@opusforlife2 You are very welcomed to fork the project then.

While I am very likely to remove analytics at all in the next releases (since it's mostly useless lol), I am not removing google fonts nor embedding all of them (due to app installation size).

I might proxy it through my server, or add a settings button to disable google fonts at all (PRs are welcomed btw :>), but it is not going to be the default behavior (when the app starts for the first time)

[opusforlife2]

or add a settings button to disable google fonts at all

@marchellodev This is perfectly fine. It allows the user to firewall the app, disable the setting, then disable the firewall, leading to the same end result. 👍

[IzzySoft]

Hmpf, wouldn't it be better to prompt the user before downloading, asking whether those downloads are wanted at all – instead of sending the user through hoops? Not everyone is tech-savvy enough to play that Firewall game. And what's more, to do so one must know in advance. A simple dialog would solve that.

[opusforlife2]

Ah, yes, I didn't think about that. A prompt that simply states: "Downloading Google Fonts is highly recommended for better looking UI. Download? Yes No"

[IzzySoft]

That sounds perfect! Even more perfect if the download is proxied via a "neutral server" :smiley:

[opusforlife2]

@marchellodev Pweeeeez? (づ￣ ³￣)づ

[marchellodev]

@opusforlife2 give me some time :>

[clicky6]

@opusforlife2 & @IzzySoft, Just wanted a general advice, Can you tell Best firewall in Android that doesn't do any data collection etc. things...

[licaon-kter]

@clicky6 not the place, but try Netguard :)

[clicky6]

@licaon-kter, It is somewhat freeware any other suggestion...

[agharbeia]

Regarding fonts, is it possible to subset the needed glyphs, as can be done on the web and PDF, for example? And in reference to the optional downloading of Google fonts via a neutral server, perhaps you can find insights in the Decentralize Firefox extension.

[a-pav]

While you are concerning yourself with fonts, translations and the beauty of your app, there's Warpinator for Android with only ~7MB in package size and no Anti-Features whatsoever. Your app is more intuitive, though. And the fact that only the sender has to have the app installed is a plus.

When I first learned about SHARIK I thought I finally found the FLOSS replacement for SHAREit, the ad-ridden, privacy invasive, chinese spyware which has possibly billion(s) of installations. Later I got disappointed because the author, despite creating a worthy brand, clearly isn't much concerned with those type of issues.

I'm afraid I'll be using and recommending Warpinator to family and friends for the time being.