michaldrabik / showly

Showly is a modern and slick Movies and TV Shows manager.
http://www.showlyapp.com
GNU General Public License v3.0

Trackers #537

Open Donkey-Doug opened 3 years ago

Donkey-Doug commented 3 years ago

The app contains the following trackers

Is it maybe possible to remove these?

michaldrabik commented 3 years ago

@Donkey-Doug Not planning on removing those as they are 2 main tools that help with tracking bugs and gather basic statistics which help me fix and improve the app. These SDKs are well known and used in basically every app so nothing to be afraid of.

Donkey-Doug commented 3 years ago

> @Donkey-Doug Not planning on removing those as they are 2 main tools that help with tracking bugs and gather basic statistics which help me fix and improve the app. These SDKs are well known and used in basically every app so nothing to be afraid of.

What about a FOSS alternative, ACRA? https://github.com/ACRA/acra

michaldrabik commented 3 years ago

Never heard of it but might be worth looking into in the future. At the moment if you wish I can prepare an APK for you with all the Google stuff removed.

Donkey-Doug commented 3 years ago

You do not need to remove trackers for me specifically. I just wanted to help the community. Hope to see showly on fdroid some day.

You could add the app in its current state to izzydroid fdroid repo however. See: https://gitlab.com/IzzyOnDroid/repo

Requirements: The app

I already opened an issue: https://gitlab.com/IzzyOnDroid/repo/-/issues/194

IzzySoft commented 3 years ago

> At the moment if you wish I can prepare an APK for you with all the Google stuff removed.

That would be great, and I'd then gladly accept that into my repo. If you'd attach those APKs to their corresponding releases, can you please make sure the file name contains a part I can match on? For example, app-release-foss.apk (as without all the Google stuff, it would be foss :wink:)?

For completeness, this is what my library scanner currently complains about:

```
Offending libs:
---------------
* BillingClient (/com/android/billingclient): NonFreeDep,NonFreeNet
* Crashlytics (/com/crashlytics): Tracking
* Firebase Data Transport (/com/google/android/datatransport): NonFreeNet
* Google Mobile Services (/com/google/android/gms): NonFreeDep
* Google Play Core (/com/google/android/play/core): NonFreeNet,NonFreeDep
* Firebase (/com/google/firebase): NonFreeNet,NonFreeDep
* Firebase Analytics (/com/google/firebase/analytics): Tracking

7 offenders.
```

IzzySoft commented 2 years ago

So any chance you'll implement your promise, @michaldrabik? Else I'll have to close the request for inclusion with my repo, as the number of offending libraries exceeds the maximum tolerated.

As you wrote, those SDKs are well known – especially by privacy researchers and proponents where they always raise at least one eyebrow if not both, and so there's indeed reason to be afraid of them especially because they are present in so many apps (about every 2nd app uses at least one of them, so a lot of data from different apps accumulate at a single place and make the users quite transparent in terms of what apps they use, how they use them, when, where etc.pp.)

To put it a bit into the extreme: replace "SDK" by "weapon" and "app" by "soldier", then read your sentence again – and you might feel what we privacy-folk feel. Just being wide-spread doesn't make a thing safe or less worrisome :wink:

IzzySoft commented 2 years ago

As this is open for 8 months now, and still unclear if it will be addressed (the currently latest release still has the trackers, and my question on this was still not answered), I'll now have to close the inclusion request with a "decline". Should this one day be fixed, please give me a ping and I can check again. Thanks!

BradNut commented 1 year ago

@michaldrabik Any update on removing the trackers from the app so it can be included in other repos like F-Droid or @IzzySoft?

Just wondering given no update and the README still claims "soon also on F-Droid".

1RandomDev commented 1 year ago

Since there doesn't seem to be any activity I created a FOSS fork of the app myself. Because this version uses a lot of Google Services it's probably really difficult to make one project that can be built with and without proprietary software. If someone is interested, the project can be found here: https://github.com/1RandomDev/showly-oss

IzzySoft commented 1 year ago

Thanks @1RandomDev! I took the freedom to immediately integrate it with my repo – should show up here with the next sync around 6 pm UTC :smiley: Updates as usual within 24h of your creating a tag and attaching the APK to it. Should you need some details updated, just give me a ping.

1RandomDev commented 1 year ago

Nice, maybe you should add to the description that Push Notifications and Billing are not working since I removed all Firebase and Google Play libraries.

IzzySoft commented 1 year ago

I don't think it needs mentioning that there's no billing :wink: As for notifications: what are those for in the non-free build? Maybe @michaldrabik could be convinced to switch to UnifiedPush (and have the FirebaseDistributor integrated with the PlayStore build so folks there wouldn't even notice the difference)?

1RandomDev commented 1 year ago

I have no clue what the push notifications do. I never got one on my phone. Looks like it's just subscribing to the general and shows channel and showing everything that gets sent to them https://github.com/michaldrabik/showly-2.0/blob/5beb8db4570abf9a872e685425e6571c263bcd0e/app/src/main/java/com/michaldrabik/showly2/ui/main/cases/MainInitialsCase.kt#L55

IzzySoft commented 1 year ago

Well, if you never got one, nothing is missing now, right? :see_no_evil:

michaldrabik commented 1 year ago

Firebase based notifications have only been added for sending some notifications globally. For example general information about Trakt servers problems or whatever.

Shows channel was meant for some global notifications about shows/movies etc. but in reality it's not used at all.

michaldrabik commented 1 year ago

@1RandomDev I'm OK with the fork but I would like the OSS version to not have any of the premium features available then. This means also removing hidden option of unlocking after multiple clicks.

It should just inform that premium features are only available in PlayStore version and that's it.

1RandomDev commented 1 year ago

@michaldrabik okay I can remove the setting. I'm sure most members of the FOSS community are programmers anyway and will find a way of restoring premium functionalities after paying for the app in the play store.

michaldrabik commented 1 year ago

@1RandomDev Naturally. Just don't want this kind of variant to be sitting out there for everybody to download.

rollingmoai commented 1 year ago

> @1RandomDev Naturally. Just don't want this kind of variant to be sitting out there for everybody to download.

Not like the average Android user will actively try to find a FOSS variant that is not in the Play Store. Librera Reader is an example of an app that has a pro version in the Play Store that is completely free on GitHub.

BradNut commented 1 year ago

@rollingmoai And the same can be said about many other apps that exist both as FOSS and paid Play Store. Another example being some Simple Mobile Tools Apps where you have the Simple Gallery Pro Play Store and completely free on GitHub and published to F-Droid.

McBaumwolle commented 1 month ago

At least for users in the EU there needs to be an option to disable these analytics (GDPR) and for users located in Germany the TDDDG requires informed consent - Thunderbird Mobile recently had this issue (link in German) and removed them completely until further notice.

Such access to end devices for the purposes of (web) analysis, market research and any form of advertising without informed consent is not permitted under Section 25 (1) TDDDG.

This basically means that the user must be given the option to turn this on or off when the app is first started and at all times somewhere in the settings. This applies even if the application does not send a unique device ID, and even if it sends basic information such as model or screen size - what the three Google services track I do not know.

For legal reasons I think @michaldrabik should look into this, Germans love their laws. :laughing:

IzzySoft commented 1 month ago

> This basically means that the user must be given the option to turn this on or off when the app is first started

Even stronger: they must be asked for permission before it's turned ON – so OFF must be the default. :man_shrugging:

michaldrabik commented 1 month ago

@IzzySoft @McBaumwolle Thanks, I do have it logged to implement, should do it finally.

> This basically means that the user must be given the option to turn this on or off when the app is first started

I wonder, is this part Germany-specific?

michaldrabik commented 1 month ago

Oh and this only affects PlayStore version. For GitHub there are no trackers at all anymore.

McBaumwolle commented 1 month ago

The 'Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz' (TDDDG, we love German law names) or 'Telecommunications Telemedia Data Protection Act' (TTDSG) is a German law that specifies some things the GDPR does not - I think.

~And I thought the F-Droid version also has tracking? Or are the releases on GitHub different, aka without telemetry?~

The OSS version available in this repo is completely free of all Google services.

Oh, never mind, I did not see that, so I'll stick to that. Nevertheless, the Play Store version should respect the TTDSG and GDPR. And unfortunately the GitHub version does not offer (an option to buy) premium options. :/

Edit: @michaldrabik oh didn't see the question, but I think the TTDSG is only affecting German users.

Aeris1One commented 4 weeks ago

GDPR mandates the same, though it is less clearly formulated. The Thunderbird issue sent above shows it pretty clearly. So at least it is an EU-wide thing (+ some countries which have a GDPR clone like China).

Also, I do think asking people before collecting data is way more ethical than collecting without consent, so that's a great thing to do regardless of what law applies.

michaldrabik commented 4 weeks ago

@Aeris1One Makes sense. Even if all data and crash reports in PlayStore version are fully anonymous ofc. Will be adding relevant settings in next release.

Aeris1One commented 4 weeks ago

In fact they are not that anonymous, even if there isn't the user's real name in the crash report. They often contain install ID, and even if they do not, it is possible to correlate data (like phone model + language + timezone + date of install + ...) to create a unique user profile (fingerprinting).

If fingerprinting is possible, even if it's purely theoretical and not done in practice, collected data are considered by GDPR as PII and all GDPR rules apply.

I really thank you for taking the time to add those settings :)
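
The correlation argument in the comment above, as an added example that is not part of the original thread or of Showly's code: it measures, over constructed crash reports that carry no name and no install ID, how large the group sharing each field combination is and how many reports become unique once fields are combined. The field names and all sample values are assumptions made for illustration.

```python
from collections import Counter
from itertools import combinations

# Quasi-identifiers of the kind listed in the comment (names are assumptions).
FIELDS = ("model", "language", "timezone", "install_date")

# Constructed sample reports: no user name, no install ID.
ROWS = [
    ("Pixel 6",    "de", "Europe/Berlin", "2023-04-02"),
    ("Pixel 6",    "de", "Europe/Berlin", "2023-04-09"),
    ("Pixel 6",    "en", "Europe/London", "2023-04-02"),
    ("Galaxy S21", "de", "Europe/Berlin", "2023-04-02"),
    ("Galaxy S21", "en", "Europe/London", "2023-04-09"),
    ("Galaxy S21", "en", "Europe/London", "2023-04-02"),
    ("Pixel 6",    "en", "Europe/London", "2023-04-09"),
    ("Galaxy S21", "de", "Europe/Berlin", "2023-04-09"),
]
REPORTS = [dict(zip(FIELDS, row)) for row in ROWS]


def anonymity_sets(reports, fields):
    """Count how many reports share each combination of values for `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in reports)


def k_anonymity(reports, fields):
    """Size of the smallest group; k == 1 means some report is singled out."""
    return min(anonymity_sets(reports, fields).values())


def unique_fraction(reports, fields):
    """Fraction of reports whose value combination occurs exactly once."""
    sets = anonymity_sets(reports, fields)
    alone = sum(1 for r in reports if sets[tuple(r[f] for f in fields)] == 1)
    return alone / len(reports)


def worst_case_by_field_count(reports, fields=FIELDS):
    """For n = 1..len(fields): highest unique fraction over any n combined fields."""
    return {
        n: max(unique_fraction(reports, combo) for combo in combinations(fields, n))
        for n in range(1, len(fields) + 1)
    }


if __name__ == "__main__":
    for n, frac in worst_case_by_field_count(REPORTS).items():
        print(f"{n} field(s) combined: up to {frac:.0%} of reports unique")
```

In this sample every single field, and every pair of fields, leaves each report in a group of at least two, yet three combined fields are enough to make every report unique.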

McBaumwolle commented 4 weeks ago

I agree - many apps simply do not care and collect anyway, so this is really nice! On the other hand, I am aware how useful crash reports are, so maybe a splash screen with something like "want to help improve the app?" when first starting (after the update) would be interesting.