Closed Perflyst closed 5 years ago
This is not true!
Please have a look at https://github.com/nilsbraden/ttrss-reader-fork/blob/master/ttrssreader/src/main/java/org/ttrssreader/controllers/Controller.java#L354 where the URL for downloading the icon is generated. It is constructed by using the base URL of your server, adding the icon folder and the feed-ID. No other Servers are called at all.
Thanks for the reply. I can see DNS queries to the domains of subscribed feeds, I did not analyzed further but there are at least data-leaking DNS queries.
Ah I see. Ok since they don't originate from fetching the icons we should investigate further. It might be some part of the android webview does it or I don't know. Can you pinpoint the exact time where they happen and acquire logfiles with adb?
The DNS query does not leak the data to the feed server but it leaks the information that you access feedserver.com to your DNS server.
I will try to get logcat informations.
Monitored with Net Monitor I can see https connections to the feed servers. I cleary notice that if I click on a feed a new connection to the feed server is made. It is HTTPS encrypted so I cannot see if it is the icon or something else.
Logcat is here:
Oh dear. You're on the wrong project page. I just noticed there is no FeedsFragment in my project, please have a look at this line:
HeadlinesFragment: onCreateView, feed=org.fox.ttrss.types.Feed@658e0a
Youre looking for this project: https://github.com/abelgomez/tt-rss-android
Currently this app leaks IP address, useragent etc to each feed's server. This is because the images of the previews are downloaded directly from them.
Please proxy the images either through tt-rss or provide an option to disable image previews (or just block connections to anything else except the tt-rss instance domain)