quran / quran_android

a quran reading application for android
http://android.quran.com
GNU General Public License v3.0

App trackers found on the Quran app. #2286

Open Taratect opened 1 year ago

Taratect commented 1 year ago

Are the developers aware that the app contains google trackers? https://reports.exodus-privacy.eu.org/en/reports/com.quran.labs.androidquran/latest/

I'm terribly put off by knowing the fact that Google has the ability to know when I read the words of my Lord, which is supposed to be extremely personal, and that this is being used to make money off selling to data brokers at the expense of my privacy.

I really liked the app and frankly I'm disappointed. So, I'd really appreciate it if you guys would remove such intrusive code from your app. These types of trackers have no place in apps used for prayers and duas.

ahmedre commented 1 year ago

Salam 3alaikum,

as the link you sent mentions, we use two Google services:

We use Crashlytics to report crashes - anytime the application crashes, it lets us know that a crash happened, along with where in the code it happened. None of the developers have any way to tie this crash to a particular person. It literally is just the part of our code (line number and class name) where the crash occurred, plus any generic metadata we add to it.

We use Firebase Analytics to gather anonymous analytics on things like "how many people enable this setting" or "how many people use translation view in line versus the full screen translation view" in order to make decisions (if I remove this feature, will people be really upset? or I expect more people would be using this feature, why aren't people using it? is there a problem or does it need to be more obvious?) Again, even in this case, we have no way of tying this back to you. I get aggregate numbers.

Both Crashlytics and Firebase Analytics give developers an option to "tie data to a userid" for example - so applications that require a log in typically use this and can link this information back to you personally (i.e. "I know person with email x@y.com clicked this link and used the app for z minutes," etc). We don't do that.

We've thought about replacing Crashlytics with Bugsnag at some point, but even if we did so, it'd still show up as a tracker, even though again we're just using it for crash reporting.

In summary, we're building this app for the sake of Allah - not to profit from you directly or indirectly (i.e. there's no "this app is free but we make money from ads so the more ads you click the more money we make), and we don't gather user data so we don't have anything to sell. Everything we collect is anonymous for the purposes of making the app better and I can't tie it back to you.

If this bothers you, please consider building from source, we've provided a flag to disable Firebase for those cases, or use the version from F-Droid, since that one has those disabled.

jazakumAllah khairan.

Taratect commented 1 year ago

I get what you're trying to say, but the anonymized data still ends up on Google servers waiting to be aggregated. It would be nice if you guys could explore other alternatives which are privacy-friendly analytics, like Matomo or Plausible for example, sometime in the future.

Anyways, do you guys have the app on F-Droid? I have searched it up & got no results. Which repo is it? Could you provide me the link?

ahmedre commented 1 year ago

happy to consider one of those in sha' Allah if they have good mobile SDKs.

My fault, I misspoke - I think it's not there yet due to #755. I think I should be able to get a build for them that disables Crashlytics in the same way we disable Firebase Analytics now. Can try to prioritize this in sha' Allah for people to be able to get the apk from F-Droid if they don't want the anonymous events.

Taratect commented 1 year ago

It would be great if you could build for F-Droid without the trackers. I'd like to do this myself but I'm not confident enough to build one because I'm really new to programming.

I have no further issue. Will I close this issue or keep it open for future reference?

IzzySoft commented 1 year ago

> We use Crashlytics to report crashes

> None of the developers have any way to tie this crash to a particular person.

Google has.

> We use Firebase Analytics to gather anonymous analytics on things like

Same thing. For that, you could e.g. use a self-hosted Sentry.io or Swetrix.

> but even if we did so, it'd still show up as a tracker,

Most likely true for Exodus. With the listing in my repo, they can be white-listed if they are opt-in (does not apply to proprietary ones like Crashlytics or Firebase, as with those you cannot really prove everything is "off by default").

> we're building this app for the sake of Allah

We fully believe you – but we cannot trust Google & Co here as they abused that trust more than once (e.g. "location tracking is off" only means "we don't show it to you", as the case has proven).

> please consider building from source

Not everybody is a developer or has the required setup. And as for "turned off", see the paragraph above.

Taratect commented 8 months ago

Hey, is the APK on IzzyOnDroid without the trackers?

IzzySoft commented 8 months ago

It is the APK provided here, so unfortunately not:


I (who runs the IzzyOnDroid repo) cannot do anything about that, that must be done by the app's developers. Which is why I pointed to alternatives (see above) which can be used more privacy-friendly.

ahmedre commented 8 months ago

I actually updated the code so doing this isn't too difficult now, I'll add this to my list to do soon.

IzzySoft commented 5 months ago

If you need some more choices with alternatives for analytics, be welcome to check with my list of acceptable analytics, @ahmedre – I'd be happy to remove some of those "red flags" then from your app's listing in my repo!

ahmedre commented 5 months ago

@IzzySoft I think I already fixed this - you can just build with `./gradlew assembleMadaniRelease -PdisableFirebase` - it doesn't use the Crashlytics nor Google Services plugins nor dependencies from what I can tell (unless I missed something - if I did, please let me know!)

If this is the case, should I just append each release in GitHub with a "no-google" apk or what do you typically do (i.e. which signing key do your releases use?)

IzzySoft commented 5 months ago

> I think I already fixed this

:partying_face:

> you can just build

Err… I can't :see_no_evil: No build env here. I'm no Android dev… But if you can link me to such an APK (can be in artifacts for this case, or here in the issue) I can run it through my scanner and post the output here.

> should I just append each release in GitHub with a "no-google" apk

That would be much appreciated, yes! And I use the APKs signed by you (with your release key) of course. It's your app, so the signature should show that. And those wanting to get out of Google's walled garden then could update the app installed from Play via my repo (provided you used the same key to sign there).

ahmedre commented 5 months ago

I just added a -no-google apk to the release artifacts built using `./gradlew assembleMadaniRelease -PdisableFirebase` - please run it through your scanner and let me know.

IzzySoft commented 5 months ago

That looks very good!

No offending libs found.

Permissions:
------------
* android.permission.INTERNET
* android.permission.WRITE_EXTERNAL_STORAGE
* android.permission.ACCESS_NETWORK_STATE
* android.permission.WAKE_LOCK
* android.permission.RECEIVE_BOOT_COMPLETED
* android.permission.FOREGROUND_SERVICE
* com.quran.labs.androidquran.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION
* android.permission.POST_NOTIFICATIONS
* android.permission.FOREGROUND_SERVICE_DATA_SYNC
* android.permission.FOREGROUND_SERVICE_MEDIA_PLAYBACK
* android.permission.READ_EXTERNAL_STORAGE*

SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

That blob can be easily avoided, too:

```groovy
android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}
```

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it contains.

Will you attach that APK (with the current naming schema) for future releases as well? Then I'd go right ahead telling my updater to stick with it :star_struck:
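
The scanner output above reports the `0x504b4453` DEPENDENCY_INFO_BLOCK by reading the APK Signing Block, the ID-value container that sits right in front of the ZIP central directory. The following script is an added example, not part of this project or of IzzySoft's scanner: it locates the End of Central Directory record, walks back to the signing block, lists every block ID it finds, and flags the dependency-info blob, so a maintainer can verify that a `-no-google` build really omits it before attaching it to a release. The block ID `0x504b4453` comes from the scanner output on this page; the v2/v3 signature and verity-padding IDs are the published Android constants. The input used when no path is given is a constructed in-memory ZIP with a constructed signing block spliced in (placeholder manifest and dex bytes, dummy signature payloads), not a real APK.

```python
import io
import struct
import sys
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = struct.pack("<I", 0x06054B50)
DEPENDENCY_INFO_BLOCK_ID = 0x504B4453  # ID shown by the scanner output on this page
BLOCK_IDS = {
    0x7109871A: "APK_SIGNATURE_SCHEME_V2",
    0xF05368C0: "APK_SIGNATURE_SCHEME_V3",
    0x42726577: "VERITY_PADDING_BLOCK",
    DEPENDENCY_INFO_BLOCK_ID: "DEPENDENCY_INFO_BLOCK (Google; opaque, encrypted to Google's key)",
}


def find_eocd(data: bytes):
    """Return (eocd_position, central_directory_offset) for a ZIP/APK byte string."""
    # The EOCD is 22 bytes plus an optional comment of at most 65535 bytes.
    search_from = max(0, len(data) - 22 - 65535)
    pos = data.rfind(EOCD_SIGNATURE, search_from)
    if pos < 0:
        raise ValueError("no End of Central Directory record found")
    cd_offset = struct.unpack_from("<I", data, pos + 16)[0]
    return pos, cd_offset


def parse_signing_block(data: bytes) -> dict:
    """Return {block_id: value_bytes} from the APK Signing Block, or {} if there is none."""
    _, cd_offset = find_eocd(data)
    if cd_offset < 24:
        return {}
    # Footer: uint64 size (excluding the leading size field) + 16-byte magic.
    size_in_footer, magic = struct.unpack("<Q16s", data[cd_offset - 24 : cd_offset])
    if magic != APK_SIG_BLOCK_MAGIC:
        return {}
    block_start = cd_offset - size_in_footer - 8
    if block_start < 0 or struct.unpack_from("<Q", data, block_start)[0] != size_in_footer:
        raise ValueError("corrupt APK Signing Block size fields")
    pairs, pos, end = {}, block_start + 8, cd_offset - 24
    while pos < end:
        # Each entry: uint64 length, then uint32 ID, then (length - 4) bytes of value.
        pair_len = struct.unpack_from("<Q", data, pos)[0]
        pos += 8
        if pair_len < 4 or pos + pair_len > end:
            raise ValueError("corrupt ID-value pair in APK Signing Block")
        block_id = struct.unpack_from("<I", data, pos)[0]
        pairs[block_id] = data[pos + 4 : pos + pair_len]
        pos += pair_len
    return pairs


def audit_apk(data: bytes) -> dict:
    """Summarise signing-block contents and whether the Google dependency blob is present."""
    pairs = parse_signing_block(data)
    return {
        "blocks": [(f"0x{bid:08x}", BLOCK_IDS.get(bid, "unknown"), len(v)) for bid, v in pairs.items()],
        "has_dependency_info_block": DEPENDENCY_INFO_BLOCK_ID in pairs,
    }


def build_signing_block(pairs) -> bytes:
    """Serialise [(id, value), ...] into an APK Signing Block (used only for the constructed sample)."""
    body = b"".join(struct.pack("<QI", 4 + len(v), bid) + v for bid, v in pairs)
    size = len(body) + 8 + 16
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def make_test_apk(with_dependency_block: bool) -> bytes:
    """Constructed sample: a tiny ZIP with a signing block spliced in before the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder manifest/>")
        zf.writestr("classes.dex", b"constructed placeholder dex")
    plain = buf.getvalue()
    eocd_pos, cd_offset = find_eocd(plain)
    pairs = [(0x7109871A, b"\x00" * 32)]  # constructed dummy v2 signature payload
    if with_dependency_block:
        pairs.append((DEPENDENCY_INFO_BLOCK_ID, b"\x00" * 16))  # constructed opaque payload
    sig_block = build_signing_block(pairs)
    out = bytearray(plain[:cd_offset] + sig_block + plain[cd_offset:])
    # The central directory moved forward by the block length; patch the EOCD's CD offset.
    struct.pack_into("<I", out, eocd_pos + len(sig_block) + 16, cd_offset + len(sig_block))
    return bytes(out)


if __name__ == "__main__":
    apk = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_test_apk(True)
    report = audit_apk(apk)
    for block_id, name, size in report["blocks"]:
        print(f"{block_id}  {name}  ({size} bytes)")
    print("dependency-info block present:", report["has_dependency_info_block"])
```

Run it as `python audit_apk.py app-no-google.apk` against a release artifact; an APK built with `includeInApk = false` should list the signature scheme blocks but no `0x504b4453` entry. Note that the script only reports which blocks exist and how large they are; the dependency blob's contents cannot be inspected, which is exactly the point IzzySoft makes about it.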

ahmedre commented 5 months ago

may you check now? I've merged #2575 and updated a new apk on the release page for 3.4.4 while applying this fix on that branch.

ahmedre commented 5 months ago

if it works out, can aim to always add a -no-google artifact to releases, though I can't promise I'll never forget. note to self, I probably should automate this at some point.

ahmedre commented 4 months ago

any update @IzzySoft ? can i close this?

IzzySoft commented 4 months ago

> Will you attach that APK (with the current naming schema) for future releases as well? Then I'd go right ahead telling my updater to stick with it 🤩

You didn't answer that one :wink: So shall I pin com.quran.labs.androidquran to /no-google\.apk/i then? If I do, and you do not have such a file attached, nothing will be pulled.

ahmedre commented 4 months ago

sure, sounds good.

ahmedre commented 4 months ago

I will setup a CI process for release at some point so I don't forget this for future releases.

IzzySoft commented 4 months ago

Thanks! So updated:

ApkMatch: /quran.*no-google\.apk$/i

going by the current file name. So once the next release is out, most (if not all) of the anti-features should be cleared. Do you have any ETA for when that might be?

ahmedre commented 4 months ago

thank you! honestly not sure when the next release is, no plans at the moment, but will keep this open so i can update once it's released. thanks for your help!

IzzySoft commented 4 months ago

Thank you for taking care! Looking forward to the next release (or ping, or both) then :smiley: