szTheory / exifcleaner

Cross-platform desktop GUI app to clean image metadata
https://exifcleaner.com
MIT License

Firewall on Windows 10 seeing outbound connection to "call home" #116

Open wohali opened 3 years ago

wohali commented 3 years ago

Every time I start ExifCleaner (Windows 10), my firewall catches the program trying to "call home."

I don't know if this is telemetry, checking for updates, or what, but it would be nice to disable it in the program (rather than having to block it at my firewall).

Would that be possible?

szTheory commented 3 years ago

Hi, thanks for the report! There's no telemetry or network code in ExifCleaner, and no auto updater (there was in the very first version but I ripped it out). Does the firewall say what server or IP it's trying to connect to? Make sure you install the official ExifCleaner from the releases page on Github here https://github.com/szTheory/exifcleaner/releases, because if you got it from somewhere else it's possible they could have packaged other stuff in with it.

wohali commented 3 years ago

Hi there,

I installed direct from your GitHub release, specifically: https://github.com/szTheory/exifcleaner/releases/download/v3.4.0/ExifCleaner-Setup-3.4.0.exe

On startup it is immediately accessing 172.217.164.238 on port 443/tcp, which seems to be a Google site (yyz12s05-in-f14.1e100.net). I am in Toronto so it is probably trying to hit a Google resource.

Given the product is based on Electron, perhaps it is something specific to that?

szTheory commented 3 years ago

Strange, maybe it's some Windows specific packaging issue with electron-build? Or a Windows specific thing related to Electron? ExifCleaner doesn't initiate any network connections, so if it's a broader issue with electron-build or Electron then Windows users from other apps should be experiencing it as well, and you might be able to find reports for it. Could you try cloning the git repository and running it locally in development mode, to see if it exhibits the same behavior?

wohali commented 3 years ago

OK, I ran in dev mode using yarn run dev. With this, I see a connection to a localhost:9080 (expected) but no network traffic off-system.

I then modified the build target to include only building for windows (can't build macOS binaries on Windows), I extracted the self-installer .exe, and ran ExifCleaner.exe from inside of it -- no call home.

I then uninstalled the download from GitHub and used the self-built installer, and... it doesn't "call home" either. 😕 ❓

So, I guess either the electron-builder downloads of binaries when you generated the installer were tainted, or there is something else strange about how electron apps get built by whatever your CI solution is.

If you can generate a new installer from your CI setup, I'm happy to test it for you and see if the problem persists. For now, I have a working local binary I can trust. Thank you for keeping this program open source!

Gitoffthelawn commented 3 years ago

I am new to ExifCleaner (thank you for creating it!), and am experiencing the same issue on Windows 7.

Upon running the portable build of ExifCleaner (downloaded directly from this GitHub repo), it immediately tries to create an outgoing TCP connection via Port 443. The destination IP address varies each time ExifCleaner is run, but after 3 tests, every IP address was owned by Google.

This unwanted communication occurs every time ExifCleaner is run.

I'm hoping you'll be able to fix this, as you mentioned it's not intended, and software creating unintended network connections over a port typically reserved for encrypted data transfer is obviously quite concerning.

szTheory commented 3 years ago

Yeah that definitely shouldn't be happening. I'm going to mark this as a bug. The only problem is I don't really use Windows so it takes me longer to get around to these Windows issues. If someone could dig into the exact cause of this, whether it's something in electron-build or something else, or even contribute a PR with a direct fix that would be a huge help.

Gitoffthelawn commented 3 years ago

I'm not much help right now when it comes to Electron because, as of this writing, I've never used it (and honestly, I've avoided any applications that use it... but your app looks so useful that I made an exception!). Perhaps @wohali or someone else might be of more assistance. Sorry.

I know people often use Wine or a VM to test Windows issues on other operating systems. Maybe that would be an option for you?

What's really odd is that this issue hasn't been reported on other operating systems. Are you using a firewall that catches outgoing connections and packets?

szTheory commented 3 years ago

Yeah I am using a two-way firewall on a Mac right now and never saw any network activity.

I also try to avoid Electron apps. I originally made this app just to learn Node and Electron but the ecosystem with its dependencies is so fragile that I have even considered rewriting it in Perl/Tk or Tcl/Tk. Don't hold me to that, though. My main goal right now is to strip out as many dependencies as possible. Right now I am in the process of removing webpack completely. Next I want to remove the node-exiftool dep so that there are no production NPM deps, and no dev NPM deps outside of electron, electron-builder, typescript, and prettier. I would even consider eventually removing the electron-builder dep if feasible. Especially if it turns out to be the root of this Windows connection issue and we can't find a workaround.

Gitoffthelawn commented 3 years ago

That's funny that you try to avoid Electron apps, and here you are publishing one, and I try to avoid Electron apps, and here I am using one. :)

I don't know if this will be of much help, but you may want to take a look at this other great project: https://github.com/Qalculate

It's cross-platform, but doesn't rely on Electron. It suffers from the slow-to-load on Windows issue (just like Electron apps), but that's largely the first time you run it after rebooting.

There's also this wonderful project: https://sourceforge.net/projects/webchangemon/

It's cross-platform and uses wxWidgets. wxWidgets has its minor issues, but that application loads right up real fast on any supported platform. It's a great example of a cross-platform app that loads fast and doesn't use too much memory. Plus, it's multi-threaded, which is real nice for performance.

I hope some of this is helpful to you! :)

szTheory commented 3 years ago

I opened an issue in the electron-builder repo and they don't know anything about a Google connection. I installed all the NPM deps for it and did a search in node_modules and couldn't find anything about 1e100.net or google.com. Did the same for the exifcleaner and electron source code after installing their deps, and couldn't find anything there either.

Not sure what to do next. Maybe read a book about reverse engineering to learn how to easily search the compiled binaries for google.com and 1e100.net then go from there. If someone could run the Windows version with whatever the Windows equivalent of strace is and provide more info that would also help track this down.

Gitoffthelawn commented 3 years ago

Thanks for all the effort! FYI, the IPs it's calling are owned by Google, but I wouldn't be surprised if the actual URL is not google.com.

When I first ran it, I thought perhaps it was calling google-analytics.com (a big no-no), but then I went through the source code, and saw that it wasn't doing anything like that.

Google owns a bazillion IP addresses, and only a small fraction of them are resolved via google.com. One thing you can do is search for google instead of google.com and also search for gstatic.com. There are also googleapis, googleadservices, googletagmanager, googletagservices, and googlesyndication, but a search for google will find those too. Searching for analytics wouldn't be a bad idea too, but searching for google will at least find google-analytics. Other common Google-owned URLs include youtube, ytimg, and doubleclick.

I wouldn't recommend including the TLD for any of the domains because just searching for the domain should be sufficient and the period before the TLD could be escaped or encoded.

Gitoffthelawn commented 3 years ago

Another two common Google-owned domains are googlecommerce(.com) and recaptcha(.net). The former will obviously be caught by a search for google, but the latter will require an additional search.

Gitoffthelawn commented 3 years ago

Just remembered... there is also gmodules(.com). I think Google owns half the internet at this point. ;(
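The string search suggested in the last few comments (bare labels like `google`, `1e100`, `gstatic`, `recaptcha`, `gmodules` rather than full domains, so an escaped or encoded dot before the TLD cannot hide a match) can be done directly on the shipped binary. The script below is an added example for this thread, not code from ExifCleaner or electron-builder. It extracts printable ASCII runs and, separately, UTF-16LE runs (plain `strings` without `-el` misses those, and Windows and Chromium resources store many strings that way), then reports every run that contains a watch-list token. The watch list, the `extract_strings`/`find_hosts`/`scan_file` names and the `SAMPLE` bytes are constructed for illustration; run `scan_file()` against the extracted `ExifCleaner.exe` and its `resources/` and `.pak` files to get real results.

```python
"""Scan a compiled binary for embedded hostnames (added example, not project code).

Extracts printable ASCII and UTF-16LE runs from a file and reports any run that
contains a token from WATCH_TOKENS. Tokens are bare labels, not full domains, so
"google" also catches google-analytics, googleapis, googletagmanager and friends.
"""
import re
import sys
from typing import Dict, Iterator, List, Tuple

# Constructed watch list based on the domains discussed in the thread.
WATCH_TOKENS = (
    "google", "1e100", "gstatic", "recaptcha", "gmodules",
    "doubleclick", "youtube", "ytimg", "analytics",
)

MIN_LEN = 6  # shortest run worth reporting; raise to cut noise on big binaries

# Runs of printable ASCII, and runs of printable ASCII interleaved with NULs
# (UTF-16LE, the encoding Windows wide strings and Chromium .pak files use).
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data: bytes) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for each printable run in data."""
    for m in _ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in _UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_hosts(data: bytes, tokens=WATCH_TOKENS) -> List[Dict]:
    """Return one record per run containing at least one watch token, by offset."""
    hits = []
    for off, enc, text in extract_strings(data):
        lowered = text.lower()  # case-insensitive: "Google" and "GOOGLE" count too
        matched = tuple(t for t in tokens if t in lowered)
        if matched:
            hits.append({"offset": off, "encoding": enc,
                         "tokens": matched, "text": text})
    hits.sort(key=lambda h: h["offset"])
    return hits


def scan_file(path: str, tokens=WATCH_TOKENS) -> List[Dict]:
    """Scan a file on disk (an .exe, .dll, .asar or .pak) and return the hits."""
    with open(path, "rb") as fh:
        return find_hosts(fh.read(), tokens)


# Constructed sample bytes: a fake PE header, an ASCII URL, a UTF-16LE hostname
# and an innocuous string. Not taken from any real ExifCleaner build.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"https://www.gstatic.com/recaptcha/api.js"
    + b"\x00\xff\x13"
    + "update.1e100.net".encode("utf-16le")
    + b"\x00\x00" + b"harmless-string-here" + b"\x00"
)

if __name__ == "__main__":
    targets = sys.argv[1:]
    results = [hit for p in targets for hit in scan_file(p)] if targets else find_hosts(SAMPLE)
    for hit in results:
        print(f"{hit['offset']:#010x} {hit['encoding']:8} {hit['tokens']} {hit['text']!r}")
```

A hit only shows that the string is present, not that it is ever used; a hit in a Chromium `.pak` or in `electron.exe` itself is expected and says nothing about ExifCleaner's own code. A miss is also not conclusive, since a hostname can be assembled at runtime or compressed inside a resource, which is why pairing this with a live connection trace is still worthwhile.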

wohali commented 3 years ago

Hey @sztheory @gitoffthelawn ,

Have you tried installing Wireshark and capturing whatever traffic it sends out and receives?

I will try the same, as I haven't reinstalled since I rebuilt this particular machine - though the last build I pulled didn't "call home."
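A packet capture shows what leaves the machine but not which process sent it, so on Windows the useful first step is to tie the firewall-flagged connection to a PID. `netstat -ano` prints the owning PID per socket and `tasklist /fo csv /nh` maps PIDs to image names; the script below is an added example for this thread, not part of ExifCleaner, that parses both and lists the non-local endpoints a given image is talking to. The `Conn` type, the function names and the two sample outputs are constructed; `live_snapshot()` runs the real commands and only works on Windows.

```python
"""Attribute outbound TCP connections to a process on Windows (added example).

Joins `netstat -ano` output (which carries the owning PID) with `tasklist`
output (PID -> image name) so that a firewall alert for port 443 can be tied
to a specific executable and remote address. The sample outputs are constructed.
"""
import csv
import io
import ipaddress
import subprocess
from typing import Dict, List, NamedTuple, Tuple


class Conn(NamedTuple):
    proto: str
    local: str
    remote_ip: str
    remote_port: int
    state: str
    pid: int
    image: str


def parse_tasklist(text: str) -> Dict[int, str]:
    """Parse `tasklist /fo csv /nh`: first column image name, second column PID."""
    pid_to_image = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].strip().isdigit():
            pid_to_image[int(row[1])] = row[0]
    return pid_to_image


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'host:port' or '[v6]:port'; '*:*' (unbound UDP) becomes ('*', 0)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else 0


def parse_netstat(text: str, pid_to_image: Dict[int, str]) -> List[Conn]:
    """Parse `netstat -ano`; TCP rows carry a State column, UDP rows do not."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # headers, blank lines
        proto, local, remote = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        rip, rport = split_endpoint(remote)
        conns.append(Conn(proto, local, rip, rport, state, pid,
                          pid_to_image.get(pid, "<unknown>")))
    return conns


def external_connections(conns: List[Conn], image: str) -> List[Conn]:
    """Connections owned by `image` whose peer is a routable, non-local address."""
    out = []
    for c in conns:
        if c.image.lower() != image.lower():
            continue
        try:
            addr = ipaddress.ip_address(c.remote_ip)
        except ValueError:
            continue  # '*' or other placeholder, nothing to attribute
        if addr.is_unspecified or addr.is_loopback or addr.is_private:
            continue  # listeners, the dev server on 127.0.0.1:9080, LAN peers
        out.append(c)
    return out


def live_snapshot(image: str) -> List[Conn]:
    """Windows only: run the real commands and attribute current connections."""
    netstat = subprocess.run(["netstat", "-ano"], capture_output=True,
                             text=True, check=True).stdout
    tasks = subprocess.run(["tasklist", "/fo", "csv", "/nh"], capture_output=True,
                           text=True, check=True).stdout
    return external_connections(parse_netstat(netstat, parse_tasklist(tasks)), image)


# Constructed sample output in the format of `netstat -ano` and `tasklist /fo csv /nh`.
# The 172.217.164.238:443 row mirrors the endpoint reported earlier in this thread.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    127.0.0.1:9080         127.0.0.1:52110        ESTABLISHED     6120
  TCP    192.168.1.20:52231     172.217.164.238:443    SYN_SENT        6120
  TCP    192.168.1.20:52240     140.82.112.3:443       ESTABLISHED     4412
  UDP    0.0.0.0:5353           *:*                                    2032
"""
TASKLIST_SAMPLE = '''"svchost.exe","948","Services","0","10,000 K"
"ExifCleaner.exe","6120","Console","1","95,232 K"
"chrome.exe","4412","Console","1","210,004 K"
"mDNSResponder.exe","2032","Services","0","5,120 K"
'''

if __name__ == "__main__":
    pids = parse_tasklist(TASKLIST_SAMPLE)
    for c in external_connections(parse_netstat(NETSTAT_SAMPLE, pids), "ExifCleaner.exe"):
        print(f"{c.image} pid={c.pid} -> {c.remote_ip}:{c.remote_port} {c.state}")
```

Run the snapshot in a loop right after launching the app, because a short-lived handshake can be gone before a single `netstat` call; the `SYN_SENT` row in the sample is the state you would expect to catch if the firewall is blocking the connection. With the PID in hand, `Get-Process -Id <pid> | Select-Object Path` confirms which executable owns it, which separates ExifCleaner's own renderer and main processes from an unrelated program that happened to connect at the same time.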

szTheory commented 3 years ago

@wohali Good idea, I haven't had the time and I don't work on Windows so it's been easy for me to kick the can down the road, sorry. It might be a while until I can dedicate time to getting to the root of this, so if someone else could figure it out and even provide a fix/PR that would be a godsend.