Hi

I may be wrong, but can someone help me interpret the results of this analysis correctly?

https://www.hybrid-analysis.com/sample/0a0238f85b8a559e8ab54f67920004db3a67a39bdbdbfa00075fd7d27e41dec4/672423b56b46e4feb006681d

See the Network Related section: Why does Simplex.apk have a hardcoded communication with

issuetracker.google.com

android.googlesource.com

developers.google.com

An app that is advertised as the most privacy-friendly?

All other indicators can (probably) be considered false positives (for example, the Camera permission, which is needed for video calls)

  • Mettled@reddthat.com
    link
    fedilink
    English
    arrow-up
    0
    ·
    4 days ago

    I can’t speak to that with a familiar level with the code, I can only presume or guess. All I will say is that is why I never install any app from Github or Gitlabs, because there is no third party verification of the code for releases on those sites.

    I only use F-Droid after disabling all anti-features in Settings and then install apps that I know are 100% clean from all dependancies.

    Download the SimpleX apk from F-Droid website and then run that to see what it says for any difference in the results.

    • IronJumbo68@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      3 days ago

      When installing from Github you only trust the developer and their signed certificate key.

      When installing from F-Droid you additionally also have to trust the F-Droid developer’s signature.

      Besides that F-droid has its own problems:

      https://privsec.dev/posts/android/f-droid-security-issues/

      I don’t use F-Droid. I use Obtainium and additionally check signatures in AppVerifier.

      https://sideofburritos.com/blog/obtainium-overview/

      • Mettled@reddthat.com
        link
        fedilink
        English
        arrow-up
        0
        ·
        3 days ago

        The link for F-Droid security issues is goijg on 3 years old, have you looked at the code xhanges for F-Droid since then?

        For using Obtainium, how do you avoid or block all apps from Github that depend on GCM, Firebase, or Google services? That’s wh I uae F-Droid and disable all anti-features so those apps are never listed, even if I search for an app that has Google dependancies, F-Droid will say that app does not exist or is not listed, as long as all anti-features is disabled.