Hi
I may be wrong, but can someone help me interpret the results of this analysis correctly?
See the Network Related section: Why does Simplex.apk have a hardcoded communication with
An app that is advertised as the most privacy-friendly?
All other indicators can (probably) be considered false positives (for example, the Camera permission, which is needed for video calls)
I woud still like for you to do a scan on the FDroid SimpleX apk to verify the difference for yourself instead of whatever I say about it.
Hello !
Version 6.1.1 (250) arm64-v8a https://f-droid.org/en/packages/chat.simplex.app/ https://f-droid.org/repo/chat.simplex.app_250.apk
Here’s the analysis: https://www.hybrid-analysis.com/sample/9b14b4f80b479a7eb2a5e9fb22ad3f5d547690f4e30da6b5c6f0e9ed8d4039da/672727b3fd3db6063b002513
Same exact result:
Dunno if this is something we should worry about or not ? Maybe OP and myself are not educated enough to interpret the results, however I’m also not very comfortable seeing those
Found potential URL in binary/memory
from SimpleX’s APK. Do you have any further thoughts?Thanks.
I hope @epoberezkin@lemmy.ml will dispel our doubts or a member of the Simplex.chat team :(
In the details for potential URL in memory, it says that’s for .onion address.
Thank you for posting the report, after I read through it, everything to me is clean and clear. The FDroid apk does not communicate with any outside resource that is not part of the anonymous network.
The Github version relies on Google, and to me nothing in the report suggeats that the FDroid version communicates with Google services.
It’s not about whether the application communicates with these addresses or not. It’s about the fundamental question: why are these addresses even encoded in the code of a VERY privacy-sensitive application?
My friend, in every answer you push F-Droid as a cure for all evil. There is no perfect store, F-Droid also has its problems (I wrote about it above). I am not an enemy of F-Droid (I also use it sometimes), but I will repeat: F-Droid control is insufficient (it’s security theater - it’s not a full audit of the source code).