11
submitted 1 month ago by IronJumbo@lemmy.world to c/simplex@lemmy.ml

Hi

I may be wrong, but can someone help me interpret the results of this analysis correctly?

https://www.hybrid-analysis.com/sample/0a0238f85b8a559e8ab54f67920004db3a67a39bdbdbfa00075fd7d27e41dec4/672423b56b46e4feb006681d

See the Network Related section: Why does Simplex.apk have a hardcoded communication with

issuetracker.google.com

android.googlesource.com

developers.google.com

An app that is advertised as the most privacy-friendly?

All other indicators can (probably) be considered false positives (for example, the Camera permission, which is needed for video calls)

[-] Mettled@reddthat.com 5 points 1 month ago

Is that based on the F-Droid version of SimpleX from the native F-Droid repository?

[-] N0x0n@lemmy.ml 4 points 1 month ago* (last edited 1 month ago)

I tried it with the official github .apk and same result. I have no idea what it means though maybe someone could chime in?

Found potential URL in binary/memory:

  • Pattern match: "https://issuetracker.google.com/issues/new?component=618491&template=1257717"
  • Pattern match: "https://android.googlesource.com/toolchain/llvm-project"
  • Pattern match: "https://developers.google.com/protocol-buffers///"

Except that they need something to make an Android application (Android SDK) and somehow to get issuetracker feedback, there's nothing to worry about? I guess? I don't know.
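An added example (not from any poster in this thread, nor from SimpleX's code) that reproduces a "potential URL in binary" finding locally: it opens an APK as the zip it is, reports which entry carries each URL string, and lists the printable strings sitting next to it, which is what separates a compiler or library banner in a native library from an endpoint referenced by app code. The APK contents here are constructed; the toolchain URL is the one quoted above.

```python
import io
import re
import zipfile

# http(s) URLs in raw bytes, roughly what a sandbox's
# "potential URL in binary/memory" check pattern-matches.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
# Runs of printable ASCII, used to show a hit's neighbouring strings.
STR_RE = re.compile(rb"[\x20-\x7e]{4,}")

def find_urls_in_apk(apk_bytes, context=2):
    """Map each zip entry (an APK is a zip) to the URL strings it carries,
    each with its byte offset and the printable strings around it."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            strings = [(m.start(), m.group()) for m in STR_RE.finditer(data)]
            found = []
            for m in URL_RE.finditer(data):
                # index of the printable string that contains this URL
                idx = max(i for i, (off, _) in enumerate(strings) if off <= m.start())
                around = [s.decode("ascii")
                          for _, s in strings[max(0, idx - context): idx + context + 1]]
                found.append((m.start(), m.group().decode("ascii"), around))
            if found:
                hits[info.filename] = found
    return hits

def build_sample_apk():
    """Constructed stand-in for an APK: a native library whose string table
    holds a compiler banner next to a toolchain URL (as in the report quoted
    above), plus a dex-like blob carrying a URL that app code would use."""
    so = (b"\x7fELF" + b"\x00" * 12
          + b"clang version 17 (constructed)\x00"
          + b"https://android.googlesource.com/toolchain/llvm-project\x00"
          + b"Target: aarch64-linux-android\x00")
    dex = b"dex\n035\x00" + b"\x00" * 8 + b"https://smp.example.invalid/\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/arm64-v8a/libapp.so", so)
        zf.writestr("classes.dex", dex)
    return buf.getvalue()

if __name__ == "__main__":
    for entry, found in find_urls_in_apk(build_sample_apk()).items():
        for off, url, around in found:
            print(f"{entry} @ {off}: {url}  (neighbours: {around})")
```

A URL in a string table is evidence of what built or was linked into the binary, not of a connection being made; whether the app ever opens a socket to that host has to come from code review or traffic capture.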

[-] Mettled@reddthat.com 3 points 1 month ago

I can't speak to that with a familiar level with the code, I can only presume or guess. All I will say is that is why I never install any app from GitHub or GitLab, because there is no third party verification of the code for releases on those sites.

I only use F-Droid after disabling all anti-features in Settings and then install apps that I know are 100% clean from all dependencies.

Download the SimpleX apk from F-Droid website and then run that to see what it says for any difference in the results.

[-] IronJumbo@lemmy.world 3 points 1 month ago

When installing from Github you only trust the developer and their signed certificate key.

When installing from F-Droid you additionally also have to trust the F-Droid developer's signature.

Besides that F-droid has its own problems:

https://privsec.dev/posts/android/f-droid-security-issues/

I don't use F-Droid. I use Obtainium and additionally check signatures in AppVerifier.

https://sideofburritos.com/blog/obtainium-overview/

[-] Mettled@reddthat.com 2 points 1 month ago

The link for F-Droid security issues is going on 3 years old, have you looked at the code changes for F-Droid since then?

For using Obtainium, how do you avoid or block all apps from Github that depend on GCM, Firebase, or Google services? That's why I use F-Droid and disable all anti-features so those apps are never listed, even if I search for an app that has Google dependencies, F-Droid will say that app does not exist or is not listed, as long as all anti-features are disabled.

[-] N0x0n@lemmy.ml 1 points 1 month ago

> For using Obtainium, how do you avoid or block all apps from Github that depend on GCM, Firebase, or Google services?

You do have a point though, but how does that even come into the mix? Obtainium fetches directly from the source (api.github.com).

But to answer your question, it's blocked at the DNS level with RethinkDNS. Blocking all requests, except those explicitly allowed by myself.

This seems more like hardcoded into the .APK, or that we can't correctly interpret the results, or something is wrong in the analysis. And I'm also curious to get more info from someone.

[-] Mettled@reddthat.com 1 points 1 month ago

I would still like for you to do a scan on the FDroid SimpleX apk to verify the difference for yourself instead of whatever I say about it.

[-] N0x0n@lemmy.ml 1 points 1 month ago

Hello!

Version 6.1.1 (250) arm64-v8a https://f-droid.org/en/packages/chat.simplex.app/ https://f-droid.org/repo/chat.simplex.app_250.apk

Here's the analysis: https://www.hybrid-analysis.com/sample/9b14b4f80b479a7eb2a5e9fb22ad3f5d547690f4e30da6b5c6f0e9ed8d4039da/672727b3fd3db6063b002513

Same exact result:

  • Pattern match: "https://android.googlesource.com/toolchain/llvm-project"
  • Pattern match: "https://developers.google.com/protocol-buffers///"
  • Pattern match: "https://issuetracker.google.com/issues/new?component=618491&template=1257717"

Dunno if this is something we should worry about or not? Maybe OP and myself are not educated enough to interpret the results, however I'm also not very comfortable seeing those "Found potential URL in binary/memory" from SimpleX's APK. Do you have any further thoughts?

Thanks.

[-] IronJumbo@lemmy.world 2 points 1 month ago

I hope @epoberezkin@lemmy.ml will dispel our doubts or a member of the Simplex.chat team :(

[-] Mettled@reddthat.com 0 points 1 month ago

In the details for potential URL in memory, it says that's for .onion address.

Thank you for posting the report, after I read through it, everything to me is clean and clear. The FDroid apk does not communicate with any outside resource that is not part of the anonymous network.

The Github version relies on Google, and to me nothing in the report suggests that the FDroid version communicates with Google services.

[-] IronJumbo@lemmy.world 1 points 1 month ago

It's not about whether the application communicates with these addresses or not. It's about the fundamental question: why are these addresses even encoded in the code of a VERY privacy-sensitive application?

My friend, in every answer you push F-Droid as a cure for all evil. There is no perfect store, F-Droid also has its problems (I wrote about it above). I am not an enemy of F-Droid (I also use it sometimes), but I will repeat: F-Droid control is insufficient (it's security theater - it's not a full audit of the source code).

[-] Mettled@reddthat.com -1 points 1 month ago

I think I can agree with the crux of your statement, the problem I see completely outside of your argument is the online privacy community is both highly toxic and highly ignorant. Most of them have never worked in IT or as an admin and have to work with customers according to what the customer is paying for and not what someone believes is a better way but the paying customer has no interest in learning, so they spout their opinions online but have never had formal employment in network security and privacy for a company.

this post was submitted on 01 Nov 2024
11 points (92.3% liked)
