Trackers & Permissions (exodus report) #319

Open
fwn opened this issue Mar 5, 2021 · 4 comments

fwn commented Mar 5, 2021

I ran exodus privacy (link to their website) on my phone and they linked a report for FreeCBT which can be found here: https://reports.exodus-privacy.eu.org/en/reports/142251/

According to this report there is no app on my entire phone with more trackers. Is this correct? Maybe it's overly zealous or something. There are also a lot of unlikely permissions (like the internet permission?) but those are much more transparently listed on the Play Store page.

Anyway, thank you for reading & big thank you for keeping this app alive!


Klemet commented Jun 3, 2021

I completely agree! While I am very thankful that the app is kept alive, I think that if the trackers are not used to gain information to maintain the app or to do ads, then they should be removed. This would make the app much more privacy-friendly. As it is, I don't feel like using the app if information about its use will be sent to Facebook or Google, and especially if it is not used to make the app better.

Which is a shame, as the app looks really amazing!

@shumonsharif

Thank you for keeping this app going. It's not clear where the source code for version 2.2.3 is (what's currently deployed to the Google Playstore). The release date of March 2nd, 2021 doesn't correspond to anything on the releases page, and it's not obvious which commits went into it. Is it safe to assume that the code in GitHub reflects what's ending up on our phones?

Owner

erosson commented Dec 1, 2021

https://reports.exodus-privacy.eu.org/en/reports/142251/

Never knew about this site; nifty!

trackers

FreeCBT intends to use exactly zero of the trackers listed on that page. Unfortunately, I suspect most of them come from Expo - Expo probably allows integration with those trackers, so they end up listed on that page, even when they are never used and no data is sent their way. Example of another developer encountering that issue with Expo:
https://forums.expo.dev/t/why-does-my-app-have-trackers/50936

FreeCBT inherited several other tracker/analytics/internet-access-y tools from Quirk. I'm not very familiar with any of these, and since I'm not adding new features I certainly don't check any of them regularly. Removing these would be totally fine, I'd like to do it eventually, and I wouldn't be opposed to any pull requests doing so:

  • sentry
  • onesignal (but I think I already removed this?)
  • segment (expo-analytics-segment)

permissions

Probably the same story with most of the required permissions: I haven't deliberately added them. I'd be open to removing them (or PRs removing them), if it can be done without breaking things. That said, I am not a mobile app expert and am very wary of breaking things.

> (like the internet permission?)

The last kind of internet access that FreeCBT uses is for automatic updates to the FreeCBT code via Expo.
https://docs.expo.dev/workflow/publishing/

FreeCBT automatically updates itself to match what's in the github repository, without going through appstore/play store review processes. Small and infrequent changes, usually. The internet permission's regrettable for an app that deals with such sensitive data, but I'm not going to turn off this auto-updating. Without it, releasing any change to freecbt is incredibly tedious, with many manual steps to update the app stores - and as an unpaid volunteer, I'm sorry but I'm just not going to do that.

Your CBT exercises and other personal data should never leave your device.

> Is it safe to assume that the code in Github reflects what's ending up on our phones?

Yes: automatic updates, explained above, ensure the code on github is what ends up on your phone. The release date shown on the play store is usually not relevant - the automatic updates described above don't affect it.


I hope that helps? Feel free to ask more questions; privacy's important!
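An added example, not part of the thread or of the FreeCBT code base: one way to check, before a removal pull request, which of the three tools listed above are declared as dependencies and which source files actually import them. The npm package names `sentry-expo` and `react-native-onesignal` are assumptions (only `expo-analytics-segment` is named in the thread), and the sample `package.json` and source files are constructed.

```javascript
// Assumed npm package names for the tools named in the thread.
const TRACKER_PACKAGES = {
  "sentry-expo": "sentry",
  "react-native-onesignal": "onesignal",
  "expo-analytics-segment": "segment",
};

// Reduce an import specifier to its package: "a/b" -> "a", "@s/p/x" -> "@s/p".
function packageOf(specifier) {
  if (specifier.startsWith(".") || specifier.startsWith("/")) return null; // local file
  const parts = specifier.split("/");
  return specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// Packages referenced by import/export-from, require() and dynamic import().
function importedPackages(source) {
  const re = /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)["']([^"']+)["']/g;
  const found = new Set();
  for (const m of source.matchAll(re)) {
    const pkg = packageOf(m[1]);
    if (pkg) found.add(pkg);
  }
  return found;
}

// Report each known tracker package that is declared and/or imported.
function auditTrackers(packageJsonText, sources) {
  const pkg = JSON.parse(packageJsonText);
  const declared = { ...pkg.dependencies, ...pkg.devDependencies };
  const usedIn = new Map();
  for (const [file, text] of Object.entries(sources)) {
    for (const name of importedPackages(text)) {
      if (!usedIn.has(name)) usedIn.set(name, []);
      usedIn.get(name).push(file);
    }
  }
  return Object.entries(TRACKER_PACKAGES)
    .filter(([name]) => name in declared || usedIn.has(name))
    .map(([name, tool]) => ({
      tool, package: name, declared: name in declared,
      importedBy: usedIn.get(name) || [],
    }));
}

// Constructed sample input.
const samplePackageJson = JSON.stringify({
  dependencies: { expo: "*", "sentry-expo": "*", "expo-analytics-segment": "*" },
});
const sampleSources = {
  "src/sentry.ts": 'import * as Sentry from "sentry-expo";\n',
  "src/main.tsx": 'import React from "react";\nimport "./sentry";\n',
};
console.log(auditTrackers(samplePackageJson, sampleSources));
```

A package reported as declared with an empty `importedBy` list is the easiest removal candidate; one that is imported needs its call sites removed first.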


Klemet commented Dec 1, 2021

That's a great post, @erosson; thanks a lot for taking the time to address those details. I feel like this can sound like a lot of nitpicking, especially since our privacy is being daily breached in many ways when we use computers/phones. But I do believe that it is still important to show that alternatives are not only possible, but awesome; just like FreeCBT!
And yeah, the very, very personal aspect of CBT journaling makes it pretty important that people can feel safe with the app.

Sadly, I don't know enough code to remove the existing trackers; but I'd be glad to help to make more visible the idea that FreeCBT might be the only free and private app for CBT journaling once they're gone. Internet access for auto-updates seems reasonable to me.

Thanks again for the explanation, and have a nice day!
