Comment by Draiken
1 month ago
I would love to use this, but I don't want to allow a third party app with closed source to read all my notifications. This can read OTP passwords, full messages, etc. so it must be open source for me to consider it.
I would donate/pay for this if it was open source on F-Droid.
Kudos to you for building it. I put off building this exact same application so many times it's not even funny. Too bad I'm too lazy to maintain something like this.
>I would love to use this, but I don't want to allow a third party app with closed source to read all my notifications. This can read OTP passwords, full messages, etc. so it must be open source for me to consider it.
The app lacks the INTERNET permission so it can't really exfiltrate data even if it wanted to.
This is correct, but it is still a slippery slope. At some point the dev ends up adding internet permission (might be for legit reasons too), and lo and behold you are sharing your data. For something as sensitive as notifications, I really can't trust anything but an open-source app which is vetted by a few seasoned people and hosted on F-Droid.
Related, GrapheneOS has a handy feature to disable network access for individual apps.
If the permission is added in retrospect wouldn’t you still need to opt in?
fwiw I completely agree that OSS is the way to go here
I’m interested in what you’re suggesting. Who are those auditors you trust? Does F-Droid imply things have been audited?
Would a safe alternative (albeit annoying to update) be to sideload the APK for the purpose of eliminating the possibility of auto updates brought on by an app store?
That's another pet peeve of mine: Why the hell can't we block internet access for apps in (native) Android? Everything else is a permission, but this is not, somehow.
Maybe Google doesn't want users blocking ads from getting loaded.
Wait, we can in Android. In my OnePlus 12 in the app settings under "data usage" there are two toggles for "disable mobile data" / "disable wifi"
You can on some devices (many Chinese brands, funnily enough) and on custom ROMs.
There are also (open source) firewall apps that will let you block (non-system) apps if you're on a stock ROM like me.
Technically, this is a permission, just not a user-grantable one. Google has moved quite a few permissions from inherent to user-grantable, but most apps don't work without internet (unfortunately) so I doubt they will do it for the internet permission in stock Android.
It is a permission that an app can get without asking the user.
Lacking INTERNET permission today does not guarantee that the app will never have that permission. The internet permission is considered a "normal" permission by Android so it will be auto granted without even a notification to the user.
Moreover, an app without internet permission can still send data out using "INTENTS" for other apps in Android. This can make an app dangerous even without internet permission.
I was excited about the application and was disappointed to see that it was closed source. I will absolutely not trust anyone that I cannot sue with this data. Big companies at least follow some standards that are enforced by multiple governments; here we know nothing.
It's hard to rule out intentional side channels without access to source.
Do you mean a no-internet app (like this) could write data locally in a way that another internet-enabled app (in cahoots) could locally receive? Like a non-sandboxed storage area? Seems plausible.
Is that actually required? I thought that was implicit
It's automatically granted but the app needs to declare it in order to access the internet. Because of that it's not enough that the app _currently_ doesn't request internet permissions, because if it ever starts, it would be mostly transparent to a user.
Yes. Without the permission all network requests will just fail.
Not alone, but it could prepare a tidy little package for something else to grab later.
Fair enough, you only have my word on it (that it doesn't send any data to the Internet). But you do have my word :)
Another person requested that the app be open-sourced as well. I will look into that.
I would greatly appreciate it, if this was open source :) Especially since this will be able to read 2FA codes sent by SMS. (I get that SMS 2FA codes are not perfectly safe to begin with, I personally don't love them either, but they are still used on a bunch of services)
Just makes me sleep a little better.
I'm going to join the list of voices requesting open source here. If you're not planning to charge money for this, there are several benefits starting with increased trust.
Mobile apps are a cesspool of user-hostile behavior, and I have a strong preference for not giving closed source apps access to sensitive data.
> completely free, and there is no advertising or hidden gotchas
I don't understand why not release the source if the app is completely free, what are you trying to protect?
Putting on my CISO hat, if they release the source, someone else could then create an app, but this time maliciously with said exfiltration of information, and publish it on Play with paid ad time.
It's something I've also vaguely thought about building myself, because god damn Uber, how many times do you need to send me an advert for Uber One? Just tell me when my car is here.
So congrats to the author of this. I do agree that I'd prefer it open sourced too, it feels a bit risky it having access to all your notifications.
It took me a moment to find, but Alertly claims to do something similar while being open-source. Last commit was made two years ago though.
https://f-droid.org/packages/com.example.notificationalerter
https://github.com/lightningcpu/Alertly
What about this? https://f-droid.org/packages/co.adityarajput.notifilter
If you're feeling skeptical and just want to be sure, you can use this NetGuard https://github.com/M66B/NetGuard to block internet access for any app.
Just blocking access to internet for this one app is not enough. It can use intents or a shared local storage with some other app to send the data out.
Great tool. Additionally, some Android forks (ColorOS) allow you to do this without apps, directly in the system settings of the app.
The irony
App1 abuses notification permission
App2 keeps App1 in check
App3 to keep App2 from abusing network permission
...
TIL! What a find. Thanks mate!
I might actually try this now.
If NetGuard makes you smile, have a look at ReThink.
Fast/private DNS, firewall, logs, VPN (WireGuard) ready to go.
You're welcome
If you're that paranoid, you might also consider not using F-Droid:
https://www.privacyguides.org/en/android/obtaining-apps/#f-d...
https://discuss.grapheneos.org/d/15490-f-droid-or-obtainium
TIL!
IDK if I would consider not blindly trusting an unknown third party to read all my notifications being paranoid, but if it is, then yeah, I guess I am.
I've used F-Droid merely due to the open source guarantee, so how fast these apps are patched isn't a deal-breaker for me, but I'll definitely look into Obtainium now.
Thank you!
As a developer, the fact that F-Droid now compiles all your packages for you, using their own keys, is a non-starter for me. It means they are free to modify my code however they want or inject malware etc. (whether by mistake or not), and it's totally outside of my control, but still has my name on it.
Absolutely! It is a sovereignty software effectively, it could be OSS only, otherwise treated as "soon to turn into bloatware cash-cow to death". There is no other way to gain trust, but staying closed source is a way to confirm distrust. If the dev is scared about monetization that much, that's a pre-bloatware effectively.
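
Several comments above point out that INTERNET is a "normal" permission that an update can start declaring without the user being prompted. The following is an added example, not part of the thread and not code from any app mentioned in it: a check that diffs the permissions declared in two versions of an app's manifest and flags a notification listener that gains network access. It assumes the binary AndroidManifest.xml of each version has already been decoded to plain XML; the package name and both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"
LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
INTERNET = "android.permission.INTERNET"

# Constructed sample manifests (hypothetical app), already decoded to XML.
OLD_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}"
    package="org.example.notifyfilter" android:versionCode="7">
  <application>
    <service android:name=".Listener" android:permission="{LISTENER}"/>
  </application>
</manifest>"""

NEW_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}"
    package="org.example.notifyfilter" android:versionCode="8">
  <uses-permission android:name="{INTERNET}"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <application>
    <service android:name=".Listener" android:permission="{LISTENER}"/>
  </application>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names the manifest declares."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    return {el.get(NAME) for tag in tags for el in root.iter(tag) if el.get(NAME)}

def reads_notifications(manifest_xml):
    """True if any service is guarded by the notification-listener bind permission."""
    root = ET.fromstring(manifest_xml)
    return any(svc.get(PERMISSION) == LISTENER for svc in root.iter("service"))

def review_update(old_xml, new_xml):
    """List permissions added by the update; escalate listener + INTERNET."""
    added = requested_permissions(new_xml) - requested_permissions(old_xml)
    findings = [f"new permission: {p}" for p in sorted(added)]
    if INTERNET in added and reads_notifications(new_xml):
        findings.append("ALERT: notification listener gained network access")
    return findings

if __name__ == "__main__":
    for line in review_update(OLD_MANIFEST, NEW_MANIFEST):
        print(line)
```

This only covers declared permissions; it says nothing about the intent and shared-storage channels raised elsewhere in the thread.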