Comment by gruez
1 month ago
>I would love to use this, but I don't want to allow a third party app with closed source to read all my notifications. This can read OTP passwords, full messages, etc. so it must be open source for me to consider it.
The app lacks the INTERNET permission so it can't really exfiltrate data even if it wanted to.
This is correct, but it is still a slippery slope. At some point the dev ends up adding internet permission (might be for legit reasons too), and lo and behold you are sharing your data. For something as sensitive as notifications, I really can't trust anything but open-source app which is vetted by a few seasoned people and hosted on F-droid.
Related, GrapheneOS has a handy feature to disable network access for individual apps.
Also non-GrapheneOS Android. I'm on CrDroid (Android 16), ans if I go into "Settings -> Apps -> Some App -> Mobile data usage", there's a toggle for "Allow internet access", and a few more to control network access on Wi-Fi, cellular, background, and VPN.
If the permission is added in retrospect wouldn’t you still need to opt in?
fwiw i completely agree that oss is the way to go here
The "Internet" permission on Android is one of the no-approval ones. If it gets added, you won't notice.
I’m interested in what you’re suggesting. Who are those auditors you trust? Does f-droid imply things have been audited?
f-droid implies
* that the application is source-available;
* toolchain used to build the app is FOSS - application does not use Play Services, or proprietary tracking/analytics, or proprietary ad libraries.
* application toolchain doesn't depend on "binary blobs";
Not even passing the sniff test on those easy to meet requirements is suspicious.
Would a safe alternative (albeit annoying to update) be to side load the apk for the purpose of eliminating the possibility of auto updates brought on by an app store?
That's another pet peeve of mine: Why the hell can't we block internet access for apps in (native) Android? Everything else is a permission, but this is not, somehow.
Maybe Google doesn't want users blocking ads from getting loaded.
ADs work via play services so even if you block internet for the app the ADs will continue to work.
The reason many apps stop showing ADs when their internet is blocked is because they need to make an API call to their own servers before running the AD. That is the common behavior but not mandatory
Wait, we can in Android. In my OnePlus 12 in the app settings under "data usage" there are two toggles for "disable mobile data" / "disable wifi"
Not present with a Pixel with Android 16, my effective choices are:
1. App can't use mobile data in background
2. App can use mobile data in background except in Data Saver mode
3. App can use mobile data in background regardless of Data Saver mode
____
For anyone doing comparisons, the literal settings appear under "Mobile Data Usage" as:
* [X] Background Data ("Enable usage of mobile data in the background")
* [ ] Unrestricted mobile data usage ("Allow unrestricted mobile data access when Data Saver is on")
1 reply →
Wow, thought it was GrapheneOS only, but no.
Confirmed these settings on One+15 on OOS16 (based on Android 16).
Is it also the case for other Android brands?
P.S. I did use it before to turn off ads.
5 replies →
I have an S25 Ultra with the latest version of Android, and these options don't seem to be there at all. I don't have a "data usage" under Permissions for any apps. I do have a Mobile Data section under App Info for any given app, but there's no way to toggle the options you mentioned.
You can on some devices (many Chinese brands, funnily enough) and on custom ROMs.
There are also (open source) firewall apps that will let you block (non-system) apps if you're on a stock ROM like me.
Technically, this is a permission, just not a user-grantable one. Google has moved quite a few permissions from inherent to user-grantable, but most apps don't work without internet (unfortunately) so I doubt they will do it for the internet permission in stock android.
It is a permission that app can get without asking the user
Lacking INTERNET permission today does not guarantee that the app will never have that permission. The internet permission is considered a "normal" permission by android so it will be auto granted without even a notification to the user.
Moreover an app without internet permission can still send data out using "INTENTS" for other apps in Android. This can make an app dangerous even without internet permission.
I was excited about the application and was dissapointed to see that it was closed source. I will absolutely not trust anyone that I cannot sue with this data. Big companies at least follow some standards that are enforced by multiple governments here we know nothing.
It's hard to rule out intentional side channels without access to source.
Do you mean a no-internet app (like this) could write data locally in a way that another internet-enabled app (in cahoots) could locally receive? Like a non-sandboxed storage area? Seems plausible.
Meta literally got caught doing this.
Writing to a local server, and then uploading from the browser to bypass consent mechanisms.
https://wire.com/en/blog/metas-stealth-tracking-another-eu-w...
yes that and internet permission can be added later and pushed with an update. Unless you are checking permissions after every update you will not know.
Is that actually required? I thought that was implicit
It's automatically granted but the app needs to declare it in order to access internet. Because of that it's not enough that the app _currently_ doesn't request internet permissions, because if it ever starts, it would be mostly transparent to a user
Yes. Without the permission all network requests will just fail.
You can silently add the permission in an update though. It's safe if you don't auto-update it I guess.
Not alone,
but it could prepare a tidy little package for something else to grab later.