Hi

I may be wrong, but can someone help me interpret the results of this analysis correctly?

https://www.hybrid-analysis.com/sample/0a0238f85b8a559e8ab54f67920004db3a67a39bdbdbfa00075fd7d27e41dec4/672423b56b46e4feb006681d

See the Network Related section: Why does Simplex.apk have a hardcoded communication with

issuetracker.google.com

android.googlesource.com

developers.google.com

An app that is advertised as the most privacy-friendly?

All other indicators can (probably) be considered false positives (for example, the Camera permission, which is needed for video calls)

  • N0x0n@lemmy.ml
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    2 months ago

    I tried it with the official github .apk and same result. I have no idea what it means though maybe someone could chime in?

    Found potential URL in binary/memory:

    Except that they need something to make an android application (android SDK) and somehow to get issuetracker feedbacks, there’s nothing to worry about ? I guess? I don’t know.

    • Mettled@reddthat.com
      link
      fedilink
      English
      arrow-up
      3
      ·
      2 months ago

      I can’t speak to that with a familiar level with the code, I can only presume or guess. All I will say is that is why I never install any app from Github or Gitlabs, because there is no third party verification of the code for releases on those sites.

      I only use F-Droid after disabling all anti-features in Settings and then install apps that I know are 100% clean from all dependancies.

      Download the SimpleX apk from F-Droid website and then run that to see what it says for any difference in the results.

      • IronJumbo68@lemmy.worldOP
        link
        fedilink
        English
        arrow-up
        3
        ·
        2 months ago

        When installing from Github you only trust the developer and their signed certificate key.

        When installing from F-Droid you additionally also have to trust the F-Droid developer’s signature.

        Besides that F-droid has its own problems:

        https://privsec.dev/posts/android/f-droid-security-issues/

        I don’t use F-Droid. I use Obtainium and additionally check signatures in AppVerifier.

        https://sideofburritos.com/blog/obtainium-overview/

        • Mettled@reddthat.com
          link
          fedilink
          English
          arrow-up
          2
          ·
          2 months ago

          The link for F-Droid security issues is goijg on 3 years old, have you looked at the code xhanges for F-Droid since then?

          For using Obtainium, how do you avoid or block all apps from Github that depend on GCM, Firebase, or Google services? That’s wh I uae F-Droid and disable all anti-features so those apps are never listed, even if I search for an app that has Google dependancies, F-Droid will say that app does not exist or is not listed, as long as all anti-features is disabled.