Hi

I may be wrong, but can someone help me interpret the results of this analysis correctly?

https://www.hybrid-analysis.com/sample/0a0238f85b8a559e8ab54f67920004db3a67a39bdbdbfa00075fd7d27e41dec4/672423b56b46e4feb006681d

See the Network Related section: Why does Simplex.apk have a hardcoded communication with

issuetracker.google.com

android.googlesource.com

developers.google.com

An app that is advertised as the most privacy-friendly?

All other indicators can (probably) be considered false positives (for example, the Camera permission, which is needed for video calls)

  • Mettled@reddthat.com
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    20 days ago

    In the details for potential URL in memory, it says that’s for .onion address.

    Thank you for posting the report, after I read through it, everything to me is clean and clear. The FDroid apk does not communicate with any outside resource that is not part of the anonymous network.

    The Github version relies on Google, and to me nothing in the report suggeats that the FDroid version communicates with Google services.

    • IronJumbo68@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      19 days ago

      It’s not about whether the application communicates with these addresses or not. It’s about the fundamental question: why are these addresses even encoded in the code of a VERY privacy-sensitive application?

      My friend, in every answer you push F-Droid as a cure for all evil. There is no perfect store, F-Droid also has its problems (I wrote about it above). I am not an enemy of F-Droid (I also use it sometimes), but I will repeat: F-Droid control is insufficient (it’s security theater - it’s not a full audit of the source code).

      • Mettled@reddthat.com
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        2
        ·
        19 days ago

        I think I can agree with the crux of your statement, the problem I see completely outside of your argument is the online privacy community is both highly toxic and highly ignorant. Most of them have never worked in IT or as an admin and have to work with customers according to what the customer is paying for and not what someone believes is a better way but the paying customer has no interest in learning, so they spout their opinions online but have never had formal employment in network security and privacy for a company.