I found two trackers in Ente Auth using the Exodus Privacy app and I need an explanation, because the reason I used it instead of Aegis is Henry’s recommendation.
Either no one else has found the super scary butt probe trackers in this open source, relatively popular app OR it’s yet another false positive from “Exodus”
I know what my bet’s on.
Trackers aren’t necessarily all bad, and that doesn’t mean anything; it can be a tracker to monitor application crashes, for example.
Ente Auth is open source, has a good confidentiality policy and above all the old community.
Google and Meta applications have very few trackers and that doesn’t stop it from being a company that tracks absolutely everything.
Do they have that many false positives? In which case I guess it’s not the most trustworthy source.
Exodus simply scans whether a known tracker library is included in the package. It says nothing about how that tracker is used, or whether it is used at all.
For example, Tor Browser on mobile contains two known trackers. These libraries are disabled instead of removed, as removing them would increase the maintenance of the fork. Yet Exodus lists Tor Browser as containing two trackers.
Exodus can be informative, but take it with a grain of salt :).
This is a common practice I see amongst these node developers. Taking in all shit from all kinds of packages and bloating the hell out of it. It is so wasteful in terms of data usage and just increases attack vector. It is a bad practice that somehow has been accepted these days. Include all.
If they already know what the trackers are, why can’t they just delete the code?
They could, but often it is not as easy, as it comes from the packages and libraries used, which on their end also include (and often require) them. If a developer wants to rely on those packages maintained by others, they will have to accept that or patch them, which is what makes it require more maintenance, as @Niek-de-Wilde pointed out.
In the case of Fennec and Tor Browser, iirc, it was because, as they are both forks of Firefox, removing them would increase maintenance as they differ further from upstream (Firefox).
I would not know if this is the case with Ente, but I was just pointing out that including the libraries does not mean you are actually getting tracked per se, which is why you should take that part of Exodus with a grain of salt.
Maybe @vishnukvmd can point out their use?
Thx
Huawei Mobile Services?
Either this is a mistake by Exodus, because they might have scanned a Huawei store version (Huawei adds its SDKs to all apps in its stores), or I would like an explanation from Ente. HMS is fine for Huawei phones but I wouldn’t want it on other builds as it increases attack surface.
This is not a mistake by Exodus, but this is a false alarm – there are no privacy implications.
Auth v4.2.4 introduced a dependency on the scan Flutter package that indirectly depends on HMS to scan QR codes from your local gallery. We were aware of the indirect dependency, and the feature was blocked behind a feature-flag and never made available to the public.
Any calls to HMS servers for instrumentation happen when the feature is used, and since the feature is not available to the public, there is no data leakage.
The dependency will be removed in the next update.
Related thread on Ente’s Discord.
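
The kind of check discussed in this thread, as an added example that is not part of the thread and is not Exodus's or Ente's code: it flags a library purely by class-name pattern (so a disabled feature still produces a hit), then traces which direct dependency bundles the flagged classes. The pattern, class list, dependency graph and the artifact name `hms-sdk-placeholder` are constructed, and matching on class names is an assumption about how such a scanner works.

```python
import re
from collections import deque
# Constructed pattern in the style of a presence scanner (not Exodus's own data).
SIGNATURES = {"Huawei Mobile Services": re.compile(r"^com\.huawei\.hms\.")}
# Constructed sample: class descriptors as listed from an app package.
CLASSES = [
    "Lcom/example/app/MainActivity;",
    "Lcom/example/qr/ScanPlugin;",
    "Lcom/huawei/hms/example/GalleryScanner;",
    "Lcom/huawei/hms/example/GalleryScanner;",  # duplicate entry
]
# Constructed graph; "scan" is the package named in the thread, the HMS artifact name is made up.
DEPENDENCIES = {"app": ["http", "scan"], "scan": ["hms-sdk-placeholder"]}
OWNERS = {"com.huawei.hms.": "hms-sdk-placeholder"}  # artifact shipping each prefix (constructed)

def dotted(descriptor):
    """Turn the descriptor 'Lcom/a/B;' into the class name 'com.a.B'."""
    body = descriptor[1:-1] if descriptor[:1] == "L" and descriptor[-1:] == ";" else descriptor
    return body.replace("/", ".")

def scan(classes):
    """Report trackers whose pattern matches any bundled class: presence only, not use."""
    hits = {}
    for name in sorted({dotted(c) for c in classes}):
        for tracker, pattern in SIGNATURES.items():
            if pattern.search(name):
                hits.setdefault(tracker, []).append(name)
    return hits

def dependency_path(graph, root, target):
    """Breadth-first search for the shortest dependency chain from root to target."""
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for dep in graph.get(path[-1], []):
            if dep not in seen:
                seen.add(dep)
                queue.append(path + [dep])
    return None

def explain(classes, graph, owners):
    """Map each flagged tracker to the dependency chains that bundle its classes."""
    report = {}
    for tracker, names in scan(classes).items():
        arts = sorted({a for p, a in owners.items() if any(n.startswith(p) for n in names)})
        report[tracker] = [dependency_path(graph, "app", a) for a in arts]
    return report
```

`explain(CLASSES, DEPENDENCIES, OWNERS)` returns the chain `app -> scan -> hms-sdk-placeholder`, which is the question to put to a maintainer when a scanner flags a library the app never calls directly.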