this post was submitted on 01 Nov 2024
12 points (100.0% liked)

SimpleX Chat

Hi

I may be wrong, but can someone help me interpret the results of this analysis correctly?

https://www.hybrid-analysis.com/sample/0a0238f85b8a559e8ab54f67920004db3a67a39bdbdbfa00075fd7d27e41dec4/672423b56b46e4feb006681d

See the Network Related section: Why does Simplex.apk have a hardcoded communication with

issuetracker.google.com

android.googlesource.com

developers.google.com

An app that is advertised as the most privacy-friendly?

All other indicators can (probably) be considered false positives (for example, the Camera permission, which is needed for video calls)

[–] [email protected] 1 points 2 weeks ago (6 children)

For using Obtainium, how do you avoid or block all apps from Github that depend on GCM, Firebase, or Google services?

You do have a point though, but how does that even come into the mix? Obtainium fetches directly from the source (api.github.com).

But to answer your question, it's blocked at the DNS level with RethinkDNS. Blocking all requests, except those explicitly allowed by myself.

This seems more like hardcoded into the .APK or that we can't correctly interpret the results or something is wrong in the analysis. And I'm also curious to get more info from someone.

[–] [email protected] 1 points 2 weeks ago (5 children)

I would still like for you to do a scan on the FDroid SimpleX apk to verify the difference for yourself instead of whatever I say about it.

[–] [email protected] 1 points 2 weeks ago (4 children)

Hello!

Version 6.1.1 (250) arm64-v8a https://f-droid.org/en/packages/chat.simplex.app/ https://f-droid.org/repo/chat.simplex.app_250.apk

Here's the analysis: https://www.hybrid-analysis.com/sample/9b14b4f80b479a7eb2a5e9fb22ad3f5d547690f4e30da6b5c6f0e9ed8d4039da/672727b3fd3db6063b002513

Same exact result:

  • Pattern match: "https://android.googlesource.com/toolchain/llvm-project"
  • Pattern match: "https://developers.google.com/protocol-buffers///"
  • Pattern match: "https://issuetracker.google.com/issues/new?component=618491&template=1257717"

Dunno if this is something we should worry about or not? Maybe OP and myself are not educated enough to interpret the results, however I'm also not very comfortable seeing those "Found potential URL in binary/memory" from SimpleX's APK. Do you have any further thoughts?

Thanks.
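
Added example, not part of the thread and not SimpleX code: a "Pattern match" on a URL only says the string occurs somewhere in the APK, so a useful next step is to list which archive entry carries each string. The sketch below does that for any APK (it is a ZIP file); the sample archive, its entry names and contents are constructed for the demo.

```python
import io
import re
import zipfile
from collections import defaultdict

# Printable-ASCII URL pattern applied to raw bytes, similar in spirit to a
# scanner's "potential URL in binary" string match.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]{4,}")


def urls_by_entry(apk_bytes):
    """Map each URL string found in an APK (ZIP) to the entries containing it."""
    found = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            data = apk.read(info)  # decompressed entry contents
            for m in URL_RE.finditer(data):
                found[m.group().decode("ascii")].add(info.filename)
    return {url: sorted(names) for url, names in found.items()}


def hosts(report):
    """Collapse the per-URL report to host -> entries, for a quick overview."""
    out = defaultdict(set)
    for url, names in report.items():
        out[url.split("/")[2]].update(names)
    return {h: sorted(n) for h, n in out.items()}


def build_sample_apk():
    """Constructed stand-in for an APK; entry names and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("lib/arm64-v8a/libsample.so",
                   b"\x7fELF\x00built with (https://android.googlesource.com/toolchain/llvm-project)\x00")
        z.writestr("classes.dex",
                   b"dex\n035\x00see https://developers.google.com/protocol-buffers/ for details\x00")
        z.writestr("res/raw/notes.txt", b"no links here")
    return buf.getvalue()


if __name__ == "__main__":
    for url, names in urls_by_entry(build_sample_apk()).items():
        print(url, "->", ", ".join(names))
```

For a downloaded file, pass `open(path, "rb").read()` to `urls_by_entry`. A string located in an entry shows where it was embedded, not that the app ever connects to that host; that needs a traffic capture or DNS log from the running app.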

[–] [email protected] 2 points 2 weeks ago

I hope @[email protected] will dispel our doubts or a member of the Simplex.chat team :(
