this post was submitted on 01 Nov 2024
12 points (92.9% liked)

SimpleX Chat

355 readers
1 users here now

Community of SimpleX Chat users – managed by the team.

SimpleX Chat is the first chat platform that is 100% private by design – it has no user identifiers of any kind and no access to your connections graph – it's a more private design than any alternative we know of.

Please ask any questions and make feature suggestions. Your ideas and criticism are very welcome!

https://github.com/simplex-chat/simplex-chat

founded 2 years ago
MODERATORS
[email protected]
12
Why is Simplex calling to Google? (self.simplex)
submitted 3 months ago by IronJumbo to c/[email protected]
17 comments fedilink hide all child comments
 

Hi

I may be wrong, but can someone help me interpret the results of this analysis correctly?

https://www.hybrid-analysis.com/sample/0a0238f85b8a559e8ab54f67920004db3a67a39bdbdbfa00075fd7d27e41dec4/672423b56b46e4feb006681d

See the Network Related section: Why does Simplex.apk have a hardcoded communication with

issuetracker.google.com

android.googlesource.com

developers.google.com

An app that is advertised as the most privacy-friendly?

All other indicators can (probably) be considered false positives (for example, the Camera permission, which is needed for video calls)

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 3 points 3 weeks ago (1 children)

These URIs are the references to technical documentation in Google Android site - they are used in error messages by various libraries.

The presence of the URI in code does not mean that the app communicates with this URI.

On the opposite, the absence of the URI in code does not prove that the app does not communicate with any given URI - the URIs can be obfuscated in many ways.

So this scanning technique to discover potential attacks is completely inefficient, and it creates unnecessary work of removing URIs from code, but achieves absolutely nothing to prevent the actual network connection - any malicious app can hide them and make them invisible to the scanning.

Another example would be simplex.chat domain. While the app contains it in code, the app never communicates with this domain, and it is only used to namespace the links and to allow showing QR code for people who don't have the app.

You cannot establish what URIs any given app communicates with by scanning its code - you need to proxy all traffic and monitor all connections that the app makes.

[–] IronJumbo 2 points 3 weeks ago

Thanks Evgeny for your explanation and time (I'm sure we all appreciate it). But you didn't say directly and specifically - does the app make these connections to Google servers?