Some period tracking apps will share your data. Stay safe, use one from @fdroidorg without Internet permission.

Possible options are:
drip (safest!)
Periodical
log28

All of these apps don't ask for internet permission and thus can't share your data. Drip goes the extra mile and explicitly opts out of Android's backup framework so your data won't be backed up on Google servers.

Please boost for those who need it!

@SylvieLorxu @fdroidorg

Periodical and log28 are in my exhibition in Berlin / Germany at @topio since August 2020

@malte @SylvieLorxu @fdroidorg
On their website, why does it say "previous version" under the F-Droid download link? Are they not updating the F-Droid package anymore? If that's the case then someone should let them know, the F-Droid version is very important for protecting people's privacy & freedom, F-Droid can even work on the Tor network to prevent ISPs from snooping on users' data.

@futureisfoss @malte @fdroidorg Looking through issues, they seem a bit understaffed, the Google Play release is also almost a year and a half old. Luckily, with an app that is fully offline, there is no real security concern with a lack of updates.

I am not completely sure what the exact issue is, but I found these related issues:

gitlab.com/fdroid/fdroiddata/-
gitlab.com/bloodyhealth/drip/-
gitlab.com/bloodyhealth/drip/-

@SylvieLorxu @fdroidorg I find this in general a good idea. However, if you do not keep your phone safe by encryption and having a good pin (at least), this might create a false sense of safety. LEOs do look at your phone whenever they can get a chance.

@andrej @fdroidorg Yup! And I believe they're allowed to force you to unlock the device with your finger, but not with your code (see androidauthority.com/open-sesa).

So yes, you should always use PIN unlock on your device. Good point!

@SylvieLorxu @fdroidorg @UlrikeHeiss On the one hand, I'm thrilled at how engaged you are; on the other, I'm ashamed to the bottom of my soul to belong to a species that still needs such debates in 2022.

Thank you. I’m gonna spread your hint.

@SylvieLorxu
Check my stream but I ran drip (from the play store) through Classy Shark and found no trackers.
@fdroidorg

@SylvieLorxu @fdroidorg The safest software is the one you don't install. :P

@SylvieLorxu @fdroidorg
Can you tell me more about this Android backup framework? I didn't know about it. So does this mean Google will back up all of my apps' data unless the app explicitly opts out of it?!

@futureisfoss @SylvieLorxu @fdroidorg Android backups are a system integration which allows a system backup to include app data. Great for backing up entire devices with one tap.

However, it can also mean sent to cloud if that's enabled, so you can disable it.

@inference @fdroidorg @SylvieLorxu Ah, thanks for explaining. Is this feature turned on by default or is it opt-in? I know a lot of people who use their Google account to back up their contacts and stuff, I hope that's different from this Android backup thing, because I don't think they want all their app data to be backed up.

@futureisfoss @fdroidorg @SylvieLorxu Android backup is system-level and integrates with Google accounts. However, it can be and is changed to different cloud services by different OEMs and their forks of Android (Samsung and Huawei come to mind).

I'm using GrapheneOS, which uses its own offline backup system (with optional Nextcloud uploads), so I can't test right now.

On by default? Yes if you choose yes at the phone setup screen.
Can be disabled later in phone settings.

@inference @fdroidorg @SylvieLorxu @futureisfoss To my knowledge this doesn't mean one has to entirely disable it (ALLOW_BACKUP:FALSE) but, at least with newer Android versions (11+?) the dev can decide to only allow D2D (device-to-device) but not D2C (device-to-cloud). That way backup systems like Seedvault (e.g. coming with LOS) can at least create local backups, while nothing goes to Google (or other clouds) by accident.

@IzzyOnDroid @fdroidorg @SylvieLorxu @futureisfoss I'm well aware. I didn't claim it was theirs. It's being replaced in GOS at some point, anyway.

@futureisfoss @fdroidorg It is, as most of the Android "syncing with Google" features, easily accidentally enabled without realizing. See support.google.com/android/ans for more information and details of how to turn it off.

Google offers 25MB of storage per app, for most apps that will be enough for literally all of its data. For example, in a note app, this would easily fit every single note you made. All apps are opted into this unless they explicitly opt out: developer.android.com/guide/to
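The two properties discussed in this thread (no internet permission, and an explicit opt-out of Android's backup framework) can both be read from an app's decoded `AndroidManifest.xml`. The following is an added example, not part of any post in the thread and not code from any of the apps named; `audit_manifest` is a hypothetical helper and both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace behind the android: prefix on manifest attributes.
ANDROID = "{http://schemas.android.com/apk/res/android}"

def audit_manifest(manifest_xml):
    """Report internet permission and backup opt-out (hypothetical helper)."""
    root = ET.fromstring(manifest_xml)
    perms = {
        el.get(ANDROID + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.iter(tag)
    }
    app = root.find("application")
    allow = app.get(ANDROID + "allowBackup") if app is not None else None
    # A missing attribute means the default, which is "true". Anything other
    # than the literal "false" (for example a @bool/ resource reference) is
    # counted as enabled, so the check fails closed.
    backup = allow is None or allow.strip().lower() != "false"
    internet = "android.permission.INTERNET" in perms
    return {
        "internet_permission": internet,
        "backup_enabled": backup,
        "no_internet_and_backup_opt_out": not internet and not backup,
    }

# Constructed sample: requests INTERNET and keeps the backup default.
SAMPLE_ONLINE = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.tracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Tracker"/>
</manifest>
"""

# Constructed sample: no permissions requested, backup explicitly disabled.
SAMPLE_OFFLINE = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.offline">
  <application android:label="Offline" android:allowBackup="false"/>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in (("online", SAMPLE_ONLINE), ("offline", SAMPLE_OFFLINE)):
        print(name, audit_manifest(xml))
```

The input is the text-form manifest; the binary manifest inside an APK has to be decoded first.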

@SylvieLorxu @fdroidorg This backup thing is very concerning, it should only be backing up the data of apps that request it, that's the right way to do it.

@futureisfoss @fdroidorg As is typical of Google, they went full in on convenience without caring about privacy. And because this is the default, users are used to their settings and data being restored when they switch to a new phone and will get upset if an app doesn't do that (because it opted out). They've created a "doomed if you do, doomed if you don't" scenario and didn't create proper libraries for apps to ask the user what they want.

TL;DR (updated): If you use Android older than version 9 "Pie", Google can get access to your app data through cloud backups, even if the app itself shares nothing with Google. There's also the possibility that Google could be lying about their encryption. #privacy

@SylvieLorxu @futureisfoss @fdroidorg

@samgai
Because this thread was broken I'm adding this post back to the thread as you suggested-

Think, unless you're using a real old device, Google's app data backups are all now end to end encrypted and have been for a few years
security.googleblog.com/2018/1

So with these kind of cycle tracking apps on Android the concern is likely more if they have network permission & directly collect your data. @SylvieLorxu @futureisfoss @fdroidorg

@dazinism @samgai @futureisfoss @fdroidorg Important note though: "This decryption key is encrypted using the user's lockscreen PIN/pattern/passcode"

So, it is important people use Android lock screens!

And even though theoretically your data should indeed be pretty safe, it is still good to be aware it leaves your device as you can never know 100% surely if things on someone else's system are as promised.

@SylvieLorxu can you please list some examples of what apps sharing what data? I'm compiling a list of examples for a seminar about the importance of privacy and risks of unregulated data collection.

@Krash Well, this toot was a response to vice.com/en/article/y3pgvg/the

However, this is not the first time such a thing happens. See also wired.com/story/your-digital-t for example, where user data from the app Muslim Pro was sold to US government agencies.

While it doesn't tell you which data is collected and sold, @exodus has an amazing list of which popular third-party trackers are in which apps.

@SylvieLorxu @exodus thanks for letting me know. Was familiar with those other incidents, but the period tracker app might be of particular interest to the group I'm giving a talk to.

@SylvieLorxu @fdroidorg do the other apps simply back up the data or what? What's so bad about it having internet connection?

@jordan31 @fdroidorg They use Android's backup framework which uploads data to Google yes (although that should be encrypted).

And the problem with apps having internet access is that they can share your data (without you knowing, because let's be honest, nobody reads all the terms and conditions and they're purposefully written to be hard to read). Given abortion is now illegal in many parts of the US, stuff like this is dangerous: vice.com/en/article/y3pgvg/the

@SylvieLorxu @fdroidorg I fail to see how abortion falls into this. Is this what they call gaslighting?
