submitted 2 days ago by harfang@slrpnk.net to c/opensource@lemmy.ml

Hello,

I downloaded SchildiChat to access Matrix as their UI is more convenient than Element. Exodus and TC slim however found "Google Admob" within the app.

As you can see on the screenshot. I asked developers about it, and they told me there's no trackers on the app.

Who's right, who's wrong?

Thanks

[-] deadcade@lemmy.deadca.de 70 points 2 days ago

The version from their F-Droid repo, SchildiChat[f], has no Google libraries. The version from the Play Store includes proprietary blobs to support Firebase Cloud Messaging (Google's notification system). Exodus may be misidentifying this as "Google Admob", which is not present in the app.

[-] harfang@slrpnk.net 3 points 1 day ago

I got it from F-Droid, that's why. So confusing.

[-] Ghoelian@piefed.social 8 points 2 days ago

The F-Droid version also supports FCM, which I was a bit surprised by.

[-] harfang@slrpnk.net 1 points 1 day ago
[-] Ghoelian@piefed.social 3 points 23 hours ago

Firebase Cloud Messaging

[-] Rikj000@discuss.tchncs.de 19 points 2 days ago

You can install ClassyShark3xodus,
which can de-compile apps and scan them for trackers on the fly to figure it out yourself.

Do let us know the results :)

[-] redti@lemmy.zip 2 points 2 days ago

Exodus brings up false positives

[-] redti@lemmy.zip 6 points 2 days ago

I can confirm that SchildiChat from F-Droid contains 2 Google trackers after analysis:

603 tested signatures on 67125 classes (40361329)

Google AdMob Sentry

*Google AdMob 9 com.google.ads.

*Sentry 698 io.sentry.

file:///data/app/~~Opb2slJC07NYLm9e2C2ikw%3D%3D/de.spiritcroc.riotx-uWSIGBd1PzyWdDEl86q5NA%3D%3D/base.apk

MD5sum: 55da2edbc904165755632ae132f30ed5 SHA1sum: ed27b82c54dd62315c6a46935af66e4666549a3d SHA256sum: de365d9e2d8e3fa08b1501a0079a95cd0b37fee6186dbd9eba2a4c22d7268473

CN=FDroid,OU=FDroid,O=fdroid.org,L=ORG,ST=ORG,C=UK

SHA256withRSA

CERTIFICATE fingerprints: md5: c78350850dd5f3421f36d7cfbe0927bc sha1: 63ec0e3261dc3be0469bc68955bf58c0684ba52d sha256: 5d473a5169ef71aedcbca1da511210bab4aaff278c5ef785760df882954b1a99
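
A sketch of the kind of class-name prefix matching that the report above reflects ("tested signatures on ... classes"), as an added example; it is not code from Exodus, ClassyShark3xodus, or this thread. It assumes a signature is simply a package prefix and counts only classes the DEX files define; `sample_apk` builds a constructed stand-in APK with hypothetical class names. A hit says a class with that name prefix exists in the APK, nothing about what the class does.

```python
import io, struct, zipfile

# Class-name prefixes exactly as printed in the scan report quoted above.
SIGNATURES = {"Google AdMob": "com.google.ads.", "Sentry": "io.sentry."}

def dex_classes(dex):
    """Dotted names of the classes a DEX file defines (its class_defs table)."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    str_ids, _, type_ids = struct.unpack_from("<III", dex, 0x3C)  # table offsets
    count, defs = struct.unpack_from("<II", dex, 0x60)            # class_defs size, offset
    names = []
    for i in range(count):
        type_idx, = struct.unpack_from("<I", dex, defs + 32 * i)  # class_def_item.class_idx
        desc_idx, = struct.unpack_from("<I", dex, type_ids + 4 * type_idx)
        pos, = struct.unpack_from("<I", dex, str_ids + 4 * desc_idx)
        while dex[pos] & 0x80:                       # skip the ULEB128 length prefix
            pos += 1
        raw = dex[pos + 1:dex.index(b"\0", pos + 1)]  # descriptor, e.g. "Lcom/example/Foo;"
        names.append(raw[1:-1].decode("utf-8", "replace").replace("/", "."))
    return names

def scan_apk(apk):
    """Per-signature count of defined classes over every classes*.dex in an APK."""
    hits = dict.fromkeys(SIGNATURES, 0)
    with zipfile.ZipFile(apk) as z:
        for entry in z.namelist():
            if entry.startswith("classes") and entry.endswith(".dex"):
                for cls in dex_classes(z.read(entry)):
                    for tracker, prefix in SIGNATURES.items():
                        hits[tracker] += cls.startswith(prefix)
    return hits

def sample_apk(descriptors):
    """Constructed stand-in APK: one table-only classes.dex, not a real app."""
    n = len(descriptors)
    strings = [bytes([len(d)]) + d.encode() + b"\0" for d in descriptors]
    data_off = 0x70 + 40 * n                         # header plus the three tables
    head = bytearray(b"dex\n035\0".ljust(0x70, b"\0"))
    for off, val in ((0x38, 0x70), (0x40, 0x70 + 4 * n), (0x60, 0x70 + 8 * n)):
        struct.pack_into("<II", head, off, n, val)   # (size, offset) header pairs
    body = b"".join(struct.pack("<I", data_off + sum(map(len, strings[:i]))) for i in range(n))
    body += b"".join(struct.pack("<I", i) for i in range(n))               # type_ids
    body += b"".join(struct.pack("<I", i) + bytes(28) for i in range(n))   # class_defs
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", bytes(head) + body + b"".join(strings))
    return buf
```

`scan_apk` also accepts a path to an APK on disk, so the same count can be run against two builds of one app and compared.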

[-] redti@lemmy.zip 5 points 2 days ago

It's a bit confusing because F-Droid ships the SchildiChat version with Google trackers without saying it. One has to add the Schildi repo to F-Droid and download the FOSS version: https://s2.spiritcroc.de/fdroid/repo/?fingerprint=6612ade7e93174a589cf5ba26ed3ab28231a789640546c8f30375ef045bc9242

[-] harfang@slrpnk.net 1 points 1 day ago

How is it possible that I depend on the source?

[-] redti@lemmy.zip 4 points 2 days ago* (last edited 2 days ago)

https://gitlab.com/fdroid/fdroiddata/-/issues/3717

Opened an issue about it

Closed this issue, false positives from Exodus.

[-] harfang@slrpnk.net 1 points 1 day ago

Thank you very much. 🙏🏼

[-] redti@lemmy.zip 3 points 2 days ago* (last edited 2 days ago)

Well, according to the dev, these might be false positives. Adding to the confusion. And indeed they are. The source code doesn't have them.

[-] harfang@slrpnk.net 1 points 1 day ago

So how are we sure it does not contain any tracker?

[-] uxellodunum@lemmy.ml 2 points 2 days ago

Use Obtainium or Zapstore to get the non-Google and non-F-Droid .apk, as those contain trackers for the notification system to work.

[-] parale@mastodon.social 0 points 1 day ago

@uxellodunum @harfang so is Obtainium better than F-Droid or Aurora Store? Like, just for updates?

[-] uxellodunum@lemmy.ml 1 points 40 minutes ago

Sure. Obtainium (and Zapstore) go directly to the GitHub page to fetch from the source. F-Droid has builds that follow certain strict rules, and so they sometimes have changes. Aurora Store is just a proxy for the Google Play Store.

[-] harfang@slrpnk.net 1 points 1 day ago

Those are alternative stores?

[-] uxellodunum@lemmy.ml 1 points 42 minutes ago

Indeed. They offer up the original .apks from their respective GitHub sources, so generally don't include trackers etc. as you'd find on the Google store versions, or even F-Droid at times.

[-] Catalyst_A@lemmygrad.ml 2 points 1 day ago

Obtainium is an app where you enter webpage links to GitHub repositories. It's easy. It's just simple copy and paste. Then it downloads and installs it for you while constantly checking for new versions just like an app store. It's great for apps not on F-Droid.

this post was submitted on 12 Dec 2025
53 points (98.2% liked)