A new Free and Open-Source project called "Exodus" scans Android apps and has already found many advertising trackers:
"Researchers at Yale Privacy Lab and French nonprofit Exodus Privacy have documented the proliferation of tracking software on smartphones, finding that weather, flashlight, rideshare, and dating apps, among others, are infested with dozens of different types of trackers collecting vast amounts of information to better target advertising.
Exodus security researchers identified 44 trackers in more than 300 apps for Google's Android smartphone operating system. The apps, collectively, have been downloaded billions of times. Yale Privacy Lab, within the university's law school, is working to replicate the Exodus findings and has already released reports on 25 of the trackers.
Yale Privacy Lab researchers have only been able to analyze Android apps, but believe many of the trackers also exist on iOS, since companies often distribute for both platforms. To find trackers, the Exodus researchers built a custom auditing platform for Android apps, which searched through the apps for digital "signatures" distilled from known trackers. A signature might be a tell-tale set of keywords or string of bytes found in an app file, or a mathematically-derived "hash" summary of the file itself.
The findings underscore the pervasiveness of tracking despite a permissions system on Android that supposedly puts users in control of their own data. They also highlight how a large and varied set of firms are working to enable tracking."
The statement by Yale Privacy Lab summarizes the situation, and the story has seen coverage by Cory Doctorow and Le Monde. Private search engine Qwant has removed trackers in its app and Protonmail is under fire.
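Added example (not from the article and not the Exodus project's code): a small Python scanner for the three signature kinds the quoted text describes, namely a keyword set, a byte string, and a hash of a whole file. The tracker names, signatures and the sample archive are constructed for illustration.

```python
import hashlib
import io
import zipfile

# All names and signatures below are constructed for illustration;
# none come from Exodus or from a real tracker SDK.
NATIVE_BLOB = b"\x7fELF constructed native tracker library"
BYTE_SIGNATURES = {
    # A byte string: a class path as it is stored in a DEX string table.
    "ExampleAds": [b"Lcom/example/adsdk/"],
    # A keyword set: every keyword must occur in the same file.
    "ExampleMetrics": [b"examplemetrics", b"collect_device_id"],
}
# A hash signature: SHA-256 of a whole file mapped to a tracker name.
HASH_SIGNATURES = {hashlib.sha256(NATIVE_BLOB).hexdigest(): "ExampleNativeSDK"}


def scan_apk(apk_bytes, byte_sigs, hash_sigs):
    """Return {tracker name: sorted list of archive members that matched}."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:  # an APK is a ZIP archive
        for info in apk.infolist():
            if info.is_dir():
                continue
            data = apk.read(info)  # decompressed member contents
            digest = hashlib.sha256(data).hexdigest()
            if digest in hash_sigs:
                hits.setdefault(hash_sigs[digest], set()).add(info.filename)
            for tracker, keywords in byte_sigs.items():
                if all(k in data for k in keywords):
                    hits.setdefault(tracker, set()).add(info.filename)
    return {name: sorted(files) for name, files in hits.items()}


def build_sample_apk():
    """Build a constructed in-memory archive standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", b"dex\n035\x00Lcom/example/adsdk/Banner;Lcom/example/app/Main;")
        z.writestr("lib/armeabi-v7a/libtrack.so", NATIVE_BLOB)
        # Only one of the two ExampleMetrics keywords: must not match.
        z.writestr("assets/config.json", b'{"vendor": "examplemetrics"}')
    return buf.getvalue()


if __name__ == "__main__":
    for tracker, files in scan_apk(build_sample_apk(), BYTE_SIGNATURES, HASH_SIGNATURES).items():
        print(tracker, files)
```

A byte-string signature still matches after the SDK is recompiled but not after an obfuscator renames its classes, while a hash signature matches only a byte-identical file.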
(Score: 4, Informative) by seandiggity on Monday November 27 2017, @12:44AM (1 child)
Short version: Almost all of the trackers are proprietary/non-free and therefore won't be in F-Droid. We need to do some analysis and digging to see if there are FOSS-y trackers finding their way over to F-Droid.
Long version:
The vast majority of these trackers are shipped as proprietary or partially-proprietary code, with third-party repositories/dependencies added to the app's build config via an IDE like Android Studio or Eclipse. At build time, binary blobs are often added to the app's APK package. So, F-Droid builds (at least with default repos) will not have the vast majority of these trackers simply by the requirement of Free and Open-Source Software. We've been recommending F-Droid in press for that reason. Devs who ship to both Google Play and F-Droid may have these tracker SDKs (and other "features" like advertising) in the Google Play version, but will (always?) strip them out for the F-Droid version of the APK.
That said, there are some FOSS trackers, and F-Droid does list tracking "anti-features" [f-droid.org]. We haven't compared our work with what they consider trackers, yet, and our definition of what is privacy-respecting and what isn't may also differ (unlikely, but who knows).
(Score: 3, Interesting) by seandiggity on Monday November 27 2017, @01:26AM
There is also a shorter answer which is "No but we will" :P