>I would love to use this, but I don't want to allow a third party app with closed source to read all my notifications. This can read OTP passwords, full messages, etc. so it must be open source for me to consider it.
The app lacks the INTERNET permission so it can't really exfiltrate data even if it wanted to.
This is correct, but it is still a slippery slope. At some point the dev ends up adding internet permission (might be for legit reasons too), and lo and behold you are sharing your data. For something as sensitive as notifications, I really can't trust anything but open-source app which is vetted by a few seasoned people and hosted on F-droid.
Related, GrapheneOS has a handy feature to disable network access for individual apps.
Also non-GrapheneOS Android. I'm on CrDroid (Android 16), ans if I go into "Settings -> Apps -> Some App -> Mobile data usage", there's a toggle for "Allow internet access", and a few more to control network access on Wi-Fi, cellular, background, and VPN.
If the permission is added in retrospect wouldn’t you still need to opt in?
fwiw i completely agree that oss is the way to go here
The "Internet" permission on Android is one of the no-approval ones. If it gets added, you won't notice.
I’m interested in what you’re suggesting. Who are those auditors you trust? Does f-droid imply things have been audited?
f-droid implies
* that the application is source-available;
* toolchain used to build the app is FOSS - application does not use Play Services, or proprietary tracking/analytics, or proprietary ad libraries.
* application toolchain doesn't depend on "binary blobs";
Not even passing the sniff test on those easy to meet requirements is suspicious.
Would a safe alternative (albeit annoying to update) be to side load the apk for the purpose of eliminating the possibility of auto updates brought on by an app store?
That's another pet peeve of mine: Why the hell can't we block internet access for apps in (native) Android? Everything else is a permission, but this is not, somehow.
Maybe Google doesn't want users blocking ads from getting loaded.
ADs work via play services so even if you block internet for the app the ADs will continue to work.
The reason many apps stop showing ADs when their internet is blocked is because they need to make an API call to their own servers before running the AD. That is the common behavior but not mandatory
Wait, we can in Android. In my OnePlus 12 in the app settings under "data usage" there are two toggles for "disable mobile data" / "disable wifi"
Not present with a Pixel with Android 16, my effective choices are:
1. App can't use mobile data in background
2. App can use mobile data in background except in Data Saver mode
3. App can use mobile data in background regardless of Data Saver mode
____
For anyone doing comparisons, the literal settings appear under "Mobile Data Usage" as:
* [X] Background Data ("Enable usage of mobile data in the background")
* [ ] Unrestricted mobile data usage ("Allow unrestricted mobile data access when Data Saver is on")
You mean Google-Android.
Wow, thought it was GrapheneOS only, but no.
Confirmed these settings on One+15 on OOS16 (based on Android 16).
Is it also the case for other Android brands?
P.S. I did use it before to turn off ads.
Google's Pixel phones (near stock Android) famously do NOT have the option.
Google is invested into you having WiFi all the time.
Weirdly, my very old Nexus 6P with the WiFi off, could lie untouched for weeks, with almost no battery depletion. Yet if I turn the WiFi on with near stock Android (meaning no messengers, tens of email accounts, etc, to constantly ping _something_), it just eats the battery within 24 hours tops. Perhaps that’s just the module itself, but I remember flashing LineageOS and having better savings. I have no real numbers to support that right now, although I still have the phone lying around somewhere and could test this some day.
Modern Google Android will use neighbouring WiFi networks to guesstimate your location quickly, so it's scanning even when the toggle says "off" unless you disable it. This location can be queried in the background when nearby devices broadcast the equivalent to Apple's "find my" network broadcasts, because Google uses collected reports of beacons+location to roughly locate tags and such. Opting out of all of that stuff should massively improve standby battery time.
I've also noticed the difference between vendor+custom ROM with a Xiaomi device, which I use as a second phone around the house for controlling smart lights and such. The biggest difference there seems to be that I don't have as many apps installed and as many features enabled, because during active use and shortly after, the battery drains just as fast as (actually a bit faster than) when using the original ROM.
Many custom ROMs (at least the LineageOS-based ones) also don't do thing like configure the country code for the WiFi chip and GPS caches. A large part of the 5GHz spectrum simply doesn't exist (by default) on my custom ROM devices so there's just less to scan in the background.
I believe this has been part of LineageOS since before it was called LineageOS. Most custom ROMs have some kind of internet filtering capability.
Some Chinese/Taiwanese brands do it too, but most western brands don't seem to include a firewall.
Xiaomi phones also have it but you can block Wi-Fi only for user (non system) apps. However you can block mobile data access to all apps.
None of the Samsungs I have owned so far had this feature and neither did my last Pixel.
I have an S25 Ultra with the latest version of Android, and these options don't seem to be there at all. I don't have a "data usage" under Permissions for any apps. I do have a Mobile Data section under App Info for any given app, but there's no way to toggle the options you mentioned.
You can on some devices (many Chinese brands, funnily enough) and on custom ROMs.
There are also (open source) firewall apps that will let you block (non-system) apps if you're on a stock ROM like me.
Technically, this is a permission, just not a user-grantable one. Google has moved quite a few permissions from inherent to user-grantable, but most apps don't work without internet (unfortunately) so I doubt they will do it for the internet permission in stock android.
It is a permission that app can get without asking the user
Lacking INTERNET permission today does not guarantee that the app will never have that permission. The internet permission is considered a "normal" permission by android so it will be auto granted without even a notification to the user.
Moreover an app without internet permission can still send data out using "INTENTS" for other apps in Android. This can make an app dangerous even without internet permission.
I was excited about the application and was dissapointed to see that it was closed source. I will absolutely not trust anyone that I cannot sue with this data. Big companies at least follow some standards that are enforced by multiple governments here we know nothing.
It's hard to rule out intentional side channels without access to source.
Do you mean a no-internet app (like this) could write data locally in a way that another internet-enabled app (in cahoots) could locally receive? Like a non-sandboxed storage area? Seems plausible.
Meta literally got caught doing this.
Writing to a local server, and then uploading from the browser to bypass consent mechanisms.
https://wire.com/en/blog/metas-stealth-tracking-another-eu-w...
yes that and internet permission can be added later and pushed with an update. Unless you are checking permissions after every update you will not know.
Is that actually required? I thought that was implicit
It's automatically granted but the app needs to declare it in order to access internet. Because of that it's not enough that the app _currently_ doesn't request internet permissions, because if it ever starts, it would be mostly transparent to a user
Yes. Without the permission all network requests will just fail.
You can silently add the permission in an update though. It's safe if you don't auto-update it I guess.
Not alone,
but it could prepare a tidy little package for something else to grab later.