When were the apps code last checked?

[Isaacson33]

Forgive me if this is a silly question, I've little expertise in these things. I used SimpleMobileTools apps for years, they were streets ahead of the competition, and, like others, I was disappointed to find they'd been sold, then delighted to find them back in the open source realm (thanks so much!).

Given that my trust in the project was, to say the least, a little damaged by the sale - has anyone checked the code since the transfer?

I know that the security of open source is pretty much dependant on good people such as yourselves all keeping an eye on the code to make sure it has nothing untoward in it, and non-code-savvy users such as myself have to just trust you. I had no problem with that trust until recently...

Having the main author happily sell the user-base, I'm now far less trusting that his code is safe, and I don't have the skills to check it myself.

So basically, I wanted to start that trust process again with the new team. Do you vouch for this code in these versions, it's not just blindly copied from the old versions assuming it's fine, have people checked the privacy claims previously made for these apps are actually sound?

[Aga-C]

I don't know if any full audit of the code has been done, but from what I know:

• Code in SMT GitHub wasn't updated since the sale, and in the latest commits I haven't seen any suspicious code.
• F-Droid and IzzyOnDroid have their quality checks in terms of finding any anti-features. As an example, we've already removed one Google dependency from Gallery, which was discovered by IzzyOnDroid.
• Also, to be GPL-compliant, we've removed the advanced editor from Gallery.
• Apps undergo a bit of refactorings and updating before each release. That's why we still don't have all of them released, even on GitHub.
• We've forked all libraries that were already forked by Tibor, to not use his forks. In those forks, we've removed a few things related to SMT's security.

[Aga-C]

@inson1 But we removed that lock from our forks, and we don't care whether what Tibor did was good. See e.g. here: FossifyOrg/subsampling-scale-image-view@9c43e61.

[inson1]

@Aga-C I know it was removed

[dp35654]

Is it safe to remove every Simple Mobile Tools app? Looks like everything transfered perfectly with you're file's, Gallery, Phone, Contacts and Calendar which was acting up before and I don't seem to have 471 extra contacts, only thing that concerns me is it shows up in grey like a system app but it says installed by Chrome and I defiantly didn't use the play store, is this normal as I believe it's a part of Chrome code? If I'm wrong please understand I don't even know what code looks like.

[inson1]

@dp35654 Why shoudnt be it safe? But not all apps are yet released. Stock android shows app source?

[LucaMkIII]

@dp35654 It shows up gray because it wasn't installed by Google Play. It has nothing to do with whether it's a system app or not.

I use a different browser, but after I download an .apk, if I press the browser's download notification, my phone says "App installed from" my browser. If I instead install the app by opening the .apk in File Manager (which prompts it to install), it says "App installed from File Manager". Or if I get an app through F-Droid, it says "App installed from F-Droid". And something from the Play Store says "App installed from Google Play Store".

If it's from the Play Store, the text is standard, and if I press it, the app's Play Store page opens (which is a convenient way to get there). If it's installed from anywhere else, the entry is grayed out to show that it's not a pressable option.

@inson1 My phone is almost stock Android. If I look at my apps through Settings, in any individual app's "App Info" screen, there's a section at the bottom where it says "App installed from ______".

[naveensingh]

Private and Secure are two different things.

Private: I have worked with pretty much all the SMT apps and I can say with some confidence that all the apps are safe to use from a privacy perspective. You don't need to worry about your personal data being stolen or worse. All Fossify apps still don't have any access to the internet as you can verify here so they can't send any data even if a piece of code wanted to. This might change if we decide to add support for RCS but even then, we won't be tracking users or selling data.

Secure: I would say not having the internet permission reduces the attack surface considerably and if there are any vulnerabilities or back doors in any of the apps released by Fossify, I can assure you it is not intentional.

By the way, there's a fun poll about this by Broadie Robertson: https://www.youtube.com/post/UgkxbSSrd1b1FV59p-Ry6jcaCaTAVD07Odrk

[Isaacson33]

Thanks for the explanations, and thank also to @Aga-C for the full and open info.

What was done with these apps shook me a bit, nice to have a bit of confidence restored...