Apps which include nonfree code
Making this confidential so that others can first verify these findings before making this public.
This is a list of apks currently in /repo that include classes of the com.google.android.gms
package, which I believe is entirely nonfree. I didn't verify all of these in detail but those I did check returned sensible results.
https://f-droid.org/repo/ar.rulosoft.mimanganu_122.apk
https://f-droid.org/repo/ar.rulosoft.mimanganu_129.apk
https://f-droid.org/repo/ar.rulosoft.mimanganu_132.apk ==> False positive: https://github.com/raulhaag/MiMangaNu/tree/master/fakegps/src/main/java/com/google/android/gms/common
https://f-droid.org/repo/be.mygod.vpnhotspot_218.apk
https://f-droid.org/repo/be.mygod.vpnhotspot_220.apk ==> Billing: https://github.com/Mygod/VPNHotspot/blob/master/mobile/build.gradle.kts#L83
https://f-droid.org/repo/com.adityakamble49.dcipher_10.apk
https://f-droid.org/repo/com.adityakamble49.dcipher_7.apk
https://f-droid.org/repo/com.adityakamble49.dcipher_9.apk ==> repo gone. This one did fool our scanner and does include the oss license module.
https://f-droid.org/repo/com.foobnix.pro.pdf.reader_3728.apk
https://f-droid.org/repo/com.foobnix.pro.pdf.reader_3772.apk
https://f-droid.org/repo/com.foobnix.pro.pdf.reader_3869.apk ==> false positive.
https://f-droid.org/repo/com.github.axet.maps_1053.apk
https://f-droid.org/repo/com.github.axet.maps_1061.apk
https://f-droid.org/repo/com.github.axet.maps_1062.apk ==> false positive: https://gitlab.com/axet/omim/-/blob/HEAD/android/src/com/google/android/gms/ads/identifier/AdvertisingIdClient.java
https://f-droid.org/repo/com.github.axet.smsgate_236.apk
https://f-droid.org/repo/com.github.axet.smsgate_237.apk
https://f-droid.org/repo/com.github.axet.smsgate_238.apk ==> also false positive, uses: https://gitlab.com/axet/android-firebase-fake (which seems like a pretty cool project actually.)
https://f-droid.org/repo/com.totsp.crossword.shortyz_40400.apk ==> False positive, uses https://github.com/yourealwaysbe/play-services-shortyz
https://f-droid.org/repo/eu.faircode.email_1189.apk
https://f-droid.org/repo/eu.faircode.email_1192.apk
https://f-droid.org/repo/eu.faircode.email_1193.apk ==> billing
https://f-droid.org/repo/fr.xgouchet.packageexplorer_16.apk
https://f-droid.org/repo/fr.xgouchet.packageexplorer_17.apk
https://f-droid.org/repo/fr.xgouchet.packageexplorer_18.apk ==> OssLicences
https://f-droid.org/repo/im.pattle.app_741.apk
https://f-droid.org/repo/im.pattle.app_766.apk
https://f-droid.org/repo/im.pattle.app_791.apk ==> firebase
https://f-droid.org/repo/io.github.kobuge.games.minilens_1.apk ==> com.google.android.gms.R ? But it's only there in the old version, so we can just disable it.
https://f-droid.org/repo/io.github.wulkanowy_59.apk
https://f-droid.org/repo/io.github.wulkanowy_60.apk
https://f-droid.org/repo/io.github.wulkanowy_61.apk ==> firebase
https://f-droid.org/repo/me.echeung.moemoekyun.fdroid_87.apk ==> no idea how gms is pulled in, it's only in the latest version
https://f-droid.org/repo/net.guildem.publicip_2.apk ==> firebase, I'd assume pulled in here: https://github.com/guildem/publicip-android/blob/1.0.1/app/build.gradle#L47 the newer version doesn't have it.
https://f-droid.org/repo/net.ivpn.client_75.apk
https://f-droid.org/repo/net.ivpn.client_78.apk
https://f-droid.org/repo/net.ivpn.client_79.apk ==> billing
https://f-droid.org/repo/net.yolosec.routerkeygen2_72.apk ==> firebase, gms
https://f-droid.org/repo/org.addhen.smssync_25.apk
https://f-droid.org/repo/org.addhen.smssync_26.apk ==> google analytics, pretty sure unused but present in the apk.
https://f-droid.org/repo/org.kobuge.ninjatraining_2.apk ==> same as minilens_1.apk, seems to be a bug in an older Godot version.
https://f-droid.org/repo/pl.hypeapp.episodie_2.apk ==> firebase/gcm: https://github.com/hypeapps/episodie/blob/224d9e381e5cac002622db24ba85e99876d029b8/dependencies.gradle#L93
You can check with $ANDROID_HOME/tools/bin/apkanalyzer dex packages --defined-only $APK | grep com.google.android.gms
How do we proceed? I'd like to give upstream some warning (if possible in private) and a chance to fix this for their next releases before removing these apps, because I somewhat consider this F-Droid's fault for not being able to detect the presence of non-free libraries before app inclusion. What do you think?
@uniqx @relan @Rudloff @thermatk @licaon-kter @cde @eighthave
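An added example, not part of the original post and not F-Droid's own scanner: the same "defined, not merely referenced" check as the apkanalyzer command above, done by reading the class_defs table of every classes*.dex in an APK. It assumes standard little-endian DEX files; the function names are made up for this sketch.

```python
import struct, sys, zipfile

PREFIX = "Lcom/google/android/gms/"  # DEX type-descriptor form of the package

def _string_at(dex, off):
    # string_data_item: ULEB128 length, then NUL-terminated MUTF-8 bytes
    while dex[off] & 0x80:          # skip continuation bytes of the length
        off += 1
    end = dex.index(b"\0", off + 1)
    return dex[off + 1:end].decode("utf-8", "replace")

def defined_classes(dex):
    """Descriptors of classes defined (not just referenced) in one DEX file."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    string_ids_off, = struct.unpack_from("<I", dex, 0x3C)
    type_ids_off, = struct.unpack_from("<I", dex, 0x44)
    n_classes, class_defs_off = struct.unpack_from("<II", dex, 0x60)
    out = []
    for i in range(n_classes):
        # class_def_item is 32 bytes; its first field indexes type_ids
        type_idx, = struct.unpack_from("<I", dex, class_defs_off + 32 * i)
        str_idx, = struct.unpack_from("<I", dex, type_ids_off + 4 * type_idx)
        data_off, = struct.unpack_from("<I", dex, string_ids_off + 4 * str_idx)
        out.append(_string_at(dex, data_off))
    return out

def gms_classes_in_apk(path):
    """Sorted com.google.android.gms classes defined in any classes*.dex."""
    hits = []
    with zipfile.ZipFile(path) as apk:
        for name in apk.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                hits += [c for c in defined_classes(apk.read(name))
                         if c.startswith(PREFIX)]
    return sorted(hits)

if __name__ == "__main__":
    for apk_path in sys.argv[1:]:   # e.g. the APK files listed above
        found = gms_classes_in_apk(apk_path)
        print(apk_path, len(found), "defined com.google.android.gms classes")
        for cls in found:
            print("   ", cls)
```

A hit only shows that a class is defined under that package name; as the false positives in the list show, it can be a free stub, so the source still has to be checked.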