Warn users about potential connections to Google when using Riot
In the developer chat @mvgorcum shared that Riot falls back to using Google's servers when a user's home server doesn't provide its own TURN server. See below for evidence.
This is a big metadata leak that wasn't obvious to me as an operator of my own Synapse instance. Also, I don't think many of Riot's users know about this fallback. To make this clear: voice and video streams will not be relayed through Google. Their TURN server is just telling users their external IP addresses so they can attempt a peer-to-peer call. Still, this gives Google information about the social graph of users.
To give some context: to be able to make calls in Riot, Riot needs to connect to a TURN server. This TURN server either relays voice and video streams between two users or just gives them their external IP addresses so they can attempt a peer-to-peer call directly between their devices. When setting up your own Synapse home server, you don't have to set up a TURN server, i.e. there are additional steps necessary to do that. Originally, I thought calls will then be peer-to-peer with Synapse telling users their IP addresses, but according to @mvgorcum a TURN server is always necessary as calls will otherwise fail. If a home server doesn't provide a TURN server, Riot apparently falls back to using Google's one.
In my opinion, we need to warn users about this in the app's description in F-Droid. Additionally, we should patch F-Droid's build of Riot to not include that fallback, i.e. letting calls fail when a home server hasn't configured its own TURN server. I'll open an issue on Riot's issue tracker to discuss this with Riot's developers. I opened an issue on upstream's repo to discuss this issue.
To prove his statements, @mvgorcum linked two pieces of code:
    /** The fallback server to use for STUN. */
    MatrixCall.FALLBACK_STUN_SERVER = 'stun:stun.l.google.com:19302';

    // define at least on server
    if (iceServers.isEmpty()) {
        Log.d(LOG_TAG, "## createLocalStream(): use the default google server");
        iceServers.add(new PeerConnection.IceServer("stun:stun.l.google.com:19302"));
    }
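An added example, not code from Riot, matrix-js-sdk or the original issue: one way a client could build its ICE server list only from what the home server returns, with no hard-coded fallback, plus an audit helper that flags any STUN/TURN host outside an operator allowlist. The function names, the `example.org` domain and the sample response are assumptions; the response fields follow the Matrix client-server `voip/turnServer` reply (`username`, `password`, `uris`, `ttl`).

```javascript
// Constructed sample of a home server's TURN credential response (not real data).
const SAMPLE_TURN_RESPONSE = {
  username: "1443779631:@user:example.org",
  password: "constructed-secret",
  uris: [
    "turn:turn.example.org:3478?transport=udp",
    "turns:turn.example.org:5349?transport=tcp",
  ],
  ttl: 86400,
};

// Extract the host part of a stun:/stuns:/turn:/turns: URI.
function iceHost(uri) {
  const m = /^(stuns?|turns?):(\[[^\]]+\]|[^:?]+)(?::\d+)?(?:\?.*)?$/i.exec(uri);
  if (!m) throw new Error(`not a STUN/TURN URI: ${uri}`);
  return m[2].toLowerCase();
}

// True if host is one of the allowed domains or a subdomain of one.
function hostAllowed(host, allowedDomains) {
  return allowedDomains.some((d) => host === d || host.endsWith("." + d));
}

// Build the RTCPeerConnection iceServers list from the home server response only.
// An empty result means "no TURN configured": the caller lets the call fail
// instead of contacting a third-party server.
function buildIceServers(turnResponse, allowedDomains) {
  const uris = (turnResponse && turnResponse.uris) || [];
  const kept = uris.filter((u) => hostAllowed(iceHost(u), allowedDomains));
  if (kept.length === 0) return [];
  return [{ urls: kept, username: turnResponse.username, credential: turnResponse.password }];
}

// Audit an existing iceServers list and report every URI whose host is not allowed.
function auditIceServers(iceServers, allowedDomains) {
  const findings = [];
  for (const server of iceServers) {
    for (const uri of [].concat(server.urls || server.url || [])) {
      const host = iceHost(uri);
      if (!hostAllowed(host, allowedDomains)) findings.push({ uri, host });
    }
  }
  return findings;
}
```

Running `auditIceServers` over the configuration a client is about to pass to `RTCPeerConnection` gives an operator or packager a check that fails the build or the call setup when a third-party STUN host such as the fallback quoted above is present.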