• @ipo23 will set up fast DNS for ipgrep runs --> DONE
• @eighthave will finish the base level raw feature data extraction for the helloworld model
• @MillivoltLightningbolt will process raw data into ML-ready features
• @redplanet will interview @licaon-kter and @IzzySoft about the user experience of fdroid reviewers

notes

@ipo23 wrote the position paper to work on the definition of tracking (https://docs.google.com/document/d/104bN2XkqtEzfg5x-hSMroGlKQp-RhkzY8sw0rsxOI78/edit?usp=sharing). We discussed more which contexts need their own definition of tracking (users, reviewers, etc). The "ML definition of tracking" proposed by @eighthave was wrong, instead it is something more like the reviewers definition, but the difference of being things that we have features for. E.g. we do not have features for which organizations are trusted or not trusted by fdroid contributors.

We also discussed some key UX items, like whether the ML should post binary answers True/False, or percentages like 70% this contains a tracker. We want to make sure that the ML results don't make reviewers just click through without doing any review Feedback from the skilled reviewers will be very valuable here

Features discussed

Exodus database of trackers: https://etip.exodus-privacy.eu.org/

Features from source code

• maven repos as URLs
• is maven repo whitelisted by fdroid
• libraries listed in gradle files
• library binaries committed as filename and hash
• API keys? How to get which service they are for? We don't want the key/token itself.
• Android device IDs
• ipgrep
• do we need to track targetSdkVersion? Old ones mean more permissions are automatically granted
• functions:
  • UUID generator
  • contains reflection
  • System.load(), System.loadLibrary() (Kotlin calls?)

Features from binaries

• permissions from AndroidManifest.xml
• ipgrep
• libraries found by LibScout and other tools
• Android device IDs
• system calls:
  • reflection
  • other code to check: System.load() System.loadLibrary()
  • file access: android.database.*, java.io, javax.io, SharedPreferences
  • networking: java.net, javax.net,
• dump system calls from lib*.so for the same things