Use of Google Firebase and related unwanted stuff

Google Firebase and other Google spy/junk are appearing in Jami APKs distributed by Google Play and all other sites distributing Jami for Android --there is only one exception we are aware of and that is F-droid.

Sadly, F-droid is still offering the Jami version of early August 2020! This situation is bad for security updates and in many other ways, especially when code fixes for Jami are constantly and desperately needed for it even to have a hope of becoming and staying functional.

Jami publishes that it is 100% for user data privacy and security. Allowing 3rd parties to add ANY alien stuff to APKs like Firebase, trackers etc is contrary to assertions of user protection. Moreover, allowing Google’s insertions or anyone else s into a pure Jami APK make that APK into a facially untrustworthy hybrid item of very dubious security.

Does the Free Software Fondation know about this issue?

If Jami now wants to focus on proprietary platforms exclusively, fine, but please do not confuse the general public with the GNU name and logo.

Please either restart publishing Jami on F-Droid or on a similar platform, or drop the GNU trademarks.

Hello.

While the developers have not responded yet, I would like to add some common knowledge about the “state of the art” in this field. I hope this will make the discussion more constructive.

F-Droid updates

First of all, AFAIK, updates on the official F-Droid repository can’t be simply uploaded by the application’s maintainer. To ensure, that a published binary really corresponds to source code offered by application’s developer, the repository’s maintainer must download sources, build an application and sign it with his key. Obviously, all of this is periodically done by hand for every single application you can find on the official F-Droid repository. And, obviously, it introduces huge delays for update’s publication.

There is an experimental workaround involving reproducible builds, so that developers could build and sign their applications themselves and have their builds automatically verified by a build-bot before publication on the repository. But, the build-bot is still buggy and sometimes fails for unknown reason.

So, many developers created their own F-Droid repositories so that their users could receive updates as soon as possible. There are already dedicated repositories with Jami for various Linux distros, so, I don’t see any problem in creating another one for Android. But maybe I am wrong and I don’t know something.

Google Firebase and Push notifications

As it is described here, Google Firebase is used to wake up an application on new messages. Without it an application “sleeps” until user opens it, so it can’t react to anything trying to interact with it from outside world. IMO, this is a clear example of a vendor lock.

This issue is not unique to the Jami application. The Telegram-FOSS (a cleaned fork of the original Telegram application) also had this issue. So, they just show a notification all the time so that their application could run in background without being forcefully put to sleep by the Android OS. They also clearly explained this issue to their users. They even suggested how to cope with this distraction: just hide this notification. IMO, such publicity is the best approach to deal with this kind of artificially imposed issues, because reputation is still valuable for large corporations. (I prefer to naively hope that it is true.)

As I can see, the current F-Droid release of Jami (20200810-01) follows the same approach, but I have not found any description of this feature. So, the always appearing meaningless notification just looks strange. For comparison: users of Telegram-FOSS can open a detailed description of this workaround by just tapping on this notification.

This is a Possible Solution to the issue

OpenPush - A Free, Decentralized Push Messaging Framework

A Google Cloud Messaging (GCM) /Firebase Cloud Messaging (FCM) REPLACEMENT

OpenPush is a self-hosted, free alternative push messaging implementation which can either run alongside or as a replacement to FCM.
OpenPush was presented at FOSDEM. The talk gives a general architecture overview as well as walks through the design and implementation challenges of a push messaging service.
OpenPush Article more links in article
https://f-droid.org/en/2020/02/03/openpush-talk.html
OpenPush Project Website
https://bubu1.eu/openpush/

Application developers choose to integrate Firebase — it was not added by Google. The question is, why are they doing it. I can think of two possible reasons:

Firebase push services are more reliable than the method which is employed by the F-Droid builds (?)

…For that we have no explanation: is there some problem with ntfy? --This is the only relevant thing I could find in the Jami documentation:

“A DHT Proxy is used with mobile devices to save battery by avoiding synchronization. It is generally dhtproxy.jami.net but can be any DHT node with the REST API enabled. However, if the DHT proxy is using push notifications it will depend on another external service (Firebase or APN or a Unified Push instance). In this case, only the third one can be self-hosted.”

• Use Jami on a LAN — Jami documentation

• The architecture of a chat app built with Firebase

Firebase provides a feature called ‘Error Reporting’ that automatically collects & reports device-specific error logs

…in which case there are various alternatives that respect user privacy better. But even if privacy is no concern to the user, he is still compelled to guess which push service will meet his needs best.

What is the selection criteria here? Does one method use less energy? If so, how much? Which one should he choose, and why?

Firebase tracker is not used anymore.

Check the recent analysis:

https://reports.exodus-privacy.eu.org/de/reports/search/cx.ring/