- cross-posted to:
- opensource@lemmy.ml
Can we move away from the habit of just copy-pasting clickbait video titles with no information as to what they’re actually about? Lemmy gives you a description field, you have the power to summarise videos which should really be blog posts!
I’m not watching a video for something that can be 3 lines of text.
I’m supposing this is some speech to text? It’s completely on device? If it’s not on device, I don’t see much difference between giving data to Google and giving the same exact data to somebody else.
Yes, it is a text to speech engine that works completely on the device. Actually, I use it right now to write this.
I’m using it to type this comment and I REALLY like it! But I will say it tries to do punctuation for me, and that drives me nuts.
(Video is about an open source voice to text input method for Android, by the way.)
What’s the name of it? Then I don’t have to watch a video
Futo Voice Input, and there are links in the post ☺️ Weirdly, it doesn’t seem to be on Fdroid (yet?), but you can install it as an APK from their website.
I’m going with yet. They do mention an F-Droid build on GitLab.
There are four build flavors:
- dev - for development, includes Play Store billing and all payment methods, auto-update, etc
- playStore - Play Store build, does not include auto-update and only includes Play Store billing
- standalone - does not include Play Store billing library, includes auto-update
- fDroid - does not include Play Store billing nor auto-update
Gotcha. I missed that on their GitLab page, thank you for pointing it out to me!
Section 4: Termination, suspension and variation
We may suspend, terminate or vary the terms of this license and any access to the code at any time, without notice, for any reason or no reason, in respect of any licensee, group of licensees or all licensees including as may be applicable any sub-licensees.
The license isn’t exactly giving me warm fuzzies, the source is available, but it isn’t GPL.
https://gitlab.futo.org/alex/voiceinput/-/blob/master/FTL_LICENSE.md?ref_type=heads
Reading through their license, it appears that people may only distribute the code and the binaries non-commercially. There’s nothing in there allowing people to modify and then distribute the modification. But I’m not a law talking person so maybe I got that wrong.
Oh no :(. Another cool project being ruined by trying to invent its own licence.
If they want to not make it free of price, they could make payments for model download or just do a paywall screen. Most people would prefer to pay some bucks for not having to compile the app themselves or having to get it from shady sources.
This fdroid repo version of this “privacy respecting” app contains user tracking telemetry spyware as reported by exodus.
The app is not transparent about it as it is not listed in the credits section with all their other components. There is no way to opt-out or turn it off in the settings.
Be aware.
The reported tracker is ACRA, a crash report library (https://github.com/ACRA/acra).
I dug a bit into the source code and the apk. From looking at the code alone one can’t tell if the crash report is actually enabled, the build configuration depends on some unpublished file. But looking into the apk allows one to reconstruct it. These are my findings:
- the usage is implemented here: https://gitlab.futo.org/alex/voiceinput/-/blob/master/app/src/main/java/org/futo/voiceinput/CrashLoggingApplication.kt
- the crash handler is compiled in and also enabled (BuildConfig.ENABLE_ACRA=true)
- the crash handler is configured to dialog mode. According to the ACRA documentation (https://www.acra.ch/docs/Interactions#dialog) that means that user interaction is required for sending (a popup dialog with a cancel button).
- the upload domain is crash.sapples.net
- the dialog can’t be disabled via settings
- the usage of ACRA is missing in the licenses and about dialogs (https://gitlab.futo.org/alex/voiceinput/-/blob/master/app/src/main/assets/license-list.html)
- the privacy policy is correctly stated (https://voiceinput.futo.org/VoiceInput/PrivacyPolicy)
4.1. If the app crashes, you may be asked if you wish to submit a crash report. If you accept, your device information and crash details will be sent to us for the purposes of investigating the crash and improving the software.
Unfortunately they go with their own custom licence and AFAIK it’s not open source as it does not allow commercial use.
Can you give more details of the scan result? Exodus only lists the Play store version. I installed the F-Droid version but Exodus app reports it as “same version” and just shows the clean Google Play Store results. This is obviously wrong, the SHA1 listed for the Play Store version on the Exodus website is different compared to the F-Droid .apk I have installed. Sadly the Exodus website does not support scanning F-Droid apps from third-party repos so I have no idea how to scan it.
That being said, according to the privacy policy (https://voiceinput.futo.org/VoiceInput/PrivacyPolicy), the F-Droid .apk version should have some kind of crash report built in. So I could imagine that this might get flagged.
Sure, there is a Google developer tool called classyshark which scans the code of any installed Android app and reports every class which you can view.
There is a version on fdroid which uses the exodusprivacy database, version (eof443) to highlight any classes which match their tracking database. If you install the fdroid version of classyshark then install the Google play or fdroid version of this app you will see the telemetry framework they added plus you can look at every class and see exactly what it does and what data it is collecting and leaking.
In this case there is a lot of telemetry code in this app. The issue is that it appears to be opt-in and the app itself does not contain any warning or setting to allow the user to disable it. This is disappointing for an app which is advertised as being privacy respecting.
Regarding why exodus does not show the tracking on their website, I believe the exodus website is manually maintained. 3 times in the past I found trackers in apps that were listed on exodus as being clean. The exodus guys said this typically happens when a developer adds telemetry to a new version and the site was not updated yet. Each of the 3 times they updated their website to include the trackers after I found them with classyshark and reported it.
Anyway with classyshark you don’t need to take anyone’s word for it, you can scan your apps yourself and it works offline too so you don’t even need to send hashes to the web to check your stuff.
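The class-name scan described in the comment above, as an added example that is not part of the thread and is not ClassyShark3xodus or Exodus code: it reads the class definitions out of a DEX file and counts those matching a tracker signature. The `org\.acra\.` pattern and the sample class list are constructed for illustration.

```python
import re
import struct

def _skip_uleb128(buf, pos):   # step over the ULEB128 length that starts a string_data_item
    while buf[pos] & 0x80:
        pos += 1
    return pos + 1

def dex_class_names(dex):
    """Return dotted names of every class defined in one classes*.dex blob."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    s_off, = struct.unpack_from("<I", dex, 0x3C)           # string_ids_off
    t_off, = struct.unpack_from("<I", dex, 0x44)           # type_ids_off
    c_num, c_off = struct.unpack_from("<2I", dex, 0x60)    # class_defs size and offset
    names = []
    for i in range(c_num):
        type_idx, = struct.unpack_from("<I", dex, c_off + 32 * i)    # class_def.class_idx
        str_idx, = struct.unpack_from("<I", dex, t_off + 4 * type_idx)
        data_off, = struct.unpack_from("<I", dex, s_off + 4 * str_idx)
        start = _skip_uleb128(dex, data_off)
        desc = dex[start:dex.index(b"\0", start)].decode("utf-8", "replace")
        names.append(desc[1:-1].replace("/", "."))         # Lorg/acra/ACRA; -> org.acra.ACRA
    return names

def count_trackers(class_names, signatures):
    """Map tracker name -> number of classes matching its signature regex."""
    counts = {name: sum(1 for c in class_names if re.match(rx, c))
              for name, rx in signatures.items()}
    return {name: n for name, n in counts.items() if n}

def build_sample_dex(descriptors):
    """Constructed test input: only the tables the parser reads, not a loadable DEX."""
    n, data, str_ids = len(descriptors), b"", b""
    s_off, t_off, c_off, d_off = 0x70, 0x70 + 4 * n, 0x70 + 8 * n, 0x70 + 40 * n
    for d in descriptors:
        str_ids += struct.pack("<I", d_off + len(data))
        data += bytes([len(d)]) + d.encode() + b"\0"
    header = bytearray(0x70)
    header[:8] = b"dex\n035\0"
    struct.pack_into("<4I", header, 0x38, n, s_off, n, t_off)
    struct.pack_into("<2I", header, 0x60, n, c_off)
    type_ids = b"".join(struct.pack("<I", i) for i in range(n))
    class_defs = b"".join(struct.pack("<8I", i, *[0] * 7) for i in range(n))
    return bytes(header) + str_ids + type_ids + class_defs + data

SIGNATURES = {"ACRA": r"org\.acra\."}   # constructed pattern, not an Exodus database entry
SAMPLE = build_sample_dex(["Lorg/acra/ACRA;", "Lorg/acra/sender/HttpSender;",
                           "Lorg/example/voice/MainActivity;"])   # constructed class list
```

For a real APK, read each `classes*.dex` member with `zipfile.ZipFile` and pass the bytes to `dex_class_names`. A class count only shows that the library is compiled in, not whether it is enabled or what it sends.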
Thank you, I’ll look into it.
ClassyShark3xodus is the app on fdroid, it’s a great tool, works offline and it itself is spyware free, source is on GitLab.
I didn’t install/scan it myself, but the exodus site shows no trackers on Google play version. https://reports.exodus-privacy.eu.org/en/reports/org.futo.voiceinput/latest/
I installed the version from the repo on their website: app.futo.org/fdroid/repo
It contains trackers: 1 tracker = 266 classes.
I also downloaded the Google play version. It also contains the same spyware:
1 tracker = 266 classes.
I figure if I lurk here someone will come along and break down whether this is legit to install or not
Louis Rossmann is a respectable person in the open source/right to repair arena
Right on, that helps to know, thank you
Howsabout you try it and let us all know if your phone gets hot?
I tried it on my device… Works great!
But it’s just a Voice to Text utility at the moment, so only where there’s a mic icon for said VTT applications. But they’re working on integration with open source keyboards and also suggested the possibility that they’d make one of their own keyboards.
It is if you don’t care about your privacy, this app contains user tracking telemetry with no way to disable or opt-out. I downloaded it, scanned it with exodus and deleted it afterwards.
I didn’t expect much considering he works for this company and this click baity post is a paid advertisement.
Damn. I appreciate that you did that leg work for the rest of us
It’s no work, it only takes a second. Download Google’s classyshark app. The fdroid version contains the embedded exodusprivacy database.
Whenever you install a new app scan it with classyshark and you will instantly know if the app will be tracking you or not.
This way you don’t have to believe strangers on the internet: trust but verify for yourself.
Of course in this case you didn’t even really need to do that. The link is to a YouTube influencer who is pushing a “privacy app” by a company he works for…
From reading other posts it sounds like it is only for crash reporting and that the user has to click to provide the report in the event of a crash. It also appears to be documented in their policy docs so it’s not exactly like it’s anything underhanded.
If the user doesn’t trust that their data will be safe, couldn’t the domain attached to the tracker found by Classyshark be blocked using something like NextDNS or RethinkDNS to prevent any data from connecting to said domain?
Here is an alternative Piped link(s):
https://piped.video/UCGaKvZpJYc?si=SXknCynbr_7pakmC
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.