tutao / tutanota

Tuta is an email service with a strong focus on security and privacy that lets you encrypt emails, contacts and calendar entries on all your devices.

Home Page:https://tuta.com

PRIVACY BUG - Mobile app connects to GOOGLE!

Uj947nXmRqV2nRaWshKtHzTvckUUpD opened this issue

commented

Bug in mobile app
Mobile app connects to GOOGLE:
android.googleapis.com = ajax.googleapis.com on :443

To Reproduce
Install the app from F-Droid (de.tutao.tutanota)
Monitor network usage with NetGuard => even before logging in, the app attempts connections to Google

Expected behavior
No connection to GOOGLE

Smartphone (please complete the following information):

  • Device: OP7
  • OS: android 12
  • Tuta Version 227.240502.0

Hi @Uj947nXmRqV2nRaWshKtHzTvckUUpD,
Thank you for your report.

We are investigating the cause of this connection and would like to ask you some questions. What keyboard (GBoard etc.) are you using on your device? Are you using the stock version of Android included on your device (OxygenOS) or a custom distribution?

Kind regards,
rezbyte

commented

Using stock OxygenOS, but with microG instead of Google Play Services.
GBoard is uninstalled; instead I am using HeliBoard (open source).

Both microG and HeliBoard are kind of offline in my setup. microG is allowed through the firewall but has no connections to Google (since I have FCM disabled and no Google account); HeliBoard is offline by default.

Thanks for responding.

Does the same request appear in the logs when using other apps? I am having some trouble at the moment reproducing this on a stock android system with the F-Droid version.

Connections to ajax.googleapis.com imply that the app or its dependencies use Google's CDN, which is not the case. Likewise, we should not see requests to android.googleapis.com, as we do not use Google Play services at all. I suspect there is perhaps another app that overlays the Tuta Mail app in your setup and sends requests to these URLs, something like a password manager for instance.
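One way a reader can check a claim like this against the shipped APK, as an added example that is not part of this thread and not Tuta's code: unzip the APK and scan every entry for hostnames ending in a suffix of interest. The sample APK below is constructed inline (a zip with fake entries whose contents are invented for the demonstration) so the script runs offline; point `find_host_references` at real APK bytes to use it for triage.

```python
# Added example (not Tuta's code): check whether an APK's contents contain a
# given hostname suffix, the static counterpart of watching traffic with NetGuard.
import io
import re
import zipfile


def host_pattern(suffixes):
    """Build a bytes regex matching any hostname that ends in one of `suffixes`.

    The leading labels are optional, so "googleapis.com" matches itself as well
    as "ajax.googleapis.com". The look-around keeps "notgoogleapis.com" and
    "googleapis.community" from matching."""
    alternatives = b"|".join(re.escape(s.encode("ascii")) for s in suffixes)
    return re.compile(
        rb"(?<![A-Za-z0-9-])(?:[A-Za-z0-9-]{1,63}\.)*(?:" + alternatives + rb")(?![A-Za-z0-9-])",
        re.IGNORECASE,
    )


def find_host_references(apk_bytes, suffixes):
    """Return {hostname: [zip entry names]} for every match in any entry of the APK.

    Plain-text scan only: a hostname that code assembles at runtime, or that sits
    in an encrypted or further-packed asset, is not found. Absence of a hit is
    therefore weaker evidence than presence of one."""
    pattern = host_pattern(suffixes)
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)  # decompresses the entry
            for m in pattern.finditer(data):
                host = m.group(0).decode("ascii").lower()
                entries = hits.setdefault(host, [])
                if info.filename not in entries:
                    entries.append(info.filename)
    return hits


def build_sample_apk():
    """Constructed stand-in for an APK: a zip with a fake dex, a JSON asset and a
    fake native library. Only the zip layout is realistic; the contents are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00https://app.tuta.com/\x00w9.api.tuta.com\x00")
        zf.writestr("assets/config.json", b'{"cdn": "https://ajax.googleapis.com/ajax/libs/x.js"}')
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF\x00\x00android.googleapis.com\x00")
        zf.writestr("res/raw/notes.txt", b"version 1.2.3; notgoogleapis.com is not a hit")
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    for host, entries in sorted(find_host_references(apk, ["googleapis.com"]).items()):
        print(host, "->", ", ".join(entries))
```

On a real build, run the same scan over both the F-Droid and the Play Store APK: a hit that appears in one and not the other points at a build-flavour dependency rather than at the user's device.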

commented

Does the same request appear in the logs when using other apps?
Only a couple of apps that actually connect to Google (e.g. Uber, Revolut, Maps itself), probably for maps or reCAPTCHA or other hosted libraries. Proton Mail (only connects to dns.google in some cases) and the rest of my apps do not connect to these Google endpoints.

I have KeePassDX as password manager, which is also offline. I am not using any other kind of overlay.

Can you confirm all the endpoints the Tuta app should connect to?

Besides the Google attempts, I can see:

app.tuta.com
w9.api.tuta.com
w15.api.tuta.com
w16.api.tuta.com
tuta.com
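The reproduction steps and the endpoint list above amount to an allowlist check, done here as an added example that is not code from Tuta or from NetGuard: parse per-app connection records and report every destination outside the package's expected endpoints. The record format, the UIDs and the allowlist patterns are assumptions made for this example, and the sample records are constructed.

```python
# Added example (not Tuta's or NetGuard's code): classify per-app connection
# records against an allowlist of expected endpoints so unexpected hosts stand out.
# The record format and the allowlist are assumptions made for this example.
from collections import Counter
from fnmatch import fnmatchcase
import re

# One record per connection attempt: timestamp, Android UID, package, destination.
RECORD_RE = re.compile(
    r"^(?P<ts>\S+)\s+uid=(?P<uid>\d+)\s+pkg=(?P<pkg>\S+)\s+dst=(?P<host>[^:\s]+):(?P<port>\d+)$"
)

# Expected endpoints per package, as glob patterns. "*" also spans dots, so
# "w*.api.tuta.com" accepts any depth below api.tuta.com that starts with "w".
EXPECTED = {
    "de.tutao.tutanota": ["app.tuta.com", "w*.api.tuta.com", "tuta.com"],
}


def parse_records(lines):
    """Yield dicts for lines that look like connection records; skip the rest."""
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["host"] = rec["host"].lower()
            yield rec


def is_expected(pkg, host):
    """True if `host` matches one of the allowlist patterns for `pkg`."""
    return any(fnmatchcase(host.lower(), pattern) for pattern in EXPECTED.get(pkg, []))


def audit(lines):
    """Return Counter {(pkg, host): attempts} for connections outside the package's
    allowlist. Packages without an allowlist are skipped: nothing to judge against."""
    unexpected = Counter()
    for rec in parse_records(lines):
        if rec["pkg"] not in EXPECTED:
            continue
        if not is_expected(rec["pkg"], rec["host"]):
            unexpected[(rec["pkg"], rec["host"])] += 1
    return unexpected


# Constructed sample records (not a real NetGuard export); UIDs are invented.
SAMPLE_LOG = [
    "2024-05-06T10:00:01 uid=10234 pkg=de.tutao.tutanota dst=app.tuta.com:443",
    "2024-05-06T10:00:01 uid=10234 pkg=de.tutao.tutanota dst=android.googleapis.com:443",
    "2024-05-06T10:00:02 uid=10234 pkg=de.tutao.tutanota dst=ajax.googleapis.com:443",
    "2024-05-06T10:00:03 uid=10234 pkg=de.tutao.tutanota dst=w9.api.tuta.com:443",
    "2024-05-06T10:00:04 uid=10234 pkg=de.tutao.tutanota dst=w15.api.tuta.com:443",
    "2024-05-06T10:00:05 uid=10234 pkg=de.tutao.tutanota dst=android.googleapis.com:443",
    "2024-05-06T10:00:06 uid=10234 pkg=de.tutao.tutanota dst=tuta.com:443",
    "2024-05-06T10:00:07 uid=10301 pkg=com.example.other dst=android.googleapis.com:443",
    "this line is not a connection record",
]

if __name__ == "__main__":
    for (pkg, host), n in sorted(audit(SAMPLE_LOG).items()):
        print(f"{pkg} -> {host}: {n} unexpected attempt(s)")
```

A UID-based firewall such as NetGuard attributes a connection to the package that owns the UID, so a request from a library or WebView inside the app shows under the app's package while a separate overlay app shows under its own UID. The audit therefore says which package's UID made the connection, not which component inside it; the static APK scan is the complementary check for that.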

commented

We are not able to reproduce this connection to Google's servers. The issue appears to be related to your specific device or setup.

Please contact our support with more details so we can investigate this further. Closing as not planned.