StuckInYYZ

Ok, so I wasn't about NRF, but now I have some concerns after doing some quick research about it. Apparently it creates a quasi-VPN interface to control the data. I had originally thought "ok, it's blocking stuff at the system level... not sure how it works without rooting, but sure". If it creates a VPN interface to manage the data, there are quite a few concerns, many that have been expressed in a couple of forums...

• It's not open source. This in and of itself isn't necessarily a bad thing, but linked to the next point, raises some questions...
• It's free. So what does the author have to gain? There is a bit of a credibility issue as well since it's "closed source". What is there to gain to maintain an app that could earn you a lot of unpaid work (and the abuses that come along with this)
• What data is it (potentially) gathering on you? As a chokepoint for inbound and outbound data, it has the potential to gather *A LOT* of information. App intelligence, user intelligence, etc. The specs on the app also raise suspicions... "varies with device"
• As a VPN, it could potentially redirect data without you knowing. If it includes an SPI module, it could easily redirect data under a given condition
• Information in the app store is suspicious... free email provider (created before gmail required phone verification).... free easy-to-host website... yes, there are over 5mil downloads, but just because it does what it says it does doesn't mean it doesn't do other things as well (say that five times fast)

And those are just what came to mind. It raises a number of questions which really concern me. I could be wrong (to be fair, I didn't do anything indepth) but I would be weary of the app.


Yup. I deny it all but the network connection and I kill the app when not using it (I use it to collect points and pre-order). Sure it can track me by IP address and where I pick up, but not when I am asleep or moving around. Haven't found it active otherwise, but it's something to keep in mind.

Jimmie76

Actually the person who recommended it said they'd tested it before suggesting it to anyone else. They'd used it (on an old mobile) and their pi hole on a closed circuit wifi and blocking all outgoing traffic via the app. They said that the mobile they were using didn't have any outgoing network traffic when the app was running. They may have also said they'd taken the APK apart to check I can't remember. I might have a look at doing that one of these days. I also use it to block itself from connecting. That's not the only one of these apps by the way there are others such as Netguard etc.

StuckInYYZ

Oh, I'm not saying it's not legit or it doesn't work as advertised. I'm just saying be skeptical due to x and y factors. One other thing... metadata doesn't necessarily have to be sent immediately. If it's been fingerprinted, then it can be sent at any given time. It doesn't take a lot of code to (for example) say wait until it detects the LTE modem activate before sending the data or at pre-determined intervals that might not easily be detected. I'm not trying to raise the paranoia level... just saying it's raised enough red flags for me to be concerned before using it.

As for the others, it depends on how they do things. If they raise red flags, then question them as well.

Jimmie76

Well now you've got me interested so I just decompiled the APK and will have a look through it over the coming days.

StuckInYYZ

Lol. Better you than me. I can muck my way through code but it'd take a lot of time and effort (and likely make a lot of assumptive errors).

Keep in mind, technically this applies to all apps, not just what you find for mac or windows or linux (or their mobile equivalents). Think about it this way. Earlier this year, password managers were under the spotlight as well. Most were called out as they were sending out metadata (granted they didn't breach passwords, but that's not necessarily the point). If you can ID the fingerprint of a specific user you are looking for, you can now track them... and this is likely happening with many of the world's governments right now (as well as some people who have the funds to do this).