
OSMAnd is spyware that leaks your travel history to the OSMAnd developers, even if you have analytics/telemetry turned off!

github.com/osmandapp/OsmAnd/is

github.com/osmandapp/OsmAnd-iO

This unethical and consent-violating data leak exists in both the iOS and Android versions. It's not an accident - they are deliberately phoning home with a unique identifier.

@sneak This kind of shit is what makes me leery about going to meetups, because you know people bring their phones, not to mention most new cars have some means of being tracked by intel agencies inbuilt.
@sneak I thank the good Lord above for making me so lazy a piece of shit that I put off setting up OsmAnd for about seven years. Also, chalk another W up for Team "Android is fucking dead please someone make the Pinephone usable I beg you."

@sneak @coolboymew valid concern, but your wording makes it sound as if they added this for the sole purpose of tracking individuals and don't intend to do anything about it. Let's give them some time to respond before starting drama.

@jomo @sneak @coolboymew@shitposter.club Agree. I don’t like the UUID part but I don’t care about the IP part.

@greypilgrim @jomo the ip part is how it tracks your travel history (ip geolocation)

@sneak @jomo I understand how it works. There aren’t enough downloads in the app to track someone.

@sneak @jomo Even then, it’s not something you can get away from. Are you going to blame your e-mail provider next? The way things work today, if you fear your source IP history, then it’s up to the user to control it themselves (VPN).

@greypilgrim @jomo "if you don't like us collecting your data, hide"

no, fuck that. osmand is free software. i have already patched out the spyware antifeatures. i will probably distribute my fork. let users choose what they consent to.

@sneak @jomo Sounds like you’ve never had to protect your infrastructure from abuse or wanted to know where you needed to improve caching performance.

@greypilgrim @jomo yes i the victim must not relate sufficiently to the person appropriating my data without consent. debian and ubuntu solved this problem on a much larger scale without end user tracking. your comment is both factually incorrect (i have been a prod sysadmin in hostile environments for 20+ years) as well as a red herring (due to what i assume is ignorance of the state of the art)

@sneak Let's step back a minute.

You have a legitimate argument.

Time and resources come into question, but that really comes down to a question of value.

And there it is. I don't value the issue as much as you do.

@sneak This from having a particular app downloaded or this baked in shit off the OS?
@sneak Also I just noticed that the iPhone version is written in Objective C(++)
That's cool I thought they nuked anything other than Swift because Apple.

@sneak I have analytics disabled and it pings download.osmand.org on the iOS privacy report. It happens during a live update or download - it should not be sending IDs (but I haven't checked with a proxy to inspect HTTPS). Can't wait to hear back from them though, as I've been a long time fan of OsmAnd and a premium subscriber... 😬

@lambdagoat the lead dev says it doesn't require consent because it's just a random id. he doesn't get it.

@sneak thanks for the update, that really sucks. I will rethink my subscription then

@sneak Good thing it's FOSS, someone should maintain a fork like @tenacity did with Audacity. This might be Android only (through F-Droid), but at least we'll be safe.

@james @sneak @tenacity You won't be able to download the map data from osmand.net anymore, so somebody would also need to provide this service.

@kaip @james @tenacity that's easy.

you could also ship a fork that has the same download urls, that's between the user and the server.

@trashcatt the lead dev thinks that it doesn't need consent because it is just a random id lol

@sneak Unfortunately OSMAnd+ is, at least for me, still unbeatable as I can configure it to navigate me exactly like I want it. It does not impose onto me a specific set of routing calculations

@sneak It looks like it only happens when downloading maps for later offline use, not continuously? So it could track the maps you're interested in, and maybe where you are while planning a trip, but not where you actually go?

Long thread, but that claim seems far fetched.

@hans it sends a unique and permanent tracking id on every map download.

@sneak That doesn't imply it "leaks your travel history", that's what is far fetched. It can "track" which maps you download, that's not travel history, is it?

@hans client ip is city level geolocation. when you send a persistent unique id from changing client ips over time, i know which cities you were in, and when.
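The mechanism described in the post above (persistent identifier plus changing client IPs over time yields a dated, city-level movement history), as an added example that is not OsmAnd code and not from any poster in this thread. The log format, the query parameter name `deviceid`, the log lines and the IP-to-city table are all constructed for illustration; a real operator would use a commercial or MaxMind-style geolocation database in place of the hand-written table.

```python
"""Added example (not OsmAnd code and not from any poster in the thread).

Shows how a server operator who logs a persistent per-install identifier next
to the client IP can turn unrelated map downloads into a dated, city-level
movement history, and why requests without that identifier cannot be linked.

Assumptions, all constructed for illustration:
  * the query parameter name `deviceid` is hypothetical;
  * the access-log lines below are made up;
  * CONSTRUCTED_GEOIP stands in for a real IP-geolocation database.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse
import ipaddress
import re

# Constructed prefix -> city table standing in for a GeoIP database
# (documentation prefixes from RFC 5737, so nothing here maps to a real place).
CONSTRUCTED_GEOIP = [
    ("203.0.113.0/24", "Berlin"),
    ("198.51.100.0/24", "Lisbon"),
    ("192.0.2.0/24", "Tokyo"),
]

# Constructed access-log lines: three downloads from install 3f9c1a2e months
# apart, one from another install, and one request that carries no identifier.
CONSTRUCTED_LOG = """\
203.0.113.7 - - [02/Jan/2023:09:12:01 +0000] "GET /download?file=Germany_berlin.obf&deviceid=3f9c1a2e HTTP/1.1" 200 1
203.0.113.9 - - [02/Jan/2023:09:13:44 +0000] "GET /download?file=Germany_brandenburg.obf&deviceid=77be0c41 HTTP/1.1" 200 1
198.51.100.22 - - [15/Mar/2023:18:02:10 +0000] "GET /download?file=Portugal.obf&deviceid=3f9c1a2e HTTP/1.1" 200 1
192.0.2.55 - - [04/Jun/2023:07:45:33 +0000] "GET /download?file=Japan_kanto.obf&deviceid=3f9c1a2e HTTP/1.1" 200 1
192.0.2.56 - - [04/Jun/2023:07:50:00 +0000] "GET /download?file=Japan_kanto.obf HTTP/1.1" 200 1
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+" \d+ \d+')


def geolocate(ip: str) -> Optional[str]:
    """Map a client IP to a city using the constructed table (real GeoIP
    databases resolve most addresses to roughly this granularity)."""
    addr = ipaddress.ip_address(ip)
    for prefix, city in CONSTRUCTED_GEOIP:
        if addr in ipaddress.ip_network(prefix):
            return city
    return None


def parse_line(line: str) -> Optional[Tuple[str, datetime, Optional[str]]]:
    """Return (client_ip, timestamp, device_id_or_None) for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, path = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    device = parse_qs(urlparse(path).query).get("deviceid", [None])[0]
    return ip, when, device


def travel_timeline(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group requests by persistent identifier and order them in time.

    The result is {device_id: [(YYYY-MM-DD, city), ...]}: which cities each
    install connected from, and when. The map file names are never consulted;
    the linkage comes purely from identifier + source IP + timestamp.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, device = parsed
        if device is None:
            continue  # nothing to join on; this request stays an isolated event
        city = geolocate(ip) or "unknown"
        events[device].append((when, city))
    return {
        dev: [(when.date().isoformat(), city) for when, city in sorted(evs)]
        for dev, evs in events.items()
    }


def unlinkable_requests(log_text: str) -> int:
    """Count requests that carry no identifier: with only a changing client IP,
    the server cannot tell two such downloads from the same phone apart from
    two different users, so no history can be reconstructed from them."""
    return sum(
        1 for line in log_text.splitlines()
        if (p := parse_line(line)) is not None and p[2] is None
    )


if __name__ == "__main__":
    for device, trail in travel_timeline(CONSTRUCTED_LOG).items():
        print(device, " -> ".join(f"{day} {city}" for day, city in trail))
    print("requests that cannot be linked to anyone:",
          unlinkable_requests(CONSTRUCTED_LOG))
```

Running it prints one line per identifier, e.g. install 3f9c1a2e seen in Berlin in January, Lisbon in March and Tokyo in June, while the final request, which carries no identifier, cannot be attributed to anyone. Note that the function never looks at which map was downloaded; the timeline is built from the identifier, the source address and the timestamp alone.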

@sneak I've downloaded a lot of maps of areas I've never been to. So unless they actually follow my GPS coordinates, I don't see it as "leaking travel history".

@hans this has nothing to do with which maps you download. you don't seem to understand ip geolocation.

@sneak I've read the thread on Github, and I think I understand enough to know that this kind of "tracking" isn't a problem. I don't wear a mask and pay with cash only while doing groceries because the cashier could track my purchases either.

Sure, maybe OsmAnd could work without that ID, but again, I find your claim far fetched.

@hans it’s fine if you don’t care about your own personal privacy but that doesn’t give anyone license to track people who do (and don’t consent to such tracking)

@sneak Again, I don't see this as tracking. I have a serious problem with online tracking, that's why I never visit sites like Google or Facebook, but an enterprise setting an ID to check the number of maps I download and nothing else is not a privacy concern. Not for me, at least.

It's a good thing that you told the world about this, so that people have a choice. Not going to be easy, I think, because every alternative that I know of is a far bigger privacy risk, but hey. But telling the world by calling it "spyware" and "leaking travel history" is a bridge too far, I think.

@hans that's because you don't understand tracking. it is objectively tracking regardless of whether you comprehend it as such or not. the idea that it needs informed consent is your clue.

@sneak

"that's because you don't understand tracking."

Yeah, let's go with that.

@hans if it weren't literally designed to discern one user from another, no unique identifier would be necessary.

@sneak holy moly, I will read about it tomorrow. I use this app for cycling tracking.

@sneak years ago they had a weird response against a request to allow showing tagged surveillance cameras in OSMAnd
