Homepage    |    GitHub    |    API    |    Wiki    |    FAQ

Privacy and background network calls

I am using iOS 15.1, Joplin version 12.5.3.

I use the new feature of iOS that it could record app activities (i.e. what server the app has connected to).

I discover that Joplin will connect to server "clients3[dot]google[dot]com" when I open the Joplin App.

Why is it doing that? I use dropbox as my synchronization server, so that is no point for Joplin to connect to Google server.

Anyone to clarify?

Thanks

Google has several such clientX servers. Some are used for software update checks, others for network checks etc. Since Joplin is based on Electron which uses Chromium, it could be something called from deep inside these libs. Someone else might know more?

Ref: Network Portal Detection - The Chromium Projects

Thanks for the reply.

If this is the case, there are still serious privacy concerns:

Data Leakage to Google:
We are not sure exactly what data is being transferred to Google. But I can imagine that at least some meta-data will be very likely to be transfered, for example, ip address, user agent, usage of the application (e.g. at which time user is using Joplin), Application ID.

This is just my guess. Further investigation should be investigated on what data is leaked.

Is Joplin still trustworthy on your data?
According to Joplin's privacy policy, no data is sent to any service without my consent (Joplin Privacy Policy | Joplin). This issue is a clearly violation of the policy.

I guess most people choose Joplin because of its emphasis on security and privacy. Evernote is more user-friendly and easy to use, yet I choose Joplin over Evernote because of the privacy and security concern on Evernote. Is Joplin still trust-worthy?

Suggestion to the author of Joplin:
I suggest the author to investigate on the details of this issue. For example, what data is leaked, which platform (desktop/ios/android?) is affected, any other similar leakages. A non-data-leaking / non-google-dependent / offline version of network check should be implemented instead. Or, simply do NOT claim that you would not send data to any service without consent.

Thanks

1 Like

Please provide the complete log showing that Joplin is making this request.

Glad to see more discussion about security as it is one of the reason I choose open source project over proprietary. No application will be perfect but it can be better I guess.

A quick search and a couple thing is coming up:

  • React Native Netinfo keep ping google
  • The reason is it need a server to check if a url is reachable for certain platform
  • Joplin ios might be the only affected by this

Hope more people can offer their insights as software security is not my speciality.

We investigate security issues all the time, but proper security specialists disclose such issues via email first to give us time to investigate. Coming here and making accusations is not the proper way to deal with security issues.

2 Likes

That is good to know. I think people can be sensitive when it comes to security so they can react quite strongly.

I confirm the request in iOS (15.1) logs.

First request to clients3.google.com :

{"domain":"clients3.google.com","firstTimeStamp":"2021-11-09T12:28:23.070+01:00","context":"","timeStamp":"2021-11-09T12:29:24.278+01:00","domainType":2,"initiatedType":"AppInitiated","hits":2,"type":"networkActivity","domainOwner":"","bundleID":"net.cozic.joplin"}

Second to my sync target (ok) :

{"domain":"my sync target","firstTimeStamp":"2021-11-09T12:28:25.538+01:00","context":"","timeStamp":"2021-11-09T12:29:06.570+01:00","domainType":2,"initiatedType":"AppInitiated","hits":4,"type":"networkActivity","domainOwner":"","bundleID":"net.cozic.joplin"}

Thanks for investigating @hieuthi. So it's probably due to the "Synchronise only over WiFi connection" option then, which needs to check for the type of connectivity. I'll update the privacy documents to mention this.

2 Likes

It would be interesting to have a field in the mobile app to change the default reachabilityUrl value.

Hi laurent,

Thanks for looking into the issue. Thanks for your hardwork.

I am sorry that I may be too aggressive. I am a Google hater.

I do not consider myself as a security specialist. iOS, in the latest update, offer an interface for average people to look into the network activity of each app. The network activity becomes transparent to average user (not just expert), I can expect that many APPs (not just Joplin), would face similar situation.

For the fix, apart from modifying privacy policy, my suggestion is that, if possible, do not make use of the reachability feature if the user do not turn on "sync only over wifi".

1 Like

Just 2c and I learned not to be consumed by hate, but as a consumer I try to unGoogle and deFacebook as much as possible.
Mostly I rely on ad-blockers, nextdns filtering and occasionally using Exodus (for Android) εxodus (exodus-privacy.eu.org) or BlackLight Blacklight – The Markup.

So I followed your post with interest.

I do find distinction between tracking and certain telemetry hard tho.
Or examples of Google servers for Google Fonts.

I do find it hard to draw the line sometimes though. I no longer use Facebook but I'm pretty much forced to use WhatsApp, people are slowly migrating to signal but it took long enough for people to go onto WhatsApp and now it has just become the de-facto standard here. If I stopped using it I would simply be cut off from a huge number of people who are important to me.

Then we go into other things. Is using React bad? It is facebook after all. What about using Go for a new project?

I'm not saying that the above are bad or trying to counter you here, I'm just interested at where one draws the line at cutting the likes of facebook and google out of our lives.

2 Likes

Same here .... I was in a hybrid Signal/Whatsapp situation for more than a year.
Hoping it would grow organically.

Then I went cold turkey, which led my family to switch, for pictures of (grand)children etc.
Now they are in a hybrid situation and I could stop.
But predicament stays for other people in my social graph.

And I'm still on Android which kind of makes it impossible to escape Google.

1 Like

I have seen two new domains connections from the mobile app :

A bit of diversion from the topic: would you consider renaming the thread as something less harsh?

To give you an idea, here's an example: "Privacy and background network calls"

For people browsing the forum for the first time and considering switching, the long standing topic with current title could signal a giant red flag.

For them it's impossible to say if the issue is real, if it was resolved, the author has changed their mind, didn't mean it in the first place and kind of evidence is presented. The first impression stays regardless.

Maybe you're right, and there's a problem that ought to be solved, still it would be great to attract (with the title) the people interested in fixing things rather than anger raging mob fuelled by hateful media coverage.

6 Likes

This page allows this Apple log to be decoded.

domainType

When the associated value is 1, the domain has been identified as potentially collecting information across apps and sites, and potentially profiling users. A value of 2 means that the domain hasn’t been identified as such.

"domainType":2

OCSP

OCSP stands for Online Certificate Status Protocol and is used by Certificate Authorities to check the revocation status of an X.509 digital certificate.

Start preventing things like this and TLS is undermined.

4 Likes

Thanks for the suggestion.

I would love to change the title. Yet I find that I don't have the permission to edit it. There is no edit button appear. I wonder if there exist some sort of limitation that I cannot edit the title any more?

1 Like

You are still trust level 0 (Discourse automatic community management stuff, there should be things in your PMs to explain it) so can't edit.
Any regular members or admin/moderators can change it, I'll change it to what @graphit0 has suggested, let me know if it isn't what you intended.

1 Like

Yes, sure.

Thanks for the changing.