Meshtastic

Is Meshtastic spying on users?

Meshtastic app (android) tries to connect to:
e.g.
142.250.74.202
172.217.23.234
142.250.180.234
and many others.
Google?!

I do not use Play Store and statics and crash reports are unchecked.

1 Like

Those look like Internet connectivity checks/heartbeats, so am going to guess there is no actual data being exchanged.

1 Like

Besides, isn’t the code open sourced…

1 Like

You are using a google device (Android) and you are worried about a small opensource project spying on you?

Chances are it is from one of the libraries the android app uses. And to anyone reading this, the Android app is an optional component of the Meshtastic project.

If your goal is to make the user app more private, and leak less information to the outside world any serious effort would require not using a device (smart phone) that spys on you in the first place.

If you want to make the existing apps better then you will get better engagement from the community by not posting questions in such an inflammatory way.

Why do you assume this app is doing anything unusual compared to similar apps? Why did you say “and many others” instead of posting those addresses?

And finally, the Android App can download map tiles so you have a nice picture of where the radios are. Are you sure that is not what is making the connections?

5 Likes

A quick search pops up e.g. Getting metadata from plugin failed with error: request to https://www.googleapis.com/oauth2/v4/token failed, reason: connect ECONNREFUSED 142.250.74.202:443', · Issue #1099 · googleapis/google-auth-library-nodejs · GitHub, so it looks like at least that one is used for OAuth or authentication with Google. All the URLs appear to be Google owned, so seems reasonably unlikely Meshtastic is doing the spying.

1 Like

I don’t know where those IPs belong to, but it is no secret that the app uses analytics: Possibly switching android analytics provider. Feedback requested
This only becomes an issue if you’re using an ungoogled android, because in any other case, google already knows much more about your behaviour than the app sends metrics to improve the quality of the app.
Maybe this can be communicated more transparently.

Apart from that, everyone can look at the source code and compile the app by themselves. To my best knowledge, there is no “spying” happening here.

I agree, that it is a bit counterintuitive for a project like meshtastic to have analytics enabled by default, because the background and environment communicates “off-grid”, “independence” and “privacy”. However, again, everyone using a vanilla android phone with google services already sends more telemetry to google than the app.

Yep - if anyone doesn’t want analytics, just click the checkbox to turn it off. We have analytics for two reasons:

  • It lets us know the general level of usage (but no PII) - how many users, what types of phones etc…
  • We use the “free” mapbox version which (presumably) they use their map data for analytics as well (and they require this for their TOS). Which is why if you click to turn off analytics we turn off the map (because we don’t want to run the mapbox code in that case)

I’m not opposed to other options, but we have a small number of devs (for the android app currently mostly me) and changing this is very low on my personal priority list. If anyone wants to make a clean pull-request with other options I would eagerly merge it.

I bet though that those IPs you are seeing are from some other app (or system software) running on your phone.

3 Likes

what is the reason? Statistics are unchecked.

I wrote clearly, analytics are unchecked.

No, those IP are from Meshtastic.

? what?

IPs belongs to Goggle

No, those IP are from Meshtastic.

I think you are probably mistaken ;-). But if you do further debugging and can provide evidence it is meshtastic in the stacktrace (rather than some other app or system service on your phone), I’d be super interested in helping.

You can also check the source code yourself and build it with android studio if you’d like to run it under emulation (where it is easier to see the source of any packet)

1 Like

I had also asked for analytics data to see what meshtastic was sending to Google analytics.
I’m still waiting, because I also think I need to do a research on this. Something is wrong with me, maybe it’s paranoia but I have to be sure.
With the IPs you listed I have the right material to investigate, it gave me suspicion option to investigate :grin:

1 Like

@TitanTronics oops sorry, I forgot about that. Here’s a typical recent non-fatal log from some random phone.

com.geeksville.mesh_issue_780cc733e52f4b6b51e332b21c7bb349_error_session_60BCB4CC03B1000102470A9C919C6F4E_DNE_0_v2.txt (97.7 KB)

Also, if you pm me an email address I can grant you temporary read-only access to the analytics account so you can look around :wink:

1 Like

Don’t worry @geeksville I trust your work you are doing with Meshtastic.
I want to make a request to those IPs to understand which servers respond “even if they look like IPs that are addressed to Google itself” to see what the user is talking about before making accusations.
Thanks for the analytics log and it is absolutely not necessary for me to go to the account because I am more than sure that there is absolutely nothing strange, as there is nothing strange from the analytics logs you provided, indeed the logs are super limited and focus on the connection and relationship of the bluetooth and the app itself with the lora device.

1 Like

I could be off base here, but I think the fact that Meshtastic works as intended with mobile data and WiFi switched off speaks volumes.

I did a quick research for the IPs the user had listed!
They are Google Cloud IPs.
It is usually simply the Google Cloud that takes care of the analytics located in Kansas.
The cloud hosts Google services and is not connected with meshtastic at all.
Those who think they have removed Google from their phones by installing the so-called Ungoogled android system are not saved from the Google Cloud that other apps use for analytics data :grinning_face_with_smiling_eyes:.
It must be said that meshtastic also uses the Google Cloud but I have never seen it active from the Wireshark, but I have seen a lot of apps that use the Cloud that can be confused with Meshtastic. “I have also seen that some apps use the Amazon Cloud too”
Put your souls in peace because Meshtastic does not spy on anyone and if it collects analytical data, these are extremely limited to the app or the usual errors reported by users.
And as we have seen from the logs provided by @geeksville , it is only data of Bluetooth connections and errors that can create malfunctions in the communication of the Meshtastic app with the lora device. :grin:

2 Likes

For some reason I decided it should be fairly easy to look at the IPs on netstat through termux, so followed a few days of trying to root my phone, thinking I had bricked it, accidentally wiping the os and having to installing a new one. But after all that malarky, I can confirm that meshtastic does not contact any IP addresses with the analytics disabled. Should have just tried to learn how to run it in a virtual environment, would have saved a lot of stress!

2 Likes

Haha I’m sorry for that :sweat_smile:
I leave you a link of the Null-Bytes website which proves that you can use Wireshark by connecting the phone in the wifi
Null-Byte Website: How to Spy on Traffic from a Smartphone with Wireshark « Null Byte :: WonderHowTo

Null-Byte YouTube vido: https://youtu.be/Hl0IpoS503A

2 Likes

NetGuard informs that Meshtastic app tries to connect to the mentioned Google’s IPs

Does Netguard give any other information about it?
I suspect maybe the maps that are included with the Meshtastic app.
It would be necessary to recompile the Meshtastic app with Android studio excluding the maps to understand more in my opinion.
I’ll take a closer look at it :slightly_smiling_face:

(On your phone, scan with Malwarebytes to see if you haven’t caught the Triada Malware and xHelper to make sure the IPs aren’t from malware)
“I’ll try a Netguard scan to see what it says too.”

1 Like