Post AQc8GTNMIijk1rC7TE by cliffb_infosec@mastodon.social
 (DIR) More posts by cliffb_infosec@mastodon.social
 (DIR) Post #AQZhmBoS36u5kKqWp6 by apps@toot.fedilab.app
       2022-12-13T20:21:28Z
       
       0 likes, 0 repeats
       
       To Google users, our previous beta release has been rejected. Google asked us to indicate in their privacy forms (the one displayed in the app description), that we use email addresses.They asked that because we allow to sign up with the app and there is an email field.While it's directly sent to the Mastodon server, we added that in their privacy form.With that change you should get the new release 3.11.0.But that release needs to pass a human check so it will be longer.
       
 (DIR) Post #AQZiJzK6zU2crCltWy by angiebaby@mas.to
       2022-12-13T20:26:15Z
       
       0 likes, 0 repeats
       
       @appsThank you for the update. It's my go-to mobile app now.
       
 (DIR) Post #AQZivb6bTqrykcO2Eq by potto@infosec.exchange
       2022-12-13T20:32:32Z
       
       0 likes, 0 repeats
       
       @apps Tsk tsk - your data harvesting should be as pristine as all the walled-garden social network platforms...
       
 (DIR) Post #AQZp0Edd2Z2gF6Qd96 by gryps@social.anoxinon.de
       2022-12-13T21:23:01Z
       
       0 likes, 0 repeats
       
       @appsLong live fdroid ;-)
       
 (DIR) Post #AQc1JQtZHRyRWdiyoa by mahescho@mhc.social
       2022-12-14T21:17:15Z
       
       0 likes, 0 repeats
       
       @appsF-Droid stats 3.10.0 ... why?
       
 (DIR) Post #AQc1yfqoa461mZ6O1Y by apps@toot.fedilab.app
       2022-12-14T21:37:11Z
       
       0 likes, 0 repeats
       
       @maheschoIt takes longer to build from sources and we publish very often :)
       
 (DIR) Post #AQc8GRjyNfdaxPl9RQ by cliffb_infosec@mastodon.social
       2022-12-14T22:35:09Z
       
       0 likes, 0 repeats
       
       @apps It seems that you are saying "we don't store the email or send it to ourselves, so we didn't need to disclose it". But that's old thinking. Like most modern data-centric privacy thinking (see ISACA CDPSE, GDPR, and other privacy guidance), Google cares that you HANDLE or PROCESS the email address.
       
 (DIR) Post #AQc8GTNMIijk1rC7TE by cliffb_infosec@mastodon.social
       2022-12-14T22:35:57Z
       
       0 likes, 0 repeats
       
       @apps So the fact that the email address is in the control of your app is why you need to disclose and include in the privacy policy. Contrast that with an OAuth2 Authorization Code grant where the app would redirect the user to the service via browser, the user would enter their login info directly to the authorization server, then you'd receive only a token—never handling the email address or user info.
       
 (DIR) Post #AQc8q3W9uyXiFyHISO by apps@toot.fedilab.app
       2022-12-14T22:40:09Z
       
       0 likes, 0 repeats
       
       @cliffb_infosecShould we disclose to Fdroid users that a volatile variable is using their email while alll tos and privacy policy is displayed when registering?The app is just a client with no memory for this process.
       
 (DIR) Post #AQc9clZ5SFJelasHIm by apps@toot.fedilab.app
       2022-12-14T22:43:38Z
       
       0 likes, 0 repeats
       
       @cliffb_infosecIt's Google rules, we are on Google so we did what they want. But @Gargron should have a look because they do the same and might have same issues.
       
 (DIR) Post #AQcO76pWM3e0lTvM6C by cliffb_infosec@mastodon.social
       2022-12-15T00:41:21Z
       
       0 likes, 0 repeats
       
       @apps That's your app. Not every app that has an email field is like that.Thus, it is reasonable for you to disclose the gathering and mention in your privacy policy that you don't keep it.It's the only mechanism that scales to all use cases.