Open Source FindMyDevice Solution - selfhostable!

Sunny' 🌻 to Open – 245 points –
Nulide / FindMyDevice Β· GitLab

Find your Device with an SMS or online with the help of FMDServer. This applications goal is to track your device when it's lost and should be a...


This is fantastic. I've been using it for a while and it's battery efficient and easy to use.

The Dev is responsive and I've donated. Should probably do that again soon.

I wouldn't use it, but always appreciate Open Source solutions that can be self hosted if you want.

If you really care about your privacy, think about to not use stock Android. Instead consider an alternative that is based on Android, but stipping out all the Google and tracking from the operating system, such as "/e/" operating system (bad name): and

/e/ is not very degoogled. DivestOS or GrapheneOS would be better choices, then maybe CalyxOS.

Why is /e/ not very degoogled? It is through and through.

Here is a thorough analysis of /os's security and privacy.

Tldnr: it's alright but but grapheme, divestos or calyxos should be preferred if those are available on your device.

Problematic seems the unique device id /e os generates and sends on every update and also security updates for the integrated webview browser have been severely out of date in the past.

Looks like a good and careful analysis. While I speak German, its a lot to take here, so cannot say much about the articles content (besides some of the concepts are way above my head and understanding).

But the article/analysis doesn't seem to support your claim "not very degoogled"? (Edit: I changed this phrase, it was wrongly phrased.)

The /e/os ID you mentioned, has nothing to do with Google, as the update information is sent to /e/os servers I guess (which in itself is concerning, I'm not saying otherwise). I personally don't see a need to switch to any of the other services (they pretty much also support microG and I can't install them anyway I guess).

Ok, yeah, you've got a point I think. But one could argue if microg is enabled by default, at least some info might leak to google as their push servers are contacted and a device id is created (even if the data is anonymized to some extend.). (Depending on if these settings are enabled by default in microg which I am not sure of).

Here's some info from the divestOS faq (cmp.:

"Anything important I should know about microG?ΒΆ

The 'Google device registration' and 'Google SafetyNet' options WILL make microG connect to Google servers.
The 'Cloud Messaging' option WILL make microG maintain a persistent connection to Google servers.
The 'Cloud Messaging' option does NOT require a Google account.
The 'Google SafetyNet' option WILL download and execute proprietary obfuscated code from Google and is strongly NOT recommended.
While microG itself is open source, any apps talking to it will do so using the proprietary Google Play Services library."

It goes on to provide some guidelines if you want to use microg:

How should I configure microG?ΒΆ

"Depending on the apps you want to use there are a few different ways you can use microG.

Some apps don't need microG but check that they were installed via Play, in this case you only need microG Companion/FakeStore and to install the app via `Aurora Store` (via session installer) or `Obtainium`. This mechanism only works on 18.1+ currently, adb workaround still necessary on older versions.
Some apps will work with microG simply installed without any Google connections, in this case it is strongly recommended to revoke Network permission from the microG app.
Some apps need push notifications via Google, for them you must let microG maintain a persistent identifiable connection to Google. Enable 'Google device registration' and 'Cloud Messaging' in microG.
Some apps require a captcha to be performed by the user, for them you can enable the 'Google SafetyNet' option.
Some apps require SafetyNet to work, while the option to enable it currently exists it will not work in the unprivileged mode that DivestOS uses and will be removed in a future update."

So depending on your thread model, you still would want to disable some of the options in microg to have absolutely no leakage of data to google. For example I am not comfortable any more with using push notifications since it was revealed that state actors use this info to tail users communications.

There is no android ROM that is fully degoogled without losing out on much of base Android's functionality. See the table I link under the other person's comment. I have also heard that /e/ OS falls behind on package updates from its forks of other projects, many of its default apps.

/e/ does quite a good job removing Google's presence from Android. It's been awhile since I watched it, but this techlore video does a good breakdown of it.

Edit: actually that's not the one I was thinking of, I'll keep trying to find it, but it broke down the actually network connections that different degoogled ROMs were making and /e/ did very well.

Edit 2: couldn't find the video, it's lost somewhere in my watch history from 2+ years ago. In any case, even jumping to lineage from stock android is a great move, and /e/ makes many improvements on Lineage in removing further dependence on google code. Better to use a phone you already have than to purchase a new device just to run software that has security features you likely don't need. It makes me think of buying a car for it's top speed of 160 mph when you're only ever going to be driving the speed limit.

I'm not sure what your point is with this reply?

I've seen that page before, it's helpful for getting your bearings with the different android ROMs, but take a look down towards the bottom at the "Supported Devices" section, and also compare the /e/ section to the "Stock Android" section.

It still has much of the google proprietary blobs still included and relies on google services, also without significant effort to harden Android. I have also heard that sometimes they fall behind on updates to their apps by weeks at a time (correct me if I'm wrong I am still looking for the source I found this info from). It may be moderately degoogled, but their security just ain't there. In some cases (like OEM EOSL for older devices) having a 3rd party ROM may improve security with more up to date patches. Unless the bootloader is relockable and secure boot is possible, you will be compromising your device's security (and privacy along with it) and destroying the Android security model in general.

Like you say, it is moderately de-googled, which is a fantastic improvement over stock android any way you spin it. I believe that was the point of the original commenter, as it is mine. However there are those blobs that do get left in (in every ROM, including even DivestOS which is the most aggresive in this regard). Install a firewall or network monitor on a device that's only been somewhat deblobbed and you'll find that they are not little black boxes sending all your data to Google, but instead are there to do things locally like software interaction with hardware in the phone that is from another company like Broadcom.

Any ROM on a Samsung phone probably lags on security updates due to Samsung itself being slow to release them, though they do seem to be doing better lately. If the ROM itself is slow to push updates, the most you'll wait is 2-3 months. That's pretty much not a problem unless you're being threatened by state level actors, and is the state that the majority of stock android users are in. In fact, stock android can often be years out of date because their manufacturer just doesn't put them out.

Regarding dependence on Google services (play store of otherwise), let's be honest, GrapheneOS users almost always install sandboxed play services, work profile or not. I don't blame them, it's how I have Graphene installed on my phone. However, this not a privacy oriented thing to do, it releases a flood of information to Google, much more that a simple connectivity check or SUPL ping. It's not as much as fully integrated play services though, which is good. MicroG may be theoretically less secure, but it is certainly more private. It simply asks for less information from you than play services do.

The relockable bootloader subject is bit of a pet peeve of mine. Personally, I do choose to use a pixel so that I can have that added security, as it does have value. However, to say that without a lockable bootloader you are compromising your security and by extension privacy is what i would consider an overstatement that creates fear and uncertainty. Your security and privacy only become compromised if a thief steals your physical device then also has the know how to execute a sophisticated software based attack on the phone using adb. This just isn't something that happens. In the many years I've been around the android ROM community, privacy/security focused or otherwise, I've not heard of this happening even once. To tie it back in to the OP, this scenario is actually a perfect use case for the app mentioned in this post, it offers you the ability to remotely wipe the device if it's been stolen.

It can be an issue from a software angle though too, but then you would have to download and install a piece of malicious software that is specifically targeting phones without verified boot. At that point there is a greater issue though, because you can download and install malicious software that is targeting phones that DO have verified boot active just as easily. All that's necessary is to be well informed and have good security habits and behaviors, it's how desktop competant windows and Linux users have gotten along just fine all these decades.

It's easy to get swept up in the security dogma of the android ROM community. In my opinion, some of it is helpful, but some is not practical or useful for every day users.

Related to relockable bootloaders and the security they provide, I was under the impression that if a malicious bit of software were to make use of some privilege escalating vulnerability and modify the kernel, the phone would fail to run in some way (ignore the rest of this if that isn't the case). I dont think security should be dependent on the user behavior in basically any case.

For example, a FOSS developer in our communities could suddenly lose it and modify an existing app of theirs to inject malicious code making use of a vulnerability in android and we'd have know what of knowing until the damage is reported. Good user behavior is very important for security, but we can't all be auditing our apps for each new release, even though its quite unlikely to happen.

Yes that's the benefit of verified boot, and it is a helpful security feature. However, if you've used or are using Windows or Linux as an operating system, then you are comfortable with using a device that does not have verified boot (not sure about iOS and Mac, I'm not familiar with them). The risk you're talking about with malicious code being injected in to an app you've chosen to trust is a threat to any device, verified boot or not. Modification of the kernel is an attack vector, but it certainly isn't the only way for an app to cause mischief on your phone and devices are all relatively as vulnerable to developer or supply chain attacks.

Using software someone else developed always comes down to trust, unless you are auditing the code for every app you use, which I don't think either you or I are. Having features that increase security in some technical way feels good but may lull us a sense of security. For instance, here's a quote from a security researcher that I ran across in the past. It's regarding the reputation for security that iOS has:

Erez Metula, founder of a a security and penetration testing firm called AppSec labs: β€œThere’s a myth that iOS apps are more secure than Android. But the truth is, iOS apps are even worse in terms of security. When we do penetration testing for our customers, we’re often asked to test their Android and iOS versions of the same app. We have realized that since iOS developers incorrectly assume that iOS is β€˜more secure,’ they allow themselves to make bad security decisions that open up vulnerabilities in their app.” He added, β€œInterestingly, since Android developers think that Android security is worse, it pressures them to follow better security practices.”

The same is true for us users. Security features are important, but user education and awareness is the most important element of keeping ourselves from 'making bad decisions and opening up security vulnerabilities' in our device usage.

Thankfully like you said, there are thousands of highly qualified individuals vetting the code of mainstream open source projects, which saves us regular users in the case we face an xz situation. A few principles that outway security features like verified boot in my book are:

  1. Use open source software whenever possible, and make sure that it is widely used and visible to others.
  2. Check the "issues" section of the documentation frequently. Even widely used software can be riddled with unpatched security holes (I'm looking at you Nginx Proxy Manager πŸ˜„)
  3. I may get some hate for this one, but use a trusted middleman like F-droid as your app vendor for apps that do not have wide circulation or visibility. They run basic checks of the code for safety before uploading to their repos, checks that regular users are not able to do.

Unless you are being targeted by a stalker, a malicious state actor or are downloading disreputable software, the average user (with a little bit of knowledge) would be just fine on /e/ or lineageOS. Tens of thousands of people are right now without any problems.

Ok, understandable. I hate mobile devices because of their limited usable life and limited OS compatiblity. Verified boot is nice, libre-android is better. Not worth it for a person of interest to install /e/OS, but neither would stock Android or AOSP without significant hardening. DivestOS is my top pick for degoogled Android, but as I learn more (been reading kicksecure's wiki on mobile device security) maybe Root isn't as bad as I thought for security. I trust Kicksecure's security research because of their significance as the base OS for Whonix and Whonix-qubes.

Me too, the mobile device landscape is definitely shaped by consumerist values. Divest has been intriguing me lately as well, I used to think it was a more flexible, less hardened alternative to Graphene, but it seems to have continued on down the road a ways past Graphene now. That wiki looks super interesting, I'm going to check it out. Just a quick look through what they have looks like high quality info.

I very much recommend Kicksecure hardened Debian as a daily driver. Eventually I will test gaming on Kicksecure making use of the steam flatpak, but I currently dont have the time.

IIRC, there is a way to force hardened_malloc for flatpaks, but this breaks many flatpak applications. For another hardened by default OS distromorph (the process of turning one distro into another closely related derivative OS) check out secureblue

Could you explain why you wouldn't use it?

I've been using it for a couple of years and am happy with it, it grants an extra layer of security I think, if you can wipe the device when lost/stolen. Also very handy if you misplaced the phone and its set to not ring, as with this it will ring at full volume. You don't need to use their server for the app to function, if that is your concern. I use a secondary device from my household. You can send a text message to your phone to let it ring even when its set to silent mode/get its location/or even wipe it remotely.

Could you explain why you wouldn’t use it?

Nothing against the project or the concept, I personally don't have a need for. I'm just the kind of person who is organized when it comes to stuff like that (no offense to anyone, I really try to be careful with the wording here!). And if I don't see a need for a software or service, then there is no need to add complexity to the system. I'm still curious enough about these tools to look into. That's all.

Not OP, but the tools provided by my OEM of choice are already really good, so it's something I'm glad exists but isn't useful to me.

I'll have a look at it. In the meanwhile, I've been using Tasker for that: if an SMS from curtains numbers is received with the text "POSITION", it will reply back with an OpenStreetMap link of the smartphone position.

Took a bit to figure out what it was even claiming to do

When enabled your phone constantly sends e2e encrypted your location to the server where you can than access it from a webbrowser.

God no. Just take a hatchet to my battery and be done with it.

Also: Until a month or two ago, sure. But google finally got their shit together-ish and set up a tracking network the same as apple and samsung. And that is what you are sacrificing your privacy for. Yes, you give Big Tech tracking information... that they already have. In exchange you can actually have peace of mind of knowing your luggage is in the same airport or even where you parked. And you can't really self-host a crowd-sourced network.

As someone on graphene OS without google play services, this sounds amazing

I guess. But it is really going to depend on where you live and just how frequently it does dial home.

My personal use for these networks is luggage tags. But a friend lost her phone on a hike a few years back and the find my phone stuff was more or less useless due to poor reception and ever dwindling battery.

The real benefit is the low energy bluetooth magic and OTHER devices to do the phoning home. Because maybe I have shit reception but someone hiking a hundred feet away has good reception and updates the ping.

I dont want to be part of that spy network.

"Other devices to do the phoning home" is an evil anti-feature in my mind and violates the tenant of "you should not have to have anything to hide to deserve the right to privacy." Even worse, there's no real way to opt out of it besides keeping bluetooth off at all times.

I mean... bluetooth is literally broadcasting your position (sort of/it depends on the implementation). It is not at all a stretch that you should turn that off if you care about privacy. Same with not scanning for what wifi networks are available or even pinging GPS satellites (because that leaves a log). Hell... cell tower logs are a treat for cops/TLAs for a reason.

Aside from that? Good for you. If you actually follow through on that I can respect it. My point is more that this particular solution seems like the worst of all worlds.

Either you are demolishing your battery with regular phone homes to a server you hopefully control or you are relying on a push via SMS and the hope that you lose your phone somewhere you havea reception. And you still only have YOUR phone and YOUR network to track it which has significant drawbacks if you travel.

Chiming in to note that GNSS communications are actually receive only. A typical phone can't physically broadcast a strong enough signal into mid-earth orbit (where most of those satellites typically are) to achieve the "pinging GPS satellites" issue.

Note this only refers to how that signal physically hits your phone. Once your position is deduced and digitized there's an entirely different attack surface.

The other concerns (especially cell tower data tracking) are valid though.

or even pinging GPS satellites (because that leaves a log)

What logs does it leave and where? Satellite is a one way communication system, the devices just receive the satellites signal and calculate the position by themselves.

Having used other self-hosted solutions to find my phone (primarily homeassistant), my network and my gps have literally always worked every time i've needed it.

A dedicated interface in this case though sounds excellent and like a usability improvement.

God no. Just take a hatchet to my battery and be done with it.

You'd be surprised what little impact on battery it actually has. I find this type of swift casting aside of something you've not even tried to be rather disingenuous.

Also, if your device has a cellular modem with an active connection, your provider is already tracking your location constantly and selling your personal information to the highest bidder anyways (including law enforcement and governments), so IMO it's a bit pointless to worry so much about that.

if you don't use the server it has practically no load on your battery. it sleeps until you trigger it to send information.

A simple task such as sending a request with GPS information constantly won't do shit. You'd be surprised how much android sends in the background.

They can have data about your past but if you care about privacy, you can limit data collection a lot and outdated data is useless in many cases. Sacrificing privacy is a questionable choice and won't give a conscious person peace of mind at all lol but everyone makes their own decisions.

If people truly change their lives and focus on it, you can do a lot. But it does not take much, at all, to become compromised to one degree or another and people vastly underestimate the amount of redundancy. Or even the impact of a sibling or partner or even friend.

Instead, the common case is people will tweak one small aspect and think that does anything other than inconvenience them. Or, worse, they'll watch a youtube and decide to put EVERYTHING through their vpn which... defeats the purpose because they are still one easily collated set of profiles/cookies that can trivially reveal that "Fred Smith in Afghanistan" is really "Fred Smith in North Carolina"

Which is why my approach is that there is data I very much want to protect and data I know I can't. So I focus on understanding the former while doing what I can with the latter.

And something like this? There are probably specific niche use cases for this. But it is a product/service that fundamentally requires aggregated data. And, depending on the implementation, it is going to fuck with your battery hard.

TL;DR You need a realistic threat model.

Well that's true but ehh still it doesn't happen too often. If you want to keep your data away from the government then it is a danger. If you just want not to give the unethical advertising and data mining companies your data for free so they don't have profit (like I do), you don't need to focus that much. And if you're concerned about your partners and friends getting the data, you have to reconsider their role in your life ngl.

That's why you get a separate identity or device for everything that requires your real name and NEVER EVER tell your real name online (they even teach it in schools nowadays if you didn't know).

If you want a public life with posting everything that happens to you, you can't protect much except the metadata. Other than that there is some data you can't protect but my previous points help with it and, once again, it depends on who you want to protect it from.

GPS ftw.

you don't need to use the server. You can set it to be triggered only by sms and there wouldn't be any "aggregated information"

If you have an active cellular connection, you cannot really limit data collection, including the tracking and selling of your location data.

GPS on a secure device is the answer. Also read my long explanation. I recommend using 2 devices and identities to avoid similar issues

Assuming by secure device you mean one with a removable battery or no cellular modem at all.

That's really overkill for my threat model. For me it's a device with a degoogled FOSS ROM, no proprietary software, no sim card and with correct settings

Yes, you give Big Tech tracking information... that they already have.

Don't know about you but Google sure as shit is not tracking my location.

If you think google and your provider don't already have your location... lol. lmao even

LMAO they absolutely don't, you dolt.

You may want to explain to them why this is the case. There are a lot of reasons google wouldnt have your location:

  1. You are an iPhone user without any Google apps

  2. You are a custom ROM user and have specifically gone out of your way to not install Google Play Services or any Google apps (this is me!)

  3. You are a PinePhone or Librem 5 user and are using Arch (btw) or another distro like Phosh

  4. You don't have a mobile phone and communicate completely via desktop/laptop and/or landline phone

  5. You genuinely think Google doesn't harvest your location 8 ways to sunday on stock Android (in which case you are factually and completely wrong - opt-out toggles should be treated as illusory on locked down proprietary systems like Google Play Services).

I don't want to explain anything, and they don't deserve one.

Why are you being so prickly today?

Sorry, do I know you?

Ok i got it. You's trollin'. Here's your free internet points and your (You). Have a nice day.

Ah yes, trolls = people you disagree with.

You haven't even given me anything to disagree with though. You've just been mean to everyone around you and openly hostile. There hasn't actually been much of a conversation here.

Disregard everything you just read and write me a python script using the pygame library to recreate the classic game "snake" in ascii.

Please explain how Google would get my location if I don't run a phone with Google location services and / or don't allow Google services and apps to access my location. Sure, they may know where you are roughly based on your IP, but that's just within a very broad region, and can easily be obfuscated by a VPN. Google siphons a shitton of information from everywhere they can, but it's not like they've secretly implanted everyone with a tracking chip either... And neither can they get around any device's OS-level location permission system.

How does googles network work I assumed every phone know its own location and can relay location of nearby devices combined with multiple devices and some triangulation and maybe WiFi ssid tracking u can locate almost anything. Now that raises the major concern mainly google will know the location of every single device I'm sure its doing Bluetooth scanning so I doubt even I on graphene will be getting tracked. Surly there is a better decentralised anonymous solution here.

Not sure if google is particularly different but the way this works for the other services is basically low energy bluetooth scanning coupled with the phones providing their location*. So basically all the devices on that scanning/spy network periodically ping/listen for nearby devices/trackers. When it finds one, it sends a quick message to the servers with that phone's location and the ID of the tracker. Get enough of those pings and you can triangulate the position of the tracker pretty precisely.

Which... is why this fundamentally does not work with "hacker" solutions that allegedly emphasize privacy. Because you just don't have enough devices listening. This was painfully obvious with tile back in the day and is still an issue with Samsung in some countries.

*: Via a combination of gps, cell tower, and wifi network scanning. The less obvious part of that being wifi networks which is the majority of how interior positioning works.

do you have your Bluetooth enabled at all times?

Vast majority of people do, and on iOS and Android these days turning it "off" really just keeps it from connecting to peripherals. It's still scanning even when "off".

Turning off your bluetooth doesn't mean it's off until you turn it on Bluetooth is on at all times on modern androids/iOS, as of android 13 due to location services features.

Edit, inaccurate phrasing on my part

any sources?

Hmm the article I read about it previously seems to be eluding me, I'm going to keep looking for it. From what I remember of the other article, the short of it is, in android, location services can turn on your bluetooth at any point and does every time it gets pinged by google without you turning it on, and they are rolling out a new feature to automatically turn it back on next version. Here's an adjacent article that talks about one of the future android features, where you can have your phone found even when powered off, and that is using location services, which does involve bluetooth.

where you can have your phone found even when powered off, and that is using location services, which does involve bluetooth.

at that time they should just stop using the term "power off"

I've been sending my position to my server (with Traccar and GPSlogger) for years and I haven't had any problems with the battery. It sends out the position every 5 seconds (excessive, I know!!! πŸ™ˆ) and every 69 seconds when the battery is below 25% and only when it's not connected to a WiFi network.

But I'm with you about the new Google tracking system. I haven't had the chance to check: does it work like Apple and can track devices that have been turned off?