Exodus Privacy: result of our investigation regarding reported trackers

Last Friday, an association called Exodus Privacy published reports about trackers found within Android applications, which reported that three trackers had been detected in our Qwant mobile application for Android. This was a major surprise to us as we always took care of protecting the privacy of our users, including by auditing the parts of the application that were not developed internally. Without waiting for the results of a full investigation, we decided to withdraw the app immediatly and to replace it with a brand new app with 100% open source code. It was done within a four hours timeframe.

Today we completed our investigation and we can affirm that neither the DoubleClick tracker (from Google) nor the Shibsted tracker were embedded in our app.

For now, Exodus Privacy works by using software that detects suspicious characters strings that have the same name as pre- identified trackers. In our case, they detected :

  • url”: “schibsted.com” in a file called selectors.json
  • “.doubleclick.com” and “doubleclick.net” in the Crosswalk open source library

Our investigation shows the “Schibsted.com” characters strings was detected in our code because Shibsted, which publishes a website that enables people to sell and buy things, was added in a list of preinstalled shortcuts (favorites) in the embedded third party browser, dedicated to secure shopping. It was just a URL. Nothing more. There was absolutely no code that would have enabled Schibsted to track our users. The Crosswalk library was implementend to display the Android Webview, which is the very basic web browser offered on Android devices. It includes code that enable Google to activate special features for its own domain names only. It did not enable to track your browsing activity.

We did however use the Crashlytics services, which was also identified as a tracker by the association. We used it to receive technical information about crashes that required a fix. It was a very useful library, that we implemented before it was sold to Google. We made the decision not to use it anymore.

Although Exodus Privacy was wrong in saying we had 3 trackers in our app, we still believe their work is important to educate people about what applications do that can harm their privacy. We will offer all the help possible to improve and maintain their reporting efforts.