Why is /e/OS still using cleanapk.org? (And passing users ip addresses)

The old /e/OS Apps app store used to source app apks from cleanapk.org. A number of concerns were raised and many of them were answered and addressed. /e/ appeared to recognise that using an anonymous website was less than ideal for a privacy-friendly OS, and in March 2022, in a long post about /e/'s product roadmap for 2022 , @GaelDuval wrote about a new app store:

We will also soon be offering a much larger and transparent access to
mobile applications, with our new application installer called “App
Lounge”. On this aspect, even if we didn’t have a single case of
tampered application during the past three years, we’re progressively
abandoning our dependency to the “CleanAPK” service. CleanAPK is
still going to be used momentarily for the catalog of apps coming
from F-Droid and Progressive Web Apps, but will be totally abandoned
this year.
(my emphasis)

18 months on however, we can see that App Lounge is still using

CleanAPK API from CleanAPK

According to the API documentation available at https://info.cleanapk.org/, the CleanAPK API offers HTTP GET operations. As I understand it, the HTTP GET Header field will include the ip address of the callng client in the RemoteAddr field. So App Lounge will be passing users’ ip addresses to cleanapk.

One of the original issues raised with respect to cleanapk was about lack of information about the site, whether it was/is GDPR compliant, and, specifically,

Who is the legal organization behind cleanapk.org?
What law applies, French, German, Indian, other?
What is the postal contact address and name?

Another quick search does not reveal any new information to answer these questions. So I have the following questions

  1. For what purpose does App Lounge currently use the cleanapk API?
  2. Does /e/ still intend to “totally abandon” using cleanapk?
  3. If so, what is the proposed timescale
  4. If not, is the advice to users who do not wish to have their ip addresses sent to cleanapk still as @Manoj stated

If you are still not confident please use any other repository like FDroid or Aurora store or any other which you feel is secure for your app downloads.

Thanks for any responses

8 Likes

Let me check on this and get back with the response.

The response I got from the team is that it is only used for Open Source applications at present.

I thought those came from F-Droid?

The development to fetch the apps from Google took months. For now with other priority tasks ahead in the queue the team is utilizing CleanApk for opensource apps. The development of an interface to fetch open source app without cleanapk in the middle will take some time and more importantly will need to be planned against resource availability.

Me too. Well, back to F-Droid…

1 Like