I thought I’d take a look at his app and dig around a little. It appears to incorporate Google Firebase with hundreds of APM and FIR tracking classes I couldn’t begin to count.
It also incorporates Crashlytics, which is yet another tracking company that was bought by Google. So the app logs data and shares with these each of these parties, including directly to Google servers.
One of their many features enrolls tracking identifiers (a UDID) into the keychain, which is like a so-called “super cookie”. You can’t remove these, most people don’t know it exists, and it will persistently track you across apps and isn’t removed even if you uninstall his app. The only way to clear your keychain–for an ordinary user–is to reset the device and not use a backup. There’s
I’m seeing connectivity to servers run by the dev, including apollogur.download (search says it’s some sort of caching server, so I believe he may be proxying data between other servers and your device); apollopushserver.xyz; app-measurement.com; some misc connections to amazonaws.com probably for the third party tracking; and numerous Google domains.
So those of you who believe pi-holes and hosts blocking makes you secure, have fun trying to accomplish that when they route it through AWS and Google servers. You can’t actually host block Google because they’ll often rotate these around over generics like api.google.com, so you either IP block every subnet they own or things will get through.
Note that he has a “disable crashing reporting and analytics” setting in the app. It does not actually disable these things.