
> Firstly, the WiFi logic is probably entirely handled by Android, so the app doesn’t have to do anything with that.

The app handles the process of connecting to a WiFi network.

It doesn't have a standard Android interface. The only interface is through the Rabbit app, so by definition the app must also handle WiFi at some point.

They already released an update to reduce logging before this blog was posted.

I'm not defending their initial over-logging as a good security choice, but I do think it's being greatly exaggerated in this comment section. If you could access the device's storage, you could access the WiFi network name, period. The fact that it's in the logs, not just the config files/db, doesn't raise the severity of any vulnerabilities.




Sure, the app includes a UI to select a WiFi. That’s not what we were talking about though, right? You made the point that the System needs to store known access points, but that is probably still handled by the OS. The app only queries available access points and tells the OS to connect to one if the user clicks on it.

Also, logging WiFi connections theoretically does raise the severity of vulnerabilities because it stores metadata you wouldn’t have if you only store all access points you ever connected to. If you have an access point called “tabledance gentleman’s club guest” in your access point list, I know you probably went there once. If you’ve been married for a year and I see that you still connect to it every Saturday evening, that’s a lot more sensitive.


> It doesn't have a standard Android interface. The only interface is through the Rabbit app, so by definition the app must also handle WiFi at some point.

Per the article, this is a new development. It originally shipped with the Settings app, albeit hidden. They could have easily linked to the WiFi page; I have a hotspot which does just that but overall obscures the Settings page away.


The article also explains that the log issue was fixed a week before this article was posted, but it’s buried at the bottom.

> They could have easily linked to the WiFi page;

The device has an extremely small display and no keyboard. The stock WiFi settings app would not be a good experience.


[flagged]


If they're not paying you, they certainly should be.

Accusations of shilling for a company are not only uncalled for; in my eyes they greatly weaken your argument because I will have to assume that all you have left are ad hominems. Let your arguments stand on their own and leave the insinuations out of it.


You don't have to assume that. It's perfectly possible to mix ad-hominems with valid points.


I don't care about ad hominems. But we have to outgrow calling someone a shill just because they apply some critical thinking rather than jumping on a bandwagon.

It's basically saying that someone shouldn't care how weak your claims are because it's a business you're wrong about.

It doesn't work against people who care about the truth.


It's perfectly possible to mix valid points and yelling at people in the subway, but it's still quite useful for one's attention to assume that those who do the latter aren't likely to be making an honest effort at the former.


Way over the top commentary from you, I was already shaking my head before this round.

It was unkind of you to write up an elaborate accusation just because you felt frustrated.

There's one very obvious reason why they don't use the Android Settings app: it's built for displays at least 2x as tall. (some of the dozens more in [1])

Additionally, a major point of frustration for you seems to be a perceived refusal to admit there's no reason to send WiFi info to the server. TFA doesn't claim they are. Just logged locally in files.

Note everyone along the way clearly said "this is bad and I don't like it" along with facts they were trying to communicate --- it's really annoying to have to add those disclaimers because people might be on edge, I can't imagine how frustrating it was to add them and still get the personal attack.

source: I have no love for Rabbit. I left Google in October to found an AI startup. At Google, I worked on Android for several years.

[1] it's unskinned, has a bunch of unnecessary settings, would complicate it with legacy nonsense in what was sold as simplification of legacy nonsense, and they're using something that makes it the face of the device (setting their APK as launcher? kiosk mode?). I can't think of a single OEM that says "hey just go to the settings app to set up wifi".


> And in some cases sent it to their servers.

Where do you see that they're sending it to their servers? The article doesn't say that WiFi names were sent to the servers.

> You're also going out of your way to defend Rabbit in this thread, with several multi-paragraph posts rebutting the same things. If they're not paying you, they certainly should be.

No, I'm just correcting misinformation in this comment section. Some people are apparently only here to pile on Rabbit regardless of the truth, but the rest of us are actually curious about the facts of the situation.



