Stories feature has huge privacy implications

[krille-chan]

Description

I'm using Fluffy Chat on Android from the Fluffychat Fdroid Repo. F-Droid shows version 1.2.0 as recommended, so it was automatically installed by the F-Droid update feature. It looks like this is a beta release, why is it marked recommended in F-Droid?

Anyway, back to the topic. I didn't know what the Stories feature was so I tried it, not knowing what it would do. I expected it to somehow broadcast my stories to my contacts in a way that wouldn't disclose all my contacts to each other. This is not what happened.

Using a different client, I wanted to see how stories were shown for non-fluffy-chat users. I was shocked to see that Fluffy Chat had created a single new room and invited all my contacts into it. Now all my contacts know who I'm in contact with, even though they don't know each other. They were thrown into a chat group with random strangers, from their point of view. Also, I am very much not comfortable with disclosing all my contacts to, well, all my contacts. This is a severe privacy issue, possibly even with legal issues attached (GDPR won't be amused).

Also, some of my contacts declined the invitation to that room. With each next story I sent, they got spammed with another invite to the same room. Fluffy Chat should not do that. Declining an invite to a story room should be detected and respected and new invites should not be sent. Fluffy CHat doesn't clearly communicate this in the UI so I didn't know I had to un-check the checkbox of the contacts that declined the invite.

Steps to rectify this:

1. Do not mark alpha or beta releases as recommended on F-Droid!
2. Unstable features should have a really obvious warning message explaining details and implications.
3. Unstable features that are shipped with "recommended" releases to F-Droid should be hidden behind an opt-in in some advanced settings screen.

To Reproduce

See above.

Additional information:

• Device: Shift6mq
• OS and OS version: ShiftOS L (google-free, Android 10)
• Installed version of FluffyChat: I'm using Fluffy Chat on Android from the Fluffychat Fdroid Repo. F-Droid shows version 1.2.0 as recommended and installed. In the app details (phone settings), it shows version 1.3.8.sc47.
• (Android only) Which store are you using:
• (Android only) Are Google Services available: no

[github-actions]

This issue is stale because it has been open for 120 days with no activity.

[github-actions]

This issue was closed because it has been inactive for 14 days since being marked as stale.