[Help Wanted] Windows app connects to Google ip

[frps]

I get an alert from firewall that standard notes.exe is trying to connect to Google ip address on 443 port.
As far as I understand SN infrastructure is located on Amazon services so the question is what is the reason for contacting Google servers?

[JaspalSuri]

Hi @frps,

Are you using any third-party themes, editors, or other extensions that might connect to Google's servers? You might be able to check this via the desktop app's menu button/bar > View > Toggle Developer Tools > Network. Have you set up an automated backup via the CloudLink extension to Google Drive? While the backups aren't sent from the app, (and although unlikely) it might be the reason why it's showing and I'll look into it further.

IIRC, the only things the app would connect to is our servers on AWS, Bugsnag's (only if you've opted-into error reporting), and GitHub's (for updates).

[frps]

Are you using any third-party themes, editors, or other extensions that might connect to Google's servers?

I don't use anything that is not included in "standard-notes-3.5.18-win.exe"
This is the new app installation and account registration. No additional components were installed. Update checking disabled. No other settings have been changed.
Does it mean the app contain "third party themes, editors and extensions" by default?

Developer Tools > Network

I see only the sync worker there.

Why does the app silently connect Google without my permission or notifying?

Screenshot

IP info

[JaspalSuri]

Does it mean the app contain "third party themes, editors and extensions" by default?

No, not at all. I was just wondering if you had downloaded any extensions from the community. Thanks for sharing the details of your setup and the screenshots.

I checked with a firewall application named GlassWire and it did not pick up a connection between Standard Notes and Google. LittleSnitch on macOS doesn't show any connections to Google's servers's either. Which firewall app are you using (if it's not the one provided by Windows)? I'll reach out to dev team so that way they can look into this further.

[frps]

WFC Version 6.4.0.0
It's a control interface for the Windows firewall.

Here is the list of registered outbound TCP connections that is not DNS:53

54.158.44.25 Amazon
52.2.165.240 Amazon
140.82.121.4 Github
142.250.186. Google

[JaspalSuri]

Hi @frps,

I haven't been able to reproduce this so far. I've only seen two connections to Amazon. As much as I like Malwarebytes, the program doesn't appear to be very intuitive as you have to constantly refresh the log and hope to capture an instance of the application making an outbound connection. Can you provide a list of steps of what you're doing to consistently reproduce this?

Also, just to make sure, you've downloaded the desktop application from our Home Page (technically through GitHub), correct?

[frps]

The app is downloaded fromhttps://standardnotes.org/extensions?downloaded=windows
redirect to => https://github-releases.githubusercontent.com/....
There are no steps to reproduce this. I just blocked outbound connections to Google
and allowed to Amazon and dns server.

I am deleting the app from PC and iphone since I didn't get any explanation what is going on and what kind of data has been transfered to the third party (Google).

[moughxyz]

We don't connect to Google. Without replication steps/more user reports this is just a local issue on your end. Could be an image you've embedded into a note the app is trying to load from an external source, for example. Could be a proxy on your system, a VPN, or some other app running on your system interfering with network connections.

[frps]

a local issue on your end

No. And here's the proof.
Below is a quote from the automated sandbox malware analysis report for Standard Notes 3.5.1 (not the latest version since there is a size limit of 100 mb for Falcon free tier).
This time my local PC was not involved in any way. They run a virtual windows machine on their servers.

"Sends traffic on typical HTTP outbound port, but without HTTP header

details
TCP traffic to 140.82.114.3 on port 443 is sent without HTTP header
TCP traffic to 172.217.3.206 on port 443 is sent without HTTP header
TCP traffic to 185.199.108.154 on port 443 is sent without HTTP header
source
Network Traffic"
https://www.hybrid-analysis.com/sample/a157e5aaf75a992662c2d916788bfce8c0d2a9b7083088b0a8f8ae4c4bb49364/603cfc23a5d74200765aacb3

Screenshot, just in case.
Another screenshot.

140.82.114.3, 185.199.108.154 - Github, no problem
172.217.3.206 - Google - ????
IP Location United States Of America Mountain View Google Llc
https://whois.domaintools.com/172.217.3.206

And it would be nice if someone could explain why the app with a focus on privacy makes some silent connections to the Google servers.
I don't say the app is malware, I am just asking what is going on.

[moughxyz]

It looks like this maybe Electron downloading dictionary files: https://www.electronjs.org/docs/tutorial/spellchecker#does-the-spellchecker-use-any-google-services

@baptiste-grob can you confirm? If so, we might want to self-host these files.

[arielsvg]

Yes, this must be Electron downloading dictionary files off the Chromium CDN.

[frps]

I think it would be nice to ask user permission to make any side downloads.
The silent background network activity is a sign of spyware and not a good practice for software with accent on privacy and security and should be avoided.

I am also aware of temporary ban of Firefox add-on just for automatic downloading internal bookmarks favicons from Google.
https://addons.mozilla.org/en-US/firefox/addon/my-sessions/ - now there is a separate option for that with red alert background and it is disabled by default and they move from Google to DuckDuckGo also.
Screenshot
And I am glad they (Mozilla and add-on author) care.

[moughxyz]

I definitely agree it's not a good look. We're discussing this internally to see what might be the best solution. Will keep this thread updated.

[frps]

Thank you for your reply.

I think that dictionaries rehosting is not a perfect solution because "the Google" is a part of the problem but not the main part. The primary task is stopping of unauthorized background activity and ensuring full transparency. This also applies to Github connections. Any network traffic other than db synchronization must be explicitly authorized by user. The less the program has in common with spyware, the better.