←back to thread

Google flags Immich sites as dangerous

(immich.app)
742 points janpio | 7 comments | 22 Oct 25 20:53 UTC | HN request time: 0.644s | source | bottom
Show context
NelsonMinar ◴[22 Oct 25 23:29 UTC] No.45676467[source]
Be sure to see the team's whole list of Cursed Knowledge. https://immich.app/cursed-knowledge
replies(5): >>45676661 #>>45677766 #>>45677816 #>>45678252 #>>45679167 #
1. nemothekid ◴[23 Oct 25 03:08 UTC] No.45677766[source]
Some of these seem less cursed, and more just security design?

>Some phones will silently strip GPS data from images when apps without location permission try to access them.

That strikes me as the right thing to do?

replies(5): >>45677942 #>>45677957 #>>45677969 #>>45678369 #>>45679345 #
2. gausswho ◴[23 Oct 25 03:42 UTC] No.45677942[source]
Huh. Maybe? I don't want that information available to apps to spy on me. But I do want full file contents available to some of them.

And wait. Uh oh. Does this mean my Syncthing-Fork app (which itself would never strike me as needing location services) might have my phone's images' location be stripped before making their way to my backup system?

EDIT: To answer my last question: My images transferred via Syncthing-Fork on a GrapheneOS device to another PC running Fedora Atomic have persisted the GPS data as verified by exiftool. Location permissions have not been granted to Syncthing-Fork.

Happy I didn't lose that data. But it would appear that permission to your photo files may expose your GPS locations regardless of the location permission.

replies(1): >>45678762 #
3. serial_dev ◴[23 Oct 25 03:44 UTC] No.45677957[source]
I think the “cursed” part (from the developers point of view) is that some phones do that, some don’t, and if you don’t have both kinds available during testing, you might miss something?
4. _ZeD_ ◴[23 Oct 25 03:47 UTC] No.45677969[source]
How does it makes sense?
5. monegator ◴[23 Oct 25 05:16 UTC] No.45678369[source]
It's not if it silently alters the file. i do want GPS data for geolocation, so that when i import the images in the right places they are already placed where they should be on the map
6. krs_ ◴[23 Oct 25 06:18 UTC] No.45678762[source]
With the Nextcloud app I remember having to enable full file permissions to preserve the GPS data of auto-uploaded photos a couple of years ago. Which I only discovered some months after these security changes went into effect on my phone. That was fun. I think Android 10 or 11 introduced it.

Looking now I can't even find that setting anymore on my current phone. But the photos still does have the GPS data intact.

7. sofixa ◴[23 Oct 25 07:52 UTC] No.45679345[source]
> That strikes me as the right thing to do

Yep, and it's there for very goos reasons. However if you don't know about it, it can be quite surprising and challenging to debug.

Also it's annoying when your phones permissions optimiser runs and removes the location permissions from e.g. Google Photos, and you realise a few months later that your photos no longer have their location.