Security section does not address if there are any defaults for publishing about booklet HOT 10 CLOSED

Can you clarify the problem?
The apps do not report locations to a broker/endpoint per default, hence there is no documentation about that.

from booklet.

It seems that some other apps do report to demo servers by default. So adding a line in the security section that says:

"Both the Android and iOS apps will not report location to anywhere until the user explicitly configures a server to publish location to."

would address what I am asking. I'm glad to hear that this sounds true.

from booklet.

Which 'some other apps'?
Which 'demo servers'?

This is OwnTracks. There are no surprises. You get what you ask for when you configure it, and you get it where you tell the apps to send it to.

from booklet.

See the text at https://apps.apple.com/us/app/traccar-client/id843156974

That's great that there are no surprises. I would just like to see affirmative documentation of security properties, and nothing configured by default seems on a par with TLS and access control.

from booklet.

Why do you bring Traccar into this? This is OwnTracks.

from booklet.

I avoided doing so until you asked.

Once one is aware that an app might have a preconfigured server, it is a fair question to ask if owntracks does. Many people in the world seem to think that convenience and immediate demo are a good thing. Obviously you think that sending data without permission isn't ok, and owntracks behaves correctly. I am simply asking that the security documentation, which has the purpose of explaining the security properties of the system, note that this desirable security property holds. (Most of my motivation is to understand owntracks behavior, but I also would like the app world to have security specifications.) I don't understand why asking for a sentence to be added where it might help others is an objectionable request.

from booklet.

I don't understand why asking for a sentence to be added where it might help others is an objectionable request

It is not, we were just a bit puzzled about the issue. It read as if we were sending location data without the user consent ;)
The booklet is also on Github, we're very happy to accept PRs for any improvement to it.

from booklet.

Thanks - see #47

from booklet.

Merged, thanks.

from booklet.

Thanks for the discussion and for merging my change. Sorry if I sounded accusing -- I was just trying to point out something missing from the docs without presuming which way it actually was.

from booklet.