[bilalq]

It's a good question. The app doesn't look fully open source, but I suspect they'd have to. Currency conversions aren't fixed, after all.

[coldtea]

Wouldn't that just require an incoming list of up-to-date currency conversions (fetched on each run, and perhaps cached for an hour or so)?

They could do those even without the user asking for any currency calculation -- so in practice no data would ever leave to show anything about actual queries (which would be the case if you e.g. wanted to calculate X euro in yen and they asked for the current euro/yen values only).

Plus, you can add it to Little Snitch or some free such, and it wont be able to do any talking anywhere.

[bilalq]

An hourly cache may not be up-to-date enough for many use-cases. But sure, let's say you have some caching on a timed interval and those are all the requests you see. Unless you block all outbound requests from the app, you still can't guarantee it's not reporting on you.

Imagine if you saw a header on the request that looked like:

``` Authorization: Bearer A17b2C23kd231h12309 ```

That might look totally safe/normal at a glance. It's just an auth header, right? But who's to say there isn't extra info embedded in there? Maybe "A" means a conversion between USD to Euros and the number after it refers to the number of times such a query was made in the last hour. Maybe the letter after it is a signal for the order of magnitude of the largest unit amount (tens, thousands, millions, etc).

I have little hopes for end users (including myself) from ever being able to reliably confirm/disconfirm the privacy impact of closed source apps unless network access is completely cut off. Even if I monitored requests in Little Snitch, who knows what clever encoding schemes can be used to leak out data through requests that appear benign. That's not to say it's not useful to do so (many, if not most malicious apps like that would probably not bother to cover their tracks that well).