from mxdcodes@lemmy.world to selfhosted@lemmy.world on 12 Apr 08:56
https://lemmy.world/post/45500976
Hi there,
recently there has been a post here about Colota and thought you might be interested in a short summary about Colota.
I am tracking my position since several years now mainly with Owntracks (and now Colota) and a simple postgres DB/table.
I am a fan of the indieweb and eat what you cook and with already some million location points collected I recognized some pattern in existing GPS trackers I wasn’t happy about:
- Battery consumption
- Duplicate points while staying in the same location for a long time
So I decided to build my own GPS tracker and called it Custom Location Tracker.
Improved battery consumption should come from disabling GPS entirely in so called “geofences” which are basically circles you draw on a map in the app. With GPS disabled in these you also won’t get duplicate points while staying at e.g. home or work.
The app is still quite new (actively developed since early 2026) but has already quite a lot of features which basically all came from user feedback. E.g.:
- Automatic Tracking profiles which apply different tracking settings while e.g. being connected to Android Auto, moving slower than 6km/h or while the phone is currently charging.
- The app works fully offline (map will not be visible then) but you can predownload map tiles from a tile server I selfhost or use your own tile server.
- You can define how locations are synced to your backend. E.g. only for a specific Wi-Fi SSID every 15min, once a day or with every location update.
Overall the app’s focus should move to be a mobile location history app. So basically Google Timeline in a mobile app which also supports selfhosted backends (as backup).
The app is fully open-source AGPL-3.0, has no ads, analytics or telemetry and only sends data to your own server (if you want to).
You can download two versions.
- Google Play store which uses Fused Location Provider and therefore uses Google APIs. Also works with the sandboxed version by GrapheneOS and microG.
- FOSS version which uses Android’s native GPS provider with a network location fallback. Available on IzzyOnDroid and hopefully someday on F-droid.
Both can be also downloaded directly from the repo.
threaded - newest
Thank you for sharing. Is this information encrypted? Doesn’t seem safe to use without that…
All location data is stored locally on device in a (unecrypted) SQLite DB. Auth headers (Bearer tokens, Basic auth) are stored using Android’s EncryptedSharedPreferences. HTTPS is enforced for all public endpoints. HTTP is only allowed for private/local network addresses (192.168.x.x, etc.) for self-hosted setups. For a app where the user controls both endpoints, I think that’s a reasonable tradeoff (colota.app/privacy-policy/). Probably makes sense to also mention that in a separate page in the docs for easier overview. Thank you for the question.
I absolutely agree with you. Such private data should be End-To-End-Encrypted.
I also agree with you both that location data is definitely personal data that should be protected. However, Colota stores data only on your own device and it’s never sent anywhere unless you configure a server and that server is out of Colota’s reach. End-To-End-Encryption doesn’t apply here since Colota is just one endpoint sending to the user’s own server. There’s no third party to encrypt against.
Colota is also meant to be an app which supports several “Google Timeline” alternatives like Dawarich, Reitti, Geopulse, etc. All these backends would have to support the same decryption which Colota offers, which is not realistic. You can also specify that data is only sent via an active VPN connection or just use it offline and use the built in file export as e.g. geojson.
Also Colota is a free and open source project. You can review the full source code to verify how your data is handled.
If the target server is compromised or taken by LEA the data is gone.
Laying the responsibility into the hands of the user is not ok for such an data aggregating service. Such highly critical, private and intime data should be protected and secure by default.
Not even transport encryption is enforced in the project. At first glance, http is allowed on local connections?!? Generate a self signed SSL cert on start and pin it in the app. Easy.
It is no excuse that other services do not follow these state of the art protection measures.
That’s true for any client that sends data to a server including your browser, email client or any other app. Colota doesn’t operate a server. If you’re concerned about server compromise, that’s a server-side hardening question (disk encryption, access controls, etc.) that’s outside the scope of a client app.
Colota is not a data aggregating service. It’s a local-first app. By default, no data leaves your device. You choose if and where to send it. That’s the opposite of aggregation. It’s the user being in full control, which is exactly what self-hosted software is for.
It is. HTTPS is enforced for all public endpoints. HTTP is only allowed for private/RFC1918 addresses. Forcing TLS on 192.168.x.x would require every self-hoster to set up certificates for their LAN, which is a real barrier for the target audience. Colota already supports self-signed certificates if you install the CA on your device.
I didn’t say that as an excuse. I explained why a client app that supports multiple independent backends can’t enforce payload encryption. Each backend would need to implement the same decryption. That’s a technical reality, not a lack of care about security.
Also again, a server is optional. It works offline and you can just export files with the data from the app.
Most projects in the self-hosted space put the load of transport security on the user or another system, including big ones like Immich.
Not sure why you’ve chosen to be indignant about this particular implementation.
We are talking about a tracking App. Most selfhosted projects do not store such private data. You may can mage the argument for immich but only for ppl who take a picture every 5 min.
That is patently not true, in the self-hosted space or otherwise.
If you want to take some kind of the security stance on pii or other personal data, you may want to take a look at the app’s workflow first before making declarations of “inadequate security”. There are other considerations than simply slapping a self-signed cert on data in transit (or at rest, for that matter). URL encoding, secrets management, api structure, etc.
If you want to architect the security of your data using this app, it is much easier to simply encapsulate or encrypt the transport yourself. A VPN would be fine. An authentication proxy would be another.
Ultimately, your comments on security here need more and better context to meet a reasonable threshold of confronting the dev on it.
I’ve been using this for a few weeks and it’s great. In addition to offline-first, it would be nice to be able to ask Colota: List my trips between date1 and date2 when I was near (ie within x meters from) point y.
I am planning to use this for a long time too, so an export/import data for when I change my phone would be nice. I see Export but not Import.
Also, being able to delete rips between trips between date1 and date2 would be useful. Currently, you can delete 1-by-1 or recent trips only.
Glad it’s working well for you!
Why a dedicated backup server instead of just backing up to a local file that can then be backed up to a service of choice?
Also for profiles, it would make more sense to use Bluetooth to detect a vehicle or WiFi to detect when you’re home vs. Geofencing or Android Auto or speed. How can it tell when you leave the geofence if the GPS is off?
Probably phrased that wrong. There is no backup server. Users can create and add one if they like.
Colota offers out of the box file export (csv,geojson, gpx and kml) and supports hive_partitioning via variables in the endpoint (colota.app/docs/configuration/server-settings#url…).
Colota already uses WiFi for home detection (WiFi pause in geofence zones) and Android Auto/car mode for vehicle profiles.
GPS is only turned off by being connected to a WiFi or being motionless (or both) while being in a geozone. When wifi disconnects or/and motion is recognized the GPS starts again.
Bluetooth detection is the one thing that doesn’t exist. It could be a useful addition. I will note that. Thank you for the feedback!
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
6 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.
[Thread #235 for this comm, first seen 12th Apr 2026, 12:40] [FAQ] [Full list] [Contact] [Source code]
How to tell when you leave the GPS-off area?
GPS is only turned off by being connected to a WiFi or being motionless (or both) while being in a geozone. When wifi disconnects or/and motion is recognized the GPS starts again. There is also an option to just not record locations in a geofence but then the GPS stays on and will still drain some battery.
Ah, got it. So you need WiFi if you want to reliably turn off GPS, that is a good solution.
In addition to wifi, Bluetooth beakons would be good too.
Seeing the same SSIDs (eg in a cinema) might also mean you are not moving, but then how can you tell you are not sitting near another train passenger with their hotspot on?
Yes, another user also already requested this (“Seeing the same SSIDs (eg in a cinema)”). Detecting reliable if you left an area without GPS is never 100% fool proof (e.g. airplane mode turned on or maybe the motion sensor is not even available) so I guess it makes sense to combine different sensors. Seeing same SSID and bluetooth is definitely on the test it out list.
Looks like a good starting point for municipalities implementing live bus location maps.
Can you port this to ios app store?
It’s using react native so it’s definitely possible. Currently it’s not planned, but it’s also not off the table forever (colota.app/docs/faq#is-there-an-ios-version)