anon’s guide to actually supporting privacy:
> donate to tools you use instead of just complaining they need money
> contribute code if you can, documentation if you can’t
> use private money (cryptocurrency, cash)
> tell normies about alternatives without being insufferable about it
> work for companies that aren’t surveillance machines
> push for legal protections because tech alone won’t save us
privacy isn’t a product you buy, it’s an economy you build
After months of quietly adding to it, the Tools directory on my site is at a point I'm willing to call v1.
125 tools across 46 categories. Everything here is something I actually recommend, evaluate, or point people toward.
No affiliate links, no sponsorships, no pay-to-rank.
Each entry is meant to help you compare options fast, see the tradeoffs, and pick something that fits a real threat model instead of a vibe.
What it optimizes for: privacy by default, transparent security practices, day-to-day usability, and a strong fit for threat-model-driven choices.
I know it isn't complete. That's the point of shipping v1. A few categories are thin and a couple are missing entirely, and I'd rather hear what you reach for than guess.
So: what's the one tool you'd be annoyed to not find here?
Project link below.
You don’t need uBlock Origin on Brave.
Shields is built into the browser, so it isn’t constrained by Manifest V3. It runs on Brave’s open-source Rust adblock engine and covers network blocking, cosmetic filtering, resource replacement, CNAME uncloaking, and uBlock Origin syntax. It pulls from EasyList, EasyPrivacy, uBO’s own lists, and Brave’s internal lists.
uBlock Origin’s own docs say not to pair it with another content blocker.
Every extension expands your attack surface.
‼️ Google is about to disable all adblocker extensions in Chrome. Instead of letting the adblocker inspect traffic itself, extensions now have to hand Google's browser a limited list of filtering rules and hope for the best. This leads to weaker blocking and more ads getting through.
Google makes the vast majority of its money selling ads. The company that profits from every ad you see also controls the browser most people use, with Chrome 149 being the last version supporting adblockers.
For example, under the new rules, uBlock Origin cannot exist. For millions of people, that extension is the only thing standing between them and a wall of ads, trackers, and autoplay garbage. One user put it bluntly: "The web is literally unusable without uBlock Origin."
@Brave Shields is not a Chrome extension.
Manifest V2 and Manifest V3 are extension API models. Brave Shields are native browser-level protections patched directly into Chromium and powered by Brave’s Rust adblock engine, adblock-rust. That means Google restricting extension APIs does not weaken Shields.
This is why the CNAME uncloaking point matters. A normal Chromium extension cannot replicate Firefox-style DNS-level CNAME uncloaking because Chromium does not expose the same DNS API to extensions. Brave can do CNAME uncloaking on Chromium because Shields are native.
Same idea with resource replacement. Shields can block and replace problematic scripts with stripped-down, more private versions so pages still work. The goal is strong privacy defaults without forcing users to become filter-list maintainers.
Brave does still provide best-effort MV2 support for a specific set of privacy extensions: uBlock Origin, AdGuard, NoScript, and uMatrix.
For most users, the durable recommendation is Shields.
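To make the CNAME uncloaking point concrete, here is an added example (not from the original posts and not Brave's adblock-rust code) that compares a filter check on the requested hostname alone with a check on the full CNAME chain. The DNS records, the blocklist entry and all function names are constructed for illustration; a real implementation gets the chain from the resolver.

```python
# Constructed sample data: CNAME records as a resolver would return them.
# Every name is a placeholder under a reserved example domain.
CNAME_RECORDS = {
    "metrics.shop.example": "shop.collect.tracker.example",
    "shop.collect.tracker.example": "edge-7.tracker.example",
    "cdn.shop.example": "shop.cdn-provider.example",
    "loop-a.shop.example": "loop-b.shop.example",
    "loop-b.shop.example": "loop-a.shop.example",
}
BLOCKED_DOMAINS = {"tracker.example"}  # constructed filter-list entry


def cname_chain(host, records, max_hops=8):
    """Follow CNAMEs from host; stop at a terminal name, a loop, or max_hops."""
    chain, seen = [host.lower().rstrip(".")], set()
    while chain[-1] in records and chain[-1] not in seen and len(chain) <= max_hops:
        seen.add(chain[-1])
        chain.append(records[chain[-1]].lower().rstrip("."))
    return chain


def blocked_by(name, blocked):
    """Return the blocked domain that name equals or is a subdomain of, else None."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # match on label boundaries only
        if candidate in blocked:
            return candidate
    return None


def decide(host, records, blocked, uncloak=True):
    """Return (verdict, matching_name); uncloak=False checks only the URL host."""
    names = cname_chain(host, records) if uncloak else [host]
    for name in names:
        if blocked_by(name, blocked):
            return ("block", name)
    return ("allow", None)


if __name__ == "__main__":
    for h in ("metrics.shop.example", "cdn.shop.example"):
        print(h, decide(h, CNAME_RECORDS, BLOCKED_DOMAINS, uncloak=False),
              decide(h, CNAME_RECORDS, BLOCKED_DOMAINS))
```

The first-party-looking `metrics.shop.example` passes the hostname-only check and is blocked only once its chain is followed.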
DuckDuckGo doesn’t belong here
DuckDuckGo doesn’t operate its own search index. When you run a query, it gets proxied to Microsoft Bing. DDG anonymizes the request, but the results, the ranking algorithms, and the underlying infrastructure belong to Microsoft.
In May 2022, security researcher Zach Edwards discovered that DDG’s mobile browser selectively blocked trackers. Allowed Microsoft’s msclkid.
@BrendanEich documented the technical details: Microsoft’s msclkid exists specifically to circumvent third-party cookie protections. DDG knew this. They blocked equivalent parameters from competitors but exempted their business partner.
CEO Gabriel Weinberg confirmed the cause: their search syndication contract with Microsoft limited what they could block. The privacy product was architecturally compromised by a revenue agreement.
DDG patched this in August 2022 after the backlash. But the episode revealed something important: when business obligations conflicted with privacy promises, business won until they got caught.
In March 2022, Weinberg announced DDG would begin “down-ranking sites associated with Russian disinformation,” specifically naming RT and Sputnik.
Whatever your position on that content, this marked a fundamental shift. DDG had marketed itself as “unbiased search” that didn’t filter results based on editorial judgment.
The company makes centralized decisions about what information users should see. That’s their right as a private platform, but it’s a different product than what was advertised.
Brave's Memory Saver suspends tabs you're not actively using, freeing up RAM for the stuff that matters. When you click back to a suspended tab it reloads automatically.
You can also whitelist specific sites you never want suspended. The exclusion rules are flexible enough to keep all YouTube videos active while letting the homepage get suspended.
Settings → System → Memory Saver
The caveat is the assurance model. Obsidian itself is NOT fully open source, Sync still requires trusting a proprietary client and service implementation, and the plugin ecosystem can change the risk profile fast.
So I would not treat it as a bad tool. I’d treat it as a useful local-first tool with caveats - not an automatic privacy-first default.
I audited Loupe’s source code after seeing its App Store privacy label: “Data Not Collected.”
My goal was simple: check whether the public privacy claims match what the app actually does.
First, credit where it’s due: Loupe is a thoughtful privacy education app. It shows people, in a very direct way, how much fingerprinting surface iOS exposes through normal public APIs. That kind of transparency is valuable, especially because most users never get to see these signals laid out plainly.
Good news: I did NOT find accounts, analytics SDKs, ad SDKs, tracking code, or obvious developer-controlled data exfiltration. The app appears to be mostly local, and export appears to be user-triggered.
But I did find an important caveat.
Loupe’s App Store copy says nothing is uploaded, synced, or shared unless you export it yourself. In the Photos feature, the app uses Apple’s CLGeocoder to turn photo GPS coordinates into place names. Apple describes CLGeocoder as a network-based geocoding service.
That means photo coordinates may leave the device to Apple for geocoding. I did not find evidence that this data goes to Mysk.
I also found some disclosure gaps: a few permission prompts say the app reads “counts only,” while the app can display more specific values, including reminder list titles, Bluetooth device names, Bonjour service names, music artists/genres, and photo-derived places.
The App Store “Data Not Collected” label may still be technically different from “nothing ever leaves the device,” because Apple’s privacy label focuses on what the developer and its partners collect. But for users, wording matters. If photo coordinates can be sent to Apple, that should be disclosed clearly.
Introducing Loupe, our latest privacy app for iOS. Discover what apps can learn about you just by reading data your iPhone already exposes, such as your languages, installed apps, device sensors, and much, much more.
Loupe is free, private, and open source. Give it a try 👇
Appreciate the response.
To be clear, my audit did not find analytics, tracking code, accounts, or developer-controlled data collection in Loupe.
The CLGeocoder point was narrower: photo geotags are coordinates, and Apple documents CLGeocoder as using a network-based service to look up placemarks. So the concern was about the broad “nothing leaves your iPhone” wording, not about Mysk collecting photos or photo data.
Putting that lookup behind an explicit consent prompt is the right fix, and updating the permission notes to reflect the actual values shown should close the disclosure gap.
I’ll re-check the update once it’s live.
The main issue is the Photos path.
If a user grants Photos access, Loupe reads geotagged photo locations and calls CLGeocoder.reverseGeocodeLocation to convert coordinates into human-readable places.
Apple describes CLGeocoder as using a network-based service.
So the issue is not “Mysk is collecting your photos.” I found no evidence of that.
The issue is: the app’s own “nothing leaves your iPhone unless you export” claim needs a caveat, because geotag coordinates may be sent to Apple during reverse geocoding.
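The kind of check described in the audit above, as an added example that is not part of the original posts and not Loupe's code: a small scanner that lists where an app's Swift source references APIs that can send data off the device. The API table is illustrative and not exhaustive (only CLGeocoder comes from the posts; the other entries are assumptions added here), and the Swift files are constructed samples.

```python
import re

# Illustrative, non-exhaustive map of Apple API symbols to why they can cause
# network egress. CLGeocoder is the case from the audit; the rest are
# assumptions added for this example.
EGRESS_APIS = {
    "CLGeocoder": "network-based geocoding service",
    "MKLocalSearch": "map search served over the network",
    "URLSession": "arbitrary HTTP(S) requests",
    "NWConnection": "raw network connections",
}

# Constructed Swift source, standing in for files from an app's repository.
SAMPLE_SOURCES = {
    "PhotosScanner.swift": '''\
import CoreLocation
// let session = URLSession.shared   (commented out, must not be reported)
func placeName(for location: CLLocation) {
    CLGeocoder().reverseGeocodeLocation(location) { placemarks, _ in
        print(placemarks?.first?.locality ?? "unknown")
    }
}
''',
    "LanguagesView.swift": '''\
import Foundation
let preferred = Locale.preferredLanguages
''',
}


def find_egress(sources, apis=EGRESS_APIS):
    """Return sorted (file, line_no, symbol, reason) for each API referenced in code."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, apis)) + r")\b")
    hits = []
    for name, text in sources.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            code = line.split("//", 1)[0]  # ignore trailing line comments
            for match in pattern.finditer(code):
                hits.append((name, line_no, match.group(1), apis[match.group(1)]))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_egress(SAMPLE_SOURCES):
        print("%s:%d uses %s (%s)" % hit)
```

Each hit is a place to compare against the app's published claims and permission prompts; a match shows that a network-capable API is referenced, not that data reaches the developer.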