this post was submitted on 12 Apr 2026
118 points (98.4% liked)

Selfhosted

58462 readers
463 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
118
Colota 1.x - Open Source Android GPS Tracker with selfhosted backend support (colota.app)
submitted 1 day ago* (last edited 1 day ago) by mxdcodes@lemmy.world to c/selfhosted@lemmy.world
51 comments fedilink hide all child comments
 

Hi there,

recently there has been a post here about Colota and thought you might be interested in a short summary about Colota.

I am tracking my position since several years now mainly with Owntracks (and now Colota) and a simple postgres DB/table.

I am a fan of the indieweb and eat what you cook and with already some million location points collected I recognized some pattern in existing GPS trackers I wasn't happy about:

  1. Battery consumption
  2. Duplicate points while staying in the same location for a long time

So I decided to build my own GPS tracker and called it Custom Location Tracker.

Improved battery consumption should come from disabling GPS entirely in so called "geofences" which are basically circles you draw on a map in the app. With GPS disabled in these you also won't get duplicate points while staying at e.g. home or work.

The app is still quite new (actively developed since early 2026) but has already quite a lot of features which basically all came from user feedback. E.g.:

  • Automatic Tracking profiles which apply different tracking settings while e.g. being connected to Android Auto, moving slower than 6km/h or while the phone is currently charging.
  • The app works fully offline (map will not be visible then) but you can predownload map tiles from a tile server I selfhost or use your own tile server.
  • You can define how locations are synced to your backend. E.g. only for a specific Wi-Fi SSID every 15min, once a day or with every location update.

Overall the app's focus should move to be a mobile location history app. So basically Google Timeline in a mobile app which also supports selfhosted backends (as backup).

The app is fully open-source AGPL-3.0, has no ads, analytics or telemetry and only sends data to your own server (if you want to).

You can download two versions.

  1. Google Play store which uses Fused Location Provider and therefore uses Google APIs. Also works with the sandboxed version by GrapheneOS and microG.
  2. FOSS version which uses Android's native GPS provider with a network location fallback. Available on IzzyOnDroid and hopefully someday on F-droid.

Both can be also downloaded directly from the repo.

you are viewing a single comment's thread
view the rest of the comments
[–] ShortN0te@lemmy.ml 0 points 1 day ago (7 children)

In security and development there is a statement, called "secure by default". That means the default settings are secure. This would encapsulate something like enforced Transport encryption.

Does this mean that the config can not be changed to fit the thread model? No.

[–] mxdcodes@lemmy.world 2 points 1 day ago (4 children)

The default setting is that everything stays on-device. The user then can change the config to fit their own threat model, e.g. by adding a server, choosing HTTP for LAN, etc.

[–] ShortN0te@lemmy.ml -1 points 11 hours ago (3 children)

Thats like saying:

"The SSH Server configuration does not need to be secure because the SSH Server is turned off by default"

[–] mxdcodes@lemmy.world 1 points 10 hours ago (1 children)

That's an interesting reading of what I said, but not what I said. I didn't write that security doesn't matter because the server is off. I wrote that when nothing leaves the device by default, there is no attack surface to secure. That is the definition of secure by default.

Secure by default means the default configuration is safe. By default, Colota stores location data locally and exposes none of it. If you believe that somehow fails the secure-by-default standard, I'd genuinely like to understand how.

If your actual concern is what happens once a user configures a server, that's a fair discussion but it's a different one. I already addressed that above and I'd be curious to hear a specific objection to that setup rather than a general claim that it's insecure. Server compromise risk is inherent to every self-hosted service. That's not a Colota flaw, that's the model. And "users shouldn't have to manage their own infrastructure" is a philosophical position, not a vulnerability. One that doesn't really fit a tool explicitly built for people who want exactly that control.

[–] ShortN0te@lemmy.ml 1 points 10 hours ago (1 children)

By default this applications allows when adding a server, that the communication is not encrypted between the app and the server. This should be configured by default to enforce TLS encryption. If someone would want to disable dis behavior and allow unencrypted communication, then this should take extra steps.

As i commented somewhere else, to say that since it is turned off it is secure by default, is like saying: "The SSH server is turned off by default so the configuration that comes with it does not need to be secure when shipped"

[–] mxdcodes@lemmy.world 1 points 9 hours ago

By default this applications allows when adding a server, that the communication is not encrypted between the app and the server. This should be configured by default to enforce TLS encryption.

That's not true. For public endpoints, HTTPS is enforced. You can't use HTTP. For private IPs, yes HTTP is allowed. So "by default... not encrypted" is not correct and misleading.

load more comments (1 replies)
load more comments (1 replies)
load more comments (3 replies)