Hi there,
recently there has been a post here about Colota and thought you might be interested in a short summary about Colota.
I am tracking my position since several years now mainly with Owntracks (and now Colota) and a simple postgres DB/table.
I am a fan of the indieweb and eat what you cook and with already some million location points collected I recognized some pattern in existing GPS trackers I wasn’t happy about:
- Battery consumption
- Duplicate points while staying in the same location for a long time
So I decided to build my own GPS tracker and called it Custom Location Tracker.
Improved battery consumption should come from disabling GPS entirely in so called “geofences” which are basically circles you draw on a map in the app. With GPS disabled in these you also won’t get duplicate points while staying at e.g. home or work.
The app is still quite new (actively developed since early 2026) but has already quite a lot of features which basically all came from user feedback. E.g.:
- Automatic Tracking profiles which apply different tracking settings while e.g. being connected to Android Auto, moving slower than 6km/h or while the phone is currently charging.
- The app works fully offline (map will not be visible then) but you can predownload map tiles from a tile server I selfhost or use your own tile server.
- You can define how locations are synced to your backend. E.g. only for a specific Wi-Fi SSID every 15min, once a day or with every location update.
Overall the app’s focus should move to be a mobile location history app. So basically Google Timeline in a mobile app which also supports selfhosted backends (as backup).
The app is fully open-source AGPL-3.0, has no ads, analytics or telemetry and only sends data to your own server (if you want to).
You can download two versions.
- Google Play store which uses Fused Location Provider and therefore uses Google APIs. Also works with the sandboxed version by GrapheneOS and microG.
- FOSS version which uses Android’s native GPS provider with a network location fallback. Available on IzzyOnDroid and hopefully someday on F-droid.
Both can be also downloaded directly from the repo.
Most projects in the self-hosted space put the load of transport security on the user or another system, including big ones like Immich.
Not sure why you’ve chosen to be indignant about this particular implementation.
We are talking about a tracking App. Most selfhosted projects do not store such private data. You may can mage the argument for immich but only for ppl who take a picture every 5 min.
That is patently not true, in the self-hosted space or otherwise.
If you want to take some kind of the security stance on pii or other personal data, you may want to take a look at the app’s workflow first before making declarations of “inadequate security”. There are other considerations than simply slapping a self-signed cert on data in transit (or at rest, for that matter). URL encoding, secrets management, api structure, etc.
If you want to architect the security of your data using this app, it is much easier to simply encapsulate or encrypt the transport yourself. A VPN would be fine. An authentication proxy would be another.
Ultimately, your comments on security here need more and better context to meet a reasonable threshold of confronting the dev on it.
In security and development there is a statement, called “secure by default”. That means the default settings are secure. This would encapsulate something like enforced Transport encryption.
Does this mean that the config can not be changed to fit the thread model? No.
Yes, this is what we’re discussing… Are you a bot? Or are you really not following the conversation?
The default setting is that everything stays on-device. The user then can change the config to fit their own threat model, e.g. by adding a server, choosing HTTP for LAN, etc.