55 comments

  • captn3m0 2 days ago
    The ACTION_MAIN loophole has been written about before: https://commonsware.com/blog/2020/04/05/android-r-package-visibility-holes.html

    Google refuses to patch this. I wonder what would happen if you submit it to the Android VDP as a permission bypass.

    There’s also this SO question by the author about the bypass: https://stackoverflow.com/q/79527331
    • fluidcruft 2 days ago
      It seems like the ACTION_MAIN loophole could be fixed (eventually) if apps that declare it are required to actually be launchers. It seems like legitimate integrations should have more specific intents.

      At that point, Android prompting if random game you just downloaded should be your default launcher seems pretty dangerous interaction for sneaky apps to risk. They either cause the user to bounce and report or the fools select it as default launcher, replace their launcher, can't provide the launcher functionality and break the user's home screen and end up getting reported in Play Store. I also assume actually getting published as a launcher-class app at that point brings automated testsuites and other requirements that will be burdensome for developers.
    • 3abiton 2 days ago
      > Google refuses to patch this.

      That's why projects like XPL-Extended (and previously XPrivacyLua), are an absolute need. I never run an android phone without these.
      • rollcat 2 days ago
        > If there is one leap that the infosec community consistently fails to make, it is this: people who are not like me, who have different needs and priorities, who have less time or are less technical, STILL DESERVE PRIVACY AND SECURITY.

        https://hachyderm.io/@evacide/114184706291051769
      • ignoramous 2 days ago
        XPrivacyLua and other XposedMod/Magisk extensions break open the app sandbox. It is better to restrict running those on usereng/eng builds (test devices). For prod builds (user devices), I'd recommend using *Work Profiles* (GrapheneOS supports up to 31 in parallel) or Private Spaces (on Android 15+) to truly isolate apps from one another.
        • v1ne 2 days ago
          The question is: Who is the beneficiary of the app sandbox? Is it you, the user, because no malicious processes can tamper with your apps? Or is it the corporations, because they prevent you from modifying their apps – which makes you a pure consumer?

          I think, for the tech-savvy, the latter is more accurate and I think it is very important to be able to crack open these sandboxes and tinker with processes. Be it to inject ad blockers, automate them, modify their appearance, etc. It should be a right of a user to be able to do these things.
          • subscribed 2 days ago
            I, the user.

            Malicious apps sneak through the vetting process all the time.

            Genuine, honest apps have to process unsafe content (be it web pages, messages) all the time.

            One exploit should at most make single App vulnerable, not expose *everything* I have on my phone.

            Strong, restrictive sandboxing, memory and execution protections are the only safe way.

            And how is destroying the sandboxing related to having more rights as a consumer? You could still patch and repack them in the way Lucky Patcher does with ads, for example?
          • ignoramous 2 days ago
            > *I think, for the tech-savvy, the latter is more accurate and I think it is very important to be able to crack open these sandboxes and tinker with processes*

            Anyone tech-savvy that wants to mod their Android (like they'd mod Linux distros), should consider purchasing Android devices (like Pixel) that support ownership transfer (that is, unlocking then relocking the bootloader), and flash CalyxOS/GrapheneOS usereng/eng builds.
        • subscribed 2 days ago
          Can't wait for App List Scopes, like we have with Contacts or Storage already. Not a day too early.

          For a few months all the UK banks I have accounts in send the list of all apps to the mothership.

          I noticed it first when suddenly Revolut refused to start up because I had an app installed, Natwest and Nationwide at least inform prior to the data collection, but weren't concerned.

          It ended up with the long overdue confinement of all the banking apps in their dedicated profile, but I'd love to be able to confine them further.
          • HenryBemis 2 days ago
            You mentioned NatWest. I remember using NatWest and noticing on NoRoot Firewall (on my Android) it was 'speaking' regularly to Facebook. Of course I had all FB and IG and their IP ranges blocked from the get-go, but still. Why (TF!!!!) would my effing bank telling FB that I launched their app? (one could say that they use this or that library, so the code, blah blah blah)

            This is disgusting and the reason I don't use iOS. The utter lack of firewall! (plus the batterygate scandal)
        • saturnite 2 days ago
          I'm on Android 14 and I've been pretty happy with an app called Insular on F-Droid or Island on the Play Store. It lets you install as many instances of an app as you'd like and they'll show up in the work profile, ignorant of the others' existence.
          • 1oooqooq 2 days ago
            it's a frontend to work profiles feature.

            not recommended to run insular anymore. use Shelter for a14
        • pava0 2 days ago
          What do you mean by "break open the app sandbox"?
          • schnatterer 2 days ago
            I found this description about the security risks of rooting very eye-opening https://madaidans-insecurities.github.io/android.html It also explains the sandbox.
            • dataflow 1 day ago
              That link seems to have... an agenda. It's way too hand-wavy (e.g., it doesn't at all attempt to tease out the nuance of whether a rooted phone inherently has a broken security boundary by design, or whether [like on Linux] it's secure as long as the implementation is non-buggy) and seems laser-focused on convincing users that desire sovereignty over their own devices that they might as well jump off a cliff.
            • schnatterer 22 hours ago
              I'd like to add one more finding about the perils of root access: https://github.com/chenxiaolong/my-avbroot-setup/blob/c52e44de6e225f66b012cea127de7ad6ddf96fcd/README.md#uid-0

              > The term [rooting] generally also includes the functionality for making runtime code patches (eg. with Zygisk) and making runtime filesystem modifications (eg. Magisk modules).

              > Out of the many root-enabled apps I've studied or reverse engineered, the vast majority fail to handle arbitrary inputs properly (especially filenames). For example, some root-supporting file managers turn a seemingly benign action like listing a directory into local privilege escalation. This is trivially exploitable, especially with browsers auto-downloading files with server-provided filenames to /sdcard/Download/.

              To avoid repeated root access UI prompts, some apps spawn a long-running shell session, write commands to stdin, and rely on parsing stdout and searching for the shell prompt to determine when commands complete. This approach is prone to desync, which can lead to commands being skipped or other inputs being interpreted as commands.

              All in all, I simply do not trust most root-enabled apps to not leave a gaping security hole, so I avoid them entirely. There are apps that do handle root access in what I would consider a more proper way, by spawning a daemon as root and then talking to the daemon over a well defined binary protocol. Unfortunately, this approach is the extreme minority.
            • hilbert42 1 day ago
              As *dataflow* says that site has an agenda. I've used rooted phones continuously since Android v4 and I've had no trouble. Moreover, I'd posit that much of the crap I remove from phones lowers the attack risk which to some degree offsets the risk of rooting.

              Granted, I'm not suggesting that everyone should root their phones, in fact in recent years I even stopped suggesting it to my tech-savvy friends (that is unless they approach me for advice).

              I don't need to lecture about these things but all those who've rooted their phones know the huge advantages—power and control one has over one's phone is enormous.

              For example, some apps contain so many trackers that normally you'd never use them except they're the only apps suitable for one's purpose. Rooting allows you the user to take control and have them do what you want and not that of the developer.

              Yes, rooting has its risks but for my purposes its benefits far outweigh them.
            • Madaidan's articles are well-known to be centered around "security at all costs", and often at the cost of user freedom. That's just not a realistic take when it comes to privacy. What good is absolute security if all it does is secure the device from your "tampering"? Sure, it would be nice if the device were highly secure, but I'd rather it stop spying first.

              With absolute security, you can rest assured that only Google has access to all of your data, and only Google is allowed to turn off the siphoning.
            • schnatterer 22 hours ago
              As someone who cherishes the power of root privs, I'd still like to make a point for alternative solutions that came up like distros such as GrapheneOS or CalyxOS or non-root filtering options via VPN. If it weren't for backups I could manage my everyday life without root. For all other cases I would root and later unroot my phone via an OTA update :D https://github.com/schnatterer/rooted-graphene/

              Hopefully GrapheneOS deliver on their promise to provide a better backup solution than seedvault.
            • ignoramous 2 days ago
              A more recent (2023) sandboxing + isolation overview by the Android team: https://arxiv.org/html/1904.05572v3/ (section 4.3)
              • NotPractical 1 day ago
                > Android’s security design has fundamentally been based on a multi-party authorization model: an action should only happen if all involved parties authorize it.

                > these are user, platform, and developer (implicitly representing stakeholders such as content producers and service providers). Any one party can veto the action.

                How is this not anti-user? It explicitly states that the app developer should be able to veto my decisions...
                • ignoramous 1 day ago
                  Under the shared responsibility model, such veto makes sense. Just because the end-user (the app has no way to determine if it was a thief or a spy or a monkey or the actual device owner) approves of an action doesn't mean the OS and the app *have* to grant authorization.

                  I can see how such a setup is hostile to power users, but then Android is used by 50% of all humanity, and your guess is as good as mine as to just how many want "sudo make me a sandwich" level of control.
    • nexle 2 days ago
      Thanks for the link, seems like the loophole is already there since the introduction of the package visibility restriction, and almost everyone and their mother knows how to bypass this restriction.

      > Google refuses to patch this

      While I don't believe Google engineers are not aware of this widely used loophole, do you have any source that they refused to fix it?
      • AznHisoka 2 days ago
        That loophole was published 5 years ago, it hasn't been fixed since.

        Do you need someone from Google to explicitly write an official note, notarized, indicating they are refusing to fix it?
        • ignoramous 2 days ago
          > *refusing to fix it*

          Google addressed similar isolation concerns (without breaking a tonne of APIs in incompatible ways) with Private Space and Work Profile: https://source.android.com/docs/security/features/private-space
          • whs 2 days ago
            If it's a security issue fix, they should release it in one of the monthly security patch.

            I also think that private space do not fix the underlying issue. If you have four apps and you don't want them to know about each other you can put one of them in main profile, work profile, app locker and you run out of profile for the last one. The way app locker work doesn't scale to tens of sandbox.
            • subscribed 2 days ago
              I know you didn't ask for this sort of answer, but you could use user profiles for this.

              You can have more users on the "standard" AOSP Android as well, but with a certain AOSP-derived you can also have notifications forwarding.

              Until they add Application List Scopes (I believe it's on the road map), in exactly the same way users can now lie to apps they have only specific contacts in their contact list and only one or two specific folders in the Storage.
          • 1oooqooq 2 days ago
            that proves bad faith.

            they keep releasing overly complicated features to sidestep the obvious reported vulnerability, to silence power users and please corporate enterprise sysadms.

            the rest of the 99.9 of users keep the vulnerability, which is very profitable for ad networks. wonder why an ad networks who maintains android would do that.
    • ErigmolCt 2 days ago
      Submitting it to the Android VDP is a solid idea, though I wouldn't be surprised if it gets waved off as "working as intended."
      • gregw2 2 days ago
        The right ("as intended", in my view) functionality would be to support a manifest with, say, five apps, and if as a dev you wanted more you'd apply to google for an exception (like aws limit increases) with a list of reasons for each app.
        • TeMPOraL 2 days ago
          I know people may not remember this, but Android was initially designed with *interoperability* in mind. It's sad to see both the system development and the community opinion to have turned against it so hard.
    • izacus 2 days ago
      What do you mean with "refused to patch this"? Google will reject any app publishing attempt that asks for that filter and isn't a launcher on Play store.
      • whatevertrevor 2 days ago
        How is that congruent with the article's claim that 31 out of 47 apps they tested had this filter?
        • izacus 2 days ago
          No idea, but we did have apps rejected because of similar permissions.
          • cAtte_ 2 days ago
            "similar". so what you said isn't true then?
      • jim201 2 days ago
        Author claims that this same hack is used widely, including by apps on the Play Store like Snapchat and Facebook.
      • Mindwipe 2 days ago
        The HSBC bank app uses this and is in the Play Store.
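
The package-visibility filter discussed in the thread above, as an added example that is not part of any comment: a Python audit of a decoded AndroidManifest.xml that flags a `<queries>` intent matching ACTION_MAIN, alongside the QUERY_ALL_PACKAGES permission. The `<queries>` element and the permission name come from Android's package-visibility documentation rather than from this thread; the sample manifest, rule names and function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"          # the android:name attribute

ACTION_MAIN = "android.intent.action.MAIN"
QUERY_ALL_PACKAGES = "android.permission.QUERY_ALL_PACKAGES"

# Constructed sample manifest (text form, as produced by an APK decoder).
# It is not taken from any real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <queries>
        <package android:name="com.example.partner"/>
        <intent>
            <action android:name="android.intent.action.MAIN"/>
        </intent>
        <intent>
            <action android:name="android.intent.action.SEND"/>
            <data android:mimeType="image/*"/>
        </intent>
    </queries>
    <application>
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Return package-visibility findings for one decoded manifest.

    Only <queries> children are inspected for ACTION_MAIN: an activity's own
    MAIN/LAUNCHER intent-filter is the app's normal entry point, not a query.
    """
    root = ET.fromstring(xml_text.strip())
    findings = []

    # Blanket visibility requested through the dedicated permission.
    for perm in root.findall("uses-permission"):
        if perm.get(NAME) == QUERY_ALL_PACKAGES:
            findings.append({"rule": "query-all-packages",
                             "detail": "requests QUERY_ALL_PACKAGES"})

    explicit_packages = []
    for queries in root.findall("queries"):
        # Explicitly named packages are the narrow, reviewable form.
        explicit_packages += [p.get(NAME) for p in queries.findall("package")]

        # An intent query on ACTION_MAIN matches every app with a main
        # activity, which is the broad form the thread is about.
        for intent in queries.findall("intent"):
            actions = {a.get(NAME) for a in intent.findall("action")}
            if ACTION_MAIN not in actions:
                continue
            cats = sorted(c.get(NAME) or "" for c in intent.findall("category"))
            findings.append({"rule": "queries-action-main",
                             "detail": "categories=" + (",".join(cats) or "none")})

    return {"package": root.get("package"),
            "findings": findings,
            "explicit_packages": explicit_packages}


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report["package"])
    for f in report["findings"]:
        print(" ", f["rule"], "-", f["detail"])
    print("  explicit packages:", report["explicit_packages"])
```
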
  • turblety 2 days ago
    I still, will never understand the need for native "Apps". To this day, I have never seen an "App" that couldn't simply have been a website/webapp. Most of them would likely be improved by being a webapp.

    The only benefits I can see of "Apps", are the developer gets access to private information they really don't need.

    Yeah, they get to be on the "App Store". But the "App Store" is a totally unnecessary concept introduced by Apple/Google so they could scrape a huge percentage in sales.

    Web browsers have good (not perfect) sandboxing, costs no fees to "submit" and are accessible to everyone on every phone.
    • xxprogamerxy 2 days ago
      Simple, UX.

      The reality is, most webapps for mobile just suck. The UX is nowhere near that of a native application. I don't want any text to be selectable. I don't want pull to refresh on every page. I don't want the left-swipe to take me to the previous page.

      You can probably find workarounds for all these issues. The new Silk library (https://silkhq.co/) is the first case I've seen that gets very close to a native experience. But even the fact that this is a paid library comes to show how non-trivial this is.
      • fauigerzigerk 2 days ago
        > *I don't want any text to be selectable. I don't want pull to refresh on every page. I don't want the left-swipe to take me to the previous page.*

        Strange. This inability to select any text has always felt like one of the most hostile things developers could ever do. It feels like pure vandalism.

        Another thing that causes massive productivity degradation is not being able to keep multiple pages open so you can come back to some state. I cannot imagine how anyone could possibly use these apps for any serious work.

        The UX of almost all native mobile apps is absolute crap. But it's not their nativeness that makes them crap. I'm not complaining about the idea of operating systems offering non-portable but high performance UI primitives that make use of OS facilities.

        Many native desktop apps don't have these UX issues (at least not all of them at the same time). It's the mobile UX patterns, conventions and native UI frameworks that are causing this catastrophic state of affairs.
        • whstl 2 days ago
          Inability to select text is a pain in the ass when you're midway through learning the language and only want to translate certain parts. In native apps it's understood (app makers don't really give a shit about me), but when it's in websites it's like a slap in the face :)
        • hombre_fatal 2 days ago
          Yeah, the app model of one page open at a time ever is such bad UX. Huge regression from the web. Funnily enough you get around it on an app like Reddit by opening pages in the web browser.
        • umbra07 18 hours ago
          > Strange. This inability to select any text has always felt like one of the most hostile things developers could ever do. It feels like pure vandalism.

          Use Circle to Search? Native capability that works on every single app, and is close to perfect (with the exception of handling text at the very bottom/top of your screen that's covered by your navbar/Google logo).
        • herrvogel- 1 day ago
          Every time I try to select a single word in a WhatsApp message I am surprised for a second. It’s so strange that most apps that have text as their fundamental content don’t allow you to do this.
        • criddell 2 days ago
          On modern mobile and desktop operating systems, you can always copy that portion of the screen to the clipboard and it will recognize the text so you can paste it anywhere.
          • mattl 2 days ago
            I’ve noticed that apps can tell when you’re taking a screenshot and often will pop up a little message first which appears in the screenshot.

            Reddit on iOS was one that did it.
        • tshaddox 2 days ago
          Also, if my memory serves, native MacOS apps by default support selecting most text that isn’t part of a clickable element like a button.
          • OrangeMusic 1 hour ago
            No, that's absolutely not the case, and it would be very odd and disturbing.
      • mojuba 2 days ago
        To be fair, browser apps do have their advantages:

        - text is selectable
        - content is zoomable
        - you can have an ad/nuisance blocker
        - page source is open

        While native apps have their own advantages:

        - much smoother experience esp. navigation, scrolling, animations, etc.
        - better overall performance (JavaScript will always lose to the native binary)
        - access to hardware opens new possibilities; audio, video accelerators etc.; there's a ton of things you can't do in the browser with audio for example
        - widgets, some of them are nice and useful too
        - for publishers: an app icon on the home screen is a reminder, a "hook" of sorts; this is the main reason they push apps over web versions
        • blacklight 2 days ago
          All the features you mentioned can also be achieved by a well developed PWA. Of course, minus the widgets or some deeper system integration (like controlling phone calls etc.)
          • mojuba 2 days ago
            Try to build a more or less serious music synth in the browser that won’t kill your battery.
            • firtoz 2 days ago
              Heh, I was actually building one. Haven't considered the battery... Are the web audio APIs bad, or are you forced to use the CPU? I guess with webgpu it may be easier?
              • mojuba 2 days ago
                I think on iOS you need access on the CoreAudio level if you want to be efficient, ie fill audio buffers on a high priority thread with some lower level static language.
        • divan 2 days ago
          > browser apps do have their advantages:

          These are more like byproduct of the fact that web apps are built on the stack not suited for modern UI apps. It's literally a text typesetting engine pretending to be a rendering engine for high-performance UI.

          So, it can also be framed as:

          - everything is selectable, even what shouldn't be - buttons, drawers, video players, etc
          - content is zoomable, which most of the time just breaks UX in hilarious ways. Developers have to do extra-work to either disable zoom or make hacks/workarounds.

          "Everything is selectable" and "everything is zoomable" makes total sense if it's a blog post. If it's a UI for the modern app, it does not.
          • rblatz 2 days ago
            Disabling zoom is so hostile, why not disable screen readers and put bollards on handicapped ramps while you are at it. It’s literally a middle finger to older people and people with vision issues. If you disable zoom I will not be using your website.
            • divan 1 day ago
              Luckily most popular operating systems have concept of global text size that can be adjusted, and non-web UI frameworks respect that.
          • mvdtnz 1 day ago
            > It's literally a text typesetting engine pretending to be a rendering engine for high-performance UI

            This is an outdated view of the web. Catch up or be left behind.
            • divan 1 day ago
              This is factual view. No matter how many layers of abstraction you put on top, the foundation is always there. Luckily we have better and better support for wasm in browsers, so it's a matter of time when this outdated stack will be replaced with solutions designed from the ground up for the task.
          • nsonha 1 day ago
            Web just have defaults that are not suitable for apps. Disable text select is one line of css, not that hard.
        • octacat 1 day ago
          + working notifications
          - adblocker is more of a minus for publishers though

          But mainly don't expect any good web app integration on mobile, because it would hit the store 30% tax.
      • leipie 2 days ago
        As a user I usually want all of those features to work. I regularly get ticked off at apps, because I cannot copy paste like in the browser or the app just closes (and loses all state) because I tried to use the back button. I also encountered apps that just reset, because I dared switch to another app for a second because I wanted to copy paste something into it...
      • nodar86 2 days ago
        > I don't want any text to be selectable

        Disabling text selection is not just worse UX, it is actively user-hostile
        • divan 2 days ago
          In Photoshop panels, title (like "Layers") are not selectable. How is it worse UX or user-hostile?
        • IshKebab 1 day ago
          It's worse *on desktop*. On mobile it just leads to accidental selection when you were trying to do something else.
        • crazygringo 2 days ago
          I have literally never needed to select text in a UX element.

          In the past, occasionally there would be an error message in a message box dialog that I wanted to copy and paste. And then I discovered that despite it not looking selectable, it actually was.

          I don't want to accidentally select the text of my menu bar, or of a text box label, or a dialog tab title.
          • sitkack 1 day ago
            I, I, I. Empathy is a weakness.

            Lots of limitations for you to not accidentally do something, maybe there is a way to not accidentally do those things and also help people that need them.
            • crazygringo 1 day ago
              No, not providing concrete examples is a weakness.

              You're awfully arrogant in making a judgement about my empathy... if you want to make this personal.

              Or maybe you can justify why people need to be able to select menu labels in the first place? That's not standard on any OS I've ever used, so it's up to the person who wants to change things to justify why.

              Maybe be less judgmental of people here on HN, and contribute something factual instead? I at least gave a factual account of my personal experience, which is a data point. Describing one's experience isn't egoism.
              • nazgul17 1 day ago
                A simple and concrete example is, go to Japan, find yourself in need of using any Japanese-only app, be extremely frustrated in not even being able to select text to translate it.

                At least in recent versions of Android there is that OCR (?) powered functionality to select text when you're in switch-app view.
                • umbra07 18 hours ago
                  Circle to Search can translate everything on your screen without you needing to go through the whole "copy text, open Translate, paste, switch back to app" workflow. You just hold the home button, then press the translate button.
                • crazygringo 1 day ago
                  Thank you for the example!

                  I would suggest that these days you'd be much better off taking a screenshot and putting that into Google Translate.

                  That way all the text remains in-place, and you can keep it as a visual reference to refer to.

                  If you were selecting text, it would wind up in a kind of jumble that would be much harder to use.
      • Aerroon 2 days ago
        Most *apps* for mobile suck too. A lot of them are worse because they are not in a web browser, eg YouTube or Reddit or similar apps that work via urls.

        Browsers are some of the very few apps that work well on a phone. Most of the other ones feel like a mess (except games I guess).
      • ffsm8 2 days ago
        Mmh, the examples you've listed are actually super easy to do if you're using a framework such as angular with its plugins for pwa and touch controls. And prolly tailwind for css/disabling selection if you *really* want to, but I'd call that an anti feature in almost all cases.
        • xg15 2 days ago
          In theory. In practice not so much.

          I've had enough browser apps try that on my phone. Usually they start to lag out and become unbearably slow due to the framework bloat, compared to native apps that have no such issues.
      • jonplackett 2 days ago
        You have to wonder about the motivations of the company making the browser that makes it impossible to disable some of these things, and therefore makes real apps so much superior (like swipe to go back on safari - I have never ever swiped back intentionally in over 100000 swipe backs).
        • jodrellblank 2 days ago
          “I have never wanted to type the letter ‘e’ in any of the 100,000 times I hit the ‘e’ key on the keyboard; it’s always felt suspicious to me why keyboards even have an ‘e’ key which can’t be disabled” said the perfectly normal hacker news commenter.
        • rezonant 2 days ago
          > I have never ever swiped back intentionally in over 100000 swipe backs

          Real question here, what are you *trying* to do when you "swipe back"?
          • miramba 1 day ago
            Touching something on the left side, like a link, and let my finger touch the glass a tiny bit too long while pulling the finger back. Unwanted swiping happens to me all the time in all directions - may the developers use a touch screen for everything forever!
          • bluedino 2 days ago
            Dating apps.

            By instinct I swipe back like I am in Safari, and that does something else in those.
          • nsonha 1 day ago
            This swipe thing violates one of the most basic ux principles by making a destructive action easily triggered by accident.
          • jonplackett 1 day ago
            Swipe UP
      • The "pull to refresh" is probably the most annoying one.

        Other than that, I'd like text to be selectable! I don't like it when apps don't allow you to copy text.

        I use Copy [1], and when that doesn't work I use the OCR text selection feature on my Pixel phone.

        [1] https://play.google.com/store/apps/details?id=com.weberdo.apps.copy
      • silisili 2 days ago
        That's funny, I use Amazon on mobile web, my wife insists on the app.

        Guess which one of us has way more problems, due to both functionality and a constantly changing layout?
      • wiseowise 2 days ago
        UX is when you have less features - got it.
      • blacklight 2 days ago
        It doesn't sound like anything that a PWA (paired with some a sync mechanism like Websockets) can't solve. And with WebAssembly the convergence is even more compelling.
      • sota_pop 2 days ago
        To go along with this UX argument: it’s always been my perception that native apps often lean towards a stateful design while web apps try for stateless. Maybe that’s too abstract (read - incorrect), but was always just where my intuition landed.
      • andoando 2 days ago
        Nothing prevents the same UI being available in web though.

        Iconic mirrors a lot of it, but Apple/google could have just as easily made them native components triggered in the browser
      • starfezzy 2 days ago
        That is not an objection. Two decades of webapp progress instead of native app progress would have (and still would) addressed all of that.
      • buyucu 2 days ago
        webapp UIs suck because nobody cares about them. They could be a lot better.
    • jb19912 days ago
      This is a bizarre take. Are you also suggesting there’s no reason to have a native app on a laptop? Because it’s essentially the same question. There are many things which a native app can do that a browser just cannot do well, or at all. I don’t know what your needs are, but for example if you’re doing heavy video or audio editing, accessing heavy amounts of RAM or utilizing GPU compute or doing other things on the bare hardware, doing that all from a browser is definitely not there yet.
      • nsonha1 day ago
        On desktop you do productive work, your apps need native capabilities. On mobile, apps are primarily consumption, displaying, browsing... no complex interactions.
        • jb19911 day ago
          Lots of people use iPads for content creation. I think your worldview on this topic is a bit narrow. There have also been multiple feature length movies shot on an iPhone, at least two of them by Oscar winning directors! Those weren’t done on a mobile browser.
          • autoexec23 hours ago
            ipads are designed primarily for consumption not creation. I&#x27;m sure lots of people manage to create something on an ipad anyway but that doesn&#x27;t mean it&#x27;s a good tool for the job. Filming a movie on an iphone is just using the camera. I&#x27;d be very surprised if anybody making a full length movie with their iphone edited that film on their phone or an ipad.
            • jb199121 hours ago
              &gt; Filming a movie on an iphone is just using the camera.<p>Not really. And this is why native apps are necessary. You can&#x27;t use the built-in camera on an iphone successfully in this way, and I don&#x27;t know any director who has. They use specialized third-party apps which give them the appropriate control.
          • nsonha17 hours ago
            &gt; Lots of people use iPads for content creation. I think your worldview on this topic is a bit narrow<p>Can we stick to &quot;by and large&quot;? Every year many youtubers make that video of trying to use ipad&#x2F;samsung dex as the productive computer for a day. Last I checked they always end the same way.
    • setopt2 days ago
      &gt; I still, will never understand the need for native &quot;Apps&quot;. To this day, I have never seen an &quot;App&quot; that couldn&#x27;t simply have been a website&#x2F;webapp.<p>In cases where a native app and web app are both available on iOS, there’s often a huge difference in battery usage and sluggishness. Also, as a sibling poster mentioned, I like having fully “offline” apps as well, for example for maps and notes.<p>I’m not saying that I like how Apple and Google have done this in practice, but I don’t think going webapp-only is the future. For the same reason I won’t replace my real computer with a Chromebook for the foreseeable future.
      • wodenokoto2 days ago
        When the iPhone came out, you had full offline access on PC to Gmail and google docs using Google Gears.<p>Google Gears got deprecated because something something move to standard HTML and browser features and now we don’t really have any offline web apps.<p>The ability to have non sluggish, offline web apps has existed for decades now, but the interest from providers has been declining and the understanding that this is possible is also declining on the consumer side.
      • wiseowise2 days ago
        &gt; In cases where a native app and web app are both available on iOS, there’s often a huge difference in battery usage and sluggishness.<p>Yeah, like single native instagram draining battery faster than combination of multiple websites that I visit in Safari.<p>&gt; For the same reason I won’t replace my real computer with a Chromebook for the foreseeable future.<p>&gt; real computer<p>Where most of the modern applications are either web wrappers or Electron apps.
        • alabastervlog2 days ago
          I’m still bitter about Apple backing off their stance against using web tech in apps. Most apps that are really bad, are really bad because they’re just wrapping websites.
        • carlosjobim2 days ago
          &gt; Where most of the modern applications are either web wrappers or Electron apps.<p>Only if you&#x27;re stuck on a depreciated platform like Linux. If you are on Mac, native applications – real applications – are much more powerful and usable than any web wrapper on Linux.<p>I&#x27;ve noticed Linux users have taken a habit of proposing their broken way of using a computer through the browser for other platforms as well. But on other platforms we are already spoiled with quality software.
          • rlpb2 days ago
            Native applications are way better on Linux, too. But only where they exist. There are plenty of &quot;apps&quot; where the developers have taken shortcuts by getting &quot;Linux support&quot; by using Electron. These apps perform noticeably worse and are generally disliked by their users.
          • mattl2 days ago
            Good native Mac apps are on the decline too.
            • carlosjobim1 day ago
              What are you missing?
              • mattl1 day ago
                I was lamenting the lack of native UI in Blender last night.<p>I’ve been using Nova for the last few years. Increasingly native non-Xcode development tools seem to be few and far between. I have BBEdit and Nova, but a lot of people have switched to VS Code it seems.
      • jampekka2 days ago
        PWAs can be fully offline. Are you sure you understand what you criticize?
        • jtrn2 days ago
          Have you tried building PWAs for large user bases?<p>Here are some of the frustrations I had with PWAs.<p>There are massive differences between browsers and Android&#x2F;iOS when it comes to storage, access to local files, and size limitations. Proper backup&#x2F;sync of large files using IndexedDB, Cache API, or localStorage is not as straightforward as native storage.<p>Service workers aren’t designed for complex or long-running computations, but they’re more like lightweight assistants, and you would have a HUGE pain trying to accommodate all the different browser&#x2F;OS limitations if you need predictable background sync&#x2F;backup. This seems maybe to be better going forward due to frameworks like Ionic&#x2F;Capacitor or Workbox.js tho.<p>PWAs are tethered to the web’s security model, which means they’re generally restricted to HTTP and HTTPS for communication. This limits direct access to protocols like SMTP (email) and FTP (file transfer). You’re stuck with web-friendly options like WebSockets or WebRTC, or you’ll need a server to act as a middleman. Building a torrent client would be really annoying due to the limited protocol access. The WebTorrent JavaScript framework, which can run in the browser, does not fully support traditional TCP&#x2F;UDP torrent protocols directly but instead relies on WebRTC data channels. Therefore, your app will only connect to peers supporting WebRTC, which significantly reduces available torrents and peer counts. Also, there often is an added level of restriction to background processes on mobile.<p>There are also limits to access of the devices APIs: - NFC (partial Web NFC support in Android Chrome) - Bluetooth (Web Bluetooth limited to Chrome Android, absent in iOS) - Native contacts, SMS inbox, telephony, or system-wide calendars. 
- Some system-level sensors (barometer, precise accelerometer data).<p>Also: Web apps often perform slower on heavy graphics or computation than native apps due to lack of direct GPU access. I have not tested this myself, but I know this has gotten better.<p>Onwards: - PWAs can&#x27;t directly register as the default handler for specific file types or URL schemes across the OS. - PWAs cannot reliably run background tasks (like precise location tracking, audio playback, VoIP callbacks, or continuous data monitoring) when inactive. - WebAuthn supports biometrics, but native biometric APIs (like Face ID&#x2F;Touch ID) offer deeper integration for specific app functionality. This is a HUGE need for our firm, as we rely on it for easy authentication for our app, and customers love it over other authentication methods. - PWAs can&#x27;t easily embed widgets into the OS home screen or system-level UI components like control center integration.<p>YES, PWAs are much more capable than some people think and could, in many instances, work just as well as a native app. (I use GeForce Now on iOS with not many problems.)<p>And this is not even touching on how much easier it is to use Android&#x2F;iOS SDKs to put together an application, and user expectations (which might be WRONG when they think PWAs are lesser or more insecure, but these attitudes are still reality).<p>All that said, I prefer PWA over native myself due to publication freedom, but I get annoyed when you talk down to people, and you seem to be the one that doesn&#x27;t understand that there are actual limitations.
          • jampekka2 days ago
            The post mentioned offline usage for maps and notes. Neither are significantly limited by service workers&#x27; capabilities. Platform differences are annoying indeed, especially due to the deliberate sabotage by Apple.<p>Sure there are limitations to PWAs, but quite a vast majority of apps don&#x27;t need the missing features.<p>I find native Android and especially iOS SDKs vastly more difficult and cumbersome to develop for. Doubly so of course if you have to develop for both. Maybe if you&#x27;re already used to the Android&#x2F;iOS development mess it is easier short term than to learn something new.
    • chme2 days ago
      I get your point partially. All these apps that companies put out in order to collect and manage shopping tokens or to contact their customer service would have been much better as a website.<p>However I still do like to have apps on my devices that just work offline, without distributing my data across services I do not control. And I also do not want to depend on an internet connection, when I am anywhere.<p>I like my offline Osmand&#x2F;Organic Maps app to show me the trails when I am somewhere in the woods or mountains. I like my apps that instead of using some third party server, connect directly to my other local devices to share data.<p>IMO all (where possible) apps should be developed offline first, and only require internet when necessary, and those apps that cannot work without internet should be web apps, they do not need to be on my devices.
      • oarsinsync2 days ago
        It’s totally possible to distribute a webapp that works offline and stores all your data offline too.<p>Platform owners introduce a bunch of restrictions that create reliability and usability concerns, but the standards already exist to enable a website operator to create a webapp that, after the initial ‘install’, runs entirely offline on the user’s device, and has no need to communicate with the website.
        • layer82 days ago
          It’s not really possible in practice, see <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=43522667">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=43522667</a>.
    • rzz32 days ago
      I’m sorry. I really just can’t understand or relate to this at all. Mobile web still feels like such a terrible experience, and apps generally don’t. When’s the last time you tried booking a flight on mobile web? And how do you deal with all of the real estate the browser steals? Having to log in every time when the app can just cache my authentication and FaceID me?
      • wodenokoto2 days ago
        Seriously, booking hotels and flights is so much better on the web. You get multiple windows for easy flight and price comparisons, within and between providers.<p>I don’t understand people who use apps for this. It is such a pain.
        • pasc18782 days ago
          You are comparing desktops to phones.<p>I do most things on my desktop for the reasons you say but on a phone multiple tabs etc is a pain.
          • wodenokoto2 days ago
            No, I’m saying that the booking.com app, or the Skyscanner app or any of their competitors don’t support multiple tabs.<p>Their websites do (although even on new phones you are at a greater risk of a tab being purged and needing a reload, but still you can multi tab on the mobile website)
            • pasc18781 day ago
              Ah the difference here is that I can&#x27;t use multiple tabs on my phone as they are too small. So tabs are only relevant to me on desktops and even then I will often use new windows.
        • rzz31 day ago
          I almost always book via apps. I can compare flights by looking at Kayak (app), then actually book it in the carrier app. I think the workflow just has to adapt to the tools you’re using, and trying to follow the same methods you’d use on desktop just doesn’t work. I don’t think either particular method is objectively worse than the other for every use case.
      • andelink2 days ago
        Not who you replied to, but I more so do not rely on my phone for anything where I would prefer more screen real estate such as doing comparisons like buying flight tickets. I have never bought flight tickets on my phone, only on my computer. I prefer the bigger screen and keyboard for most things actually
      • whstl2 days ago
        <i>&gt; Having to log in every time</i><p>Sounds like a broken web app.<p>You are currently using a webapp that doesn&#x27;t do this. It&#x27;s called Hacker News, and it never asks me to login every time on my phone.<p><i>&gt; when the app can just cache my authentication and FaceID me</i><p>Sounds like a broken login form.<p>Hacker News also allows me to login with Face ID on my phone, thanks to my password manager.<p>Optionally webapps can also provide Passkeys.
        • terinjokes2 days ago
          &gt; Sounds like a broken web app.<p>&gt;<p>&gt; You are currently using a webapp that doesn&#x27;t do this. It&#x27;s called Hacker News, and it never asks me to login every time on my phone.<p>Every time I visit Hacker News on my iPad I&#x27;m logged out. Apple has decided that if you don&#x27;t visit a website often enough it will expire all your cookies for the site.<p>In practice that means I can log in to HN while I&#x27;m at the cafe one weekend and be logged out by the time I visit the next weekend.
          • whstl20 hours ago
            Are you sure? My iPad has been logged on for months... the only thing that makes it log off on the iPad is when I log off on the desktop.<p>Apparently HN does it on purpose and kills all sessions on all devices when you log off.
        • rzz31 day ago
          Passkeys do definitely make the mobile web experience better, but unfortunately they’re still not widely supported. I’m not saying mobile web apps can’t be good, but a native app allows for a lot of UX optimization.
      • renegat0x02 days ago
        Not so sure. There are a ton of bad apps. They also do not work properly often.<p>Besides companies focus on apps, not on web pages. Less money, less focus, therefore worse experience
      • wiseowise2 days ago
        &gt; When’s the last time you tried booking a flight on mobile web?<p>A week ago, via TravelPerk which is literally a web wrapper.<p>&gt; And how do you deal with all of the real estate the browser steals?<p>What?<p>&gt; Having to log in every time when the app can just cache my authentication and FaceID me?<p>I literally use the same FaceID for my passwords&#x2F;proton pass. Also, this depends on a website.
    • ulrikrasmussen2 days ago
      There are also an increasing number of services which are ONLY available as apps now, including, but not limited to, many financial apps such as Revolut.<p>A big issue with this trend is that unlike the web, the whole Android ecosystem is a walled garden which is strictly controlled by Google. In principle you can run your own custom Android ROM, but in practice this will lock you out from any app which uses Play Integrity API to enforce Google&#x27;s totalitarian regime which dictates what software YOU are allowed to run on &quot;your&quot; hardware.
      • IshKebab2 days ago
        The worst one is the UK&#x27;s NHS app, which is <i>only</i> available as an app, despite being just a webview wrapper! I have no idea what they were thinking.
        • cyberpunk2 days ago
          Sometimes it’s a compliance thing, e.g we can only show health data if your device passes some security controls first.
        • WesolyKubeczek2 days ago
          What happens when you visit whatever URL is being wrapped?
          • pasc18782 days ago
            You go to the nhs webpage and it works in the same way.<p>Login is better on the iOS app as you can use touch id&#x2F;faceId and not userid&#x2F;password also the webpage asks for cookies as it can&#x27;t seem to remember the choice
            • IshKebab2 days ago
              Really? What&#x27;s the URL that would allow me to see test results and book appointments?
              • pasc18781 day ago
                Unfortunately that seems to depend on who did the test or your GP.<p>There seem to be sites for your GP (which mine does via a .nhs.uk domain it used to be via <a href="https:&#x2F;&#x2F;account.patientaccess.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;account.patientaccess.com&#x2F;</a> which still shows appointments but does not allow booking but still allows requests for repeat prescriptions.) or hospital portal for results.
          • whstl2 days ago
            IME those apps often have the HTML&#x2F;JS embedded, so you would have to extract the contents, host them somewhere and proxy the API calls.
          • IshKebab2 days ago
            I dunno, I haven&#x27;t reverse engineered it to find the URL. But I would imagine it gets confused about authentication.
            • donalhunt2 days ago
              Would put money on it using something like &#x27;?device_verified=1&#x27;.
      • elric2 days ago
        Not only that, but these companies are effectively letting Google decide who they can do business with. It&#x27;s insane.
    • ustad2 days ago
      It&#x27;s funny to read negative replies to your comment on the shortcomings of web apps.<p>The browsers are controlled and manipulated by the likes of Apple and Google. These companies have a significant influence on the direction of browser features and limitations, often shaping them to suit their business interests. For example, Apple’s Safari and Google’s Chrome have been criticized for implementing features that reinforce their own ecosystems, such as limiting web push notifications or restricting certain web API functionalities to encourage users toward their native apps. This ultimately means that even in the browser world, the same forces that drive the app store monopolies can still control and restrict what’s possible, even if the web is inherently more open. So while web apps offer more flexibility than native apps in theory, the reality is that Apple and Google’s control over the browsers still limits the true potential of a completely open web.
      • jampekka2 days ago
        &gt; The browsers are controlled and manipulated by the likes of Apple and Google.<p>Who do you think controls Android and iOS native APIs?<p>Web standards at least have public forums and specs, with multiple parties involved. And all the major browser engines are open source and apps built for them are relatively cross-compatible.
    • HSO2 days ago
      <i>&gt; the &quot;App Store&quot; is a totally unnecessary concept introduced by Apple&#x2F;Google so they could scrape a huge percentage in sales.</i><p>Actually, when the iPhone was introduced, Apple <i>wanted</i> it to have only a few select native apps (like Maps or Mail) and all the rest to be web apps.<p>They were <i>browbeaten</i> into opening an app store by the developers, who wanted to do native apps, not the other way around like you say.
    • xenator2 days ago
      During the earthquake in Bangkok on Friday, Grab (local superior version of Uber) helped me to order a taxi and get my kids home. Needless to say, the cell phone network collapsed for most of the day. All people want to know what happens and if their family and friends are safe. They definitely have a very optimized network layer for poor connections. I bet they can switch to udp or something. I&#x27;m glad that it wasn&#x27;t a web app.<p>In many other cases I agree with you.
      • PaulRobinson2 days ago
        99% likely they&#x27;re using a REST API, which is... HTTP.<p>Even if it&#x27;s gRPC or something more exotic, it&#x27;ll be over TLS (you best hope it is).<p>You can have a webapp cached locally on your device. PWAs allow developers to create an SPA you can open from your homescreen, and to do that API interaction the same way as a native app.<p>I hope you and your family are well, and it&#x27;s great that tech helped. But please, don&#x27;t think that because this tech worked in this instance it can&#x27;t be made safer and securer.
      • YetAnotherNick2 days ago
        Switching to UDP won&#x27;t magically improve your network connectivity. The overhead of WebRTC over UDP isn&#x27;t too high as well.
    • hedora2 days ago
      It’s clearly for data collection. Take the yelp web app for example. It used to be much nicer than the native one. Then, they intentionally defeatured it until it was useless.<p>Also, this situation benefits the google-apple duopoly, since it means superior products (remember Windows Phone 8?) or privacy focused devices (FirefoxOS) have no chance of getting a foothold in the marketplace.<p>The objections I see in sibling comments are nonsense. Modern web supports high frame rates, developer control over the UI, etc, etc.
    • dagmx2 days ago
      While many native apps could be web apps, you’re ignoring some very large reasons for native apps:<p>1. Better UX and responsiveness for users, including better offline use.<p>2. Using native hardware APIs. How are you going to do things that require on device video compression, or realtime graphics that are more advanced than GL ES, etc<p>3. Battery life and performance. A native app can use less power than a web view for doing its work, and it can also make use of better async&#x2F;concurrency&#x2F;threading than a web view allows for.
    • elric2 days ago
      &gt; The only benefits I can see of &quot;Apps&quot;, are the developer get&#x27;s access to private information they really don&#x27;t need.<p>That&#x27;s exactly the point. More developer control, less user control. Can&#x27;t change cookie settings in an app, can&#x27;t (easily) block ads, can&#x27;t use developer tools to remove annoying UI elements, can&#x27;t disable phone home mechanics, can&#x27;t prevent the developer from profiling you.
    • ezequiel-garzon2 days ago
      In the case of termux, by far my favorite app, I have more than 2GB of locally installed packages. How would that work with a browser?
      • hk__22 days ago
        OP talks about apps in general, of course there will always be anecdotic cases like this one (see also <a href="https:&#x2F;&#x2F;xkcd.com&#x2F;1172&#x2F;" rel="nofollow">https:&#x2F;&#x2F;xkcd.com&#x2F;1172&#x2F;</a>).
    • baxtr2 days ago
      How would you make a video app in a browser? ie taking videos and then editing them afterwards
      • sph2 days ago
        GP used hyperbole but was not all wrong. The issue is that <i>most</i> native apps could very well have been web apps. I appreciate that on iOS adding a web app to homescreen is possible, albeit obscure and not many use that feature. I hate that Firefox never really supported PWA for some unfathomable reason.
        • baxtr2 days ago
          Exactly. But GP deliberately said all, not most or many.<p>GP’s comment is something that people in politics would call sensational. Extreme rhetoric is great for upvotes because it stirs emotions but it’s not rational.
          • josfredo2 days ago
            I think it’s completely justifiable, since it illustrates the core of the idea. Also, HN users, unlike voters, can see through the framing. If anything, it’s a great way to spark a debate.
      • psychoslave2 days ago
        Do you mean something like <a href="https:&#x2F;&#x2F;commons.m.wikimedia.org&#x2F;wiki&#x2F;Commons:VideoCutTool" rel="nofollow">https:&#x2F;&#x2F;commons.m.wikimedia.org&#x2F;wiki&#x2F;Commons:VideoCutTool</a> ?
        • baxtr2 days ago
          I mean something like CapCut that has access to the phone camera for capturing video.
          • worksonmine2 days ago
            Browsers have camera and local file access if the user grants permissions, what do you mean isn&#x27;t possible with the browser?
            • psychoslave2 days ago
              I think that the name browser is basically just what is putting people on the wrong track of interpretation. They have been fully fledged VM sandboxes, which incidentally happen to also embed html and pdf interpreter natively.
      • scbzzzzz2 days ago
        The commenter says about most apps. The use case you mentioned requires computing resources. You can do the whole thing on browser too but it is not an efficient way. But in the case of delivery apps, finance apps, you don&#x27;t need much compute as they can work exclusively with APIs.
        • tossandthrow2 days ago
          Performance is likely not a reason anymore - and if it is, then it is the platform that imposes it (rust wasm runs fairly fast in a browser).
        • baxtr2 days ago
          No, GP says there are no apps, which is not most.
    • unethical_ban2 days ago
      There is nothing inherently evil about an app, or inherently good about a website - it&#x27;s only because historically we have allowed crappy app permissions structures and allowing apps to ask for things they don&#x27;t need.<p>Apps are faster, are more predictable (no auto-reloading or rendering issues) and generally perform better IMO.<p>On the other hand, in reality, you&#x27;re correct. I think the NYTimes app will collect more data from me than the NYTimes website.
    • halper2 days ago
      For me, there are a lot of applications that I want to be able to load regardless of whether I have a connection to the Internet or not: calendar, notes, mail etc. They can sync&#x2F;send&#x2F;whatever whenever I am next online.
      • turblety2 days ago
        Ah yeah. While this is mostly implemented terribly, a web app can absolutely do this for you using service workers. So you can install a webapp to your homescreen and use it without an internet connection at all.
        • wruza2 days ago
          Emulate a network layer to serve a pre-packaged bundle. Neat &quot;platform&quot;, but as a developer no thanks.<p>While apps are spying etc, making them is usually a no-brainer compared to churning and leaky web stacks. And probably not a single time a webapp loaded for me when I tried it outside standing in the wind trying to figure something out. It was always an app that started and helped and didn&#x27;t ever scroll horizontally while doing so.
        • ablob2 days ago
          In that case the only difference between a webapp and a normal app would be the permissions, wouldn&#x27;t it?
          • jspdown2 days ago
            Permissions and performances.<p>But we could argue that if webapps were more used on mobiles, new APIs would have been opened to facilitate cross-app integrations.
        • sgt2 days ago
          You seem to miss the fact that most web app experiences are inferior to that of native app.<p>The disadvantage of native is barrier to install. Once that&#x27;s done, the experience to the user is simply superior. True native experience, fast and predictable. As a developer it&#x27;s easier to build those types of apps as well.<p>People who haven&#x27;t used iOS might not understand this though as they&#x27;ve never seen &quot;how things should be&quot;.
          • umbra0717 hours ago
            you think most Android users are using PWAs instead of native apps? lol.
      • PaulRobinson2 days ago
        PWAs can do this.
    • nxjx2 days ago
      <a href="https:&#x2F;&#x2F;en.m.wikipedia.org&#x2F;wiki&#x2F;Platform_economy" rel="nofollow">https:&#x2F;&#x2F;en.m.wikipedia.org&#x2F;wiki&#x2F;Platform_economy</a><p>Becoming the middle man is the default model that supports scale. No one has come up with anything else to support a world where avg disposable income is close to 0
      • hgomersall2 days ago
        &gt; Becoming the middle man is the default model that supports rent extraction<p>FTFY
    • dustingetz2 days ago
      Zuck: Betting on HTML5 was a mistake (2012) <a href="https:&#x2F;&#x2F;www.infoq.com&#x2F;news&#x2F;2012&#x2F;09&#x2F;Facebook-HTML5-Native&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.infoq.com&#x2F;news&#x2F;2012&#x2F;09&#x2F;Facebook-HTML5-Native&#x2F;</a><p><a href="https:&#x2F;&#x2F;www.sencha.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.sencha.com&#x2F;</a>, the vendor of the ExtJS framework tried to argue that Facebook was wrong (2012): <a href="https:&#x2F;&#x2F;www.infoq.com&#x2F;news&#x2F;2012&#x2F;12&#x2F;Fastbook&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.infoq.com&#x2F;news&#x2F;2012&#x2F;12&#x2F;Fastbook&#x2F;</a><p>I worked for a company that used Sencha back in the day and wrote the first React integration over their form&#x2F;datagrid components in 2013. React ate their lunch
    • impossiblefork2 days ago
      It has the potential to be faster, more private and more efficient.<p>Absolute absence of lag, glitches, rendering issues, memory use in the kilobytes etc. is possible with native applications.
    • tim3332 days ago
      Pokemon Go. You couldn&#x27;t really do that as a webapp with the VR and stuff.<p>Also with the bank apps I think there&#x27;s extra security over a webapp - on the iphone they often scan my face.
    • graemep2 days ago
      Maps and navigation apps? Desktop integration and sync apps?<p>That said most of the time you are right.<p>I am fairly convinced that some apps are just wrappers around web apps. The Virgin Money (UK bank brand) app used to ask for cookie permissions on launch and felt very like their website used to (until it was removed and they went app only).
    • autoexec23 hours ago
      &gt; The only benefits I can see of &quot;Apps&quot;, are the developer get&#x27;s access to private information they really don&#x27;t need.<p>this is the actual reason why companies push people to install and use their apps instead of their website.
    • Aachen2 days ago
      For one, you couldn&#x27;t access those webapps without a browser, so that&#x27;s the need for one app. It would also be a bit annoying if you had to load a webpage when trying to dial a number<p>Or am I not understanding what you mean when you use the quoted name &quot;Apps&quot;?
    • miniBill2 days ago
      Access to Bluetooth devices is a good reason to have an app. I definitely do not want a Bluetooth API in my browser (although Chrome does have something in that direction, I think it&#x27;s a bad idea)
    • dangus2 days ago
      So you never use native apps on your desktop? Why should a computing device not be able to run programs?<p>I feel like an actual security-driven design is a lot better than just relegating everything to the browser.
    • sbierwagen1 day ago
      Push notifications. Apps have them on by default, websites have them off by default. 100% of Temu&#x27;s valuation is because they pester users all the time with nudges to buy stuff, which works.<p>Normies don&#x27;t turn off notifications. Over the last few years all my relatives have picked up smart watches, (thanks to cell carriers upselling them hard during phone replacements) and in any given conversation at family events they&#x27;ll be glancing at their wrist every 100 seconds.
      • retrac1 day ago
        Registering for push notifications ought to be a protocol much simpler and lightweight, compared to this spinning up a virtual machine and running a downloaded binary for each channel of notification you wish to receive.
    • renegat0x02 days ago
      Many things need to be an app, but so so many do not require it.<p>Many apps are apps just because they can collect your data, and create walled gardens. It is harder to create extensions for existing apps, for web pages it is easier.
    • xlii2 days ago
      Any kind of offline cryptography. Imagine Apple Pay being an app. So all sort of digital signatures, documents, checks, payment codes and vouchers, tickets etc.<p>IMO this is in the range of „why we use machines to transport if we all have legs”. Technically true, but applications do more than only UI.<p>I&#x27;ve heard this argument for the past 30 years (we won’t be using apps, everything will be remote console&#x2F;terminal&#x2F;webpage&#x2F;web). Chromebooks were meant for web-first access, and yet native apps are still alive and kicking.
    • chamomeal2 days ago
      To me a mobile app is usually just a shorter web app that you can’t zoom on<p>Edit: and I’ll venture a guess that since mobile apps can’t use things like ad blockers, companies probably prefer them. More control over what you look at.
    • dbtc2 days ago
      I agree, mostly, but there are definitely some programs I want running on my phone and outside of the default browser.<p>- Timer &#x2F; alarm clock - Camera - File browser - Offline maps - Another web browser<p>But not 250MB banking app.
    • usrusr2 days ago
      Push notification is the big one. Yes, there is web push, but that&#x27;s hardly scratching the surface of feature completeness. And incentives to change that aren&#x27;t really there.
    • miki1232112 days ago
      Yeah, good luck writing a screen reader, a demanding mobile game, a (local) music player, or a warehouse parts lookup app, supporting fully offline use and barcode reading functionality.<p>In 2025? Sure, you can do some (but not all) of that in a browser? In 2010, when those systems were becoming popular? Absolutely not a chance.<p>People forget that Apple initially tried this exact approach. On the first iPhone, that&#x27;s how you were supposed to do apps. People wanted native so much that they were willing to go the extra mile, jailbreak their device, document the undocumented iPhone SDK and write their own toolchain. The user demand for native was clearly so overwhelming that Apple finally relented and gave in.<p>Even a few years later, Facebook tried hard to have a single, cross-platform HTML5 website instead of bothering with apps. Even then, browsers just weren&#x27;t there yet, and they probably had the best engineers and resources on that project one could have had for any money.
    • ErigmolCt 2 days ago
      So many apps are glorified wrappers around web content anyway, and in those cases, native just adds bloat (and tracking)
    • LtWorf 2 days ago
      Speed, and from that follows battery life.
    • immibis 2 days ago
      In other words, you believe all computers should be Chromebooks, which can only run Chrome and nothing else?
    • zer0zzz 2 days ago
      The most basic app, a notepad, I often prefer native. When I go between google keep or notion to apple notes I can tell the difference. If the text is long enough, the web apps just can not load the content.

      Just to confirm:

      I dumped all of my notes from my insanely large apple notes (about 16000 lines of text) and pasted them into Google Keep, Notion, Google Docs. With the exception of Google Docs the rest of them flat out froze and I had to kill my browser. Stop trying to tell us that the browser is the answer to everything when most web apps can't do the job of Notepad.exe or vi
      • esperent 2 days ago
        > With the exception of Google Docs

        So, one out of three webapps that you tested could handle this much text. It suggests that the problem for the other two is their implementation, rather than any limitation of the browser.

        Of the two that failed, did you also try the app versions to see if they failed too? I really doubt the Notion app could handle 16000 lines of text.
      • turblety 2 days ago
        Sorry, I couldn't recreate this. I just built a tiny text editor app: https://65cd02a1-8f00-47cb-b1d1-231493de5fc2.paged.net/

        Tried putting 20k lines into it. Loaded instantly, allowed me to scroll and edit flawlessly.

        But I get your point. I'm on a pretty decent 2022 iPhone, and I'm sure at some stage I would run into a performance hit. But not at 20k lines.
        • eknkc 2 days ago
          Note taking apps generally do formatting, markdown like stuff or at least linking to urls in the text etc.

          You can't slap a plain text field and assume that emulates the actual experience in any way.
      • YetAnotherNick 2 days ago
        Now try VSCode in chrome and compare it with apple notes. I use both and VSCode wins hands down in long lines and files.
    • roncesvalles 2 days ago
      It's an advertisement that you see each time you use your phone.
    • djaychela 2 days ago
      Working offline?
    • gtsop 1 day ago
      Very narrow take, it's so far fetched I would consider this a bad faith comment.

      How could you possibly consider intensive games to be "simply" web apps? How about network apps like vpns, wifi analyzers? Have you really not come across such apps or are we meant to think every app is a TODO application?

      Both web and native have been driven by the same corporate forces, the argument here should be technical only - what can you do on native that you can't on the web. Mixing this technical matter with corporate policies muddies the waters.
    • prinny_ 2 days ago
      Honestly I wonder the same. App stores have big % cuts for the provider, I believe Apple has a 30% cut? Surely this number is big enough to justify spending the resources for a mobile first site?
    • nottorp 2 days ago
      Imagine a world in which your smartphone's battery lasted more than a day...

      ... and ram requirements for good performance went down by 66% ...
    • NooneAtAll3 2 days ago
      ...not every app is a worse reddit website?

      there are games, there are offline programs

      ---

      website-as-an-app does need to be squashed, that's something I do agree with you
  • aucisson_masque 2 days ago
    That's why I like hacker news.

    I found this article yesterday and posted it on reddit android, here : https://old.reddit.com/r/Android/comments/1jmwg4w/everyone_knows_all_the_apps_on_your_phone/

    0 upvotes, comments filled with what are either depressed sad people or just bots.

    Here it's top 2... With mostly interesting comments.

    Some subreddits are more dead than others but r/android has got to be one of the worst.
    • diggan 1 day ago
      > Some subreddits are more dead than others but r/android has got to be one of the worst.

      Yeah, I'm not sure what exactly is going on with reddit but if dead-internet theory would hold anywhere, it seems to be there.

      Besides, all the topic/subject subreddits seem moderated by people who hold a vested interest in the topic/subject, to the detriment of their community. I made a submission which went into details about the proprietary license that Meta's Llama is under, and what exactly that license means, and it was removed manually by the moderators of r/LocalLlama without any reasoning + they refuse to answer why it was removed even after trying to understand the rules of the subreddit better.

      I'm guessing when the last "reddit purge" happened where they replaced a bunch of community moderators with employees from reddit, most of the platform was sold to companies to moderate their own spaces, unfortunately.
      • Mistletoe 1 day ago
        Moderation is one of the huge Achilles’ heels of Reddit. I’m confused why Reddit thinks a monarchy with no term limits will work on a website when it has never worked in human history. There is no voting whatsoever where users can give feedback on how they think the moderation or the subreddit is going. You get entrenched subreddits like /r/movies and their obsession with movie posters instead of movie discussion or /r/running, which is incredibly unused because the mods insist on removing almost any discussion of running outside the weekly threads except for idiotic race reports in obscure places that no one reads or cares about.
        • xmprt 1 day ago
          The nice thing about reddit is that no one is forcing you to follow such broad subreddits which appeal to the common denominator. In my experience, any subreddit which has more than a few million members is going to be pretty terrible.

          Find a more niche subreddit like /r/<city_name>running (although location subreddits fall into a similar trap) or /r/longdistancerunning and you'd probably find them to be more interesting simply because moderators are beholden to a smaller community and their job is more about making things interesting for their niche and cultivating a community rather than just dealing with slurs, bots, and spam.
          • diggan 5 hours ago
            > Find a more niche subreddit like /r/<city_name>running

            Maybe that works in the US, since half of all reddit users seem to be from there, and for very general topics like running.

            But for discussing local LLMs, you have just about one place to choose between, and if the moderators somehow are silencing discussions there, there doesn't seem to be much you can do about it.
          • I agree with your comments about the large subreddits, but I also agree with Mistletoe that even many niche subreddits (or at least "midsized" subreddits) suffer from the same moderation problem.

            Namely, once a subreddit becomes popular or has basically "the default" subreddit name, it's *extremely* difficult to just start a new subreddit if you don't like the moderation on the old subreddit, because it's so hard to get people to know about or move to the new subreddit. There was some drama years ago where some r/lgbt mods went on a major power trip, which caused other folks to start the r/ainbow sub, but still most folks go to the lgbt reddit as it's what comes up first if you just search for "gay subreddit" or similar.

            You say "because moderators are beholden to a smaller community", but that's the point - mods aren't really beholden to anyone at all, as it's not like electing mods is a democratic process. Note nor do I think it should be, as being a mod is a ton of grief and labor that people donate for free. But I do think Reddit could make it a lot easier and "fairer" if people wanted to "fork" a subreddit if people wanted to discuss the same topics with the same community, just with different moderation rules.
            • MichaelZuo 1 day ago
              If someone/some group can’t successfully create a smaller competing subreddit, what prospects would they have to successfully convince over half the existing userbase of a subreddit to formally vote for a “fork”?
              • umbra07 17 hours ago
                the issue is that it's very hard to even let their desired audience know that they *exist*.

                the only feasible way (short of like, scraping every comment made on a subreddit and dm'ing each of those users) to reach the audience you're trying to convince to switch to your alternate subreddit is by... posting on the original subreddit. the original subreddit has no incentive to allow your post, and public moderation logs aren't a thing on reddit, so...
                • MichaelZuo 13 hours ago
                  So…? It still makes no sense to expect there to be any prospects of accomplishing something vastly harder, regardless.
        • Seattle3503 1 day ago
          As someone who has moderated multiple subreddits, and single handedly brought a subreddit from 0 to 100,00 subscribers, this misunderstands subreddits, moderation, and the relationship between Reddit and moderators. IMO subreddits were supposed to be like random forums on the internet of old, but with a shared substrate. Those forums were singularly owned as well and if you didn't like the operators you moved on, because there was no one you could escalate to.

          There is fundamentally a social contract between Reddit and its moderators. Moderators get autonomy and control, and reddit gets content that keeps users around. As long as Reddit does not pay moderators, autonomy and control is all they can give moderators. I'm investing a lot of effort, and I'd like to retain some control. IMO creating a community is more like starting an open source project on Github with a lot of community contributions.

          If you take away autonomy and control from moderators, what is in it for the moderator? Imagine if github started seizing projects wholesale, taking them over and installing new maintainers. People would move off the platform.

          Some people say that moderators are unpaid employees, but IMO that is only to the degree that moderators are required to carry out Reddit's agenda and priorities. We don't call OS maintainers github employees. I don't mind if Reddit benefits from my communities, as long as I can run it the way I want. If you take away autonomy and control, moderators absolutely *become* unpaid employees.

          If Reddit didn't like my policies and took my subreddits, I would take that as a strong signal that Reddit is not the place to build my communities. The API debacle, protests, and mod removals caused me to decentralize my community more. I spam a linktree in my subreddit that links to Discord and other resources, exactly to protect against community seizure by Reddit.

          I think you touch on some real issues. One is of namespacing; folks can sit on valuable portions of the namespace and basically extract rent. We have the same issues for domains, and haven't solved it there. Some places like github semi-solve it by putting repos in organizations, but that shifts the namespace issue to the organizational level.

          The other problem is second generation moderators. Most moderators are terrible at succession planning, and so generally choose terrible successors. Many second generation moderators don't understand the original decisions that shaped the community, and what makes the original community successful. Reddit should do more to encourage succession planning, and teach moderators how to do it.
        • SV_BubbleTime 1 day ago
          You are confused.

          You seem to think Reddit Inc wants anything but control over the users. They are not at all interested in discussion or being a social network. If they could achieve their real goal without all the annoying comments, they would shut those off instantly.

          Reddit is a narrative pushing machine first and foremost. The money they make on advertising - IS NOT - from the one of two ads you see per page.

          The Reddit stock price is not at all reflective of their tech. It’s based on ability to push thoughts to users.
          • dghlsakjg 1 day ago
            Their annual report, and their advertiser platform don’t really back up whatever it is you are implying here.

            I would be incredibly surprised to find that Reddit's officers are willing to risk life-ruining fines to lie in their filings about this.
    • wruza 1 day ago
      Thread success is hit and miss. You can post and there's crickets, or you can post and people pile in. If you click the "past" link under the title, there's a thread from 2 days ago, completely dead.
    • lisnake 1 day ago
      On the other hand, many interesting links (IMO) I submit to HN also get zero comments
      • kleiba 1 day ago
        Worse, I've had submissions (both links and comments) get flagged in the past, and I have no idea why. I suppose they must have validated some HN policy, but if I had more information about the rationale, I could avoid making the same mistake again in the future (all of my submissions where that happened were for genuinely interesting contents or 100% non-offensive opinion comments).
    • umbra07 17 hours ago
      r/android got hit really hard by the subreddit blackouts. activity is just very low there.
    • hnuser123456 2 days ago
      The subreddit is mostly younger folks more aligned with the "fanboy" attitude, they downvoted because it was a critique of Android.

      Hacker news understands the concept of constructive criticism.
      • aio2 2 days ago
        I wouldn't say understand, but *better* understands
        • touristtam 1 day ago
          It also helps that you need to have a certain _rank_ to be able to downvote on here, as opposed to the default rights you get on reddit.
        • SV_BubbleTime 1 day ago
          Exactly this can be seen here if the discussion is about climate.

          Even better understands might be pushing it. “Better tolerates”
  • nindalf 2 days ago
    > Beyond the usual categories, I see there are checks for apps like Tamil Calendar, Odia Calendar, Qibla Direction Finder, mandir apps, astrology apps. They know what they’re doing.

    This loan app is profiling people on the basis of race (Tamil, Odia) and religion (Qibla Direction Finder is used by Muslims, mandir apps by Hindus).
  • graemep 2 days ago
    The HSBC UK Android app looks at what apps you have, and refuses to run if you have apps with certain permissions (such as an alternative launcher) and now refuses to run if you have any apps from outside the Google app store.

    I have complained about this here before, but the end result was that I asked for a hardware security device and use the website instead.
    • qbane 2 days ago
      Tired of apps using shady, fragile tricks to refuse to work and claiming that you are "secured" by them
    • odiroot 2 days ago
      Interestingly FirstDirect app (also part of HSBC) has no such problems. It even ran on my previously rooted phone.
    • fudged71 1 day ago
      That's pretty funny, right? They have to spy on you to tell you what else you are using could be spying on you. Do they happen to say this data is not transmitted to the company?
    • switch007 2 days ago
      That's beyond absurd. Sounds par for the course with HSBC!
  • DevKoala 2 days ago
    > How is knowing whether I have the Xbox or the Playstation app installed on my phone essential to their Swiggy's core functionality? How will knowing if I have the Naukri or Upstox app help them deliver groceries to my doorstep?

    It is for fingerprinting purposes
    • nom 2 days ago
      It also checks for popular remote desktop apps (allow incoming connections to the phone) which could be used to increase scam success rate.

      Same with bank apps, if you are a scammer it's really useful to know beforehand what kind of bank the target uses.

      There are probably a whole bunch of groups who have a purpose for this kind of info, especially if they can link it to the phone number.
    • wutwutwat 2 days ago
      fingerprinting is the best case scenario
      • _heimdall 2 days ago
        What's the worst case, in your opinion?
        • em3rgent0rdr 2 days ago
          The US Customs & Border Control apps ("CBP Home" and "Mobile Passport Control") could check for blacklisted apps and flag you to be deported to an El Salvadorean gulag without due process.
          • _heimdall 2 days ago
            Does El Salvador do gulags? I thought that was more of a Russian approach to imprisonment.
            • skrebbel 2 days ago
              Parent commenter doesn't mean literal gulags, but a similarly bad place people are sent to by a similarly bad government.
              • touristtam 1 day ago
                I think the commenter was asking for a clarification on the hyperbole used. Unsure on the intent being candidly asked or there was an agenda (as it is often the case with political discussions).

                Hopefully the El Salvador deal is a far cry from the internment camps from the 19th & 20th century.
            • __jonas 2 days ago
              This is likely in reference to a recent deal the US (Trump) has made with El Salvador, allowing them to ship US citizens off to prisons in El Salvador, whether this is actually possible is not clear at this point though [1].

              Here is some more information about the conditions in these prisons in El Salvador, CECOT being the most notable one:

              > Able to hold 40,000 inmates, the CECOT is made up of eight sprawling pavilions. Its cells hold 65 to 70 prisoners each. They do not receive visits. There are no programs preparing them to return to society after their sentences, no workshops or educational programs. They are never allowed outside. [2]

              I believe the term gulag makes sense in that context despite it not being a forced labor camp. Not sure how this relates to Russia at all (apart from the origin of the term obviously).

              [1] https://apnews.com/article/rubio-trump-deportations-usaid-f7a62a10b9a5d81582d05a33ff2281a4

              [2] https://apnews.com/article/el-salvador-us-rubio-prison-de912f6a8199aaa7c8490585dcaa3b87
              • pavel_lishin 2 days ago
                > *despite it not being a forced labor camp.*

                Well, not yet, anyway.
        • hattmall 2 days ago
          Targeting and profiling. Reselling the data.
          • _heimdall 2 days ago
            Maybe I'm wrong, but that feels pretty similar to fingerprinting. Usually that's why online services try to fingerprint you, for advertising and data revenue.
          • DevKoala 2 days ago
            That is what the fingerprinting is for.
            • YetAnotherNick 2 days ago
              Fingerprinting is just for identifying user, not getting user data. You can potentially resell things like app usage to credit rating company.
              • DevKoala 2 days ago
                That is profiling.

                Fingerprinting is an identification mechanism. It is most commonly used for targeting and profiling.
  • zx8080 2 days ago
    > For extremely specific use cases such as file managers, browsers or antivirus apps, Google grants an exception by allowing QUERY_ALL_PACKAGES permission, which provides full visibility into installed apps.

    Why would browser need to enumerate the installed apps?

    Why?!
    • Borealid 2 days ago
      When a user visits a play.google.com URL Google wants to be able to show either an "install" or a "launch" button contingent on whether the app is already installed.

      In other words, blame Google product management.
      • Jach 2 days ago
        I don't buy this. Google has this information on their backend, they don't need to query any local state. Indeed, when I visit a play.google.com URL, google checks if my browser is logged in or not. If it is not, the default is "Install" no matter what. If I do have a session, then it's either "Install" if I don't have it installed, or "Install on more devices" if I do have it installed.
        • NoahZuniga 2 days ago
          This is true, but if they didn't allow this permission for other browser apps that would be anti-competitive.
      • lurking_swe 2 days ago
        this doesn’t make sense and sounds like an excuse IMO.

        Instead of the browser enumerating all apps, why can’t it check when you visit a page if the current page (ONLY the current page) is installed as an app?
        • jerbear4328 2 days ago
          How would the OS know if the app that the browser is querying about is actually the current page? For all the OS knows, the user might be quickly visiting a ton of play.google.com pages for the top 1000 apps on the app store.
          • lurking_swe 2 days ago
            > How would the OS know if the app that the browser is querying about is actually the current page?

            Maybe I’m missing something, but it sounds like it would be easy for google to support this functionality by letting developers configure this in their app “bundle”. A property that tells the OS “my app is related to domain example.com”. Make it an array of domains if you must.
            • codethief 2 days ago
              > A property that tells the OS “my app is related to domain example.com”. Make it an array of domains if you must.

              Elaborating on the sibling's comment: There is already such a property that apps must set in their manifests in order for them to be able to react to links/intents for domain-associated-with-the-app.com.

              But it doesn't address the question of how a browser is supposed to be able to open links to domain-associated-with-the-app.com in that app, without Android revealing to the browser whether the app is installed or not. In short: The browser will, by construction, be able to determine which apps you've got installed or not.
              • pizza 2 days ago
                I mean, do Windows or macOS tell the browser which mail apps you have installed when it handles a mail:// URI?
                • josephg 2 days ago
                  No, but web browsers do have the ability to ask the OS which application is associated with a certain url type.

                  But it doesn’t leak that information to web pages.
            • charcircuit 2 days ago
              Intent filters can be for domains. It's how deeplinks work. But with querying being locked down you can't know what apps can handle a deeplink.
          • heavenlyblue 2 days ago
            make it into a system dialog?
            • LordShredda 2 days ago
              But God forbid users learn how to use their device. All of this could be prevented by having the users manually pick the application instead.
      • catigula 2 days ago
        A minor UX difference doesn't really feel like a great case for reducing user privacy, it makes me a little concerned about priorities... which I already was, really.
      • kelvinjps10 2 days ago
        These kind of links open the play store app directly and the information is displayed there
    • billfruit 2 days ago
      Indeed some of these apps really ask for a more expansive set of permissions than they need.

      Obsidian for example asks for permission for entire filesystem, while it really needs to access the files which the user needs it to see.
    • nulld3v 2 days ago
      File managers need full access as you can use that ability to extract and inspect the code of any apps installed on the system. It is a very useful feature and I would hate for it to be removed.
    • Kwpolska 2 days ago
      Perhaps it's checking which apps can handle links?
      • mightysashiman 2 days ago
        That is managed by the system. Settings > Apps > Default apps > Opening links
    • MrStonedOne 2 days ago
      [dead]
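The package-visibility declarations debated in this subthread (QUERY_ALL_PACKAGES, ACTION_MAIN queries, per-package probes) can be audited from an app's manifest once it is decoded to text XML. This is an added example, not code from the article or any commenter; the sample manifests, package names and the `max_packages` threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
ACTION_MAIN = "android.intent.action.MAIN"
QUERY_ALL = "android.permission.QUERY_ALL_PACKAGES"

# Constructed sample: a hypothetical delivery app, not a real manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.groceries">
  <uses-permission android:name="android.permission.INTERNET"/>
  <queries>
    <package android:name="com.example.bank"/>
    <package android:name="com.example.calendar.regional"/>
    <package android:name="com.example.remotedesktop"/>
    <intent>
      <action android:name="android.intent.action.MAIN"/>
    </intent>
  </queries>
  <application/>
</manifest>
"""

# Constructed sample: only asks which apps can open https links for one host.
NARROW_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.reader">
  <queries>
    <intent>
      <action android:name="android.intent.action.VIEW"/>
      <data android:scheme="https" android:host="example.com"/>
    </intent>
  </queries>
  <application/>
</manifest>
"""


def audit_package_visibility(manifest_xml, max_packages=2):
    """Summarise how much of the installed-app list a manifest asks to see.

    max_packages is an arbitrary review threshold (assumption): more explicit
    <package> probes than this are reported so a reviewer can ask why.
    """
    root = ET.fromstring(manifest_xml.strip())
    permissions = {p.get(ANDROID + "name") for p in root.findall("uses-permission")}

    packages, broad_intents = [], 0
    for queries in root.findall("queries"):
        packages += [p.get(ANDROID + "name") for p in queries.findall("package")]
        for intent in queries.findall("intent"):
            actions = {a.get(ANDROID + "name") for a in intent.findall("action")}
            # Heuristic: a MAIN query with no <data> constraint is not tied to
            # any link type or host, so it matches apps in general.
            if ACTION_MAIN in actions and intent.find("data") is None:
                broad_intents += 1

    findings = []
    if QUERY_ALL in permissions:
        findings.append("QUERY_ALL_PACKAGES: full visibility into installed apps")
    if broad_intents:
        findings.append("ACTION_MAIN query without <data>: matches any app with a MAIN activity")
    if len(packages) > max_packages:
        findings.append(f"{len(packages)} explicit <package> probes: " + ", ".join(sorted(packages)))
    return {"packages": packages, "broad_intents": broad_intents, "findings": findings}


if __name__ == "__main__":
    for name, manifest in (("sample", SAMPLE_MANIFEST), ("narrow", NARROW_MANIFEST)):
        report = audit_package_visibility(manifest)
        print(name, report["findings"] or "no broad visibility declared")
```

Manifests inside an APK are stored in a binary XML format, so they must be decoded to text before a check like this can parse them.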
  • andsoitis 2 days ago
    > everyone knows all the apps on your phone

    On Android phones. iPhone doesn’t have this privacy deficiency.
    • knlam 2 days ago
      Actually you can via private API, which Apple apps use all the time but forbid other apps to use

      https://blog.verichains.io/p/technical-analysis-improper-use-of
    • wkat4242 2 days ago
      On iOS it's kinda worse in some ways. If you enroll into a company MDM they can see all your apps.

      On Android if they use the work profile (which is the standard method these days) they can only see the apps inside there.
      • mgriepentrog 2 days ago
        Apple introduced account-driven enrollments in 2021[1], which behaves similar to Android's work profile. Managed apps/data are kept in its own APFS volume, and MDM servers don't have access to anything outside of it. They also disallow system-wide commands like wipe device. The only caveat is you need managed Apple IDs[2] to use this enrollment flow, and I doubt many companies have set it up.

        Regardless, MDM installed app visibility is limited to those users who opt-in to an organization managing their personal device, and isn't an effective way to broadly gather what apps a given person has installed. What's described in this post would work on any user/device, and there's no way to deny/opt-out of specific permissions.

        [1] https://developer.apple.com/videos/play/wwdc2021/10136/

        [2] https://support.apple.com/guide/apple-business-manager/use-managed-apple-accounts-axm78b477c81/web
        • wkat4242 2 days ago
          Yes I know about User Enrolment. The problem is the managed Apple IDs are a complete and total dealbreaker. So I'm not even considering this as an option.

          The reason is that Apple demands that the UPN (the account ID) and the email address are the same. For us this is not the case (our UPN is our employee number as an email address, whereas our email address is just our name). And obviously we're not going to change this for ten thousand users because Apple wants to (most of which don't have Apple devices because we're a European company). Also, you have to manually decide what happens to each user that has already created an account with their corporate email address and what to do with the content they purchased on it. This is not feasible for a large corp. We have commented this to our Apple account manager for years and years but they simply don't care. If you work in this realm you probably know that Apple doesn't really care about things that matter for their corporate customers anyway. The consumer is their main client and it shows (unlike with Microsoft where it's the opposite).

          So the whole account-driven enrolment (User Enrolment) as well as everything else depending on managed Apple IDs like DEP for Macs is completely out of the window.

          The problem in my opinion is that I as an admin can simply query for example all the employees that have something like Grindr installed. Considering the current political climate in the US (or worse, the middle east where this can lead to a death sentence in some cases) it's obvious why this is super bad. And really, why should we be able to do this at all?
        • whs 2 days ago
          I'm working on implementing this for the company, and the annoying limitation on iOS is that you can't clone apps. If you want Gmail (as an example) as managed app, you can't have another Gmail as unmanaged app. While the company can't see inside the Gmail managed app (without the app itself explicitly providing that feature), the company can remove Gmail (and any local data inside the app) at any time.

          Fun fact from the MDM implementation - the most private way (at least to the company policies) to have a company-connected device is to buy a separate phone and install company's MDM on it. On company provided devices, the company may locate company's assets at any time but doing so on a personal device is a privacy breach.
          • wkat4242 2 days ago
            Yes, Apple hates the idea of work-badged apps that Android has. I have to admit, a lot of our users don't grok it either at first. However once they realise the benefits (the company has much less visibility, AND they can turn off the work section completely with the touch of a button) they usually come around pretty quickly.

            The bad part of this is that apps have to specifically support the multiple profiles option, otherwise they can't be used for this.

            And yes, I agree, that is the best way. We have the same restrictions for personal devices. Though I as an admin know we never use the locate functionality (and I know every person who has access to it).
            • illiac786 1 day ago
              Do you know if account driven enrolment requires different phone numbers for the MDM managed apps and the personal ones? Specifically for the diaper app for example.
              • wkat4242 18 hours ago
                I don't believe they do, no. The numbers aren't all that important in terms of MDM. We don't even see the number if someone inserts a second private SIM in their company phone. We consider that personal information we shouldn't even know.
      • fashion-at-cost2 days ago
        I would have to strongly recommend nobody enroll a personal device in a company MDM. If the company needs you to have mobile connectivity that badly, they can give you a device.
        • illiac7861 day ago
          I think it’s a personal decision. I really, really do not want to carry two huge slabs around. One is already too much.<p>Account driven MDM enrolment pushes the Pareto front when it comes to privacy&#x2F;conveniency compromises from my point of view. I will ask my IT if they have already looked at it.
          • fashion-at-cost16 hours ago
            The benefit with the two device approach is when you can <i>not</i> carry both devices for the majority of the time. If I’m not explicitly on call, my work device isn’t with me. Anything anyone says to me <i>will</i> wait until I’m back in the office.<p>If you have the self control to refuse to ever check Slack and disable all notifications&#x2F;etc on your personal phone when not on call, this doesn’t apply as much. But for me I default to trying to stay on things and forcing myself to disconnect is a net good, even if it does mean I carry two phones at times. My pockets are large.
      • jmb992 days ago
        I mean... isn’t that expected of an MDM? I have always assumed that any company device (i.e. any device enrolled in an MDM) is under 100% control and surveillance of that company. Being able to see my installed apps is the least of my worries.
        • wkat42422 days ago
          No I (as a mobile admin) don&#x27;t think it should be like that at all, at least not for BYOD devices.<p>Android has this really well worked out with their work profile. It&#x27;s like having a company VM on your phone. Really great separation.<p>But on Apple we can&#x27;t use a similar option which I admit does exist, but there&#x27;s too many strings attached (see the discussion above).
      • asah2 days ago
        get a separate device for work ?
        • pjerem2 days ago
          <i>ask</i> a separate device for work.
          • wkat42422 days ago
            True, if you use it for work they should provide you one.<p>The problem is of course carrying two devices with you.
    • WuxiFingerHold2 days ago
      iPhones are <i>less</i> of a privacy nightmare.<p>One of the biggest incentives for creating apps is to scrape all kind of data from the users. Look at how many apps require permission to see your contacts. And how many actually need your contacts to function. That&#x27;s why I&#x27;m still a bit surprised that many seem to be surprised by findings like this one here.
      • josephg2 days ago
        I wish there was an option for “give bogus contacts” which showed the app a list of contacts - but it was all randomly generated junk. Make it so the app can’t tell if the contacts it gets are real or fake.<p>I read a fiction book years ago where there were cameras everywhere. To get privacy, instead of hiding their identities the protagonist paid companies to insert bogus information into the information brokers’ network. So if they tried to figure out where they were on a certain day, 20 records would match. I think this is a much more likely vision of the future.
        • 3np2 days ago
          I guess rather than closing my Google account I should have removed the 2FA and changed the password to a weak one on the HIBP list (:
      • wruza2 days ago
        <i>Look at how many apps require permission to see your contacts. And how many actually need your contacts to function.</i><p>That is, again, not <i>require</i> but <i>ask for</i> on iPhone. I have zero non-functioning apps on my iPhone due to denied access to contacts. Even a Chinese bluetooth light controller doesn&#x27;t dare (while refusing to work on Android for the same reason).<p>You can hate Apple&#x2F;iPhone ecosystem all you want, but let&#x27;s not sneak false claims into how they actually work.
        • hk__22 days ago
          &gt; I have zero non-functioning apps on my iphone due to denied access to contacts.<p>You don’t have WhatsApp then.
          • nechuchelo2 days ago
            I do and deny it access to contacts. Everything works fine.
          • jen202 days ago
            iOS grants just the contacts you select - including “none” to apps. WhatsApp works fine in that regime.
      • hk__22 days ago
        &gt; Look at how many apps require permission to see your contacts.<p>It is so annoying that it’s either &quot;give access to ALL my contacts and ALL their information (yes, even the notes I took on their favorite things for next Christmas)&quot; or &quot;don’t give access&quot;. I wish we could limit the number of contacts and the level of information we give.
        • CharlesW2 days ago
          &gt; <i>It is so annoying that it’s either &quot;give access to ALL my contacts and ALL their information… […] I wish we could limit the number of contacts and the level of information we give.</i><p>iOS added fine-grained (at the contact level) access to contacts data last year.<p><a href="https:&#x2F;&#x2F;lifehacker.com&#x2F;tech&#x2F;you-can-control-which-contacts-apps-can-access-in-ios-18" rel="nofollow">https:&#x2F;&#x2F;lifehacker.com&#x2F;tech&#x2F;you-can-control-which-contacts-a...</a>
          • MBCook1 day ago
            They did the same for photos years ago.<p>Many apps have not updated and perhaps never will.
            • CharlesW1 day ago
              They don&#x27;t need to be, since it&#x27;s enforced at the OS level. Users can limit permissions to individual contacts regardless of whether iOS apps have been updated to explicitly handle that use case.
              • MBCook18 hours ago
                I meant updated to the newer nicer replacement UIs.<p>For example I know Slack still doesn’t use the single picture picker. They still want access to everything.<p>So iOS lets me limit what they can see, but it’s still a pain compared to just letting me pick the one picture I want.
        • subscribed2 days ago
          Check if GrapheneOS suits your needs. It has &quot;contact scopes&quot;, i.e. you can literally allow the app to see single contact only.<p>Same with storage scopes: one directory and that&#x27;s it.
        • mercutio21 day ago
          iOS hasn’t allowed access to contact notes for several years, and last year added support for providing arbitrary subsets of contacts to all apps.
        • normie30002 days ago
          Photo access has improved a lot in this regard recently.
    • scarface_742 days ago
      This was somewhat mitigated on iOS a few years ago.<p>You could try to communicate with an app via the custom URI scheme and if it succeeded, it would know you have the app installed. Twitter used this for fingerprinting.<p>An app has to get a special intent and has to list the apps it wants to use it for.
    • neither_color2 days ago
      Speaking of iPhone, I&#x27;m curious about something. On occasion, I log into the [former] bird app using the web app because it&#x27;s enough to check up on some key follows.<p>Recently, they released a major update to their LLM feature and I installed the app to check it out. While I had the app installed, every time I checked the mobile website there was a large banner directing me to go to the app. Ad blockers and distraction blockers would not get rid of it. When I deleted the app again, it was gone. What gives? Why does the mobile website know whether I have the app installed? How come content+distraction blockers are enough to block all reminders to use the app when it&#x27;s not installed, but are irrevocable if I have the app installed?
      • js22 days ago
        Apple calls these Smart App Banners. Webkit cooperates with iOS to present them according to a meta tag in the page:<p><a href="https:&#x2F;&#x2F;developer.apple.com&#x2F;documentation&#x2F;webkit&#x2F;promoting-apps-with-smart-app-banners" rel="nofollow">https:&#x2F;&#x2F;developer.apple.com&#x2F;documentation&#x2F;webkit&#x2F;promoting-a...</a><p>You can get rid of them with the Unsmartifier extension.<p><a href="https:&#x2F;&#x2F;old.reddit.com&#x2F;r&#x2F;apple&#x2F;comments&#x2F;q55753&#x2F;unsmartifier_safari_webextension_to_remove_smart&#x2F;" rel="nofollow">https:&#x2F;&#x2F;old.reddit.com&#x2F;r&#x2F;apple&#x2F;comments&#x2F;q55753&#x2F;unsmartifier_...</a><p>The StopTheMadness extension can also remove them (among many other things... this extension is a must have for me):<p><a href="https:&#x2F;&#x2F;underpassapp.com&#x2F;StopTheMadness&#x2F;support-ios.html" rel="nofollow">https:&#x2F;&#x2F;underpassapp.com&#x2F;StopTheMadness&#x2F;support-ios.html</a>
        • hnburnsy2 days ago
          &gt;Apple calls these Smart App Banners. Webkit cooperates with iOS to present them according to a meta tag in the page<p>JFC. Are they disabled if you ask for the desktop site?
          • uni_baconcat2 days ago
            I think it won’t. I tried opening X.com desktop version on iPad, Safari still showed “open with X app”.
      • happyopossum2 days ago
        &gt; Why does the mobile website know whether I have the app installed?<p>To clarify - the mobile website doesn’t. It has meta tags that tell Safari what app it’s tied to, and Safari displays the associated app banner.
    • MBCook1 day ago
      They did, long ago. I remember when it was shut down after someone made the problem public, like this.<p>I’m amazed Android still allowed this in 2022.
    • piyuv2 days ago
      Right, only Apple knows, but it’s ok, they’re the good guys
      • andrei_says_2 days ago
        Definitely not “good” but I’m still to see anything remotely resembling the complete disregard for privacy and security typical for the adtech-driven android ecosystem.<p>Just a different business model, not a display of moral values.<p>Sure, Pegasus exists but I don’t think it is commodified yet.
      • jmb992 days ago
        Ignoring the sarcasm...<p>What evidence is there&#x2F;can you present that Apple is making use of this information in a negative way?<p>How can Apple <i>not</i> have a list of installed apps on your phone while maintaining basic functionality (automatic updates, reinstalling apps from backup, etc)?
      • PaulRobinson2 days ago
        Sort of. They have a list of apps you&#x27;ve bought&#x2F;installed through app store, and they can figure out what you&#x27;ve deleted based on what your phone is pinging for update checks on.<p>If they went beyond that, or disclosed that knowledge, or allowed an app to get that manifest without your permission, it would destroy their brand image built around privacy, in a way that would cause long-term irreparable damage.<p>They decided to not comply with laws compelling them to add back doors to optional encryption on iCloud storage, rather than tarnish that image, because they know how valuable that trust is.<p>You can dump on Apple all you want, but compared to Google who plead with people to use their browser and phones to improve adtech surveillance they can monetize, I think they&#x27;re doing OK and are a <i>lot</i> more trustworthy.
      • criddell2 days ago
        &gt; they&#x27;re the good guys<p>In a relative way, they definitely are.
    • sfoley2 days ago
      It&#x27;s a clickbait title that needs to be changed to stop spreading misinformation.
    • buyucu2 days ago
      Apple is the worst product for privacy. The entire ecosystem is closed source. You know nothing about what Apple is doing.
    • ctippett2 days ago
      Are you sure? I know someone in adtech and I&#x27;m pretty sure Apple allows a similar app manifest that allows you to check for specific apps. I could be wrong.
      • czk2 days ago
        Not sure about the manifest but recently I&#x27;ve seen talk about some banking apps using SBSLaunchApplicationWithIdentifierAndURLAndLaunchOptions (undocumented function in SpringBoardServices) [0] to try to launch another app on the phone by the bundle id, and they can determine if it&#x27;s installed or not.<p>They were using this trick to detect unauthorized apps on the phone.<p><a href="https:&#x2F;&#x2F;blog.verichains.io&#x2F;p&#x2F;technical-analysis-improper-use-of" rel="nofollow">https:&#x2F;&#x2F;blog.verichains.io&#x2F;p&#x2F;technical-analysis-improper-use...</a><p>[0] - <a href="https:&#x2F;&#x2F;gist.github.com&#x2F;wh1te4ever&#x2F;c7909dcb5b66c13a217b49ea3e320caf" rel="nofollow">https:&#x2F;&#x2F;gist.github.com&#x2F;wh1te4ever&#x2F;c7909dcb5b66c13a217b49ea3...</a>
      • phony-account2 days ago
        &gt; I know someone in adtech and I&#x27;m pretty sure Apple allows a similar app manifest that allows you to check for specific apps. I could be wrong.<p>On iOS an app developer will need to register in advance which external applications their app intends to query, and the list needs to be very short and motivated. [1]<p>Incidentally, “I have a friend who says...” isn’t really a good citation anywhere outside Reddit - which HN resembles more and more each day.<p>[1] <a href="https:&#x2F;&#x2F;www.hackingwithswift.com&#x2F;example-code&#x2F;system&#x2F;how-to-check-whether-your-other-apps-are-installed" rel="nofollow">https:&#x2F;&#x2F;www.hackingwithswift.com&#x2F;example-code&#x2F;system&#x2F;how-to-...</a>
        • ctippett2 days ago
          Thanks for the information.<p>I suppose a more appropriate turn of phrase would&#x27;ve been &quot;I&#x27;d heard anecdotally...&quot;, but I agree I was lazy with my original reply. I appreciate the feedback.
          • refulgentis2 days ago
            You&#x27;re too kind, their reply was extremely rude to you. I have been here 16 years, been an iOS developer just as long, and have no idea why your comment is &quot;Reddit.&quot;<p>A simple thought exercise for me is &quot;Which of these two comments is more Reddit?&quot; - I&#x27;d say the one that came with curiosity is HN, the one that bats around half truths combatively and invoking Reddit isn&#x27;t.
          • collingreen2 days ago
            You&#x27;re nice. I don&#x27;t appreciate the extremely tired &quot;hn looks more and more like Reddit every day&quot; slop and I think you handled it with grace.
            • reaperman2 days ago
              Comparing HN to Reddit is explicitly against HN guidelines. Though sometimes I think the only reason it’s never “true” is because Reddit is a moving target. Both HN and Reddit get worse over time, so HN never catches up to how bad Reddit is.<p>Also the bots have not invaded HN, which is a truly massive distinction.
              • phatskat2 days ago
                &gt; Both HN and reddit get worse over time<p>I think this is probably true of any online community. I’d wager that an online community needs more users to grow and be sustainable, and more users inevitably means more content, and more content means less _high-quality_ content overall.
        • robin_reala2 days ago
          Could you take a moment of your time to read the last point in the HN Commenting Guidelines? <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;newsguidelines.html">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;newsguidelines.html</a>
        • swat5352 days ago
          Is that also the case for alt-store apps available in EU ?
        • refulgentis2 days ago
          I don&#x27;t think it is worth being dismissive.<p>I snorted when I got to the self-important haughtiness about reddit.<p>Why?<p>- You immediately recognized what they meant.<p>- They weren&#x27;t advancing a claim, they were indicating a basis for their interrogative, likely to avoid seeming naive when claiming it out of nowhere.<p>- The article we&#x27;re commenting on describes the same mechanism you claim differentiates iOS. (&quot;register in advance...which applications...intends to query, and the list needs to be very short and motivated.&quot;)<p>- I&#x27;ve worked heavily on iOS and Android since 2009. As close to a graybeard as you can get in mobile. I&#x27;m searching, reaching, grasping for any sign you&#x27;ve done anything other than Google and link the first article you saw, and I can&#x27;t find _any_. At all. But I don&#x27;t think that&#x27;s wrong. You&#x27;re trying. Why is it wrong for the person you asked to try too?<p>- There&#x27;s strong signs you didn&#x27;t read the article we&#x27;re commenting on.<p>- If you had, it is unlikely you would have said iOS was differentiated, then laid out the exact same mechanism described in the article.<p>- There&#x27;s strong signs you didn&#x27;t read the article you linked.<p>- On iOS you can register <i>URL schemes</i> in a plist, these aren&#x27;t &quot;external applications you intend to query&quot; and the list does not have to be &quot;very short and motivated&quot;<p>I get cranky too, but, I am grateful I recognize it is very reddit to cry Reddit and edit it out, or delete.
          • phony-account2 days ago
            &gt; There&#x27;s strong signs you didn&#x27;t read the article you linked.<p>What could possibly indicate I didn’t read the article? Of course I read it. Isn’t your assumption of my bad faith also explicitly against HN’s guidelines?<p>&gt; On iOS you can register URL schemes in a plist, these aren&#x27;t &quot;external applications you intend to query&quot; and the list does not have to be &quot;very short and motivated&quot;<p>I’m also an iOS developer- and yes it does.
            • cosmic_cheese2 days ago
              Yeah Apple used to be more loose with registered URL schemes, but tightened up a few years ago and so now if you submit with a huge list of schemes the app has no good reason to use you’re going to get bounced.
            • refulgentis2 days ago
              &gt; What could possibly indicate I didn’t read the article?<p>What I laid out, namely, that you described iOS the same as the article, while simultaneously claiming iOS differs significantly.<p>&gt; On iOS you can register URL schemes in a plist, these aren&#x27;t &quot;external applications you intend to query&quot; and the list does not have to be &quot;very short and motivated&quot;<p>&gt; I’m also an iOS developer- and yes it does.<p>Which part is &quot;yes it does&quot;?<p>We both can agree quite quickly that URL schemes in a plist aren&#x27;t &quot;registering apps.&quot; You can drag this out a couple turns by playing shell games first by ignoring the URL schemes difference, then by making me do the leg work to show it&#x27;s trivial to find apps with dozens of apps in that list.<p>Either which way, I continue to be taken aback by your snarkiness towards the original post and cries of Reddit given you know you were 100% wrong on this.<p>You&#x27;re in a really bizarre situation where too much territory was staked out and you&#x27;re defending it all: you can&#x27;t claim this was a remotely accurate description <i>and</i> you read the article about Android <i>and</i> iOS is different. It&#x27;s already a farce, then throw in scolding about how HN is Reddit because of low quality posts...my goodness, my friend.<p>&gt; Of course I read it. Isn’t your assumption of my bad faith also explicitly against HN’s guidelines?<p>No, because I said &quot;There are strong signs&quot;, I didn&#x27;t say &quot;You didn&#x27;t read it.&quot;<p>Also, why would not reading be &quot;bad faith&quot;?<p>You are extremely focused on making attacks and perceiving them in others, please take a step back and note: &quot;But I don&#x27;t think that&#x27;s wrong. You&#x27;re trying. 
              Why is it wrong for the person you asked to try too?&quot; - you shouldn&#x27;t have to make up an interpretation where gently chiding you for being rude turns into invoking rules and accusing you of bad faith
  • Tmpod2 days ago
    It requires root, but you can block&#x2F;spoof this with an LSPosed[1] module such as XPrivacyLua[2]. I hear there&#x27;s also the closed-source AppOps[3], but I&#x27;ve never used it.<p>[1]: <a href="https:&#x2F;&#x2F;lsposed.org" rel="nofollow">https:&#x2F;&#x2F;lsposed.org</a> [2]: <a href="https:&#x2F;&#x2F;github.com&#x2F;M66B&#x2F;XPrivacyLua" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;M66B&#x2F;XPrivacyLua</a> &#x2F; <a href="https:&#x2F;&#x2F;github.com&#x2F;0bbedCode&#x2F;XPL-EX" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;0bbedCode&#x2F;XPL-EX</a> [3]: <a href="https:&#x2F;&#x2F;appops.rikka.app" rel="nofollow">https:&#x2F;&#x2F;appops.rikka.app</a>
    • dheerajvs2 days ago
      I&#x27;ve not heard of XPrivacyLua, which is by the same author of the excellent NetGuard[0], which I&#x27;ve been using for years.<p>Interestingly XPrivacyLua is not supported anymore and the pro companion app will be removed from the Play store by Google because it uses the permission QUERY_ALL_PACKAGES.[1]<p>[0]: <a href="https:&#x2F;&#x2F;github.com&#x2F;M66B&#x2F;NetGuard" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;M66B&#x2F;NetGuard</a> [1]: <a href="https:&#x2F;&#x2F;xdaforums.com&#x2F;t&#x2F;closed-app-xposed-6-0-xprivacylua-android-privacy-manager-unsupported.3730663&#x2F;page-325#post-87086407" rel="nofollow">https:&#x2F;&#x2F;xdaforums.com&#x2F;t&#x2F;closed-app-xposed-6-0-xprivacylua-an...</a>
      • Tmpod2 days ago
        Indeed, it is a shame. However, XPL-EX is a fork (though with much internal code (re)written at this point) with even more capability, while maintaining the familiar and simple UI. Seems pretty neat!
  • cheschire2 days ago
    Can windows apps (not installed from the MS store) enumerate through the window titles of all open windows? How hard would it be for an app to monitor all of your web traffic based on the title alone?<p>Legit question. ChatGPT isn&#x27;t super helpful here since it agrees with everything when I&#x27;m really looking for someone to say why this isn&#x27;t really feasible in the real world.
    • userbinator2 days ago
      Long-time Win32 programmer here - yes. This is by design. To use an analogy, Windows is like a &quot;high-trust society&quot;.<p>There are functions EnumWindows() and EnumChildWindows() specifically for this purpose.<p>See utilities &quot;Windows Modifier v2.00&quot; (when I first downloaded it there were many pages about it, but it&#x27;s a sign of how forgetful the Internet has become that I barely get any results about it now even searching for that exact name) and Microsoft&#x27;s own Spy++ (SPYXX.EXE) for an example of this functionality.<p>The solution to an app you don&#x27;t trust is to not use it at all, or use it in a VM.
      • phyzix57612 days ago
        How do you identify apps that you shouldn&#x27;t trust? Sometimes trust is assumed only until evidence is given that trust shouldn&#x27;t be given. Which makes no sense to me. Why was the initial trust so easily given?<p>A solution is to not use third party apps but most people aren&#x27;t going to go that route. The VM idea is a good option though.
        • pjerem2 days ago
          &gt; Why was the initial trust so easily given?<p>Because this architecture predates the existence of the current privacy nightmare.<p>In fact it predates the general availability of the internet. How could a program you would install from a floppy&#x2F;compact disk bought on a store behave maliciously if you didn’t or barely had access to the internet ?<p>And then it stayed like this because Windows is heavily marketed as being retro compatible.
          • userbinator1 day ago
            It&#x27;s also from a time when corporate mass surveillance was universally hated, software was not a service, and &quot;phoning home&quot; or requiring an Internet connection considered unacceptable to the majority of users.
    • ranger_danger2 days ago
      Not only can most apps see the titles of all other open windows on the system, but they can log all your keystrokes, take screenshots, record audio&#x2F;video of you or your screen, or copy&#x2F;delete all the files in your home directory, without any explicit permission or notification.<p>This is at least true for Windows and most traditional (X11 at least) *nix systems.<p>That is one thing I think Android got right... by default it runs every application as a different user. That means different home folders and no visibility into other apps.
      • esprehn2 days ago
        Originally Android apps could draw over top of any other app though which is a phishing nightmare. It took them a long time to make that a permission, and then everyone granted it until they finally added the bubbles API recently.<p>Permissions are difficult to get right, and Android is unfortunately pretty slow to react.
      • Numerlor2 days ago
        On windows you shouldn&#x27;t be able to do (most of) these directly with apps running under admin, though that&#x27;s a small consolation when the browser is a normal process.<p>I&#x27;m not sure if we&#x27;ll get away from these anytime soon as any out of the box solution will inherently limit the user&#x27;s freedom that has persistently been there for decades on PCs
        • ranger_danger2 days ago
          I have absolutely done all of these things on Windows, even for commercial applications. Programs that keylog (i.e. calls SetWindowsHookEx) sometimes get tagged by antivirus though.
    • tredre32 days ago
      &gt; How hard would it be for an app to monitor all of your web traffic based on the title alone?<p>Although not terribly accurate (because of the high variability of page titles), tools like ManicTime and ActivityWatch use windows titles to track your browser history if you don&#x27;t install the browser plugin.<p><a href="https:&#x2F;&#x2F;www.manictime.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.manictime.com&#x2F;</a><p><a href="https:&#x2F;&#x2F;activitywatch.net&#x2F;" rel="nofollow">https:&#x2F;&#x2F;activitywatch.net&#x2F;</a>
    • bcoates2 days ago
      Windows has a whole different (looser, older) security model. There are no security barriers between windows running on the same desktop. (In particular, &quot;UAC is [still] not a security barrier&quot;--when you hit ok&#x2F;type in a password to elevate a process, you’re effectively elevating the whole desktop and everything you&#x27;re running.)
      • jorvi2 days ago
        No, that is completely wrong and would be nuts. The only way the whole session gets elevated is if you&#x27;d launch explorer.exe with an admin token.<p>The way privilege escalation works on Windows is that pretty much everything gets launched with a standard user access token by default, and processes can request an admin access token in a few ways, UAC being the main one. When a process is supplied that token, <i>that process</i> is elevated.<p>It is more akin to &#x27;sudo&#x27; rather than &#x27;su&#x27;, which makes sense because its progenitor is &#x27;runas&#x27; from Windows 2000.
        • bcoates2 days ago
          (Only) the process is elevated, but the process has a window on a shared session, and the OS does not successfully protect processes that share a session (and user, and registry, and disk, etc., etc.) from controlling each other.<p>From an API point of view, only one process is elevated. From a security point of view, if one process is elevated they all are, due to a lack of any effective mechanism that actually stops them.
          • jorvi2 days ago
            No, even then there are things like Mandatory Integrity Control and Windows Message Restrictions &#x2F; UIAccess. I&#x27;d dive into it deeper but I just got home from going out haha. Those terms should help you dig into it though!<p>I do fully agree that desktop OSes are a legacy security model and they can&#x27;t hold a candle to that of iOS. Android is getting there, but because it also started from mostly an open all-access model it&#x27;s been having the same warts.
      • SpaghettiCthulu2 days ago
        Can you inject into an elevated process from a non-elevated one?
    • myself2482 days ago
      Oh yeah, AutoHotKey&#x27;s ability to do this actually underlies a lot of useful AHK scripts.
      • yjftsjthsd-h2 days ago
        Right; I think having the API exist is a good thing, it&#x27;s just a question of making sure that it&#x27;s only used in ways that the user allows. Your own scripts inspecting and controlling arbitrary windows on your own machine =&gt; great, third party programs doing the same thing without your informed consent =&gt; bad. (In practice, this means I&#x27;m a big fan of extensive permission systems that have the ability to deny or fake responses at the user&#x27;s direction)
    • gruez2 days ago
      Most windows apps aren&#x27;t sandboxed, so them being able to grab window titles is the least of your worries. Any program can steal your login sessions and passwords if they wanted to.<p><a href="https:&#x2F;&#x2F;xkcd.com&#x2F;1200&#x2F;" rel="nofollow">https:&#x2F;&#x2F;xkcd.com&#x2F;1200&#x2F;</a>
      • facile32322 days ago
        Are you essentially discussing like a keylogger? I can&#x27;t imagine windows intentionally keeps the plaintext password anywhere longer than it needs to be.
        • 9dev2 days ago
          That, but consider also how an application running with your user privileges has full access to the filesystem with those privileges, so it can read your entire home directory, for example. That includes your browser profile with all cookies, and all credentials that applications store there unencrypted. Not to mention how that allows for all the fingerprinting even the most nefarious marketer could wish for.<p>Oh, and the UAC confirmations to elevate your apps permissions to root? People will gleefully confirm them without reading what needs access anyway, so you’re golden to do whatever you want.<p>The security model of Windows doesn’t exist.
        • halfcat2 days ago
          &gt; <i>I can&#x27;t imagine windows intentionally keeps the plaintext password anywhere longer than it needs to be.</i><p>Can’t tell if serious or not [1]. Also any program can read any saved password out of Windows Credential Manager.<p><a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Mimikatz" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Mimikatz</a>
        • gruez2 days ago
          Obviously there&#x27;s no way for a malicious program to grab your login credentials that you&#x27;ve entered into an incognito tab that have been closed. There might not be sandboxing, but viruses can&#x27;t timetravel yet. However that&#x27;s not going to be much of a defense when many users use password managers, and are terrible at detecting malware (so it&#x27;s only a matter of time before their passwords are keylogged).
          • misnome2 days ago
            &gt; viruses can&#x27;t timetravel yet<p>_Windows Recall to the rescue!_
        • Eavolution2 days ago
          Actually windows can keep them in memory for a lot longer than you&#x27;d think, hence Mimikatz <a href="https:&#x2F;&#x2F;github.com&#x2F;ParrotSec&#x2F;mimikatz" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;ParrotSec&#x2F;mimikatz</a>
        • justonenote2 days ago
          It&#x27;s disconcerting to see such naivety around security issues on HN.<p>Not that Windows is keeping passwords in plaintext, but that it&#x27;s not immediately obvious that un-sandboxed apps that run on your Windows&#x2F;Linux&#x2F;Mac desktop have virtually unlimited other avenues to capture passwords given they can read the entire state of other windows at the very least.<p>I dunno maybe macOS is slightly better, and Wayland definitely has some things which are better about this, but desktop OS and $locally_installed_app means $locally_installed_app basically has root, there is just an exploding amount of vectors.<p>I&#x27;d like to see a Linux based distribution use some of the sandboxing in Android, it would be an order of magnitude improvement over what is going on now.
    • edoceo2 days ago
      Yep, not difficult at all.<p>This prompt got me some mostly looks OK Python<p>&gt; Can you make a simple windows program that will get all the window titles from active programs running
      • halfcat2 days ago
        Definitely possible. This is how chat bots worked on AOL in the 90’s, basically the FindWindow and FindWindowEx functions in the win32 API. Hasn’t changed much (if any) since then.
    • kelvinjps102 days ago
      In windows you can, there is an API for windows titles, I know because I was building an app that needed it
  • hnburnsy2 days ago
    &gt;For extremely specific use cases such as file managers, browsers or antivirus apps, Google grants an exception by allowing QUERY_ALL_PACKAGES permission, which provides full visibility into installed apps.<p>&#x27;Extreme&#x27; my a*. My bank app has this permission, as well as my camera app, contacts app, clock app, Google Home, and on and on. My bank app was moved to an old iPad because of this.
    • silenced_trope2 days ago
      yea I used to work for an advertising network and every game that implemented the Android SDK ended up with this permission, it was a way that we used to not show ads for games that the user already had on their phone
  • weinzierl2 days ago
    <i>&quot;the one that blue tick twitter accounts living in certain pin codes of Bengaluru passionately discuss amongst themselves for a week every year&quot;</i><p>To someone embarrassingly unfamiliar with Indian culture, what does it mean?
    • thatloststudent2 days ago
      I want to expand on this more as someone more familiar with Bangalore&#x2F;Bengaluru.<p>Almost like clockwork, Blume Ventures releases a report every year about the state of the Indian startup ecosystem that year, and since Bengaluru startups are almost all concentrated around Koramangala or HSR layout (these are places inside Bengaluru with their own PIN&#x2F;address codes), you&#x27;ll find a lot of people talking about that online.
      • gopkarthik2 days ago
        ^ This.<p>You can read the reports at <a href="https:&#x2F;&#x2F;blume.vc&#x2F;reports&#x2F;indus-valley-annual-report-2025" rel="nofollow">https:&#x2F;&#x2F;blume.vc&#x2F;reports&#x2F;indus-valley-annual-report-2025</a> or archives at <a href="https:&#x2F;&#x2F;www.indusvalleyreport.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.indusvalleyreport.com&#x2F;</a> .<p>The ppt in the blog is from the 2024 report - <a href="https:&#x2F;&#x2F;docsend.com&#x2F;view&#x2F;zqgfupfzyud499hn" rel="nofollow">https:&#x2F;&#x2F;docsend.com&#x2F;view&#x2F;zqgfupfzyud499hn</a>. The India 1-2-3 framework is old though. IIRC it was coined by a retail sector founder (Kishore Biyani) in the 2000s.<p>Also Koramangala, HSR layout are also the more affluent localities in Bengaluru.
      • weinzierl1 day ago
        Thanks a lot. That makes total sense!
      • pavel_lishin2 days ago
        Would it be analogous to Silicon Valley in America?
    • xolve2 days ago
      Bengaluru&#x2F;Bangalore has hotspots (PIN codes are postal address codes) where there are lots of startups, mostly in ecommerce, ad-tech, online education etc. and they have incentive to upsell you a lot.<p>I guess it&#x27;s referring to some wannabe influencer buying Twitter(X) premium and posting based on half baked info on customers.<p>Mostly sarcasm, so take with a grain of salt. I can&#x27;t tell about accuracy, but explaining the cultural context here.
      • weinzierl2 days ago
        Thanks, this is helpful. Is the certain week referring to a specific festival?
        • evertedsphere1 day ago
          presumably the report comes out every year and it&#x27;s discussed for some time after that
        • xolve2 days ago
          I don&#x27;t know, sounds like any week.
    • moi23882 days ago
      The PowerPoint he talks about and is displayed the line below it
      • weinzierl2 days ago
        I know but that does not clarify the connection between blue tick, certain pin codes and a certain week in the slightest.<p>Sure, these are probably all hints to affluent members of society but I was hoping for a more detailed explanation.
        • banqjls2 days ago
          Blue tick&#x2F;check = verified Twitter accounts, from when Twitter staff chose who to give the blue tick and only gave it to journalists, technologists, etc that the twitter staff wanted to amplify. Nowadays a blue check simply means you purchased premium, but we remember the original meaning. This is not an Indian thing.<p>PIN codes = postal codes.
          • weinzierl2 days ago
            Yes, the interesting question is which PIN codes is the author hinting at and which week of the year and why. This is what I want to know. I think I can figure out the rest myself.<p>But while we are at it: What is the significance of a cow trading app. Is it used by people who treat cows as sacred or the opposite?
            • Slitted1 day ago
              I’m sorry but I have to bring this up: are these comments bait? The questions are a little too naive yet purposeful.
              • weinzierl1 day ago
                No, I was just in a different frame, seeking cultural significance while missing the obvious.<p>I expected something more along the lines of:<p>There is this cultural group some people refer to as WASPs, but they usually would not self-apply that designation. They are not a formal organization but more a fixed social group into which an individual is born within a particular system of social stratification.<p>Their cultural lives (and to a large degree their business processes) are organized along an annual cycle starting shortly after the northern winter solstice, even though they claim this is the date of birth of their religious leader. During that time and before a new cycle starts, their businesses practically come to a standstill for a week of celebrations.<p>A certain subgroup of them has become highly influential in the tech industry. Their most prominent leaders and their companies often gather in and around the zip codes 94024, 94040, 94301, 95014, 95030 in an area called <i>&quot;Silicon Valley.&quot; </i>
  • surmoi2 days ago
    Exodus Privacy will let you know about this kind of Android apps you should avoid installing <a href="https:&#x2F;&#x2F;exodus-privacy.eu.org&#x2F;" rel="nofollow">https:&#x2F;&#x2F;exodus-privacy.eu.org&#x2F;</a><p>Swiggy is actually a small player in terms of permissions requested, with &#x27;only&#x27; 47. Compare it to Weibo with 104, Wechat with 93, Facebook with 85, Snapchat with 71 (granted those apps may offer additional services that require some additional permissions, but they are definitely not worth giving them all your data...)
  • turrini2 days ago
    I don&#x27;t know if it is just me but I run every class of app in isolated &quot;islands&quot; (like work profiles) on Android. Browsers, banking apps, social media, instant messaging, tools, etc. Almost everything is isolated from another non related group.
  • einszwei2 days ago
    Just wow. I assumed that Google patched this a few years back but guess they left a few backdoors.
    • gruez2 days ago
      It&#x27;s probably more an oversight than a &quot;backdoor&quot;. They already have a &quot;frontdoor&quot; in the form of a permission that&#x27;s pre-granted to them by the OS, so there&#x27;s little need for them to devise backdoors like the android.intent.action.MAIN query that the blog post mentions.
    • I just don&#x27;t trust Google anymore. They are not the same as they were years ago and have just declined in general.<p>Play Store Review and everything takes weeks sometimes and I can&#x27;t tolerate that.
    • dhosek2 days ago
      I would pretty much assume that any Android phone is a massive privacy leak and security risk. I’d hope that an iPhone is better, but I’d be wrong.
  • solardev2 days ago
    Privacy issues aside, it&#x27;s kinda cool reading about how Indians use their phones, and also how they use English. I&#x27;d never heard &quot;beyond the pale&quot; before, and I&#x27;m still not sure what the idea of &quot;multiple Indias&quot; means when some of them are Mexico and some are Africa...?<p>I&#x27;ve also never heard of the majority of the apps being analyzed or tracked. Must be such a different world out there.
    • milesrout2 days ago
      Beyond the pale is commonly used in English. A pale is a stake, and it means beyond the boundary (set out by a fence with stakes, hence the phrase) of what is acceptable. It gained popularity in the mid 19th century. It may be related to the term &quot;the Pale&quot; which referred to the better controlled more Anglicised part of Ireland around Dublin, but there isn&#x27;t enough evidence to be sure of this. Certainly not an Indianism anyway.<p>&gt;I&#x27;m still not sure what the idea of &quot;multiple Indias&quot; means when some of them are Mexico and some are Africa...?<p>Is it not pretty obvious? It is like the phrase &quot;middle America&quot;. It doesn&#x27;t literally mean a different country. It means different wealth categories: the Indians that when considered as a whole are economically equivalent roughly to Mexico, those roughly equivalent to Indonesia (poorer) and those roughly equivalent to Sub-Saharan Africa (poorest). There are ~1b Indians that are still so poor they aren&#x27;t realistically in the market for your startup app if it wants its customers to ever spend anything, there are ~300m Indians that could be in the market for some apps, but probably mostly free ad-funded ones, and there are ~150m Indians that are quite a good market because they will happily spend money on something that provides value.<p>I got all this just from reading the post btw.
      • solardev2 days ago
        Makes sense, thanks! I love reading about how other cultures do software.
    • rashidujang2 days ago
      From the context, what I gather was meant by the idea of &quot;multiple Indias&quot; was the socioeconomic status of different demographics in India and their app usage. The presence of specific apps gives a tell to which demographic they belong to.<p>In other words, the richest demographic used certain apps and was equated to folks in Mexico, followed by the less rich equated to folks in Indonesia and the poor to Sub-Saharan Africa.
    • Explore45261 day ago
      It&#x27;s the average cooldude marketing of self-proclaimed &quot;India 1&quot;, denigrating their own people and can&#x27;t think outside of labeling others as something else.<p>These people are extremely snobbish in person when you go past their sweet talks, who don&#x27;t understand much about people. I hated the &quot;real&quot; interactions and went back to being an IC in big tech.<p>Part of it is because they don&#x27;t understand them, part of it is because they &quot;understand&quot; via someone else who told them stuff (like a redditor assuming everything on r&#x2F;india is true), part of it is their own contempt of culture due to previous reasons (&quot;ah these people are beyond any repair!&quot;). Basically, ignorance in elites.
    • nsonha1 day ago
      In some former colonies, the dialect can be a snapshot of the language back in colonial time. Happens to names as well as expressions.<p>I learned this watching a stand-up routine by Malaysian comic Nigel Ng. He was explaining his first name.
  • photonthug2 days ago
    &gt; It&#x27;s worth acknowledging that there are some legitimate reasons for an app to check which other apps are installed on your phone. For example, an app might check which UPI apps are installed to show relevant payment options.<p>Nope! Nope, nope, nope. If you&#x27;re wondering how we got into this situation.. well, it&#x27;s exactly stuff like this. Weird to see someone who&#x27;s digging into it at all also making excuses for it.<p>No one ever said &quot;I want to avoid a single extra click once every other month, so I guess I better irrevocably open my data&#x2F;phone&#x2F;life up completely to megacorp forever&quot;. And they certainly did not say this about tinycorp. People just absolutely suck at adversarial thinking, and good guys need to do it for them before bad guys can. Do you want organized crime blackmailing your politicians about dating apps and infidelity? Do you want to make it easy to do large scale targeting of ${vulnerable_people} the next time the cultural or political climate shifts?<p>Come on. Anyway shouldn&#x27;t the phone OS itself handle this rather than apps launching apps?? If not.. just let people pick a payment option, and then throw an error if the option is not available.
    • Explore45261 day ago
      Yes, the phone can handle the UPI intent.<p>What actually needs to be done is to remove the &quot;default&quot; feature and ask every-time.<p>For finer control (get ₹X off on using Y app), apps can make their own intent.
    • qwe----32 days ago
      &gt; &quot;I want to avoid a single extra click once every other month, so I guess I better irrevocably open my data&#x2F;phone&#x2F;life up completely to megacorp forever&quot;<p>Nah, it&#x27;s super annoying when I click on a link and don&#x27;t get redirected to the native app. This happens way more than once a month. Web experiences are much worse for many things.
      • photonthug2 days ago
        Cool but the attitude of “bring on the dystopian future as long as it’s more convenient for some people some of the time” is still confusing to me. Do you imagine that leaked information like this has never gotten someone killed before, and never will in the future?
      • hollow-moe2 days ago
        Good, because this is what Intents are for. No app needs to know all your installed apps to launch them with a link.
  • djrj477dhsnv2 days ago
    Anyone know if GrapheneOS has protection against this?
    • switch0072 days ago
      It doesn&#x27;t afaik. Only indirectly through multiple profiles<p>I was kind of surprised<p><a href="https:&#x2F;&#x2F;discuss.grapheneos.org&#x2F;d&#x2F;13302-query-all-packages-permission-in-grapheneos" rel="nofollow">https:&#x2F;&#x2F;discuss.grapheneos.org&#x2F;d&#x2F;13302-query-all-packages-pe...</a><p><a href="https:&#x2F;&#x2F;discuss.grapheneos.org&#x2F;d&#x2F;7800-how-to-mitigate-identifiability-from-google-accessing-installed-apps&#x2F;9" rel="nofollow">https:&#x2F;&#x2F;discuss.grapheneos.org&#x2F;d&#x2F;7800-how-to-mitigate-identi...</a><p><i>Later</i><p>For the wider audience: though don&#x27;t take this as GrapheneOS doesn&#x27;t care about privacy. I&#x27;m sure there are reasons (I didn&#x27;t read all of the linked threads) and it gives you plenty of other protections and tools - eg profiles, ability to disable all network access by app etc
      • fph2 days ago
        A rationale from the core developer [1]:<p>&gt; I&#x27;m sure there are plenty of system APIs providing this information too, and I don&#x27;t just mean APIs designed to directly provide the information.<p>&gt; It&#x27;s not useful to prevent directly getting a list of installed applications without preventing detecting which applications are installed, so this specific feature request has to be rejected. It would have to be part of a larger, much more comprehensive feature preventing apps from finding other apps. That implies outright preventing communication with non-system components which is a much different approach to applications and rules out a lot of things. [...]<p>&gt; The request should be for preventing apps from discovering which apps are installed, since anything less than that has no privacy &#x2F; security value. There&#x27;s no point in disallowing access to a list while not preventing discovering which apps are installed anyway.<p>The open issue to restrict app visibility is [2].<p>[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;GrapheneOS&#x2F;os-issue-tracker&#x2F;issues&#x2F;149#issuecomment-553590002" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;GrapheneOS&#x2F;os-issue-tracker&#x2F;issues&#x2F;149#issuecomment-553590002</a> [2] <a href="https:&#x2F;&#x2F;github.com&#x2F;GrapheneOS&#x2F;os-issue-tracker&#x2F;issues&#x2F;2197" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;GrapheneOS&#x2F;os-issue-tracker&#x2F;issues&#x2F;2197</a>
        • djrj477dhsnv2 days ago
          I get what he&#x27;s saying, but still seems like blocking the easy way of getting a list of apps, while certainly not perfect, would prevent most privacy abuse.
          • aucisson_masque2 days ago
            Yes.<p>Privacy is not an on off switch, it&#x27;s about making things leak data less.<p>I really don&#x27;t understand grapheneos development sometimes, like when they refuse to make a setting to invert the back and recent button. Yes it&#x27;s not part of AOSP but it&#x27;s so simple to do and a feature that all manufacturers offer because people want it, refusing to do that is weird imo.
    • subscribed1 day ago
      Not yet but it&#x27;s on the road map. <a href="https:&#x2F;&#x2F;github.com&#x2F;GrapheneOS&#x2F;os-issue-tracker&#x2F;issues&#x2F;2197" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;GrapheneOS&#x2F;os-issue-tracker&#x2F;issues&#x2F;2197</a>
  • therealmarv1 day ago
    It&#x27;s a known fact in the rooting community because some banking apps search for root-only apps!<p>If you root (I advise against doing that) and have LSPosed installed you can hide apps to be seen by every other app with Hide My Applist (HMA) [1] or HMAL (which I like more because it is more minimalistic) [2]<p>[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;Dr-TSNG&#x2F;Hide-My-Applist" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;Dr-TSNG&#x2F;Hide-My-Applist</a><p>[2] <a href="https:&#x2F;&#x2F;github.com&#x2F;pumPCin&#x2F;HMAL" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;pumPCin&#x2F;HMAL</a>
  • rkagerer2 days ago
    Can you see in the Play store before installing an app exactly which other apps it&#x27;s allowed to talk to? Can you see it on your phone and override?
    • gruez2 days ago
      No, not in any straightforward way, although you can theoretically:<p>1. download the APK from a mirror site<p>2. disassemble it to get the android manifest<p>3. inspect the android manifest to check for the things the blog post discusses
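The inspection step of the procedure in the comment above, sketched as a script (an added example, not code from the thread or the blog post). It assumes the APK manifest has already been decoded to text XML, for example with apktool; the sample manifest, its package names and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attributes such as android:name live in the Android XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

# Constructed sample: decoded manifest of a made-up app. Note that it has a
# MAIN action in two places: inside <queries> (a visibility request) and
# inside its own launcher <intent-filter> (normal, and not a finding).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fooddelivery">
    <uses-permission android:name="android.permission.INTERNET"/>
    <queries>
        <package android:name="com.example.rivalapp"/>
        <package android:name="com.example.payments"/>
        <intent>
            <action android:name="android.intent.action.MAIN"/>
        </intent>
        <intent>
            <action android:name="android.intent.action.VIEW"/>
            <data android:scheme="upi"/>
        </intent>
    </queries>
    <application android:label="Food">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
""".strip()


def audit_manifest(xml_text):
    """Collect the package-visibility declarations from a decoded manifest."""
    root = ET.fromstring(xml_text)
    permissions = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        permissions.update(p.get(NAME) for p in root.findall(tag))

    report = {
        "package": root.get("package"),
        "query_all_packages":
            "android.permission.QUERY_ALL_PACKAGES" in permissions,
        "queried_packages": [],   # apps named one by one in <queries>
        "queried_intents": [],    # action lists of each <queries><intent>
        "broad_main_query": False,
    }
    # Only direct <queries> children of <manifest> count; <intent-filter>
    # elements under <application> describe the app itself.
    for queries in root.findall("queries"):
        for pkg in queries.findall("package"):
            report["queried_packages"].append(pkg.get(NAME))
        for intent in queries.findall("intent"):
            actions = [a.get(NAME) for a in intent.findall("action")]
            report["queried_intents"].append(actions)
            # Assumption of this example: any MAIN query is flagged as broad.
            if "android.intent.action.MAIN" in actions:
                report["broad_main_query"] = True
    report["queried_packages"].sort()
    return report


def findings(report):
    """Turn the report into short human-readable findings."""
    out = []
    if report["query_all_packages"]:
        out.append("declares QUERY_ALL_PACKAGES (full app-list visibility)")
    if report["broad_main_query"]:
        out.append("<queries> contains an ACTION_MAIN intent")
    if report["queried_packages"]:
        out.append("checks for %d named packages: %s" % (
            len(report["queried_packages"]),
            ", ".join(report["queried_packages"])))
    return out


if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST)
    print(result["package"])
    for line in findings(result):
        print(" -", line)
```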
  • RKFADU_UOFCCLEL2 days ago
    This is to be expected though, a phone platform isn&#x27;t exactly Tor Browser. The big API as with any platform will have plenty of ways to fingerprint people even without this one example, unless the developers went far out of their way from the beginning to build prevention in. Much like how on UNIX you can see what processes everyone is running and their command lines.
  • Yaggo2 days ago
    The title should read: &quot;Everyone knows all the apps on your <i>Android</i> phone&quot;
  • bustling-noose2 days ago
    Very simple:<p>Big companies like Swiggy and Zepto will mine the F out of your data. Some of it is for their benefit but some of it they could sell in the future. These so called founders are really just another wolf of app street looking to pump and dump. So when they do dump, or when some VC comes with money, they don’t just sell their app they sell it as a whole package of data and analytics that some company can use to sell their product or something VC can leverage to sell their stock to someone else. It’s not that difficult.<p>As far as smaller apps go these apps outsource their development to people who come with ‘packages’ to develop and maintain their app. These packages are the same logic as above but it’s just that they come from some template so you might be asked for location permission or camera or microphone by some really random app that has nothing to do with it.<p>While the quality of iOS is degrading, some of these things are really important and simply work better on iOS.
  • DeathArrow2 days ago
    &gt;Please remember the next time you casually install an app on your Android device, this information is being broadcast to the whole world. Data brokers will use it to profile you, cross-reference it with data about you from other ad networks and eventually it will be used to decide how much you’ll be asked to pay the next time you order a samosa.<p>Who are those data brokers? Are they publicly known? Do they have an API where a business sends customer ID, mail or something and get an spending profile that helps adjusting price for a particular customer?<p>I know this sounds evil. But didn&#x27;t banks and insurance companies collaborate to profile their customers since tens of years ago? That is not similarly evil?
  • amelius2 days ago
    &gt; I don’t even know where to begin unpacking this madness. How is knowing whether I have the Xbox or the Playstation app installed on my phone essential to their Swiggy&#x27;s core functionality?<p>Probably has to do with feeding adtech&#x27;s hunger for personal information, or fingerprinting maybe (not sure if that&#x27;s a thing in the context of phone apps).
  • avsteele2 days ago
    If they just audited apps and banned companies from the app store for abuse it would do a lot to curb this behavior. This is feasible, there just aren&#x27;t THAT many popular apps at any given time.
    • whatevertrevor2 days ago
      They could start by at least closing the MAIN intent filter loophole.
  • HackerThemAll1 day ago
    Thank you Google&#x27;s &quot;top talent&quot; Android devs for this permission system full of loopholes.
  • TekMol2 days ago
    <p><pre><code> So I downloaded a few dozen Indian apps I could think of on top of my head and started reading their manifest files </code></pre> How do you download apps from the Android app store and read their manifest files?<p>Does this mean one could make a website that lists all those manifest file, so the users could decide against using apps that use this loophole?
    • Etheryte2 days ago
      Yes, it&#x27;s called alternative app stores and there&#x27;s quite a few of them around.
      • TekMol2 days ago
        Hmm.. how do the apps from the Android app store get into the alternative app stores? And how do you know they are the same app and not altered?
    • Explore45261 day ago
      You can get APKs for each installed app
  • Tewboo2 days ago
    It&#x27;s true, our phones are like little windows into our lives. The apps we have reflect our habits and interests.
  • bloomingeek2 days ago
    Perhaps crazy question: is it a good idea to have two phones now? One for making calls only, with as many apps as possible removed. And another phone for email, web surfing, photos, etc...?<p>edit: Oops, I left out texting. Which phone for that?
    • subscribed1 day ago
      If you don&#x27;t need ANY apps on your main number, good dual-Sim feature phone (but be extremely picky, some are utter trash).<p>Then for all the smart stuff, Pixel 6 with GrapheneOS. You can confine various &quot;classes&quot; of apps to dedicated profiles, so they&#x27;ll never know of each other, and you get a vastly improved security (multiple releases in the month) and significantly improved privacy.
    • dvrj1011 day ago
      phones had&#x2F;some still have user profile&#x2F;account option so you can do this on a single phone
      • Explore45261 day ago
        Why is that feature removed by companies? It still exists in vanilla Android, but for some reason the phones sold don&#x27;t have it.
    • monsieurbanana2 days ago
      You still make calls with your phone?
      • bloomingeek2 days ago
        Of course, amazingly that&#x27;s one of its best features, enabling you to actually speak to a real person. (it&#x27;s a type of personal connection that fleshy robots have, for some reason, derided.)<p>But I digress, excusing your bad form of answering a question with a question, I am interested in your opinion of the possible conundrum of the two phone idea.
        • monsieurbanana9 hours ago
          My bad, I didn&#x27;t know you wanted a serious answer, I should have known that some people would seriously consider having three separate phones for texting, calling and everything else.<p>For a serious answer then: Rather than segregating phone calling vs the rest, if you want to go to the hassle of maintaining multiple phones, I would put sensitive apps (i.e. bank apps) separated from the rest.<p>But ultimately it depends on which threat model you are trying to mitigate. Most people would worry about protecting their financial information. If you are worried about possible backlash from a fascist state, you shouldn&#x27;t use normal phone calls at all and switch to a privacy app.<p>OTOH, a dedicated phone just to make phone calls makes sense if your threat model is your significant other.
  • OutOfHere2 days ago
    If Google truly cared about privacy, each app would run in its own strict jail, and permissions would be faked by default. Also, easy malware by Israel or anyone else would not be a thing. As it stands, apps know everything I am doing, and I get targeted spam email rather immediately.
    • JumpCrisscross2 days ago
      &gt; <i>If Google truly cared about privacy</i><p>Have they even been pretending on this front?
      • Speedy2182 days ago
        They put in a lot of work to make it seem like they do believe it or not, I&#x27;m not sure how well it is working out for them though.
    • brunoqc2 days ago
      &gt; apps know everything I am doing<p>I think I call bullshit on this.<p>But I agree that they could do way more and that they don&#x27;t seem to care.
  • nickvec2 days ago
    Just curious, why was this targeted specifically at Indian apps?
    • wcfields2 days ago
      The author is probably Indian based upon the blog&#x27;s subtitle of “tales from indian web rabbit holes.”
    • epistasis2 days ago
      The tag line for the blog is &quot;tales from indian web rabbit holes.&quot;
    • gopkarthik2 days ago
      Because the substack&#x27;s author focuses on Indian web. From their description: &quot;tales from indian web rabbit holes.&quot;
  • dTal2 days ago
    Another fantastic reason to strictly only install apps from F-Droid.
    • hnburnsy2 days ago
      My daily driver has minimal apps, most from F-Droid. An old iPad on my IOT network has any other apps needed.
    • JohnFen2 days ago
      How does that address the problem? Does F-Droid do some sort of additional screening to keep out apps that do this?
      • marcodiego2 days ago
        First, f-droid only accepts OSS apps, so the incentives for spyware is simply not there. Second, anti-features are explicitly marked on f-droid. Third, f-droid apps are curated like a very rigorous linux repo.
        • JohnFen2 days ago
          Being an OSS app is not sufficient protection. Most OSS apps aren&#x27;t terribly misbehaved, but some are. Being OSS in and of itself is not anything like a guarantee with this sort of thing.<p>&gt; Third, f-droid apps are curated like a very rigorous linux repo.<p>Yes, I know. My question is is this one of the things they&#x27;re screening for?
      • dandersch2 days ago
        packages on f-droid list all required permissions explicitly, and the mentioned permission seems to be listed as &quot;query all packages: Allows an app to see all installed packages.&quot;. It doesn&#x27;t mark the app as having &quot;anti-features&quot;, but you can at least make a more informed decision this way.
        • JohnFen2 days ago
          That&#x27;s pretty cool, but the article says that most apps that are doing this sort of thing aren&#x27;t using the query all packages permission and instead are using the facility to provide a specific list of apps they&#x27;re checking for, which is not permission-gated.
          • wkat42422 days ago
            It is. It specifically says that the apps must be declared in the manifest like other permissions. So it&#x27;s a specific permission for each app really. F-Droid could query that if it wants to (not sure if it does)
            • throwaway2902 days ago
              Did you stop reading before the post got to the MAIN loophole that doesn&#x27;t require the list of apps in the manifest? How does F-droid describe MAIN?
              • wkat42422 days ago
                Yeah I did as the article was a bit long. But I&#x27;m sure this is detectable too as it must be in the manifest.
                • throwaway2901 day ago
                  The article already showed it is detectable. But it is not detected by Google and I am unclear if F-Droid detects it either...
        • duskwuff2 days ago
          &gt; It doesn&#x27;t mark the app as having &quot;anti-features&quot;<p>I suppose they must be too busy ticking off &quot;anti-features&quot; like &quot;can communicate with non-Free services&quot; to notice that sort of thing.<p>(No, really. F-Droid will tag applications like a Mastodon client as having &quot;anti-feature: Non-Free Network Services&quot;, presumably because it can be configured to connect to servers running non-free software?)
  • marcodiego2 days ago
    Well, things are particularly more complicated in my case: I don&#x27;t use google services and only install apps from f-droid.
  • anonym292 days ago
    You don&#x27;t have to sacrifice your privacy to use Android. GrapheneOS is a tremendous alternative, and even if you still need some Play Store applications, you can install a GMS compatibility layer and Play Store in either a secondary profile (recommended) or your main profile (not recommended) without granting Google unfettered control over your entire operating system. This compatibility layer offers a better reduction in attack surface and stronger hardening than microG.<p>Alternatively, you can continue with the standard setup, accepting that you’re willingly providing companies with an unprecedented level of access to your personal data. It’s puzzling that many seem more concerned about breaking a familiar routine than about the risks associated with sharing every detail of their lives with companies that, in turn, share that data with one (or more) hostile government(s).<p>There is certainly a lot of justified concern about government overreach and abuse of power on HN. It remains difficult to understand why many with these warranted concerns do nothing to adopt a more coherent and rational approach — such as merely <i>attempting</i> to protect their personal data by not deliberately and voluntarily feeding it entirely to companies that are secretly coordinating with the very same hostile governments these people <i>claim</i> to seriously fear and detest.
    • Explore45261 day ago
      The problem is GrapheneOS is Pixel only. They are prohibitively expensive, especially in India where the mobile market is very crowded and you get Snapdragon 8s gen 3 for ₹25k.
  • nsonha1 day ago
    Android is so broken, each app query should be explicitly approved by user, instead of by reviewer like this.
  • smallnix2 days ago
    Nice analysis. Google should take notice. Do worldwide used apps do this too?
    • einszwei2 days ago
      From the article - Facebook, Instagram, Snapchat, Subway Surfers, and Truecaller use this too
  • 65102 days ago
    If nothing is done why not require competing apps be uninstalled?
  • zer0zzz2 days ago
    My solution to this is to use the apps that come with my phone and avoid relying on anything else. Problem solved. I use signal, uber, MyChart (for my doctor), and some apps for banking but that is about it.
  • ErigmolCt2 days ago
    This is equal parts fascinating and horrifying
  • anymouse1234562 days ago
    IME, Apps usually represent an overly generous amount of contempt for the people who use them.<p>At best, it&#x27;s a designer&#x27;s hubris (mixed with contempt) like, &quot;You want to select some text out of your SMS message? I&#x27;ve decided. NOPE.&quot;<p>But mostly we&#x27;re treated with contempt simply because we&#x27;re an annoyance that is obstructing the goal of serving the actual customer (advertiser) who is paying for the work.<p>App Stores are no mystery. They are a funnel for rent-seekers and adtech info brokers.<p>If you think they are intended to benefit you in any way at all, you are badly mistaken.
  • zkiihne1 day ago
    I used QUERY_ALL_PACKAGES among other things for my app Limit Buddy (<a href="https:&#x2F;&#x2F;www.limitbuddy.com" rel="nofollow">https:&#x2F;&#x2F;www.limitbuddy.com</a>). It would be impossible to make the app without it. But for more normal use cases there&#x27;s no reason to have it.<p>Apple has a much more robust solution privacy-wise with their ScreenTime API but it makes an app like Limit Buddy much harder to build.
  • aussieguy12341 day ago
    If I have Uber, but multiple competing apps on my phone and I grant Uber permissions to see that, will I get cheaper rides?
  • tmtvl2 days ago
    ...On Android. I&#x27;m sure I don&#x27;t have that problem on my Ubuntu Touch phone (if only because there are hardly any apps for it).
    • nolist_policy2 days ago
      Interesting, how does Ubuntu Touch sandbox apps? Does it have one-time permissions (like Android)?
      • tmtvl1 day ago
        I actually don&#x27;t know, I was just making a joke about the dearth of applications on UT. I&#x27;d expect it to have Snap-type sandboxing, but the Security and Privacy section of the settings app doesn&#x27;t tell me much.
  • whalesalad1 day ago
    android* phone
  • daft_pink2 days ago
    iPhone users reading this like…. I love my iPhone.
    • vanderZwan2 days ago
      If the article explained why iPhone was worse than Android at something they&#x27;d be like <i>&quot;whatever, I love my iPhone&quot;</i> so I don&#x27;t see how that statement adds any new information.
      • hu32 days ago
        I read some hours ago a comment to the effect of &quot;whatever, I don&#x27;t expect Apple to be good with AI so it&#x27;s okay for Siri to suck since forever, I still love my iPhone&quot;... I can&#x27;t help but be amused at a comment defending a 3 trillion USD company&#x27;s technical incompetence.
      • daft_pink1 day ago
        I’m not sure that’s true. I wish there was a foldable version of the iPhone.<p>I just think better privacy and security controls and stricter app guidelines are a reason people choose the iPhone over Android, so this really isn’t a surprise to people that have been paying attention. It’s the tradeoff we make for the walled garden approach, but I think it makes sense for a smart phone and less so for a general purpose computer.
  • DeathArrow2 days ago
    TLDR, want privacy, don&#x27;t use Google products.
  • cyb0rg02 days ago
    [flagged]
    • nindalf2 days ago
      Is this an LLM generated comment, but in the style of a different website? I’d suggest tweaking the prompt.
  • bpbp-mango2 days ago
    android lmao
  • billfruit2 days ago
    Some apps like Obsidian need permission to access every file on the device. It is surprising Obsidian isn&#x27;t getting called out on that very much.
    • wkat42422 days ago
      It&#x27;s because it stores the files there so you can sync them with other permissions. And also that your notes aren&#x27;t deleted like they would be if they were stored in the internal app storage. There&#x27;s more granular options for filesystem access available but if you implement them you limit yourself to the latest Android releases.<p>According to Exodus it has no trackers and it&#x27;s an open source app also so you can see what it does (though tbh I didn&#x27;t check that for the mobile one)<p>If there&#x27;s apps to call out there&#x27;s way worse than Obsidian.
      • billfruit2 days ago
        Obsidian isn&#x27;t open source by most reports.<p>Surely Obsidian does not need to see all files on the device, it only really needs to see the files the user needs it to see.
        • wkat42422 days ago
          &gt; Obsidian isn&#x27;t open source by most reports.<p>On FreeBSD I can build a full copy from source (in fact I have to, there is no binary package). The only issue seems to be licensing, not source availability. Personally I don&#x27;t care about licensing (I completely ignore it all anyway) and it doesn&#x27;t stop you from inspecting the source code.<p>I think Obsidian is a really great package, I just happened to have moved over from OneNote which is horrible Microsoft mediocrity and doesn&#x27;t even have a Linux app. And the web version is really useless, it needs to refresh every day and it can only search within the same tab, not a whole notebook. Such a mess. Obsidian is so quick and efficient &lt;3 And there is full self-hosted syncing available, which I also use.
          • billfruit2 days ago
            Obsidian on Android source seems not available. Even generally the reports seem to be that source is not available.<p>Maybe the FreeBSD build is using some binary library packages?<p>A cursory search indicates that one of the FreeBSD &#x27;build-scripts&#x27; used for installing Obsidian uses a binary package for Obsidian itself, not building it from source.<p>It&#x27;s strange that Obsidian, which seems to be rather popular here, has many people thinking that it is open source, when it is not.
            • wkat42421 day ago
              You probably mean this one: <a href="https:&#x2F;&#x2F;github.com&#x2F;jgrafton&#x2F;freebsd-obsidian" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;jgrafton&#x2F;freebsd-obsidian</a><p>That&#x27;s just a user contributed thing though. It&#x27;s also just in the official ports collection. There&#x27;s only a makefile there and some config files for electron (electron is kinda a PITA to compile on FreeBSD because there&#x27;s no package)<p>Now, it can update itself automatically but it&#x27;s all JavaScript. No binaries.<p>But it&#x27;s safe enough for me anyway. Especially because the dev community uses it so much. If it did something untoward it would be noticed quickly.
              • billfruit1 day ago
                The &quot;official&quot; packages seem derived from the Nix build for Obsidian, which is using binary caches to get the Obsidian binary, from what I could understand.
        • danparsonson2 days ago
          There isn&#x27;t a permission for that though - it&#x27;s all or nothing. I agree that it should be more granular; each app should really have its own scoped file storage area by default, with &quot;access anything&quot; being reserved for file browsers, backup software, etc.
          • billfruit2 days ago
            Android already has support for scoped storage. So it is not clear why Obsidian needs the whole file system permission.
            • wkat42422 days ago
              Yes but only later Android versions. If you start supporting those you need to move to the corresponding API level and that means to drop support for older ones. They probably don&#x27;t want to do that yet. This one is Android 10 and up, and the Android 10 version of scoped storage was quite basic IIRC so you probably want an even later one. I guess they still want to support older phones.
              • billfruit2 days ago
                At the cost of much lower data privacy for users.
    • subscribed1 day ago
      If I&#x27;m not mistaken this is because without this permission they can only see audio, video and image files. You wouldn&#x27;t be able to use it comfortably to do its job.<p>Personally I use it with Storage Scopes on GrapheneOS.
    • elric2 days ago
      I use Storage Scopes on my GrapheneOS Android phone, works great. Can decide exactly which files or folders an app gets to access.