It seems like the ACTION_MAIN loophole could be fixed (eventually) if apps that declare it are required to actually be launchers. It seems like legitimate integrations should have more specific intents.
At that point, Android prompting whether the random game you just downloaded should be your default launcher seems like a pretty dangerous interaction for sneaky apps to risk. They either cause the user to bounce and report, or the fools select it as default launcher, replace their launcher, can't provide the launcher functionality, break the user's home screen and end up getting reported in the Play Store. I also assume actually getting published as a launcher-class app at that point brings automated test suites and other requirements that will be burdensome for developers.
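As an added example (not code from the thread or from any project it mentions), here is a small manifest audit that flags the two visibility mechanisms discussed in this thread: the `<queries><intent>` filter on `ACTION_MAIN` that matches every launchable app, and the `QUERY_ALL_PACKAGES` permission. It works on a decoded, text-form AndroidManifest.xml (binary XML is not handled); the sample manifest, its package names and the five-package threshold are all constructed for the demonstration.

```python
"""Audit an Android manifest's package-visibility declarations.

Added example, not from the thread or any project it mentions. Input is a
decoded AndroidManifest.xml as text (e.g. after apktool); binary AXML is not
parsed here. Two things grant broad visibility into installed apps:
  * the QUERY_ALL_PACKAGES permission, and
  * a <queries><intent> filter on android.intent.action.MAIN, which matches
    every app that can be launched, i.e. practically everything.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"          # ElementTree form of android:name

ACTION_MAIN = "android.intent.action.MAIN"
QUERY_ALL = "android.permission.QUERY_ALL_PACKAGES"

# Constructed sample manifest; the package names are made up for the demo.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical.loanapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <queries>
        <package android:name="com.example.hypothetical.bank"/>
        <package android:name="com.example.hypothetical.wallet"/>
        <intent>
            <action android:name="android.intent.action.MAIN"/>
            <category android:name="android.intent.category.LAUNCHER"/>
        </intent>
    </queries>
    <application android:label="Demo"/>
</manifest>
"""


def audit_manifest(xml_text: str, package_limit: int = 5) -> dict:
    """Return a report of every visibility declaration and a broad/narrow verdict.

    package_limit is an assumed threshold (a handful of explicit <package>
    entries is normal; dozens suggest profiling), not an Android rule.
    """
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}

    packages = []   # explicit <package android:name=...> queries
    intents = []    # <intent> filters, each as {"actions": [...], "categories": [...]}
    for queries in root.iter("queries"):
        packages += [p.get(NAME) for p in queries.findall("package")]
        for intent in queries.findall("intent"):
            intents.append({
                "actions": [a.get(NAME) for a in intent.findall("action")],
                "categories": [c.get(NAME) for c in intent.findall("category")],
            })

    has_query_all = QUERY_ALL in perms
    main_query = any(ACTION_MAIN in i["actions"] for i in intents)
    too_many = len(packages) > package_limit

    findings = []
    if has_query_all:
        findings.append("QUERY_ALL_PACKAGES: full visibility into installed apps")
    if main_query:
        findings.append("<queries><intent> on ACTION_MAIN: matches every launchable app")
    if too_many:
        findings.append(f"{len(packages)} explicit <package> queries (limit {package_limit})")

    return {
        "package": root.get("package"),
        "query_all_packages": has_query_all,
        "main_intent_query": main_query,
        "package_queries": packages,
        "intent_queries": intents,
        "findings": findings,
        "broad_visibility": has_query_all or main_query or too_many,
    }


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report["package"], "broad visibility:", report["broad_visibility"])
    for finding in report["findings"]:
        print(" -", finding)
```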
> If there is one leap that the infosec community consistently fails to make, it is this: people who are not like me, who have different needs and priorities, who have less time or are less technical, STILL DESERVE PRIVACY AND SECURITY.
XPrivacyLua and other Xposed/Magisk extensions break open the app sandbox. It is better to restrict running those to userdebug/eng builds (test devices). For prod builds (user devices), I'd recommend using Work Profiles (GrapheneOS supports up to 31 in parallel) or Private Spaces (on Android 15+) to truly isolate apps from one another.
Thanks for the link, seems like the loophole is already there since the introduction of the package visibility restriction, and almost everyone and their mother knows how to bypass this restriction.
> Google refuses to patch this
While I don't believe Google engineers are not aware of this widely used loophole, do you have any source that they refused to fix it?
The right ("as intended", in my view) functionality would be to support a manifest with, say, five apps, and if as a dev you wanted more you'd apply to Google for an exception (like AWS limit increases) with a list of reasons for each app.
What do you mean with "refused to patch this"? Google will reject any app publishing attempt that asks for that filter and isn't a launcher on Play store.
I still will never understand the need for native "Apps". To this day, I have never seen an "App" that couldn't simply have been a website/webapp. Most of them would likely be improved by being a webapp.
The only benefit I can see of "Apps" is that the developer gets access to private information they really don't need.
Yeah, they get to be on the "App Store". But the "App Store" is a totally unnecessary concept introduced by Apple/Google so they could scrape a huge percentage in sales.
Web browsers have good (not perfect) sandboxing, cost no fees to "submit" and are accessible to everyone on every phone.
The reality is, most webapps for mobile just suck. The UX is nowhere near that of a native application. I don't want any text to be selectable. I don't want pull to refresh on every page. I don't want the left-swipe to take me to the previous page.
You can probably find workarounds for all these issues. The new Silk library (https://silkhq.co/) is the first case I've seen that gets very close to a native experience. But even the fact that this is a paid library goes to show how non-trivial this is.
>I don't want any text to be selectable. I don't want pull to refresh on every page. I don't want the left-swipe to take me to the previous page.
Strange. This inability to select any text has always felt like one of the most hostile things developers could ever do. It feels like pure vandalism.
Another thing that causes massive productivity degradation is not being able to keep multiple pages open so you can come back to some state. I cannot imagine how anyone could possibly use these apps for any serious work.
The UX of almost all native mobile apps is absolute crap. But it's not their nativeness that makes them crap. I'm not complaining about the idea of operating systems offering non-portable but high performance UI primitives that make use of OS facilities.
Many native desktop apps don't have these UX issues (at least not all of them at the same time). It's the mobile UX patterns, conventions and native UI frameworks that are causing this catastrophic state of affairs.
To be fair, browser apps do have their advantages:
- text is selectable
- content is zoomable
- you can have an ad/nuisance blocker
- page source is open
While native apps have their own advantages:
- much smoother experience esp. navigation, scrolling, animations, etc.
- better overall performance (JavaScript will always lose to the native binary)
- access to hardware opens new possibilities; audio, video accelerators etc.; there's a ton of things you can't do in the browser with audio for example
- widgets, some of them are nice and useful too
- for publishers: an app icon on the home screen is a reminder, a "hook" of sorts; this is the main reason they push apps over web versions
As a user I usually want all of those features to work. I regularly get ticked off at apps, because I cannot copy paste like in the browser or the app just closes (and loses all state) because I tried to use the back button. I also encountered apps that just reset, because I dared switch to another app for a second because I wanted to copy paste something into it...
Mmh, the examples you've listed are actually super easy to do if you're using a framework such as Angular with its plugins for PWA and touch controls.
And prolly tailwind for css/disabling selection if you really want to, but I'd call that an anti feature in almost all cases.
You have to wonder about the motivations of the company making the browser that makes it impossible to disable some of these things, and therefore makes real apps so much superior (like swipe to go back on safari - I have never ever swiped back intentionally in over 100000 swipe backs).
It doesn't sound like anything that a PWA (paired with some sync mechanism like WebSockets) can't solve. And with WebAssembly the convergence is even more compelling.
To go along with this UX argument: it’s always been my perception that native apps often lean towards a stateful design while web apps try for stateless. Maybe that’s too abstract (read - incorrect), but was always just where my intuition landed.
This is a bizarre take. Are you also suggesting there’s no reason to have a native app on a laptop? Because it’s essentially the same question. There are many things which a native app can do that a browser just cannot do well, or at all. I don’t know what your needs are, but for example if you’re doing heavy video or audio editing, accessing heavy amounts of RAM or utilizing GPU compute or doing other things on the bare hardware, doing that all from a browser is definitely not there yet.
On desktop you do productive work, your apps need native capabilities. On mobile, apps are primarily consumption, displaying, browsing... no complex interactions.
> I still, will never understand the need for native "Apps". To this day, I have never seen an "App" that couldn't simply have been a website/webapp.
In cases where a native app and web app are both available on iOS, there’s often a huge difference in battery usage and sluggishness. Also, as a sibling poster mentioned, I like having fully “offline” apps as well, for example for maps and notes.
I’m not saying that I like how Apple and Google have done this in practice, but I don’t think going webapp-only is the future. For the same reason I won’t replace my real computer with a Chromebook for the foreseeable future.
When the iPhone came out, you had full offline access on PC to Gmail and google docs using Google Gears.
Google Gears got deprecated because something something move to standard HTML and browser features, and now we don’t really have any offline web apps.
The ability to have non sluggish, offline web apps has existed for decades now, but the interest from providers has been declining and the understanding that this is possible is also declining on the consumer side.
I get your point partially. All these apps that companies put out in order to collect and manage shopping tokens or to contact their customer service would have been much better as a website.
However, I still do like to have apps on my devices that just work offline, without distributing my data across services I do not control. And I also do not want to depend on an internet connection, wherever I am.
I like my offline OsmAnd/Organic Maps app to show me the trails when I am somewhere in the woods or mountains. I like my apps that, instead of using some third-party server, connect directly to my other local devices to share data.
IMO all (where possible) apps should be developed offline first, and only require internet when necessary, and those apps that cannot work without internet should be web apps, they do not need to be on my devices.
It’s totally possible to distribute a webapp that works offline and stores all your data offline too.
Platform owners introduce a bunch of restrictions that create reliability and usability concerns, but the standards already exist to enable a website operator to create a webapp that, after the initial ‘install’, runs entirely offline on the user’s device, and has no need to communicate with the website.
I'm sorry. I really just can’t understand or relate to this at all. Mobile web still feels like such a terrible experience, and apps generally don’t. When’s the last time you tried booking a flight on mobile web? And how do you deal with all of the real estate the browser steals? Having to log in every time, when the app can just cache my authentication and FaceID me?
Seriously, booking hotels and flights is so much better on the web. You get multiple windows for easy flight and price comparisons, within and between providers.
I don’t understand people who use apps for this. It is such a pain.
Not who you replied to, but I more so do not rely on my phone for anything where I would prefer more screen real estate such as doing comparisons like buying flight tickets. I have never bought flight tickets on my phone, only on my computer. I prefer the bigger screen and keyboard for most things actually
There are also an increasing number of services which are ONLY available as apps now, including, but not limited to, many financial apps such as Revolut.
A big issue with this trend is that unlike the web, the whole Android ecosystem is a walled garden which is strictly controlled by Google. In principle you can run your own custom Android ROM, but in practice this will lock you out from any app which uses Play Integrity API to enforce Google's totalitarian regime which dictates what software YOU are allowed to run on "your" hardware.
It's funny to read negative replies to your comment on the shortcomings of web apps.
The browsers are controlled and manipulated by the likes of Apple and Google. These companies have a significant influence on the direction of browser features and limitations, often shaping them to suit their business interests. For example, Apple’s Safari and Google’s Chrome have been criticized for implementing features that reinforce their own ecosystems, such as limiting web push notifications or restricting certain web API functionalities to encourage users toward their native apps. This ultimately means that even in the browser world, the same forces that drive the app store monopolies can still control and restrict what’s possible, even if the web is inherently more open. So while web apps offer more flexibility than native apps in theory, the reality is that Apple and Google’s control over the browsers still limits the true potential of a completely open web.
> The browsers are controlled and manipulated by the likes of Apple and Google.
Who do you think controls Android and iOS native APIs?
Web standards at least have public forums and specs, with multiple parties involved. And all the major browser engines are open source and apps built for them are relatively cross-compatible.
During the earthquake in Bangkok on Friday, Grab (the local, superior version of Uber) helped me order a taxi and get my kids home. Needless to say, the cell phone network collapsed for most of the day. Everyone wanted to know what was happening and whether their family and friends were safe. They definitely have a very optimized network layer for poor connections. I bet they can switch to UDP or something. I'm glad that it wasn't a web app.
99% likely they're using a REST API, which is... HTTP.
Even if it's gRPC or something more exotic, it'll be over TLS (you best hope it is).
You can have a webapp cached locally on your device. PWAs allow developers to create an SPA you can open from your homescreen, and to do that API interaction the same way as a native app.
I hope you and your family are well, and it's great that tech helped. But please, don't think that because this tech worked in this instance it can't be made safer and more secure.
It’s clearly for data collection. Take the yelp web app for example. It used to be much nicer than the native one. Then, they intentionally defeatured it until it was useless.
Also, this situation benefits the google-apple duopoly, since it means superior products (remember Windows Phone 8?) or privacy focused devices (FirefoxOS) have no chance of getting a foothold in the marketplace.
The objections I see in sibling comments are nonsense. Modern web supports high frame rates, developer control over the UI, etc, etc.
While many native apps could be web apps, you’re ignoring some very large reasons for native apps:
1. Better UX and responsiveness for users, including better offline use.
2. Using native hardware APIs. How are you going to do things that require on device video compression, or realtime graphics that are more advanced than GL ES, etc
3. Battery life and performance. A native app can use less power than a web view for doing its work, and it can also make use of better async/concurrency/threading than a web view allows for.
> The only benefits I can see of "Apps" are that the developer gets access to private information they really don't need.
That's exactly the point. More developer control, less user control. Can't change cookie settings in an app, can't (easily) block ads, can't use developer tools to remove annoying UI elements, can't disable phone home mechanics, can't prevent the developer from profiling you.
GP used hyperbole but was not all wrong. The issue is that most native apps could very well have been web apps. I appreciate that on iOS adding a web app to the home screen is possible, albeit obscure, and not many use that feature. I hate that Firefox never really supported PWAs for some unfathomable reason.
The commenter is talking about most apps. The use case you mentioned requires computing resources.
You can do the whole thing in the browser too, but it is not an efficient way.
But in the case of delivery apps and finance apps, you don't need much compute, as they can work exclusively with APIs.
There is nothing inherently evil about an app, or inherently good about a website - it's only because historically we have allowed crappy app permissions structures and allowing apps to ask for things they don't need.
Apps are faster, are more predictable (no auto-reloading or rendering issues) and generally perform better IMO.
On the other hand, in reality, you're correct. I think the NYTimes app will collect more data from me than the NYTimes website.
For me, there are a lot of applications that I want to be able to load regardless of whether I have a connection to the Internet or not: calendar, notes, mail etc. They can sync/send/whatever whenever I am next online.
Ah yeah. While this is mostly implemented terribly, a web app can absolutely do this for you using service workers. So you can install a webapp to your home screen and use it without an internet connection at all.
Becoming the middle man is the default model that supports scale. No one has come up with anything else to support a world where avg disposable income is close to 0
I worked for a company that used Sencha back in the day and wrote the first React integration over their form/datagrid components in 2013. React ate their lunch
Very narrow take; it's so far-fetched I would consider this a bad-faith comment.
How could you possibly consider intensive games to be "simply" web apps? How about network apps like VPNs or Wi-Fi analyzers? Have you really not come across such apps, or are we meant to think every app is a TODO application?
Both web and native have been driven by the same corporate forces; the argument here should be technical only: what can you do on native that you can't on the web. Mixing this technical matter with corporate policies muddies the waters.
Maps and navigation apps? Desktop integration and sync apps?
That said most of the time you are right.
I am fairly convinced that some apps are just wrappers around web apps. The Virgin Money (UK bank brand) app used to ask for cookie permissions on launch and felt very like their website used to (until it was removed and they went app-only).
For one, you couldn't access those webapps without a browser, so that's the need for one app. It would also be a bit annoying if you had to load a webpage when trying to dial a number
Or am I not understanding what you mean when you use the quoted name "Apps"?
Many things need to be an app, but so, so many do not.
Many apps are apps just because they can collect your data, and create walled gardens. It is harder to create extensions for existing apps, for web pages it is easier.
Access to Bluetooth devices is a good reason to have an app. I definitely do not want a Bluetooth API in my browser (although Chrome does have something in that direction, I think it's a bad idea)
Any kind of offline cryptography. Imagine Apple Pay being an app. So all sort of digital signatures, documents, checks, payment codes and vouchers, tickets etc.
IMO this is in the range of „why we use machines to transport if we all have legs”. Technically true, but applications do more than only UI.
I've heard this argument for the past 30 years (we won’t be using apps, everything will be remote console/terminal/webpage/web). Chromebooks were meant for web-first access, and yet native apps are still alive and kicking.
Push notifications. Apps have them on by default, websites have them off by default. 100% of Temu's valuation is because they pester users all the time with nudges to buy stuff, which works.
Normies don't turn off notifications. Over the last few years all my relatives have picked up smart watches, (thanks to cell carriers upselling them hard during phone replacements) and in any given conversation at family events they'll be glancing at their wrist every 100 seconds.
Registering for push notifications ought to be a protocol much simpler and lightweight, compared to this spinning up a virtual machine and running a downloaded binary for each channel of notification you wish to receive.
This makes me wonder if Google would let rot creep into (or possibly already has) to encourage people to use apps and also encourage developers to build on their platform.
To me a mobile app is usually just a shorter web app that you can’t zoom on
Edit: and I’ll venture a guess that since mobile apps can’t use things like ad blockers, companies probably prefer them. More control over what you look at.
Push notification is the big one. Yes, there is web push, but that's hardly scratching the surface of feature completeness. And incentives to change that aren't really there.
Yeah, good luck writing a screen reader, a demanding mobile game, a (local) music player, or a warehouse parts lookup app, supporting fully offline use and barcode reading functionality.
In 2025? Sure, you can do some (but not all) of that in a browser? In 2010, when those systems were becoming popular? Absolutely not a chance.
People forget that Apple initially tried this exact approach. On the first iPhone, that's how you were supposed to do apps. People wanted native so much that they were willing to go the extra mile, jailbreak their device, document the undocumented iPhone SDK and write their own toolchain. The user demand for native was clearly so overwhelming that Apple finally relented and gave in.
Even a few years later, Facebook tried hard to have a single, cross-platform HTML5 website instead of bothering with apps. Even then, browsers just weren't there yet, and they probably had the best engineers and resources on that project one could have had for any money.
The most basic app, a notepad, I often prefer native. When I go between Google Keep or Notion and Apple Notes I can tell the difference. If the text is long enough, the web apps just cannot load the content.
Just to confirm:
I dumped all of my notes from my insanely large Apple Notes (about 16000 lines of text) and pasted them into Google Keep, Notion and Google Docs. With the exception of Google Docs, the rest of them flat out froze and I had to kill my browser. Stop trying to tell us that the browser is the answer to everything when most web apps can't do the job of Notepad.exe or vi.
So, one out of three webapps that you tested could handle this much text. It suggests that the problem for the other two is their implementation, rather than any limitation of the browser.
Of the two that failed, did you also try the app versions to see if they failed too? I really doubt the Notion app could handle 16000 lines of text.
Honestly I wonder the same. App stores have big % cuts for the provider, I believe Apple has a 30% cut? Surely this number is big enough to justify spending the resources for a mobile first site?
> Some subreddits are more dead than others, but r/android has got to be one of the worst.
Yeah, I'm not sure what exactly is going on with Reddit, but if dead-internet theory would hold anywhere, it seems to be there.
Besides, all the topic/subject subreddits seem moderated by people who hold a vested interest in the topic/subject, to the detriment of their community. I made a submission which went into details about the proprietary license that Meta's Llama is under, and what exactly that license means, and it was removed manually by the moderators of r/LocalLlama without any reasoning, and they refuse to answer why it was removed even after I tried to understand the rules of the subreddit better.
I'm guessing when the last "reddit purge" happened where they replaced a bunch of community moderators with employees from reddit, most of the platform was sold to companies to moderate their own spaces, unfortunately.
Moderation is one of the huge Achilles’ heels of Reddit. I’m confused why Reddit thinks a monarchy with no term limits will work on a website when it has never worked in human history. There is no voting whatsoever where users can give feedback on how they think the moderation or the subreddit is going. You get entrenched subreddits like /r/movies and their obsession with movie posters instead of movie discussion or /r/running, which is incredibly unused because the mods insist on removing almost any discussion of running outside the weekly threads except for idiotic race reports in obscure places that no one reads or cares about.
Thread success is hit and miss. You can post and there's crickets, or you can post and people pile in. If you click the "past" link under the title, there's a thread from 2 days ago, completely dead.
Worse, I've had submissions (both links and comments) get flagged in the past, and I have no idea why. I suppose they must have validated some HN policy, but if I had more information about the rationale, I could avoid making the same mistake again in the future (all of my submissions where that happened were for genuinely interesting contents or 100% non-offensive opinion comments).
> Beyond the usual categories, I see there are checks for apps like Tamil Calendar, Odia Calendar, Qibla Direction Finder, mandir apps, astrology apps. They know what they’re doing.
This loan app is profiling people on the basis of race (Tamil, Odia) and religion (Qibla Direction Finder is used by Muslims, mandir apps by Hindus).
The HSBC UK Android app looks at what apps you have, and refuses to run if you have apps with certain permissions (such as an alternative launcher), and now refuses to run if you have any apps from outside the Google app store.
I have complained about this here before, but the end result was that I asked for a hardware security device and use the website instead.
That's pretty funny, right? They have to spy on you to tell you what else you are using could be spying on you. Do they happen to say this data is not transmitted to the company?
> How is knowing whether I have the Xbox or the Playstation app installed on my phone essential to their Swiggy's core functionality? How will knowing if I have the Naukri or Upstox app help them deliver groceries to my doorstep?
> For extremely specific use cases such as file managers, browsers or antivirus apps, Google grants an exception by allowing QUERY_ALL_PACKAGES permission, which provides full visibility into installed apps.
Why would browser need to enumerate the installed apps?
When a user visits a play.google.com URL Google wants to be able to show either an "install" or a "launch" button contingent on whether the app is already installed.
I don't buy this. Google has this information on their backend, they don't need to query any local state. Indeed, when I visit a play.google.com URL, google checks if my browser is logged in or not. If it is not, the default is "Install" no matter what. If I do have a session, then it's either "Install" if I don't have it installed, or "Install on more devices" if I do have it installed.
this doesn’t make sense and sounds like an excuse IMO.
Instead of the browser enumerating all apps, why can’t it check when you visit a page if the current page (ONLY the current page) is installed as an app?
A minor UX difference doesn't really feel like a great case for reducing user privacy, it makes me a little concerned about priorities... which I already was, really.
File managers need full access as you can use that ability to extract and inspect the code of any apps installed on the system. It is a very useful feature and I would hate for it to be removed.
Apple introduced account-driven enrollments in 2021[1], which behave similarly to Android's work profile. Managed apps/data are kept in their own APFS volume, and MDM servers don't have access to anything outside of it. They also disallow system-wide commands like wipe device. The only caveat is you need managed Apple IDs[2] to use this enrollment flow, and I doubt many companies have set it up.
Regardless, MDM installed app visibility is limited to those users who opt-in to an organization managing their personal device, and isn't an effective way to broadly gather what apps a given person has installed. What's described in this post would work on any user/device, and there's no way to deny/opt-out of specific permissions.
I would have to strongly recommend nobody enroll a personal device in a company MDM. If the company needs you to have mobile connectivity that badly, they can give you a device.
I mean... isn’t that expected of an MDM? I have always assumed that any company device (i.e. any device enrolled in an MDM) is under 100% control and surveillance of that company. Being able to see my installed apps is the least of my worries.
One of the biggest incentives for creating apps is to scrape all kinds of data from the users. Look at how many apps require permission to see your contacts. And how many actually need your contacts to function. That's why I'm still a bit surprised that many seem to be surprised by findings like this one here.
I wish there was an option for “give bogus contacts” which showed the app a list of contacts - but it was all randomly generated junk. Make it so the app can’t tell if the contacts it gets are real or fake.
I read a fiction book years ago where there were cameras everywhere. To get privacy, instead of hiding their identities the protagonist paid companies to insert bogus information into the information brokers’ network. So if they tried to figure out where they were on a certain day, 20 records would match. I think this is a much more likely vision of the future.
> Look at how many apps require permission to see your contacts. And how many actually need your contacts to function.
That is, again, not "require" but "ask for" on iPhone. I have zero non-functioning apps on my iPhone due to denied access to contacts. Even a Chinese Bluetooth light controller doesn't dare (while refusing to work on Android for the same reason).
You can hate the Apple/iPhone ecosystem all you want, but let's not sneak false claims into how they actually work.
> Look at how many apps require permission to see your contacts.
It is so annoying that it’s either "give access to ALL my contacts and ALL their information (yes, even the notes I took on their favorite things for next Christmas)" or "don’t give access". I wish we could limit the number of contacts and the level of information we give.
This was somewhat mitigated on iOS a few years ago.
You could try to communicate with an app via its custom URI scheme, and if it succeeded, you would know the user has the app installed. Twitter used this for fingerprinting.
An app has to get a special intent and has to list the apps it wants to use it for.
Speaking of iPhone, I'm curious about something. On occasion, I log into the [former] bird app using the web app because it's enough to check up on some key follows.
Recently, they released a major update to their LLM feature and I installed the app to check it out. While I had the app installed, every time I checked the mobile website there was a large banner directing me to go to the app. Ad blockers and distraction blockers would not get rid of it. When I deleted the app again, it was gone. What gives? Why does the mobile website know whether I have the app installed? How come content+distraction blockers are enough to block all reminders to use the app when it's not installed, but are irrevocable if I have the app installed?
Definitely not “good”, but I have yet to see anything remotely resembling the complete disregard for privacy and security typical of the adtech-driven Android ecosystem.
Just a different business model, not a display of moral values.
Sure, Pegasus exists but I don’t think it is commodified yet.
What evidence is there/can you present that Apple is making use of this information in a negative way?
How can Apple not have a list of installed apps on your phone while maintaining basic functionality (automatic updates, reinstalling apps from backup, etc)?
Sort of. They have a list of apps you've bought/installed through app store, and they can figure out what you've deleted based on what your phone is pinging for update checks on.
If they went beyond that, or disclosed that knowledge, or allowed an app to get that manifest without your permission, it would destroy their brand image built around privacy, in a way that would cause long-term irreparable damage.
They decided to not comply with laws compelling them to add back doors to optional encryption on iCloud storage, rather than tarnish that image, because they know how valuable that trust is.
You can dump on Apple all you want, but compared to Google who plead with people to use their browser and phones to improve adtech surveillance they can monetize, I think they're doing OK and are a lot more trustworthy.
Are you sure? I know someone in adtech and I'm pretty sure Apple allows a similar app manifest that allows you to check for specific apps. I could be wrong.
Not sure about the manifest but recently I've seen talk about some banking apps using SBSLaunchApplicationWithIdentifierAndURLAndLaunchOptions (undocumented function in SpringBoardServices) [0] to try to launch another app on the phone by the bundle id, and they can determine if it's installed or not.
They were using this trick to detect unauthorized apps on the phone.
> I know someone in adtech and I'm pretty sure Apple allows a similar app manifest that allows you to check for specific apps. I could be wrong.
On iOS an app developer will need to register in advance which external applications their app intends to query, and the list needs to be very short and motivated. [1]
Incidentally, “I have a friend who says...” isn’t really a good citation anywhere outside Reddit - which HN resembles more and more each day.
It requires root, but you can block/spoof this with an LSPosed[1] module such as XPrivacyLua[2]. I hear there's also the closed-source AppOps[3], but I've never used it.
I've not heard of XPrivacyLua, which is by the same author as the excellent NetGuard[0], which I've been using for years.
Interestingly XPrivacyLua is not supported anymore and the pro companion app will be removed from the Play store by Google because it uses the permission QUERY_ALL_PACKAGES.[1]
Indeed, it is a shame. However, XPL-EX is a fork (though with much internal code (re)written at this point) with even more capability, while maintaining the familiar and simple UI. Seems pretty neat!
Can windows apps (not installed from the MS store) enumerate through the window titles of all open windows? How hard would it be for an app to monitor all of your web traffic based on the title alone?
Legit question. ChatGPT isn't super helpful here since it agrees with everything when I'm really looking for someone to say why this isn't really feasible in the real world.
Long-time Win32 programmer here - yes. This is by design. To use an analogy, Windows is like a "high-trust society".
There are functions EnumWindows() and EnumChildWindows() specifically for this purpose.
See utilities "Windows Modifier v2.00" (when I first downloaded it there were many pages about it, but it's a sign of how forgetful the Internet has become that I barely get any results about it now even searching for that exact name) and Microsoft's own Spy++ (SPYXX.EXE) for an example of this functionality.
The solution to an app you don't trust is to not use it at all, or use it in a VM.
How do you identify apps that you shouldn't trust? Sometimes trust is assumed only until evidence is given that trust shouldn't be given. Which makes no sense to me. Why was the initial trust so easily given?
A solution is to not use third party apps but most people aren't going to go that route. The VM idea is a good option though.
Not only can most apps see the titles of all other open windows on the system, but they can log all your keystrokes, take screenshots, record audio/video of you or your screen, or copy/delete all the files in your home directory, without any explicit permission or notification.
This is at least true for Windows and most traditional (X11 at least) *nix systems.
That is one thing I think Android got right... by default it runs every application as a different user. That means different home folders and no visibility into other apps.
Originally Android apps could draw over top of any other app though which is a phishing nightmare. It took them a long time to make that a permission, and then everyone granted it until they finally added the bubbles API recently.
Permissions are difficult to get right, and Android is unfortunately pretty slow to react.
On windows you shouldn't be able to do (most of) these directly with apps running under admin, though that's a small consolation when the browser is a normal process.
I'm not sure if we'll get away from these anytime soon, as any out-of-the-box solution will inherently limit the user's freedom that has persistently been there for decades on PCs.
> How hard would it be for an app to monitor all of your web traffic based on the title alone?
Although not terribly accurate (because of the high variability of page titles), tools like ManicTime and ActivityWatch use window titles to track your browser history if you don't install the browser plugin.
Windows has a whole different (looser, older) security model. There are no security barriers between windows running on the same desktop. (In particular, "UAC is [still] not a security barrier"--when you hit ok/type in a password to elevate a process, you’re effectively elevating the whole desktop and everything you're running.)
No, that is completely wrong and would be nuts. The only way the whole session gets elevated is if you'd launch explorer.exe with an admin token.
The way privilege escalation works on Windows is that pretty much everything gets launched with a standard user access token by default, and processes can request an admin access token in a few ways, UAC being the main one. When a process is supplied that token, that process is elevated.
It is more akin to 'sudo' rather than 'su', which makes sense because its progenitor is 'runas' from Windows 2000.
Right; I think having the API exist is a good thing, it's just a question of making sure that it's only used in ways that the user allows. Your own scripts inspecting and controlling arbitrary windows on your own machine => great, third party programs doing the same thing without your informed consent => bad. (In practice, this means I'm a big fan of extensive permission systems that have the ability to deny or fake responses at the user's direction)
Most windows apps aren't sandboxed, so them being able to grab window titles is the least of your worries. Any program can steal your login sessions and passwords if they wanted to.
Are you essentially discussing like a keylogger? I can't imagine windows intentionally keeps the plaintext password anywhere longer than it needs to be.
Definitely possible. This is how chat bots worked on AOL in the 90’s, basically the FindWindow and FindWindowEx functions in the win32 API. Hasn’t changed much (if any) since then.
>For extremely specific use cases such as file managers, browsers or antivirus apps, Google grants an exception by allowing QUERY_ALL_PACKAGES permission, which provides full visibility into installed apps.
'Extreme' my a*. My bank app has this permission, as well as my camera app, contacts app, clock app, Google Home, and on and on. My bank app was moved to an old iPad because of this.
yea I used to work for an advertising network and every game that implemented the Android SDK ended up with this permission, it was a way that we used to not show ads for games that the user already had on their phone
I want to expand on this more as someone more familiar with Bangalore/Bengaluru.
Almost like clockwork, Blume Ventures releases a report every year about the state of the Indian startup ecosystem that year, and since Bengaluru startups are almost all concentrated around Koramangala or HSR layout (these are places inside Bengaluru with their own PIN/address codes), you'll find a lot of people talking about that online.
The ppt in the blog is from the 2024 report - https://docsend.com/view/zqgfupfzyud499hn. The India 1-2-3 framework is old though. IIRC it was coined by a retail sector founder (Kishore Biyani) in the 2000s.
Koramangala and HSR layout are also the more affluent localities in Bengaluru.
Bengaluru/Bangalore has hotspots (PIN codes are postal address codes) where there are lots of startups, mostly in ecommerce, ad-tech, online education etc. and they have incentive to upsell you a lot.
I guess it's referring to some wannabe influencer buying Twitter (X) Premium and posting based on half-baked info on customers.
Mostly sarcasm, so take with a grain of salt. I can't tell about accuracy, but explaining the cultural context here.
Exodus Privacy will let you know about this kind of Android app you should avoid installing:
https://exodus-privacy.eu.org/
Swiggy is actually a small player in terms of permissions requested, with 'only' 47
Compare it to Weibo with 104, Wechat with 93, Facebook with 85, Snapchat with 71 (granted those apps may offer additional services that require some additional permissions, but they are definitely not worth giving them all your data...)
I don't know if it is just me but I run every class of app in isolated "islands" (like work profiles) on Android. Browsers, banking apps, social media, instant messaging, tools, etc. Almost everything is isolated from another non related group.
It's probably more an oversight than a "backdoor". They already have a "frontdoor" in the form of a permission that's pre-granted to them by the OS, so there's little need for them to devise backdoors like the android.intent.action.MAIN query that the blog post mentions.
Privacy issues aside, it's kinda cool reading about how Indians use their phones, and also how they use English. I'd never heard "beyond the pale" before, and I'm still not sure what the idea of "multiple Indias" means when some of them are Mexico and some are Africa...?
I've also never heard of the majority of the apps being analyzed or tracked. Must be such a different world out there.
"Beyond the pale" is commonly used in English. A pale is a stake, and it means beyond the boundary (set out by a fence with stakes, hence the phrase) of what is acceptable. It gained popularity in the mid 19th century. It may be related to the term "the Pale", which referred to the better controlled, more Anglicised part of Ireland around Dublin, but there isn't enough evidence to be sure of this. Certainly not an Indianism anyway.
>I'm still not sure what the idea of "multiple Indias" means when some of them are Mexico and some are Africa...?
Is it not pretty obvious? It is like the phrase "middle America". It doesn't literally mean a different country. It means different wealth categories: the Indians that when considered as a whole are economically equivalent roughly to Mexico, those roughly equivalent to Indonesia (poorer) and those roughly equivalent to Sub-Saharan Africa (poorest). There are ~1b Indians that are still so poor they aren't realistically in the market for your startup app if it wants its customers to ever spend anything, there are ~300m Indians that could be in the market for some apps, but probably mostly free ad-funded ones, and there are ~150m Indians that are quite a good market because they will happily spend money on something that provides value.
From the context, what I gather was meant by the idea of "multiple Indias" was the socioeconomic status of different demographics in India and their app usage. The presence of specific apps gives a tell to which demographic they belong to.
In other words, the richest demographic used certain apps and was equated to folks in Mexico, followed by the less rich equated to folks in Indonesia and the poor to Sub-Saharan Africa.
It's the average cooldude marketing of self-proclaimed "India 1", denigrating their own people and can't think outside of labeling others as something else.
These people are extremely snobbish in person when you go past their sweet talks, who don't understand much about people. I hated the "real" interactions and went back to being an IC in big tech.
Part of it is because they don't understand them, part of it is because they "understand" via someone else who told them stuff (like a redditor assuming everything on r/india is true), part of it is their own contempt of culture due to previous reasons ("ah these people are beyond any repair!"). Basically, ignorance in elites.
> It's worth acknowledging that there are some legitimate reasons for an app to check which other apps are installed on your phone. For example, an app might check which UPI apps are installed to show relevant payment options.
Nope! Nope, nope, nope. If you're wondering how we got into this situation.. well, it's exactly stuff like this. Weird to see someone who's digging into it at all also making excuses for it.
No one ever said "I want to avoid a single extra click once every other month, so I guess I better irrevocably open my data/phone/life up completely to megacorp forever". And they certainly did not say this about tinycorp. People just absolutely suck at adversarial thinking, and good guys need to do it for them before bad guys can. Do you want organized crime blackmailing your politicians about dating apps and infidelity? Do you want to make it easy to do large scale targeting of ${vulnerable_people} the next time the cultural or political climate shifts?
Come on. Anyway shouldn't the phone OS itself handle this rather than apps launching apps?? If not.. just let people pick a payment option, and then throw an error if the option is not available.
> "I want to avoid a single extra click once every other month, so I guess I better irrevocably open my data/phone/life up completely to megacorp forever"
Nah, it's super annoying when I click on a link and don't get redirected to the native app. This happens way more than once a month. Web experiences are much worse for many things.
Cool but the attitude of “bring on the dystopian future as long as it’s more convenient for some people some of the time” is still confusing to me. Do you imagine that leaked information like this has never gotten someone killed before, and never will in the future?
For the wider audience: though don't take this as GrapheneOS doesn't care about privacy. I'm sure there are reasons (I didn't read all of the linked threads) and it gives you plenty of other protections and tools - eg profiles, ability to disable all network access by app etc
> I'm sure there are plenty of system APIs providing this information too, and I don't just mean APIs designed to directly provide the information.
> It's not useful to prevent directly getting a list of installed applications without preventing detecting which applications are installed, so this specific feature request has to be rejected. It would have to be part of a larger, much more comprehensive feature preventing apps from finding other apps. That implies outright preventing communication with non-system components which is a much different approach to applications and rules out a lot of things. [...]
> The request should be for preventing apps from discovering which apps are installed, since anything less than that has no privacy / security value. There's no point in disallowing access to a list while not preventing discovering which apps are installed anyway.
It's a known fact in the rooting community because some banking apps search for root-only apps!
If you root (I advise against doing that) and have LSPosed installed, you can hide apps from being seen by every other app with Hide My Applist (HMA) [1] or HMAL (which I like more because it is more minimalistic) [2].
This is to be expected though, a phone platform isn't exactly Tor Browser. The big API as with any platform will have plenty of ways to fingerprint people even without this one example, unless the developers went far out of their way from the beginning to build prevention in. Much like how on UNIX you can see what processes everyone is running and their command lines.
Big companies like Swiggy and Zepto will mine the F out of your data. Some of it is for their benefit but some of it they could sell in the future. These so called founders are really just another wolf of app street looking to pump and dump. So when they do dump, or when some VC comes with money, they don’t just sell their app they sell it as a whole package of data and analytics that some company can use to sell their product or something VC can leverage to sell their stock to someone else. It’s not that difficult.
As far as smaller apps go these apps outsource their development to people who come with ‘packages’ to develop and maintain their app. These packages are the same logic as above but it’s just that they come from some template so you might be asked for location permission or camera or microphone by some really random app that has nothing to do with it.
While the quality of iOS is degrading, some of these things are really important and simply work better on iOS.
>Please remember the next time you casually install an app on your Android device, this information is being broadcast to the whole world. Data brokers will use it to profile you, cross-reference it with data about you from other ad networks and eventually it will be used to decide how much you’ll be asked to pay the next time you order a samosa.
Who are those data brokers? Are they publicly known? Do they have an API where a business sends a customer ID, mail or something and gets a spending profile that helps adjust the price for a particular customer?
I know this sounds evil. But haven't banks and insurance companies collaborated to profile their customers since tens of years ago? Is that not similarly evil?
> I don’t even know where to begin unpacking this madness. How is knowing whether I have the Xbox or the Playstation app installed on my phone essential to their Swiggy's core functionality?
Probably has to do with feeding adtech's hunger for personal information, or fingerprinting maybe (not sure if that's a thing in the context of phone apps).
If they just audited apps and banned companies from the app store for abuse it would do a lot to curb this behavior. This is feasible, there just aren't THAT many popular apps at any given time.
If Google truly cared about privacy, each app would run in its own strict jail, and permissions would be faked by default. Also, easy malware by Israel or anyone else would not be a thing. As it stands, apps know everything I am doing, and I get targeted spam email rather immediately.
Perhaps crazy question: is it a good idea to have two phones now? One for making calls only, with as many apps as possible removed. And another phone for email, web surfing, photos, etc...?
edit: Oops, I left out texting. Which phone for that?
If you don't need ANY apps on your main number, good dual-Sim feature phone (but be extremely picky, some are utter trash).
Then for all the smart stuff, Pixel 6 with GrapheneOS. You can confine various "classes" of apps to dedicated profiles, so they'll never know of each other, and you get vastly improved security (multiple releases in the month) and significantly improved privacy.
Of course, amazingly that's one of its best features, enabling you to actually speak to a real person. (It's a type of personal connection that fleshy robots have, for some reason, derided.)
But I digress, excusing your bad form of answering a question with a question, I am interested in your opinion of the possible conundrum of the two phone idea.
First, f-droid only accepts OSS apps, so the incentives for spyware is simply not there. Second, anti-features are explicitly marked on f-droid. Third, f-droid apps are curated like a very rigorous linux repo.
Packages on f-droid list all required permissions explicitly, and the mentioned permission seems to be listed as "query all packages: Allows an app to see all installed packages.". It doesn't mark the app as having "anti-features", but you can at least make a more informed decision this way.
You don't have to sacrifice your privacy to use Android. GrapheneOS is a tremendous alternative, and even if you still need some Play Store applications, you can install a GMS compatibility layer and Play Store in either a secondary profile (recommended) or your main profile (not recommended) without granting Google unfettered control over your entire operating system. This compatibility layer offers a better reduction in attack surface and stronger hardening than microG.
Alternatively, you can continue with the standard setup, accepting that you’re willingly providing companies with an unprecedented level of access to your personal data. It’s puzzling that many seem more concerned about breaking a familiar routine than about the risks associated with sharing every detail of their lives with companies that, in turn, share that data with one (or more) hostile government(s).
There is certainly a lot of justified concern about government overreach and abuse of power on HN. It remains difficult to understand why many with these warranted concerns do nothing to adopt a more coherent and rational approach — such as merely attempting to protect their personal data by not deliberately and voluntarily feeding it entirely to companies that are secretly coordinating with the very same hostile governments these people claim to seriously fear and detest.
The problem is GrapheneOS is Pixel only. They are prohibitively expensive, especially in India where the mobile market is very crowded and you get Snapdragon 8s gen 3 for ₹25k.
My solution to this is to use the apps that come with my phone and avoid relying on anything else. Problem solved. I use signal, uber, MyChart (for my doctor), and some apps for banking but that is about it.
IME, apps usually represent an overly generous amount of contempt for the people who use them.
At best, it's a designer's hubris (mixed with contempt) like, "You want to select some text out of your SMS message? I've decided. NOPE."
But mostly we're treated with contempt simply because we're an annoyance that is obstructing the goal of serving the actual customer (advertiser) who is paying for the work.
App Stores are no mystery. They are a funnel for rent-seekers and adtech info brokers.
If you think they are intended to benefit you in any way at all, you are badly mistaken.
I used QUERY_ALL_PACKAGES among other things for my app Limit Buddy (https://www.limitbuddy.com). It would be impossible to make the app without it. But for more normal use cases there's no reason to have it.
Apple has a much more robust solution privacy wise with their ScreenTime API but it makes an app like Limit Buddy much harder to build.
I actually don't know, I was just making a joke about the dearth of applications on UT. I'd expect it to have Snap-type sandboxing, but the Security and Privacy section of the settings app doesn't tell me much.
If the article explained why iPhone was worse than Android at something they'd be like "whatever, I love my iPhone" so I don't see how that statement adds any new information.
I read some hours ago a comment to the effect of "whatever, I don't expect Apple to be good with AI so it's okay for Siri to suck since forever, I still love my iPhone"...
I can't help but be amused at a comment defending a 3 trillion USD company's technical incompetence.
I’m not sure that’s true. I wish there was a foldable version of the iPhone.
I just think better privacy and security controls and stricter app guidelines are a reason people choose the iPhone over Android, so this really isn’t a surprise to people that have been paying attention. It’s the tradeoff we make for the walled garden approach, but I think it makes sense for a smart phone and less so for a general purpose computer.
It's because it stores the files there so you can sync them with other permissions. And also that your notes aren't deleted like they would be if they were stored in the internal app storage. There's more granular options for filesystem access available but if you implement them you limit yourself to the latest Android releases.
According to Exodus it has no trackers and it's an open source app also so you can see what it does (though tbh I didn't check that for the mobile one)
If there's apps to call out there's way worse than Obsidian.
If I'm not mistaken, this is because without this permission they can only see audio, video and image files. You wouldn't be able to use it comfortably to do its job.
Personally I use it with Storage Scopes on GrapheneOS.
The ACTION_MAIN loophole has been written about before: https://commonsware.com/blog/2020/04/05/android-r-package-vi...
Google refuses to patch this. I wonder what would happen if you submit it to the Android VDP as a permission bypass.
There’s also this SO question by the author about the bypass: https://stackoverflow.com/q/79527331
It seems like the ACTION_MAIN loophole could be fixed (eventually) if apps that declare it are required to actually be launchers. It seems like legitimate integrations should have more specific intents.
At that point, Android prompting whether a random game you just downloaded should be your default launcher seems like a pretty dangerous interaction for sneaky apps to risk. They either cause the user to bounce and report, or the fools select it as default launcher, replace their launcher, can't provide the launcher functionality, break the user's home screen and end up getting reported in the Play Store. I also assume actually getting published as a launcher-class app at that point brings automated test suites and other requirements that will be burdensome for developers.
That sounds very sensible.
> Google refuses to patch this.
That's why projects like XPL-Extended (and previously XPrivacyLua), are an absolute need. I never run an android phone without these.
> If there is one leap that the infosec community consistently fails to make, it is this: people who are not like me, who have different needs and priorities, who have less time or are less technical, STILL DESERVE PRIVACY AND SECURITY.
https://hachyderm.io/@evacide/114184706291051769
XPrivacyLua and other XposedMod/Magisk extensions break open the app sandbox. It is better to restrict running those on userdebug/eng builds (test devices). For prod builds (user devices), I'd recommend using Work Profiles (GrapheneOS supports up to 31 in parallel) or Private Spaces (on Android 15+) to truly isolate apps from one another.
Thanks for the link, seems like the loophole is already there since the introduction of the package visibility restriction, and almost everyone and their mother knows how to bypass this restriction.
> Google refuses to patch this
While I don't believe Google engineers are not aware of this widely used loophole, do you have any source that they refused to fix it?
That loophole was published 5 years ago; it hasn't been fixed since.
Do you need someone from Google to explicitly write an official note, notarized, indicating they are refusing to fix it?
Submitting it to the Android VDP is a solid idea, though I wouldn't be surprised if it gets waved off as "working as intended."
The right ("as intended", in my view) functionality would be to support a manifest with, say, five apps, and if as a dev you wanted more you'd apply to Google for an exception (like AWS limit increases) with a list of reasons for each app.
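Both the QUERY_ALL_PACKAGES permission and the android.intent.action.MAIN query the blog post describes are visible in an app's AndroidManifest.xml, so a reviewer or app-store auditor can flag them before install. The following is an added example, not code from any commenter or from the blog post, of a small manifest checker: it flags QUERY_ALL_PACKAGES, flags any `<queries><intent>` on ACTION_MAIN (which matches every launchable app), and counts explicitly named `<package>` entries against a hypothetical five-app budget like the one proposed above. The two manifests and the com.example.* package names are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # the android:name attribute, namespace-qualified
# Hypothetical budget of explicitly named packages (the "five apps" idea above).
PACKAGE_BUDGET = 5


def audit_manifest(manifest_xml: str, budget: int = PACKAGE_BUDGET) -> dict:
    """Parse an AndroidManifest.xml string and report how much visibility into
    other installed apps it requests. 'findings' holds human-readable flags."""
    root = ET.fromstring(manifest_xml)
    findings = []

    # 1. The "front door": QUERY_ALL_PACKAGES grants full visibility outright.
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    all_packages = "android.permission.QUERY_ALL_PACKAGES" in perms
    if all_packages:
        findings.append("QUERY_ALL_PACKAGES: full visibility into installed apps")

    # 2. The <queries> element. Named <package> entries are narrow and auditable;
    #    an <intent> on android.intent.action.MAIN matches every launchable app,
    #    which is the loophole the blog post describes.
    packages = []
    action_main = False
    for queries in root.iter("queries"):
        packages += [p.get(NAME) for p in queries.findall("package")]
        for intent in queries.findall("intent"):
            actions = {a.get(NAME) for a in intent.findall("action")}
            if "android.intent.action.MAIN" in actions:
                action_main = True
                findings.append(
                    "<intent> query on ACTION_MAIN: enumerates all launchable apps")
    if len(packages) > budget:
        findings.append(f"{len(packages)} named packages exceeds budget of {budget}")

    return {
        "queries_all_packages": all_packages,
        "action_main_query": action_main,
        "declared_packages": packages,
        "findings": findings,
    }


# Constructed manifest in the style the blog post describes (not a real app's).
BROAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.broadapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <queries>
        <intent>
            <action android:name="android.intent.action.MAIN"/>
        </intent>
    </queries>
</manifest>
"""

# Constructed manifest that names only the two (placeholder) payment apps it
# integrates with, the narrow form a UPI integration could use.
TARGETED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.targetedapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <queries>
        <package android:name="com.example.upi.first"/>
        <package android:name="com.example.upi.second"/>
    </queries>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("broad", BROAD_MANIFEST), ("targeted", TARGETED_MANIFEST)):
        report = audit_manifest(xml)
        print(label, "->", report["findings"] or ["no visibility concerns"])
```

Running it on a real APK means decoding the binary manifest first (for example with apktool or aapt), then feeding the resulting XML text to audit_manifest.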
What do you mean with "refused to patch this"? Google will reject any app publishing attempt that asks for that filter and isn't a launcher on Play store.
How is that congruent with the article's claim that 31 out of 47 apps they tested had this filter?
Author claims that this same hack is used widely, including by apps on the Play Store like Snapchat and Facebook.
The HSBC bank app uses this and is in the Play Store.
I still, will never understand the need for native "Apps". To this day, I have never seen an "App" that couldn't simply have been a website/webapp. Most of them would likely be improved by being a webapp.
The only benefit I can see of "Apps" is that the developer gets access to private information they really don't need.
Yeah, they get to be on the "App Store". But the "App Store" is a totally unnecessary concept introduced by Apple/Google so they could scrape a huge percentage in sales.
Web browsers have good (not perfect) sandboxing, costs no fees to "submit" and are accessible to everyone on every phone.
Simple, UX.
The reality is, most webapps for mobile just suck. The UX is nowhere near that of a native application. I don't want any text to be selectable. I don't want pull to refresh on every page. I don't want the left-swipe to take me to the previous page.
You can probably find workarounds for all these issues. The new Silk library (https://silkhq.co/) is the first case I've seen that gets very close to a native experience. But even the fact that this is a paid library goes to show how non-trivial this is.
>I don't want any text to be selectable. I don't want pull to refresh on every page. I don't want the left-swipe to take me to the previous page.
Strange. This inability to select any text has always felt like one of the most hostile things developers could ever do. It feels like pure vandalism.
Another thing that causes massive productivity degradation is not being able to keep multiple pages open so you can come back to some state. I cannot imagine how anyone could possibly use these apps for any serious work.
The UX of almost all native mobile apps is absolute crap. But it's not their nativeness that makes them crap. I'm not complaining about the idea of operating systems offering non-portable but high performance UI primitives that make use of OS facilities.
Many native desktop apps don't have these UX issues (at least not all of them at the same time). It's the mobile UX patterns, conventions and native UI frameworks that are causing this catastrophic state of affairs.
To be fair, browser apps do have their advantages:
- text is selectable
- content is zoomable
- you can have an ad/nuisance blocker
- page source is open
While native apps have their own advantages:
- much smoother experience esp. navigation, scrolling, animations, etc.
- better overall performance (JavaScript will always lose to the native binary)
- access to hardware opens new possibilities; audio, video accelerators etc.; there's a ton of things you can't do in the browser with audio for example
- widgets, some of them are nice and useful too
- for publishers: an app icon on the home screen is a reminder, a "hook" of sorts; this is the main reason they push apps over web versions
As a user I usually want all of those features to work. I regularly get ticked off at apps, because I cannot copy paste like in the browser or the app just closes (and loses all state) because I tried to use the back button. I also encountered apps that just reset, because I dared switch to another app for a second because I wanted to copy paste something into it...
> I don't want any text to be selectable
Disabling text selection is not just worse UX, it is actively user-hostile
Most apps for mobile suck too. A lot of them are worse because they are not in a web browser, eg YouTube or Reddit or similar apps that work via urls.
Browsers are some of the very few apps that work well on a phone. Most of the other ones feel like a mess (except games I guess).
Mmh, the examples you've listed are actually super easy to do if you're using a framework such as Angular with its plugins for PWA and touch controls. And prolly Tailwind for CSS/disabling selection if you really want to, but I'd call that an anti-feature in almost all cases.
You have to wonder about the motivations of the company making the browser that makes it impossible to disable some of these things, and therefore makes real apps so much superior (like swipe to go back on safari - I have never ever swiped back intentionally in over 100000 swipe backs).
The "pull to refresh" is probably the most annoying one.
Other than that, I'd like text to be selectable! I don't like it when apps don't allow you to copy text.
I use Copy [1], and when that doesn't work I use the OCR text selection feature on my Pixel phone.
[1] https://play.google.com/store/apps/details?id=com.weberdo.ap...
That's funny, I use Amazon on mobile web, my wife insists on the app.
Guess which one of us has way more problems, due to both functionality and a constantly changing layout?
UX is when you have less features - got it.
It doesn't sound like anything that a PWA (paired with some sync mechanism like WebSockets) can't solve. And with WebAssembly the convergence is even more compelling.
To go along with this UX argument: it’s always been my perception that native apps often lean towards a stateful design while web apps try for stateless. Maybe that’s too abstract (read - incorrect), but was always just where my intuition landed.
Nothing prevents the same UI being available in web though.
Ionic mirrors a lot of it, but Apple/Google could have just as easily made them native components triggered in the browser.
That is not an objection. Two decades of webapp progress instead of native app progress would have (and still would) addressed all of that.
webapp UIs suck because nobody cares about them. They could be a lot better.
This is a bizarre take. Are you also suggesting there’s no reason to have a native app on a laptop? Because it’s essentially the same question. There are many things which a native app can do that a browser just cannot do well, or at all. I don’t know what your needs are, but for example if you’re doing heavy video or audio editing, accessing heavy amounts of RAM or utilizing GPU compute or doing other things on the bare hardware, doing that all from a browser is definitely not there yet.
On desktop you do productive work, your apps need native capabilities. On mobile, apps are primarily consumption, displaying, browsing... no complex interactions.
> I still, will never understand the need for native "Apps". To this day, I have never seen an "App" that couldn't simply have been a website/webapp.
In cases where a native app and web app are both available on iOS, there’s often a huge difference in battery usage and sluggishness. Also, as a sibling poster mentioned, I like having fully “offline” apps as well, for example for maps and notes.
I’m not saying that I like how Apple and Google have done this in practice, but I don’t think going webapp-only is the future. For the same reason I won’t replace my real computer with a Chromebook for the foreseeable future.
When the iPhone came out, you had full offline access on PC to Gmail and google docs using Google Gears.
Google Gears got deprecated because something something move to standard HTML and browser features, and now we don't really have any offline web apps.
The ability to have non sluggish, offline web apps has existed for decades now, but the interest from providers has been declining and the understanding that this is possible is also declining on the consumer side.
> In cases where a native app and web app are both available on iOS, there’s often a huge difference in battery usage and sluggishness.
Yeah, like a single native Instagram app draining battery faster than the combination of multiple websites that I visit in Safari.
> For the same reason I won’t replace my real computer with a Chromebook for the foreseeable future.
> real computer
Where most of the modern applications are either web wrappers or Electron apps.
PWAs can be fully offline. Are you sure you understand what you criticize?
I get your point partially. All these apps that companies put out in order to collect and manage shopping tokens or to contact their customer service would have been much better as a website.
However, I still do like to have apps on my devices that just work offline, without distributing my data across services I do not control. And I also do not want to depend on an internet connection wherever I am.
I like my offline OsmAnd/Organic Maps app to show me the trails when I am somewhere in the woods or mountains. I like my apps that, instead of using some third-party server, connect directly to my other local devices to share data.
IMO all (where possible) apps should be developed offline first, and only require internet when necessary, and those apps that cannot work without internet should be web apps, they do not need to be on my devices.
It’s totally possible to distribute a webapp that works offline and stores all your data offline too.
Platform owners introduce a bunch of restrictions that create reliability and usability concerns, but the standards already exist to enable a website operator to create a webapp that, after the initial ‘install’, runs entirely offline on the user’s device, and has no need to communicate with the website.
I'm sorry. I really just can't understand or relate to this at all. Mobile web still feels like such a terrible experience, and apps generally don't. When's the last time you tried booking a flight on mobile web? And how do you deal with all of the real estate the browser steals? Having to log in every time when the app can just cache my authentication and FaceID me?
Seriously, booking hotels and flights is so much better on the web. You get multiple windows for easy flight and price comparisons, within and between providers.
I don’t understand people who use apps for this. It is such a pain.
Not who you replied to, but I more so do not rely on my phone for anything where I would prefer more screen real estate such as doing comparisons like buying flight tickets. I have never bought flight tickets on my phone, only on my computer. I prefer the bigger screen and keyboard for most things actually
> Having to log in every time
Sounds like a broken web app.
You are currently using a webapp that doesn't do this. It's called Hacker News, and it never asks me to login every time on my phone.
> when the app can just cache my authentication and FaceID me
Sounds like a broken login form.
Hacker News also allows me to login with Face ID on my phone, thanks to my password manager.
Optionally webapps can also provide Passkeys.
Not so sure. There are a ton of bad apps. They also do not work properly often.
Besides, companies focus on apps, not on web pages. Less money, less focus, therefore worse experience.
> When’s the last time you tried booking a flight on mobile web?
A week ago, via TravelPerk which is literally a web wrapper.
> And how do you deal with all of the real estate the browser steals?
What?
> Having to log in every time when the app can just cache my authentication and FaceID me?
I literally use the same FaceID for my passwords/proton pass. Also, this depends on a website.
There are also an increasing number of services which are ONLY available as apps now, including, but not limited to, many financial apps such as Revolut.
A big issue with this trend is that unlike the web, the whole Android ecosystem is a walled garden which is strictly controlled by Google. In principle you can run your own custom Android ROM, but in practice this will lock you out from any app which uses Play Integrity API to enforce Google's totalitarian regime which dictates what software YOU are allowed to run on "your" hardware.
The worst one is the UK's NHS app, which is only available as an app, despite being just a webview wrapper! I have no idea what they were thinking.
Not only that, but these companies are effectively letting Google decide who they can do business with. It's insane.
It's funny to read negative replies to your comment on the shortcomings of web apps.
The browsers are controlled and manipulated by the likes of Apple and Google. These companies have a significant influence on the direction of browser features and limitations, often shaping them to suit their business interests. For example, Apple’s Safari and Google’s Chrome have been criticized for implementing features that reinforce their own ecosystems, such as limiting web push notifications or restricting certain web API functionalities to encourage users toward their native apps. This ultimately means that even in the browser world, the same forces that drive the app store monopolies can still control and restrict what’s possible, even if the web is inherently more open. So while web apps offer more flexibility than native apps in theory, the reality is that Apple and Google’s control over the browsers still limits the true potential of a completely open web.
> The browsers are controlled and manipulated by the likes of Apple and Google.
Who do you think controls Android and iOS native APIs?
Web standards at least have public forums and specs, with multiple parties involved. And all the major browser engines are open source and apps built for them are relatively cross-compatible.
> the "App Store" is a totally unnecessary concept introduced by Apple/Google so they could scrape a huge percentage in sales.
Actually, when the iPhone was introduced, Apple wanted it to have only a few select native apps (like Maps or Mail) and all the rest to be web apps.
They were browbeaten into opening an app store by the developers, who wanted to do native apps, not the other way around like you say.
During the earthquake in Bangkok on Friday, Grab (a local, superior version of Uber) helped me order a taxi and get my kids home. Needless to say, the cell phone network collapsed for most of the day. Everyone wanted to know what was happening and whether their family and friends were safe. They definitely have a very optimized network layer for poor connections. I bet they can switch to UDP or something. I'm glad that it wasn't a web app.
In many other cases I agree with you.
99% likely they're using a REST API, which is... HTTP.
Even if it's gRPC or something more exotic, it'll be over TLS (you best hope it is).
You can have a webapp cached locally on your device. PWAs allow developers to create an SPA you can open from your homescreen, and to do that API interaction the same way as a native app.
I hope you and your family are well, and it's great that tech helped. But please, don't think that because this tech worked in this instance it can't be made safer and securer.
Switching to UDP won't magically improve your network connectivity. The overhead of WebRTC over UDP isn't too high either.
It’s clearly for data collection. Take the yelp web app for example. It used to be much nicer than the native one. Then, they intentionally defeatured it until it was useless.
Also, this situation benefits the google-apple duopoly, since it means superior products (remember Windows Phone 8?) or privacy focused devices (FirefoxOS) have no chance of getting a foothold in the marketplace.
The objections I see in sibling comments are nonsense. Modern web supports high frame rates, developer control over the UI, etc, etc.
While many native apps could be web apps, you're ignoring some very large reasons for native apps:
1. Better UX and responsiveness for users, including better offline use.
2. Using native hardware APIs. How are you going to do things that require on device video compression, or realtime graphics that are more advanced than GL ES, etc
3. Battery life and performance. A native app can use less power than a web view for doing its work, and it can also make use of better async/concurrency/threading than a web view allows for.
> The only benefits I can see of "Apps", are the developer get's access to private information they really don't need.
That's exactly the point. More developer control, less user control. Can't change cookie settings in an app, can't (easily) block ads, can't use developer tools to remove annoying UI elements, can't disable phone home mechanics, can't prevent the developer from profiling you.
In the case of termux, by far my favorite app, I have more than 2GB of locally installed packages. How would that work with a browser?
OP talks about apps in general; of course there will always be anecdotal cases like this one (see also https://xkcd.com/1172/).
How would you make a video app in a browser? ie taking videos and then editing them afterwards
GP used hyperbole but was not all wrong. The issue is that most native apps could very well have been web apps. I appreciate that on iOS adding a web app to homescreen is possible, albeit obscure and not many use that feature. I hate that Firefox never really supported PWA for some unfathomable reason.
Do you mean something like https://commons.m.wikimedia.org/wiki/Commons:VideoCutTool ?
The commenter is talking about most apps. The use case you mentioned requires computing resources. You can do the whole thing in a browser too, but it is not an efficient way. But in the case of delivery apps and finance apps, you don't need much compute, as they can work exclusively with APIs.
There is nothing inherently evil about an app, or inherently good about a website - it's only because historically we have allowed crappy app permissions structures and allowing apps to ask for things they don't need.
Apps are faster, are more predictable (no auto-reloading or rendering issues) and generally perform better IMO.
On the other hand, in reality, you're correct. I think the NYTimes app will collect more data from me than the NYTimes website.
For me, there are a lot of applications that I want to be able to load regardless of whether I have a connection to the Internet or not: calendar, notes, mail etc. They can sync/send/whatever whenever I am next online.
Ah yeah. While this is mostly implemented terribly, a web app can absolutely do this for you using service workers. So you can install a web app to your home screen and use it without an internet connection at all.
PWAs can do this.
https://en.m.wikipedia.org/wiki/Platform_economy
Becoming the middle man is the default model that supports scale. No one has come up with anything else to support a world where avg disposable income is close to 0
> Becoming the middle man is the default model that supports rent extraction
FTFY
Zuck: Betting on HTML5 was a mistake (2012) https://www.infoq.com/news/2012/09/Facebook-HTML5-Native/
https://www.sencha.com/, the vendor of the ExtJS framework tried to argue that Facebook was wrong (2012): https://www.infoq.com/news/2012/12/Fastbook/
I worked for a company that used Sencha back in the day and wrote the first React integration over their form/datagrid components in 2013. React ate their lunch
Very narrow take; it's so far-fetched I would consider this a bad-faith comment.
How could you possibly consider intensive games to be "simply" web apps? How about network apps like vpns, wifi analyzers? Have you really not come across such apps or are we meant to think every app is a TODO application?
Both web and native have been driven by the same corporate forces; the argument here should be technical only: what can you do on native that you can't on the web. Mixing this technical matter with corporate policies muddies the waters.
It has the potential to be faster, more private and more efficient.
Absolute absence of lag, glitches, rendering issues, memory use in the kilobytes etc. is possible with native applications.
Pokemon Go. You couldn't really do that as a webapp with the VR and stuff.
Also, with the bank apps I think there's extra security over a web app: on the iPhone they often scan my face.
Maps and navigation apps? Desktop integration and sync apps?
That said most of the time you are right.
I am fairly convinced that some apps are just wrappers around web apps. The Virgin Money (UK bank brand) app used to ask for cookie permissions on launch and felt very like their website used to (until it was removed and they went app-only).
For one, you couldn't access those webapps without a browser, so that's the need for one app. It would also be a bit annoying if you had to load a webpage when trying to dial a number
Or am I not understanding what you mean when you use the quoted name "Apps"?
Many things need to be an app, but so, so many do not require it.
Many apps are apps just because they can collect your data, and create walled gardens. It is harder to create extensions for existing apps, for web pages it is easier.
Access to Bluetooth devices is a good reason to have an app. I definitely do not want a Bluetooth API in my browser (although Chrome does have something in that direction, I think it's a bad idea)
So you never use native apps on your desktop? Why should a computing device not be able to run programs?
I feel like an actual security-driven design is a lot better than just relegating everything to the browser.
Any kind of offline cryptography. Imagine Apple Pay being an app. So all sort of digital signatures, documents, checks, payment codes and vouchers, tickets etc.
IMO this is in the range of „why we use machines to transport if we all have legs”. Technically true, but applications do more than only UI.
I've heard this argument for the past 30 years (we won’t be using apps, everything will be remote console/terminal/webpage/web). Chromebooks were meant for web-first access, and yet native apps are still alive and kicking.
Push notifications. Apps have them on by default, websites have them off by default. 100% of Temu's valuation is because they pester users all the time with nudges to buy stuff, which works.
Normies don't turn off notifications. Over the last few years all my relatives have picked up smart watches, (thanks to cell carriers upselling them hard during phone replacements) and in any given conversation at family events they'll be glancing at their wrist every 100 seconds.
Registering for push notifications ought to be a protocol much simpler and lightweight, compared to this spinning up a virtual machine and running a downloaded binary for each channel of notification you wish to receive.
> The only benefits I can see of "Apps", are the developer get's access to private information they really don't need.
this is the actual reason why companies push people to install and use their apps instead of their website.
This makes me wonder if Google would let rot creep into (or possibly already has) to encourage people to use apps and also encourage developers to build on their platform.
To me a mobile app is usually just a shorter web app that you can’t zoom on
Edit: and I’ll venture a guess that since mobile apps can’t use things like ad blockers, companies probably prefer them. More control over what you look at.
I agree, mostly, but there are definitely some programs I want running on my phone and outside of the default browser.
- Timer / alarm clock
- Camera
- File browser
- Offline maps
- Another web browser
But not 250MB banking app.
Push notification is the big one. Yes, there is web push, but that's hardly scratching the surface of feature completeness. And incentives to change that aren't really there.
That’s a feature.
Yeah, good luck writing a screen reader, a demanding mobile game, a (local) music player, or a warehouse parts lookup app, supporting fully offline use and barcode reading functionality.
In 2025? Sure, you can do some (but not all) of that in a browser? In 2010, when those systems were becoming popular? Absolutely not a chance.
People forget that Apple initially tried this exact approach. On the first iPhone, that's how you were supposed to do apps. People wanted native so much that they were willing to go the extra mile, jailbreak their device, document the undocumented iPhone SDK and write their own toolchain. The user demand for native was clearly so overwhelming that Apple finally relented and gave in.
Even a few years later, Facebook tried hard to have a single, cross-platform HTML5 website instead of bothering with apps. Even then, browsers just weren't there yet, and they probably had the best engineers and resources on that project one could have had for any money.
So many apps are glorified wrappers around web content anyway, and in those cases, native just adds bloat (and tracking)
Speed, and from that follows battery life.
In other words, you believe all computers should be Chromebooks, which can only run Chrome and nothing else?
The most basic app, a notepad, I often prefer native. When I go between google keep or notion to apple notes I can tell the difference. If the text is long enough, the web apps just can not load the content.
Just to confirm:
I dumped all of my notes from my insanely large Apple Notes (about 16000 lines of text) and pasted them into Google Keep, Notion, and Google Docs. With the exception of Google Docs, the rest of them flat out froze and I had to kill my browser. Stop trying to tell us that the browser is the answer to everything when most web apps can't do the job of Notepad.exe or vi.
> With the exception of Google Docs
So, one out of three webapps that you tested could handle this much text. It suggests that the problem for the other two is their implementation, rather than any limitation of the browser.
Of the two that failed, did you also try the app versions to see if they failed too? I really doubt the Notion app could handle 16000 lines of text.
Sorry, I couldn't recreate this. I just built a tiny text editor app: https://65cd02a1-8f00-47cb-b1d1-231493de5fc2.paged.net/
Tried putting 20k lines into it. Loaded instantly, allowed me to scroll and edit flawlessly.
But I get your point. I'm on a pretty decent 2022 iPhone, and I'm sure at some stage I would run into a performance hit. But not at 20k lines.
Now try VSCode in chrome and compare it with apple notes. I use both and VSCode wins hands down in long lines and files.
It's an advertisement that you see each time you use your phone.
Working offline?
Honestly I wonder the same. App stores have big % cuts for the provider, I believe Apple has a 30% cut? Surely this number is big enough to justify spending the resources for a mobile first site?
Imagine a world in which your smartphone's battery lasted more than a day...
... and ram requirements for good performance went down by 66% ...
…but give it one little webview…
...not every app is a worse reddit website?
there are games, there are offline programs
---
Website-as-an-app does need to be squashed; that's something I do agree with you on.
That's why I like hacker news.
I found this article yesterday and posted it on reddit android, here : https://old.reddit.com/r/Android/comments/1jmwg4w/everyone_k...
0 upvotes, comments filled with what are either depressed, sad people or just bots.
Here it's top 2... with mostly interesting comments.
Some subreddits are more dead than others, but r/android has got to be one of the worst.
> Some subreddits are more dead than others, but r/android has got to be one of the worst.
Yeah, I'm not sure what exactly is going on with reddit but if dead-internet theory would hold anywhere, it seems to be there.
Besides, all the topic/subject subreddits seem moderated by people who hold a vested interest in the topic/subject, to the detriment of their community. I made a submission which went into detail about the proprietary license that Meta's Llama is under, and what exactly that license means, and it was removed manually by the moderators of r/LocalLlama without any reasoning, and they refuse to answer why it was removed even after I tried to understand the rules of the subreddit better.
I'm guessing when the last "reddit purge" happened where they replaced a bunch of community moderators with employees from reddit, most of the platform was sold to companies to moderate their own spaces, unfortunately.
Moderation is one of the huge Achilles’ heels of Reddit. I’m confused why Reddit thinks a monarchy with no term limits will work on a website when it has never worked in human history. There is no voting whatsoever where users can give feedback on how they think the moderation or the subreddit is going. You get entrenched subreddits like /r/movies and their obsession with movie posters instead of movie discussion or /r/running, which is incredibly unused because the mods insist on removing almost any discussion of running outside the weekly threads except for idiotic race reports in obscure places that no one reads or cares about.
Thread success is hit and miss. You can post and there's crickets, or you can post and people pile in. If you click the "past" link under the title, there's a thread from 2 days ago, completely dead.
On the other hand, many interesting links (IMO) I submit to HN also get zero comments
Worse, I've had submissions (both links and comments) get flagged in the past, and I have no idea why. I suppose they must have violated some HN policy, but if I had more information about the rationale, I could avoid making the same mistake again in the future (all of my submissions where that happened were for genuinely interesting content or 100% non-offensive opinion comments).
r/android got hit really hard by the subreddit blackouts. Activity is just very low there.
The subreddit is mostly younger folks more aligned with the "fanboy" attitude, they downvoted because it was a critique of Android.
Hacker news understands the concept of constructive criticism.
I wouldn't say understands, but better understands.
> Beyond the usual categories, I see there are checks for apps like Tamil Calendar, Odia Calendar, Qibla Direction Finder, mandir apps, astrology apps. They know what they’re doing.
This loan app is profiling people on the basis of race (Tamil, Odia) and religion (Qibla Direction Finder is used by Muslims, mandir apps by Hindus).
The HSBC UK Android app looks at what apps you have, and refuses to run if you have apps with certain permissions (such as an alternative launcher), and now refuses to run if you have any apps from outside the Google app store.
I have complained about this here before, but the end result was that I asked for a hardware security device and use the website instead.
Tired of apps using shady, fragile tricks to refuse to work and claiming that you are "secured" by them.
Interestingly FirstDirect app (also part of HSBC) has no such problems. It even ran on my previously rooted phone.
That's pretty funny, right? They have to spy on you to tell you what else you are using could be spying on you. Do they happen to say this data is not transmitted to the company?
That's beyond absurd. Sounds par for the course with HSBC!
> How is knowing whether I have the Xbox or the Playstation app installed on my phone essential to their Swiggy's core functionality? How will knowing if I have the Naukri or Upstox app help them deliver groceries to my doorstep?
It is for fingerprinting purposes
It also checks for popular remote desktop apps (allow incoming connections to the phone) which could be used to increase scam success rate.
Same with banks apps, if you are a scammer it's really useful to know beforehand what kind of bank the target uses.
There are probably a whole bunch of groups who have a purposes for this kind of info, especially if they can link it to the phone number.
fingerprinting is the best case scenario
What's the worst case, in your opinion?
> For extremely specific use cases such as file managers, browsers or antivirus apps, Google grants an exception by allowing QUERY_ALL_PACKAGES permission, which provides full visibility into installed apps.
Why would browser need to enumerate the installed apps?
Why?!
When a user visits a play.google.com URL Google wants to be able to show either an "install" or a "launch" button contingent on whether the app is already installed.
In other words, blame Google product management.
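The distinction the article's quoted passage draws, QUERY_ALL_PACKAGES versus the narrower package-visibility declarations Android 11+ expects from everyone else, is easiest to see in the manifest itself. The following fragments are an added example, not code from the article or from any app discussed in this thread; the package names are placeholders. The weak form is what the exception grants; the narrow form is what a non-browser app should ship, and because the declarations are static, an auditor can read the app's entire visibility scope off the manifest before it ever runs.

```xml
<!-- AndroidManifest.xml fragments. Added example, not from the article or
     any app named in this thread; all package names are placeholders. -->

<!-- Weak form: the app can enumerate every installed package. On Play this
     permission is only granted to narrow categories (file managers, browsers,
     antivirus); anywhere else it is the thing a reviewer should question. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />
</manifest>

<!-- Narrow form: on Android 11+ (API 30) PackageManager only reveals the
     packages and intent handlers listed here; everything else is filtered.
     The scope is fixed at build time, so it can be audited from the APK. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <queries>
        <!-- one explicitly named partner app (placeholder name) -->
        <package android:name="com.example.partner.wallet" />

        <!-- apps that can open https links, without naming any of them -->
        <intent>
            <action android:name="android.intent.action.VIEW" />
            <data android:scheme="https" />
        </intent>
    </queries>
</manifest>
```

When reviewing a third-party APK, the same scope can be read back with `apkanalyzer manifest print app.apk` from the Android SDK command-line tools: a `<queries>` block with a handful of `<package>` entries is the "five apps in the manifest" shape discussed earlier in the thread, while a long list of named calendar, banking and broker packages is exactly the profiling pattern the article describes.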
I don't buy this. Google has this information on their backend, they don't need to query any local state. Indeed, when I visit a play.google.com URL, google checks if my browser is logged in or not. If it is not, the default is "Install" no matter what. If I do have a session, then it's either "Install" if I don't have it installed, or "Install on more devices" if I do have it installed.
this doesn’t make sense and sounds like an excuse IMO.
Instead of the browser enumerating all apps, why can’t it check when you visit a page if the current page (ONLY the current page) is installed as an app?
A minor UX difference doesn't really feel like a great case for reducing user privacy, it makes me a little concerned about priorities... which I already was, really.
These kinds of links open the Play Store app directly, and the information is displayed there.
Indeed, some of these apps really ask for a more expansive set of permissions than they need.
Obsidian, for example, asks for permission to the entire filesystem, while it really needs to access only the files which the user needs it to see.
File managers need full access as you can use that ability to extract and inspect the code of any apps installed on the system. It is a very useful feature and I would hate for it to be removed.
Perhaps it's checking which apps can handle links?
That is managed by the system. Settings > Apps > Default apps > Opening links
> everyone knows all the apps on your phone
On Android phones. iPhone doesn’t have this privacy deficiency.
Actually you can via private APIs, which Apple apps use all the time but forbid other apps to use.
https://blog.verichains.io/p/technical-analysis-improper-use...
On iOS it's kinda worse in some ways. If you enroll into a company MDM they can see all your apps.
On Android if they use the work profile (which is the standard method these days) they can only see the apps inside there.
Apple introduced account-driven enrollments in 2021[1], which behave similarly to Android's work profile. Managed apps/data are kept in their own APFS volume, and MDM servers don't have access to anything outside of it. They also disallow system-wide commands like wipe device. The only caveat is you need managed Apple IDs[2] to use this enrollment flow, and I doubt many companies have set it up.
Regardless, MDM installed app visibility is limited to those users who opt-in to an organization managing their personal device, and isn't an effective way to broadly gather what apps a given person has installed. What's described in this post would work on any user/device, and there's no way to deny/opt-out of specific permissions.
[1] https://developer.apple.com/videos/play/wwdc2021/10136/
[2] https://support.apple.com/guide/apple-business-manager/use-m...
I would have to strongly recommend nobody enroll a personal device in a company MDM. If the company needs you to have mobile connectivity that badly, they can give you a device.
I mean... isn’t that expected of an MDM? I have always assumed that any company device (i.e. any device enrolled in an MDM) is under 100% control and surveillance of that company. Being able to see my installed apps is the least of my worries.
Get a separate device for work?
iPhones are less of a privacy nightmare.
One of the biggest incentives for creating apps is to scrape all kinds of data from the users. Look at how many apps require permission to see your contacts. And how many actually need your contacts to function. That's why I'm still a bit surprised that many seem to be surprised by findings like this one here.
I wish there was an option for "give bogus contacts" which showed the app a list of contacts, but it was all randomly generated junk. Make it so the app can't tell if the contacts it gets are real or fake.
I read a fiction book years ago where there were cameras everywhere. To get privacy, instead of hiding their identities the protagonist paid companies to insert bogus information into the information brokers’ network. So if they tried to figure out where they were on a certain day, 20 records would match. I think this is a much more likely vision of the future.
> Look at how many apps require permission to see your contacts. And how many actually need your contacts to function.
That is, again, not "require" but "ask for" on iPhone. I have zero non-functioning apps on my iPhone due to denied access to contacts. Even a Chinese Bluetooth light controller doesn't dare (while refusing to work on Android for the same reason).
You can hate apple/iphone ecosystem all you want, but let's not sneak false claims into how they actually work.
> Look at how many apps require permission to see your contacts.
It is so annoying that it’s either "give access to ALL my contacts and ALL their information (yes, even the notes I took on their favorite things for next Christmas)" or "don’t give access". I wish we could limit the number of contacts and the level of information we give.
This was somewhat mitigated on iOS a few years ago.
You could try to communicate with an app via its custom URI scheme, and if it succeeded, it would know you have the app installed. Twitter used this for fingerprinting.
An app has to get a special intent and has to list the apps it wants to use it for.
Speaking of iPhone, I'm curious about something. On occasion, I log into the [former] bird app using the web app because it's enough to check up on some key follows.
Recently, they released a major update to their LLM feature and I installed the app to check it out. While I had the app installed, every time I checked the mobile website there was a large banner directing me to go to the app. Ad blockers and distraction blockers would not get rid of it. When I deleted the app again, it was gone. What gives? Why does the mobile website know whether I have the app installed? How come content+distraction blockers are enough to block all reminders to use the app when it's not installed, but are irrevocable if I have the app installed?
Apple calls these Smart App Banners. Webkit cooperates with iOS to present them according to a meta tag in the page:
https://developer.apple.com/documentation/webkit/promoting-a...
You can get rid of them with the Unsmartifier extension.
https://old.reddit.com/r/apple/comments/q55753/unsmartifier_...
The StopTheMadness extension can also remove them (among many other things... this extension is a must have for me):
https://underpassapp.com/StopTheMadness/support-ios.html
> Why does the mobile website know whether I have the app installed?
To clarify - the mobile website doesn't. It has meta tags that tell Safari what app it's tied to, and Safari displays the associated app banner.
They did, long ago. I remember when it was shut down after someone made the problem public, like this.
I’m amazed Android still allowed this in 2022.
Right, only Apple knows, but it’s ok, they’re the good guys
Definitely not "good", but I have yet to see anything remotely resembling the complete disregard for privacy and security typical of the adtech-driven Android ecosystem.
Just a different business model, not a display of moral values.
Sure, Pegasus exists but I don’t think it is commodified yet.
Ignoring the sarcasm...
What evidence is there/can you present that Apple is making use of this information in a negative way?
How can Apple not have a list of installed apps on your phone while maintaining basic functionality (automatic updates, reinstalling apps from backup, etc)?
Sort of. They have a list of apps you've bought/installed through app store, and they can figure out what you've deleted based on what your phone is pinging for update checks on.
If they went beyond that, or disclosed that knowledge, or allowed an app to get that manifest without your permission, it would destroy their brand image built around privacy, in a way that would cause long-term irreparable damage.
They decided to not comply with laws compelling them to add back doors to optional encryption on iCloud storage, rather than tarnish that image, because they know how valuable that trust is.
You can dump on Apple all you want, but compared to Google who plead with people to use their browser and phones to improve adtech surveillance they can monetize, I think they're doing OK and are a lot more trustworthy.
> they're the good guys
In a relative way, they definitely are.
It's a clickbait title that needs to be changed to stop spreading misinformation.
Apple is the worst product for privacy. The entire ecosystem is closed source. You know nothing about what Apple is doing.
Are you sure? I know someone in adtech and I'm pretty sure Apple allows a similar app manifest that allows you to check for specific apps. I could be wrong.
Not sure about the manifest but recently I've seen talk about some banking apps using SBSLaunchApplicationWithIdentifierAndURLAndLaunchOptions (undocumented function in SpringBoardServices) [0] to try to launch another app on the phone by the bundle id, and they can determine if it's installed or not.
They were using this trick to detect unauthorized apps on the phone.
https://blog.verichains.io/p/technical-analysis-improper-use...
[0] - https://gist.github.com/wh1te4ever/c7909dcb5b66c13a217b49ea3...
> I know someone in adtech and I'm pretty sure Apple allows a similar app manifest that allows you to check for specific apps. I could be wrong.
On iOS an app developer will need to register in advance which external applications their app intends to query, and the list needs to be very short and motivated. [1]
Incidentally, “I have a friend who says...” isn’t really a good citation anywhere outside Reddit - which HN resembles more and more each day.
[1] https://www.hackingwithswift.com/example-code/system/how-to-...
It requires root, but you can block/spoof this with an LSPosed[1] module such as XPrivacyLua[2]. I hear there's also the closed-source AppOps[3], but I've never used it.
[1]: https://lsposed.org [2]: https://github.com/M66B/XPrivacyLua / https://github.com/0bbedCode/XPL-EX [3]: https://appops.rikka.app
I'd not heard of XPrivacyLua, which is by the same author as the excellent NetGuard[0], which I've been using for years.
Interestingly XPrivacyLua is not supported anymore and the pro companion app will be removed from the Play store by Google because it uses the permission QUERY_ALL_PACKAGES.[1]
[0]: https://github.com/M66B/NetGuard [1]: https://xdaforums.com/t/closed-app-xposed-6-0-xprivacylua-an...
Indeed, it is a shame. However, XPL-EX is a fork (though with much internal code (re)written at this point) with even more capability, while maintaining the familiar and simple UI. Seems pretty neat!
Can windows apps (not installed from the MS store) enumerate through the window titles of all open windows? How hard would it be for an app to monitor all of your web traffic based on the title alone?
Legit question. ChatGPT isn't super helpful here since it agrees with everything when I'm really looking for someone to say why this isn't really feasible in the real world.
Long-time Win32 programmer here - yes. This is by design. To use an analogy, Windows is like a "high-trust society".
There are functions EnumWindows() and EnumChildWindows() specifically for this purpose.
See utilities "Windows Modifier v2.00" (when I first downloaded it there were many pages about it, but it's a sign of how forgetful the Internet has become that I barely get any results about it now even searching for that exact name) and Microsoft's own Spy++ (SPYXX.EXE) for an example of this functionality.
The solution to an app you don't trust is to not use it at all, or use it in a VM.
How do you identify apps that you shouldn't trust? Sometimes trust is assumed only until evidence is given that trust shouldn't be given. Which makes no sense to me. Why was the initial trust so easily given?
A solution is to not use third party apps but most people aren't going to go that route. The VM idea is a good option though.
Not only can most apps see the titles of all other open windows on the system, but they can log all your keystrokes, take screenshots, record audio/video of you or your screen, or copy/delete all the files in your home directory, without any explicit permission or notification.
This is at least true for Windows and most traditional (X11 at least) *nix systems.
That is one thing I think Android got right... by default it runs every application as a different user. That means different home folders and no visibility into other apps.
Originally Android apps could draw over top of any other app though which is a phishing nightmare. It took them a long time to make that a permission, and then everyone granted it until they finally added the bubbles API recently.
Permissions are difficult to get right, and Android is unfortunately pretty slow to react.
On windows you shouldn't be able to do (most of) these directly with apps running under admin, though that's a small consolation when the browser is a normal process.
I'm not sure if we'll get away from these anytime soon as any out of the box solution will inherently limit the user's freedom that has persistently been there for decades on PCs
> How hard would it be for an app to monitor all of your web traffic based on the title alone?
Although not terribly accurate (because of the high variability of page titles), tools like ManicTime and ActivityWatch use window titles to track your browser history if you don't install the browser plugin.
https://www.manictime.com/
https://activitywatch.net/
Windows has a whole different (looser, older) security model. There are no security barriers between windows running on the same desktop. (In particular, "UAC is [still] not a security barrier"--when you hit ok/type in a password to elevate a process, you’re effectively elevating the whole desktop and everything you're running.)
No, that is completely wrong and would be nuts. The only way the whole session gets elevated is if you'd launch explorer.exe with an admin token.
The way privilege escalation works on Windows is that pretty much everything gets launched with a standard user access token by default, and processes can request an admin access token in a few ways, UAC being the main one. When a process is supplied that token, that process is elevated.
It is more akin to 'sudo' rather than 'su', which makes sense because its progenitor is 'runas' from Windows 2000.
Can you inject into an elevated process from a non-elevated one?
Oh yeah, AutoHotKey's ability to do this actually underlies a lot of useful AHK scripts.
Right; I think having the API exist is a good thing, it's just a question of making sure that it's only used in ways that the user allows. Your own scripts inspecting and controlling arbitrary windows on your own machine => great, third party programs doing the same thing without your informed consent => bad. (In practice, this means I'm a big fan of extensive permission systems that have the ability to deny or fake responses at the user's direction)
Most windows apps aren't sandboxed, so them being able to grab window titles is the least of your worries. Any program can steal your login sessions and passwords if they wanted to.
https://xkcd.com/1200/
Are you essentially discussing like a keylogger? I can't imagine windows intentionally keeps the plaintext password anywhere longer than it needs to be.
Yep, not difficult at all.
This prompt got me some mostly OK-looking Python:
> Can you make a simple windows program that will get all the window titles from active programs running
Definitely possible. This is how chat bots worked on AOL in the 90’s, basically the FindWindow and FindWindowEx functions in the win32 API. Hasn’t changed much (if any) since then.
In Windows there is an API for window titles; I know because I was building an app that needed it.
>For extremely specific use cases such as file managers, browsers or antivirus apps, Google grants an exception by allowing QUERY_ALL_PACKAGES permission, which provides full visibility into installed apps.
'Extreme' my a*. My bank app has this permission, as well as my camera app, contacts app, clock app, Google Home, and on and on. My bank app was moved to an old iPad because of this.
yea I used to work for an advertising network and every game that implemented the Android SDK ended up with this permission, it was a way that we used to not show ads for games that the user already had on their phone
"the one that blue tick twitter accounts living in certain pin codes of Bengaluru passionately discuss amongst themselves for a week every year"
To someone embarrassingly unfamiliar with Indian culture, what does it mean?
I want to expand on this more as someone more familiar with Bangalore/Bengaluru.
Almost like clockwork, Blume Ventures releases a report every year about the state of the Indian startup ecosystem that year, and since Bengaluru startups are almost all concentrated around Koramangala or HSR layout (these are places inside Bengaluru with their own PIN/address codes), you'll find a lot of people talking about that online.
^ This.
You can read the reports at https://blume.vc/reports/indus-valley-annual-report-2025 or archives at https://www.indusvalleyreport.com/ .
The ppt in the blog is from the 2024 report - https://docsend.com/view/zqgfupfzyud499hn. The India 1-2-3 framework is old though. IIRC it was coined by a retail sector founder (Kishore Biyani) in the 2000s.
Also Koramangala, HSR layout are also the more affluent localities in Bengaluru.
Thanks a lot. That makes total sense!
Would it be analogous to Silicon Valley in America?
Bengaluru/Bangalore has hotspots (PIN codes are postal address codes) where there are lots of startups, mostly in ecommerce, ad-tech, online education etc. and they have incentive to upsell you a lot.
I guess it's referring to some wannabe influencer buying Twitter (X) Premium and posting based on half-baked info about customers.
Mostly sarcasm, so take with a grain of salt. I can't tell about accuracy, but explaining the cultural context here.
Thanks, this is helpful. Is the certain week referring to a specific festival?
The PowerPoint he talks about is displayed on the line below it.
I know but that does not clarify the connection between blue tick, certain pin codes and a certain week in the slightest.
Sure, these are probably all hints to affluent members of society but I was hoping for a more detailed explanation.
Exodus Privacy will let you know about this kind of Android apps you should avoid installing https://exodus-privacy.eu.org/
Swiggy is actually a small player in terms of permissions requested, with 'only' 47. Compare it to Weibo with 104, WeChat with 93, Facebook with 85, Snapchat with 71 (granted those apps may offer additional services that require some additional permissions, but they are definitely not worth giving them all your data...).
I don't know if it is just me but I run every class of app in isolated "islands" (like work profiles) on Android. Browsers, banking apps, social media, instant messaging, tools, etc. Almost everything is isolated from another non related group.
How?
Just wow. I assumed that Google patched this a few years back, but I guess they left a few backdoors.
It's probably more an oversight than a "backdoor". They already have a "frontdoor" in the form of a permission that's pre-granted to them by the OS, so there's little need for them to devise backdoors like the android.intent.action.MAIN query that the blog post mentions.
I just don't trust Google anymore. They are not the same as they were years ago and have just declined in general.
Play Store Review and everything takes weeks sometimes and I can't tolerate that.
I would pretty much assume that any Android phone is a massive privacy leak and security risk. I’d hope that an iPhone is better, but I’d be wrong.
Privacy issues aside, it's kinda cool reading about how Indians use their phones, and also how they use English. I'd never heard "beyond the pale" before, and I'm still not sure what the idea of "multiple Indias" means when some of them are Mexico and some are Africa...?
I've also never heard of the majority of the apps being analyzed or tracked. Must be such a different world out there.
Beyond the pale is commonly used in English. A pale is a stake, and it means beyond the boundary (set out by a fence with stakes, hence the phrase) of what is acceptable. It gained popularity in the mid 19th century. It may be related to the term "the Pale" which referred to the better controlled, more Anglicised part of Ireland around Dublin, but there isn't enough evidence to be sure of this. Certainly not an Indianism anyway.
>I'm still not sure what the idea of "multiple Indias" means when some of them are Mexico and some are Africa...?
Is it not pretty obvious? It is like the phrase "middle America". It doesn't literally mean a different country. It means different wealth categories: the Indians that when considered as a whole are economically equivalent roughly to Mexico, those roughly equivalent to Indonesia (poorer) and those roughly equivalent to Sub-Saharan Africa (poorest). There are ~1b Indians that are still so poor they aren't realistically in the market for your startup app if it wants its customers to ever spend anything, there are ~300m Indians that could be in the market for some apps, but probably mostly free ad-funded ones, and there are ~150m Indians that are quite a good market because they will happily spend money on something that provides value.
I got all this just from reading the post btw.
Makes sense, thanks! I love reading about how other cultures do software.
From the context, what I gather was meant by the idea of "multiple Indias" was the socioeconomic status of different demographics in India and their app usage. The presence of specific apps gives a tell to which demographic they belong to.
In other words, the richest demographic used certain apps and was equated to folks in Mexico, followed by the less rich equated to folks in Indonesia and the poor to Sub-Saharan Africa.
It's the average cooldude marketing of self-proclaimed "India 1", denigrating their own people and can't think outside of labeling others as something else.
These people are extremely snobbish in person when you go past their sweet talks, who don't understand much about people. I hated the "real" interactions and went back to being an IC in big tech.
Part of it is because they don't understand them, part of it is because they "understand" via someone else who told them stuff (like a redditor assuming everything on r/india is true), part of it is their own contempt of culture due to previous reasons ("ah these people are beyond any repair!"). Basically, ignorance in elites.
In some former colonies, the dialect can be a snapshot of the language back in colonial time. Happens to names as well as expressions.
I learned this watching a stand-up routine by Malaysian comic Nigel Ng. He was explaining his first name.
> It's worth acknowledging that there are some legitimate reasons for an app to check which other apps are installed on your phone. For example, an app might check which UPI apps are installed to show relevant payment options.
Nope! Nope, nope, nope. If you're wondering how we got into this situation.. well, it's exactly stuff like this. Weird to see someone who's digging into it at all also making excuses for it.
No one ever said "I want to avoid a single extra click once every other month, so I guess I better irrevocably open my data/phone/life up completely to megacorp forever". And they certainly did not say this about tinycorp. People just absolutely suck at adversarial thinking, and good guys need to do it for them before bad guys can. Do you want organized crime blackmailing your politicians about dating apps and infidelity? Do you want to make it easy to do large scale targeting of ${vulnerable_people} the next time the cultural or political climate shifts?
Come on. Anyway shouldn't the phone OS itself handle this rather than apps launching apps?? If not.. just let people pick a payment option, and then throw an error if the option is not available.
> "I want to avoid a single extra click once every other month, so I guess I better irrevocably open my data/phone/life up completely to megacorp forever"
Nah, it's super annoying when I click on a link and don't get redirected to the native app. This happens way more than once a month. Web experiences are much worse for many things.
Cool but the attitude of “bring on the dystopian future as long as it’s more convenient for some people some of the time” is still confusing to me. Do you imagine that leaked information like this has never gotten someone killed before, and never will in the future?
Good, because this is what Intents are for. No app needs to know all your installed apps to launch them with a link.
Yes, the phone can handle the UPI intent.
What actually needs to be done is to remove the "default" feature and ask every time.
For finer control (get ₹X off on using Y app), apps can make their own intent.
Anyone know if GrapheneOS has protection against this?
It doesn't afaik. Only indirectly through multiple profiles
I was kind of surprised
https://discuss.grapheneos.org/d/13302-query-all-packages-pe...
https://discuss.grapheneos.org/d/7800-how-to-mitigate-identi...
Later
For the wider audience: though don't take this as GrapheneOS doesn't care about privacy. I'm sure there are reasons (I didn't read all of the linked threads) and it gives you plenty of other protections and tools - eg profiles, ability to disable all network access by app etc
A rationale from the core developer [1]:
> I'm sure there are plenty of system APIs providing this information too, and I don't just mean APIs designed to directly provide the information.
> It's not useful to prevent directly getting a list of installed applications without preventing detecting which applications are installed, so this specific feature request has to be rejected. It would have to be part of a larger, much more comprehensive feature preventing apps from finding other apps. That implies outright preventing communication with non-system components which is a much different approach to applications and rules out a lot of things. [...]
> The request should be for preventing apps from discovering which apps are installed, since anything less than that has no privacy / security value. There's no point in disallowing access to a list while not preventing discovering which apps are installed anyway.
The open issue to restrict app visibility is [2].
[1] https://github.com/GrapheneOS/os-issue-tracker/issues/149#issuecomment-553590002 [2] https://github.com/GrapheneOS/os-issue-tracker/issues/2197
Not yet but it's on the road map. https://github.com/GrapheneOS/os-issue-tracker/issues/2197
Can you see in the Play store before installing an app exactly which other apps it's allowed to talk to? Can you see it on your phone and override?
No, not in any straightforward way, although you can theoretically:
1. download the APK from a mirror site
2. disassemble it to get the android manifest
3. inspect the android manifest to check for the things the blog post discusses
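The three steps above end at "inspect the manifest", and a later question asks how one would read those manifests for many apps at once. As an added example (not code from the post or from any project it mentions), here is a small Python audit that does the inspection step: it assumes the APK's binary AndroidManifest.xml has already been decoded to plain XML by a decompiler such as apktool, takes that XML as a string, and reports what widens package visibility: the QUERY_ALL_PACKAGES permission, `<package>` entries under `<queries>`, and `<intent>` entries under `<queries>` that name `android.intent.action.MAIN` (the loophole discussed in the post, since almost every app has a MAIN/LAUNCHER activity). The three manifests and all package names are constructed for the example, not real apps.

```python
"""Audit a decoded AndroidManifest.xml for package-visibility declarations.

Added example, not code from the post or any project it mentions. Assumes the
manifest was already decoded from binary XML to plain XML (e.g. with apktool).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
QUERY_ALL_PACKAGES = "android.permission.QUERY_ALL_PACKAGES"
ACTION_MAIN = "android.intent.action.MAIN"

# Constructed sample manifests; package names are placeholders, not real apps.
TARGETED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <queries>
    <package android:name="com.example.upiwallet"/>
    <package android:name="com.example.otherwallet"/>
  </queries>
  <application android:label="Shop"/>
</manifest>"""

LOOPHOLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.delivery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <queries>
    <package android:name="com.example.upiwallet"/>
    <intent>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/>
    </intent>
  </queries>
  <application android:label="Delivery"/>
</manifest>"""

FULL_VISIBILITY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.filemanager">
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="Files"/>
</manifest>"""


def _name(element):
    """Return the android:name attribute of an element (None if absent)."""
    return element.get(f"{{{ANDROID_NS}}}name")


def audit_manifest(xml_text):
    """Collect every declaration that widens what the app can see of other packages."""
    root = ET.fromstring(xml_text)
    report = {
        "package": root.get("package"),
        "query_all_packages": False,
        "queried_packages": [],   # explicit <package> entries under <queries>
        "queried_actions": [],    # actions of <intent> entries under <queries>
    }
    for perm in root.findall("uses-permission"):
        if _name(perm) == QUERY_ALL_PACKAGES:
            report["query_all_packages"] = True
    for queries in root.findall("queries"):
        report["queried_packages"] += [_name(p) for p in queries.findall("package")]
        for intent in queries.findall("intent"):
            report["queried_actions"] += [_name(a) for a in intent.findall("action")]
    return report


def classify(report):
    """Map the declarations to how much of the installed-app list the app can see."""
    if report["query_all_packages"]:
        return "full"       # sees every installed package
    if ACTION_MAIN in report["queried_actions"]:
        return "broad"      # matches every app with a launcher activity
    if report["queried_packages"] or report["queried_actions"]:
        return "targeted"   # limited to the packages/intents explicitly listed
    return "none"


if __name__ == "__main__":
    for text in (TARGETED_MANIFEST, LOOPHOLE_MANIFEST, FULL_VISIBILITY_MANIFEST):
        r = audit_manifest(text)
        print(f"{r['package']}: visibility={classify(r)} "
              f"packages={r['queried_packages']} actions={r['queried_actions']}")
```

Run over a directory of decoded manifests, `classify` gives the "full"/"broad"/"targeted"/"none" labels a listing site could publish per app; "targeted" with a handful of `<package>` entries is the shape a UPI-options check needs, while "broad" is the MAIN-intent trick.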
It's a known fact in the rooting community because some banking apps search for root-only apps!
If you root (I advise against doing that) and have LSPosed installed, you can hide apps from being seen by every other app with Hide My Applist (HMA) [1] or HMAL (which I like more because it is more minimalistic) [2]
[1] https://github.com/Dr-TSNG/Hide-My-Applist
[2] https://github.com/pumPCin/HMAL
The title should read: "Everyone knows all the apps on your Android phone"
This is to be expected though, a phone platform isn't exactly Tor Browser. The big API as with any platform will have plenty of ways to fingerprint people even without this one example, unless the developers went far out of their way from the beginning to build prevention in. Much like how on UNIX you can see what processes everyone is running and their command lines.
Very simple:
Big companies like Swiggy and Zepto will mine the F out of your data. Some of it is for their benefit but some of it they could sell in the future. These so called founders are really just another wolf of app street looking to pump and dump. So when they do dump, or when some VC comes with money, they don’t just sell their app they sell it as a whole package of data and analytics that some company can use to sell their product or something VC can leverage to sell their stock to someone else. It’s not that difficult.
As far as smaller apps go these apps outsource their development to people who come with ‘packages’ to develop and maintain their app. These packages are the same logic as above but it’s just that they come from some template so you might be asked for location permission or camera or microphone by some really random app that has nothing to do with it.
While the quality of iOS is degrading, some of these things are really important and simply work better on iOS.
>Please remember the next time you casually install an app on your Android device, this information is being broadcast to the whole world. Data brokers will use it to profile you, cross-reference it with data about you from other ad networks and eventually it will be used to decide how much you’ll be asked to pay the next time you order a samosa.
Who are those data brokers? Are they publicly known? Do they have an API where a business sends a customer ID, mail or something and gets a spending profile that helps adjust the price for a particular customer?
I know this sounds evil. But haven't banks and insurance companies collaborated to profile their customers for decades? Is that not similarly evil?
> I don’t even know where to begin unpacking this madness. How is knowing whether I have the Xbox or the Playstation app installed on my phone essential to their Swiggy's core functionality?
Probably has to do with feeding adtech's hunger for personal information, or fingerprinting maybe (not sure if that's a thing in the context of phone apps).
If they just audited apps and banned companies from the app store for abuse it would do a lot to curb this behavior. This is feasible, there just aren't THAT many popular apps at any given time.
They could start by at least closing the MAIN intent filter loophole.
Everyone knows all the apps on your Android phone
How do you download apps from the Android app store and read their manifest files?
Does this mean one could make a website that lists all those manifest file, so the users could decide against using apps that use this loophole?
Yes, it's called alternative app stores and there's quite a few of them around.
Hmm.. how do the apps from the Android app store get into the alternative app stores? And how do you know they are the same app and not altered?
You can get APKs for each installed app
Android is so broken, each app query should be explicitly approved by user, instead of by reviewer like this.
It's true, our phones are like little windows into our lives. The apps we have reflect our habits and interests.
Thank you Google's "top talent" Android devs for this permission system full of loopholes.
If Google truly cared about privacy, each app would run in its own strict jail, and permissions would be faked by default. Also, easy malware by Israel or anyone else would not be a thing. As it stands, apps know everything I am doing, and I get targeted spam email rather immediately.
> If Google truly cared about privacy
Have they even been pretending on this front?
They put in a lot of work to make it seem like they do believe it or not, I'm not sure how well it is working out for them though.
> apps know everything I am doing
I think I call bullshit on this.
But I agree that they could do way more and that they don't seem to care.
Perhaps crazy question: is it a good idea to have two phones now? One for making calls only, with as many apps as possible removed. And another phone for email, web surfing, photos, etc...?
edit: Oops, I left out texting. Which phone for that?
If you don't need ANY apps on your main number, good dual-Sim feature phone (but be extremely picky, some are utter trash).
Then for all the smart stuff, Pixel 6 with GrapheneOS. You can confine various "classes" of apps to dedicated profiles, so they'll never know of each other, and you get vastly improved security (multiple releases a month) and significantly improved privacy.
Excellent, thank you.
phones had/some still have user profile/account option so you can do this on a single phone
Why is that feature removed by companies? It still exists in vanilla Android, but for some reason the phones sold don't have it.
You still make calls with your phone?
Of course, amazingly that's one of its best features, enabling you to actually speak to a real person. (It's a type of personal connection that fleshy robots have, for some reason, derided.)
But I digress, excusing your bad form of answering a question with a question, I am interested in your opinion of the possible conundrum of the two phone idea.
Just curious, why was this targeted specifically at Indian apps?
The author is probably Indian based upon the blog's subtitle of "tales from indian web rabbit holes."
The tag line for the blog is "tales from indian web rabbit holes."
Because the substack's author focuses on Indian web. From their description: "tales from indian web rabbit holes."
Another fantastic reason to strictly only install apps from F-Droid.
How does that address the problem? Does F-Droid do some sort of additional screening to keep out apps that do this?
First, F-Droid only accepts OSS apps, so the incentives for spyware are simply not there. Second, anti-features are explicitly marked on F-Droid. Third, F-Droid apps are curated like a very rigorous Linux repo.
packages on f-droid list all required permissions explicitly, and the mentioned permission seems to be listed as "query all packages: Allows an app to see all installed packages.". It doesn't mark the app as having "anti-features", but you can at least make a more informed decision this way.
My daily driver has minimal apps, most from F-Droid. An old iPad on my IOT network has any other apps needed.
If I have Uber, but multiple competing apps on my phone and I grant Uber permissions to see that, will I get cheaper rides?
Well, things are particularly more complicated in my case: I don't use Google services and only install apps from F-Droid.
You don't have to sacrifice your privacy to use Android. GrapheneOS is a tremendous alternative, and even if you still need some Play Store applications, you can install a GMS compatibility layer and Play Store in either a secondary profile (recommended) or your main profile (not recommended) without granting Google unfettered control over your entire operating system. This compatibility layer offers a better reduction in attack surface and stronger hardening than microG.
Alternatively, you can continue with the standard setup, accepting that you’re willingly providing companies with an unprecedented level of access to your personal data. It’s puzzling that many seem more concerned about breaking a familiar routine than about the risks associated with sharing every detail of their lives with companies that, in turn, share that data with one (or more) hostile government(s).
There is certainly a lot of justified concern about government overreach and abuse of power on HN. It remains difficult to understand why many with these warranted concerns do nothing to adopt a more coherent and rational approach — such as merely attempting to protect their personal data by not deliberately and voluntarily feeding it entirely to companies that are secretly coordinating with the very same hostile governments these people claim to seriously fear and detest.
The problem is GrapheneOS is Pixel only. They are prohibitively expensive, especially in India where the mobile market is very crowded and you get Snapdragon 8s gen 3 for ₹25k.
Nice analysis. Google should take notice. Do worldwide used apps do this too?
From the article - Facebook, Instagram, Snapchat, Subway Surfers, and Truecaller use this too
If nothing is done why not require competing apps be uninstalled?
My solution to this is to use the apps that come with my phone and avoid relying on anything else. Problem solved. I use signal, uber, MyChart (for my doctor), and some apps for banking but that is about it.
This is equal parts fascinating and horrifying
IME, Apps usually represent an overly generous amount of contempt for the people who use them.
At best, it's a designer's hubris (mixed with contempt) like, "You want to select some text out of your SMS message? I've decided. NOPE."
But mostly we're treated with contempt simply because we're an annoyance that is obstructing the goal of serving the actual customer (advertiser) who is paying for the work.
App Stores are no mystery. They are a funnel for rent-seekers and adtech info brokers.
If you think they are intended to benefit you in any way at all, you are badly mistaken.
I used QUERY_ALL_PACKAGES among other things for my app Limit Buddy (https://www.limitbuddy.com). It would be impossible to make the app without it. But for more normal use cases there's no reason to have it.
Apple has a much more robust solution privacy wise with their ScreenTime API but it makes an app like Limit Buddy much harder to build.
...On Android. I'm sure I don't have that problem on my Ubuntu Touch phone (if only because there are hardly any apps for it).
Interesting, how does Ubuntu Touch sandbox apps? Does it have one-time permissions (like Android)?
I actually don't know, I was just making a joke about the dearth of applications on UT. I'd expect it to have Snap-type sandboxing, but the Security and Privacy section of the settings app doesn't tell me much.
android* phone
iPhone users reading this like…. I love my iPhone.
If the article explained why iPhone was worse than Android at something they'd be like "whatever, I love my iPhone" so I don't see how that statement adds any new information.
I read some hours ago a comment to the effect of "whatever, I don't expect Apple to be good with AI so it's okay for Siri to suck since forever, I still love my iPhone"... I can't help but be amused at a comment defending a 3 trillion USD company's technical incompetence.
I’m not sure that’s true. I wish there was a foldable version of the iPhone.
I just think better privacy and security controls and stricter app guidelines are a reason people choose the iPhone over Android, so this really isn’t a surprise to people that have been paying attention. It’s the tradeoff we make for the walled garden approach, but I think it makes sense for a smart phone and less so for a general purpose computer.
TLDR, want privacy, don't use Google products.
Is this an LLM generated comment, but in the style of a different website? I’d suggest tweaking the prompt.
the cheap models love hashtags
android lmao
Some apps like Obsidian need permission to access every file on the device. It is surprising Obsidian isn't getting called out on that very much.
It's because it stores the files there so you can sync them with other permissions. And also so that your notes aren't deleted like they would be if they were stored in the internal app storage. There are more granular options for filesystem access available, but if you implement them you limit yourself to the latest Android releases.
According to Exodus it has no trackers, and it's an open source app also, so you can see what it does (though tbh I didn't check that for the mobile one).
If there's apps to call out there's way worse than Obsidian.
Obsidian isn't open source by most reports.
Surely Obsidian does not need to see all files on the device; it only really needs to see the files the user needs it to see.
If I'm not mistaken this is because without this permission they can only see audio, video and image files. You wouldn't be able to use it comfortably to do its job.
Personally I use it with Storage Scopes on GrapheneOS.
I use Storage Scopes on my GrapheneOS Android phone, works great. You can decide exactly which files or folders an app gets to access.