Comment by SoftTalker
7 hours ago
Looks like what you might expect in a standard marketing app from a consultancy. They probably hired someone to develop it, that shop used their standard app architecure which includes location tracking code and the other stuff.
The location tracking code is within the OneSignal SDK - which is just a standard messaging platform for sending emails/push messages to users. It doesn't have some magical permissions bypass, the app itself has to request it.
And r8 which does tree shaking to remove dead code is not smart enough to understand react native so it won't strip it out without extra work from the developer.
Cross referencing these different things in the article to other apps that exist was my first thought as these seem pretty generic and probably reused from somewhere else.
The Polish covid quarantine app was famously adapted from some app for store inspectors or something, as it already implemented most of the required functionalities, like asking for photos via push at random times, sending them along with a location etc.
They likely did a search-and-replace on the brand name, so you had strings like 'your invoices from Home Quarantine inc' in the code.
Not a bad thing per se, getting the app out the door asap was definitely a priority in that project for understandable reasons, but funny nonetheless.