Expected, but just leads to reinforcing the idea that PWAs won’t ever be as good when every one people try from someone with a popular app is so awful.
Recently I've set up Firefox on Android so that it always runs in desktop mode. I needed to also change the screen width in about:config, because otherwise everything is too small. But after this, websites seem to work better.
Quite likely the site has a mobile "mode" and a small-screen mode (for desktop), each made by different teams. Some mobile-mode websites are fine, but others suck. Whereas the small-screen mode for desktop tends to be made by the same team/person as the main site (it's a CSS media query after all), so it's likely to be more coherent.
Apps can’t tell what you do in other unaffiliated apps nearly as easily, at least now that on iOS there is no globally unique identifier that apps can use to track you.
Apps also try to open all links into their own webview, a webview in which they can track all activity.
And that was something that apps on iOS tried to do - see what other apps you were using by opening a url - Apple started restricting that years ago.
FWIW: the website completely errored out on my iPhone until I turned my ad blocker off in Safari.
But I guess apps can run web views that have access to all the same fingerprinting as a standalone browser, minus any ad-blocking plugins (on iOS at least)
For instance, I've installed Mastodon as a PWA and it performs great. Photoprism also works so well I haven't even bothered to look for an app.
There's zero reason the web apps should be so slow.
Uber for example doesn't seem to work from my phone browser.
What surprises me is how many engineers must be involved in this kind of scummy shit and keep it tightly under wraps.
And then their app is just a webview wrapper. But that still gives them more access to your device.
Not long ago Facebook (Meta) was caught spinning up a localhost server on Android devices to gather activities outside of the app.
And if you are concerned with your privacy, it’s nonsensical to buy a phone run by an adtech company that only made the operating system in the first place to sell ads and collect your data.
PWA with permissions granted gives access to: location, create notification, phone state, phone number, IMEI, motion data.
Mobile app with permissions gives access to EVERYTHING a PWA gets PLUS: contacts, SMS, notification content, biometrics data, web browsing data, phone activity history, location history, camera access, microphone access, NFC access, near device history, nearby Wi-Fi listing, saved Wi-Fi networks, Bluetooth device ID, Bluetooth beacons nearby, some device settings, personal data access (photos/music).
And iOS doesn’t allow third party apps to intercept SMS messages.
It was a bit of a longer one, but still far below Instagram's supposed character limit. The fact that they somehow broke copy-paste functionality really baffles me.
It's such a pervasive pattern and somehow always in the direction: the app works better than the website. If there even is a website.
Remember when uber wouldn't work for regulators either?
https://en.wikipedia.org/wiki/Controversies_surrounding_Uber...
Also I don't think these people know how capable PWAs are. There's very little you can't do in a web-app that you can do with a native app.
Can an app uniquely identify me if I don't give it control over my phone number / nearby devices?
Can apps geo-locate me if the location permission has not been granted? (seems like they could just make a network request to their servers and use the IP address of the request for a rough idea).
I _really_ wish using the network was a permission (even if it was an "advanced mode" thing).
[0] https://support.google.com/android/answer/15341885?hl=en
What I want to do is hide my address book and gallery from the app.
It does look like Xposed has successors, but my current approach is to just be selective about installing apps.
But to be honest, other similar dangerous permissions like "view network connections" and "receive data from internet" are also there, categories are for "camera", "microphone" etc.
I suppose that the average user is more concerned about specific features, and since basically almost all apps require internet it may be there to avoid noise. Still, an "internet" category would have been nice...
They could access your Wi-Fi network's BSSID (whose location is often public due to wardriving databases), and in public places, they had partner companies (malls, airports, etc.) whose routers would triangulate your position based on Wi-Fi signal strength and share information like "John is in the food court near McDonald's."
All of this happened without you even needing to connect to their Wi-Fi, because your phone used to broadcast its MAC address if the Wi-Fi was simply on. Now your MAC is randomized, but it took a lot of time for Google / Apple to do this.
No. Especially with the value of data. Many apps just link into some advertising SDK that does anything it can get away with.
And it is unfortunate that people are shamed for being conservative (want a tinfoil hat?).
The API is supposed to let apps do things like "route intranet/corporate app traffic over a VPN, let other traffic go through", but you can just as easily use it to drop traffic destined for certain addresses (such as ad servers), or to drop all traffic for specific apps. It's also possible to make decisions like "let this app connect to the internet on wifi but not on data".
It should be noted that system applications (phone OS, Google, sometimes carrier apps) can bind to specific network interfaces bypassing this API entirely. This means you can't use this API to 100% block internet access to preinstalled apps, even though apps will need to explicitly implement networking code to bypass such firewalls.
It should be noted that Google doesn't really like apps abusing the VPN API like this, in part because of the massive privacy risk. Google cut a bunch of these apps from Google Play, though there's not much they can do about APKs you download from F-Droid or GitHub.
Given it's a "VPN", would it work alongside real VPN?
Even browsers can identify* you, if they really want to.
*Not as cleanly though; it could be tricky for fingerprinting to track one user across different devices/browsers/networks.
Recent discussion on fingerprinting: https://news.ycombinator.com/item?id=46016249
But the general pattern is that you install some stupid vendor crapplet, and the first thing it does, is ask for every permission on your phone. Native apps can access a lot more stuff than ones restricted to a WebView sandbox. That's why they want you to use them.
No thankee.
They can "fingerprint" devices more easily. They have access to all kinds of subsystems, like Bluetooth, NFC, gestures (at low level), etc. Many require the user to give permission, but the first thing the app does is ask for permission. As long as the statement in the request passes Apple muster, the app won't fail review. I seriously doubt that Apple will test after the app has shipped to make sure that they stick to their word.
Some of this can be caught by the App Review process, if they do things like access private APIs, but we keep reading about clever app developers (and there are a lot of really smart crooks out there) that can fool the App Review testers. I read about a dodgy app that detected when it was in review and modified its behavior (à la Volkswagen).
Really, I am not sure if there's a way to ensure the app works the same after review as during. I would probably put a 4-day timer on it, starting the day of submission. After the timer expires, the app starts accessing private APIs via a hand-coded assembly interface. I would hope that Apple has already thought about this (it wouldn't be too difficult to test: just run it on a device with an advanced clock).
Bluetooth
https://developer.mozilla.org/en-US/docs/Web/API/Web_Bluetoo...
Accelerometer
https://developer.mozilla.org/en-US/docs/Web/API/Acceleromet...
So it’s a great conspiracy that apps have permission to do things after you explicitly give it permission?
No one is claiming that the app review process helps protect your privacy. The challenge is to find something a native app can do surreptitiously to track you more than a website without you giving it permission, bypassing OS safeguards.
And on iOS an app can’t access your NFC chip without you giving it permission.
That’s where a “social engineering” approach can be helpful. The permission request can be quite bland, to a non-technical person.
And yes, a native app with the program counter can definitely do stuff a Web site can’t. Run machine code, for instance.
We would hope the app sandbox is good enough to catch it.
“Running machine code” is not a security vulnerability. If your browser isn’t secure all sorts of exploits can happen from a web browser. That’s how a lot of the early iOS jailbreaks worked.
No problem, but we can each do our own thing.
If you are in the US, have a great Thanksgiving holiday. I sincerely hope it’s a warm, loving event.
Everyone commenting here is being hand wavy
I used to write machine code, but I don’t, anymore. I am quite aware of how powerful it is, so I have to assume that the very smart people at Apple -who deal with current-day machine code- have a handle on dealing with it.
I guarantee that hackers do.
When you go to a website, they have always known the originating IP address.
Given the security record of app stores, probably not.
I needed a couple of grocery items and happened to be next to an Amazon Fresh. Cool, let’s try it! Went in, found everything I needed and went to self checkout. When it was time to pay, the machine wouldn’t accept Apple Pay. I ask an employee who helpfully informs me that I can pay with physical cards or my Amazon account.
I didn’t have my physical cards, nor wanted to do my Amazon account so I had to leave empty handed. Why don’t they accept Apple Pay? Because they can’t track you. If you use a physical card, they can likely link that card number to an Amazon account and thus attribute the purchase to a person. If you pay with contactless payment they get a one time token that they can’t tie to anyone.
(It appears that Amazon Fresh has not opened any locations in MA. That's fine with me.)
I once accidentally paid for AppleCare with apple pay (a mistake), so when at some point I switched phones I had to get new secondary card numbers tied to my physical cards. The old secondaries went away when I wiped my old phone, so AppleCare was no longer able to draw the monthly payment. The number in the invoice was likewise not the original physical card number, but some other number.
Whether the secondary numbers are easier or impossible to track is certainly a question, but I believe there's always a number.
https://en.wikipedia.org/wiki/FedNow
These don't require external middle men (like credit card companies) and are therefore almost free. Unfortunately the US is late to the party (in India and some other countries these are already widely used for years), so many banks don't support FedNow yet.
Apple charges for the interchange.
This is the same reason that Walmart doesn’t accept it.
Walmart doesn’t accept Apple Pay because they want you to use their app and think they are big enough not to.
You can pay with credit card swipe/insert.
You cannot pay with credit card tap-to-pay, or mobile device.
Swipe versus tap-to-pay has literally nothing to do with an app. But it's because of the extra charge.
---
It's funny that you know it's more expensive, and yet claim that is unrelated.
There is a reason that there are a lot more places that don’t accept Amex than don’t accept tap to pay. You see this a lot internationally.
Just this year alone, every mom and pop place I went to in Costa Rica, Canada, UK and France accepted Apple Pay but only merchants in the UK widely accepted Amex.
Walmart will have a negotiated deal with Amex.
Costco used to take exclusively Amex. So it is possible.
In any case, it’s not only the transaction cost but also the availability of an alternative. Forcing a different credit card network is different friction than forcing swipe vs tap. (Or using the Walmart app.)
There are plenty of companies that don’t accept Amex, and every Amex user knows that they need to carry a non-Amex card with them. Either that or they have never left the country, which is doubtful for the Amex demographic.
And I have no idea why this is even an argument on a post about companies wanting you to use their app
https://www.cnet.com/personal-finance/credit-cards/why-wont-...
https://www.macrumors.com/2025/01/23/walmart-reiterates-why-...
Obviously if you're not competent or are lazy with whitelisting apps when you need them to use the internet and then disabling it again this will be unhelpful to you; continue to feed the machine.
See ya, jerks.
I know there's various data apps can collect. On iOS at least it seems like you have to grant permission for the app to access most of it. But how on Earth is this supposed to work? How does the app on my phone know if I just got paid?
I think it's also saving me money!
Not sure iOS has anything equivalent
The problem with "apps" isn't the surreptitious attempts to access remote servers for data collection, surveillance and tracking/ads. Websites do more or less the same thing. The problem is that the corporate mobile OS sucks, it's user-hostile and exceedingly difficult to try to control
The advantage of websites is they do not require using a computer running a corporate mobile OS
This behaviour is pretty prevalent worldwide, I believe. Especially the phone plan setup use case happened to me in Bangkok, too. This happens to me in India at gas stations, cafes and even local supermarkets. All want me to install their apps, and the first step is to log in with my mobile number.
With auto-detection of mobile numbers/Google Accounts on Android, it's even easier to create an account in one click.
Any social things I add as a PWA through the browser.
Not interested in any of those fast food or store apps. Never selling ad space (and privacy) on my own device to save $2 on a hamburger and some fries, and even if I did want them, chances are high they wouldn't run on my device anyway (feature not bug) lol
Thankfully in my area, we have some good local places where you can order food just fine over their website. And if it didn't work over the website, I can simply do it the old-fashioned way, pick up the phone and say "I'd like to place an order for XYZ.."
I've resorted to using the online web app.
Regulators sleeping at the wheel on this one.
> but the new trend is surveillance pricing. A company will know that you just got paid and so charge you just a bit more for your chicken nuggets than they do when you haven’t been paid in two weeks.
First of all, no, a company has no idea when you get paid. The reality of lots of apps (like McDonald's) is discount pricing. You pay full price at the store if you're a rich person who can't be bothered with apps. Downloading an app and creating an account is the modern equivalent of cutting out coupons or buy-10-get-one-free cards -- price-conscious consumers will go to the trouble and get cheaper prices. They're just loyalty programs. Price discrimination like this is nothing new, and it lets rich people subsidize the lower costs for people with less money.
These apps run in sandboxes. There's not much to surveil. Obviously don't grant them permissions to see your contacts or track your location all the time. Will the app be able to tie all your purchases to a single identity? Of course. But the stores already do that anyways if you use the same credit card for each purchase.
I don't mind downloading apps for the 5-10 stores/restaurants I go to most. Beyond that, I obviously won't because it's too much of a hassle. But the loyalty discounts I get save me real money. I have no problem with that.
A coupon could still be an image you find online that can be scanned and that’s it. Apps are totally not necessary unless they squeeze something out of the user.
Caring about your privacy and using an OS by an adtech company is kind of orthogonal…
However, people said that you couldn't be de-anonymized, yet Meta/Yandex found a way of linking your app to other apps through localhost. Supposedly, that has "stopped". Which to me just suggests they've found a different method to achieve the same goal. Again, if you think these companies, whose entire existence depends on being able to gain details about you, are not trying any/everything, you are just being naive.
Still waiting on that citation for iOS specifically…
If they are using your IP address to track you, a website can do that just as easily.
So no, the McDonald's app doesn't know when you got paid directly. But it does know that you bought a cheeseburger in the last two weeks of every month, and it knows that your grocery expenses are higher in the first two weeks of every month, and you tend to eat at a restaurant in the first week of every month, and you take fewer Ubers in the last week of every month; it's not hard to conclude that you get paid at the start of the month.
And that's without your banking app selling your info, which it might do. In which case it knows exactly when you get paid, and your probable current bank balance right now when you place your cheeseburger order.
To you and me, the consumer, the value of an app is "the same" as the old loyalty cards. But the value to the company is huge! How often you open the app (how often are you thinking about their food), how often you accept an offer, what the price of the offer is, what card you used to pay, where were you when you opened the app etc etc.
Going to be fun times when in 10 years' time they sell all that information to your health insurance provider for them to go "Holy hell" and jack your insurance prices up 5 times over.
But sure, we got 20c off a burger.
First, let's not miss the forest for the trees. We're engaging in a common "hacker" watering hole. Our opsec skills are very likely not representative of what your average person has, and the point of the article is to educate the average person.
Second, most of those apps require you give your pound of data upfront, or they won't work correctly until you grant permissions.
Next, it's not the same if the establishment I'm buying chicken nuggets from ties down my credit card to my identity or if it does the same plus a ton of extra data that I've been forced to grant.
Also, one of the main concerns from the article is surveillance pricing... So yeah, you sure "saved" a bunch ($100) over the course of 1 year at a restaurant, but overall you're worse off because some data broker managed to have all airlines raise your flight prices by $500 because they learned that you're going to have to attend your best mate's wedding.
And last, but not least, the article mentioned the binding arbitration clause that one blindly signs away when accepting the app's ToS:
> Walking into a restaurant to buy a cheeseburger, there’s no way a company can force you to enter a contractual agreement that includes binding arbitration. Downloading an app, however, requires agreeing to a “Terms of Service,” and those can absolutely include a binding arbitration clause, and that clause can be applied even to cases outside the app. This happened to Jeffrey Piccolo when his wife died of food poisoning in a Disney World. Disney made a motion to dismiss because a couple years back, Jeffrey had signed up for a free trial of Disney+, which included a binding arbitration clause, which meant that if Jeffrey wanted to complain about how Disney murdered his wife, they’d have to settle it out of court with a mediator that Disney hired. No jury, no judge, no oversight. [...]
I have no words to describe how depraved that is.
I can’t think of a single iOS app I’ve installed in over 15 years that forced me to give it unnecessary permissions for it to work
McDonald's doesn't hire them either. But they will pay a bigger share of the arbitration fees than you do.
>they’d have to settle it out of court with a mediator that Disney hired
It would be a mediator hired by JAMS, a neutral 3rd party.
Arbitration between businesses acting in good faith makes perfect sense. Arbitration between an individual customer of a large corporation is nothing but a violation of that individual's basic rights.
You only need to make two changes to make your native app a better choice than your web portal, even for privacy:
1) Make your app open-source, and remove all the tracking.
2) Don't make a web portal. Your website should just be a website that displays information, not 5 MB of JS+WASM with a load of security issues.
I am skeptical, though, of the price discrimination claims. If McDonald's decides that the right price of a Big Mac for me is $1 and for you $4, that creates an arbitrage opportunity. You can pay me $3, and I pocket $2. The result is that I buy more Big Macs, and they bump my price up. You buy less, and they take your price down. Now it just trades at the market rate it was before, but with more steps.
Says who?
>For another, no one would buy them, they’d think it’s a scam.
I think what's needed is a third (fourth?) party as I outlined in a sibling comment
But imagine trying to sort out X number of people who each want a different basket of items from, say, the Walmart app. Each of those items fluctuating daily in price for each customer independently makes arbitrage almost prohibitively difficult to coordinate.
The best case scenario is something like Steam sales, where a wishlist function notifies you when items you've "watched" are on sale. There are third parties like, for example, Deku Deals that track this pricing data across time for console games.
But Amazon is already trying to banish external AI agents from any access to its data. And what does a price history graph even mean if prices are specific to each customer and stochastically varied each day to induce impulse purchases?
They can respond with litigation, as Amazon already is against third-party LLM agents accessing their marketplace. They can respond by banning accounts for violating the terms of service, making examples out of those who profit the most. They can watch the external marketplaces and cancel (undelivered/unfulfilled) sales they believe are linked to arbitrage.
All they need to do is make it inconvenient enough to discourage 80-90% of customers from participating in arbitrage.
They want each customer effectively siloed in an ephemeral, eternal now: whatever the phone screen presents in this moment, and little else. The consumer may have a few scattered memories for context when presented with a potential purchase, but ideally isn't tracking prices or doing much research. The goal is to create those circumstances and (within them) reduce friction spending money as close as possible to zero.
Do that to as many customers as you can. Subvert their software and turn their own computers against them to achieve it. Instill learned helplessness and stimulus-response leading to purchase. Unit price and revenue will sort themselves out once you have a bunch of addled addicts staring at your shiny products in a digital environment you design and control.
That's the game. And that's why these companies will oppose arbitrage with all they can bring to bear, and fight with the brutal jealousy of gangs defending turf.
I feel sorry for their database because I was a teenager with a bunch of guitar pedals and an ongoing need for 9V batteries. I made up a LOT of phone numbers.
“Nope.”
Already pisses me off that companies make a profile of me based on credit card numbers. I’ve had this number for decades. I’m sure you could build a complete profile of me based on my cell number, and this is the only “social” site I use. I got off FB in 2008, never even joined the rest (Twitter, Insta, Reddit, et al.) just because my phone number has been raped out of anyone else who has my name and number in their phone.
If you don’t trust your operating system to follow your instructions when using an app, then why do you trust the same operating system with your browser?
Do you have any evidence to support your conspiracy theory?
These are from the Firefox website
Of course it also knows your device, operating system version, screen resolution, phone orientation, etc.
Not to mention that websites can track you across other websites.
What information do you think apps have without your permissions that websites don’t?
https://developer.mozilla.org/en-US/docs/Web/API/Geolocation...
https://developer.mozilla.org/en-US/docs/Web/API/Acceleromet...
https://developer.mozilla.org/en-US/docs/Web/API/Navigator/g...