[HN Gopher] Don't Download Apps
___________________________________________________________________
Don't Download Apps
Author : speckx
Score : 149 points
Date : 2025-11-26 19:51 UTC (3 hours ago)
(HTM) web link (blog.calebjay.com)
(TXT) w3m dump (blog.calebjay.com)
| jamesbelchamber wrote:
| I've been dutifully following this approach for a little while
| now and it's had the nice side effect of pushing me to smaller
| and more local options.
|
| I think it's also saving me money!
| VerifiedReports wrote:
| Giving your phone number is just as bad. I was buying stuff at
| World Market and they had big signs touting 20% off some
| things... but when you got to the counter they told you you didn't get
| that unless you coughed up your real working mobile number so you
| could receive some BS code.
|
| See ya, jerks.
| xiaomai wrote:
| Native phone apps give me the creeps. I assume the developers
| are able to track me in various ways even without my giving
| permissions. Is that an unfounded fear on my part?
|
| Can an app uniquely identify me if I don't give it control over
| my phone number / nearby devices?
|
| Can apps geo-locate me if the location permission has not been
| granted? (seems like they could just make a network request to
| their servers and use the IP address of the request for a rough
| idea).
|
| I _really_ wish using the network was a permission (even if it
| was an "advanced mode" thing).
| noman-land wrote:
| Simply your IP address can be used to track you so any app or
| website you visit knows roughly where you are with every http
| request unless you use an always on VPN. It can also
| fingerprint you in various ways without the need for any
| special permissions.
| bji9jhff wrote:
| Then the VPN provider does geolocation instead and gets the
| list of hosts you accessed
| xiaomai wrote:
| Agree with you about fingerprinting (also a bummer). I guess
| the difference here though is that I must be actively
| engaging with a website in order for it to be tracking me,
| but an app (I assume) can be tracking me basically whenever
| it wants.
| encom wrote:
| >Is that an unfounded fear on my part?
|
| Given the security record of app stores, probably not.
| disambiguation wrote:
| Netguard solves this, available on the play store and F droid
|
| https://netguard.me/
| Flere-Imsaho wrote:
| Pro tip: use the fdroid version as it allows you to set a
| host file to also filter ads, etc.
|
| https://github.com/M66B/NetGuard/blob/master/ADBLOCKING.md
| lsaferite wrote:
| I love netguard. Some apps refuse to work without network
| access, but most work fine. The lack of ads is great.
| n4bz0r wrote:
| How does it work without root? Any app can just block other
| apps from connecting to the internet?
| jeroenhd wrote:
| An app can use the VPN API to intercept network traffic.
| This is all done with plenty of security popups (one to
| inform you an app is trying to register as a VPN, then
| another popup when it's first activated, and then while it's
| active there's a permanent notification that says "your
| connection may be monitored" with a quick button to kill
| the VPN).
|
| The API is supposed to let apps do things like "route
| intranet/corporate app traffic over a VPN, let other
| traffic go through", but you can just as easily use it to
| drop traffic destined for certain addresses (such as ad
| servers), or to drop all traffic for specific apps. It's
| also possible to make decisions like "let this app connect
| to the internet on wifi but not on data".
|
| It should be noted that system applications (phone OS,
| Google, sometimes carrier apps) can bind to specific
| network interfaces bypassing this API entirely. This means
| you can't use this API to 100% block internet access to
| preinstalled apps, even though apps will need to explicitly
| implement networking code to bypass such firewalls.
|
| It should be noted that Google doesn't really like apps
| abusing the VPN API like this, in past because of the
| massive privacy risk. Google cut a bunch of these apps from
| Google Play, though there's not much they can do about APKs
| you download from F-Droid or github.
| throw4039 wrote:
| Network is a permission on Android, it's just that phone
| manufacturers and likely Google don't want you to be able to
| control it. Most custom ROMs, including GrapheneOS expose it
| properly, often at the install dialog.
| TrianguloY wrote:
| On play store you can see the permissions that an app uses
| and they are grouped by category. Have full network access is
| set in the "others" category, same as notifications and
| vibration. This is a category where (supposedly) permissions
| are automatically granted.
|
| But to be honest, other similar dangerous permissions like
| "view network connections" and "receive data from internet"
| are also there, categories are for "camera", "microphone"
| etc.
|
| I suppose that the average user is more concerned about
| specific features, and since basically almost all apps
| require internet it may be there to avoid noise. Still, an
| "internet" category would have been nice...
| lsaferite wrote:
| They really should just let me spoof all the permissions and
| associated data for apps if I don't want them to have the
| access.
| frizlab wrote:
| They can track you on a website perhaps even more reliably than
| on an app, at least on iOS...
| galleywest200 wrote:
| The difference is I am not carrying around my desktop
| computer, the location data stays static.
| raw_anon_1111 wrote:
| You realize that if you are concerned about apps tracking you
| without you explicitly giving it your location, a website could
| do the same since there are browser APIs that can retrieve the
| same information only gated by the same OS controls?
|
| When you go to a website, they have always known the
| originating IP address.
| snthd wrote:
| Facebook & Yandex used apps to correlate browsing sessions to
| the app user.
|
| https://localmess.github.io/
| jampa wrote:
| In the beginning of Android / iOS, just installing an app and
| registering was enough for the company to get your device's MAC
| address and thus your indoor location with accurate precision.
|
| They could access your Wi-Fi network's BSSID (whose location is
| often public due to wardriving databases), and in public
| places, they had partner companies (malls, airports, etc.)
| whose routers would triangulate your position based on Wi-Fi
| signal strength and share information like "John is in the food
| court near McDonald's."
|
| All of this happened without you even needing to connect to
| their Wi-Fi, because your phone used to broadcast its MAC
| address if the Wi-Fi was simply on. But now your MAC is
| randomized, but it took a lot of time for Google / Apple to
| do this.
| Flere-Imsaho wrote:
| Android 15 supports Private Space [0] that is essentially a
| separate profile you can install apps into that you can put to
| sleep. Basically I put all low trust apps into it, but can
| still access easily enough.
|
| [0] https://support.google.com/android/answer/15341885?hl=en
| ChrisMarshallNY wrote:
| iOS always asks for permissions. I suspect the same is true for
| unrooted Android.
|
| But the general pattern is that you install some stupid vendor
| crapplet, and the first thing it does, is ask for every
| permission on your phone. Native apps can access a lot more
| stuff than ones restricted to a WebView sandbox. That's why
| they want you to use them.
|
| No thankee.
| encom wrote:
| An annoying trend I've noticed is being asked for phone number or
| email at checkout (IRL). I bought a blood pressure meter a few
| days ago, and the salesman asked "what phone number should I put
| on the order?" Zero. Fuck off. I guess most people just answer
| out of reflex, or believe it's required to complete the purchase.
| It's creepy and irritating.
| kirtakat wrote:
| [Your Area Code]-867-5309 is what I always use - alas they are
| becoming wise to that
| dylan604 wrote:
| [areaCode]-555-1212 is one I use, but any 555 prefix will
| work as it is not meant for actual phone numbers.
|
| https://en.wikipedia.org/wiki/555_(telephone_number)
| phyzome wrote:
| I've used 213-456-7890 a few times on throwaway things.
| 867-5309 wrote:
| cool example :)
| raw_anon_1111 wrote:
| This has been a thing since the 1990s when I worked at Radio
| Shack.
| didgetmaster wrote:
| I often use my old landline number when stores ask me for a
| phone number. I gave it up about 20 years ago. I feel a little
| sorry for the guy who has it now (only a little sorry) because
| whoever it was reassigned to, probably gets many spam calls on
| my behalf.
| gishh wrote:
| "Can I have your phone number for this order?"
|
| "Nope."
|
| Already pisses me off that companies make a profile of me based
| on credit card numbers. I've had this number for decades. I'm
| sure you could build a complete profile of me based on my cell
| number, and this is the only "social" site I use. I got off fb
| in 2008, never even joined the rest (twitter, insta, reddit,
| et al.) just because my phone number has been raped out of
| anyone else who has my name and number in their phone.
| doctor_radium wrote:
| As a teenager I worked at a discount store, and sometimes ran
| the service desk, which (among many other things) involved
| processing returns. The returns form included a spot for "phone
| number", to which some customers would respond, "my number is
| unlisted". We honored that. Today in the USA, it seems the
| phone number is the new Social Security Number, which everybody
| wants to use for tracking. Stores used to give out physical
| discount cards (which I wasn't keen on either...) but now
| (obviously because it saves them money) so many stores have
| switched to a system where your account is tracked through a
| phone number or an app or both. No thank you.
| mmcclure wrote:
| I switched to using PWAs for social media apps for similar
| reasons the author outlines. A pleasant, but somewhat unintended
| consequence is that I just use them a lot less because the
| experience is pretty bad. It makes me a little sad because I've
| always believed in the PWA dream, but the reality is that they're
| bad because companies certainly don't want to make an experience
| that rivals the app they really want you to download.
|
| Expected, but just leads to reinforcing the idea that PWAs won't
| ever be as good when every one people try from someone with a
| popular app is so awful.
| georgefrowny wrote:
| I'm convinced many companies purposely gimp their web sites to
| drive people to apps.
|
| Uber for example doesn't seem to work from my phone browser.
|
| What surprises me is how many engineers must be involved in
| this kind of scummy shit and keep it tightly under wraps.
| jsheard wrote:
| > I'm convinced many companies purposely gimp their web sites
| to drive people to apps.
|
| And then their app is just a webview wrapper. But that still
| gives them more access to your device.
| grvdrm wrote:
| Instagram - major offender.
| tifik wrote:
| I was wondering if it's just me. I am using Brave on iOS
| with all the possible blockers enabled, so I'm not
| surprised when some website doesn't work well. Instagram
| literally freezes solid after 5-15s of being on the
| website, so I usually only quickly scan the top 2-3 posts
| in the feed. I only follow people I know personally, so
| this is usually enough to do once or twice a day and stay
| up to date. If I see a close friend posted a story I kinda
| want to see then it usually takes two or three hard closes
| of the browser to actually see it. Sucks, but sucks less
| than being mental gamed into doomscrolling every time I get
| an app notification.
| chipheat wrote:
| Oddly effective because I end up using it less in general
| grvdrm wrote:
| Exactly - me too. But infuriating when I try.
| wffurr wrote:
| When someone sends me an Instagram link I edit to
| imginn.com instead.
| 6c696e7578 wrote:
| I would say use flickr, but that's shitified now.
| PaulHoule wrote:
| By the stopwatch it takes 3x longer for me to upload a
| photo to the Instagram web app than it does to Mastodon.
| Facebook's blue website works pretty well but the Instagram
| site comes across like something that was vibe coded in a
| weekend or maybe a straw man that was made to prove SPAs
| are bad. Contrast that to the Mastodon application produced
| by a basically unfunded application that's fast and
| reliable.
| jeroenhd wrote:
| PWAs can be good, but for a lot of social media, they're only
| as good as their website experience. Many (most) companies seem
| to make their website intentionally slow and buggy, probably
| with the idea that users only need to use their web UI for a
| short while because they lost access to their apps or
| something.
|
| For instance, I've installed Mastodon as a PWA and it performs
| great. Photoprism also works so well I haven't even bothered to
| look for an app.
| jbombadil wrote:
| 100% agree. The level of tracking has gotten to absurd levels.
|
| I needed a couple of grocery items and happened to be next to an
| Amazon Fresh. Cool, let's try it! Went in, found everything I
| needed and went to self checkout. When it was time to pay, the
| machine wouldn't accept my Apple Pay. I ask an employee who
| helpfully informs me that I can pay with physical cards or my
| Amazon account.
|
| I didn't have my physical cards, nor wanted to do my Amazon
| account so I had to leave. Why don't they accept Apple Pay?
| Because they can't track you. If you use a physical card, they
| can likely link that card number to an Amazon account and thus
| attribute the purchase to a person. If you pay with contactless
| payment they get a one time token that they can't tie to anyone.
| StilesCrisis wrote:
| Walmart is the same. I believe it's very very slightly more
| expensive to process Apple Pay payments (Apple's getting a tiny
| fractional amount of the sale), and this was the actual
| sticking point.
| dylan604 wrote:
| Walmart rolled out their own QR code payment plan just so
| they didn't have to revshare anything. When you're the size
| of Walmart, you can get away with those types of decisions
| even though they are technically very much inferior
| paulddraper wrote:
| > Why don't they accept Apple Pay?
|
| Apple charges for the interchange.
|
| This is the same reason that Walmart doesn't accept it.
| raw_anon_1111 wrote:
| Every credit card company charges interchange fees. Apple
| charges an additional .15 cents.
|
| Walmart doesn't accept Apple Pay because they want you to use
| their app and think they are big enough not to.
| piperswe wrote:
| No, they don't. Apple isn't involved with the transaction
| processing at all, the phone just acts as an EMV device to
| transmit the payment details to the terminal.
| phyzome wrote:
| In Massachusetts, they also would have been required to accept
| cash, as all business locations are.
|
| (It appears that Amazon Fresh has not opened any locations in
| MA. That's fine with me.)
| aduitsis wrote:
| IIUC, contactless payment via apple pay does have a secondary
| card number of sorts that's linked to your original card.
|
| I once accidentally paid for AppleCare with apple pay (a
| mistake), so when at some point I switched phones I had to get
| new secondary card numbers tied to my physical cards. The old
| secondaries went away when I wiped my old phone, so AppleCare
| was no longer able to draw the monthly payment. The number in
| the invoice was likewise not the original physical card number,
| but some other number.
|
| Whether the secondary numbers are easier or impossible to track
| is certainly a question, but I believe there's always a number.
| sholain wrote:
| We need strong regulation.
| raw_anon_1111 wrote:
| This is dumb. Websites have many more ways to track you across
| websites than apps have to track you if you don't explicitly give
| them unnecessary permissions.
| chitza wrote:
| "never hand your phone over the counter" - do people actually
| hand over their phones to random strangers? I'd never do that
| unless I really know the person
| jasonjmcghee wrote:
| Occasionally restaurants to pay for something if you don't have
| a credit card. But never had them go take it somewhere.
| jovial_cavalier wrote:
| Generally agree with the sentiment, I basically only have banking
| apps, messaging apps, and a browser on my phone.
|
| I am skeptical, though, of the price discrimination claims. If
| McDonald's decides that the right price of a Big Mac for me is $1
| and for you $4, that creates an arbitrage opportunity. You can
| pay me $3, and I pocket $1.50. The result is that I buy more big
| macs, and they bump my price up. You buy less, and they take your
| price down. Now it just trades at the market rate it was before,
| but with more steps.
| nerdponx wrote:
| This is all fine and valid but the real problem is that binding
| arbitration is legal.
| spiritplumber wrote:
| I think if someone yoinks your phone and installs stuff on it the
| basic options are "call the cops" or "make them call the cops".
| koakuma-chan wrote:
| People who create download our app pop-ups need to go to jail.
| siliconc0w wrote:
| One possible future to look forward to is one where everyone is
| essentially forced to become a commodity player that exposes an
| API for your AI Agent to order food, book a rideshare, book a
| ticket, check flight status or whatever. I don't think they'll go
| willingly but the market may force their hand.
| pharrington wrote:
| Downloading software? On MY handheld computer??
| BenFranklin100 wrote:
| Just another confirmation that the majority of the IT industry
| depends on spying in order to be profitable and for developers to
| make a good living. It's a disgrace really.
___________________________________________________________________
(page generated 2025-11-26 23:00 UTC)