Maybe it worked the first time. After that you're just back to the same level as other drivers in that county, but you could get benefits in other counties.
Though there is a difference what store apps and non-store apps can do. I think is about store apps which are “sandboxed” and have to use public api to request then access information which non-store apps can access without.
Yea, it's infuriating that most of the HN crowd thinks the apps are better than web. Apps can spy on you way more than web. It's the reason every website says "please download the app". If it was better for them to spy on you via the website they wouldn't ask you to download the app.
Apps like TikTok can know which username we logged in with, even if we uninstall and reinstall the app. This is egregious, as many companies like Facebook have SDKs embedded in many apps, allowing them to accurately interconnect user activity.
Apple should be ashamed that they aren't putting effort to randomize these fingerprints....
Yes. Got my ps and ws mixed up. I was just reading about the Mt. Rushmore project (I was curious whether or not it was a WPA project -it wasn’t, officially).
One correction to some comments here: an iOS app cannot list all apps that are installed. You can only check for specific apps/schemes (LSApplicationQueriesSchemes) by specifying apps you are looking to query for installation status or open. You cannot provide a large list of unrelated applications since Apple rejects that during app review.
Apple added these restrictions because installed app lists can be used for fingerprinting and privacy invasive profiling.
But a single app can request to know the presence of up to 50 apps, right?
And a data broker/aggregator can purchase such data from many (e.g. thousands) of apps and aggregate it, then sell it.
Yes indeed, the limit is 50 which is of course enough to fully profile "regular people" who only have a handful of apps. Also don't forget, Meta/Google/TikTok/WhateverPalantir are updated weekly which means they can tweak their LSApplicationQueriesSchemes list and cover even more apps if they want to.
> You cannot provide a large list of unrelated applications since Apple rejects that during app review.
Thank you for the clarification!
> You cannot provide a large list of unrelated applications since Apple rejects that during app review.
It does not need to be a large list though I think? You just need a small list that is very discriminative and adds enough additional entropy to uniquely identify you in combination with the other data leaked.
It is terrifying to learn that apps are allowed knowledge about any other app being installed on my phone. Where can I see that list?
> Apple added these restrictions because installed app lists can be used for fingerprinting and privacy invasive profiling.
And this was heavily exploited by Facebook before Apple patched it
I don't understand why internet access isn't opt-in for apps. Preventing exfiltration would prevent much of this harm, and most apps don't have any need to access the internet in the first place. Why am I creating a GE account to read my blood pressure? At least I know it's taking advantage of me. But this is clearly abusive behavior
Better yet, a tool like Little Snitch should be built into the OS. Give me a detailed log of every network requests, to which domains, with what data.
This isn't effective because Little Snitch only sees the domains so apps can just serve the trackers on the same domain as essential services making blocking impossible.
The only way to prevent malicious apps from affecting your privacy is to not install them or not give them network access.
I derive lots of value from Little Snitch on my Mac, so this approach is more effective than not having anything.
And yes, having the ability to deny any app network access on iOS would be great.
AOSP has network as a regular permission for apps, so on Lineage at least (idk about Graphene as I haven't used it) you can disable network for any app including google play services etc. I have no idea why most phone companies remove this permission from their roms but android itself supports it perfectly fine.
It's nice to be able to toggle it (it's also possible to revoke this permission on GrapheneOS). However, it is imperfect, since apps within the same profile can still communicate through IPC, so if apps cooperate, network access can still be achieved. I would guess that Play Services is one of the larger offenders, since many apps communicate with Play Services and as far as I understand (but I may be mistaken) Play Services does work that involves internet access on behalf of other apps.
You could of course disable network access to Play Services, but at least for me that broke a bunch of apps or made them unreliable.
What AOSP ROMs need besides the network permission toggle is IPC scopes functionality, akin to storage scopes.
GrapheneOS lets you restrict the internet access of any app on install.
But yes, agreed it should be everywhere.
See my comment upthread, it helps a bit, but does not close this hole since apps within the same profile can communicate through IPC, so other apps could provide network access on their behalf. I think the best example is probably Play Services, which provides functionality for a lot of apps and will communicate with Google, etc.
(Yes, you can disable network access to Play Services, but it sometimes breaks things and the general point of IPC as a hole still stands.)
I'm not an Android user. What's a profile? Is that a user thing or a developer thing?
And you can limit which contacts you share with nosy app like WhatsApp, and give access to only specific scope of file folders. Horrifying to think all the years every app got everything it wanted and did not have to ask and couldn't be stopped (I had a rooted phone for firewall capability for a while)
Yeah it asks on app install if you want to grant network permissions. It's just a little checkbox. You can of course manage it afterwards in app settings or permissions manager.
They also added the sensors permission.
Damn. The "iPhone last setup or erased on ..." is really nasty. What can a user really do about that? I feel like this should be fudged somehow by the OS.
Seems like in general the iPhone was not designed to avoid fingerprinting from installed apps. Only protection would be avoid installing apps and use the web browser when possible.
This. This is why everyone who wants to fingerprint and collect tons of data on end users pushes them hard on installing an app. The amount of valuable data is 10x what’s available in the browser
And it is not just the fingerprinting, it is also that a good number of people will install an ad/tracker blocker in their browser, but almost nobody knows or cares about the multiple trackers that most apps have.
To make it worse, Apple's naming undermines consciousness about this issue, since they have an option to block cross-app/site tracking (which IIRC blocks access to the advertising identifier), but called it "Allow Apps to Request to Track". A lot of people seem to hold the belief that disabling this option blocks all in-app trackers. It just blocks one way to correlate, but as this app shows, there are other ways to correlate (as well as correlating server-side using IP addresses, etc.).
On this topic, I somehow missed that Apple added a generic URL filtering API to macOS/iOS 26, which extends Safari filtering to the whole OS (well, as long as apps are using Apple's APIs). It's not perfect, but a nice addition to DNS-based blocking:
https://adguard.com/en/blog/apple-url-filter-system-wide-fil...
The author of Wipr added support to Wipr 2 as an extra in-app purchase:
https://kaylees.site/wipr2-whats-new.html#filtr
Aside from technical methods to address this, all this in-app tracking must be a violation of the GDPR, no? I can't imagine this all falls under legitimate interest.
> all this in-app tracking must be a violation of the GDPR, no?
Probably, but we're gonna have to wait for the courts to weigh in for a definitive answer.
Same with the very popular pay-or-accept-tracking model. An Austrian court found it illegal, but we'll probably have to wait for a case to make it all the way to the ECJ.
Cut your selection of apps and find/build privacy respecting alternatives for the remainder. I'm trying to do this. Music is now locally hosted, Youtube is sorta kinda coming along. I've been working on reversing some of my more basic iOS apps to extract the data/endpoints they use and write my own apps. Fable really helped with this and Opus just does not cut the mustard. I hope it comes back. :/
The intended “protection” is the ToS, which requires apps to disclose what they are tracking and whether they perform cross-premise tracking.
Often it's not the app itself doing tracking or cross-premise tracking, but data is passed to installed third party SDKs that do.
Ah, that’s funny. Too bad those privacy nutrition labels are only honor system.
They give that one completely up to businesses, then, to devs. They also thought they should let an app maker prohibit screen recording, which might promote development since it protects revenue of e.g. subtitling apps as one example. But end result is you even end up with a black screen when recording the iPhone Mirroring app from a Mac.
Apple owes us a better balance here. iCloud Private Relay for all apps (why only Safari?! and Mail and HTTP) as a start, and plugging some of the privacy holes Loupe exposes. They don’t want us abusing free trials I suppose.
These days many things don't work on browser. Even reddit is very difficult as we get constant nagging.
That’s usually a warning the service is malware that wants you to install an app for deeper tracking.
Brave blocks those switch to app notices by default.
old.reddit.com
For now but you know they’re coming for that ass.
Maybe I'm being really thick, but why is this information that the OS would make available to apps?
Maybe it’s derived
It's probably the app checking the last modified timestamp on some filesystem location that's only touched during setup.
Edit: It's not a last modified timestamp, it's a volume creation timestamp: https://github.com/mysk-research/loupe/blob/2262efd4456ecba8...
Is the threat model tracking across multiple apps to correlate what you're doing? In that case, a single app wouldn't show you the fudging.
```Based on a binomial/Poisson distribution and a baseline of 21 million U.S. device sales per release, a fingerprint relying on "seconds since setup" fails to uniquely identify individuals. In the high-density Early Adopter phase, you will share your exact setup second with an average of 1.01 other people (a total matching pool of ~2 people). Six months into the cycle, you will still share that second with an average of 0.68 other people.```
In the U.S., device setup time (to the second) very conservatively gets you clubbed into a single group of 100 individuals as an "advanced persistent threat" tracker. Even compressing activations to "80/20 during business hours" the math kind of maxes out at a pool of ~5 people, and assuming worst case "20x" of that still means you're still pretty darned identifiable.
If you get ~6-8 more bits of entropy (eg: Device Type + Capacity is easily 2-3 bits, and Time Zone is probably another 2-3 bits) you're cooked!
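The anonymity-set arithmetic in the comment above, generalised to several independent signals, as an added example that is not part of the thread. It assumes setups are spread evenly over one year and that the signals are independent; the device mix and app install rates are constructed values, and only the 21 million figure comes from the comment.

```python
import itertools
import math

POPULATION = 21_000_000            # U.S. devices per release, the figure quoted above
SETUP_SECONDS = 365 * 24 * 3600    # assumption: setups spread evenly over one year

# Constructed distributions, not measurements.
DEVICE_MIX = [0.30, 0.25, 0.20, 0.12, 0.08, 0.05]   # model + capacity combinations
APP_INSTALL_RATES = [0.50, 0.30, 0.10, 0.05, 0.02]  # five probed URL schemes


def presence(rate):
    """Distribution of a yes/no probe: [installed, not installed]."""
    return [rate, 1.0 - rate]


def collision_probability(dist):
    """Chance that two random devices agree on this attribute."""
    return sum(p * p for p in dist)


def collision_entropy_bits(dist):
    """Effective bits the attribute contributes (Renyi order-2 entropy)."""
    return -math.log2(collision_probability(dist))


def expected_others(population, dists, uniform_buckets=1):
    """Mean number of OTHER devices sharing your combined fingerprint.

    dists are independent attribute distributions; uniform_buckets adds one
    uniformly distributed attribute such as the setup second.
    """
    collide = 1.0 / uniform_buckets
    for dist in dists:
        collide *= collision_probability(dist)
    return (population - 1) * collide


def p_unique(population, dists, uniform_buckets=1):
    """Probability that a randomly chosen device is alone in its bucket."""
    total = 0.0
    for combo in itertools.product(*dists):
        weight = math.prod(combo)        # share of devices with these values
        q = weight / uniform_buckets     # share of devices in one exact bucket
        if q >= 1.0:                     # every device looks identical
            total += 1.0 if population == 1 else 0.0
            continue
        # weight * (1 - q)^(population - 1), computed stably for tiny q
        total += weight * math.exp((population - 1) * math.log1p(-q))
    return total


def report():
    """(expected others, P(unique)) as signals are stacked on the setup second."""
    apps = [presence(r) for r in APP_INSTALL_RATES]
    stages = {
        "setup second only": [],
        "+ device model/capacity": [DEVICE_MIX],
        "+ five app probes": [DEVICE_MIX] + apps,
    }
    return {
        name: (expected_others(POPULATION, dists, SETUP_SECONDS),
               p_unique(POPULATION, dists, SETUP_SECONDS))
        for name, dists in stages.items()
    }


if __name__ == "__main__":
    print(f"bits needed to single out one device: {math.log2(POPULATION):.2f}")
    print(f"bits in a uniform setup second:       {math.log2(SETUP_SECONDS):.2f}")
    for name, (others, unique) in report().items():
        print(f"{name:26s} others={others:.3f}  P(unique)={unique:.3f}")
```

Skewed attributes contribute fewer effective bits than their number of values suggests, which is why the code uses collision entropy instead of counting distinct values.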
Just using IP address, device storage, device name, and similar signals, we can identify a user. It isn’t difficult to correlate these data points. Apps like Facebook also force developers to use their SDKs for even small features.
Volume creation date is pretty egregious. I don't see any reason that and Pasteboard changeCount should be so granular.
The "Installed Apps Probe" leak also surprised me. It is better than the current state of Android, though.
Graphene is way ahead of this
Apps on grapheneos can see a list of other apps in the same profile.
Pasteboard counter exists to help apps to not ask again about the same item in the buffer.
And nothing stops from using reset it every day.
Why do you need a count for that? Couldn’t they just generate a UUID every time the clipboard changes?
Allowing an app to access the pasteboard without the user explicitly pasting into the app is weird to me. Maybe the thing I have in the pasteboard is not for this app but left over from use in another app. Since there's no easy way to clear the pasteboard, this will happen often. Maybe it's because I'm not an app dev that this doesn't make sense to me????
iOS will ask for pasteboard permission every time an app wants to read the actual contents.
& we can set ask each time, always allow, never allow per app.
Would you elaborate on both points?
Any way to reset it as an end user? (Not enough awareness of the issue for search engines to find much.)
I think something like a per boot delta added to a (per app?) random base would preserve such functionality.
Just generate a new random value instead of incrementing
Even that is overkill if all you're interested in is if a change occurred.
What’s an easier way? I’m assuming they want the app to be able to detect when “a” was copied, then “b” and then “a” again, so just looking at the value probably isn’t enough.
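A toy model of the alternatives proposed in this sub-thread, added here as an example and not taken from the thread or from Apple's implementation: each app receives an opaque per-app token (a keyed-hash variant of the "new random value" suggestion) instead of the shared counter. The `Pasteboard` class, its method names, the start value and the app ids are hypothetical.

```python
import hashlib
import hmac
import secrets


class Pasteboard:
    """Toy model of a system pasteboard (hypothetical, not Apple's implementation)."""

    def __init__(self, start=0):
        self._count = start    # global counter, incremented on every copy
        self._content = None
        self._app_keys = {}    # per-app secrets that never leave the OS

    def copy(self, content):
        self._content = content
        self._count += 1

    def raw_change_count(self, app_id):
        """Counter design discussed in the thread: one integer shared by all apps."""
        return self._count

    def change_token(self, app_id):
        """Opaque per-app token: HMAC(per-app key, counter), truncated to 64 bits."""
        key = self._app_keys.setdefault(app_id, secrets.token_bytes(32))
        mac = hmac.new(key, self._count.to_bytes(8, "big"), hashlib.sha256)
        return mac.hexdigest()[:16]


def observe(start=4821, copies=("a", "b", "a")):
    """Record what two unrelated apps see while the user copies a, b, a."""
    pb = Pasteboard(start)   # start value is constructed
    apps = ("com.example.one", "com.example.two")
    raw = {app: [pb.raw_change_count(app)] for app in apps}
    tokens = {app: [pb.change_token(app)] for app in apps}
    for item in copies:
        pb.copy(item)
        for app in apps:
            raw[app].append(pb.raw_change_count(app))
            tokens[app].append(pb.change_token(app))
    return raw, tokens


def linkable(seq_one, seq_two):
    """Two apps can join their records if any observed value matches."""
    return bool(set(seq_one) & set(seq_two))


if __name__ == "__main__":
    raw, tokens = observe()
    one, two = "com.example.one", "com.example.two"
    print("raw counter linkable across apps:", linkable(raw[one], raw[two]))
    print("tokens linkable across apps:     ", linkable(tokens[one], tokens[two]))
    print("distinct tokens seen by one app: ", len(set(tokens[one])))
```

Each app still sees a different token after every copy, including the a, b, a sequence, but no value is shared between apps and the number of pasteboard changes is no longer readable.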
This is excellent. Seeing this makes me appreciate how much visual awareness tools like this are needed.
I built something similar, for the web. https://neberej.github.io/exposedbydefault/
Github: https://github.com/neberej/exposedbydefault
Why does a random app (with no special permissions given to it) get access to so much info, and why doesn't Apple tell users this (important) info? Why can't Apple make a long list of check boxes so users can dis/allow on a per-category and per-app basis?
E.g. I had no idea a random app you install (and give no permissions to) instantly has a list of every app installed on the device (e.g. can infer whether you're dating [or cheating!] from presence of tinder/bumble/hinge). That alone seems instantly monetizable by unscrupulous actors via 'is-my-partner-cheating' as a service: charge $10 to give a probable answer.
That’s a stupid idea, how would you even get this “is-my-partner-cheating” on your partner's phone?
Loupe itself can see if you have tinder/bumble/hinge installed (verify for yourself: install tinder, then install loupe, don't give it any permissions, and it can tell if you have tinder installed or not). So the answer is: buy the data from any app your partner has installed! Or more easily, a data aggregator which will have already combined data from hundreds/thousands of apps.
So your partner only needs to have had 1 single app from the list that sells user data to a data aggregator for this to work. They do not need to have installed some special app.
Here's a random Slate article about apps getting your data and selling it to aggregators/brokers, who sell it to third-parties (you, or I, could be one of those third parties).
> How Shady Companies Guess Your Religion, Sexual Orientation, and Mental Health And sell that data to the highest bidder.
https://slate.com/technology/2023/04/data-broker-inference-p...
And how would the is-my-partner-cheating get their app onto the victims device to detect the other apps?
They don't, utilise the fact that every single iPhone app has access to what other apps are installed! - purchase that info from literally any iPhone app or aggregator that has it for that user. Curious how much this would cost to purchase - a working credit card goes for $5-10 on the black market so 'apps installed on X's iphone' might be, like, 10c?
Which even halfway credible app developer would sell you that info? You know that’s illegal right? You might get some stupid indie developer to do this but no chance for anything even half big.
But if you can actually get this data, maybe try to do this on yourself and write a blogpost about it. I highly doubt you’ll be able to.
Most app publishers are halfway credible at best, so it's not much of a problem. Even the halfway credible ones often use SDKs that do this.
I've never made an iOS app and don't have plans to. But my assumption is ~every >= medium-sized iOS app would be monetised by selling data to aggregators.
Even if that was the case - which it isn't - the aggregator data isn't keyed by the user in question. That is highly illegal pretty much everywhere and would get you in a lot of trouble. You can't "just" find out which apps an arbitrary person has installed on their phone. That's not how it works.
My understanding is it's common practice. E.g. How Shady Companies Guess Your Religion, Sexual Orientation, and Mental Health And sell that data to the highest bidder. https://slate.com/technology/2023/04/data-broker-inference-p...
Of all things, this is where you went?
Okay it's weird but the first thing that came to mind. Logic: if I can think of a monetisable, nefarious application in 10 seconds, then it stands to reason that very many nefarious applications would be possible with more time/effort.
Not just possible, currently being implemented. People are murdered every year using this information. Last year a US politician was assassinated by someone who tracked them by buying this information from aggregator. You thought of a tame use case!
For anyone without an iPhone or doesn't want to install the app you can see a demo here (same video different platforms):
https://odysee.com/@techlore:3/permission-not-required-the-o...
https://www.youtube.com/watch?v=_n_SpEWtqog
https://inv.nadeko.net/watch?v=_n_SpEWtqog
https://techlore.tv/w/d7dh4P7y4dVngNoL7u7s3B
Is something similar already available for Android phones?
Privacy is a real issue! Does the iOS allow an ext dev app to read its system info? If yes, does it easily comply?
/me wonders if the privacy label should actually mention that it reads everything and the kitchen sink!!!
This is why I avoid installing apps and don’t have a lot of them.
...wouldn't it be better to have a pocket computer you own?
It would be even better if app devs weren't pieces of shit making apps whose sole purpose is to gather all of this data to sell to other pieces of shits while skinning their app as a game or other app to trick users into thinking it's worth installing.
Fighting devs being able to make money in this manner is not dissimilar to getting made a drug dealers. As long as users want their product, they will sell the product.
Most people don't know and we are seeing that things get slipped in at a later date
Just use the browser, it's fine 99% of the time.
if you think "desktop" operating systems aren't even worse on this, you're very mistaken
Phones are quite useful.
Sweet, been wanting this a while. Just mentioned last month and here it is! https://news.ycombinator.com/item?id=48187972
This is neat and interesting, truly, but the classic “what now?” emerges. I guess the only answer is “throw out my iPhone”? Otherwise this kind of seems like a circuitous ad to make people get worried and download Psylo, which I see has in-app purchases. I’m not trying to come at you here, but it’s just hard not to feel suspicious online these days.
Don't install apps outside trustable apps that don't embed tracking. Even if you cannot uninstall every app, the fewer you have, the less cross-app tracking. Also donate to and consider installing privacy-conscious alternative phone OSes. They may not have closed all holes (yet), but at least their incentives are aligned with yours.
The only way to prevent this right now is to avoid installing apps that are doing this.
“Just don’t use it” only gets you so far and isn’t always an option. Also, as some have mentioned in this thread, many sites now make the mobile experience so painful (or remove key features) so as to force you onto the app.
I am against cars for the most part, but I can’t just get rid of my car. In this case, I can’t get rid of Slack (and other apps) because of work and unfortunately I do not work at a company that will buy me a work phone for work things.
Ultimately this has to start at a more root level. We need to claw back privacy.
I'm not saying it's not a problem and I understand you have to use some apps. I'm just saying that currently the only way to effectively prevent apps gathering and selling this info is to never install the app in the first place.
this is fantastic, just great really, and honestly makes one stick out so easily, reminds me a lot of that license plate xkcd
https://xkcd.com/1105/
Maybe it worked the first time. After that you're just back to the same level as other drivers in that county, but you could get benefits in other counties.
Would love this for MacOS as well.
Fortunately, if you read the README (and decide to go past the “this was mostly built by AI” part,
> Loupe also builds for macOS. The Mac version is mostly complete, but a few things still need work before it's polished.
> and decide to go past the “this was mostly built by AI” part
I got that feeling just seeing the title use "native" as a synonym of "not a website".
What “apps” do you use on a mac?
Probably a ton since macOS apps are literally distributed as .app bundles.
Though there is a difference in what store apps and non-store apps can do. I think it is about store apps which are “sandboxed” and have to use public API to request then access information which non-store apps can access without.
Google Chrome, VS Code, among others
Well “they” can technically “read” anything your user can.
Apps installed via the MAS have sandboxing applied to them, so this isn't really true.
Yes but chrome is not from MAS. I have non-MAS apps installed because they are simply not available via MAS.
Yea, it's infuriating that most of the HN crowd thinks the apps are better than web. Apps can spy on you way more than web. It's the reason every website says "please download the app". If it was better for them to spy on you via the website they wouldn't ask you to download the app.
There are plenty of other (better?) reasons why developers might want to push apps.
More APIs, less friction selling stuff, business presence right on the homescreen.
Apps like TikTok can know which username we logged in with, even if we uninstall and reinstall the app. This is egregious, as many companies like Facebook have SDKs embedded in many apps, allowing them to accurately interconnect user activity.
Apple should be ashamed that they aren't putting effort to randomize these fingerprints....
That’s just keychain. It’s not even fingerprinting.
This is probably Keychain, right?
It's likely to be trolled by the WPA folks, who will insist that WPAs are just as insecure as native apps, so there's no difference ...
But very cool.
You mean PWA?
Yes. Got my ps and ws mixed up. I was just reading about the Mt. Rushmore project (I was curious whether or not it was a WPA project -it wasn’t, officially).