upvote

points

by iancarroll5 hours ago |
comments
upvoteby Groxx4 hours ago|
next
[-]
The permissions snippet they show also doesn't include location, and you can't request location at runtime at all without declaring it there.

I'd verify all this stuff for myself, but Play won't install it in my phone so I can't really get the APK. Maybe because I use Graphene...? but I don't know all the ways they can restrict it, maybe it's something else (though for a pixel 9a it's rather strange if it's hardware based).

--- EDIT ---

To be specific / add what I can check, this is what my Play Store "about -> permissions" is showing:

    Version 47.0.1 may request access to
    Other: 
      run at startup
      Google Play license check
      view network connections
      prevent phone from sleeping
      show notifications
      com.google.android.c2dm.permission.RECEIVE
      control vibration
      have full network access
which appears fairly normal, and does not include location, and I think Play includes runtime location requests there. Maybe there's a version-rollout happening, or device-type targeting?
reply
upvoteby frizlab5 hours ago|
prev|
next
[-]
> it doesn't request location permissions anywhere, despite the claims in the article

The article does not claim the app requests the location. It claims it can do it with a single JS call.

reply
upvoteby esprehn4 hours ago|
parent|
next
[-]
It can request with a JS call. It can't passively collect it without you approving first. The article is written like calling that JS function will turn on location tracking without consent.
reply
upvoteby mattdeboard4 hours ago|
parent|
[-]
He explicitly says he can't determine it, but that the location tracking as configured will turn on once the user grants consent. All true statements.

How would you have written it differently

reply
upvoteby logifail3 hours ago|
parent|
[-]
"If the user chooses to opt-in and grants location-tracking permission, the app is then, and only then, able to track the user's location?"
reply
upvoteby ceejayoz1 hours ago|
parent|
next
[-]
But that's not true; it could easily fallback to other forms of geolocation like using the current IP.
reply
upvoteby buzzerbetrayed1 hours ago|
parent|
[-]
Good lord. So could literally any app on the planet
reply
upvoteby mattdeboard56 minutes ago|
parent|
prev|
[-]
You would be lying if you wrote that because you do not know if that is true.
reply
upvoteby dmitrygr4 hours ago|
parent|
prev|
[-]
> The article does not claim the app requests the location. It claims it can do it with a single JS call.

so can ... any other code anywhere on a mobile device? That is how API work...

reply
upvoteby david_allison4 hours ago|
parent|
[-]
You need to state the permissions you *may* request/use in AndroidManifest.xml. This data can then be displayed to users pre-installation.

From the (limited) article, it doesn't seem they do this: https://thereallo.dev/blog/decompiling-the-white-house-app#p...

----

EDIT: I'm mistaken. From the Play Store[0] it has access to

* approximate location (network-based)

* precise location (GPS and network-based)

[0] https://play.google.com/store/apps/details?id=gov.whitehouse...

This seems to disagree with:

> The location permissions aren't declared in the AndroidManifest but requested at runtime

*shrug*, someone should dig deeper. It looks like the article may not match reality.

reply
upvoteby Groxx2 hours ago|
parent|
[-]
What version do you see? 47.0.1 doesn't have that for me: https://news.ycombinator.com/item?id=47557033
reply
upvoteby david_allison29 minutes ago|
parent|
[-]
Very unusual: 47.0.1 is showing these permissions when on my MacBook viewing the store entry.

The Play Store doesn't show these permissions when viewed on my Pixel 9 Pro, and the APK doesn't have these permissions when downloaded/extracted.

reply
upvoteby dijksterhuis5 hours ago|
prev|
next
[-]
what version are you on?

from the iphone app store: version 47.0.1 - minor bug fixes - 34 minutes ago

while the parent posted 18 minutes ago

they may have patched the location stuff as part of the “minor bug fixes”?

reply
upvoteby filoleg4 hours ago|
parent|
next
[-]
I have the iOS version from yesterday, haven't updated the app yet.

No location permission request prompting encountered. In system settings, where each app requesting location data is listed, it isn't present either.

reply
upvoteby 5 hours ago|
parent|
prev|
[-]
deleted
reply
upvoteby liveoneggs2 hours ago|
prev|
[-]
how do you know it didn't lie during the decompilation?
reply
upvoteby BoorishBears2 minutes ago|
parent|
[-]
It doesn't have to lie: unfortunately libraries that are essentially a full application themselves (complete with their own permissions) are not uncommon on mobile.

So it could come across a manifest that includes location permissions and some code that would (if enabled) send location, but it might do a bad job properly tracing

reply