The permissions snippet they show also doesn't include location, and you can't request location at runtime at all without declaring it there.

I'd verify all this stuff for myself, but Play won't install it in my phone so I can't really get the APK. Maybe because I use Graphene...? but I don't know all the ways they can restrict it, maybe it's something else (though for a pixel 9a it's rather strange if it's hardware based).

--- EDIT ---

To be specific / add what I can check, this is what my Play Store "about -> permissions" is showing:

    Version 47.0.1 may request access to
    Other: 
      run at startup
      Google Play license check
      view network connections
      prevent phone from sleeping
      show notifications
      com.google.android.c2dm.permission.RECEIVE
      control vibration
      have full network access

which appears fairly normal, and does not include location, and I think Play includes runtime location requests there. Maybe there's a version-rollout happening, or device-type targeting?

> it doesn't request location permissions anywhere, despite the claims in the article

The article does not claim the app requests the location. It claims it can do it with a single JS call.

what version are you on?

from the iphone app store: version 47.0.1 - minor bug fixes - 34 minutes ago

while the parent posted 18 minutes ago

they may have patched the location stuff as part of the “minor bug fixes”?

And r8 which does tree shaking to remove dead code is not smart enough to understand react native so it won't strip it out without extra work from the developer.

Cross referencing these different things in the article to other apps that exist was my first thought as these seem pretty generic and probably reused from somewhere else.

You omitted these items immediately above that line:

Injects JavaScript into every website you open through its in-app browser to hide cookie consent dialogs, GDPR banners, login walls, signup walls, upsell prompts, and paywalls.

Has a full GPS tracking pipeline compiled in that polls every 4.5 minutes in the foreground and 9.5 minutes in the background, syncing lat/lng/accuracy/timestamp to OneSignal's servers.

Loads JavaScript from a random person's GitHub Pages site (lonelycpp.github.io) for YouTube embeds. If that account is compromised, arbitrary code runs in the app's WebView.

Loads third-party JavaScript from Elfsight (elfsightcdn.com/platform.js) for social media widgets, with no sandboxing.

Sends email addresses to Mailchimp, images are served from Uploadcare, and a Truth Social embed is hardcoded with static CDN URLs. None of this is government infrastructure.

Has no certificate pinning. Standard Android trust management.

Ships with dev artifacts in production. A localhost URL, a developer IP (10.4.4.109), the Expo dev client, and an exported Compose PreviewActivity.

Profiles users extensively through OneSignal - tags, SMS numbers, cross-device aliases, outcome tracking, notification interaction logging, in-app message click tracking, and full user state observation.

Scrolling is extremely poorly behaved on that page for me too, Firefox 149 Windows 10. Which is quite ironic coming from an article that mainly criticizes the web dev aspects of the app!

Scrolling is so laggy it's annoying to follow on mobile (FF 151.0a1)

Does it for me too, chrome on a thinkpad

Not what you meant, but works fine on

Firefox 148.0.2 (Build #2016148295), 15542f265e9eb232f80e52c0966300225d0b1cb7 GV: 148.0.2-20260309125808 AS: 148.0.1 OS: Android 14

I agree, the website of the original article is kinda terrible

Not if someone can issue the certificate signed by the CA your phone trust.

Imagine being in a cafe nearby, say, embassy of the certain north African country known for pervasive and wide espionage actions, which decides to hijack traffic in this cafe.

Or imagine living in the country where almost all of the cabinet is literally (officially) being paid by the propaganda/lobbying body of such country.

Or living int he country where lawful surveillance can happen without the jury signoff, but at a while of any police officer.

Maybe its not common but frequent enough.

Not if you are part of an org that uses MDM and pushes their own CA to devices.

Every default setup on every website and app for the last five or so years has been encouraging users to add pronouns, making it difficult to avoid it, even my iPhone asks me to add each person’s pronouns when I add a new contact. I don’t know why Siri needs to know that, but it’s there. There’s one website I use that won’t let you sign up as a contributor without “completing your profile”, which includes mandatory pronouns.

I guess there’s some workplaces where it’d be useful for me to update these, probably the ones Apple PMs work in.

Aren't the banners for EU page visitors. I don't think there is a US law about this, is there?

Yes, this is a major UX improvement considering I remove those with uBlock Origin anyway.

Indeed.

I'd love it somehow taken out of it and made available for the general public. Custom uBlock / Adblock filers will be probably the easiest.

I too love it when US imperialism invades digital spaces, just ignore how the US treats people critical of its own government (not just referring to the Trump admin here) then yeah sure great.

Let me know when this can ignore malware/adware from US companies then I'll give accolades.

"Amateur hour" is basically their theme. They were swept in on a wave of distrust for people who know what they're talking about. They were elected to tear down Chesterton's fence, even (and especially) the parts holding in the face-eating leopards.

To mix the metaphors further, they (the politicians and their supporters) fancy themselves the kind to dream of things that never were and ask why not. Why not have a war in Iran? You won't know until you give it a try.

Using somebody's stuff is different than hot-linking directly to a hosted version of it, even just from the perspective that dude could delete it at any time and break the whole app.

All good for you to make those choices for yourself. Your response seems to be show ignorance of all the recent supply chain attacks that have occurred. You can imagine that given the situation with the shoe gifts that many high up members of the administration and cabinet members are running this app.

I don't know if you're being serious or not, but in case you are: There is a difference between (re)using other people's open sourced code, hopefully reviewed, and giving anyone in control of the third party repository the ability to run arbitrary code on your user's devices. Even if the "random GitHub repo" doesn't contain any malicious code right now, it may well contain some tomorrow.

It's always a better idea to make a local copy of it.

Imagine they're downloading a project directly from your GitHub account. Even if you're not doing anything malicious and have no intention of doing anything malicious even after you've been aware of this, now all of a sudden your GitHub account / email is a huge target for anyone that wants to do something malicious.

The dependencies weren't vendored, meaning their behavior can change at any time if a malicious actor gains control of that third-party repo.

This is bad for security.

Even in the apps I've worked on, you won't find us loading arbitrary JS from a random GitHub user's account.

This was probably payed for, with tax payer money, coming from an official government entity.

If any of those 3 is true, the bar should be higher than what someone just did in their free time? I would surely expect more.

Nah, I suspect any app that's loading arbitrary JS from somebody's random GitHub page would get called out for that behavior. We're getting supply chain attacks daily.

That is some impressive willful ignorance. “If it was anybody else threatening to beat this guy up for what he was saying, you’d probably praise them. But a cop does it one time and …”

Are you upset people are being critical of a shabbily run government program?