It’s pretty interesting to me that Cloudflare is collecting additional client-side data for individual customers. This is not widely done by most anti-bot solutions.
A bit skeptical of how this article is written as it seems to be mostly written by AI. Out of curiosity, I downloaded the app and it doesn't request location permissions anywhere, despite the claims in the article.
I've noticed Claude Code is happy to decompile APKs for you but isn't very good at doing reachability analysis or figuring out complex control flows. It will treat completely dead code as important as a commonly invoked function.
The permissions snippet they show also doesn't include location, and you can't request location at runtime at all without declaring it there.
I'd verify all this stuff for myself, but Play won't install it on my phone so I can't really get the APK. Maybe because I use Graphene...? But I don't know all the ways they can restrict it; maybe it's something else (though for a Pixel 9a it's rather strange if it's hardware based).
--- EDIT ---
To be specific / add what I can check, this is what my Play Store "about -> permissions" is showing:
Version 47.0.1 may request access to
Other:
run at startup
Google Play license check
view network connections
prevent phone from sleeping
show notifications
com.google.android.c2dm.permission.RECEIVE
control vibration
have full network access
which appears fairly normal, and does not include location, and I think Play includes runtime location requests there. Maybe there's a version-rollout happening, or device-type targeting?
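An added example, not code from any commenter or from the app discussed in the thread: a small check for the claim that location cannot be requested at runtime unless it is declared in the manifest. Given a decoded AndroidManifest.xml (the binary manifest inside an APK must first be decoded, e.g. with apktool), it lists every declared `<uses-permission>` and reports whether any of the location permissions is present. The sample manifest is constructed here to mirror the Play Store list quoted above (the mapping from Play's human-readable labels to permission names is an assumption of this example), and the package name is a placeholder.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# The permissions Android requires an app to declare before it may prompt for
# location at runtime; an undeclared permission is denied without any prompt.
LOCATION_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}

# Constructed sample manifest approximating the Play Store permission list
# quoted in the thread. Package name and label are placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <uses-permission android:name="com.android.vending.CHECK_LICENSE"/>
  <application android:label="placeholder"/>
</manifest>
"""

# Constructed variant that does declare fine location, for contrast.
SAMPLE_MANIFEST_WITH_LOCATION = SAMPLE_MANIFEST.replace(
    "<application",
    '<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>\n'
    "  <application",
)


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return every permission name declared via <uses-permission> or
    <uses-permission-sdk-23> in a decoded (plain XML) manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"  # android:name in Clark notation
    perms: set[str] = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(name_attr)
            if name:
                perms.add(name)
    return perms


def location_permissions(manifest_xml: str) -> set[str]:
    """Subset of declared permissions that are location permissions."""
    return declared_permissions(manifest_xml) & LOCATION_PERMISSIONS


def can_request_location_at_runtime(manifest_xml: str) -> bool:
    """True only if at least one location permission is declared; without a
    declaration the runtime prompt can never be shown, so no location access."""
    return bool(location_permissions(manifest_xml))


if __name__ == "__main__":
    for label, manifest in (
        ("sample manifest", SAMPLE_MANIFEST),
        ("sample manifest + fine location", SAMPLE_MANIFEST_WITH_LOCATION),
    ):
        print(f"{label}:")
        for perm in sorted(declared_permissions(manifest)):
            print(f"  declared: {perm}")
        print(f"  can request location at runtime: "
              f"{can_request_location_at_runtime(manifest)}")
```

Run it against a real decoded manifest by reading the file into `declared_permissions`; if the location set comes back empty, no runtime prompt (from native code or from a WebView's geolocation callback) can grant the app location.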
There's a specific writing style for globalized English that AIs use. And then this post also had none of the stylistic flourishes that a real author might add. And then simple things like constructing a table of 68 libraries or whatever organized by relatively subjective categories. That is something that nobody is going to do by hand.
There is a new term "load-bearing" which is used a lot in my usage of AI. Has anyone else encountered this term being used a lot in their conversations? Or is it a quirk of personalization?
I use load-bearing all the time in conversation. People need to be careful that just because they don’t use certain phrases, it doesn’t automatically mean AI.
Both you and parent are making a lot of load-bearing assumptions.
As someone who likes to use a lot of em dashes in writing -- the 'heuristics' that AI 'hunters' like to use need a lot of further refinement before I would trust them with anything. And yet there are legions of anti-AI crusaders out there wielding them like weapons.
These folks are reinforcing a bias against all kinds of people, particularly those who are not native English speakers and were very likely taught 'globalized' English in their language training.
There are also fashions. So people could be using "load-bearing" more because it's fashionable. Like "lets double-click on that", or "spinning rust", etc
I've heard it a lot from podcasts that are towards the abundance movement. I think it's common within the rationalist movement.
Personally I really like it for "load-bearing assumptions", because it lets you work with assumptions whilst pointing out the potential issues of that assumption.
Apparently just like OP, you didn't read the article either. Just because the app doesn't ask for permission in the manifest doesn't mean it can't be acquired at runtime. It's very publicly documented [0].
> Haven't you heard? It's cool to dislike things "because AI".
There's no explicit rules against it, but I cannot stand this type of sarcastic I'm-anti-everyone-else commentary. Super reddit-coded, and you could have made your point without it. There's a lot of discussion to have about that point actually, but I'm pretty sure we've all been collectively scrolling long enough to just kind of roll our eyes at this stuff.
I read through it. I get some AI vibes. Probably a little bit of both.
It can request with a JS call. It can't passively collect it without you approving first. The article is written like calling that JS function will turn on location tracking without consent.
That would allow you to see the local network IP (not actually sure you even get that, tbh). To get more detailed information about IP configuration, you need Location permission. Been there, done that. Most Android network information calls provide degraded information if you have not been granted Location permissions.
It doesn't have to lie: unfortunately libraries that are essentially a full application themselves (complete with their own permissions) are not uncommon on mobile.
So it could come across a manifest that includes location permissions and some code that would (if enabled) send location, but it might do a bad job properly tracing
I think you should make proper counter arguments instead of dismissing something because they used a specific tool.
Ad-HomineLLM is a logical fallacy IMO and adds little value. I would hope eventually HN and other sites add this to the guidelines similar to other claims like vote manipulation etc.
GP was arguing against the OP, not a comment, and AI written posts are fair game.
Also, the comment you responded to was criticizing the attack on the substance of the post based on who/what wrote it. The comment's neologism actually fits, IMO.
Verizon did manage to convince the FCC that this was enough a problem to change their settlement agreement[0] requiring more frequent unlocks. If you believe their numbers, they lost 700,000 phones to fraud in 2023, although a lot of those were probably any unlocked phone that defaulted on its payments.
Although I don’t like Flock, I’m a bit skeptical of the claims in the article. Most screenshots appear to be client-side JavaScript snippets, not API responses from this key.
In the bug bounty community, Google Maps API key leaks are a common false positive, because they are only used for billing purposes and don’t actually control access to any data. The article doesn’t really prove ArcGIS is any different.
Security for maps is basically impossible. Maps tend to have to be widely shared within government and engineering, and if you know what you're looking for, it's remarkably straightforward to find ways to access layers you would normally have to pay for. It's a consequence of the need to share data widely for a variety of purposes -- everything from zoning debates within a local county to maps for broadband funding across an entire country create a public need to share mapping information. Keys don't get revoked once projects end as that would result in all the previously published links becoming stale, which makes life harder for everyone doing research and planning new projects.
Moreover, university students in programs like architecture are given access to many map layers as part of the school's agreements with the organizations publishing the data. Without that access, students wouldn't be able to pick up the skills needed to do the work they will eventually be hired for. And if students can get data, then it's pretty much public.
Privacy is becoming (or already is) nearly impossible in the 21st century.
Even in mainland China, where iOS does have a large amount of changes to comply with local regulations, Apple does not pre-install any apps from anyone.
China doesn't require pre-installed apps, but the Chinese government requires all data processing and storage to be conducted within China with complete source code access.
India chose to back off on data sovereignty [0] because it would have had a side effect of making Indian IT Offshoring less competitive plus to help make negotiating a US-India BTA easier [1].
I don't think there is any reason to assume they would allow forced code execution just because they allow data residency for mainland accounts. And unfortunately, China is likely a much larger and more profitable consumer market than India - presumably they can still export phones produced inside India without this.
This is an interesting point. Is there anyone in mainland China who does not have WeChat plus AliPay installed? It is hard to live without it! Literally, you can buy a kilo of veg from a wet market stall and pay with AliPay.
GFW does indeed have man-in-the-middle capabilities, per the recent leaks of Geedge tech used in it. Your laptop might throw a warning for the fake signed cert, but devices in China that trust Chinese root CAs would not.
It’s great that you have coverage across multiple countries. I’ve noticed most budget apps cannot handle multiple currencies at all, much less automated sync across multiple countries.
That's indeed the idea! It started with me finding out that I'm missing out on a lot of great personal finance apps because bank sync is mostly catered towards the US, and mostly uses a single provider, so I wanted to change that :)
Not an expert but my understanding is that active authentication only occurs after the basic “I can see the MRZ data” authentication passes first. You can’t skip proving you can read the MRZ in any scenario.