> The article does not claim the app requests the location. It claims it can do it with a single JS call.
so can ... any other code anywhere on a mobile device? That is how API work...
> The article does not claim the app requests the location. It claims it can do it with a single JS call.
so can ... any other code anywhere on a mobile device? That is how API work...
You need to state the permissions you *may* request/use in AndroidManifest.xml. This data can then be displayed to users pre-installation.
From the (limited) article, it doesn't seem they do this: https://thereallo.dev/blog/decompiling-the-white-house-app#p...
----
EDIT: I'm mistaken. From the Play Store[0] it has access to
* approximate location (network-based)
* precise location (GPS and network-based)
[0] https://play.google.com/store/apps/details?id=gov.whitehouse...
This seems to disagree with:
> The location permissions aren't declared in the AndroidManifest but requested at runtime
*shrug*, someone should dig deeper. It looks like the article may not match reality.
What version do you see? 47.0.1 doesn't have that for me: https://news.ycombinator.com/item?id=47557033
Very unusual: 47.0.1 is showing these permissions when on my MacBook viewing the store entry.
The Play Store doesn't show these permissions when viewed on my Pixel 9 Pro, and the APK doesn't have these permissions when downloaded/extracted.