I switched to using PWAs for social media apps for similar reasons the author outlines. A pleasant, but somewhat unintended consequence is that I just use them a lot less because the experience is pretty bad. It makes me a little sad because I’ve always believed in the PWA dream, but the reality is that they’re bad because companies certainly don’t want to make an experience that rivals the app they really want you to download.
Expected, but just leads to reinforcing the idea that PWAs won’t ever be as good when every one people try from someone with a popular app is so awful.
What's funny is that desktop versions of websites in a lot of cases are responsive, and work fine on a small screen. BUT at the same time the mobile version is crappy and lacks some features (or just shows "download our app").
Recently I've set up Firefox on Android so that it always runs in desktop mode. I needed to also change screen width in about:config, because otherwise everything is too small. But after this websites seem to work better.
Quite likely that the site has a mobile "mode" and a small-screen mode (for desktop), each made by different teams. Some mobile-mode websites are fine, but others suck. Whereas the small-screen mode for desktop tends to be made by the same team/person as the main site (it's a CSS media query after all), so it's likely to be more coherent.
And you don’t realize that social media apps put cookies on other websites so they know you have been to another website and then start showing you ads based on your interests?
Apps can’t tell what you do in other unaffiliated apps nearly as easily at least now on iOS that there is no globally unique identifier that apps can use to track you.
Apps require you to sign in so they've got you immediately. They can share all your activity with whoever they want. Websites (many) do not require you to log in (YouTube, Reddit, Hacker News, etc.)
Apps also try to open all links into their own webview, a webview in which they can track all activity.
All privacy-respecting browsers block 3rd party cookies by default now, which prevents that kind of tracking. There are still other forms of fingerprinting they can use, but those can be used in apps as well.
PWAs can be good, but for a lot of social media, they're only as good as their website experience. Many (most) companies seem to make their website intentionally slow and buggy, probably with the idea that users only need to use their web UI for a short while because they lost access to their apps or something.
For instance, I've installed Mastodon as a PWA and it performs great. Photoprism also works so well I haven't even bothered to look for an app.
The absolutely batshit insane part is that the 'native apps' are almost certainly created using web technologies which call the exact same APIs as the web app.
There's zero reason the web apps should be so slow.
You can't use Facebook Messenger on the web at all, unless you go to Facebook and switch to the desktop version. Then it's a simple matter of zooming in without accidentally clicking anything, using their fiddly interface to load up the conversation you're interested in, and get bounced around the screen as the input focus changes around.
I don't know if big companies even know how to make web apps. Honestly. Which is extra insane to me because there's so much investment in web technologies. On my team at $BigTech there's like 1 or 2 people out of 30 people on our team that know web, the rest are mobile. I'm a web guy but I refuse to touch our web-app because they butchered the tech stack and I don't have the energy to deal with that BS. We still have a mobile-web version distinct from the 'desktop' version because... I don't know why, whoever wrote it never learned about responsive web design and we never bothered to move out of the stone ages because if people want to use the app on their phone, they should download the native app of course! And by "native" I mean we built our own half-baked framework so that we could cross-compile for Android and iOS.
Also I don't think these people know how capable PWAs are. There's very little you can't do in a web-app that you can do with a native app.
I have had a FOSS web app for learning arithmetic for quite a few years. I occasionally review it, and make changes. Each year Chrome and Safari both nip at the edges of what allows a PWA to be OK. No one really cares until one has to write documentation helping folks install the PWA and avoid issues that did not affect the PWA a few years ago. I mean really, are Tim and Sundar really that afraid?? I guess so. They have dozens of millions on the line. Capitalism... gotta luv it.
Hmm, I'm making a site and I planned on using a PWA for the app experience instead of a native app. Am I setting up for a bad time? I'm not too worried about the installation hurdle, my potential early adopters are motivated and smart.
If you're using React, I'd recommend using Silk (silkhq.com) to create native-like bottom sheets, pages, sidebar, etc.
Most animations, including the swipe, are hardware-accelerated, and it deals with a lot of common issues you encounter on the mobile web (body scrolling, on-screen keyboard, etc).
Native phone apps give me the creeps. I assume the developers are able to track me in various ways even without my giving permissions. Is that an unfounded fear on my part?
Can an app uniquely identify me if I don't give it control over my phone number / nearby devices?
Can apps geo-locate me if the location permission has not been granted? (seems like they could just make a network request to their servers and use the IP address of the request for a rough idea).
I _really_ wish using the network was a permission (even if it was an "advanced mode" thing).
Android 15 supports Private Space [0] that is essentially a separate profile you can install apps into that you can put to sleep. Basically I put all low trust apps into it, but can still access easily enough.
Network is a permission on Android, it's just that phone manufacturers and likely Google don't want you to be able to control it. Most custom ROMs, including GrapheneOS expose it properly, often at the install dialog.
On the Play Store you can see the permissions that an app uses and they are grouped by category. "Have full network access" is set in the "others" category, same as notifications and vibration. This is a category where (supposedly) permissions are automatically granted.
But to be honest, other similar dangerous permissions like "view network connections" and "receive data from internet" are also there, categories are for "camera", "microphone" etc.
I suppose that the average user is more concerned about specific features, and since basically almost all apps require internet it may be there to avoid noise.
Still, an "internet" category would have been nice...
In the beginning of Android / iOS, just installing an app and registering was enough for the company to get your device's MAC address and thus your indoor location with accurate precision.
They could access your Wi-Fi network's BSSID (whose location is often public due to wardriving databases), and in public places, they had partner companies (malls, airports, etc.) whose routers would triangulate your position based on Wi-Fi signal strength and share information like "John is in the food court near McDonald's."
All of this happened without you even needing to connect to their Wi-Fi, because your phone used to broadcast its MAC address if the Wi-Fi was simply on. But now your MAC is randomized, though it took a lot of time for Google / Apple to do this.
What do you mean? The MAC address is used to identify the device within the same network segment. A program running on the device cannot derive location information just from the MAC address. It's a meaningless number. What the MAC address can do is make you visible to other devices in the same network segment. So for example, a wireless router can know you're nearby because your known MAC address has joined the network, but this is a problem regardless of what apps your phone is running.
Simply your IP address can be used to track you so any app or website you visit knows roughly where you are with every HTTP request unless you use an always-on VPN. It can also fingerprint you in various ways without the need for any special permissions.
Agree with you about fingerprinting (also a bummer). I guess the difference here though is that I must be actively engaging with a website in order for it to be tracking me, but an app (I assume) can be tracking me basically whenever it wants.
iOS always asks for permissions. I suspect the same is true for unrooted Android.
But the general pattern is that you install some stupid vendor crapplet, and the first thing it does, is ask for every permission on your phone. Native apps can access a lot more stuff than ones restricted to a WebView sandbox. That's why they want you to use them.
You realize that if you are concerned about apps tracking you without you explicitly giving it your location, a website could do the same since there are browser APIs that can retrieve the same information only gated by the same OS controls?
When you go to a website, they have always known the originating IP address.
Not entirely true. Browsers are paranoid by default (because visiting a website is as easy as clicking a link). Operating systems aren't (because the user explicitly installed an app, it's been "vetted" by app store experts, and because... well, the OS vendor wants you to build native apps and not a website, so they have to make it worth the extra trouble of building a separate app for each platform instead of one website that works everywhere).
Also, browsers tend to bring their own sandbox (on top of what the OS already does). For example, Chromium was able to mitigate Meltdown/Spectre before OS vendors shipped an update (except on iOS where browsers can't bring their own engines, so iPhone users had to wait for Apple to ship an OS update...)
100% agree. The level of tracking has gotten to absurd levels.
I needed a couple of grocery items and happened to be next to an Amazon Fresh. Cool, let’s try it! Went in, found everything I needed and went to self checkout. When it was time to pay, the machine wouldn’t accept Apple Pay. I ask an employee who helpfully informs me that I can pay with physical cards or my Amazon account.
I didn’t have my physical cards, nor wanted to do my Amazon account so I had to leave empty handed. Why don’t they accept Apple Pay? Because they can’t track you. If you use a physical card, they can likely link that card number to an Amazon account and thus attribute the purchase to a person. If you pay with contactless payment they get a one time token that they can’t tie to anyone.
IIUC, contactless payment via apple pay does have a secondary card number of sorts that's linked to your original card.
I once accidentally paid for AppleCare with apple pay (a mistake), so when at some point I switched phones I had to get new secondary card numbers tied to my physical cards. The old secondaries went away when I wiped my old phone, so AppleCare was no longer able to draw the monthly payment. The number in the invoice was likewise not the original physical card number, but some other number.
Whether the secondary numbers are easier or impossible to track is certainly a question, but I believe there's always a number.
Walmart is the same. I believe it's very very slightly more expensive to process Apple Pay payments (Apple's getting a tiny fractional amount of the sale), and this was the actual sticking point.
Walmart rolled out their own QR code payment plan just so they didn't have to revshare anything. When you're the size of Walmart, you can get away with those types of decisions even though they are technically very much inferior
No, they don't. Apple isn't involved with the transaction processing at all, the phone just acts as an EMV device to transmit the payment details to the terminal.
One possible future to look forward to is one where everyone is essentially forced to become a commodity player that exposes an API for your AI Agent to order food, book a rideshare, book a ticket, check flight status or whatever. I don't think they'll go willingly but the market may force their hand.
"never hand your phone over the counter" - do people actually hand over their phones to random strangers? I'd never do that unless I really know the person
Yeah I've seen younger people hand it over to railway workers, airport gate agents, event employees etc whenever something does not immediately work or the worker has a query. Very reckless and pretty common
Incredibly concerning, but it's just another outcome of anxiety disorders
Blogger in question here, Taiwan is so utterly app dependent it's a pretty common thing at banks, hospitals etc. And the apps here have so atrocious UX that nobody bothers to teach you how to use them, staff are used to just doing things for e.g. old people that can't figure it out.
Giving your phone number is just as bad. I was buying stuff at World Market and they had big signs touting 20% off some things... but when you got to the counter they told you that you didn't get that unless you coughed up your real working mobile number so you could receive some BS code.
I'll do you one better, download a no root firewall that channels all of your traffic through a fake VPN which then drops it. You will be amazed at how many ads you don't see.
Obviously if you're not competent or are lazy with whitelisting apps when you need them to use the internet and then disabling it again this will be unhelpful to you; continue to feed the machine.
I am not super technical (blue collar electrician) but I use a PiHole (/r/PiHole or Pi-Hole.net) to block the majority of online tracking/advertising.
Extremely intuitive, relatively inexpensive... you can even force your entire network to obey ad-blocking lists (I tell my DHCP router to issue DNS lookups to PiHole; if individual machines need to be un-filtered they manually set DNS to 192.168.0.1 [router] instead of default PiHole).
I don't carry a cell phone / use apps, but I know there is a method to make your on-the-go queries also filter through your home network's PiHole.
Very similarly, I use NextDNS, with all the filters enabled except few exceptions that I manually add.
It's basically like a Raspberry Pi hole; but on cloud, very easy to configure and with so many options and ready-to-use blocklists. It's free up to 3 million queries a month.
On Android there's a gotcha - Google Play services is capable of acting as a transparent proxy so remember you MUST also disable Google services framework / Play services internet access to truly block some apps from using the web (I learned this when a webcam app 'icsee' bypassed the VPN firewall by using Play services proxy network access).
There is a bug in older Android which allows data to leak past the VPN while the device is starting and if you disable/enable the VPN connection mid connection.
Facebook appears to have a caching component as it will send a large databurst when its connection is restored.
Here's a typical article but the reason firewall isn't standard is you won't get ads and that juicy data stream stops. You will find some apps punish you for restrictions to their internet - learn which ones and uninstall them.
https://www.airdroid.com/mdm/android-firewall-settings/
> A company will know that you just got paid and so charge you just a bit more for your chicken nuggets than they do when you haven’t been paid in two weeks.
I know there's various data apps can collect. On iOS at least it seems like you have to grant permission for the app to access most of it. But how on Earth is this supposed to work? How does the app on my phone know if I just got paid?
Thanks for sharing.
Maybe the best web app I've used.
Uber for example doesn't seem to work from my phone browser.
What surprises me is how many engineers must be involved in this kind of scummy shit and keep it tightly under wraps.
And then their app is just a webview wrapper. But that still gives them more access to your device.
Remember when uber wouldn't work for regulators either?
https://en.wikipedia.org/wiki/Controversies_surrounding_Uber...
and don’t mentally differentiate how they’ve put it on their homescreen once it’s there.
Plenty of great crossplatform webapps, if you’re not exclusively using social media or spyware. Often even if you are!
Disclaimer: I'm the creator of Silk.
[0] https://support.google.com/android/answer/15341885?hl=en
What I want to do is hide my address book and gallery from the app.
No. Especially with the value of data. Many apps just link into some advertising SDK that does anything it can get away with.
And it is unfortunate that people are shamed for being conservative (want a tinfoil hat?)
https://netguard.me/
https://github.com/M66B/NetGuard/blob/master/ADBLOCKING.md
Even browsers can identify* you, if they really want to.
*not as cleanly though, could be tricky for fingerprinting to track one user across different devices/browsers/networks.
Recent discussion on fingerprinting: https://news.ycombinator.com/item?id=46016249
https://localmess.github.io/
No thankee.
Given the security record of app stores, probably not.
(It appears that Amazon Fresh has not opened any locations in MA. That's fine with me.)
Apple charges for the interchange.
This is the same reason that Walmart doesn’t accept it.
Walmart doesn’t accept Apple Pay because they want you to use their app and think they are big enough not to.
See ya, jerks.