[photochemsyn]

This is a fairly broad problem across the whole phone app world, isn't it? For example, I bought an iOS app for LAN analysis, but then deleted it when it turned out it wouldn't work unless you gave it access to your physical location (I assume that was for their data marketing side business).

Also, any data information collected by a US company also has 'a nonzero chance of being handed over to the American authorities for any reason whatsoever'.

The only real solution is data protection laws that can be enforced not just by governmental authorities, but also by individual and class-action lawsuits against companies that violate those laws.

[sofixa]

> This is a fairly broad problem across the whole phone app world, isn't it? For example, I bought an iOS app for LAN analysis, but then deleted it when it turned out it wouldn't work unless you gave it access to your physical location (I assume that was for their data marketing side business).

I don't know how iOS works, but on Android location data permissions are requested for anything involving networking (including Bluetooth, WiFi). Why? Because access to those could be used to estimate where the user is physically located, so gating it behind the location permission is a good way to ensure nobody exploits that. It's not necessarily obvious when you're presented with the permission screen though.

[magic_hamster]

If it's really a case of gating permissions, I still don't like it.

I used a few apps that utilize Bluetooth without asking for location, even when they aren't the obvious use case (like headphones), although admittedly it's been a while since then.

Afair, I don't recall the Mimo app asking me to turn on wifi for the stabilizer. But maybe yes and I just turned it off after connecting to the device. The operation of the stabilizer is through Bluetooth.

[squeaky-clean]

For the majority of smartphone's existence no permission was necessary, probably because no one ever considered it. Then it was learned stores, for example Target, were using their mobile app to broadcast Bluetooth signals in order to track shoppers movement around the store. So around 2019 Android added it to the general location permission to use Bluetooth for anything other than audio transmission to/from a paired device if device pairing is handled by the OS, hidden from the app.

In late 2021 Android changed it to a separate "ACCESS_FINE_LOCATION" permission, while Apple still keeps it under the general bluetooth permission (while the popup mentions it can be used to track your location).

[autoexec]

> So around 2019 Android added it to the general location permission to use Bluetooth for anything other than audio transmission to/from a paired device if device pairing is handled by the OS, hidden from the app.

Stores don't need your permission or even their own app to be installed on your phone in order to use bluetooth to track people as they move around their stores. If you have bluetooth enabled on your device at all it can be used to track you.

The store just needs to place inexpensive low powered beacons around their store and they will record and log every device that passes within range.

[sofixa]

I think the person you're responding to is misremembering the scandal. It was that Facebook, Google and similar (iirc it was mostly Facebook, Google were doing this with WiFi networks they had built an index of through Street View) would use Bluetooth on your phone to scan for nearby devices, and match them against known other devices and their location, thus deducing who you meet and where.

They even have a patent for that exact thing: https://www.wired.co.uk/article/facebook-phone-tracking-pate...

[squeaky-clean]

No. It was the Target app and it associated it to your Target Circle account.

https://techcrunch.com/2017/09/20/target-rolls-out-bluetooth...

[squeaky-clean]

But if they want to match it to your Target Circle account they need you to be using the app. Also iOS uses BLE address randomization to make tracking a specific individual more difficult. Having your app blast out a known ID bypasses this

https://techcrunch.com/2017/09/20/target-rolls-out-bluetooth...

[magic_hamster]

> This is a fairly broad problem

Permission greed is definitely an issue but it's still the choice of every developer, and there are still plenty of apps that do not do this. You were right to refuse using the app if you don't trust it.

> Handed over to the American authorities

At least on paper they need to have a reason, unless the corporation is very accommodating which also happens. But some companies are more strict about this and at least in theory accessing private information is not as easy in western countries. Or so I'd like to believe. I'm not sure in China you can tell the government official to come back when they have a warrant in a meaningful way.

> The only real solution is data protection laws

Sign me up! Unfortunately, the current state of things makes a lot of money for some parties, and legislators don't really have an incentive to do anything about this. However, it sends a very clear message when the Pentagon closes the door on some companies or when certain vendors like Huawei or ZTE are banned altogether.

[myself248]

> At least on paper they need to have a reason,

No they don't.

They need a reason to get a warrant. But if they simply buy the data from a broker, they don't need any reason at all, and there is utterly no oversight.

[ryandrake]

> Permission greed is definitely an issue but it's still the choice of every developer, and there are still plenty of apps that do not do this. You were right to refuse using the app if you don't trust it.

In fact, at least for Apple, their app store guidelines have, for a long time, prohibited apps from refusing to work without permissions. The app is supposed to gracefully degrade if the user does not consent to any particular permission. Their language seems to have softened[1] a bit since I last looked at it, but the intent is pretty clear: The developer can't just kill the app or prevent it from being used just because someone denied a permission.

1: https://developer.apple.com/app-store/review/guidelines/

[WrtCdEvrydy]

> but then deleted it when it turned out it wouldn't work unless you gave it access to your physical location (I assume that was for their data marketing side business).

In order to use bluetooth or internet access through wireless means you must request location access because it's assumed that you can match a person's location with the access points and bluetooth devices around them (BL beacons). It sucks but Android is semi-right on it. Something that doesn't use wireless means of communication doesn't need location access.

[dTal]

That seems a bit broken. The permission to send data over the network should be distinct from the permission to know the name of the SSID.

[happyopossum]

iOS handles this differently - there is a distinct permission for accessing local networks and devices, and another for location. Within location, you can choose precise or vague.

[squeaky-clean]

Sort of off-topic complaint, but I wish Apple didn't make the Precise Location permission status viewable by apps. There's no reason they need to know if I'm obfuscating my location from them, and many apps look for this setting and refuse to work with Precise Location disabled.

For example the McDonald's app doesn't allow you to use coupons unless you enable the precise location permission.

[WrtCdEvrydy]

Some of it comes down to whether the app should rely on that positional data... like for catching an uber or something.

I do think that's exploiting the ecosystem and I have a feeling one well placed complaint with Apple would cause a stern message to McDonald's... does the app tell you it's because of your location accuracy?

[squeaky-clean]

It specifically says to turn on Precise Location

https://imgur.com/a/zrs0rQl

For reference, you can click any deal and get a 6 letter code to use in-store at the counter or on their touchscreen ordering booths. But you can't see the code unless you give them precise location.

[WrtCdEvrydy]

So android provides "coarse" or "precise" which maps to "wireless" or "gps" but the prompt tells you the app can get your location for either one.

[petre]

That's just Google muddying the waters and claiming they respect user privacy, but then the phone asks for precise location every single time.

[LeifCarrotson]

> I assume that was for their data marketing side business

You're confused: Their primary business is data marketing. LAN analysis or anything useful the apps might do are a side business at best.