[frizlab]

> it doesn't request location permissions anywhere, despite the claims in the article

The article does not claim the app requests the location. It claims it can do it with a single JS call.

[esprehn]

It can request with a JS call. It can't passively collect it without you approving first. The article is written like calling that JS function will turn on location tracking without consent.

[mattdeboard]

He explicitly says he can't determine it, but that the location tracking as configured will turn on once the user grants consent. All true statements.

How would you have written it differently

[logifail]

"If the user chooses to opt-in and grants location-tracking permission, the app is then, and only then, able to track the user's location?"

[mattdeboard]

You would be lying if you wrote that because you do not know if that is true.

[ceejayoz]

But that's not true; it could easily fallback to other forms of geolocation like using the current IP.

[rerdavies]

That would allow you to see the local network IP (not actually sure you even get that, tbh). To get more detailed information about IP configuration, you need Location permission. Been there, done that. Most Android network information calls provide degraded information if you have not been granted Location permissions.

[quesera]

If an app can make an HTTP request, the app can know the user's public IP address and the geolocation derived from that.

This data has well-known limitations, but I think it is the fallback people are talking about here.

[buzzerbetrayed]

Good lord. So could literally any app on the planet

[dmitrygr]

> The article does not claim the app requests the location. It claims it can do it with a single JS call.

so can ... any other code anywhere on a mobile device? That is how API work...

[david_allison]

You need to state the permissions you *may* request/use in AndroidManifest.xml. This data can then be displayed to users pre-installation.

From the (limited) article, it doesn't seem they do this: https://thereallo.dev/blog/decompiling-the-white-house-app#p...

----

EDIT: I'm mistaken. From the Play Store[0] it has access to

* approximate location (network-based)

* precise location (GPS and network-based)

[0] https://play.google.com/store/apps/details?id=gov.whitehouse...

This seems to disagree with:

> The location permissions aren't declared in the AndroidManifest but requested at runtime

*shrug*, someone should dig deeper. It looks like the article may not match reality.

[Groxx]

What version do you see? 47.0.1 doesn't have that for me: https://news.ycombinator.com/item?id=47557033

[david_allison]

Very unusual: 47.0.1 is showing these permissions when on my MacBook viewing the store entry.

The Play Store doesn't show these permissions when viewed on my Pixel 9 Pro, and the APK doesn't have these permissions when downloaded/extracted.