惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Hacker News
The Hacker News
F
Full Disclosure
Cloudbric
Cloudbric
Blog — PlanetScale
Blog — PlanetScale
W
WeLiveSecurity
N
News and Events Feed by Topic
T
Troy Hunt's Blog
V2EX - 技术
V2EX - 技术
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
B
Blog
GbyAI
GbyAI
C
Check Point Blog
B
Blog RSS Feed
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Recorded Future
Recorded Future
The Last Watchdog
The Last Watchdog
N
News and Events Feed by Topic
T
The Blog of Author Tim Ferriss
O
OpenAI News
V
V2EX
人人都是产品经理
人人都是产品经理
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
IT之家
IT之家
WordPress大学
WordPress大学
www.infosecurity-magazine.com
www.infosecurity-magazine.com
S
Security @ Cisco Blogs
C
Cisco Blogs
Security Latest
Security Latest
S
Security Affairs
V
Visual Studio Blog
C
Cybersecurity and Infrastructure Security Agency CISA
Hacker News - Newest:
Hacker News - Newest: "LLM"
博客园 - 司徒正美
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Microsoft Azure Blog
Microsoft Azure Blog
Last Week in AI
Last Week in AI
AWS News Blog
AWS News Blog
雷峰网
雷峰网
Apple Machine Learning Research
Apple Machine Learning Research
PCI Perspectives
PCI Perspectives
博客园_首页
U
Unit 42
Google DeepMind News
Google DeepMind News
Hugging Face - Blog
Hugging Face - Blog
Project Zero
Project Zero
Cisco Talos Blog
Cisco Talos Blog
The Register - Security
The Register - Security
N
Netflix TechBlog - Medium
L
LINUX DO - 热门话题
H
Hacker News: Front Page

Adactio

June 16th, 2026, 11:12am June 16th, 2026, 10:16am Enhancing with CSS Grid Lanes How building an HTML-first site doubled our users overnight Speaking in Dublin June 13th, 2026, 9:09pm A tale of two browsers Sarah Canary by Karen Joy Fowler June 12th, 2026, 5:59pm The Field Guide to CSS Grid Lanes June 12th, 2026, 12:24pm June 12th, 2026, 8:58am June 11th, 2026, 6:22pm June 11th, 2026, 6:20pm June 10th, 2026, 6:25pm June 10th, 2026, 10:14am June 9th, 2026, 8:50pm June 9th, 2026, 1:55pm June 8th, 2026, 7:45pm June 8th, 2026, 4:32pm Amsterdamming June 5th, 2026, 3:16pm June 4th, 2026, 8:21pm June 2nd, 2026, 8:37pm 25 years of The Session Happy Monday everyone, and let's talk about gender and ethnicity ratios at tech events. AI and the Rise of Mediocrity May 28th, 2026, 7:24pm Picture at an exhibition May 27th, 2026, 9:41pm May 27th, 2026, 1:52pm May 25th, 2026, 8:03pm Gaeltacht cois Tamaise 2026 May 25th, 2026, 3:07pm May 23rd, 2026, 8:06pm May 23rd, 2026, 8:31am May 22nd, 2026, 3:38pm May 22nd, 2026, 8:19am May 22nd, 2026, 7:22am May 21st, 2026, 8:19pm Brigid by Kim Curran May 20th, 2026, 7:12pm The value is in the difficulty - Annotated May 17th, 2026, 6:21pm May 15th, 2026, 4:19pm Tito as Gaeilge The closing talks at UX London 2026 Three things about data WebKit Features for Safari 26.5 May 11th, 2026, 4:17pm I knew my writing students were using AI. Their confessions led to a powerful teaching moment | Micah Nathan Gideon The Ninth by Tamsyn Muir May 8th, 2026, 3:55pm Better Browser Caching with No-Vary-Search May 7th, 2026, 9:55am May 7th, 2026, 7:49am The schedule for UX London 2026 Google’s Prompt API Reminder: You Can Stitch Together Lots of Little HTML Pages With Navigations For Interactions Netizen | Derek Sivers April 30th, 2026, 7:59pm April 29th, 2026, 8:12pm April 27th, 2026, 7:47pm April 25th, 2026, 12:03pm April 25th, 2026, 12:00pm April 25th, 2026, 8:03am April 24th, 2026, 7:57pm April 24th, 2026, 5:12pm Two Paradigms for Enhancing HTML Tags Summary punishment It's Not AI. It's FOMOnetization. Alistair Davidson / validation-enhancer · GitLab Never Lose Form Progress Again :: Aaron Gustafson Dilation Expansion artifacts April 19th, 2026, 6:03pm Finn Mac Cool by Morgan Llywelyn April 17th, 2026, 7:58am April 16th, 2026, 6:42pm Threat models No-stack web development Design and Engineering, As One · Matthias Ott April 14th, 2026, 7:21am April 13th, 2026, 7:47pm April 11th, 2026, 8:39am April 10th, 2026, 5:36pm My salary history Conference organising in 2026 April 7th, 2026, 8:32pm TinyStart AI Might Be Our Best Shot At Taking Back The Open Web | Techdirt April 6th, 2026, 12:46pm The AI Great Leap Forward April 4th, 2026, 6:42pm April 3rd, 2026, 5:27pm April 2nd, 2026, 8:58pm April 2nd, 2026, 4:32pm Web Day Out - 12 March 2026 Mistrust HTML Video Poster Image: Enable Responsive Images and ALT Text for Poster
Native Apps Should Be Avoided Whenever Possible — No One's Happy
No One's Happy · 2026-05-15 · via Adactio

TL;DR: What you should do:

  • Openly refuse apps, and vocally advocate for the web instead.
  • Try not to install any apps if you don’t need to.
  • If a service has a functioning website, use it instead.
  • Revoke all permissions by default, including background location, microphone, and camera permissions for anything that doesn’t require them to function.
  • Audit your installed apps. Uninstall all apps you don’t actively need.
  • Treat every “download our app” prompt with skepticism.

For more information check out my Guide: A Very Basic Framework for Apps to Avoid

Most native apps collect far more data than their website equivalents ever could. They request permissions to hardware, sensors, and background processes that browsers deliberately restrict. The third-party software embedded in these apps frequently transmits your location, device identifiers, and behavioral data to third parties before you even see a consent prompt. This data is in tandem bought, sold, and aggregated by brokers. It has been used to out individuals, track immigrants, and enable prosecution over reproductive healthcare.

The White House App

On March 27, 2026, the Trump administration released an official White House app for iOS and Android. Within hours, two independent security researchers decompiled it and published their findings. [1] The app is a textbook example of everything wrong with the native app model.

Apple requires apps to submit a privacy manifest disclosing what data they collect. The White House app declared an empty array. Zero data collection. Meanwhile, the actual binary contained ten analytics frameworks, including the full OneSignal SDK with a sub-framework specifically for location tracking. [2] The GPS pipeline polled precise coordinates every 4.5 minutes in the foreground and every 9.5 minutes in the background, syncing everything to OneSignal’s commercial servers. A boolean flag in OneSignal’s server responses could remotely enable or disable GPS tracking without an app update and without Apple review.

An Exodus Privacy audit identified three embedded trackers, one of which was Huawei Mobile Services Core. [3] The app’s privacy policy, last updated January 20, 2025, makes no mention of GPS tracking, OneSignal, or background data collection.

Nearly everything in the app is available on whitehouse.gov. The app’s unique additions are push notifications, a pre-filled text message to the President, and an ICE tip button (also available on ice.gov). What it actually added at scale was a surveillance pipeline: 77% of the app’s network requests go to third parties, not whitehouse.gov.

The Software Embedded in Apps

Most people think of apps as products built by a single company. In practice, the average app is a thin wrapper around dozens of third-party software packages, each with its own data collection pipeline and commercial incentives. When you grant an app permission to access your location, every package embedded in that app inherits that permission. A single package can appear in hundreds of apps, feeding location data on millions of people to a single aggregator.

In January 2025, a hacker breached Gravy Analytics and leaked roughly 30 million location records collected from 3,455 apps — dating, fitness, gaming, and health apps among them. [4] The FTC subsequently banned Gravy Analytics from selling Americans’ location data, [5] but by then the data was already circulating on cybercrime forums.

In a separate case, Google paid $391.5 million to settle claims from 40 states for continuing to collect location data even when users explicitly disabled location tracking. [6]

Why Everyone Should Care

Governments are some of the biggest buyers. Military and intelligence agencies purchase location data from prayer apps, dating apps, and fitness trackers. [7] Immigration enforcement uses it to locate and detain people. Police departments buy it to surveil suspects, protesters, and entire neighborhoods — sidestepping warrant requirements entirely. [8] Courts have issued “geofence” orders demanding records on every device near a location at a given time, sweeping up everyone at a political rally, a school board meeting, or a gun show alongside any actual suspects. [9] After Roe v. Wade was overturned, law enforcement used location data to track trips to abortion clinics. [10] None of this required a court order, because the data was commercially available.

It’s not just governments. Employers buy location data to monitor workers. Stalkers and abusive partners exploit family tracking apps like Life360. Insurers, landlords, and advertisers all participate in the same marketplace. Data brokers sell information sorted by sensitive categories: people who visit addiction clinics, people who attend certain churches, people who go to gun shops and shooting ranges. [11] The same data that tracks someone to an abortion clinic tracks someone to a firearms dealer, and nothing prevents a future administration from using it to build an unofficial gun owner registry without passing a single law. Nothing prevents a foreign adversary from buying it either — China, Russia, or any nation-state can purchase American location data through the same brokers that sell to U.S. companies. [12] There are virtually no restrictions in the United States on buying, selling, or weaponizing this kind of data. There is no comprehensive federal privacy law. And there isn’t likely to be one soon. The best we can do is minimize the data we share in the first place.

What Apps Can Do That Websites Can’t

Update (May 22, 2026): This section has been updated with corrections from Alex Russell, who helped design many of the browser APIs that make these capabilities possible. His work on Project Fugu has been instrumental in closing the gap between native apps and the web — while keeping users in control. Thank you to Alex for reaching out and making this article more accurate. His work, and input is incredibly valuable.

The core argument for using the website instead of the app comes down to what each platform is technically capable of doing without your knowledge.

CapabilityNative AppWebsite / PWA
Background location trackingYes, can poll GPS continuouslyNo
Run at device startupYesYes (PWA, with user permission, never in background)
Access biometric hardwareYesLimited (WebAuthn, user initiated)
Modify or delete device storageYesLimited (File System Access API, explicit user permission per file/folder)
Embed invisible third-party softwareYes, all inherit granted permissionsNo, scripts visible in page source
Transmit data before consent promptYes (common with third-party software)Restricted by browser policies
Push notifications while closedYesYes (PWA, user opt in required)
Access contacts, call logs, SMSYes (if permitted)Contacts only (Contact Picker API, explicit per-selection)
Prevent phone from sleepingYesYes (Screen Wake Lock API, with user permission)
Camera and microphoneYes (persistent if granted)Yes (per session, prompted each time)
Offline functionalityYesYes (via service workers)

The pattern is clear: where the web has closed the gap, it has done so with explicit user permission, visible indicators, and no silent background operation. Native apps inherit permissions across every embedded third-party package and can operate without the user’s awareness. The browser is the security boundary. Websites operate within it. Native apps bypass it.

The Access Provided by Default is Enough to Do Real Harm

The moment you install an app, before you allow a single permission prompt, it can:

  • Reach any server on the internet
  • Read your IP address, device model, OS version, timezone, country, carrier, and network type
  • Generate and persist a unique identifier tied to your device
  • Run code at device startup (Android) and wake up in the background
  • Fingerprint your device by combining the above into a signature that follows you across sessions
  • Grant all of this same access to every third-party software package embedded in the app
  • Compare this data to other datasets to infer your identity, demographics, interests, and habits

The runtime permission prompts you actually see (location, camera, contacts) are helpful while annoying, but the majority of the default access permissions do not require your consent.

A website, by contrast, starts with almost none of this: no persistent identifier, no background execution, no third-party software inheritance, no startup hooks.

Some Things Need to Be Apps, But Most Don’t

Some things need to be apps. AR and VR, real-time games, anything talking to NFC or Bluetooth hardware, serious audio and video work, accessibility tools. These are legitimate cases where the browser sandbox is the limitation. In these circumtances, I personally use a full computer as opposed to my phone.

Almost nothing else qualifies. Your banking, your travel, your grocery store, the restaurant down the street — none of it needs an app. And rewards be damned. No rewards are worth the data you are willingly giving them.

Same goes for hardware. If a thermostat or a fitness tracker can’t be set up without a proprietary app, that’s a flaw in the product, not a feature. I immediately avoid such products. You’re buying an ongoing relationship with someone else’s servers and guaranteeing that you’ll forget that corporations are watching everything they can.

Conclusion

I avoid most apps. It turns out this is easier than most people assume, because the app is almost never the only option. It is just the option the company wants you to take and not enough people question.

We are at a very specific time in humanity right now. Where aggregating data is a currency, and it is actively being utilized at a scale never before seen. I recommend you at least take stock of what you’re freely giving away.


References

1. I Decompiled the White House’s New App (Thereallo, March 28, 2026) and Security Analysis of the Official White House iOS App (atomic.computer, March 27, 2026). Two independent researchers decompiled the app on Android and iOS within hours of release.

2. Security Analysis of the Official White House iOS App (atomic.computer). Documents the empty privacy manifest, OneSignal SDK with ten sub-frameworks, and the remote GPS toggle via server response.

3. Exodus Privacy Report: gov.whitehouse.app. Automated audit identifying three embedded trackers including Huawei Mobile Services Core. Additional context in Fedware: 13 Government Apps That Spy Harder Than the Apps They Ban (Sam Bent).

4. A breach of Gravy Analytics’ huge trove of location data threatens the privacy of millions (TechCrunch, January 13, 2025). For the specific 3,455-app figure, see Gravy Analytics leak: How to protect your location data (Kaspersky, February 18, 2025).

5. FTC Finalizes Order Prohibiting Gravy Analytics, Venntel from Selling Sensitive Location Data (FTC, January 14, 2025).

6. Google to pay $391.5 million in location tracking settlement with 40 states (TechCrunch, November 14, 2022).

7. Location Tracking Tools Endanger Abortion Access. Lawmakers Must Act Now. (EFF, December 6, 2024). Documents military, ICE, and law enforcement purchase of commercial location data.

8. Fog Revealed: A Guided Tour of How Cops Can Browse Your Location Data (EFF, August 31, 2022). Documents how Fog Data Science purchased billions of location data points from apps and sold access to local law enforcement agencies without warrants or public oversight.

9. Tracking Phones, Google Is a Dragnet for the Police (New York Times, April 13, 2019). Documents the Sensorvault database and geofence warrants sweeping up bystanders.

10. A mom and son are charged in Idaho after a teen is taken to Oregon for an abortion (NPR, November 2, 2023). Police used cellphone geolocation data to track the trip to a Planned Parenthood in Bend, Oregon.

11. Facebook Promised to Remove “Sensitive” Ads. Here’s What It Left Behind (The Markup, May 12, 2022). Documents how sensitive ad-targeting categories (race, religion, health, sexual orientation, political causes) persist in the ad-broker ecosystem despite stated removals. See also The Markup’s Blacklight tool for real-time third-party tracker inspection.

12. Data Brokers and the Sale of Americans’ Mental Health Data (Joanne Kim, Duke University Sanford School of Public Policy Tech Policy Lab, February 2023). Researchers purchased sensitive data on U.S. military personnel and mental health patients from data brokers, demonstrating that foreign adversaries could do the same. See also GAO: Internet Privacy — Additional Federal Authority Could Enhance Consumer Protection and Provide Flexibility (GAO, January 2019).