What's funny is that desktop versions of websites in a lot of cases are responsive, and work fine on small screen. BUT at the same time the mobile version is crappy and lacks some features (or just shows "download our app").

Recently I've set up Firefox on Android so that it always run in desktop mode. I needed to also change screen width in about:config, because otherwise everything is too small. But after this websites seem to work better.

And you don’t realize that social media apps put cookies on other websites so they know you have been to another website and then start showing you ads based on your interests?

Apps can’t tell what you do in other unaffiliated apps nearly as easily at least now on iOS that there is no globally unique identifier that apps can use to track you.

PWAs can be good, but for a lot of social media, they're only as good as their website experience. Many (most) companies seem to make their website intentionally slow and buggy, probably with the idea that users only need to use their web UI for a short while because they lost access to their apps or something.

For instance, I've installed Mastodon as a PWA and it performs great. Photoprism also works so well I haven't even bothered to look for an app.

I'm convinced many companies purposely gimp their web sites to drive people to apps.

Uber for example doesn't seem to work from my phone browser.

What surprises me is how many engineers must be involved in this kind of scummy shit and keep it tightly under wraps.

I have had a FOSS web app for learning arithmetic for quite a few years. I occasionally review it, and make changes. Each year Chrome and Safari both nip at the edges of what allows a PWA to be OK. No one really cares until one has to write documentation helping folks install the PWA and avoid issues that did not affect the PWA a few years ago. I mean really, are Tim and Sundar really that afraid ?? I guess so. They have dozens of millions on the line. Capitalism... gotta luv it.

Personally my experience with PWAs has been solid, on Firefox w control over JS. I still use them a lot less because I don't stay signed in.

Android 15 supports Private Space [0] that is essentially a separate profile you can install apps into that you can put to sleep. Basically I put all low trust apps into it, but can still access easily enough.

[0] https://support.google.com/android/answer/15341885?hl=en

Network is a permission on Android, it's just that phone manufacturers and likely Google don't want you to be able to control it. Most custom ROMs, including GrapheneOS expose it properly, often at the install dialog.

In the beginning of Android / iOS, just installing an app and registering was enough for the company to get your device's MAC address and thus your indoor location with accurate precision.

They could access your Wi-Fi network's BSSID (whose location is often public due to wardriving databases), and in public places, they had partner companies (malls, airports, etc.) whose routers would triangulate your position based on Wi-Fi signal strength and share information like "John is in the food court near McDonald's."

All of this happened without you even needing to connect to their Wi-Fi, because your phone used to broadcast its MAC address if the Wi-Fi was simply on. But now your MAC is now randomized, but it took a lot of time for Google / Apple to this.

> Is that an unfounded fear on my part?

no. especially with the value of data. Many apps just link into some advertising sdk that does anything it can get away with.

and it is unfortunate that people are shamed for being conservative (want a tinfoil hat?)

Netguard solves this, available on the play store and F droid

https://netguard.me/

> Can an app uniquely identify me

Even browsers can identify* you, if they really want to.

*not as cleanly though, could be tricky for fingerprinting to track one user across different devices/browsers/netowrks.

Recent discussion on fingerprinting: https://news.ycombinator.com/item?id=46016249

Simply your IP address can be used to track you so any app or website you visit knows roughly where you are with every http request unless you use an always on VPN. It can also fingerprint you in various ways without the need for any special permissions.

Facebook & Yandex used apps to correlate browsing sessions to the app user.

https://localmess.github.io/

iOS always asks for permissions. I suspect the same is true for unrooted Android.

But the general pattern is that you install some stupid vendor crapplet, and the first thing it does, is ask for every permission on your phone. Native apps can access a lot more stuff than ones restricted to a WebView sandbox. That's why they want you to use them.

No thankee.

You realize that if you are concerned about apps tracking you without you explicitly giving it your location, a website could do the same since there are browser APIs that can retrieve the same information only gated by the same OS controls?

When you go to a website, they have always known the originating IP address.

>Is that an unfounded fear on my part?

Given the security record of app stores, probably not.

They can track you on a website perhaps even more reliably than on an app, at least on iOS…

In Massachusetts, they also would have been required to accept cash, as all business locations are.

(It appears that Amazon Fresh has not opened any locations in MA. That's fine with me.)

IIUC, contactless payment via apple pay does have a secondary card number of sorts that's linked to your original card.

I once accidentally paid for AppleCare with apple pay (a mistake), so when at some point I switched phones I had to get new secondary card numbers tied to my physical cards. The old secondaries went away when I wiped my old phone, so AppleCare was no longer able to draw the monthly payment. The number in the invoice was likewise not the original physical card number, but some other number.

Whether the secondary numbers are easier or impossible to track is certainly a question, but I believe there's always a number.

Walmart is the same. I believe it's very very slightly more expensive to process Apple Pay payments (Apple's getting a tiny fractional amount of the sale), and this was the actual sticking point.

> Why don’t they accept Apple Pay?

Apple charges for the interchange.

This is the same reason that Walmart doesn’t accept it.

If someone had an easy set up for this documented so the less technically-inclined could do so, it’d be a great public service.

You can use my phone number, +61 400 000 000 :)

Because another app knows you got paid, and that information was sold to some data broker, and now McDonald's knows.

For me I have a recurring calendar appointment reminder for when I get paid. So anything that requests calendar access would know that.

Occasionally restaurants to pay for something if you don't have a credit card. But never had them go take it somewhere.

It's definitely dystopian: "we reserve the right to be judged by the judge we have been treating to yearly all-inclusive vacations and to whom we've been paying his grandchildren's college tuitions."

LOL in the name of security, HDFC is trying to move their OTP verification to be almost entirely app-only, (not open-source TOTP which can be generated by authenticator/any other auth app; you can only use HDFC's app for that even if you want to log in via desktop).

Regulators sleeping at the wheel on this one.

Its more than coupons. These apps track your location, usage and so on then sell this data to a 3rd party. Coupons don’t do that. Do you read full useragreement you accept when installing apps? Most people wouldn’t understand the legalese in those.

A coupon could still be an image you find online that can be scanned and that’s it. Apps are totally not necessary unless they squeeze something out of the user.

Individually, yes, each app cannot obtain much data. But all the apps sell their bit of data to a third party, and buy the resulting profile about you, because they can identify you.

So no, the McDonalds app doesn't know when you got paid directly. But it does know that you bought a cheeseburger in the last two weeks of every month, and it knows that your grocery expenses are higher in the first two weeks of every month, and you tend to eat at a restaurant in the first week of every month, and you take less ubers in the last week of every month; it's not hard to conclude that you get paid at the start of the month.

And that's without your banking app selling your info, which it might do. In which case it knows exactly when you get paid, and your probable current bank balance right now when you place your cheeseburger order.

McDonalds has been shown multiple times to use their app to figure out how much someone is really willing to play for their slop: https://www.stuff.co.nz/money/350476761/mcdonald-s-under-fir...

To you and me, the consumer, the value of an app is "the same" as the old loyalty cards. But the value to the company is huge! How often you open the app (how often are you thinking about their food), how often you accept an offer, what the price of the offer is, what card you used to pay, where were you when you opened the app etc etc.

Going to be fun times when in 10 years time they sell all that information to your health insurance provider for them to go "Holy hell" and jack your insurances prices up 5 times over.

But sure, we got 20c off a burger.

That's a beautiful strawman argument; let me have a tussle with it to see if it holds on its own.

First, let's not miss the forest for the trees. We're engaging in a common "hacker" watering hole. Our opsec skills are very likely not representative of what your average person has, and the point of the article is to educate the average person.

Second, most of those apps require you give your pound of data upfront, or they won't work correctly until you grant permissions.

Next, it's not the same if the establishment I'm buying chicken nuggets from ties down my credit card to my identity or if it does the same plus a ton of extra data that I've been forced to grant.

Also, one of the main concerns from the article is surveillance pricing... So yeah, you sure "saved" a bunch ($100) over the course of 1 year at a restaurant, but overall you're worse off because some data broker managed to have all airlines raise your flight prices by $500 because they learned that you're going to have to attend your best mate's wedding.

And last, but not least, the article mentioned the binding arbitration clause that one blindly signs away when accepting the app's ToS:

> Walking into a restaurant to buy a cheeseburger, there’s no way a company can force you to enter a contractual agreement that includes binding arbitration. Downloading an app, however, requires agreeing to a “Terms of Service,” and those can absolutely include a binding arbitration clause, and that clause can be applied even to cases outside the app. This happened to Jeffrey Piccolo when his wife died of food poisoning in a Disney World. Disney made a motion to dismiss because a couple years back, Jeffrey had signed up for a free trial of Disney+, which included a binding arbitration clause, which meant that if Jeffrey wanted to complain about how Disney murdered his wife, they’d have to settle it out of court with a mediator that Disney hired. No jury, no judge, no oversight. [...]

I have no words to describe how depraved that is.

And surely a for-profit extrajudicial court system that holds a monopoly on extrajudicial courts is going to be a fair and impartial resolver of disputes, especially when the defendant is essentially a valued repeat customer and the plaintiff is some nobody and not a major revenue source. What could possibly go wrong?

Arbitration between businesses acting in good faith makes perfect sense. Arbitration between an individual customer of a large corporation is nothing but a violation of that individual's basic rights.

Arbitrage between McDonalds burgers doesn’t really work. It’s not a meaningful open market - someone paying $1/burger can’t go in and buy 100 burgers and sell them to someone else for $3. For one reason, it’s illegal. For another, no one would buy them, they’d think it’s a scam.

Which is why there is such a big push against automated usage of apps/etc, so that nobody could implement such a system.

This assumes the information is clear and consistent enough across time and distance for arbitrage to happen. Pricing in-app, per customer, changing per day would introduce too much unpredictability for most customers to attempt arbitrage. If people in a group all check their apps, and the person with the best prices orders for everyone, it could work in the context of a shared meal.

But imagine trying to sort out X number of people who each want a different basket of items from, say, the Walmart app. Each of those items fluctuating daily in price for each customer independently makes arbitrage almost prohibitively difficult to coordinate.

The best case scenario is something like Steam sales, where a wishlist function notifies you when items you've "watched" are on sale. There are third parties like, for example, Deku Deals that track this pricing data across time for console games.

But Amazon is already trying to banish external AI agents from any access to its data. And what does a price history graph even mean if prices are specific to each customer and stochastically varied each day to induce impulse purchases?

As a teenager I worked at a discount store, and sometimes ran the service desk, which (among many other things) involved processing returns. The returns form included a spot for "phone number", to which some customers would respond, "my number is unlisted". We honored that. Today in the USA, it seems the phone number is the new Social Security Number, which everybody wants to use for tracking. Stores used to give out physical discount cards (which I wasn't keen on either...) but now (obviously because it saves them money) so many stores have switched to a system where your account is tracked through a phone number or an app or both. No thank you.

I often use my old landline number when stores ask me for a phone number. I gave it up about 20 years ago. I feel a little sorry for the guy who has it now (only a little sorry) because whoever it was reassigned to, probably gets many spam calls on my behalf.

The more effective way to do this that is popping up everywhere is a loyalty program that uses your phone number as the identifier. Buy 10 coffees, get one free, but the purchases are only tracked if you input your phone number.

[Your Area Code]-867-5309 is what I always use - alas they are becoming wise to that

This has been a thing since the 1990s when I worked at Radio Shack.

“Can I have your phone number for this order?”

“Nope.”

Already pisses me off that companies make a profile of me based on credit card numbers. I’ve had this number for decades. I’m sure you could build a complete profile of me based on my cell number, and this is the only “social” site I use. I got off fb in 2008, never even joined the rest (twitter, insta, reddit, et. al.) just because my phone number has been raped out of anyone else who has my name and number in their phone.

The fact that apps have permissions settings has lulled you into a false sense of confidence.

Native apps have privileged access to far more personal data on your device. A website has, what, cookies and fingerprinting? You can already mitigate this on Firefox but even if not, it isn't in the same league