On iOS an app developer will need to register in advance which external applications their app intends to query, and the list needs to be very short and motivated. [1]
Incidentally, “I have a friend who says...” isn’t really a good citation anywhere outside Reddit - which HN resembles more and more each day.
[1] https://www.hackingwithswift.com/example-code/system/how-to-...
[1]: https://lsposed.org
[2]: https://github.com/M66B/XPrivacyLua / https://github.com/0bbedCode/XPL-EX
[3]: https://appops.rikka.app
Can’t tell if serious or not [1]. Also any program can read any saved password out of Windows Credential Manager.
They were using this trick to detect unauthorized apps on the phone.
https://blog.verichains.io/p/technical-analysis-improper-use...
[0] - https://gist.github.com/wh1te4ever/c7909dcb5b66c13a217b49ea3...
Google refuses to patch this. I wonder what would happen if you submit it to the Android VDP as a permission bypass.
There’s also this SO question by the author about the bypass: https://stackoverflow.com/q/79527331
https://developer.apple.com/documentation/webkit/promoting-a...
You can get rid of them with the Unsmartifier extension.
https://old.reddit.com/r/apple/comments/q55753/unsmartifier_...
The StopTheMadness extension can also remove them (among many other things... this extension is a must have for me):
Google addressed similar isolation concerns (without breaking a tonne of APIs in incompatible ways) with Private Space and Work Profile: https://source.android.com/docs/security/features/private-sp...
Although not terribly accurate (because of the high variability of page titles), tools like ManicTime and ActivityWatch use window titles to track your browser history if you don't install the browser plugin.
Regardless, MDM installed app visibility is limited to those users who opt-in to an organization managing their personal device, and isn't an effective way to broadly gather what apps a given person has installed. What's described in this post would work on any user/device, and there's no way to deny/opt-out of specific permissions.
[1] https://developer.apple.com/videos/play/wwdc2021/10136/
[2] https://support.apple.com/guide/apple-business-manager/use-m...
Tried putting 20k lines into it. Loaded instantly, allowed me to scroll and edit flawlessly.
But I get your point. I'm on a pretty decent 2022 iPhone, and I'm sure at some stage I would run into a performance hit. But not at 20k lines.
Interestingly XPrivacyLua is not supported anymore and the pro companion app will be removed from the Play store by Google because it uses the permission QUERY_ALL_PACKAGES.[1]
[0]: https://github.com/M66B/NetGuard
[1]: https://xdaforums.com/t/closed-app-xposed-6-0-xprivacylua-an...
I was kind of surprised
https://discuss.grapheneos.org/d/13302-query-all-packages-pe...
https://discuss.grapheneos.org/d/7800-how-to-mitigate-identi...
Later
For the wider audience: though don't take this as GrapheneOS doesn't care about privacy. I'm sure there are reasons (I didn't read all of the linked threads) and it gives you plenty of other protections and tools - eg profiles, ability to disable all network access by app etc
Becoming the middle man is the default model that supports scale. No one has come up with anything else to support a world where avg disposable income is close to 0
The reality is, most webapps for mobile just suck. The UX is nowhere near that of a native application. I don't want any text to be selectable. I don't want pull to refresh on every page. I don't want the left-swipe to take me to the previous page.
You can probably find workarounds for all these issues. The new Silk library (https://silkhq.co/) is the first case I've seen that gets very close to a native experience. But even the fact that this is a paid library comes to show how non-trivial this is.
https://blog.verichains.io/p/technical-analysis-improper-use...
https://www.sencha.com/, the vendor of the ExtJS framework tried to argue that Facebook was wrong (2012): https://www.infoq.com/news/2012/12/Fastbook/
I worked for a company that used Sencha back in the day and wrote the first React integration over their form/datagrid components in 2013. React ate their lunch
Swiggy is actually a small player in terms of permissions requested, with 'only' 47. Compare it to Weibo with 104, Wechat with 93, Facebook with 85, Snapchat with 71 (granted those apps may offer additional services that require some additional permissions, but they are definitely not worth giving them all your data...)
Here is some more information about the conditions in these prisons in El Salvador, CECOT being the most notable one:
> Able to hold 40,000 inmates, the CECOT is made up of eight sprawling pavilions. Its cells hold 65 to 70 prisoners each. They do not receive visits. There are no programs preparing them to return to society after their sentences, no workshops or educational programs. They are never allowed outside. [2]
I believe the term gulag makes sense in that context despite it not being a forced labor camp. Not sure how this relates to Russia at all (apart from the origin of the term obviously).
[1] https://apnews.com/article/rubio-trump-deportations-usaid-f7...
[2] https://apnews.com/article/el-salvador-us-rubio-prison-de912...
> I'm sure there are plenty of system APIs providing this information too, and I don't just mean APIs designed to directly provide the information.
> It's not useful to prevent directly getting a list of installed applications without preventing detecting which applications are installed, so this specific feature request has to be rejected. It would have to be part of a larger, much more comprehensive feature preventing apps from finding other apps. That implies outright preventing communication with non-system components which is a much different approach to applications and rules out a lot of things. [...]
> The request should be for preventing apps from discovering which apps are installed, since anything less than that has no privacy / security value. There's no point in disallowing access to a list while not preventing discovering which apps are installed anyway.
The open issue to restrict app visibility is [2].
[1] https://github.com/GrapheneOS/os-issue-tracker/issues/149#issuecomment-553590002
[2] https://github.com/GrapheneOS/os-issue-tracker/issues/2197
I found this article yesterday and posted it on reddit android, here: https://old.reddit.com/r/Android/comments/1jmwg4w/everyone_k...
0 upvotes, comments filled with what is either depressed sad people or just bots.
Here it's top 2... With mostly interesting comments.
Some subreddits are more dead than others, but r/android has got to be one of the worst.
You can read the reports at https://blume.vc/reports/indus-valley-annual-report-2025 or archives at https://www.indusvalleyreport.com/ .
The ppt in the blog is from the 2024 report - https://docsend.com/view/zqgfupfzyud499hn. The India 1-2-3 framework is old though. IIRC it was coined by a retail sector founder (Kishore Biyani) in the 2000s.
Also Koramangala, HSR layout are also the more affluent localities in Bengaluru.
iOS added fine-grained (at the contact level) access to contacts data last year.
https://lifehacker.com/tech/you-can-control-which-contacts-a...
Apple has a much more robust solution privacy wise with their ScreenTime API but it makes an app like Limit Buddy much harder to build.
If you root (I advise against doing that) and have LSPosed installed you can hide apps from being seen by every other app with Hide My Applist (HMA) [1] or HMAL (which I like more because it is more minimalistic) [2]
That's just a user contributed thing though. It's also just in the official ports collection. There's only a makefile there and some config files for electron (electron is kinda a PITA to compile on FreeBSD because there's no package)
Now, it can update itself automatically but it's all JavaScript. No binaries.
But it's safe enough for me anyway. Especially because the dev community uses it so much. If it did something untoward it would be noticed quickly.
Other than that, I'd like text to be selectable! I don't like it when apps don't allow you to copy text.
I use Copy [1], and when that doesn't work I use the OCR text selection feature on my Pixel phone.
[1] https://play.google.com/store/apps/details?id=com.weberdo.ap...
There seem to be sites for your GP (which mine does via a .nhs.uk domain it used to be via https://account.patientaccess.com/ which still shows appointments but does not allow booking but still allows requests for repeat prescriptions.) or hospital portal for results.
Hopefully GrapheneOS deliver on their promise to provide a better backup solution than Seedvault.
> The term [rooting] generally also includes the functionality for making runtime code patches (eg. with Zygisk) and making runtime filesystem modifications (eg. Magisk modules).
> Out of the many root-enabled apps I've studied or reverse engineered, the vast majority fail to handle arbitrary inputs properly (especially filenames). For example, some root-supporting file managers turn a seemingly benign action like listing a directory into local privilege escalation. This is trivially exploitable, especially with browsers auto-downloading files with server-provided filenames to /sdcard/Download/.
To avoid repeated root access UI prompts, some apps spawn a long-running shell session, write commands to stdin, and rely on parsing stdout and searching for the shell prompt to determine when commands complete. This approach is prone to desync, which can lead to commands being skipped or other inputs being interpreted as commands.
All in all, I simply do not trust most root-enabled apps to not leave a gaping security hole, so I avoid them entirely. There are apps that do handle root access in what I would consider a more proper way, by spawning a daemon as root and then talking to the daemon over a well defined binary protocol. Unfortunately, this approach is the extreme minority.
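An added illustration of the desync described in the comment above (not code from the thread or from any app it mentions): it parses the same two constructed command outputs once by searching for an end-of-command marker and once with length-prefixed frames. The marker string, the sample outputs and all function names are assumptions made for the example.

```python
import struct

PROMPT = b"__DONE__\n"  # constructed end-of-command marker echoed after each command

# Constructed sample outputs: a directory listing in which one file is
# literally named "__DONE__", followed by the output of a second command.
LISTING = b"a.txt\n__DONE__\nb.txt\n"
ID_OUT = b"uid=0(root)\n"


def naive_session_output(outputs):
    """Bytes the app reads from the long-running shell: output, then marker."""
    return b"".join(out + PROMPT for out in outputs)


def split_by_prompt(stream):
    """Fragile parser: every marker occurrence means 'a command finished'."""
    return stream.split(PROMPT)[:-1]  # drop the empty tail after the last marker


def encode_frame(payload):
    """Daemon side: 4-byte big-endian length header, then the raw payload."""
    return struct.pack(">I", len(payload)) + payload


def decode_frames(stream):
    """Client side: consume exactly the announced number of bytes per reply."""
    frames, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 4:
            raise ValueError("truncated length header")
        (length,) = struct.unpack_from(">I", stream, offset)
        offset += 4
        if len(stream) - offset < length:
            raise ValueError("truncated payload")
        frames.append(stream[offset:offset + length])
        offset += length
    return frames


if __name__ == "__main__":
    naive = split_by_prompt(naive_session_output([LISTING, ID_OUT]))
    framed = decode_frames(encode_frame(LISTING) + encode_frame(ID_OUT))
    # Two commands ran; the marker parser reports three results, so the
    # second "result" is really the rest of the first command's listing.
    print(len(naive), naive)
    print(len(framed), framed)
```

With framing, the reply boundary comes from the length header rather than from the data, so file names or other attacker-influenced output cannot shift which reply belongs to which command.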