Thereallo, after spelunking inside the APK bundle for the Android version:
Has a full GPS tracking pipeline compiled in that polls every 4.5 minutes in the foreground and 9.5 minutes in the background, syncing lat/lng/accuracy/timestamp to OneSignal’s servers.

Loads JavaScript from a random person’s GitHub Pages site (lonelycpp.github.io) for YouTube embeds. If that account is compromised, arbitrary code runs in the app’s WebView.

[…]

Is any of this illegal? Probably not. Is it what you’d expect from an official government app? Probably not either.
Hanlon’s razor: “Never attribute to malice that which is adequately explained by stupidity.”
The app is, at least temporarily, popular. As I type this it’s #3 in the iOS App Store top free apps list, sandwiched between Claude and Gemini. I don’t know how similar the iOS app is to the Android one, but I took one for the team and installed it, and after poking around for a few minutes, it hasn’t even prompted me to ask for location access. It’s a crappy app, to be sure. A lot of flashing between screen transitions. When you open an article, there’s a “< Back” button top left, and an “X” button top right. Both buttons seem to do the same thing. There’s no share sheet for “news” articles, which seems particularly stupid. You can’t even copy a link to an article and share it manually.
But the iOS version has a clean privacy report card in the App Store, and I don’t see anything in the app that makes me doubt that. It seems like the Android version is quite different.
