Hacker News new | past | comments | ask | show | jobs | submit login

Sure, but Google/Android has added fine grain GPS permissions in Android 10+ so we have the option to say "just track when using app" instead of "no" or "all the time".

The problem, now, is rolling it out due to fragmentation.

This is great, and everything you’ve said is true.

But the change in iOS13 is the regularly occurring pop up alert to prompt users to pick a lower permission for apps they don’t use often that are also tracking location.

As others have mentioned, iOS has had the fine grain permission for a while. What’s new is the regular prompt.

Android 10 also has a similar prompt via notifications.

thankfully most people use android 10 as regularly as later iOS versions.

I really wish iOS and Android would implement coarse grain location. My weather app doesn't need to know where I am exactly, within a couple of miles is usually fine. The "find the nearest store" just needs to know within a few blocks. The problem with GPS level location is that if I'm at home, I'm nearly personally identified.

If I know the rough location of your work and the rough location of your home I can almost certainly identify you: https://crypto.stanford.edu/~pgolle/papers/commute.pdf

Don't quote me on this, but I believe iOS already has this.. But it's the developer that needs to say they'll use this type of location data - which of course they won't.

Android has had that distinction since version 1, actually.


Some apps do use coarse permission (which maps roughly to wifi/cell tower location).

Yes, but I can't say "sorry, you're only getting coarse location" to an app that wants precise location permission.

So we'll start seeing that on a significant percentage of Android devices around, um... 2025, then? Man I do not miss the horrible support for updates in that ecosystem one bit.


I don't think Google originally planned it this way, but their release strategy gives them an interesting gradient of users that I think benefits them. (This is entirely off the cuff, I may be sticking my foot in my mouth.)

Early adapters, who are more likely to engage with the bigger questions raised by tech, are likely to use new devices with the latest revision of what Google thinks you should share with the advertising world - lately, this has been giving users slightly more control. Meanwhile, older and cheaper devices (a much larger segment) mostly run older OSes that more more data-sponge-friendly.

So the picky and wealthier customers have reason to tell others "Google is getting better" while everyone else keeps feeding the beast.

Yes, you're right.

The inference you haven't made yet is what the proportions of the users in the "early adopter" and "general user" categories are in countries that are NOT the United States or Europe.

Hint: most of Google's Android users aren't in the US or Europe at all. Instead they're in countries where there are much more pressing social, political, or economic issues for governments to address that easily sideline privacy concerns with minimal lobbying funds.

On the flip side of this, Apple can focus on privacy and security as a brand largely because their customer base consists almost entirely of the affluent and business class of society worldwide. Everyone who would otherwise be exploitable is priced out.

Yep. I'm sorry to say a lot of people here have a fundamentally imperialist stance towards the rest of the world. It comes out in all sorts of ways. Of course, we're not the only country with that outlook, just (currently) the dominant one.

I agree with everything you wrote, but note that Apple's attempt to brand itself as privacy aware is self serving and works only because privacy is such a vague topic the population doesn't really know how to reason precisely about it. Their affluent users don't actually care more than anyone else, but it lets them virtue signal to their friends a little bit without having to make any actual sacrifices of features or usability.

Take the end to end encryption in iMessage. It doesn't mean anything: like all such schemes Apple can push a new key to your friends phones, or a software update that selectively disables it, at any time they want. There may already be back doors there nobody knows about. The user could never detect this nor do anything about it even if they did. But Apple use it to claim they care about privacy.

On advertising, Apple only decided advertising was bad and privacy invasive after their own iAd initiative flopped completely. When Jobs thought Apple could compete directly with Google on advertising he was all about how beautiful and usable Apple ads would be.

Apple's all about privacy except they want you to upload everything to their cloud. They're all about privacy except they have root on all your devices. Note: this is unlike Android, where the root keys for the devices are owned by OEMs who sandbox and review/audit Google's software, and the OEMs in turn don't have access to the Google cloud data. Some Android devices don't even use Google services at all.

For Apple privacy is a marketing angle. It can be seen in the way the latest iOS/Android versions don't differ from each other in any significant respects.

A wonderful system were the tech illiterate remains an everlasting source of personal information for sale on ad exchanges.

It is almost irrelevant for existing users what has been added in Android version n + 1, because they will never get updated to n + 1. The joys of the Android vendor ecosystem. Even very expensive phones like Sony get about 1 (mid) or 2 (high-end) major upgrade only, and that's still not guaranteed. Project Treble did nothing to fix this.

We should just force companies by law to provide software patches for anything that can connect to a network for at least five years, better ten, or be liable for security problems.

Then they will provide something. In the best case regular security updates, I can imagine any reasonable way to force them to add new features during support period.

It's trivial, actually.

Google would need to make it a requirement for bundling their services. Since the major distributers are utterly dependent on Google/Android, they'd do it.

Making it a legal requirement would be challenging, but making it a de facto requirement for all major phone vendors is easy.

> The joys of the Android vendor ecosystem.

Even when going with official Google phones: my Nexus 5 is way out of date OS-wise.

My Google Pixel 1 stopped getting even security updates recently, and it's the last flagship Google phone with headphone port.

Your Nexus 5 came out 7 years ago, it's unreasonable to expect that the latest Android would even run properly on it when the rest of the world has moved on.

Why? A 7 year old midrange PC or laptop will run latest Windows or Linux just fine.

> it's unreasonable

Is it? Slower than on more recent ones I agree. But processors architecture and components has not changed a lot.

If Microsoft manages 10 years on wildly more diverse hardware with their OS, I don't see why it is not possible on official Google phones.

my iphone 6s receives iOS updates to this day. it eats through the battery like there's no tomorrow but it works well otherwise.

This is unfortunately why in my opinion there is no way around installing a custom ROM (requiring you to buy a phone with good community support).

An added benefit of that is a removal of the manufacturer's bloat ware and the ability to compile things yourself, allowing you to modify everything.

If there's no good unofficial/open source software for the device, don't buy it or you're going to be miserable in 0-2 years.

All Android phones before P are vulnerable to a flaw that allows background camera use:


That might actually be the majority of active Android devices if you look at the marketshare statistics.

I think it's actually somewhat embarrassing that the tech industry hasn't been able to provide a low cost, reasonably secure smartphone platform that can be used for more than a year or two. The only people who can remain secure are the ones who can afford either new Android phones or slightly less new iPhones.

Security is like a luxury item, and the worst part is that most people don't even realize it.

There are GNU/Linux phones around now (the Librem 5, though it may still be stuck as WIP, and the PinePhone, which I think had a first batch sent out a while ago), but the app support will be lacking and they'll likely be stuck as niche forever.

There was windows phone, but the market wanted apps!

Related to this, I almost wanted to mention the “sins” of the major platforms.

Android: not fixing fragmentation after all this time. Essentially, people with less money get less security.

Apple: not making true budget phones with the same lengthy support windows, though this might change as they emphasize services.

Microsoft: leaving the smartphone market entirely. I used to use Windows Phone and it was clearly better than Android. Android was slow and getting updates was a pipe dream. Windows Phone was like a less locked-down iPhone, and around Windows Phone 8.1 the app marketplace wasn’t half bad.

Had Microsoft put out quality flagship phones consistently on a yearly basis on all four major US carriers, they’d still be making smartphones. But people who wanted windows phones were stuck waiting for Microsoft to reorganize Nokia while they mostly crapped out budget phones and had one or two outdated flagship exclusive to a particular carrier.

Windows Phone 10 arrived too late, it wasn’t as good of an update as 8.1, and it arrived after a long drought of phones.

That's not "vulnerable to a flaw". You make it sound like there's some sort of security bug or buffer overflow in the OS that lets any app turn on the camera at will.

The "flaw" is that apps you explicitly gave permission to use the camera, can use it! All they've done in P is notice that they can tighten the permission even further so the app has to be in the foreground to use that permission.

The lack of this wasn't a vulnerability though. Mobile operating systems have been implementing finer grained permissions and security through their entire lifespans. For sure that trend will continue. If we spin every improvement to privacy controls as "fixing a vulnerability" it's just a form of crying wolf that will lead people to ignore security updates even more than they already do.

The parent didn't say "vulnerability" in the "security vulnerability" sense. They sad "vulnerable to a flaw", i.e. there is a design flaw and those versions have that design flaw - meaning users of it are vulnerable to apps taking advantage of that design flaw. I'd say it leaves users "vulnerable", and it's definitely a "flaw". It may be an API working as intended - but that doesn't mean it isn't flawed to the point of being embarrassing.

Reading this it seems to imply that iOS doesn't support this (sorry if not!), but it does and has for a very long time.

wrong implication, you're right.

Google Services commonly exempt themselves from those kinds of "privacy protections". Google's happy protecting your privacy from other companies, just as long as they continue to get special access.

I got one of those today for Waze. I set it to only collect when it's in use.

I'm not talking about Google's apps, I'm talking about Google Services. This is the system library that sits just above Android itself and is used as a dependency by most third-party Android apps these days. An app asks for your location? They aren't asking Android for it, they're asking Google for it. See more details here: https://arstechnica.com/gadgets/2018/07/googles-iron-grip-on...

Not only do I like having the ability to limit GPS per app, but I can also disable background data and enforce 'energy saver mode' (aka make background tasks infrequent) on an individual app basis.

Except you can't for Google Play Services, the key "app" that every other app needs for all the Google APIs. So sure, individual apps can't get your local, but Google still can almost always.

We can also easily mock GPS on Android and there are apps for that.

Great, you've covered 0.1% of the Android user base.

Are we talking about things we like, use and do, or are we in a pissing contest about who's team is winning?

We're talking about privacy protections for all users, not just HN users. The change in iOS 13 doesn't allow you to do anything that wasn't possible before, the settings have existed for years. It "just" periodically asks if you really want to let that app access your location in the background all the time, showing you a map where it did so in the last few days. And according to the article, people are saying "no" a lot.

Users will disallow tracking if prompted. The average user won't go out of their way to spoof location data, though.

Apps can detect this, and some apps will ban you if you mock your location.

Wait, they'll ban me from their privacy-invading malvertising? Where do I sign up?

that's a special case in my opinion since the gameplay revolved around your location

Some location-based dating apps will do this.

yay "solutions"

Average users won't disable tracking unless prompted.

Which is why Android now has a prompt.

iOS has had this for several major versions.

iOS also has this feature so I’m not sure what your point is.

I think their point was that Android users are now similarly empowered to block "offline" tracking. ("offline" meaning "when the app isn't open"). Further, maybe it's that true if that feature were a true existential threat to Google, they wouldn't have implemented it in Android.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact