Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I'm guessing they used some framework and the libraries they used ask for a broad set of permissions because they offer access to their functions. But they're not necessarily used.

Also considering they're asking for a permission for a protocol that was shut down 7 years ago, the framework must be quite old. Android permissions were less granular back then.

I know someone in Germany and their covid tracking app tells you when and where you were close to someone who was last tested positive. So everyone does it the same way, recording location.



It only tells you on which day you had "one" or "multiple" contacts with "low" or "high" risk. It's Bluetooth based, and the CoronaWarnApp doesn't even access location data.

See https://www.bundesregierung.de/breg-de/themen/corona-warn-ap...

"Data which can make a person identifiable, in particular location data, is not selected, used or stored."


Hmm. Maybe my friend knew exactly where he was then.

Too bad I can't edit the original comment any more.

Never trust friends :)


> I know someone in Germany and their covid tracking app tells you when and where you were close to someone who was last tested positive. So everyone does it the same way, recording location.

Not sure about Germany, but in France the app doesn't track location. It tracks nearby devices (with Bluetooth, rotating identifiers frequently), and when one marks oneself as positive, it informs the central server of the identifiers used in the last X days, which then other apps checks against their list of known identifiers that were close.

So there is no recording of location.


My friend was definitely told where he was on the last contact. Doesn't mean his location left the phone though.

[He didn't get Covid this time, but off topic for this discussion.]

Edit: or maybe it's on topic because the location was at some amusement park outdoors. Since he knew where and it was relatively safe, he didn't have to worry much about the test results...


No, definitely not. There is no location info anywhere in the app, and never has been.

Obviously you can enter "library visit" in your contact diary manually, but even then there is no location involved, it's just a string of characters.


There isn't even a specific point in time given, only the day.


I believe in android bluetooth requires some location permission, because it can be used to identify your location.


> Also considering they're asking for a permission for a protocol that was shut down 7 years ago, the framework must be quite old. Android permissions were less granular back then.

That’s not how PlayStore permissions work. You have to target a certain Android version to release update apps and that version dictates how permissions work. You can’t get around those requirements by using an old framework.


Yeah, but old framework needed one permission that split into 3. Now it asks for all 3 permissions because they didn't hold to think that they only need 2 of them, and even those not always.


Ah of course, I didn't think about that.


Giving the benefit of the doubt to naivety is reckless in a security context.




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: