https://news.ycombinator.com/item?id=47555556 https://news.ycombinator.com/item?id=47577761
> All HTTPS traffic was decrypted and logged. No modifications were made to the traffic. The app was used as any normal user would use it.
Is it really that simple to inspect network traffic on an iPhone, namely to get it to trust the user-installed cert? I do quite a bit of network inspection on Android and I find it to be painful, even if the apps don't use certificate pinning.
Regardless, it highlights the importance of having control of our own devices, including the ability to easily inspect network traffic. We have the right to know where our data is being sent, and what data is being sent.
I recall during COVID it was discovered that Zoom was sending traffic to China. There was also the recent case of Facebook tracking private mobile browsing activity and sending it to their servers via the FB app. Imagine how much questionable traffic goes unnoticed due to the difficulty in configuring network inspection for apps.
Apps that do use cert pinning are a whole other matter; I’ve tried unsuccessfully a few times to inspect things like banking apps. Needs a rooted device at the minimum.
https://www.trickster.dev/post/setting-up-rooted-android-emu...
Meanwhile I've always found it amusing that there's a loud, probably corporate-owned/Big-Tech-brainwashed subset of the "security" crowd who complains about MITM proxies.
It's shocking how many third party connections an average website opens. It's particularly true for news websites. Interestingly, atomic.computer also attempts to load Cloudflareinsights and some Google fonts, both of which are denied on my network. This is precisely the kind of request that makes it trivially possible for Google to follow people around the Internet, and the vast majority of webmasters are complicit in this.
A government app shouldn't have crazy analytics and tracking and whatever. But I don't think loading Google fonts or embedding YouTube videos is really all that wild in the grand scheme of things.
Given the title, I was half expecting some sort of egregious list with, like, Palantir and some ICE domains or something. I don't like the app, but Google? Facebook? That is pretty boring.
The title probably should focus on the nature/severity of the requests. Titling it with a % of all requests feels bait-y if Google/Facebook/Twitter isn't off in its own category. They have all sorts of dumb little requests to all sorts of domains that really inflate the numbers.
I would be interested to see how this compares to industry standard though; 77% doesn't seem outrageous to me given all the trackers and advertising code I've seen over the years. It wouldn't surprise me if this is in line with many apps people install and don't think twice about.
In Australia, apps handling government data must comply with the PSPF (Protective Security Policy Framework) and the ISM, which explicitly restrict data flows to untrusted third parties. A government app routing 77% of requests externally would fail an IRAP assessment on day one.
The fix is straightforward: self-host fonts, use first-party analytics, and treat every external request as a data exfiltration vector. Government digital teams know how to do this — the question is whether anyone is actually reviewing the network behavior post-deployment.
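An added example of the kind of post-deployment review the comment above is asking for; this is illustrative code written for this page, not the source post's methodology or any government team's tooling. It takes request lines of the form `METHOD URL` from a decrypted proxy capture, classifies each by whether the host's registrable domain belongs to the app owner's declared first-party domains (`example.gov` here is a constructed placeholder), and reports the third-party share and the external hosts receiving the most requests. The capture below is constructed for the example and is not real traffic from any app; the public-suffix handling is a small stand-in for a proper Public Suffix List lookup.

```python
"""Post-deployment network-behaviour check for a mobile app (added example).

Given request lines captured from a decrypted proxy session, classify each
request as first-party or third-party by comparing the registrable domain of
the request host against the app owner's declared domains, then report the
third-party share and which external hosts receive the most requests.
"""
from collections import Counter
from urllib.parse import urlsplit

# Two-label public suffixes this demo recognises. A production check should
# use the real Public Suffix List instead of a hand-maintained set.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "gov.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a host, e.g. 'fonts.gstatic.com' -> 'gstatic.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_request_line(line: str):
    """Parse 'METHOD URL' into (method, host, path); return None for non-request lines."""
    parts = line.split(maxsplit=1)
    if len(parts) != 2:
        return None
    method, url = parts
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return None
    return method, u.hostname, u.path or "/"


def classify_requests(lines, first_party_domains):
    """Return a summary dict: counts, third-party share, and per-host breakdown."""
    allowed = {registrable_domain(d) for d in first_party_domains}
    first_party = 0
    third_party_hosts = Counter()
    for line in lines:
        parsed = parse_request_line(line)
        if parsed is None:
            continue  # skip comments, blank lines and malformed entries
        _, host, _ = parsed
        if registrable_domain(host) in allowed:
            first_party += 1
        else:
            third_party_hosts[host] += 1
    third_party = sum(third_party_hosts.values())
    total = first_party + third_party
    share = third_party / total if total else 0.0
    return {
        "total": total,
        "first_party": first_party,
        "third_party": third_party,
        "third_party_share": share,
        "third_party_hosts": third_party_hosts.most_common(),
    }


# Constructed sample capture (not real traffic from any app). Hosts were chosen
# to mirror the categories discussed in the thread: fonts, analytics, embeds.
SAMPLE_CAPTURE = """\
GET https://www.example.gov/api/v1/feed
GET https://www.example.gov/images/logo.png
GET https://fonts.googleapis.com/css2?family=Inter
GET https://fonts.gstatic.com/s/inter/v12/abc.woff2
POST https://www.google-analytics.com/g/collect?v=2
GET https://www.youtube.com/embed/VIDEO_ID
GET https://static.cloudflareinsights.com/beacon.min.js
GET https://cdn.example.gov/app.bundle.js
# comment line that should be ignored
""".splitlines()

# Placeholder for the app owner's own domains (assumption for this example).
FIRST_PARTY = ["example.gov"]

if __name__ == "__main__":
    report = classify_requests(SAMPLE_CAPTURE, FIRST_PARTY)
    print(f"{report['third_party']}/{report['total']} requests "
          f"({report['third_party_share']:.0%}) went to third parties")
    for host, n in report["third_party_hosts"]:
        print(f"  {n:3d}  {host}")
```

The useful output is the per-host breakdown rather than the headline percentage: it separates a CDN the team controls from fonts, analytics beacons and embeds, which is exactly the distinction the thread argues a bare "% of requests" figure hides. Run against a capture taken after each release, a threshold on `third_party_share` or a diff of `third_party_hosts` against the previous build makes the review repeatable.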
Honestly—why? What is in this traffic that mandates heightened scrutiny? It strikes me as simply about brand.
gruez•1h ago
edit: they seem to have updated the store listing, so the "data collected" section is correct.
iterateoften•1h ago
gruez•1h ago
aplummer•1h ago
SV_BubbleTime•1h ago
abustamam•1h ago
gruez•1h ago
charcircuit•35m ago
tr_user•1h ago
jmalicki•1h ago
amazingman•1h ago
jmalicki•15m ago
gruez•1h ago
mattbuilds•1h ago
gruez•1h ago
The relevant part of B2C is the 2C part, not the B. Mass market apps are generally ridden with telemetry and SDKs. Moreover I'm not sure how you think it's a "fair question" to go from a remark about how other apps are equally bad, to thinking I want the US government to operate as a business. It's like doing:
A: "I called the IRS and was put on hold for 2 hours, can you believe that?"
B: "To be fair that's the experience calling into most businesses, like banks or the cable company"
A: "Wow so you think we should be running the IRS like a bank?"
>I think most people would expect an official government app to be held to a higher standard than the average B2C app.
Is this a "yes, in an ideal world that's how things should be" type of statement, or are you claiming "yes, government agencies have a track record of delivering technical excellence on software projects, and this particular project was especially bad"? The former is basically a meaningless platitude, and I don't think anyone seriously thinks the latter is true.
ryandrake•1h ago
1: https://news.ycombinator.com/item?id=47596187
gruez•53m ago
The flip side of "whataboutism" is "isolated demands for rigor"[1]. Going back to the IRS example, is it a fair retort to point out that IRS's hotline only sucks as much as any other large organization's hotline, or is it "whataboutism"?
[1] https://slatestarcodex.com/2014/08/14/beware-isolated-demand...
chirau•37m ago
gruez•25m ago
See my earlier comment about how this is a meaningless platitude.
>Businesses intentionally throttle customer service lines for profit reasons. The government should not.
None of this was presupposed in the original comment, only that wait times are long.
neya•1h ago
neya•1h ago
If so, why do you think lobbying exists?
I'm not saying it should be run like a business, but it is naive to think it isn't run like one.
nkozyra•1h ago
Specifically because it's not a natural market. There are people who secure a 2-year, consequence-free term to impact U.S. law, at the behest of people with money.
Lobbying is special interests dictating decisions that often are not financially, morally, or otherwise ideal/beneficial to the other party (the United States and its people). This wouldn't fly at any corporation or business because there would be direct impacts on the bottom line or reputation of the company.
lobf•35m ago
Would you like to be able to ask your representative to focus on a particular issue?
refulgentis•1h ago
That makes me net more surprised after reading your comment.
You're not surprised the white house is worse than any other app you've seen by 20%?
gruez•1h ago
???
commoner•1h ago
dwattttt•1h ago