Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

All privacy-respecting browsers block 3rd party cookies by default now, which prevents that kind of tracking. There's still other forms of fingerprinting they can use, but those can be used in apps as well.


What are these other forms that apps can use?


A combination of data about your browser/os/hardware/locale configuration https://amiunique.org


You realize you just made my point for me that websites can track you more easily than apps…

FWIW: the website completely errored out on my iPhone until I turned my ad blocker off in Safari.


Whoops, I misread your post, my bad.

But I guess apps can run web views that have access to all the same fingerprinting as a standalone browser, minus any ad-blocking plugins (on iOS at least)


With a browser, you have the ability to block cookies, block whole hosts/domains, alter DOM content, alter tracking URL's, and (often) disable low level features you don't like. With apps, not so much.


And still waiting for examples of how apps can track you better. If the server wants to track you by your originating IP, all of the client side blocking will do nothing


What is your definition of "track you" in this context?

If it's to pinpoint a unique device accessing a website even through VPNs and/or other IP changes, there are an untold number of ways that apps can track you better than a website.

Apps have access to many device-specific APIs in addition to all the web ones, and every additional bit of information used can be added to the mix to create an even more unique fingerprint of the specific device accessing a website.

For example with phones, an app (even if it's mostly just a webview) may now also have access to your phone model, phone number, maybe your contacts or GPS location, and many other things.


A website Can easily deduce your phone model based on the browser agent attribute which tells the operating system and the screen resolution with a fair degree of certainty, an app can’t get your phone number, it can get your GPS with your permission. But so can a web page with your permission. There is a standard JavaScript API for it. Contacts are also gated by permissions.

And there is a Contact Picker API for browsers

https://developer.mozilla.org/en-US/docs/Web/API/Contact_Pic...


> an app can’t get your phone number

Apps can absolutely get your phone number:

https://stackoverflow.com/questions/2480288/programmatically...


VPN, TOR...


And once you install a VPN on your phone it also keeps apps from revealing your IP address.


Some apps can/will detect that an OS-level VPN has been activated though, and refuse to work at all. Spectrum TV does this for example, as well as some banking and other types of apps.


Yes and sites can also fairly reliably detect when a user is coming from a well known IP address block belonging to a VPN or VPS provider. It’s a built in feature of I know at least AWS

https://aws.amazon.com/about-aws/whats-new/2020/03/aws-waf-a...


Assuming you are using a "well known IP address block belonging to a VPN or VPS provider", yes, but it is also possible to setup VPNs/proxies outside of well-known IP blocks.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: