Reading List

The most recent articles from a list of feeds I subscribe to.

Technical Analysis of the Android Version of the White House’s New App

Thereallo, after spelunking inside the APK bundle for the Android version:

  • Has a full GPS tracking pipeline compiled in that polls every 4.5 minutes in the foreground and 9.5 minutes in the background, syncing lat/lng/accuracy/timestamp to OneSignal’s servers.

  • Loads JavaScript from a random person’s GitHub Pages site (lonelycpp.github.io) for YouTube embeds. If that account is compromised, arbitrary code runs in the app’s WebView. [...]

Is any of this illegal? Probably not. Is it what you’d expect from an official government app? Probably not either.

Hanlon’s razor: “Never attribute to malice that which is adequately explained by stupidity.”

The app is, at least temporarily, popular. As I type this it’s #3 in the iOS App Store top free apps list, sandwiched between Claude and Gemini. I don’t know how similar the iOS app is to the Android one, but I took one for the team and installed it, and after poking around for a few minutes, it hasn’t even prompted me to ask for location access. It’s a crappy app, to be sure. A lot of flashing between screen transitions. When you open an article, there’s a “< Back” button top left, and an “X” button top right. Both buttons seem to do the same thing. There’s no share sheet for “news” articles, which seems particularly stupid. You can’t even copy a link to an article and share it manually.

But the iOS version has a clean privacy report card in the App Store, and I don’t see anything in the app that makes me doubt that. It seems like the Android version is quite different.

Update 1: Someone on Reddit claims to have analyzed the iOS app bundle and discovered code similar to that in the Android app, but I still don’t see any way to actually get the iOS app to even ask for location permission. I think there might be code in the app that never gets called. Like I wrote above, it’s clearly not a well-crafted app. If anyone knows how to get the iOS app to actually ask for location access, let me know how. Here’s another analysis of the iOS app.

Update 2: I installed the Android version of the app too, and just like on iOS, the only permission it asks for is to send notifications. Maybe they will in a future software update, but as far as I can see, the app never even tries to check the device’s location, on either platform.
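On the WebView finding quoted at the top of this item (YouTube embed code pulled from a personal GitHub Pages site): the practical review question is “which hosts does the bundled web content fetch script from, and who controls them?” The script below is an added example, not code from the original post or from Thereallo’s analysis. It scans an HTML asset of the kind an Android app ships for its WebView, pulls out every <script src=…> reference, and labels each one by where the code comes from. The hostname lonelycpp.github.io is taken from the quoted analysis; the allowlist entries, the .invalid hostnames and the sample asset are constructed for this example.

```python
"""
Audit the script sources in a WebView-bound HTML asset.

Added example: classify every <script src=...> in an HTML asset by who
controls the host it loads from. The sample asset and allowlist below are
constructed for this example; only lonelycpp.github.io comes from the
quoted analysis.
"""
import re
from urllib.parse import urlparse

# Hosts the app is expected to pull scripts from. www.youtube.com is the real
# host of the YouTube IFrame API; the second entry is a placeholder for the
# app vendor's own CDN (assumption for this example).
ALLOWED_SCRIPT_HOSTS = {"www.youtube.com", "static.app-cdn.invalid"}

# Domains whose subdomains belong to individual user accounts rather than to
# the app vendor; a script from here is only as safe as that one account.
USER_CONTROLLED_SUFFIXES = (".github.io", ".gitlab.io")

SCRIPT_SRC_RE = re.compile(
    r'<script\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def extract_script_sources(html: str) -> list[str]:
    """Return every URL referenced by a <script src=...> tag, in document order.

    Inline <script> blocks have no src attribute and are skipped: they ship
    inside the APK and are not fetched from anywhere at runtime.
    """
    return SCRIPT_SRC_RE.findall(html)


def classify_source(src: str) -> str:
    """Label one script source by who controls the code it delivers.

    local        relative path, bundled with the app
    insecure     fetched without TLS (http:// or scheme-relative //)
    allowlisted  remote host the vendor has explicitly approved
    user-hosted  personal account on a public pages service
    third-party  any other remote host
    """
    parts = urlparse(src)
    if not parts.netloc:
        return "local"
    # A scheme-relative "//host/x.js" inherits the page's scheme, which for a
    # file:// or http:// WebView page is not TLS, so treat it as insecure too.
    if parts.scheme != "https":
        return "insecure"
    host = (parts.hostname or "").lower()
    if host in ALLOWED_SCRIPT_HOSTS:
        return "allowlisted"
    if host.endswith(USER_CONTROLLED_SUFFIXES):
        return "user-hosted"
    return "third-party"


def audit_asset(html: str) -> dict[str, list[str]]:
    """Group every script source in an asset by its label."""
    report: dict[str, list[str]] = {}
    for src in extract_script_sources(html):
        report.setdefault(classify_source(src), []).append(src)
    return report


def remote_code_risks(html: str) -> list[str]:
    """Sources that let a party other than the vendor run code in the WebView."""
    report = audit_asset(html)
    return (report.get("user-hosted", [])
            + report.get("third-party", [])
            + report.get("insecure", []))


# Constructed sample asset: one approved host, one personal GitHub Pages site,
# one plaintext-HTTP include, one bundled file, one inline block.
SAMPLE_ASSET = """<!doctype html>
<html><head>
<script src="https://www.youtube.com/iframe_api"></script>
<script src="https://lonelycpp.github.io/yt-embed/player.js"></script>
<script src="http://static.app-cdn.invalid/legacy.js"></script>
<script src="js/app-local.js"></script>
<script>
  // inline helper: lives in the APK, nothing to fetch
</script>
</head><body><div id="player"></div></body></html>
"""

if __name__ == "__main__":
    for label, sources in audit_asset(SAMPLE_ASSET).items():
        for src in sources:
            print(f"{label:12} {src}")
    print("needs review:", remote_code_risks(SAMPLE_ASSET))
```

Run it against the HTML files extracted from an APK’s assets directory and anything labelled user-hosted, third-party or insecure is a host whose compromise means code execution inside the app’s WebView; the fix is to bundle that script with the app or serve it from a host the vendor controls. The same allowlist can be enforced at runtime by returning an empty response from WebViewClient.shouldInterceptRequest for hosts outside it, so a stray include in a future asset update fails closed instead of loading.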

[Sponsor] Material Security

Stop scaling headcount. Scale your workspace.

Most security teams don’t have a talent problem, they have a noise problem. Manual phishing remediation, chasing risky OAuth permissions, and auditing file shares shouldn’t be a full-time job.

Material Security unifies your cloud workspace, bringing detection and response for email, files, and accounts into one place. It’s security that actually works: augmenting the native gaps in Google and Microsoft without the usual enterprise bloat.

Stop fighting fragmented consoles and start focusing on strategy. It’s time to simplify your SecOps.

See how Material scales.

‘The Brand Age’

Paul Graham:

So when you have a world defined only by brand, it’s going to be a weird, bad world.

Graham’s thoughtful essay focuses on the mechanical watch industry. But I disagree with his conclusion. I think the market for mechanical watches has never been more fun or vibrant than it is today. The action, for me at least, isn’t with the high-end luxury Swiss brands. It’s with the indies, from companies like Baltic and Halios.

It’s also interesting to ponder Graham’s essay in the context of other industries. I think it’s self-evident that the entire market for phones — the most popular and lucrative consumer devices in the world — is defined by a single brand, and every competitor just copies that one brand with varying degrees of shamelessness. That’s bad and weird.

Macs of Unusual Size

Scott Knaster:

The Big Mac is about 22 times the size of the little Mac.

WorkOS

My thanks to WorkOS for once again sponsoring the week at DF. Their latest is a CLI that launches an AI agent, powered by Claude, that reads your project, detects your framework, and writes a complete auth integration into your codebase. No signup required. It creates an environment, populates your keys, and you claim your account later when you’re ready.

But the CLI goes way beyond installation. WorkOS Skills make your coding agent a WorkOS expert. workos seed defines your environment as code. workos doctor finds and fixes misconfigurations. And once you’re authenticated, your agent can manage users, orgs, and environments directly from the terminal. See how it works at WorkOS’s website.

See also: WorkOS just completed another Launch Week. This one, for Spring 2026, does not disappoint with its custom UI and theme. Even if you don’t have a need for WorkOS you should check out their Launch Week site just for fun.