BMLT Search appears to require precise location #50

Open
chapmangeo opened this issue Dec 14, 2023 · 3 comments

chapmangeo commented Dec 14, 2023

If I enable "Location" privilege for the Android 14 BMLT App (4.4.0) on my Pixel 7 but deny precise location (ACCESS_COARSE_LOCATION vs ACCESS_FINE_LOCATION), the app will not locate meetings in Map or Current Location search.

You should not require precise location. Approximate (Google Services) location provides a 100-meter (328 foot) radius which is more than adequate for a meeting search. Many privacy-conscious users prefer not to allow exact location to be released when the app function does not need it.

Per Google's developer guidelines, unless the app has a legitimate need for precise location, it "must work if the user only decides to grant permission for approximate location only". This has been true since Android 12. I have not reviewed the code, but I suspect you are attempting to use the old API to request your location, and likely are not asking for both privileges in your manifest.

Android's current best practice is to request COARSE location in your manifest, then attempt GetLastLocation() and, if it fails (the locator task is not running), either create the task or (the solution I use) call GetCurrentLocation(). See this link: https://developer.android.com/develop/sensors-and-location/location/retrieve-current


jbraswell commented Dec 14, 2023

I'm not the maintainer of this app, but this may not be using Android APIs at all. Capacitor embeds a web view (basically a web browser) in a simple app and just runs static JavaScript. It's probably using JavaScript's getCurrentPosition https://developer.mozilla.org/en-US/docs/Web/API/Geolocation/getCurrentPosition.
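An added example, not part of the thread and not the BMLT app's code: one way a web-view app could call `getCurrentPosition` without asking for a high-accuracy fix and size its search from the reported `coords.accuracy` instead of rejecting a coarse result. The names `locateForSearch`, `MIN_RADIUS_M` and `demo`, the radius policy and the stub positions are assumptions made for illustration; in a web view the first argument would be `navigator.geolocation`.

```javascript
// Hypothetical names and values throughout; nothing here is taken from the app.
const MIN_RADIUS_M = 5000; // assumed default meeting-search radius, in meters

// Request a position without demanding a precise fix, then derive the search
// radius from the accuracy the platform reports.
function locateForSearch(geo, onResult) {
  if (!geo || typeof geo.getCurrentPosition !== "function") {
    onResult({ ok: false, reason: "unsupported" });
    return;
  }
  geo.getCurrentPosition(
    (pos) => {
      const { latitude, longitude, accuracy } = pos.coords;
      // accuracy is the reported error radius in meters; widen the search so
      // it still covers the user's true position when the fix is coarse.
      const radius = Math.max(MIN_RADIUS_M, Math.ceil(accuracy) * 2);
      onResult({ ok: true, latitude, longitude, accuracy, radius });
    },
    (err) => {
      // GeolocationPositionError codes: 1 = PERMISSION_DENIED,
      // 2 = POSITION_UNAVAILABLE, 3 = TIMEOUT.
      const reasons = { 1: "denied", 2: "unavailable", 3: "timeout" };
      onResult({ ok: false, reason: reasons[err.code] || "unknown" });
    },
    // Do not ask for the best possible fix; allow a cached position up to
    // five minutes old.
    { enableHighAccuracy: false, timeout: 10000, maximumAge: 300000 }
  );
}

// Constructed stubs standing in for navigator.geolocation.
const coarseGeo = {
  getCurrentPosition(success, _error, options) {
    this.lastOptions = options;
    success({ coords: { latitude: 41.7, longitude: -72.7, accuracy: 3000 } });
  },
};
const deniedGeo = {
  getCurrentPosition(_success, error) { error({ code: 1 }); },
};

// Runs locateForSearch against a stub and returns what the callback received.
function demo(geo) {
  let out;
  locateForSearch(geo, (r) => { out = r; });
  return out;
}
```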


chapmangeo commented Dec 14, 2023

OK, I'm an Android developer; I avoid JS for the obvious security reasons. I'll download the source and take a look. The problem with implementing an app in JS is, of course, that you are at the mercy of the implementor, and there are as many JS implementations as there are web browsers.

Thanks for the prompt responses. I'm front-ending for one of our members (I'm CTANA's IT Services coordinator) who emailed the issue to me.


jbraswell commented Dec 14, 2023

There aren't any serious security concerns that I'm aware of in running a local JavaScript application. I say this as someone who has worked in security for a couple decades.

JavaScript, as of ECMA6, really is like 99% standardized across all major browsers for years now. CSS has a bit more variation, but the JavaScript APIs are stable, and unless you're doing some really weird and complex async stuff, you won't notice the differences in engine between, say, Chrome, Firefox, and Safari.

The nice thing about developing an app in JavaScript is that it's cross platform. It is going to work the same on iOS and Android from a single codebase. For small volunteer teams, this makes a lot of sense. Things like Flutter and React Native serve the same purpose with a more native feel.

The downside to developing an app like this in JavaScript is that you don't get that nice native feel. There are ways to get at the native APIs using Capacitor plugins, but they always feel a bit awkward to use.

I think the maintainer of this app is most comfortable with TypeScript and Capacitor, so here we are.

If you wanted to use the native APIs for location you could probably submit a PR to use some Capacitor plugin. I'm sure PRs would be appreciated.

Let me know if you'd like to be added to our Slack. I'm pretty easy to track down on Facebook - Jonathan Braswell.
