yellow_lead's comments

It seems like none of these terms would have saved OP though

I think OP needed "emergency service is cash up front".

In a different domain, this is the painful lesson of almost anyone who tries to help people in a bind -- you can try to help, but yours is unlikely to be the advice that sets them straight, so you shouldn't get too invested with unproven or, especially, proven unreliable actors.


>> "emergency service is cash up front"

Neatly distilled. I believe you are correct.


This brilliantly captures what I see from YouTubers who do off-road vehicle recovery. People are super nice until the bill comes, then you learn “only release the vehicle on payment.”

It's worth keeping in mind that the only practical "saving" for the OP will result in not doing the job at all, since this client most likely doesn't actually have the money and never will.

It should be, oh, short-term rush job in a foreign country for a sketchy client? That is most definitely cash up front time. Oh, you can't afford that? Sucks to be you, not going to do it.



Have any more information or sources? Would like to learn more

Even in the apps I've worked on, you won't find us loading arbitrary JS from a random GitHub user's account.

> Even in the apps I've worked on, you won't find us loading arbitrary JS from a random GitHub user's account.

You'd be surprised how many apps inside have hacks and workarounds because deadlines.


Let's see if anyone can give an example of such a high profile app doing something similar.

I've worked on a three-letter sports org's (one of NFL, NBA, NHL, etc.) Android app.

I always joke that we could probably tell you what color and type your underwear is on any random day with how much data is siphoned off your phone.

As for loading random JS, yeah, also seen that done before. "Partner A wants to integrate their SDK in our webviews." -> "Partner A" SDK is just loading a JS chunk in that can do whatever they want in webviews, including load more files.

Don't get me started on the sports betting SDKs...

Though we do have a Security team constantly scanning SDKs and the endpoints for changes in situations like this.


> As for loading random JS, yeah, also seen that done before.

Partner A is not random JS. The assumption there is 1) you have some official signed agreement with them and 2) you've done your due diligence to ensure you can use them in this way.

It's not just some person's GH repo who can freely change that file to whatever they want.

Hotlinking is as old as the internet, and a well-worn security threat.


> you won't find us loading arbitrary JS from a random GitHub user's account

You load arbitrary JS from a random GitHub user's NPM package. What's the difference?


It's not even good for Chinese


It's a failing on the part of Cloudflare to have used rules so many times and not realize this important detail.

It's not expressed anywhere in the UI, so at some point someone really just said "well the user will figure it out."


I like Cloudflare's products, but their vibe for all of their documentation is "well the user will figure it out."


It's kind of funny that Google's idea of evaluating AGI is outsourcing the work to a Kaggle competition.


When I was at a FAANG, we used to joke that when senior leadership is totally out of ideas, they announce a hackathon. It was a way for them to continue the charade of being "leaders" without having any ideas.


I love WFH but I'd also rather we not blow up schools.


So, just a markdown file?


How much of Meta's increased revenue is attributed to AI? I think Meta "turned things around" by bypassing privacy controls [1].

[1] https://9to5mac.com/2025/08/21/meta-allegedly-bypassed-apple...


> I think Meta "turned things around" by bypassing privacy controls

Why would Apple be complicit on this for years?


Apple has allowed Facebook, TikTok etc. to track users across devices AND device resets via the iCloud Keychain API.

When you log into FB on any account on any device, then install FB on a new device, or even after you erase the device, they know it's you even before you log in. Because the info is tied to your Apple iCloud account.

And there's no way for users to see or delete what data other companies have stored and linked to your Apple ID via that API.

It's been like this for at least 5 years and nobody seems to care.


Is there a write up of this somewhere? Curious to read more...


None that I found. You can test it right now yourself. Install FB, log in, delete FB, reinstall FB. Your previous login info will be there.

That would be fine if users could SEE what has been stored and DELETE it WITHOUT going through the app and trusting it to show you everything honestly.

What's even worse is that it silently persists across DEVICE reinstalls.

Erase and reset your iPhone/iPad. Sign into the same iCloud account. Reinstall FB. Your login info will still be there.

Buy a new iPhone/iPad. Sign into the same iCloud account. Reinstall FB. Your login info will still be there.

And nope, no one seems to care.

