Which live location sharing service is recommended?

A developer discusses using Claude AI to build a privacy-focused live location sharing service, highlighting the trade-offs between vibe-coded mobile apps and hand-coded cryptography. The conversation covers map tile leakage risks, post-compromise security, and geofence notification privacy.

You definitely have some nice privacy benefits by going with a device-based approach. Two thoughts on this: is everything in your project vibe-coded with Claude, though, or are you still managing something yourself?

Honestly, the majority is Claude. I was using this project as an opportunity to really see how much coding agents can help my productivity. In a green-field project where there's a small core of hard design stuff (the e2ee protocol) and a very large chunk of fairly trivial stuff (the mobile application code), it does very well. Quite frankly, I would not have been able to spare the time for a weekend project this ambitious without it.

As long as the person behind it knows what they're doing, it is probably of great help, and the project would not even be live otherwise.

I think the key question is whether the person behind it knows what they're doing, as you say. A hand-coded app by someone who doesn't know anything about applied cryptography, vs a vibe-coded app where the designer knows a bit more: I think the latter is probably safer.

Personally, I enjoy solving hard problems, via code or not. I will be honest: I hate writing mobile app code. It's almost always filled with boilerplate and cruft–the ratio of "solving hard problems" to "lines of code" is far too low to be rewarding, which usually puts me off mobile app development.

Wouldn't that then negate map tile leakage to some degree?

Yes, but my point was that if you're using Grid's protomaps endpoint, you're leaking your range requests to them, and that they probably have less traffic to hide in than Google's or Apple's endpoints, and their endpoint is exclusively for people sharing location. Now, I think the general community view of protomaps specifically is that "hey, it's maps in a single file, so what is there to leak", but that's sort of incorrect–it uses HTTP Range to request the part of the map you are zoomed to (IIUC), so a malicious server or MiTM can still obviously know where you are browsing to.

So compromising the identity key won't compromise the master key.

Yes, but what I meant was that in all probability both are compromised via the same mechanism (password compromise).

If your password is compromised then obviously your keys are compromised.

Right, this is what I mean about PCS. If a system has PCS, it can "heal" after a transient key compromise. So with the Signal double ratchet, not only are old epoch keys discarded (PFS, i.e., someone who compromises you in the future cannot use the compromised keys to decrypt old captured traffic), but new keys are not derivable deterministically from a transient compromise, so the next epoch is once again secure. You lose this property by tying key rotation to the IK/MK. If you used a DH ratchet, as Signal and Where do, you'd get PCS on epoch rotations (even if the password were compromised), though this is only helpful if you alert users on new session establishment instead of blindly trusting the IK/MK. The nice thing about this scheme is that if Alice loses her phone and bootstraps a new one, Bob is alerted.

At first I had simple enter/exit pings, but I switched to hashes just to minimise available data and to possibly extend this for some event-based features in the future.

It seems to me you could achieve this without the hash/place IDs by just having Alice send the server a message when she enters a location Bob is subscribed to, and having the server do a push notification. That way, the server knows Alice entered a geofence, but not which geofence. I thought about using FCM to wake devices to make background pings more reliable (https://github.com/danmarg/where/blob/feat/fcm/docs/fcm-wakeup.md), but the privacy trade-offs we are talking about seem to me somewhat unavoidable–even if the messages are zero content (unlike yours), they still leak metadata in an undesirable way.

Probably would be better if those hashes were per member as well.

Yep, I'm happy to talk through these design issues a bit more. Maybe drop me an email?
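The post-compromise security point made in the thread (epoch keys derived from the IK/MK versus a DH ratchet), as an added simulation that is not code from either project: a toy DH group, a constructed master key and a simulated device dump are all assumptions, and a real implementation would use X25519 as Signal's double ratchet does.

```python
import hashlib
import secrets

# Toy DH group, constructed for this illustration only: M127 is prime, but a
# 127-bit group is far too weak for real use (a deployment would use X25519).
P = 2**127 - 1
G = 3

def kdf(label: bytes, *parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join((b"ratchet-demo", label) + parts)).digest()

def keypair() -> tuple[int, int]:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def master_key_epochs(master: bytes, n: int) -> list[bytes]:
    """Scheme A: epoch keys are a deterministic function of the long-term key,
    so whoever learns it (e.g. via the password) can recompute every epoch."""
    return [kdf(b"master", master, b"epoch-%d" % i) for i in range(n)]

def ratchet_step(chain: bytes, my_priv: int, their_pub: int) -> tuple[bytes, bytes]:
    """Scheme B, one step: mix a fresh DH secret into the chain key.
    Returns (new chain key, this epoch's message key)."""
    shared = pow(their_pub, my_priv, P).to_bytes(16, "big")
    new_chain = kdf(b"chain", chain, shared)
    return new_chain, kdf(b"epoch", new_chain)

def dh_ratchet_epochs(n: int) -> tuple[list[bytes], list[tuple[bytes, int, int]]]:
    """Run n epochs with fresh ephemerals. Also records what Alice's device held
    during each epoch: (chain key, her ephemeral private, Bob's ephemeral public)."""
    chain, keys, states = kdf(b"root"), [], []
    for _ in range(n):
        a_priv, a_pub = keypair()
        b_priv, b_pub = keypair()
        states.append((chain, a_priv, b_pub))
        chain, key = ratchet_step(chain, a_priv, b_pub)
        assert key == ratchet_step(states[-1][0], b_priv, a_pub)[1]  # Bob derives the same key
        keys.append(key)
    return keys, states

def device_dump_recovers(keys, states, i: int) -> tuple[bool, bool]:
    """Attacker dumps Alice's device during epoch i (transient compromise). Can they
    compute epoch i's key? Epoch i+1's key (the post-compromise security question)?"""
    chain, a_priv, b_pub = states[i]
    next_chain, key_i = ratchet_step(chain, a_priv, b_pub)
    # Epoch i+1 needs an ephemeral private generated after the dump; with only the
    # leaked chain key the attacker can do no better than substitute their own.
    _, guess = ratchet_step(next_chain, keypair()[0], states[i + 1][2])
    return key_i == keys[i], guess == keys[i + 1]
```

Scheme A returns the same epoch keys to anyone holding the master key, while in Scheme B a dump taken during epoch i recovers that epoch but not the next one; alerting on new session establishment is still needed, as the thread notes, because the ratchet does not by itself detect a replaced device.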