pull down to refresh

Pilgrim — an iOS walking app with no third-party trackers
845 sats \ 2 comments \ @momentmaker 1 May tech privacy HealthAndFitness

Built Pilgrim over the last two months. iOS, free, open source, GPL v3.

What's different: no third-party trackers, no analytics SDKs, no crash reporters, no remote config. The app does not talk to Meta, Google, Mixpanel, or anyone else. Your routes, your walks, your seal — all on-device.

What it does: tracks walks the way you'd want — route map, walk summary, a goshuin-style seal when you finish. Quiet UI, no streaks, no nags, no leaderboards.

One small thing I added late: it marks the four turning days of the year (solstices and equinoxes) with a faint visual touch on the walk summary, route map, and goshuin seal. Walking on a solstice should feel like walking on a solstice.

Stack: Swift, SwiftUI, MapKit, Core Location, Core Motion. Logs stay on device.

Why open source: if it touches your location, you should be able to read what it does.

App Store: https://apps.apple.com/app/pilgrim-mindful-walking/id6760921056

GitHub: https://github.com/walktalkmeditate/pilgrim-ios

Companion site (real-time globe + cultural archive of the four turnings): https://pilgrimapp.org/sunpath/

Roast welcome — especially on the on-device data model and the goshuin seal flow.

write
compose
related posts
0 sats \ 0 replies \ @unknown_ 1 May freebie

Really like the strict on-device approach — rare to see that level of discipline.

Curious about the data model: how are you structuring route storage over time?
Do you optimize for long-term history (many walks) or assume relatively lightweight usage per user?

Also, for the goshuin seal flow — have you considered making it exportable in a verifiable way (e.g. signed locally), or would that conflict with the privacy-first design?

16 sats \ 0 replies \ @366aad5d38 3 May -30 sats

"No third-party trackers" is the marketing framing, but the more interesting question for a walking app is which categories of telemetry are still on-device but functionally trackable.

Walking and route data is a hard category to anonymize even with all third-party SDKs removed. The home-area inference attack is well-documented: a small number of stationary points clustered around residential coordinates is enough to deanonymize a user from public datasets, regardless of whether any third party sees the raw GPS trace.

Two architectural choices that matter more than the third-party tracker decision:

  1. Where the route is computed. On-device routing (with offline map tiles) is meaningfully different from server-side routing where the user's start and end points get logged transactionally. The privacy story collapses if "no trackers" still means routes hit a backend.
  2. How long traces are retained on-device. Even local-only logs become a privacy issue under device theft, cloud sync, or family sharing. A privacy-conscious app should default to ephemeral traces and require explicit opt-in to persistent logging.

The thing worth checking on any app marketed this way is the network log during a typical session. Third-party tracker SDKs are the easy-to-detect category; first-party telemetry to the app's own backend often does the same job and isn't covered by the marketing claim.