EDIT: Not a scam, see git's comment below.
So I downloaded the No Thanks app, which claims to be a barcode scanner app to tell you whether a product is BDS-compliant. I heard about it after it made the rounds under the narrative of "zionists are mobbing this app with bad reviews saying it's a scam, download it and leave a positive review!"
However, after using it I suspect it might actually be a scam app. Here's why: if you scan a product it tells you whether it's on a boycott list or not. If it isn't on a boycott list, you have the option to press a button to tell them it should be. Then the possible scam kicks in: it pops open a browser window taking you to the gmail web login. Not OAuth, not opening the system mail app with a template mail, straight to the gmail web login screen where you are expected to input your username + password + 2FA. I got all the way to putting in my username + password before being prompted for 2FA and realizing what I was doing was fucking stupid. Changed my gmail password immediately afterward.
Does anybody have any info on whether this thing is legit? It seems like it would make a pretty obvious zionist astroturfing target. Also I scanned a container of tahini that literally said "Product of Israel" on the side and it said it was fine (which precipitated the above sequence of events).
The developer is a Palestinian, so I highly doubt it.
Here’s what’s actually happening:
If your OS lets you re-open the link in your regular signed in browser you’ll see that it reuses your session and then you can see the form. There’s nothing nefarious happening here.
Good analysis, thank you!