Super short TLDR: I looked at three barcode-scanning boycott apps. "Boycat" and "Boycott for Peace" have reasonable network traces, but loading images exposes your IP to third parties. "No Thanks" has no Privacy Policy, falsely claims to collect no data, and makes numerous unnecessary calls to Facebook and Google.
Longer TLDR:
The iOS versions of these apps were analyzed in February.
"Boycat" and "Boycott for Peace" expose your IP to some third parties to load images, and have similar features. Both are good and easy to recommend, but Boycat has an overly broad Privacy Policy and a Terms of Service which includes Arbitration.
Boycat aims to be a more general-purpose boycotting platform, whereas Boycott for Peace is focused singularly on the BDS movement.
"No Thanks" makes many tracking calls to Facebook and Google and has integrated advertisements. It offers no compelling features over Boycat or Boycott for Peace, and cannot be recommended. Further, it does not have a working link to a Privacy Policy, and falsely claims "No Data Collected" on the iOS App Store.
Boycotting a corporation is hard to do when there are so many corporations to keep track of.
There are a number of apps coming out lately which promise to make it easier to participate in BDS boycotts. Thirty-seven US states have passed anti-BDS laws alongside Canada, France, Germany, Spain, and the UK. Given the US Government's long history of using apps to spy, such as with the U.S. Military buying location data from Muslim prayer and Quran apps, I'm one of those big skeptical privacy freaks. Apps, either through malice or unawareness, can leak huge amounts of data that can later be used to surveil and suppress people.
So I decided to take a look into these apps. I used mitmproxy to inspect and modify traffic between the app and the server for this analysis, but I did not touch the server or internal code in any other way.