Comment by ozim

20 days ago

Tell that to all those assholes that are making malware and scamming society on billions.

Most users are not able to keep themselves safe on the internet - they want to install all kinds of crap without thinking too much.

All of this is companies making it possible for the average Joe to just click links, install any kind of crap and still be somewhat secure.

This is not related to malware or scams, and using that is nothing but a PR smokescreen.

While Android is vulnerable, especially to user stupidity, people mostly get scammed by fake credit card charges or by giving access to their notifications and contacts allowing for spam.

And yes, while there are "infected" APKs for popular apps, this again isn't the case here.

The real case here is money.

Apple earns $27B from commission on apps, while Google earns about $3B. Why?

Because Android users are "less willing to pay", which includes pirated APKs and "unlocked" app versions. Eliminating the possibility of using these for 99% of the people will be enough to force them to pay for that app/service in the end, raising the Play Store revenues.

Do not trust Google when it comes to "doing it for the user" - their mission is to establish as strong of a monopoly on the platforms and extract as much value as possible. They spent more money on lawyers & policy lobbyists in the last 10 years trying to keep Android closed than some S&P500 companies are worth.

  • Their incentive is even stronger: most users of ReVanced for example unlock YouTube, which belongs to Google. In that case we are talking about 100% revenue loss, not 30% app commission. This goes for NewPipe, etc.

    I wonder if OsmAnd, Termux, F-Droid would survive this or will be casualties. Who will authenticate for a decentralized open source app that has 100 active contributors?

    • Exactly, especially when Google can revoke your account or keys at anytime.

      Basically this gives Google a way to blacklist any app you release now, in or out of the Play Store, for the sake of "security".

      It's just about control and finally squashing the apps that aren't to Google's taste.

    • I can't imagine that ad blockers or ReVanced have any real impact on YouTube. I'm the only one I know using either. So that's 1 in about 300 maybe?


  • Well of course they are not "doing it for the user" but that would be a different discussion if scams and malware were out of the picture.

  • Doesn't this kill two birds with one stone?

    Forcing users to pay for apps rather than install pirated APKs and unlocked apps both raises Google's revenue and reduces the risks of malware and scams.

    The consequence is, naturally, that the savvy users who know how to avoid risks lose the ability to have more control over their phone.

    • This assumes that Google actually does reduce malware and scams within their garden, but they do not. They are just as prevalent (perhaps more so) within the apps that Google certifies.

      So the only thing it kills is the risks to Google's revenue, not the risks to users' security.

  • My opinion on this changed as we helped elderly parents with declining capabilities. The internet is an extremely dangerous place for those less cognitively able.

    It is extremely hard to live without the internet - it's almost impossible - everything from your bank to your doctor to restaurants to the barber that wants to be paid by Venmo. Taking away your parent's internet connection is even harder than taking away their driver license. (And also more isolating.)

    There is no law enforcement; there's no consequence for scammers; there's no technology stack that is safe for the less able. It's a brutal Wild West where the weakest are attacked without recourse, flooded with misinformation and lies, and targeted by significant financial scams.

    • Okay and how does play protect and play integrity prevent this? Anyone?

      Hint: it does not. Look around the play store, it's 80% malware and scams.

      Why is this the case? Because it has to be or Google goes bankrupt. Google is an inherently parasitic company. They make their money off of advertisement, scams, and con jobs. The more shit the digital world is for you, the better for them. You will always have an adversarial relationship with Google.

      They don't want ads that don't lie. They don't want apps that are honest. They don't want to limit notifications. They don't want to get rid of email spam.

      The reason Apple devices are so much more pleasant for everyday use and there are so many fewer scams and less adware isn't because Apple is a saint. It's because ultimately Apple doesn't give much of a fuck if they screw over con artists, because that's not the thing keeping them from bankruptcy.


    • Yes, but this doesn't do anything at all to prevent this.

      I've helped elderly family members and non-techie ones who barely know how to open a Facebook account - none of them had "malware apps" installed. Their problems were mostly these:

      - Websites asking for notification permission just to spam with unrelated malware or porn notifications

      - Their calendars being filled with events that are nothing but links to porn or gambling sites, leading to constant notifications

      - Apps that don't work yet are filled with ads - blood pressure meter on your phone, sugar level measurements, step trackers - filled with ads and trying to get $1000 purchases

      - An app actually being a launcher filling your screen with ads.

      - Hell, even I, as someone who has deep intimate knowledge of Google Play Billing, got scammed by an app when upgrading from their weekly to their monthly offer, with them now charging both.

      Google can intervene at any point here, they have reviewers, they control the store, they control the browser, hell, they basically control the device. And they have rules and policies for it, but it's convenient for them to ignore it. They have their cash cows and will fight tooth and nail to protect them as long as it makes them profit.


    • I set my parents up with a computer and locked it down nice and good. A few months later they called me asking me about this full screen message they couldn't figure out how to make go away that was demanding they call Apple or Google for tech support.

      I was able to remote in and close it. Then I noticed the message saying uBlock Origin had been disabled in Chrome (because Google broke ad blocking).

      Thanks Google.


    • Driving is also extremely dangerous for the less cognitively able; that doesn't mean that we should let BMW decide where and when you are allowed to drive.

      We also don't trust old people to live on their own; that doesn't mean we force every adult into dormitories.


    • Then maybe it should be more opt-in. We're losing settings and configurability as time goes on. And like encryption it can be a one-way street, requiring a full reset to turn it off. That's open security. This is a cash grab.

    • You're describing the dangers of the open internet, but this is about the dangers of non-app-store apps. Android already makes it quite difficult to sideload non-app-store apps; certainly not something a tech-illiterate user could do by accident.

> Tell that to all those assholes that are making malware and scamming society on billions.

So like Google?

Software that acts against the wishes of the user is malware, let's not forget that.

  • Completely agree. We seem to have forgotten the word "spyware", I don't see it used anymore because it became the norm. But let's call things by what they are.

Exactly this; the vast majority of people cannot be trusted with root access. And for those that can, the majority won't need or want it.

While I do believe root access should be possible, it shouldn't be easy. Because I'm confident my dad, who wants to pirate F1 instead of paying for whichever overpriced premium streaming platform bought the rights this year, would root his iPad and install a dodgy stream player if it was easy.

> Tell that to all those assholes that are making malware and scamming society on billions.

And then? I don't know how many times I've downloaded APKs, including obviously malicious ones by accident. But not once has one ever been installed - not even when it was deliberate. The only way I ever 'sideloaded' anything is using 3rd party stores (just F-Droid and Aurora in my case), which themselves had to be installed via ADB after enabling developer mode. If you have that much skill, you're almost surely skilled enough to understand the security implications of sideloading and choose wisely.

And there is far worse malware available on the Play Store than anything on F-Droid repositories, if anything at all - anonymous or not. I hope you remember the SimpleMobileApps fiasco. People who installed it from F-Droid were safe from the malicious update, but those who did it from the Play Store were not, when the entire suite was turned into spyware overnight. Not to mention the Tea and Boxscore apps scandal. Neither would have made it into F-Droid. Google cares the least bit about security, if that isn't clear from the spyware that each new Android phone comes bundled with.

In all, Google's claim of security here is deceptive and farcical. The actual target is going to be the patched apps like ReVanced, root access software and anything else similar that allows the savvy user to escape the unfair and arbitrary limitations imposed by Google. The ultimate target is the users' pockets. This entire discussion is full of people reaffirming that conclusion. But scapegoats will be found and sacrificed regardless. Let's just not, for once. Google deserves the utmost and undiluted contempt and condemnation for their greed and their willingness to erode the consumer rights that underlie such dishonestly worded, hostile and unilateral decisions.

To install 3rd party APKs on Android involves deliberately removing some guard rails. You need to allow it in settings, you need to enable developer mode, you need to agree to each individual source as a trusted source. If people are still blaming malware on this, when malware exists in the actual Play Store, then they're delusional.

Right now, the average Joe can't click a link and install a 3rd party app. Meanwhile, you can install malware from the actual authorised sources, or even just come across a vulnerability in Chrome.

Keeping your devices up to date with security patches will save orders of magnitude more people from malicious software than stopping 3rd party app installation.

I occasionally develop Android apps for myself (mostly out of curiosity and experimentation, but sometimes out of a need for some particular functionality). I'm not going to apply for some developer permit and verification just to do this. I may as well buy a damn iPhone.

  • > You need to allow it in settings, you need to enable developer mode, you need to agree to each individual source as a trusted source. If people are still blaming malware on this, when malware exists in the actual Play Store, then they're delusional.

    To be fair to the security folks at Google, people will follow these steps like clockwork. The only thing they care about is getting the app on their device.

    The root cause of all of this: banking/finance/payment apps figure they can trust your device, because no one has regulated a universal trust root into existence. Google encouraged this with SafetyNet/Play Integrity, and convincing Visa/MasterCard that devices can be trusted for contactless payments.

    Now there's one gaping hole left: you can still install unverified software from anywhere, and said software will use all tricks possible to convince users to grant accessibility permissions and give up the keys to the kingdom. There have been many attempts over the years to make this harder, but malicious apps are getting even more sophisticated, to the point of installing shortcuts to entire fake versions of your banking app on the home screen.

    So Google is being pressured by governments and markets to make it harder to produce installable malware, when a better way to prevent malware while protecting user freedom is already here: passkeys. You cannot steal passkeys with a third-party app, no matter what tricks you try, because they are tied to domains and APK signatures. Stop trusting stealable credentials and you stop needing to trust the entire hardware and software stack behind the app calling your backend.
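The comment above argues that a passkey cannot be lifted by a look-alike app because the credential is bound to the relying party's domain and, on Android, to the signing key of the app that is allowed to use it. The block below is an added example, not code from the commenter, Google, or any bank; it shows the two halves of that binding with only the Python standard library: the Digital Asset Links fingerprint that ties a package and its signing certificate to the domain, and the server-side WebAuthn assertion checks (type, challenge, origin, rpIdHash) that reject an assertion produced under a different origin. The certificate bytes, the relying-party ID `bank.example`, and the package name are constructed placeholders; signature verification over `authenticatorData || SHA256(clientDataJSON)` with the stored public key is the step that follows these checks and is not shown.

```python
import base64
import hashlib
import json

# Constructed stand-ins for DER-encoded APK signing certificates (assumed).
# Real ones are X.509 DER blobs; only their SHA-256 matters for the binding.
GENUINE_CERT_DER = b"\x30\x82\x01\x0a-- constructed genuine bank signing cert --"
FAKE_CERT_DER = b"\x30\x82\x01\x0a-- constructed attacker signing cert --"

RP_ID = "bank.example"          # assumed relying-party ID (the bank's domain)
PACKAGE = "com.example.bank"    # assumed package name of the genuine app


def b64url(data: bytes) -> str:
    """base64url without padding, as WebAuthn encodes challenges and hashes."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def cert_fingerprint_hex(cert_der: bytes) -> str:
    """Digital Asset Links form: colon-separated upper-case SHA-256 hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def android_origin(cert_der: bytes) -> str:
    """Origin the Android FIDO2 client reports for an app signed with cert_der.
    The user cannot choose this value; it is derived from the signing key."""
    return "android:apk-key-hash:" + b64url(hashlib.sha256(cert_der).digest())


def asset_links(package_name: str, cert_der: bytes) -> str:
    """/.well-known/assetlinks.json served on RP_ID, binding package + key."""
    return json.dumps([{
        "relation": ["delegate_permission/common.get_login_creds",
                     "delegate_permission/common.handle_all_urls"],
        "target": {
            "namespace": "android_app",
            "package_name": package_name,
            "sha256_cert_fingerprints": [cert_fingerprint_hex(cert_der)],
        },
    }], indent=2)


def allowed_origins(cert_der: bytes) -> set:
    """Origins the bank's server accepts: its web origin and its own app."""
    return {"https://" + RP_ID, android_origin(cert_der)}


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes, allowed: set) -> bool:
    """Server-side checks of a WebAuthn assertion that precede the signature
    check: type, challenge, origin, rpIdHash (first 32 bytes) and the
    user-presence flag (bit 0 of byte 32)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != b64url(expected_challenge):
        return False
    if cd.get("origin") not in allowed:
        return False  # look-alike app or phishing site: wrong origin
    if len(authenticator_data) < 37:
        return False
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False  # credential scoped to some other relying party
    return bool(authenticator_data[32] & 0x01)


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What a client would produce as clientDataJSON for a given origin."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    """Minimal authenticatorData: rpIdHash || flags || 32-bit signCount."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + counter.to_bytes(4, "big"))


if __name__ == "__main__":
    challenge = hashlib.sha256(b"constructed server nonce").digest()
    allowed = allowed_origins(GENUINE_CERT_DER)
    print(asset_links(PACKAGE, GENUINE_CERT_DER))
    genuine = make_client_data(android_origin(GENUINE_CERT_DER), challenge)
    fake = make_client_data(android_origin(FAKE_CERT_DER), challenge)
    print("genuine app:", check_assertion(genuine, make_auth_data(RP_ID), challenge, allowed))
    print("look-alike app:", check_assertion(fake, make_auth_data(RP_ID), challenge, allowed))
```

The look-alike app in the comment fails at the origin check: it is signed with a different key, so the platform reports a different `android:apk-key-hash:` origin that the server never listed, and nothing the user taps inside that app changes it. A phishing site fails the same way through its `https://` origin, and a credential registered for another relying party fails the rpIdHash comparison.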

Google themselves promotes malware - take a look at the Play Store. Adware, adware, adware, name meant to confuse people, more adware, probably has a keylogger, adware adware, probably steals your data, adware adware.

For fuck's sake, Meta is at the point they're pulling malware tactics to sell ads.

Circumventing permissions for app-to-browser talking? Really? FOR ADS? That's where we're at?

I'm over it. Anyone who thinks this has even the faintest thing to do with malware is legitimately delusional. Not misinformed, delusional.

Malware is not a huge problem that requires restructuring the entire ecosystem to be closed and authoritarian. Nobody I know has ever had problems with malware or scams on Android.

This has nothing to do with malware, and has everything to do with locking down the Android ecosystem to keep out competitors to Google's services.

Take away all these freedoms and users will still get scammed. It doesn't help and it's not the real point.

I know literally 0, 0 people who have installed malware or had their smartphones hacked in their lifetimes.

The very few I know that have had this happen were all computer users, and virtually all victims of social hacking such as "hey, I'm from the IT department, sending you an email, could you please...". A friend of mine exposed sensitive data of thousands of customers of her bank like this.

  • Well, as someone working in a department that also has fraud detection responsibilities, the number of users that lose tons of money because of scam apps, spoofed apps, identity stealing apps, is big. Like insanely big. I am all for it that these apps get significantly harder for the average Joe to install or run on their phones.

    It's a considerable number well into the 8 figures $/year that we have to cover. (Granted, this number is not specifically smartphones, it also includes desktops, but I know smartphones are the bigger piece nowadays.)

    (Insuring this is near impossible; there is always a large part of the risk we have to pay ourselves and cannot cede to a reinsurer.)

    • The problem isn't Play Protect or whatever the fuck, because 80% of the Play Store is malware, adware, and spyware anyway.

      The problem is actually Google and other big tech.

      Let's consider: why are users installing so many apps?

      Because, on desktop, this doesn't happen. We don't ask people to download and run an EXE to look at their friend's funny cat photos. No, we open the web browser.

      The reason we have so many apps on mobile is because we require the malware. Google requires the malware. We need to be able to run privileged and unsandboxed code on users' devices, and this is the world that Apple and Google have created.

      Users shouldn't be fucking downloading apps for 90% of the stuff they do anyway - including the non malicious apps! But they do, because they have no choice.

      Think about it. Provide a web interface and miss out on juicy spyware? Or install executables on your customers systems? Apps are far too enticing for big tech.

  • … who know about it.

    • > scamming society on billions

      So somehow my friends and family got hacked, lost money, but don't know about it?

      Actually, I know of one case where my mom got billed for Airbnb even though she didn't book the ticket, but I'm pretty sure I had her password in a text file, so it might've been me that got hacked on my PC.

      Airbnb refunded her and then she had no more issues. So 1 case in my entire life, and it probably wasn't on a mobile device.


You don't have to prevent root access. You just have to inform the user of the risks, void warranties if you want, but let users do whatever they want with the hardware that they own.

  • > "void warranties if you want "

    Please don't push the Overton Window any further. Installing my own software on my own PC should never void the hardware vendor's warranty. That delegitimizes the core concept of a PC.

    (A horrific possible dystopia just flashed through my mind: "I'd love to throw out Chrome and install Firefox so that I could block ads, but, the laptop is expensive, and I can't afford voiding the warranty". I bet Google would *love* that world. Or, a UK version: "I'd love to use a VPN, but, regulation banned them from the approved software markets, and anything else would permanently set the WARRANTY_VIOLATED flag in the TPM").

    • This is where it's heading, and I see this as the real driving force behind secure boot on x86_64.

    • It depends on what your software does; if it removes hardware protections then your warranty should be voided. Of course, those protections are either in hardware or impossible to remove, like emergency cooling / lowering voltage when stuff overheats.

  • > You just have to inform user of the risks

    Warnings aren't always enough, sometimes we have to lock people down and physically prevent them from harming themselves.

    It's not always people being stupid. I recall reading an article by someone who got scammed who seemed generally quite knowledgeable about the type of scam he fell for. As he put it, he was tired, distracted, and caught at the right time.

    Outside of that, a lot of the general public have a base assumption of "if the device lets me do it, it's not wrong," and just ignore the warnings. We get so many stupid pop-ups and seemingly silly warning signs (peanuts "may contain nuts") that it's easy to dismiss this as just one more example of the nanny state gone mad.

    • Please read again the sentence you just typed.

      > We have to lock people down and physically prevent them from harming themselves.

      You can apply this argument to literally anything, and taken to its logical conclusion, this is exactly what will happen.


    • > sometimes we have to lock people down and physically prevent them from harming themselves

      Seriously ill people as an exceptional last resort though, right? Or just everyone?


  • Even if it's illegal? (like transmitting on forbidden frequencies)

    It's not always the user who's installing software. Lots of people depend on other people to manage their devices. Manufacturers like the hardware they delivered to be trusted so users trust it regardless of who handled it.

    • I always hear this as the excuse, but it is ridiculous. If the user wants to transmit on "illegal" frequencies, all he has to do is change the country setting in his Wi-Fi router, et voilà, illegal transmissions.

      The entire Android OS has about as much access to radios as your average PC, if not less. In fact, even on recent Android devices, wireless modems still tend to show up to the OS as serial devices speaking AT (Hayes) commands (even if the underlying transport isn't serial, or even if the baseband is in the same chip). Getting them to transmit on illegal frequencies is as easy or hard as getting a 4G USB adapter to do it.

    • At least in EU, transmitting is illegal, having hardware to transmit is not.

      That's why people can buy TX/RX SDRs and Yaesu transceivers without a license.

      AFAIK, in the radio amateur world, serious violations of frequency plans are rare and are usually quickly handled by regulators. OTOH, everyone is slightly illegal, e.g. transmitting encrypted texts or overpowering their rigs, but that's part of the fun.


    • > Even if it's illegal? (like transmitting on forbidden frequencies)

      That's not relevant here. If frequencies are illegal, it should be impossible to program it in such a way. But even otherwise, it's the responsibility of the user to follow local laws. If I have a PTT phone, it's not legal for me to use forbidden frequencies just because it's possible. Why do these manufacturers care about what doesn't concern them when they violate even bigger laws all the time?

      > It's not always the user who's installing software. Lots of people depend on other people to manage their devices.

      That should be up to the user. Here we are talking about users who want to decide for themselves what their device does. You're talking as if giving the user that choice is the injustice. Nope. Taking away the choice is.

      > Manufacturers like the hardware they delivered to be trusted so users trust it regardless of who handled it.

      I see what you did here. But here is the thing. Securing a device is not antithetical to the user's freedom. That was what the secure boot chain was originally supposed to accomplish, until Microsoft managed to corrupt it into a tool for usurping control from the user.

      Manufacturer trust is a farce. They should be delegating that trust to the user upon the sale of the device, through well-proven concepts as explained above. They chose to distrust the user instead. Why? Greed!


    • Especially if it's illegal (like speaking against the government, in some countries).

      Maybe this is a bit of a hot take, but I think any government that has the ability to absolutely prevent people from breaking the law is a government with far too much power. I'm all in favor of law enforcement, but at some point it starts to cross over the line from enforcement to violation of people's free will.

  • Yes, very clear warnings; I could live with a small permanent icon in the status bar (via the GPU firmware) etc. But absolutely should not void warranties (overclocking might but never just root).

  • I don't think users understand the risks. I'm broadly accepting of the protection of end users through mechanisms. People's entire lives are managed through these small devices. We need much better sandboxing to almost create a separate 'VM' for critical apps such as banking and messaging.

  • The problem is the Dunning-Kruger effect.

    The people who shouldn't disable these security features tend to be the first to do so. And then complain the loudest when they enter the "find out" phase.