Comment by Intermernet

21 days ago

Installing 3rd party APKs on Android involves deliberately removing some guard rails. You need to allow it in settings, you need to enable developer mode, you need to agree to each individual source as a trusted source. If people are still blaming malware on this, when malware exists in the actual Play store, then they're delusional.

Right now, the average Joe can't click a link and install a 3rd party app. Meanwhile, you can install malware from the actual authorised sources, or even just come across a vulnerability in Chrome.

Keeping your devices up to date with security patches will save orders of magnitude more people from malicious software than stopping 3rd party app installation.

I occasionally develop Android apps for myself (mostly out of curiosity and experimentation, but sometimes out of a need for some particular functionality). I'm not going to apply for some developer permit and verification just to do this. I may as well buy a damn iPhone.

> You need to allow it in settings, you need to enable developer mode, you need to agree to each individual source as a trusted source. If people are still blaming malware on this, when malware exists in the actual Play store, then they're delusional.

To be fair to the security folks at Google, people will follow these steps like clockwork. The only thing they care about is getting the app on their device.

The root cause of all of this: banking/finance/payment apps figure they can trust your device, because no one has regulated a universal trust root into existence. Google encouraged this with SafetyNet/Play Integrity, and convincing Visa/MasterCard that devices can be trusted for contactless payments.

Now there's one gaping hole left: you can still install unverified software from anywhere, and said software will use all tricks possible to convince users to grant accessibility permissions and give up the keys to the kingdom. There have been many attempts over the years to make this harder, but malicious apps are getting even more sophisticated, to the point of installing shortcuts to entire fake versions of your banking app on the home screen.

So Google is being pressured by governments and markets to make it harder to produce installable malware, when a better way to prevent malware while protecting user freedom is already here: passkeys. You cannot steal passkeys with a third-party app, no matter what tricks you try, because they are tied to domains and APK signatures. Stop trusting stealable credentials and you stop needing to trust the entire hardware and software stack behind the app calling your backend.