Comment by tadfisher

> You need to allow it in settings, you need to enable developer mode, you need to agree to each individual source as a trusted source. If people are still blaming malware on this, when malware exists in the actual Play store, then they're delusional.

To be fair to the security folks at Google, people will follow these steps like clockwork. The only thing they care about is getting the app on their device.

The root cause of all of this: banking/finance/payment apps figure they can trust your device, because no one has regulated a universal trust root into existence. Google encouraged this with SafetyNet/Play Integrity, and convincing Visa/MasterCard that devices can be trusted for contactless payments.

Now there's one gaping hole left: you can still install unverified software from anywhere, and said software will use all tricks possible to convince users to grant accessibility permissions and give up the keys to the kingdom. There have been many attempts over the years to make this harder, but malicious apps are getting even more sophisticated, to the point of installing shortcuts to entire fake versions of your banking app on the home screen.

So Google is being pressured by governments and markets to make it harder to produce installable malware, when a better way to prevent malware while protecting user freedom is already here: passkeys. You cannot steal passkeys with a third-party app, no matter what tricks you try, because they are tied to domains and APK signatures. Stop trusting stealable credentials and you stop needing to trust the entire hardware and software stack behind the app calling your backend.