Comment by notepad0x90
3 months ago
This is the worst of both worlds, you can spread your malware as a sideloaded apk just fine, but when it's so big that you're probably burned anyways, then you need to verify your account.
I think a better compromise would have been for google to require developer verification, but also allow third party appstores like f-droid that don't require verification but still are required to "sign" the apks, instead of users enabling wide-open apk sideloading. that way, hobbyists can still publish apps in third party stores, and it is a couple of more steps harder for users to fall for social engineering,because they now have to install/enable f-droid, and then find the right malicious app and download it. The apk downloaded straight from the malicious site won't be loaded no matter what.
Google can then require highlighting things like number of downloads and developer reputation by 3rd party appstores, and maybe even require an inconsistent set of steps to search and find apps to make it harder to social engineer people (like names of buttons, ux arrangements, number of clicks,etc.. randomize it all).
What frustrated me on this topic from the beginning is that solutions like what I'm proposing (and better ones) are possible. But the HN prevailing sentiment (and elsewhere) is pitchforks and torches. Ok, disagree with google, but let's discuss about how to solve the android malware problem that is hurting real people, it is irresponsible to do otherwise.
It's not super clear from the post, but if I read it correctly there are two modifications suggested.
What you describe as "worst of both worlds" is about point 1. I'm not sure point 2 is powerful enough to suppor things like f-droid, but again, we'll see.
malware are good at getting users to click past scare screens unfortunately. this isn't a solved problem, even with desktop browsers.
If you don't look both ways when you cross the road, then you may get hit by a car. The solution is to pay attention.
It's acceptable to build a system where human error can lead to catastrophic consequences, even death. Every time you go outside you encounter many of these systems.
Not everything in life can be made 100% safe, but that's no reason to stop living.
2 replies →
There are definitely things you could do to improve it though. E.g. you can't activate "I know what I'm doing" mode while on the phone or for 1 hour after a phone call. Someone else suggested a one-day cooldown.
Also for the specific scam they mentioned, why do apps even have permission to intercept all notifications?? Just fix that!
1 reply →
> Google can then require highlighting things like number of downloads and developer reputation by 3rd party appstores
F-droid doesn't want to track number of installs because that is an invasion of privacy.
> require developer verification, but also allow third party appstores like f-droid that don't require verification
Now you've moved the problem from Google gatekeeping apps to Google gatekeeping app stores. We don't want either.
Then i guess you can't publish apps? One of those issues where i should be "writing to my congressman" or whatever I guess. the problem is real and people like you are being obtuse, unwilling to find a solution or a compromise. Something as simple as number of installs is an invasion of privacy? how? it's a number, you increment a counter when someone hits download, that's it.
Yeah, if google gets to have rules over what happens by apps that have their seal of approval. that's how seals of approvals work. you're not entitled to these things. you don't have the right to publish to the android platform, if Google, wary of anti-trust suits allows a 3rd party app store, it can institute reasonable requirements.
If an appstore is willingly hosting malware, should Google still provide their seal of approval? That was supposed to be rhetoric, but I wouldn't be surprised if you told me that they should.
This is willful ignorance, I only hope you educate yourself on the harms caused by malware and malicious actors and consider taking a practical approach to finding solutions instead of dying on every single hill.
> Then i guess you can't publish apps?
I want to distribute apps (someone might also want to simply sell them), not publish them
I don't need a publisher, internet is a publishing media already
> you don't have the right to publish to the android platform
then let me install an alternative OS on the HW i legally bought and own or pay me back.
> the harms caused by malware and malicious actors
life is full of people doing harms and malicious actors, but we don't let Google or any other company gatekeep our lives
4 replies →
How about the harms of fascist authoritarian governments that will use this functionality to ban any apps they don't like? Why do you people only care about malware and not essential fundamental freedoms that affect us every fucking day?
2 replies →
> people like you are being obtuse, unwilling to find a solution or a compromise.
How are people being obtuse for refusing to compromise for solutions on a problem which doesn’t exist?
You can’t misrepresent the situation, establish that one American company having absolute control on what people do with their devices is somehow the norm and then complain that people won’t meet you halfway.
1 reply →
> hobbyists can still publish apps in third party stores
I shouldn't need an internet connection just to make an app for a device I own.
Why do I need a store to install something on my phone that I own?