Comment by ramshanker
3 months ago
Anecdotal: I used to believe in this "freedom to install". Then my father got scammed (~$1000) in the name of Electricity recharge. The APK was sent over WhatsApp. Now I am not so sure how to implement this freedom. At the bare minimum there has to be big red warnings.
One thing which can immediately improve security is forbidding SMS read access forever. Just like Apple does. No App should be able to read SMS.
So your father:
1. Downloaded a weird file from a stranger
2. Went to the settings and about phone screen
3. Tapped the thing 5 times to activate developer mode
4. Activated installing from third party sources despite the warning there
5. Installed the APK
May I suggest the problem is not that this is possible, but a lack of education? If your father is the type that would jump into the bathtub with a toaster because someone on whatsapp told them to do so, I am afraid it is not the existence of toasters that is the issue.
Yes, education around these scams and their methods could be better, but there is also a reason they target the elderly and vulnerable. Unless something else terrible happens, I assume I will count in one or both of those groups eventually. I feel like when I get there, I would appreciate empathy rather than disdain, if I were ever taken advantage of.
Regardless, you do not actually need to enable developer settings to install APKs from unknown sources (at least, not on my Samsung). When you open an APK from within another app (e.g. Google Drive or WhatsApp), Android "helpfully" forwards you straight to the relevant security settings page, allowing you to immediately toggle the "Install unknown apps" permission for that specific app. It's a streamlined flow, only a couple of taps, no scrolling/searching/reading, therefore likely easy to coach a victim into performing.
So, I expect what the Android team is alluding to in the original post is to enable additional friction like you describe.
One does not need to enable developer mode to install a 3rd party APK.
eh, think this is a bit much to ask. Are we going to educate a majority of the baby boomers who just never got a feel for how technology works? Yeah, my Dad also just got scammed by a phishing scheme on his PC (and if a scammer had walked him through how to install an apk on his phone, he'd probably do that too).
In my humble opinion, in the design of a UI or any type of system, kind of have to go where the users take you to some degree. And Android, being an OS for consumer devices, should be geared toward the masses and the mistakes they'll make.
Should we ban refilling your own car's oil because some idiots keep filling coolant into it?
I worked in IT support and I am deeply aware of the issues people are having. Some issues are systemic (aka bad design) and those should be fixed. Other issues are human.
It may not seem like it, but I have the patience of an angel, because I remember when computers were new to me. I like people to understand. Understanding is power. But when I did work in IT support I saw some things. Grown adults repeatedly clicking away error messages without reading them while I stand and watch over their shoulder. When I ask them what their error message read they say they don't know. Then we read it together and they go: "Ohhh".
Yeah. Ohhh. You have a weird error that prevents you from working and there is a red error message and you don't bother to read it. That isn't a technological problem, that is an educational problem.
I stand by what I said, we cannot dumb down our system because people don't care, are lazy and act dumb. Because that leads to a cycle where it gets ever dumber and lazier all while making life hell for people who are not dumb or lazy.
If you want to use a car you need to know certain things. Same is true for digital systems, the internet, a smartphone, a toaster, a hair dryer, a knife, a simple plastic bag, etc. The solution is education, not dumbing down the world.
I wrote a longer post about that elsewhere but there is morally no good justification to restrict everyone else's devices just because a small minority falls for scams. This is a very principal issue in a free society and in most societies we allow all kinds of individual risk taking because we believe that adults should make their own choices even if that means that some people sometimes make mistakes.
On a side note, it is technically very feasible to help antivirus and security software makers to lock down phones for people who would benefit from it. For example, you could have a strict whitelisting approach for vulnerable users (e.g. elderly, bitcoin entrepreneurs, annoying kids, Google engineers) who prefer it that way, making installation of arbitrary software impossible. Giving up choices voluntarily is fine, taking away choices by force is not fine.
> The APK was sent over WhatsApp.
Why did your father enable installing APK packages from third party sources? That's a setting buried deep inside the developer settings, which themselves have to be activated with a very arcane manipulation.
I believe this only works this way on some Android forks, iirc you are talking about Samsung. Stock Android would show a warning "do you want to install apk from this app?" and lead you to a settings page that enables apk installs from this particular app. No need to separately enable the ability to install apks in general.
I always thought this is a very weird flow, it adds hoops yet accomplishes nothing because the hoops are all trivial and the same for every app.
This is also how it works on my Samsung Galaxy S21. There's no need to enable developer settings.
> No App should be able to read SMS.
I disagree - one feature in KDE Connect that is super useful is being able to forward your notifications, including your text messages. This would also harm non Android smartwatches, such as the recently revived Pebble.
There seems to be a whole market of Google Play developer accounts and apps for sale, developers like myself regularly get emailed by scammy companies offering to buy the account or to publish an app, and malware is regularly found on Google Play[0]. There's no reason to believe that bad actors would be stopped by install restrictions if their scam is effective enough to overcome the financial hurdles.
[0] https://www.bleepingcomputer.com/news/security/malicious-and...
The built-in Android SMS app seems to be horrible in every incarnation I've seen. The one that comes with the Pixel, the one Samsung has. Some may like it, but I can't stand them. I tend to install my own SMS app in each case, and I don't use computers to be locked into something I don't prefer.
It's my tool. Mine. I'll do with it as I please.
I agree there are issues. But preventing installs isn't the answer, just like removing all windows and doors from a house isn't the answer to neighbourhood crime.
I'd be more inclined to say the problem is allowing apps to be funded by advertising. If all apps were paid apps, and using personal data in any way was immensely, "thrown in jail" illegal, then you'd find yourself approving access to contacts, SMS, PII quite rarely.
It would really stand out in such a case.
"What?! I've been using my phone for 10 years, and some app wants to see my contacts. Why?? No one reputable asks for that, ever!"
So much of the problem with the internet is that PII is paying the way.
On GrapheneOS, when I install anything, it flat out asks me if I want to give it internet access at all. SMS could be the same way. Off by default, try to grant it, big warnings.
At a certain point, if you have big warnings saying "Are you serious?!" and people turn it on, it entirely ends up being the end user's fault.
- warning - SMS read access
So you do know - inform users, increase privacy,...?
Genuinely curious: would you mind telling more about how your father got scammed and how the adversary managed to get your father to install an app from WhatsApp?
I receive all my SMS messages through a separate app, because my SMS provider is not my TelCo. Please propose solutions that will not harm people like me.
For real? No thanks, I'd like to keep my SMS app.
Freedom and protecting tech illiterate people are not mutually exclusive.
Our right to choose to install software on our own devices should not be encroached on because over-trusting elderly follow scammers' instructions.
We can protect people like your dad with an opt-in system like parental controls. Have a responsible family member lock the system down however you deem fit.
Sounds like an iPhone is the better option for your dad.