Comment by idiotsecant

3 days ago

I think you've omitted the next section, which seems more relevant. It seems like they will still allow installs, just hide it behind some scare text. Seems reasonable?

> It seems like they will still allow installs, just hide it behind some scare text.

This was already the case for enabling sideloading at system level: it warned you. Nobody really says having this toggle is a bad thing; basically the user shouldn't get an ad network installing APKs just browsing around the web without their informed consent (and Android has been found to be vulnerable to popunder style confirmations in the past).

They also already had the Play Protect scanning thing that scans sideloaded APKs for known malware and removes it. People already found this problematic since what's to stop them pulling off apps they just don't like, and no idea what, if any, telemetry it sends back about what you have installed. There have been a handful of cases where it proved beneficial pulling off botnet stuff.

Finally, they also have an additional permission per-application that needs to be enabled to install APKs. This stops a sketchy app from installing an APK again without user consent to install APKs.

The question is: How many other hurdles are going to be put in place? Are you going to have to do a KYC with Google and ping them for every single thing you want to install? Do you see how this gets to be a problem?

The whole point of TFA, if you read it, is that they SAID they would do that, but there has since been ZERO evidence that they actually will. This feature is not present in anything they have released since that statement.

Why is it reasonable that installing software is behind an "advanced flow", whatever that means? I find it not very reasonable at all that the only way to install software on my phone is by jumping through hoops. I don't think it reasonable that the Play Store is the only portal. I don't even find it reasonable to call installing software "sideloading". Downloading and installing software from a vendor's page has been the norm for decades before smartphones came along, but all of a sudden when it is on a small screen the user cannot be trusted? That's ridiculous and not at all reasonable.

  • It's not the screen size, it's the demographic shift. By 2000, only half of U.S. households had a shared living room PC, mostly for work and/or games. Everybody having a phone in their pocket later was a change that we did very much have to account for. Non-technical people can be scammed very easily into life-ruining mistakes with a little social engineering and a little bit of access to powerful tools already on their devices.

    I remember when big sites started having to put big banners in your browser console warning you that if you weren't a dev and someone told you to paste something there, you had been scammed, and not to do it. They had to do that because the average Facebook user could be tricked very easily by promises of free FarmVille items or the opportunity to hack someone else's account, and those are fairly low stakes bait. Now people bank with real money on their phones.

    • > Now people bank with real money on their phones.

      Maybe the real solution here is not to. Pay cash when you can (better privacy), else use a credit card. Other types of "banking" such as sending wires is best done on a big screen anyway. The idea that everything can and should be done on a phone is terribly misguided.

    • And yet the Play Store and App Store are the largest vectors of scams and malware out there, to the tune of billions of dollars a year.

      We should be prioritizing securing our systems so that they run only what we want them to run, instead of putting all of that trust in gatekeepers who make money when they let you get scammed.

No, because it isn't something that should be up to Google's control.

  • Why not? It's their operating system, and they're trying to balance quite a few competing priorities. Scammers are not a threat to dismiss out of hand (I've had family who were victims).

    For it to be truly considered open source, you should be able to fork it and create your own edits to change the defaults however you wish. Whether that is still a possibility or not, is a completely separate issue from how they proceed with their own fork.

> We are designing this flow specifically to resist coercion, ensuring that users aren't tricked into bypassing these safety checks while under pressure from a scammer. It will also include clear warnings to ensure users fully understand the risks involved, but ultimately, it puts the choice in their hands.

I've lived through them locking down a11y settings "to resist coercion, ensuring that users aren't tricked into bypassing these safety checks while under pressure from a scammer", and it's a nightmare. It's not just some scare text, it's a convoluted process that explicitly prevents you from just opening the settings and allowing access. I'm not giving them the benefit of the doubt; after they actually show what their supposed solution is we can discuss it, but precedent is against them.

> Seems reasonable?

No. As I said before, any solution that disadvantages F-Droid compared to the less trustworthy Google Play is a problem.

> It seems like they will still allow installs, just hide it behind some scare text.

That describes the current (and long-established) behavior. App installation is only from Google's store by default and the user has to manually enable each additional source on a screen with scare text.

It's deliberately written to be vague and not say anything, and given the original intention, it's hard to believe that means it should be interpreted generously.