Comment by fragmede
5 days ago
But unfortunately, it turns out that some people you interact with aren't actually your friend. That guy that seems totally legit and just wants your sister to install his fun little game/app that he wrote is actually trying to get her to install an app that's going to track your location and read all your messages and copy all your photos. To keep her safe from the "actually" bad people, of course.
By default their app cannot though because Android uses proper sandboxing and gated API access. So you actually have to give the app location access, access to your messages and access to your photos.
Well, unless you use one of the many crappy Android devices that never get security updates, are running old kernels, old vendor security patch levels, miss all Android security patches, except applying the backported security bulletins every three months (1-2 months late). Yet, Google is happy to certify them as Android devices.
It was never about security, it is about control. If it was about security, they would have revoked the GMS licenses of pretty much every vendor outside Google themselves and maaaaybe Samsung, until vendors actually started caring about security. If it was about security, there would not be as many scam apps in the Play Store itself.
Back to your sister, the proper solution is to educate her (and everyone else) not to give apps unfettered access when they ask you to, plus let Google implement more security measures that systems like GrapheneOS already have (contact scopes, sensor permissions, network access permissions, etc.).
The tricky bit with that is it would get a monopoly lawsuit from manufacturers with a lot more money to throw around quickly. The biggest problem in improving Android security posture is getting manufacturers to have robust security and release updates without getting monopoly lawsuits.
It also doesn't help that mobile carriers can delay updates for months. Thanks T-Mobile.
It also doesn't help that "robust security" often is the problem in the first place.
People forget to ask the most important question: security for whom, and from what.
You mean those crappy devices that let me record my phone calls and let the voice recorder continue recording the lecture even when the screen is locked?
> going to track your location and read all your messages and copy all your photos. To keep her safe from the "actually" bad people, of course.
The guy's name? Google. ;-)
Actually, what Google does is totally legit because they pester you constantly about "sharing your location/photos/installing Gemini" until you accidentally press yes, and they can say they have your consent. So they are actually the good guys.
I concur, and find it abhorrent. And wish more people would kick up a stink about this. We need a publication or channel that talks about rights like this. I don't know of any that do a decent job. I donate to my local best option.
As opposed to the Play Store where you search for "ChatGPT" and end up on a scam app which reads all your messages and copies all your photos?
And that example isn't random, I just tried and the first result for me is a counterfeit app with the logo of ChatGPT copied.
> That guy that seems totally legit and just wants your sister to install his fun little game/app that he wrote is actually trying to get her to install an app that's going to track your location and read all your messages and copy all your photos.
Is "that guy" in the room with us right now?
No. Thankfully the FBI caught them and they're in prison now.
So, what you're saying is that Google should work on better privacy controls. Right? Right???
Let's ban passwords because you could give me your password
Hilarious example to use, because that literally is an effort that’s underway.
Thousands of people get scammed and have their lives ruined every year, so deprecating passwords is absolutely the right move.
Yeah, no. The actual solution is:
1. Stop requiring computers/phones for everything. Your 91 year old grandma isn't going to make her way through your super cool very intuitive 2FA magic link email confirmation system, and I don't WANT to make my way through your super cool very intuitive 2FA magic link email confirmation system.
2. Teach the people who need to use computers how to use them.
That's why passkeys were introduced. Cannot phish them.
Which is a problem because sometimes you need to.
The industry still doesn't understand the concept of delegation of authority and the fundamental role it plays in everyday life.
It also doesn't understand the idea of people making mistakes and the need to have robust recovery paths either.
Forced "Log in with a magic link!" wants to say hello