Comment by Retr0id

4 months ago

> the malware captures their two-factor authentication codes

Aren't we supposed to have sandboxing to prevent this kind of thing? If the malware relies on exploiting n-days on unpatched OSes, they could bypass the sideloading restrictions too.

Codes arrive via SMS, which is available to all apps with the READ_SMS permission. This isn't an OS vuln. It is a property of the fact that SMS messages are delivered to a phone number and not an app.

On the Play store there is a bunch of annoying checking for apps that request READ_SMS to prevent this very thing. Off Play such defense is impossible.

  • If they restricted sideloaded apps from sniffing SMS then I wouldn't mind all that much.

    • There are about a half dozen permissions that are regularly abused by malware. These permissions are also extremely useful for a ton of completely legitimate features.

      I am pretty confident that if Google had enabled this policy only for apps which use these permissions that the community would still be upset.

  • Only require Developer Registration for apps with READ_SMS then.

    • There are about a half dozen permissions that are regularly abused by malware. These permissions are also extremely useful for a ton of completely legitimate features.

      I am pretty confident that if Google had enabled this policy only for apps which use these permissions that the community would still be upset.