Comment by kovek

4 months ago

What if we asked users if they want extra protection? I think that would be nice..

This is the status quo. APK installation is disabled by default, and there is a warning when you go to enable it.

  • It's not just the status quo, it's a nightmare to enable. Somehow between Google Play Advanced Protection and Google Account Advanced Protection I have to resort to several reboots and adb + USB debugging sideload to get an app loaded. @.@

  • The point is "a warning" is not enough to communicate to people the gravity of what they are doing.

    It is not enough to write "be careful" on a bag you get from a pharmacy... certain medications require you to both have a prescription, and also to have a conversation with a pharmacist because of how dangerous the decisions the consumer makes can be.

    Normal human beings can be very dumb. It's entirely reasonable to expect society to try to protect them at some level.

    • OK so make the warning more annoying. Have a security quiz. Cooldown period of one day to enable. Require unlock via adb connected to laptop.

      There are alternative solutions if the true goal is maintaining user freedom while protecting dumb users. But that is not the true goal of the upcoming changes.

    • Sure, but I don't think decreasing chances of scam-by-app on Android by some minuscule amount is in any way comparable to prescription drugs.

You can add 5 layers of "are you sure you want to do this unsafe thing" and it just adds 5 easy steps to the scam where they say "agree to the annoying popup"

  • You could even make this an installation-time option. If you want to enable the switch afterwards, you have to do a factory reset. Then, the attackers convincing the victims would get nothing.

    • Or make sideloading available only after 24 hours since enabling it. I would enable it on my new devices and wait 24 hours before installing F-Droid and other apps. Not a problem. Scammers might wait one day too but it decreases the chances of success because friends and family members can interfere.

      But I'm afraid that this is security theater and the true goal is to protect revenues by making it hard or impossible to install apps that impact Alphabet's bottom line (e.g. third-party YouTube clients).

    • And now if I want to send a .apk to someone, they have to wipe their entire phone to install it? No thanks.

    • That's... brilliant. Enough work to not be able to talk it through over the phone to someone not technical. A sane default for people who don't know about security. And a simple enough procedure for the technically minded and brave.

      It solves the 'smartest bear / dumbest human' overlap design concern in this situation.

  • Think about it the way you think about reading the fine print on agreements you sign. These can also have bad consequences.

    But I guess not reading the TOS is another wide problem, also fueled by companies like Google.