← Back to context

Comment by hbn

4 days ago

> ADB installs are not impacted by the waiting period, so that is an option if you need to install certain unregistered applications immediately.

Someone is just going to make a nice GUI application for sideloading apks with a single drag-and-drop, so if your idea is that ADB is a way to ensure only "users who know what they're doing" are gonna sideload, you've done nothing. This is all security theatre.

13 comments

hbn

Reply
tbodt  4 days ago

> “For a lot of people in the world, their phone is their only computer, and it stores some of their most private information,” Samat said.

Not applying the policy to adb installs makes a lot more sense if the people this is trying to protect don't have a computer

  • RulerOf  4 days ago

    I've seen a few apps that run locally on Android and hook into the ADB connection over loopback networking to do certain things.

    This just adds the step of "download Cool ABD Installer from the play store" to the set of directions I would think.

    • NotPractical  4 days ago

      Google could easily put an end to that if they wanted. Just block adb access from the loopback address and VPN. I'm surprised this isn't already in place. The setup flow for those apps you're referring to is awkward enough that it's clear it was never intentional to be able to access adb on-device.

  • eclipxe  4 days ago

    You can run adb install locally without a computer

    • grishka  4 days ago

      If you mean things like Shizuku or local adb connection through Termux, it's quite an awkward process to set up even for someone like me who's been building Android apps since 2011. Like, you can do if you really really need it, but most people won't bother. You have to do it again after every reboot, too.

      2 replies →

Retr0id  4 days ago

The scammers don't even need to make a GUI, they just need to get you to enable adb-over-tcp and bridge that to their network somehow - an ssh client app would do the trick.

  • ForHackernews  4 days ago

    How many people do you suspect are gullible enough to fall for these scammers but also competent enough to install an SSH client and enable port-forwarding for an ADB proxy? Like fifteen people worldwide?

    • plst  4 days ago

      How many people are gullible enough right now to plug a phone to a laptop over USB and execute an exe on an operating system with no sandboxing at all? ADB even seems to work over webusb. (at that point you may as well give up on hacking the phone, but I digress). That's exactly why I believe the problem is more complicated and why Google's solution is not really fixing anything, not for the users.

      1 reply →