Comment by lwkl

4 days ago

A minuscule amount of nerds being slightly annoyed is definitely worth it when it hinders scammers from ruining a person's life.

There's no way this is really about scammers. I have never heard of scammers pushing sideloaded apps upon their victims in order to carry out their scams.

Would welcome evidence to the contrary. Is this truly a threat model that's seen in the wild?

My gut says no because social engineering is about hijacking legitimate, first-party processes. Scammers attack login credentials, MFA flows, and use first-party apps to maintain access (think remote control software like TeamViewer). These apps come from the Play Store, not from meticulously curated collections like F-Droid, and not from somebody pressuring you to sideload an APK.

And if scammers decide to use sideloading as an attack vector -- then like all the other security gates that can be defeated via social engineering, I expect they will find an end-run around this one as well. Either on a technical basis, or by social-engineering users into bumbling past it and on to the next stage of the scam.

Build an idiot-proof system and society will build a better idiot. And yeah, the rest of us only wind up slightly annoyed, _for now_, until Google tightens their grip further on some other flimsy pretext.

  • > There's no way this is really about scammers. I have never heard of scammers pushing sideloaded apps upon their victims in order to carry out their scams.

    I also never got targeted by pig butchering scams[1], and neither did my immediate friends/family, so I guess those must not exist either?

    [1] https://en.wikipedia.org/wiki/Pig_butchering_scam

    • I didn't say the scams don't exist. I am of course aware of these types of scams.

      But again, I've never heard of sideloading being used as an attack vector here. Nor have I ever seen reporting on it.

      I figure Krebs or somebody would have written about this if it was an issue.

  • > I have never heard of scammers pushing sideloaded apps upon their victims in order to carry out their scams.

    Maybe not scammers, but an abusive partner could sideload an application on your phone to spy on you. I've seen that before within my relatives.

    • I doubt a one-day wait will solve this though. Abusers have persistent physical access to the device, often over a span of years :(

No, it is not. This is moving the goalposts. The original issue is developer verification. No appreciable harm prevention can or will come from forcing devs to identify themselves.

That's because most fraud uses social tactics and LEGITIMATE tools/software.

Impinging on my property rights cannot and will not protect fraud victims.