Comment by danpalmer
4 days ago
I'm genuinely interested in proposals for other ways to differentiate knowledgeable users enabling side loading for reasons like OSS, vs naive users enabling it at the instruction of scammers to install malware.
The one time per device (not per app/install) is annoying, but seems like a reasonable tradeoff between preventing bad installs and allowing legit installs. I can't think of any obviously better ways.
I realise some disagree with the entire premise. I think refusing to accept the reason given doesn't advance the discussion though and I am very interested in what a better experience that is trying to solve the same problems could look like.
If you can get someone to do all these steps, you can get someone to wait 24 hours as well.
We use Android based devices internally with apps which aren't signed. I've had way too much trouble with Google flagging an internal app as problematic and then getting no where with Google "support" when we still used Google play.
The 24 hour wait is especially problematic because we often simply factory reset a device and preload it of there is any form of trouble.
This is just a power grab to lock down the ecosystem more. And ironically this seems to because of the Epic lawsuit. Google is now aligning with the absolute minimum they saw Apple needed to implement.
This was never about safety. It was all about control. Desktop OSes have always allow installing any softwares and the world is still spinning. Not even macos overreach this hard.
There's no solutions because they specifically crafted the problem to not be solvable. No amount of compromises will stop them from advancing further.
I think Google is trying to solve the problem at the wrong level - people do not really understand their computing devices enough to understand the risks, they never had to learn or were taught how to use such devices, they were only told it's easy and to not ask questions. The interfaces are designed in a way that allows them to get by with almost no understanding of anything. Which is why such solutions may also be bypassed by a determined attacker. Such scams only really expose this fact. So there is no good way to differentiate between the two groups.
My solution is educating about smartphones and computers first. Not in an in-depth way, but people need to understand what "application", "verified" means and what are the risks. I think android cleaned up the abstraction enough to make this possible.
Being able to tell if an app came from a trusted company or not is a good thing, but I would rather such a solution be managed in an OS-independent way, not controlled by Google. Applications not authenticated by a company should not be second-tier citizens, but there should be a clear warning (and the users should already know the difference before even seeing this warning).
I think the scams and phishing also expose another important problem that nobody tried to tackle yet - you can't authenticate calls, sms messages or emails. There is no good way of telling if it's actually your bank calling you, or if it's just a scammer.
In the end, we also need to accept that not all scams can be prevented, at some point if someone is calling as a friend of your family member, and is asking to urgently transfer money to an unknown account, and you fall for this... I really can't think of a technological measure that would've helped, it's only you and your common sense.
> My solution is educating about smartphones and computers first.
98% of people literally do not care and/or are too dumb to understand. You could force them at gunpoint to sit in the education class, and give them a simple basic quiz afterwards, and they'd get half the answers wrong. They will continue to not even read what's on their screen, and just click the big highlighted button every time they see one.
Yet somehow they are not too dumb to get a driving license or operate a gas stove. I would argue that operating a car is much more complicated than operating a smartphone.
At some point, if you are unwilling to learn basic facts about your environment, and you don't have a guardian, then you will get hurt. I don't necessarily mean by a computer. I think that's fine and I don't think a patronizing solution by a corporation that clearly wants more control over society is a necessary help.