Conversation

"Sideloading" is the rentseeker word for "being able to run software of your choosing on a computing device you purchased". There is no reasonable case for an operating system developer having a say over what programs you run on your hardware.

@Gargron Imagine buying something from a local store instead of amazon was called "sideshopping" and there's a massive campaign to delegitimize buying items from stores not approved by amazon. Completely absurd. Why accept that exact ideology when it comes to installing software on your phone?

@Gargron the review process at Google can be a PITA, but for a good reason. Permissions to access more than an app really needs can be exploited for harvesting private information on a seamless update that most won't even notice. Side loaded apps downloaded from say APK mirror can have been tampered with using smali edits and you won't know. What Google should do is certified dev signing keys to trace and confirm if an APK is legit or not and coming from the actual dev, regardless of being side loaded.

@denzilferreira @Gargron

Except that, it doesn't prevent malware. Note that this news article is from today. I went to find the most recent example of this and it turns out that I didn't even have to go back as far as yesterday.

Proper safety is done by reducing kernel attack surface, reducing the size of the TCB, and making it easy for applications to respect the principle of least privilege so that ones that don't stand out as things that obviously request more permissions than they should have.

@Gargron
I like the term “rent seeker”.

Like Jaywalker is the rent seeker for car companies.

@Gargron
Especially as this newest move of Google is redundant: Play Protect is already built in all Google Play services using phones.

It already flags and removes suspicious apps and known malware from all sources.

So how exactly is locking down the signing keys for apps that are allowed to run at all and connecting them with government ID for developers helping security?

This is purely an anticompetitive measure.
