Android developer verification: Balancing openness and choice with safety
51 points by sknebel
If Android's sandbox and permission systems actually worked, then the mere act of installing an app from an arbitrary source would be as harmless as visiting an arbitrary website. I think that requiring this process, with the 1-day cooldown and all, to grant certain permissions to any app, could be justified, but not making it difficult to install apps from arbitrary sources.
It depends on what you mean by “work”
You have to understand that some non-trivial percent of people have never and will never read a permissions prompt before tapping “give it all away”.
The only reason you don’t need this system on the web is that there is no prompt.
That was their point. Maybe this kind of scare and cooldown is needed for certain permissions. It should then happen at that level, even for verified devs, not at the "install app with no permissions" level
There are permission prompts on the web though! To access my location, to send notifications, to use the camera or microphone etc.
As already mentioned there are permission prompts on the web. "Permissionable" things are not the issue at all! You can't have a manageable permission "to fool the user into typing their secrets into a fake box".
I think that requiring this process, with the 1-day cooldown and all, to grant certain permissions to any app, could be justified, but not making it difficult to install apps from arbitrary sources.
Even if you didn't allow any permissions during this 1-day cooldown period, if you can get the user to install the malicious app you already won. The scammer can say something like "oh, we need to set up your account here, this will take one day, please open the app tomorrow". And then send an SMS or WhatsApp message to the person reminding them to open the app so they can get rich with Bitcoin or whatever.
I am sure the proposed system is not perfect either, but in the end that is all about the trade-offs.
Why does Google think that it is on them to make this trade-off? Do you think they care about scammers at all? (please go watch a dozen ads on YouTube and count how many are for obvious scams before answering)
Why does Google think that it is on them to make this trade-off?
Because governments are putting pressure on them to do something. Big Tech wouldn't do anything that means more work and less money for them unless there is a significant push from governments.
And IMO, that is fine, if this helps reduce the chance that my mom is targeted by a scammer, I am happy to wait 1 day to install my apps.
This feels like malicious compliance.
"Yes, we're keeping sideloading, but we'll make it so inconvenient that many users will likely not bother because of the perceived chore of the process."
Who does this help, really? Truly gullible people won't listen. Power users are also hampered pointlessly. At most this is to cover themselves legally, but I don't think that has been an issue so far. The existence of a temporary / permanent picker is also worrisome, because it could imply that in the future they'll say "Oh, we saw that most users just picked the temporary option, so for safety's sake, we're removing the permanent option."
Just let people do their thing with the hardware they own...
I think the 24 hour cooldown is plausibly going to be quite effective at shutting down many scams. A lot of scams rely on high-adrenaline human psychology. We'll see how well it works though.
Just let people do their thing with the hardware they own...
I think some degree of paternalism is quite important here, sorry. (This is true of life in general, which is full of mass psychological hacks without a good way to deploy the equivalent of security patches.)
I think some degree of paternalism is quite important here, sorry.
Some time in the future, we will look back to this era and ask ourselves what went wrong.
Why wait? ;)
Because the deleterious effects of today's prevalent mindset are not yet in full force. When I'm warning people about concerning developments and get tired of arguing, I just wait. If I am right indeed, the passage of time will do all the work for me.
I think scammers will just go "Your phone takes a day to prepare, we will call you tomorrow!"
Yes, but that’s 24 hours for people to think and maybe even have an idle chat with a friend/family member that goes “No! Don’t!”. A lot of scams rely on keeping people's brains busy in a conversation.
Just to be clear: I’m not a friend of the thing they propose, but the 24h cooldown is the smallest of my issues and maybe even the most effective.
Google has no right to be my parent. They can offer paternalism all they want, but as long as I can't reject, I don't believe for a second that this is done with the well-being of scam victims as the main priority.
Give me at least a toggle on first boot: do you want this mandatory "sleep on it first" feature or not?
If Google truly cared, they'd ship alternate fake profiles baked into the system. Enter a fake code, get a convincing fake profile with nothing of value for the scammer to take. Alas, that also has value against e.g. state actors, so of course Google doesn't care.
I don't think a rights framework is helpful to understand or address vulnerabilities caused by human psychology.
I'm very sympathetic to the scam problem, having seen a metric ton of financial scams being pulled off in India targeting people's phones, specifically via the Unified Payments Interface system that a large percentage of the country now relies on.
It sucks that the solution makes things harder for the relatively smaller subset of power users but everything I read in this post makes me confident Google is engaging with the feedback around this constructively. The 24 hour cooldown will definitely be annoying but as a one off thing it's quite fine.
It's frustrating to me that "using an app not registered with Google" would make you a "power user" though... I don't like normalizing the idea that one company should be the arbiter of who can and can't verify apps for people's phones. I generally find apps from F-Droid more trustworthy than those I find in the Play Store, and this scheme treats the former as dangerous and the latter as perfectly safe.
It would be one thing if Google had designed this system such that e.g. an independent nonprofit could provide a similar registration service, and phone makers or distributions could configure their phones to trust that as well. But no, Google's making themselves the only authority here.
I mean, that's the real problem, right? Play store is full of scam apps, F-Droid isn't, but Play Store is considered secure. Play Integrity API considers a vendor Android that hasn't been patched for 3 years secure, but not a fully up-to-date GrapheneOS. It's all theatre.
There is a tiny community of weirdos who want to use anything besides the Play Store. The best term for this community is 'power users'. The average user outside of this bubble doesn't know their phone has the same kind of file system as their desktop. It is often disappointing that the world is the way that it is, but it doesn't stop it from being so.
Alternative app stores don't have much malware because there's not many alternative app store users you can rook with it, not because they make it functionally harder. However, there are a large number of malicious actors whose scam has an important step of 'download and install this apk, which Google would otherwise flag'.
Considering Play store is absolutely full of all kinds of privacy invasive filth and such, I don't think this even does really fix anything.
The 24 hour cooldown will definitely be annoying but as a one off thing it's quite fine.
This isn't even the primary issue in this process. As soon as one enables "developer options", most banking apps and payment apps will stop working which makes this an infeasible option for anyone who has a single Android phone which is also used for financial purposes. I've enabled developer options on my Android to reduce the animation duration to 0.5x which apparently makes my Android not suitable to make transactions and receive money.
I feel that there shouldn't be any methods to detect whether "developer options" are enabled on an Android phone just to point a big middle finger to the security industry that advises organizations like banks and RBI but that's probably not gonna happen.
That's a great point.
GrapheneOS presumably won't be implementing this anyway, but they should consider adding a toggle that stubs out Android's implementation with a return false, as this API is nothing but an anti-feature.
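As an added illustration of the check the two comments above are talking about (this is example code written for this page, not code from any banking app, from Google, or from GrapheneOS): an app can read the developer-options and USB-debugging toggles through the public `android.provider.Settings.Global` keys. The `RiskPolicy` enum and the `describe` method are hypothetical, standing in for whatever policy a given app applies; the two settings keys are real Android constants.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.provider.Settings;

/**
 * Reads the two global settings that "developer mode detected" checks
 * commonly inspect. Both keys are public constants in android.provider.Settings.Global
 * (DEVELOPMENT_SETTINGS_ENABLED since API 17, ADB_ENABLED since API 17).
 * Added example for this page; not taken from any real app.
 */
public final class DeveloperOptionsCheck {

    /** Hypothetical policy outcome; real apps decide this however they like. */
    public enum RiskPolicy { ALLOW, WARN, BLOCK }

    private DeveloperOptionsCheck() {}

    /** True when Settings > System > Developer options is switched on right now. */
    public static boolean isDeveloperOptionsEnabled(Context context) {
        ContentResolver cr = context.getContentResolver();
        // Default 0 if the key is absent, which a stubbed-out or very old OS may report.
        return Settings.Global.getInt(cr, Settings.Global.DEVELOPMENT_SETTINGS_ENABLED, 0) != 0;
    }

    /** True when USB debugging (adb) is currently enabled. */
    public static boolean isAdbEnabled(Context context) {
        ContentResolver cr = context.getContentResolver();
        return Settings.Global.getInt(cr, Settings.Global.ADB_ENABLED, 0) != 0;
    }

    /**
     * Hypothetical policy: block if adb is live, warn if only the developer
     * menu is unlocked, allow otherwise. The values are read at call time, so
     * an app that checks once at startup sees the state at that instant only.
     */
    public static RiskPolicy describe(Context context) {
        if (isAdbEnabled(context)) {
            return RiskPolicy.BLOCK;
        }
        if (isDeveloperOptionsEnabled(context)) {
            return RiskPolicy.WARN;
        }
        return RiskPolicy.ALLOW;
    }
}
```

Two practical points follow from the code. First, both reads go through the system settings provider, so they report whatever the OS chooses to return; an OS build that answers 0 for these keys, as the comment above proposes, would pass this check unchanged. Second, the check is point-in-time: if the install flow only requires developer options to be enabled briefly and then switched off, as a later comment in this thread reports, an app that queries the flag at launch will see it off afterwards.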
By the way, just to add another data point, I've had developer options enabled for years and I can't remember any apps refusing to work because of it, but it's not the first time I've heard of this happening from someone else.
According to a "community engagement manager @ Android" on HN (https://news.ycombinator.com/item?id=47444261) developer mode must be used to enable sideloading, but once it's enabled you can turn it back off.
I think the real problem is that modern life practically forces you to put all your eggs into a phone that is controlled by one of two profit-seeking companies.
I had some faith in the DMA; in Spain, living without WhatsApp is a pain. So Mark Zuckerberg in particular has killed off two of my favorite phones. Unfortunately, at least in the case of WhatsApp, I'm still waiting for the DMA to be effective. And then I don't expect that using a non-Android/iOS phone will immediately be a good idea for me, let alone any visible chunk of the general population.
As for this, the question I ask myself is what else you can do to protect people from being scammed by malicious phone calls/SMS? I can't think of much better ideas than what's posed by Google.
To the common argument that F-Droid contains much less malware than the Play Store, that is certainly true. But if Google were to "bless" F-Droid to be able to install apps with fewer restrictions than the Play Store, the incentives would make F-Droid suddenly the juiciest target for malicious actors. And I would really like the solution to be "give F-Droid enough resources to defend", but a pessimist does not expect that will happen.
At some point my intense dislike for paternalism and sympathy for the scammed clash. I don't believe a technological solution (that is, the one completely solving the problem, as opposed to "patching" some of it) could even exist.
Amazing... Will I still be able to install from arbitrary sources after I disable developer mode? Or is this setting tied to developer mode being enabled? (Okay, someone linked a reply from the "community engagement manager" claiming it won't need to be kept enabled. Regardless, my concerns still stand.)
This doesn't affect me, because I refuse to run malware on my phone, but my fiancée wants to be able to access her bank app, and this app doesn't like it when developer mode is enabled. So she would need to choose between being able to install e.g. some random convenience apps I made for her, or access her bank account.
So if this is tied to developer mode, then malware from banks and other companies will now hold you hostage.
I mean, that malware is already often holding you hostage for installing from arbitrary sources, although that seems slightly less common than locking out developer mode.
I bet regardless of whether this is tied to developer mode or not, there will also be a new global option anyone can grab called: "Settings.Global.SOMEWHAT_OWNING_THE_HARDWARE_YOU_PURCHASED_ENABLED" which these malware apps will insist on checking and complaining about.
What else will it be? Will there be some amber mark on the hardware attestations?
Kindly: Go fuck yourselves Google. I hope telling big companies to go fuck themselves is okay on this website.
I’m not sure how the rest of the “precautions” are necessary with a one-day cooldown. Seems like waiting 24-hours would be even more effective than a reboot if you’re just trying to prevent scams.
I think this is just barely on the "reasonable" side of the reasonable-vs-unreasonable line, so I hope it's not a slippery slope and they aren't just going to make this worse later.
This does nothing to stop "Verizon App Installer" from loading malware onto my grandparent's phone every week.
For a power user - Can't you use USB debugging to use adb to push it?
This seems ok for parents and grandparents