undefined | Better HN

0 pointsbko4y ago0 comments

I don't know, I just tried downloading an APK directly (telegram). Android warns me file might be harmful.

Do you suggest they shouldn't warn someone when they download an APK? It's also browser specific and I imagine all major browser give the same kind of warning because , you know, downloading an APK directly from a website might be harmful.

0 comments

oauea4y ago

Why isn't the same warning shown when installing from the play store? Apps installed from the play store can have the exact same permissions as side loaded apps. You can claim that Google vets the apps, but this is pretty much false. Just go make an app and experience the process for yourself, it's laughable. Any checks they perform are automated, and there's no reason those couldn't just run on-device.

And besides, even for side loaded apps they have a database of "bad" apps that get deleted by Google called "play protect"

cma4y ago

So you've gone through all the weird flows to accept and enable installing. Now how do you get security updates? Google scares them again every time, even though android apps can already execute arbitrary downloaded unsigned code at runtime (otherwise V8 and other JITs that generate machine code can't work), so it isn't really protecting much and mainly makes things more insecure by not letting you add your own trusted providers permanently for timely updates.

ece4y ago

Self updates can be a thing now in Android 12 I believe[1]. The initial install and updates should be easier though, and not just on 12.

[1] https://developer.android.com/reference/android/Manifest.per...

ece4y ago

Something like enabling instant apps and play protect scanning for any apk on the web could mean a nicer and safer experience for users. I think people would still use the app stores for their discovery/convenience but safer web installs could be an option for both users and developers.

This model exists on desktops and laptops, where there is signing or browser scanning, just not on mobile.

IshKebab4y ago

To be fair, installing an app from the store might be harmful too.

hamburglar4y ago

Yes. Require them to give the same dire warnings about apps from their own store, or remove them both.

drusepth4y ago

The difference is that the store includes any amount of heuristic tests meant to scan for malicious activity, and directly installing an APK has no such safety net.

You can argue that the testing Google does is bad or minimal, but it seems like the ideal solution would then be "improve the testing". I'd also prefer to see such tests moved on-device so they could apply to APKs from any source, but I don't know how technically feasible that'd be; depends on how they're doing the testing, I guess.

heleninboodler4y ago

This puts google in the position of being the arbiter of what testing is "good enough" when they're also one of the supposed competitors. If there's no mechanism by which the other app stores meet the "good enough" bar for testing that would eliminate the dire warnings, then they shouldn't be penalized for not being google.

1 more reply

realusername4y ago

> You can argue that the testing Google does is bad or minimal, but it seems like the ideal solution would then be "improve the testing"

Yes why would we believe Google on the APK scanning? There's zero transparency on this subject, zero code shared and the store is visibly full of scams anyways.

IshKebab4y ago

There's absolutely no reason you couldn't provide that automated testing for non-store APKs too.

Edit: Sorry, didn't read to the end of your comment. Yeah doing it on-device would be good but I'd guess there's some stuff they want to keep secret.

j / k navigate · click thread line to collapse

0 comments

oauea4y ago

And besides, even for side loaded apps they have a database of "bad" apps that get deleted by Google called "play protect"

cma4y ago

ece4y ago

Self updates can be a thing now in Android 12 I believe[1]. The initial install and updates should be easier though, and not just on 12.

[1] https://developer.android.com/reference/android/Manifest.per...

ece4y ago

This model exists on desktops and laptops, where there is signing or browser scanning, just not on mobile.

IshKebab4y ago

To be fair, installing an app from the store might be harmful too.

hamburglar4y ago

Yes. Require them to give the same dire warnings about apps from their own store, or remove them both.

drusepth4y ago

The difference is that the store includes any amount of heuristic tests meant to scan for malicious activity, and directly installing an APK has no such safety net.

heleninboodler4y ago

1 more reply

realusername4y ago

> You can argue that the testing Google does is bad or minimal, but it seems like the ideal solution would then be "improve the testing"

Yes why would we believe Google on the APK scanning? There's zero transparency on this subject, zero code shared and the store is visibly full of scams anyways.

IshKebab4y ago

There's absolutely no reason you couldn't provide that automated testing for non-store APKs too.

Edit: Sorry, didn't read to the end of your comment. Yeah doing it on-device would be good but I'd guess there's some stuff they want to keep secret.

j / k navigate · click thread line to collapse