undefined | Better HN

0 pointsxnx7d ago0 comments

> some apps (e.g., banking apps) will refuse to operate and such when developer mode is on

JFC. Why would an app be allowed to know this? Just another datapoint for fingerprinting.

0 comments

Yes, it is really dumb that some of these settings are exposed to all apps with no permission gating [0]. But it will likely always be possible to fingerprint based on enabled developer options because there are preferences which can only be enabled via the developer options UI and (arguably) need to be visible to apps.

0: https://developer.android.com/reference/android/provider/Set...

zzo38computer7d ago

What might help better is having permissions that you can set separate settings that can be read for different apps (including the possibility to return errors instead of the actual values), even if they can be read by default you can also change them per apps. (This has other benefits as well, including possibility of some settings not working properly due to a bug, you can then work around it.)

nijave7d ago

It's always boggled my mind what native apps are allowed to know versus the same thing running in a browser on the same device.

ninininino7d ago

Because estimates suggest Americans lose about $119 billion annually to financial scams, which is a not insignificant fraction of our entire military budget, or more than 5% of annual social security expenditures.

tadfisher7d ago

Banks do these things to check security boxes, not to prevent scams.

In this case, they don't want users to reverse-engineer their app or look at logs that might inadvertently leak information about how to reverse-engineer their app. It is pointless, I know, but some security consultant has created a checkbox which must be checked at all costs.

Zak7d ago

What do scams have to do with having developer options enabled?

This isn't a rhetorical question. There's no big red warning on the developer options screen saying it's dangerous. I haven't heard about real-world attacks leveraging developer settings. I suppose granting USB debug to an infected PC is dangerous, but if you're in that situation, you're already pwned.

Is there a real vulnerability nobody talks about?

ninininino7d ago

Android is attempting to discourage good / regular users from sideloading apps, rooting their phone, etc.

Android wants good / regular users to pass things like Play Integrity with the strongest verdicts.

This helps app distributors to separate regular good users from custom clients, API scripting etc that is often used to coordinate scamming, create bots, etc. If an app developer can just toss anyone who doesn't pass Play Integrity checks in the trash, they can increase friction for malicious developers.

1 more reply

prmoustache7d ago

That is unrelated to apps installed outside of the playstore (which by the way is full of malware).

It is like mandating that people use rainjackets in the rain to avoid getting cancer.

nijave7d ago

So put a disclaimer in... Same way tons of other stuff works...

warkdarrior7d ago

Nobody reads disclaimers, and people who get scammed and lose their life savings won't be made whole by being told "you accepted the disclaimer, nothing we can do."

1 more reply

j / k navigate · click thread line to collapse

0 comments

tadfisher7d ago

0: https://developer.android.com/reference/android/provider/Set...

zzo38computer7d ago

nijave7d ago

It's always boggled my mind what native apps are allowed to know versus the same thing running in a browser on the same device.

ninininino7d ago

tadfisher7d ago

Banks do these things to check security boxes, not to prevent scams.

Zak7d ago

What do scams have to do with having developer options enabled?

Is there a real vulnerability nobody talks about?

ninininino7d ago

Android is attempting to discourage good / regular users from sideloading apps, rooting their phone, etc.

Android wants good / regular users to pass things like Play Integrity with the strongest verdicts.

1 more reply

prmoustache7d ago

That is unrelated to apps installed outside of the playstore (which by the way is full of malware).

It is like mandating that people use rainjackets in the rain to avoid getting cancer.

nijave7d ago

So put a disclaimer in... Same way tons of other stuff works...

warkdarrior7d ago

Nobody reads disclaimers, and people who get scammed and lose their life savings won't be made whole by being told "you accepted the disclaimer, nothing we can do."

1 more reply

j / k navigate · click thread line to collapse