top | item 30510423

(no title)

Sounds like a you problem: https://developer.android.com/reference/com/google/android/t... https://developer.android.com/reference/android/os/UserManag...

You're welcome to search for mentions of sources and app stores, and to browse the references.

Again, the paper is not in contradiction, you misread it. Not to mention, as explained in the original comment you were responding to, F-Droid weakens the security model for various other reasons.

discuss

lolinder|4 years ago

The links you provide say nothing except something I already knew: there is a setting that tells Android to allow installing apps from unknown sources. Which proves... nothing at all.

It's obvious you're convinced you're right, but since you're unable to produce evidence it seems we are at an impasse. I'm done here.

Wonderfall|4 years ago

Once again, these management features don't expect an app to bypass the trust boundaries by allowing the user to arbitrarily add repositories. There is a to-be-exposed toggle that allows user profiles to install apps from trusted sources. It wouldn't work with the way F-Droid works. I can't explain more than that.

You have been provided with evidences, but you've been arguing in bad faith since your first comment by misinterpreting the paper. The security model also expects you to download apps from trusted sources because the signature verification is only enforced for app updates, that's a trust-on-first-use model. That notion exists within Android, and you have been given examples.

> In order to ensure that it is the app developer and not another party that is consenting, applications are signed by the developer.

Back to the original question; it is clearly explained why.