top | item 45911423

(no title)

ramshanker | 3 months ago

Ancedotal: I used to believe in this "freedom to install". Than my Father got scammed (~$1000) in the name of Electricity recharge. The APK was sent over WhatsApp. Now I am not so sure how to implement this freedom. At the bare minimum there has to be big red warnings.

One thing which can immediately improve security is forbidding SMS read access forever. Just like Apple does. No App should be able to read SMS.

discuss

atoav|3 months ago

So your father: 1. Downloaded a weird file from a stranger

2. Went to the settings and about pyone sceeen

3. Tapped the thing 5 times to activate developer mode

4. Activated installing from third party sources despite the warning there

5. Installed the APK

May I suggest the problem is not that this is possible, but a lack of education? If your father is the type that would jump into the bathtub with a toaster because someone on whatsapp told them to do so, I am afraid it is not the existence of toasters that is the issue.

peterdn|3 months ago

Yes, education around these scams and their methods could be better, but there is also a reason they target the elderly and vulnerable. Unless something else terrible happens, I assume I will count in one or both of those groups eventually. I feel like when I get there, I would appreciate empathy rather than disdain, if I were ever taken advantage of.

Regardless, you do not actually need to enable developer settings to install APKs from unknown sources (at least, not on my Samsung). When you open an APK from within another app (e.g. Google Drive or WhatsApp), Android "helpfully" forwards you straight to the relevant security settings page, allowing you to immediately toggle the "Install unknown apps" permission for that specific app. It's a streamlined flow, only a couple of taps, no scrolling/searching/reading, therefore likely easy to coach a victim into performing.

So, I expect what the Android team is alluding to in the original post is to enable additional friction like you describe.

yoavm|3 months ago

One does not need to enable developer mode to install a 3rd party APK.

computerdork|3 months ago

eh, think this is a bit much to ask. Are we going to educate a majority of the baby boomers who just never got a feel for how technology works? Yeah, my Dad also just got scammed by a phishing scheme on his PC (and if a scammer had walked him through how to install an apk on his phone, he'd probably do that too).

In my humble opinion, in the design of a UI or any type of system, kind of have to go where the users take you to some degree. And Android, being an OS for consumer devices, should be geared toward the masses and the mistakes they'll make.

jonathanstrange|3 months ago

I wrote a longer post about that elsewhere but there is morally no good justification to restrict everyone else's devices just because a small minority falls for scams. This is a very principal issue in a free society and in most societies we allow all kinds of individual risk taking because we believe that adults should make their own choices even if that means that some people sometimes make mistakes.

On a side note, it is technically very feasible to help antivirus and security software makers to lock down phones for people who would benefit from it. For example, you could have a strict whitelisting approach for vulnerable users (e.g. elderly, bitcoin entrepreneurs, annoying kids, Google engineers) who prefer it that way, making installation of arbitrary software impossible. Giving up choices voluntarily is fine, taking away choices by force is not fine.

Biganon|3 months ago

> The APK was sent over WhatsApp.

Why did your father enable installing APK packages from third party sources? That's a setting buried deep inside the developer settings, which themselves have to be activated with a very arcane manipulation

floppyd|3 months ago

I believe this only works this way on some android forks, iirc you are talking about Samsung. Stock android would show a warning "do you want to install apk from this app?" and lead you to a settings page that enables apk installs from this particular app. No need to separately enable the ability to install apks in general.

I always thought this is a very weird flow, it adds hoops yet accomplishes nothing because the hoops are all trivial and the same for every app.

bpye|3 months ago

> No App should be able to read SMS.

I disagree - one feature in KDE Connect that is super useful is being able to forward your notifications, including your text messages. This would also harm non Android smartwatches, such as the recently revived Pebble.

a2128|3 months ago

There seems to be a whole market of Google Play developer accounts and apps for sale, developers like myself regularly get emailed by scammy companies offering to buy the account or to publish an app, and malware is regularly found on Google Play[0]. There's no reason to believe that bad actors would be stopped by install restrictions if their scam is effective enough to overcome the financial hurdles

[0] https://www.bleepingcomputer.com/news/security/malicious-and...

b112|3 months ago

The built in Android SMS app seems to be horrible in every incarnation I've seen. The one that comes with the Pixel, the one Samsung has. Some may like it, but I can't stand them. I tend to install my own SMS app in each case, and I don't use computers to be locked into something I don't prefer.

It's my tool. Mine. I'll do with it as I please.

I agree there are issues. But preventing installs aren't the answer, just like removing all windows and doors from a house isn't the answer to neighbourhood crime.

I'd be more inclined to say the problem is allowing apps to be funded by advertising. If all apps were paid apps, and using personal data in any way was immensely, "thrown in jail" illegal, then you'd find yourself approving access to contacts, SMS, Pii quite rarely.

It would really stand out in such a case.

"What?! I've been using my phone for 10 years, and some app wants to see my contacts. Why?? No one reputable asks for that, ever!"

So much of the problem with the internet is that Pii is paying the way.

On GrapheneOS, when I install anything, it flat out asks me if I want to give it internet access at all. SMS could be the same way. Off by default, try to grant it, big warnings.

At a certain point, if you have big warnings saying "Are you serious?!" and people turn it on, it entirely ends up being the end user's fault.

eviks|3 months ago

- warning - SMS read access

So you do know - inform users, increase privacy,...?

basilikum|3 months ago

Genuinely curious: would you mind telling more about how your father got scammed and how the adversary managed to get your father to install an app from WhatsApp?

mcherm|3 months ago

I receive all my SMS messages through a separate app, because my SMS provider is not my TelCo. Please propose solutions that will not harm people like me.

tcfhgj|3 months ago

For real? No, thanks I'd like to keep my SMS app

callc|3 months ago

Freedom and protecting tech illiterate people are not mutually exclusive.

Our right to choose install software on our own devices should not be encroached because over-trusting elderly follower scammers instructions.

We can protect people like your dad with an opt-in system like parental controls. Have a responsible family member lock the system down however you deem fit.

gumby271|3 months ago

Sounds like an iPhone is the better option for your dad.