Hacker News | jjgreen's comments

In line 423 of the optimised code there's a typo: "sort2(e,i)" should be "sort2(i,e)"

That should give the same result.

That's a bit rich given the abuse that Rust evangelists dish out to every other language in the world.

/\AFull-?stack Engineer\Z/i ?

Have a website?


See the "about" section in my HN profile.


Infidel!

Everyone's using Subversion now ...


From TFA:

    Delve into System Settings, find Developer Options
    Tap the build number seven times to enable Developer Mode
    Dismiss scare screens about coercion
    Enter your PIN
    Restart the device
    Wait 24 hours
    Come back, dismiss more scare screens
    Pick "allow temporarily" (7 days) or "allow indefinitely"
    Confirm, again, that you understand "the risks"

    Nine steps. A mandatory 24-hour cooling-off period. For installing 
    software on a device you own.


You left out the crucial bit:

    Worse: this flow runs entirely through Google Play Services, not the Android OS. Google can change it, tighten it, or kill it at any time, with no OS update required and no consent needed.
    And as of today, it hasn't shipped in any beta, preview, or canary build.
    It exists only as a blog post and some mockups.


That seems better, not worse, that they don't implement this on OS level, so no-gapps users are not affected at all


Sounds a bit like trying to transfer my own money to myself at the bank. I.e. it seems designed to prevent old people getting scammed.


That's exactly what this is: Google is trying to prevent tech illiterate users from installing malware.

(Or at least, that's their take on this. You can choose to read between the lines, or not, as to whether they have other motivations also.)


Of course they have other motivations

But for 1 person wanting to run their own software there are hundreds of people with the potential to install malware/crapware/etc


Had to read that sentence twice. You really think that there's more people getting scammed via "please tap the build number seven times and then go to extra settings and enable untrusted installs and then go to this website that I will dictate the URL of and you should ignore that install warning" etc etc etc. to install an apk to run software that can barely access more than a simple webpage could, than there are people (like HN'ers) who install apk files from github and f-droid?!

(Also note that "crapware" describes basically every app you find in google's store. I try on occasion, when nobody made an open source this-or-that, and it's such a minefield. If that's the thing you're trying to avoid, I don't know how you could possibly feel positive about a requirement to only use the Play Store for the tech-illiterate)


> more people getting scammed via "please tap the build number seven times and then go to extra settings and enable untrusted installs and then go to this website that I will dictate the URL of and you should ignore that install warning" etc etc etc.

I don't really understand. You seem to be against the 'annoyance' of the protections, but that annoyance is precisely why the scammed count is lower, no?

I certainly believe _more generally_ that the market for scam victims is much bigger than the market for sideloaders, for example.


What I'm against is the mandatory registration to get a key signed by a party we don't elect, who controls all (soft-mandatory^1) devices that aren't controlled by the other party we didn't elect, and both are controlled by a government that we have no say in and is acting increasingly hostile towards everyone but fellow belligerents (Israel, Russia.. seeing a pattern here).

Your "it's just a bit annoying" argument seems irrelevant compared to that, even if it would reduce scams, which I have seen no evidence for or against. Did you find or come across any evidence for it?

^1 https://news.ycombinator.com/item?id=47940687

> the market for scam victims is much bigger than the market for sideloaders

That makes no sense. Of course the market for "scam victims" is current-earth-population.com minus one (the person doing the scamming); this is a universal constant you're comparing against

If you mean the number of people who would potentially get scammed by being told to do a dozen steps to install some app which can barely do more to aid the scam than a webpage could, then I'm interested in how you end up with those figures!

Given that maybe every 20th person is decently tech-literate and that I have yet to come across a scam where installing software on your phone is a component of it (including via google's; just any kind of mobile software installation), the way I figure the "market sizes" are about 400 million to somewhere around nil


> You really think that there's more people getting scammed via "please tap the build number seven times

Yes, because this whole procedure is new

> Also note that "crapware" describes basically every app you find in google's store

Go back to emacs then I guess


Installing apks has required going into settings for years now. 'Scary' steps aren't new

> Go back to emacs then I guess

way to have a conversation


Define malware.


The scams this directly targets are well known and common. Someone gets a phishing message, they have someone install some sort of malware on the device, then their bank accounts are drained into some offshore account never to be seen again.

That's why there's a requirement for restarting the phone and waiting 24 hours.

The restart ends the connection for any remote-access software or phone call that might be driving the operation -- and the 24 hour wait period breaks the "urgency" part of the scam that prevents other people who know better from stopping the victim from continuing.


Malware is whatever Google says it is.


Yes! That is because banking malware is specifically what is being targeted here: https://android-developers.googleblog.com/2026/03/android-de...


To be fair, that's a one time process. You do not need to do that for every app you want to sideload.

The malware issue that the flow is designed to mitigate is a very real problem. Perhaps there is a better way, but it's not immediately clear what that is.


I see zero trouble as long as it requires no additional identification, no additional payment, and no mandatory time limit for the sideloaded apps.

That is, fine by me. I can wait for 24 hours once in a few years when I acquire a new mobile phone.


You are thinking about it from the point of view of an enthusiast/hacker who wants to put their homebrew stuff on it. But this is also tightening around developers who may want to distribute their applications to lay users.


Lay users use Play Store.

Users who use F-Droid are already not as lay. If you distribute stuff that Play Store would ban, your users are likely not as lay, too.

Yes, it's inconvenient, but I see it as a good-faith attempt to limit exposure of lay users to scams, not some power grab.


Those developers will pay $25 for identity verification and have no issues.


Unless they do something google doesn't like, or trip one of their many automated systems that ban them without recourse. Or they are compelled to revoke a key by a government.


Revocations are for apps being malware and nothing else, much like macOS Gatekeeper (Apple doesn't even revoke certs used by Warez groups to sign cracked apps).

Automated bans can be an issue, but that's an edge case. Google already had the functionality to 'revoke' an app if ordered to do so by a legal authority.

It is much more important to make a real world attack - something that is draining wallets of ordinary people across Thailand/Brazil/SEA in general - harder to achieve. One thing is a political goal of some people in the west, the other is an ordinary person not having the money to feed themselves because a scammer stole it all.


I can't trust Google will keep to that, sorry. Nor can I accept harms being twisted into a further centralised accumulation of power (especially when Google, with all their resources, could likely do much more to prevent these scams than grabbing that power for themselves)


Well, the very good news is that Google is not seeking your trust. You have no say at all. This is the new system, it benefits actual real people over HN commenters and you will just have to deal with it.

Google doesn't have the ability to change the way banking apps work with regards to transferring money from one account to another in Malaysia/Brazil/Thailand. That would be a matter for the national Governments. This is the best approach available.


I'm aware I lack power here, but you seem to be trying to convince me it's a good thing.


It is, because your objectives disregard things that are far more important. Have a nice day.


Drivers license leaks are surging.


Google's identity verification system relies on multiple factors, not solely driver's licenses or other national identity documents.


There are exactly two groups of people who sideload APKs:

* people who know what they're doing

* people who are being victimized


Why would you do all that to install an app in a device that you own? It's bollocks.


Because grandmas all over the world are getting swindled by scam apps.

Look, I can't locally install a web extension I wrote on an open-source Firefox browser, because security. I have to install a Developer Edition, or get the extension reviewed and signed by Mozilla, for the very same reasons of thwarting scammers. Is this stifling, or is it making my browser not mine? Is anybody making a big deal out of that?

The world we inhabit is not always friendly. It has a ton of determined and sophisticated bad actors, and a lot of people with less technical savvy than you and me. We have to deal with that, instead of being cantankerous.


It's not obvious to me that this will help much with scamming. Especially when it affects safer app repositories like F-droid more than the cesspit that is the official Play store.


F-Droid is not a safer app repository:

https://privsec.dev/posts/android/f-droid-security-issues/

And most Android banking malware is distributed through unsafe sideload installs (as opposed to much safer Gatekeeper-style installs, which is what is coming) and are fed to victims through complex attacks involving obtaining a victim's personal information and calling them while credibly pretending to be a local authority or a bank representative. You can read about this wherever you get news about cyber crime.

This is a scourge in South East Asia and Google can do some good here. The only cost is whining from non-technical people. Everyone else will go pay $25 or whatever and sign their app.


Play Store being a cesspit is indeed a problem! But it still is making a constant effort to drive away scammers, so scams don't last too long there. Scammers show sleek-looking web pages offering to install an "official app" from their own apk. Or they have an app that clandestinely sideloads another app. This is being curbed.

But it's limited to a one-time action, not encumbered by additional papers or payment. I don't foresee any trouble using F-Droid (which I use a lot) after I have dismissed the scary screens and confirmed that I know what I'm doing.


>It's not obvious to me that this will help much with scamming.

Because as a reader of this forum, you're probably more tech savvy than the average person. Moreover this type of scam seems to be more common in Asia than the West, see:

https://cdn.economistdatateam.com/videos/cyber-scams/fake-vi...

https://www.economist.com/interactive/asia/2026/04/10/scam-i...

They convince users to download a "government app", grant it accessibility permissions, then use that to take over their phone and drain their bank accounts.

>Especially when it affects safer app repositories like F-droid more than the cesspit that is the official Play store.

Where do you draw the line? If you whitelist f-droid, do you have to whitelist third party f-droid repos too? What about other app "stores" like Obtainium? Moreover f-droid being less of a "cesspool" is likely because its reach is smaller, not because it has better moderation.


I'm aware of the way the scams work. I'm also aware that scammers tend to be much more motivated to jump through hoops that are put in front of them (more so than legitimate users!). Scammers can also talk people through many, many warning signs.


Scammers cannot talk people past a 24 hour wait. This attack is built upon pressure and operates at a scale that makes stealing many identities, building different-enough apps to avoid getting flagged by Google and signing them all non-viable.


>Scammers cannot talk people past a 24 hour wait.

Oh yeah, I forgot they're bound to some code of rules they follow. Scammers, of all people.


You're being dumb.

Not a 'code of rules'. The scam itself relies on urgency. Breaking the spell by allowing people to talk to friends/family/their bank makes the scam not work.


Please follow the site guidelines regarding (avoiding) personal attacks.

I can think of plenty of scams that take days in the making. Even the classic "redeem" ones have people hooked in the thing for like a week ...


>Wait 24 hours

Somehow bank vaults and heroin storage boxes don’t take this long.


The 24 hour wait period is so the scammer can't use the element of urgency to keep the victim on the phone where they don't have the opportunity to speak with trusted friends/family who would stop the scam.


See also https://en.wikipedia.org/wiki/Cooling-off_period_(consumer_r.... It's an old solution to an old problem: give the potential victim a chance to think clearly while the damage can still be undone.


Part one of a series on Photoshop gradient interpolation.


The Pentagon really should look into their security, they leak emails all over the shop.


... received a course of treatment in 2009 after catching the clap on holiday in Thailand

Yeah, sorry about that

