[HN Gopher] Barcode scanner app on Google Play infects 10M users...
___________________________________________________________________
Barcode scanner app on Google Play infects 10M users with one
update
Author : decrypt
Score : 764 points
Date : 2021-02-08 04:36 UTC (18 hours ago)
(HTM) web link (blog.malwarebytes.com)
(TXT) w3m dump (blog.malwarebytes.com)
| greatgib wrote:
| One can say that the solution to this is more control/power for
| the app store, but the opposite, the solution for this problem on
| computer was solved decades ago:
|
| Open source software and more open and transparent platforms!
|
| Today users of common brands of Android and Apple devices are
| really restricted in control of their devices, so there is very
| few ways to check what the system or apps are doing, inspect,
| firewall/limit things, go tinker inside the apps.
|
| And as said by other people, most of the time you have auto
| updates forced on users and so app developer does not even have
| to really justify what changed and why.
| [deleted]
| mpol wrote:
| Agreed. The only way reviews can be done is by stores doing the
| review based on source code, and have submitting source code be
| mandatory with automated builds before review. That is not
| something companies like Apple or Google would even care about,
| it is not in their interest, since it is not their problem.
|
| The phone market is a duopoly, Google and Apple have the market
| shared between them. There is no need to really improve this
| situation for end-users. For me it feels like Windows XP all
| over again.
|
| I am a happy user of a Linux phone. I very much enjoy and
| support Jolla and Sailfish OS, while also hoping for the
| Pinephone and the Librem 5 to take off and be available as an
| option for daily use.
| lvs wrote:
| The OG Barcode Scanner app is getting absolutely throttled with
| negative reviews. But this posting seems to be about a clone app
| by a different developer.
|
| https://en.wikipedia.org/wiki/Barcode_Scanner_(application)
|
| https://play.google.com/store/apps/details?id=com.google.zxi...
| morpheuskafka wrote:
| Yeah it's a really bad idea that they just called the app
| "Barcode Crossing" instead of "Zebra Crossing" or whatever.
| Completely generic and impossible to defend the brand.
| owijfoewiwid wrote:
| This is a very important distinction.
| gdubya wrote:
| I had this one (by ZXing Team) and never noticed any negative
| behaviour, but given that the default camera app now supports
| QR Code scanning I don't see a reason to keep the Barcode
| Scanner app.
| pjc50 wrote:
| Which default camera app? From which version?
|
| (The proliferation of manufacturer camera apps is one of the
| worst things about android)
| sschueller wrote:
| It is also open source: https://github.com/zxing/zxing and
| hasn't had an update since 2019.
|
| So will google fix these reviews like they did with RH? These
| are clearly wrong unlike RH...
| [deleted]
| [deleted]
| bigiain wrote:
| I wonder if there's a coordinated effort to exploit barcode
| reader apps, because (at least where I'm from) it's becoming a
| government mandated Covid tracing thing to use a QR code to
| "check in" to certain classes of businesses/venues?
|
| I bet there's a _huge_ increase in use of QR code scanning apps
| compared to this time last year...
| admax88q wrote:
| It's kind of amazing that there isn't an official QR code
| scanner app preinstalled on phones given how ubiquitous QR
| codes are.
| JCharante wrote:
| I think both Android and iOS have been shipping a built in
| QR code scanner for some years now.
|
| Wechat had 1.17 billion users last year and has had a QR
| scanner built in for many years now. Given that you need
| the app to login to their web or desktop applications, it
| can be presumed that that many users have the app
| installed, possibly making WeChat the most popular QR code
| scanner app.
| bigiain wrote:
| I think Android 9 and up has QR code scanning built into
| the camera app, same as similarly recent vintage iOS. iOS
| is somewhat less problematic given that ~98% of devices are
| running current or one version old OSes, where the Android
| fleet has a huge install base who won't or can't upgrade
| from pre Android 9 versions. Last time I looked it was
| still over 40% of all Android devices.
|
| I've side loaded LineageOS onto a few old old Android
| devices, Galaxy S3 and S4s, but my S6Edge is still running
| the Android7 OS it had when Samsung abandoned it. My
| similar vintage 2015 iPhone 6S is running fully current
| iOS14 - but it is the oldest Apple device that'll run it.
| (To be fair, my Samsung S3 vintage iPhone 5 can't run
| anything newer than iOS10.3).
| astura wrote:
| There is, on Android point the camera at a QR code and it
| will scan/read it.
| bigiain wrote:
| Interestingly, I just checked the QR code scanner app I have
| on one of my Android devices (A Samsung S6Edge abandoned and
| unupdateable from Android7 - without jumping through some
| hoops I've not been inclined to do yet).
|
| As soon as I opened it, it popped up a dialog box with non-ASCII
| text in it (Arabic or maybe Thai script?) with yes/no
| options, for all I know asking for permission to steal my
| contact list... I just closed the app and uninstalled it.
|
| It was "QR code scanner free" by Application4u. It does
| disclose "Contains ads". 4.5 stars, 10 million+ downloads. Has
| some expected permissions (camera) and a few less expected
| ones (storage/sd card) and a few very suspicious ones (full
| network access, prevent phone from sleeping, connect and
| disconnect from wifi, view wifi connections - I guess maybe
| these are needed for the ad serving in the free version?
| Seems like overreach to me...)
| rwh86 wrote:
| My phone was affected by this, and I can confirm I had the
| original barcode scanner app in your first link installed, and
| I'd had it installed for years.
|
| I now use Google Lens through the default phone app.
| Farbklex wrote:
| This is even worse when the app in question comes preinstalled on
| your Samsung tablet and can't be uninstalled (but afaik it can be
| stopped and downgraded).
|
| https://fossbytes.com/peel-remote-use-remove-smart-remote/ "Truth
| be told, Peel Remote has been scrutinized for more than a year
| because of the company desperate measure to gain revenue. In
| 2017, the app introduced a malign ad practice of unethical lock
| screen ads and overlays."
|
| My girlfriend's tablet just started turning the screen on at
| random times. It took some time to find out which app causes
| this.
| codesternews wrote:
| We are the same guys who want every app to be free. Do you expect
| bread to be free or coffee to be free? Why do we expect apps to be
| free even from Google?
|
| How do you think small app developers earn money, other than by
| displaying ads? But we want ads to be blocked and don't want to
| pay money.
| Rooster61 wrote:
| Ads within the app are fine, and I don't think many people who
| download a free app expect to have zero ads unless it says it.
|
| THIS app, however, displayed ads outside of the application
| when the phone was unlocked. It's not the same thing, and it's
| not ok.
| ntSean wrote:
| When the Apple App Store contained malware compiled by
| unsuspecting Chinese developers using a local cache of Xcode [1],
| Apple emailed the developers to prompt them to update their
| application immediately and removed them from sale.
|
| Apple also contacted users directly to alert them of whatever
| apps they had purchased on the App Store were compromised so they
| could monitor for updates, or remove the app entirely.
|
| Has Google done the same? Neither Apple nor Google have the
| ability to directly remove apps on a user's device, but simply
| removing it from the store and then having users rely on a
| solution like MalwareBytes seems like Google is abnegating their
| responsibility of a safe marketplace.
|
| [1] https://en.wikipedia.org/wiki/XcodeGhost
| saagarjha wrote:
| Apple has this ability, but they have not used it:
| https://iphone-services.apple.com/clbl/unauthorizedApps
| slezyr wrote:
| Google can disable apps on the users' devices.
|
| https://developers.google.com/android/play-protect/client-pr...
| vultour wrote:
| "Can"
|
| Play Protect is a complete joke, it can't even detect
| malicious Chinese apps that request every single permission
| that exists.
| jk7tarYZAQNpTQa wrote:
| > Neither Apple or Google have the ability to directly remove
| apps on a users device
|
| I'm pretty sure both can. But it's a legal problem, not a
| technical one.
| waiseristy wrote:
| Crazy to see this on HN. I was affected by this malware earlier
| this month and have both reported the app via the app store phone
| UI and submitted a full report w/ screenshots via the Play Store's
| web interface. Absolutely insane that I can still download this
| app from the Play Store and the dev's account hasn't been nuked.
| f430 wrote:
| When did you first notice it?
| waiseristy wrote:
| The app was updated Jan 29th. I noticed probably on the 1st
| or 2nd of February. I had a hard time tracking down where the
| spam tabs were coming from, but the app luckily gave me a
| spam notification from which I was able to see the app name
| and uninstall it.
| f430 wrote:
| I just don't understand how Google Play could've let this
| slip. Was this like the cyberattack not too long ago where
| they were able to infiltrate the CI/CD process to slip in
| updates? Is this the fault of the developers not securing
| it or is this willful neglect or incompetence at Google
| Play store level?
| TrianguloY wrote:
| What I don't understand is why the internet permission (one of
| the most dangerous permissions in my opinion) is assumed to be
| always requested and not even reported when downloading an app.
| Sure, most apps need it (most of them for ads though) but at
| least warn me before installing like you do with other
| permissions like calls and SMS.
|
| But wait, there is more: that permission (and some others) are
| considered so harmless that if you install an app without it, and
| then the developer publishes an update with it, the Play Store will
| automatically update it without even asking! Remember this
| doesn't happen with 'dangerous' permissions, so apparently Google
| thinks accessing the internet is not dangerous at all.
| secondcoming wrote:
| Does anyone know what SDK they were using? I work in adtech and
| would like to review traffic from this SDK and potentially block
| it.
|
| Edit: Seems they're using MoPub and AdMob
| LordOfWolves wrote:
| Apple's (often critical) review process for app updates is
| shining right now!
|
| Edit: /s
| m463 wrote:
| Apple does not let you back out an update you made and regret.
|
| Apple does not block apps from using the network or give you
| any way to find out what they are doing and who they are
| talking to.
|
| In fact, Apple does the opposite - it blocks apps that let you
| firewall your phone.
| ntSean wrote:
| Applications like Charles [1] allow you to monitor network
| connections and data closely. Apple do not actively prevent
| this.
|
| You can also set up a VPN to route traffic and strictly
| firewall.
|
| [1] https://www.charlesproxy.com
| bigiain wrote:
| Charles is great, but it can't view the data for any app
| running pinned certificates.
| m463 wrote:
| Charles must have some wild carveout from apple. All other
| apps that do that have been shut down. I still run a very
| old version of adblockios that starts a vpn (proxy) at
| 127.0.0.1 and blocks traffic that way. mostly.
| mbreese wrote:
| I think the parental control app Circle does something
| similar (faux-vpn proxy). When I tried using Circle, it
| seemed a bit convoluted to me, so we ended up
| uninstalling it. So, I'm not sure how unique this method
| is. But, I'm not sure I can think of another way for a
| network blocking/security app to work on iOS.
| ignoramous wrote:
| https://firewalla.com is another one.
| Wowfunhappy wrote:
| This works as long as the app does not enforce certificate
| pinning. But if it does, there's no way to override it and
| inspect what's actually going on, as I can on my desktop.
| [deleted]
| saagarjha wrote:
| Apple does a pretty bad job here too. The difference is that
| their sandboxing model is better.
| djrogers wrote:
| What in the seven hells is this? Why on earth would any app _not
| running in the foreground_ of my mobile device have the ability
| to launch a random web page?
|
| Guess this is why some walled gardens look a lot nicer from the
| inside...
| wooptoo wrote:
| This is possibly tied to the recent assault on the ZXing Barcode
| scanner app[1].
|
| This is a legit open source app that's been recently flooded by
| 1-star reviews claiming that the app contains malware, probably
| in order to get users to switch to the other apps. The funny
| thing is this app has not been updated since 2019 on the Play
| Store, so those reviews are clearly bogus.
|
| It takes a special kind of scum to slander an open source project
| in order to push malware.
|
| [1]:
| https://play.google.com/store/apps/details?id=com.google.zxi...
| tetromino_ wrote:
| See https://github.com/zxing/zxing/issues/1345 and
| https://android.stackexchange.com/questions/233322/finding-a...
|
| TL;DR someone apparently cloned ZXing Barcode Scanner, added
| annoying ads, uploaded it to the Play Store with the same name.
| Soon enough the malicious clone got taken down. Legitimately
| pissed off people who installed the malicious clone are leaving
| angry reviews for the non-malicious original (presumably
| because the malicious clone is gone from the Play Store).
| Avamander wrote:
| I reported a bunch as spam, but it probably netted me some
| negative reputation by their AI though.
| kevingadd wrote:
| Yeah, be careful doing anything like that on the Play Store.
| You can get your account randomly locked out with no
| explanation (I haven't been able to review apps, leave
| comments or contact the developer for like 3 years, and I
| never got an email or notice about this)
| consp wrote:
| If you have a gsuite account, that might be the reason.
| This started somewhere in 2018.
| jtbayly wrote:
| Wait... why?! I can't think of a single reason Google
| would do this.
| mmahemoff wrote:
| I have the same problem - paying Google customer, so I'm
| not allowed to leave ratings or reviews on Google's app
| store. Support's ignored my requests on this.
| kevingadd wrote:
| Oh, that explains it! Mystery solved, thanks :-)
| kobalsky wrote:
| Do you really want to do anything that looks like abuse with
| your Google account though?
|
| When people don't know why Google banned their 15 year
| accounts I wonder if it's not from innocent stuff like this.
| mrweasel wrote:
| It's doubtful that any AI is involved, but I wouldn't be
| surprised if Google have an algorithm that decides that X
| number of negative reviews must be spam, without considering
| the quality and correctness of the review.
| jorvi wrote:
| Gotta love that those bogus 1-star reviews stay up, but Google
| _instantly_ came to the rescue of Robinhood when it was getting
| flooded by 1-star reviews that had an actual legitimate basis.
| josh11b wrote:
| Robinhood's app has a 1.2 star rating at the moment.
|
| https://play.google.com/store/apps/details?id=com.robinhood...
| mynameisvlad wrote:
| Google was well known to have removed about 100k low rating
| reviews during the peak:
| https://www.theverge.com/2021/2/1/22261178/robinhood-google-...
| curtis3389 wrote:
| I knew nothing of ZXing Barcode Scanner other than it was super
| simple and "just works." Nice to know that it's open source!
| I've been happily using it on all my Android phones since I
| started with the HTC Dream so many years ago.
| Fej wrote:
| Not only that, there's a "plus" version that's both better
| and is now free, as it can't be updated anymore via Google
| Play.
|
| https://play.google.com/store/apps/details?id=com.srowen.bs...
| bityard wrote:
| The ZXing Barcode Scanner (which is the "official" barcode/QR
| code scanner for Android, as far as _I_ am concerned) is also
| available on f-droid.org. There's no absolute guarantee that
| F-Droid apps are malware-free but they have at least been
| looked at by a competent team of humans, something that is not
| true of the Play Store.
|
| https://f-droid.org/en/packages/com.google.zxing.client.andr...
| dyingkneepad wrote:
| Does F-Droid compile the binaries themselves? Or do they just
| take a look at my github and then trust the .apk I build
| myself and send them?
|
| I mean, I could very well make an open source app and then
| load some malware in the apk in addition to the well behaved
| thing... Are they immune from this attack?
| ashneo76 wrote:
| F-droid mostly compiles from source.
| https://f-droid.org/en/docs/FAQ_-_General/#whats-the-differe...
| TheRealDunkirk wrote:
| "Apps" and "algorithms" seem to be driving literally everything
| about society now. I don't think this is a good thing, nor do I
| see the trend reversing. These giant black boxes now control
| the levers of modern society, and the companies that own them
| get to hide behind their "terms of service" to avoid any
| responsibility for the damage being done.
|
| Every significant review system is being gamed to the point of
| being unusable, and yet stories about not being able to trust
| them keep being reported as if this were somehow noteworthy.
| For every one of these stories that rises to a thread on HN,
| how many other small time vendors are getting screwed by
| someone who is willing to pay a room full of people in some
| 3rd-world country to debase their competitor's online presence?
| swiley wrote:
| These app stores are a terrible software distribution model.
| Every day we hear about another reason they harm users far more
| than community maintained repositories and only protect the
| interests of the OS vendor.
| notatoad wrote:
| App stores are no more terrible than the previous software
| distribution model where you Google the name of the software
| you want to install, find some site that "mirrors" the
| download, realize they've repackaged the original app with
| extra ads and toolbars, keep searching, find the official
| download link, scroll past all the misleading ads containing
| download buttons, download the package, and then hope the
| download runs on your machine.
|
| Anybody complaining about app stores has forgotten how bad
| the alternatives are. And community-maintained repositories
| aren't a solution, that's just the app store model but on a
| smaller scale so it's less of a target for bad actors. If
| Ubuntu's universe repo had to suffer the same amount of abuse
| as the Play Store does, it would crumble in a day.
| PUSH_AX wrote:
| Would you call it the "previous" software distribution
| model? I still Google software for Mac and Windows, but I
| can't remember the last time I had to use a dodgy mirror
| site. Storage and bandwidth are cheap and plentiful now,
| most everything has an official source.
| notatoad wrote:
| I call it "previous" because Windows and Mac both have
| actual app stores now, even if many developers shun the
| app stores and still encourage people to find their
| software by searching for it on Google.
| _jal wrote:
| It really is pathetic. Looks more mafia-like every day - they
| grab control of a choke point, ensuring they get their vig,
| but otherwise show no interest in providing real security.
|
| It is just 'protection'.
| lrossi wrote:
| What you describe is actually worse than the mafia. They
| would offer protection to some extent against third party
| rip-off.
| jimmaswell wrote:
| Yeah, people from areas that used to be run by the mob
| often say they ran things better than the government did.
| Mobs require some form of community support to operate
| from what I understand.
|
| The "real" government is really just another mob anyway.
| Pay your [protection money/taxes] or get your shop
| [busted up/shut down] and have other bad things happen to
| you.
| AdrianB1 wrote:
| Don't assume malice when it can be explained by stupidity; it
| is probably a confusion as there are many apps with very
| similar names and in the phone the publisher is usually not
| listed (I checked mine), so people with the malware app gave
| reviews to other apps.
| tcldr wrote:
| This review fraud has got way out of hand. Right now, it would
| be better to remove reviews entirely and for consumers to make
| a decision based on the product page alone. The consumer trust
| in reviews is at such a low that it's adding friction to
| purchase decisions and starving honest businesses from being
| able to invest in quality products.
|
| One solution might be to only publish reviews/ratings from
| accounts with a minimum spend threshold and unique active
| payment details. This would effectively price out the scammers.
| hammock wrote:
| Fake reviews are not that hard to spot. Why don't we focus on
| educating people on how to evaluate what they read, and
| making informed decisions, rather than taking information
| (even if misinformation) away from them? It would help with
| fake news as well.
| tcldr wrote:
| Most people don't read many reviews though. Just the 'most
| helpful' and the review tally. Worse, the store search
| results pages use the review scores to rank apps too.
| khamba wrote:
| > Fake reviews are not that hard to spot.
|
| This statement seems very suspect to confirmation bias. How
| would you get to know if what you think is genuine was
| actually fake? This part of the feedback loop is completely
| missing, and hence I find your above statement hard to
| believe.
| duxup wrote:
| Even non fake reviews suck.
|
| The sheer scale of situations where the top review is
| negative describes something that ... is not a bug, is
| actually supposed to be that way, is how the dang app works
| by design for good reason ... is bonkers.
|
| It seems like reviews are driven by people who don't know,
| and responses to reviews by people who don't know, who describe
| what sounds like fundamentally broken things... so they give
| it a thumbs up and they're both completely ignorant.
|
| The volume of people who do know the app and would see /
| write a review seems like it is MUCH smaller.
|
| I had a game app update recently. I went to update it (one of
| the few times I go directly to the Play Store app). There at
| the top is a review that described how they saw opposing
| players "just disappear" during the game and raged about that
| 'bug'. But it's not a bug: the game has some fog of war and
| view distance type mechanic. It's entirely expected /
| appropriate.... but there it is, the top review.
| trevor-e wrote:
| FWIW the updated date doesn't necessarily mean anything, the
| app could be loading code remotely via some endpoint which the
| article does mention as a possibility in general.
| [deleted]
| estomagordo wrote:
| Oh wow, one hundredth of a user.
|
| People really need to start respecting m=milli and M=mega.
| tiagod wrote:
| The m in the title doesn't stand for mega, it stands for
| million, and lower-case m is a proper abbreviation:
|
| https://www.lexico.com/definition/m
| prof18 wrote:
| QR readers are loaded with everything. I went mad trying to find
| a decent one for my parents' Android phone and apparently it
| doesn't exist. So in a weekend I've created one without any kind
| of tracking, ads, permission, whatever. Here it is if you guys
| need one ->
|
| https://play.google.com/store/apps/details?id=com.prof18.sec...
| aardshark wrote:
| It doesn't exist? What were your feature requirements?
|
| You wrote a wrapper around ZXing, which already has an official
| app as well as simple variations of that app from the ZXing
| team. That app is open source and ad-free.
|
| There are already many similar wrappers around ZXing on the
| Play Store.
|
| So what does your app do (or not) that makes it special?
| rjmunro wrote:
| Obligatory XKCD: https://xkcd.com/927/
|
| But in this case, there is only one standard, and lots of
| imitators:
| https://play.google.com/store/apps/details?id=com.google.zxi...
|
| But fallout from the bad app, or possibly deliberate actions by
| the malware maker have caused hundreds of bad reviews. It might
| be that removing the malware app from the store means people
| search for Barcode Scanner, find ZXing instead of the bad one,
| then post their bad review there. Or maybe the bad app is
| deliberately telling people "Click here to review the app", and
| pointing to the wrong app.
|
| There's also reports of some sort of malware doing fishy things
| with intents to make it look like the ZXing software is bad
| https://github.com/zxing/zxing/issues/1345#issuecomment-7590....
|
| I'd like to see a proper investigation by someone at Google
| Play. The original Barcode scanner is not needed for QR codes
| any more - almost any camera app will recognise those, as will
| Google's lens application, but it is still useful for scanning
| other barcode formats and for generating barcodes by sharing
| data with it from other apps, without needing to upload to a
| server or anything.
| nonsapreiche wrote:
| I find https://appsco.pe/app/qrsnapper a simple PWA that works
| fine for me.
| TrianguloY wrote:
| 4M for just a scanner??
|
| I appreciate the app but...don't you think that's too much?
| moritonal wrote:
| But this is the classic cycle don't you see? They almost always
| start as "here is an app I threw together, no ads, don't be
| evil".
|
| But then a lot of people like your app, and ask for a small
| extra feature. You support it, and then get a bit annoyed by
| all the features people are asking for. Then you have to update
| it for the latest release... then suddenly fix it when some
| obscure version of Android breaks on it.
|
| Then someone offers you £60k for a small ad no-one will even
| see and you think.. don't you deserve a bit of credit?
|
| Maybe you'll be the good one who doesn't take it, but the free
| model is generally unsustainable.
| welly wrote:
| If the OP open sources his QR code reader app then the "free"
| model is absolutely sustainable.
| e12e wrote:
| The OP did (it's in the description on the app store, but
| was unfortunately (considering the context and audience)
| left out from their comment):
|
| https://github.com/prof18/Secure-QR-Reader
| kuschku wrote:
| That's why you should try to use apps from reputable
| developers, who've already had countless such offers and
| refused them all.
|
| The usual "400$/month per 1k users" stuff, just integrate an
| ad network is common, but sometimes as dev you even get
| offers like "we hire you, with a contract, you can't be
| fired, legally you're a consultant to us for 2 years, at a
| few hours per week officially, for a silicon valley wage,
| unofficially you just don't do anything and collect but we
| get full control over your apps".
|
| Personally I've had quite a few such offers, and I've
| rejected them in the past and will also reject them in the
| future
|
| Trust devs who've proven themselves :)
| prof18 wrote:
| I'll never do that, because I've done it without any kind of
| profit in mind. I've done it just to help people and the
| community.
|
| I think that if the app is open source, it's harder to hide
| such behavior.
| ant6n wrote:
| Nice. Once you have a million users, are you open to selling
| it? ;-)
| prof18 wrote:
| Nope. Because I truly believe in community and open source.
| I'd not be able to sleep at night and I'd prefer to shut it
| down rather than selling.
| em3rgent0rdr wrote:
| Stallman calls autoupdates a "universal backdoor".
| qwertay wrote:
| Stallman is almost always right but nothing he says is
| particularly surprising or useful.
|
| Yes, auto updates allow delivery of malware, but it's not like
| manual updating was any better. No user was auditing changes
| before hitting the update.
| edoceo wrote:
| But if you were slow updating you could avoid a malware once
| it was known.
| philshem wrote:
| Who will detect the malware if we are all slow to update?
| jobigoud wrote:
| The early adopters. There are always people that will
| weigh the risk of latest & greatest vs buggy
| differently; it should be a choice. Especially for apps
| that don't have a beta testing or early bird channel.
| ksml wrote:
| Also if you were slow updating, you could avoid critical
| security patches (and many people did)
| malux85 wrote:
| Yeah, and missing security updates was WAY more common;
| auto-updates are the lesser of the two evils by far ...
| simfoo wrote:
| Which affect the OS mostly and not individual apps.
| Funnily enough OS updates are usually not automatic.
| Which I think is a good thing because vendors keep mixing
| them with "feature updates" which end up making things
| worse (looking at you Samsung).
|
| I'd love for Google to take away the security update
| channel from the phone vendors and auto-update ONLY
| security-related things through that.
| rjmunro wrote:
| So what happens if you are on an old version, a security
| issue is discovered, but they only fix it in the new
| version?
| Cthulhu_ wrote:
| Give a user a choice though, and they dismiss the update
| notification because it's naggy and annoying and usually
| involves restarting your app or OS (I'm mainly thinking of
| operating systems here).
|
| Microsoft went in hard / aggressively and are forcing update
| installs and restarts, which IMO is going the wrong
| direction.
|
| Wasn't there a Linux project where they could update the OS /
| kernel without a restart? I feel like this is what all OSes
| should aim for. I like to think Android is going in one
| direction, moving shared libraries (Play Services) outside of
| the core OS so it can be updated independently.
| TeMPOraL wrote:
| > _Give a user a choice though, and they dismiss the update
| notification because it's naggy and annoying and usually
| involves restarting your app or OS (I'm mainly thinking of
| operating systems here)._
|
| ...or because it doesn't justify its right to be there. As
| a user, the updates mean to me a high probability of
| getting a more bloated, less usable app with important
| functionality moved or missing. The security implications
| are abstract. The usability impact is real.
| unhammer wrote:
| > Wasn't there a Linux project where they could update the
| OS / kernel without a restart?
|
| Ubuntu? Last time I updated, they asked me if I wanted to
| start using Livepatch, so it seems pretty integrated:
| https://ubuntu.com/security/livepatch
|
| (though I'm horrible at noticing the critical battery
| warnings so I get frequent reboots for free - but that
| method wouldn't work on Windows which installs updates on
| shutdown!)
| krageon wrote:
| > update the OS / kernel without a restart
|
| https://wiki.archlinux.org/index.php/Kernel_live_patching
| simias wrote:
| Windows is in an even worse position because of NTFS file
| locking shenanigans. A lot of the time you can't even
| update the userspace without rebooting.
| amatecha wrote:
| I used to think he was "crazy" and I disregarded a lot of what
| he said. Recently I was reading the FSF website and I realized
| a lot of the stuff on there is actually full of some pretty
| good points, even if it's sometimes presented in a slightly
| "judgemental" or perhaps emotionally-charged manner. Some of
| the statements might not be 100% perfectly factually precise,
| but the gist of them is generally on-point. I have recently
| been a LOT more cognizant of the ways that corporations and
| software outfits exert control over the people who use their
| software. Now that I see it more, and look for it more, I am
| getting suuuper unhappy with the current state of computing. :(
| A lot of the complaints I've had about software and computers
| in the recent years are generally the direct result of the
| software motivations of for-profit/proprietary software
| vendors. I can still use all the OSS stuff just as I always
| have, and it's actually the most stable and reliable stuff I
| use.
| zulban wrote:
| I've seen Stallman live, and in many interviews. The guy is
| in fact "crazy" in a loose sense. Really. Unfortunately, he
| is also often right. It's not a useful combination.
| davidhyde wrote:
| I didn't know that automatic app updates could be turned off
| until I just tried it now in iOS, thanks! Just a side note but
| think that Google and Apple took way too long to provide built
| in apps for using your phone as a flashlight or scanning a QR
| code. They allowed this malware cottage industry to flourish.
| sneak wrote:
| iOS these days also grants Apple full automatic OS updates by
| default, too.
|
| You can turn it off, but you have to dig in settings. During
| initial iOS 14 setup it has a screen telling you it's turning
| autoupdates on, but you're not allowed to opt out there.
|
| Unattended upgrades are a remote code execution
| vulnerability.
| est31 wrote:
| He is right in a sense, and cases like this give him proof, but
| on the other hand, most people don't see the point in patching
| their software. They'd just keep it around unpatched, while
| connecting it to the network. Is millions of vulnerable devices
| better than giving vendors of some software the ability to
| remotely patch their software?
| littlecranky67 wrote:
| I use iOS and have App auto-updates disabled (not the system
| update). We are at a point where auto-updates are more risky
| than the security flaw itself - especially since iOS has a
| pretty good sandbox, especially since it's impossible for one
| app to access the data of another. Additionally, the App
| usually connects to a pretty limited set of servers, and is
| not publicly reachable. So the attack vector is pretty small.
|
| Another point is the often complete change in UI or app
| behavior and you only find out about when you want it the
| least. I once had the case where I came out of a bar in the
| middle of a cold night, tired, had some beers and just wanted
| to use my Bikesharing app to unlock a freefloating bike to
| get home - whilst the app decided that it had to introduce a
| completely new UI and forced me to take an unskippable
| "guided tour" through the new features right at the spot.
| g_p wrote:
| > We are at a point where auto-updates are more risky than
| the security flaw itself - especially since iOS has a
| pretty good sandbox, especially since it's impossible for
| one app to access the data of another. Additionally, the
| App usually connects to a pretty limited set of servers,
| and is not publicly reachable. So the attack vector is
| pretty small.
|
| I'd have to say that most apps now connect to a rather
| large number of hosts/servers, and it's getting
| increasingly untenable to not offer users proper control of
| this. I get that Apple wants to be "friendly computers",
| but looking at my firewall logs I'm seeing:
|
| - third party audience segmenting
| - third party analytics
| - third party static content being fetched
| - third party ad networks
| - first or third party generic cloud server connections
|
| I think the attack vector on apps is quite significant if
| you consider the app itself to have been built to monetize
| data - there's no outbound traffic filtering to check the
| system isn't leeching user data and/or device identifiers
| (the latter getting better and hopefully Apple will require
| consent soon for the ID for advertisers).
|
| It's trivial to make an app that leeches a user's contacts
| regularly to a server, then does anything the developer
| feels like to build a social graph. See clubhouse. I fear
| the biggest issue for most users' privacy are the
| "legitimate" apps they use simply not being built with
| incentives aligned with their interests, and having access
| to phone home to any server with anything they can access.
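The categories of outbound traffic listed in the comment above are exactly what a per-app firewall log can be sorted into. The following is an added example, not code from the thread or from any project named in it: it parses constructed connection log lines (the `app=... dst=... bytes=...` format, the app names, the first-party domains and the category list are all made up for illustration) and reports, per app, how many bytes went to first-party hosts versus each third-party category, so that an app talking to trackers stands out. A real deployment would feed it the device firewall or DNS resolver output and a maintained tracker list instead of the small hypothetical table here.

```python
"""Classify per-app outbound connections from firewall logs by destination category.

Added example, not from the HN thread. The log format, app names, first-party
domains and host categories are all constructed for illustration.
"""
from collections import defaultdict

# Constructed category table: registrable domain -> category (hypothetical entries).
HOST_CATEGORIES = {
    "segment-example.net": "audience-segmenting",
    "analytics-example.com": "analytics",
    "cdn-example.net": "static-content",
    "ads-example.com": "ad-network",
    "cloud-example.com": "generic-cloud",
}

# Constructed first-party domain per app (in practice: the domain the app publisher controls).
FIRST_PARTY = {
    "BarcodeScanner": "barcodescanner-example.com",
    "Weather": "weather-example.org",
    "Notes": "cloud-example.com",
}

# Constructed log lines in a made-up format: "<timestamp> app=<name> dst=<host>:<port> bytes=<n>"
SAMPLE_LOG = """\
2021-02-08T10:00:01 app=BarcodeScanner dst=api.barcodescanner-example.com:443 bytes=1200
2021-02-08T10:00:02 app=BarcodeScanner dst=tr.analytics-example.com:443 bytes=900
2021-02-08T10:00:03 app=BarcodeScanner dst=sync.ads-example.com:443 bytes=4400
2021-02-08T10:00:04 app=Weather dst=img.cdn-example.net:443 bytes=20000
2021-02-08T10:00:05 app=Weather dst=pixel.segment-example.net:443 bytes=300
2021-02-08T10:00:06 app=Notes dst=s3.cloud-example.com:443 bytes=8000
"""


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain (no public-suffix list here)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def parse_line(line):
    """Turn one constructed log line into a dict of app, host, port and byte count."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    host, _, port = fields["dst"].rpartition(":")
    return {"app": fields["app"], "host": host, "port": int(port), "bytes": int(fields["bytes"])}


def classify(app, host):
    """First-party wins over the category table, so an app's own cloud bucket is not counted as a tracker."""
    dom = registrable_domain(host)
    if dom == FIRST_PARTY.get(app):
        return "first-party"
    return HOST_CATEGORIES.get(dom, "unknown-third-party")


def summarize(log_text):
    """Return {app: {category: bytes}} so each app's third-party footprint is visible at a glance."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        summary[rec["app"]][classify(rec["app"], rec["host"])] += rec["bytes"]
    return {app: dict(cats) for app, cats in summary.items()}


def flag_tracker_talkers(log_text, tracker_categories=("audience-segmenting", "analytics", "ad-network")):
    """Apps whose outbound traffic hit any tracker category, sorted by name."""
    return sorted(app for app, cats in summarize(log_text).items()
                  if any(c in cats for c in tracker_categories))


if __name__ == "__main__":
    for app, cats in summarize(SAMPLE_LOG).items():
        print(app, cats)
    print("apps talking to trackers:", flag_tracker_talkers(SAMPLE_LOG))
```

On the constructed sample, `BarcodeScanner` is flagged because of its analytics and ad-network connections, `Weather` because of the audience-segmenting pixel, while `Notes` only reaches a host that is listed as generic cloud but is its own first-party domain, so it is not flagged. That last case is the ambiguity the comment calls "first or third party generic cloud server connections": the same hosting provider can be either, and only the per-app first-party mapping resolves it.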
| littlecranky67 wrote:
| > there's no outbound traffic filtering to check the
| system isn't leeching user data and/or device identifiers
|
| But there is the iOS sandbox FS. So if an App gets
| exploited, it can only ever leech the data from exactly
| THAT app. Just the same as an auto-update might just
| start to leech and upload that data. Given the real-world
| practices, I think it is more likely an App creator
| chooses to upload the data, than some malicious hacker
| doing it.
|
| > It's trivial to make an app that leeches a user's
| contacts regularly to a server
|
| On iOS this is not possible - either the App requests
| access to the contacts list then I have to consent via
| iOS sandbox features, or it doesn't get access. And if I
| didn't give this consent, any security hole that exploits
| the App will need to get that consent too (at which I
| will not give it).
| g_p wrote:
| From a technical perspective, you're of course right.
|
| I fear however that the majority of "regular users" are
| being coerced into giving consent without realising what
| is happening - seeing the number of people end up in a
| FOMO-induced panic to join Clubhouse (or whatever the
| next big popular phone number based app is), a simple
| "give access to your contacts to invite a friend" masks
| the fact the app uploads your contacts to the server
| every time you open the invite tab.
|
| It feels we need to address coercive practices or at
| least try to do some kind of taint analysis to allow iOS
| to alert that it believes the memory buffer about to go
| into a networking API originates from a permission-
| protected memory buffer, and are you sure you want to let
| the app upload your contacts... But I suspect we just end
| up shifting the problem, and they coerce users again, ad
| infinitum, until they harvest their social graph
| (illegally, at least in Europe/UK).
| Silhouette wrote:
| _hopefully Apple will require consent soon for the ID for
| advertisers_
|
| Just think through the implications of that phrase for a
| moment, though. _Your own device_ comes with a _built-in_
| mechanism specifically designed for advertisers to track
| you. Why was that ever a good idea in the first place?
| sjwright wrote:
| Such mechanisms have already existed and never needed OS-
| level sanction. It's pretty clear that Apple is employing
| the strategy of "embrace, extend, extinguish" against
| tracking and privacy compromising dark patterns. In other
| words, force developers to use a special API, then give
| consumers the ability to block it. The current stoush
| with Facebook is only the most formidable hurdle Apple
| has encountered so far.
| Silhouette wrote:
| That is the usual argument, but I don't see how it stands
| up to scrutiny.
|
| Either there are alternative ways to track a user of an
| Apple device without IDFA or there are not. If there are,
| then it is reasonable to assume that unethical
| advertisers will return to using them if their access to
| IDFA is gated.
|
| So, whether or not IDFA exists, the only robust way to
| protect users is to block apps from having access to
| _anything_ about the host device that implicitly provides
| a unique method of identifying the user.
|
| This is what other platforms have been trying to achieve.
| For example, in the web browser ecosystem, software has
| been restricting programmatic access to features that can
| be used for fingerprinting or deliberately reducing the
| level of detail exposed by some APIs.
|
| With control of the entire ecosystem, why is Apple not
| better placed to adopt this strategy than anyone else,
| and whether or not Apple is technically capable of
| achieving the perfect result, how does introducing IDFA
| make any difference?
| g_p wrote:
| It does seem like when IDFA goes, apps will be struggling
| for identifiers, at least on iOS. I've seen a few articles
| suggesting they will be back to trying to fingerprint
| devices (in manners that break the App Store terms of
| service).
|
| I agree entirely - it seems that the solution going
| forwards is to prevent any access to any kind of
| persistent identifier that is part of the runtime
| environment. This might get in the way of some security
| mitigations (which seem pretty weak to begin with) and
| some monetisation models (i.e. enabling pervasive
| tracking across apps), but the end result feels more
| "clean" and like users would expect - the app runs in a
| sandbox where there's no access to anything to
| distinguish the app from any other instance of it.
|
| Clearly keeping this up at the network level is far
| harder (and some app developers will probably fall back
| to using the WAN IP and other factors), but perhaps there
| are even solutions here - perhaps TCP relay servers mix
| user traffic (while leaving it HTTPS-protected) to
| prevent services from seeing user IPs, and a virtual
| network interface internally in the runtime ensures apps
| only see an IP of 10.0.0.1.
|
| It seems a worthy goal to try to ensure that runtime
| environments are indistinguishable, at least to end
| cross-service ad tracking once-and-for-all. Handling it
| within apps probably comes down to policy - not sure any
| technical mitigations can prevent this while apps can
| remain Turing complete (as they can simply store their
| own identifier).
| g_p wrote:
| Agreed - it really is absurd. One time I tried to design
| as a thought experiment a "platform" where each execution
| environment of the app was absolutely indistinguishable
| from any other.
|
| Unfortunately to make it work you can't give it network
| access (easily, at least). But you have a whole host of
| stuff in /proc and /sys that you also need to block (at
| least on Android) - there's just too much unique per-
| device information available to apps. Clearly ensuring
| runtimes are indistinguishable was never a design goal
| (as some simple chroot'ing together a virtual filesystem
| would help to prevent a lot of this, as long as the APIs
| are limited enough).
|
| But alas, when your phone OS comes from an adtech
| company, that is probably a hint they are not interested
| in making it indistinguishable from others.
| hulitu wrote:
| > He is right in a sense, and cases like this give him proof,
| but on the other hand, most people don't see the point in
| patching their software.
|
| We are not talking about patching. We are talking about
| updating.
|
| > They'd just keep it around unpatched, while connecting it
| to the network. Is millions of vulnerable devices better than
| giving vendors of some software the ability to remotely patch
| their software?
|
| Yes. Vendors do not patch their SW. For the average SW
| developer fixing bugs is like castor oil. Remember the forced
| transition from Win 7 to Win 10 when a good OS was replaced
| by an abomination? And no, 10 is not better securitywise
| than 7. There are lots of RCEs in 10. Did you ever play an EA
| game? With Origin doing a 4GB update before playing? On a
| 25 Mbps internet connection?
|
| So for me, if you have a security patch for your SW I will
| apply it. Maybe after some buffer period in the case of known
| offenders (MS) depending on severity. If it's "performance
| and usability improvements", just forget it. If you didn't
| bother to write a changelog for your SW I will not waste my
| time and money (an internet connection is not free) updating
| it.
| Closi wrote:
| What stops them bundling something malicious into the
| "security patch" and then not writing it into the change
| log?
| rob74 wrote:
| App review... maybe? But the review (especially on
| Android) would have to be much more careful than it is
| nowadays...
| Silhouette wrote:
| Traditionally, when someone deliberately does something
| that causes significant harm to someone else, we address
| that by giving them a chance to defend their actions in
| court and if their defence is not acceptable we penalise
| them. It is strange how easily we forget normal behaviour
| as soon as technology comes into the picture.
|
| If you had a shower fan/light that broke, and the
| manufacturer supplied a new model to replace it that had
| a working fan but no light and also an undisclosed camera
| and connectivity that sent everything it saw home to the
| manufacturer, no-one would be debating the situation.
| People would be going to jail.
| Kiro wrote:
| > We are not talking about patching. We are talking about
| updating.
|
| No, he's talking about all auto updates. Here's the
| interview with the quote in question:
| https://archive.org/details/LundukeHourApril14RMS
| macksd wrote:
| There's a third possibility, and I think it's Stallman's
| ideal computing landscape: all users care deeply about the
| code running on their machines and they are competent in
| applying and vetting patches, building from source, etc. It's
| unrealistic, sure, but it sounds nice right about now.
| mcv wrote:
| Not everybody needs to do that, but then you need to rely
| on people you can trust. Of course we already do that to
| some extent in app stores: I don't install something from
| unknown developers that requires all sorts of permissions
| it shouldn't need, I do install from developers I think I
| can trust. But if I don't trust them, I lack the ability to
| inspect their code. That's indeed the big thing that's
| lacking.
| TeMPOraL wrote:
| I don't think it was ever Stallman's point. He is smart
| enough to recognize most users aren't going to be
| technically competent.
|
| He's also smart enough to recognize is that most people
| _are_ going to have someone technically competent in their
| circle of friends, or within few minutes of walking
| distance. So people need a set of rights that will allow
| them to ask or hire someone else to care for their
| computing. In this sense, Free Software is like Right to
| Repair - it isn't about making individuals technically
| competent; it's about enabling local markets of
| specialists.
| est31 wrote:
| I think back when he posted it, it might have been possible
| for sufficiently motivated and talented individuals to do
| such vetting, albeit even then it would have been a
| stretch. Nowadays the amount of code running on various
| devices in a single home has increased so dramatically...
|
| Think of TV remotes. They used to work with infrared.
| Nowadays, there are bluetooth remotes (not sure how widely
| deployed they are, but at least some vendors offer them
| instead of IR remotes). An infrared device can be send-only.
| No way to hack it even if you have an infrared sender
| in range. The pattern transmitted was quite simple. The
| Bluetooth protocol however requires both sending and
| receiving ability. A Bluetooth stack is in the tens of
| thousands of lines range. There will be a security bug
| somewhere...
| littlecranky67 wrote:
| This TV remote example gets exactly to the point: What do
| you think is more likely, a malicious hacker driving a
| van and parking in front of your house? Just to exploit
| the TV remote via Bluetooth, a device that has no
| sensitive data, is not connected to the internet and can
| only be used to make TV inputs like switching channels?
| Or rather that your TV vendor like Samsung or LG decide
| one day that they offer a firmware "update" that will log
| what you watch on the TV, upload screenshots of the device
| and installed apps to the cloud and sell to 3rd parties?
| My bet is on the latter, and it exactly makes the point
| that auto-update is more dangerous than having a security
| flaw in a bluetooth TV remote.
| macksd wrote:
| I agree it's unrealistic, but I think Stallman and many
| others like him would rather forego the benefits of a
| bluetooth remote than embrace the status quo.
|
| OpenBSD for instance, was recently discussed on here for
| dropping a Bluetooth stack over concerns about the
| correctness of the implementation, and no one has
| bothered to write a better one.
| z3t4 wrote:
| Basically all phones are behind a NAT/firewall. You can't
| connect to them directly.
| BelenusMordred wrote:
| Until they turn on ADB, then it's a free for all.
|
| https://www.bleepingcomputer.com/news/security/tens-of-
| thous...
| rjmunro wrote:
| On my home WiFi, my phone is on IPv6, and therefore not
| behind NAT (it is on a NAT address for IPv4, though). I've
| not done any super-geeky things to enable this, it's a
| standard router from a mainstream internet provider.
|
| Pinging the IPv6 address from outside doesn't seem to work
| - I guess there is some sort of firewalling going on.
| bonzini wrote:
| They can connect to whatever they want, it's more than
| enough.
| est31 wrote:
| Plus many services can send push messages to the phone.
| E.g. Whatsapp. Bezos for example was hacked through a
| Whatsapp message containing an exploit.
| Silhouette wrote:
| We need a culture that distinguishes between truly necessary
| updates like security ones and general updates that change
| functionality and interfaces. One type is essential and we
| want to encourage everyone to install those promptly. The
| other should always be optional and the changes being made
| should always be transparent. Bundling the two is a common
| but user-hostile behaviour.
|
| This separation should be the price of admission for software
| developers who want to use online updates, and by now there
| is probably a need for real laws to regulate the industry
| since firstly it is very clear that it will not regulate
| itself effectively and secondly it is no longer just random
| applications but essentials like operating systems, web
| browsers and even the software controlling your car that are
| being treated in this cavalier way.
| rjmunro wrote:
| This would be nice, but a developer could still publish a
| malicious update as an important security fix.
|
| Also it gets very hard for developers to keep track of past
| versions and apply new fixes to them, when they also have
| to apply fixes to the new versions.
| Silhouette wrote:
| _Also it gets very hard for developers to keep track of
| past versions and apply new fixes to them, when they also
| have to apply fixes to the new versions._
|
| Then maybe they release too often?
|
| I have been developing software professionally for a long
| time, much of it code that needed to be high quality. I
| have never worked on such a team that couldn't keep track
| of its own software, often over a period of years or even
| _decades_ , and backport fixes when necessary.
|
| Yes, it's less convenient for the developers than just
| having a single version that users are forced to update
| constantly if they want fixes. But it is achievable if
| you drop the pretence that every minor change in
| functionality or appearance must be pushed into
| production instantly through some CD system, which is of
| course a luxury that only those running hosted software
| have anyway.
| yread wrote:
| Maybe I'm a luddite but updates are not always necessary.
| It's a barcode app, what updates does it need? Is there a cve
| that needs to be patched? No? Then I don't need a new version.
| robin_reala wrote:
| Better scanning in low light, better error correction in
| code recognition, ability to recognise codes from a further
| distance, faster capture of codes, more options of what to
| do with the resulting data, reduced power usage while
| scanning, better user interface choices (e.g. updating to
| support more devices or matching new platform UI), ability
| to interface with external barcode scanners, better privacy
| protections for the user, reduction in overall package
| size, etc etc etc.
|
| There's always more things you can do to a product to
| improve it for its users.
| [deleted]
| kace91 wrote:
| "is there a CVE" is not a question that regular people can,
| will, or in my opinion even _should_ ask.
|
| I mean, if they do, all the better, but my point is that
| advanced enough tech knowledge should not be a requirement
| for a safe system.
| Scoundreller wrote:
| I'm usually like this. Then my bank's app refused to launch
| until I updated.
|
| They re-designed it. When I went to click my usual
| "schedule payment" button on a bill payment, it just said
| "Coming Soon".
|
| I wasn't a happy person about it.
|
| Big Canadian bank too. US$65b mkt cap.
| tinus_hn wrote:
| It's a bank app. Keep your bank apps up to date.
|
| Complain about updates all you want but not keeping your
| bank apps up to date is the wrong solution.
| kogepathic wrote:
| > Big Canadian bank too. US$65b mkt cap.
|
| Well then, let me tell you about Toronto Dominion bank
| (TD, market cap ~$105B)
|
| The app allows you to photograph a cheque to deposit from
| the app. This option is displayed for their TD USD
| chequing account.
|
| I scanned a cheque from a US bank in the app (to deposit
| into my USD chequing account), only to be informed that
| cheques from US banks cannot be deposited using the app
| and that I'd have to go to a branch.
|
| The same app is missing transactions and does not
| correctly display the current balance of some accounts
| (which are correctly shown in EasyWeb). The app has also
| blocked screenshots, so I was unable to provide their
| customer support with proof of the missing transactions.
|
| Call me entitled, but I would expect all transactions and
| current account balances visible in the web interface to
| be accurately reflected in the bank's official app.
|
| If you have ever experienced N26, Revolut, or any number
| of European "FinTech" banks, you will understand that
| Canadian banks are busy banging rocks together while
| telling you they're hot shit.
| Scoundreller wrote:
| > I scanned a cheque from a US bank in the app (to
| deposit into my USD chequing account), only to be
| informed that cheques from US banks cannot be deposited
| using the app and that I'd have to go to a branch.
|
| Dunno if Canadian banks would be game for this, but back
| when AdSense only mailed cheques in US$, and inexplicably
| refused to e-deposit to my US-based bank account, I'd
| mail my cheques in.
| jobigoud wrote:
| I never use my bank app because I don't fully trust my
| phone but they redesigned their website to be more mobile
| friendly. Now I can only see 10 operations at once
| instead of 30 before, and I can no longer sort by
| amount...
|
| When I complained 2 years ago about it my banker told me
| to participate in their feedback program... Now they send
| me market research polls about future products and
| features, no way to report usability issues, it's not
| even run by the bank itself...
| Silhouette wrote:
| Financial services companies do seem to be particularly
| bad when it comes to UIs for their customers. Both awful
| apps and broken "mobile-first" sites seem to be par for
| the course these days. A few do try to do better, but the
| reality is that most people don't change banks for much
| more serious reasons than this, so the banks have a
| financial incentive to just throw some mostly workable
| junk together and ship it as cheaply as possible. :-(
| krageon wrote:
| Generally the apk can be decompiled and the protections
| stripped if it really bothers you to update.
| [deleted]
| dolmen wrote:
| And even when you choose to only manually upgrade, carefully
| looking at the changelog, but it just says "Bugs fixed."
|
| The Play Store doesn't give enough information to really
| judge if the upgrade is necessary.
| dividuum wrote:
| "Bug fixes and performance improvements". ~AirBnB
| pieter_mj wrote:
| My Nokia 7.2 has had so many performance improvement
| updates I fully expect it to be faster than the latest
| iPhone flagship.
| Animats wrote:
| So why aren't we hearing about someone being arrested?
|
| Google knows who their devs are. Law enforcement can demand they
| give up that info.
| layoutIfNeeded wrote:
| They are most likely Chinese. I've been getting asked by
| Chinese accounts on LinkedIn to let them use my account to
| submit their apps on the Google Play Store for a fraction of
| their revenue. I'm guessing there's a similar scam going on
| here too.
| Farbklex wrote:
| This is also very common on freelance sites like Upwork.
| tinus_hn wrote:
| There is a difference between 'infects' and 'shows pop-up ads'.
| Annoying? Sure. Comparable to a complete security breach? No.
| iamacyborg wrote:
| It's not a data breach, but it is fraud and should be treated
| as such.
| pjc50 wrote:
| Computer crime is so very rarely traced and prosecuted, like
| most white collar crime.
| Cthulhu_ wrote:
| It's still a massive issue if the crime crosses borders; if
| the entity behind the malware is from, say, Russia, what can
| a prosecutor in the US do? This is why internet crime is such
| an issue.
| _AzMoo wrote:
| Right, which is a massive problem. If these people and those
| like them were prosecuted then we'd have far less of a
| problem.
| [deleted]
| RavlaAlvar wrote:
| This is why I am going to buy more Apple stock tomorrow.
| hilbert42 wrote:
| _Quote from Malwarebytes site: "Peter V. Jaspers-Fayer - Why does
| this article not contain the publisher and the icon of the app in
| question? There are many called "Barcode Scanner", and by
| omitting this information, you have caused unwarranted panic by
| users of innocent apps of the same name."_
|
| The fact that Google allows applications on Google Play to have
| identical/duplicate names is a significant ongoing problem as it
| causes considerable confusion.
|
| I'm not against apps that have similar functions having identical
| (duplicate) filenames as this stops developers having to dream up
| ridiculous names that have little or no bearing to an app's
| function but it would make sense to separate the apps in some
| simple way that users could easily identify. For instance, apps
| with identical names could be flagged in many ways such as, say,
| Google providing a sequence number to the end of the filename.
| And I'm sure there are many other suitable ways I've not thought
| of.
|
| As for the fact that Google lets malware onto Google Play and
| that it has happened many times demonstrates the fact that Google
| doesn't consider the matter of highest importance. That's to say,
| keeping malware off users' Android phones is not as important as
| making money from its advertisers.
|
| If keeping malware off apps were equally important to Google then
| this malware would unlikely have escaped Google's monitoring,
| as Google has just about every technical measure at its disposal
| to monitor apps for malware--and I'd venture to say that even its
| AI technology could be brought to bear.
|
| Clearly, if both issues aren't of equal importance in Google's
| eyes then it raises questions as to why Google keeps changing or
| adding certain features to its Android operating system in the
| name of security but which annoy users (and in effect violate
| their privacy--in that users' data, etc. are even more transparent
| to Google whether the user likes it or not).
|
| Day by day, Google is proving itself to everyone to be more of a
| worry.
|
| --
|
| Note: I'm one of those who have an app on my phone named
| _'Barcode scanner'_ and it took me a while to determine
| (fortunately) that the one I have installed is not the app in
| question.
| donio wrote:
| There is also a unique application ID string but unfortunately
| that's not displayed, probably in the name of "user
| friendliness". Just showing that in the play store alongside
| the app name would go a long way.
| hilbert42 wrote:
| Yeah, I know but most don't bother to check including myself,
| and that's the trouble. I'm reasonably careful but I've only
| just gone through the process with this app since this alert.
|
| You're right, displaying the fact would solve most things.
| The question is why such an obvious matter--which also would
| have been even more obvious to Google--wasn't enacted as
| such.
| drderidder wrote:
| My first ever mobile app was an experimental bit of Android
| Malware. It got demo'd by my colleague at Blackhat [1]. I'm
| definitely not a hacker, but with a few basic tricks I was able
| to create a pretty effective trojan which we then injected into a
| popular game (again only for experimental purposes, it was never
| released in the wild). In our lab we had literally millions of
| samples of Android malware, but for iOS we had only two (which
| only worked on jailbroken phones). Fun times.
|
| 1. https://www.softwaretalks.io/v/4047/black-hat-
| usa-2013-how-t...
| jk7tarYZAQNpTQa wrote:
| Apple's iOS is way more secure than Android in several aspects.
| The best example is their 5 years of guaranteed security (and
| features!) updates, versus 2-3 tops in Android (even <1 with
| Chinese cheap brands that are very common in Europe, such as
| Xiaomi).
| dbrgn wrote:
| I recently noticed that the "Barcode Scanner" app by ZXing
| (https://play.google.com/store/apps/details?id=com.google.zxi...)
| was being review-bombed with 1* reviews. People were talking
| about the "recent update", even though the last update is from
| February 2019. As far as I know, that app is open source and
| never contained ads. (Of course, without reproducible builds,
| we'll never know for sure.)
|
| Was ZXing also hit by some issue, or is that just confused people
| that mistook the ZXing barcode scanner for the Lavabird barcode
| scanner?
|
| In the comments of the article, someone wrote:
|
| > The Zxing project is the flagship open source barcode scanner
| project for many years, and the December 2020 build was infected
| with malware. That bad build has been removed, of course, but the
| damage to the project continues.
|
| Is there any further information on this?
| pieter_mj wrote:
| To be clear: "the December 2020 build was infected with
| malware" only refers to the lavabird barcode scanner and not
| other apps (that use ZXing library or not).
| lucioperca wrote:
| Probably the people responsible for the malware barcode scanner
| have other scanner apps in the game and are trying to prevent
| users of their app from installing the FOSS app and living
| happily ever after.
| dbrgn wrote:
| Yep, fake reviews by malware-ridden competitors was also one
| of my thoughts. But there's this motto "don't attribute to
| malice what can be attributed to stupidity".
|
| It could also be both of course.
| aasasd wrote:
| https://github.com/zxing/zxing/issues/1345
|
| The dev says the app hasn't been updated since 2019.
| [deleted]
| phendrenad2 wrote:
| Why is a barcode scanner app able to open a web browser and
| navigate to a page without user interaction (just by being
| installed)? That's the real question here.
| curt15 wrote:
| This is why Ubuntu's forced auto-updates policy for snaps is
| crazy.
| kevingadd wrote:
| Google Chrome extensions are like this too. Not a coincidence
| that they've had multiple identical incidents where extensions
| were sold to malicious third parties or had malware added in.
| [deleted]
| marcinzm wrote:
| Thinking about it, Apple seems like they'd have better dealt with
| this sort of issue in four ways:
|
| * Stricter review process to catch this preemptively
|
| * Stricter app isolation to limit impact without an explicit
| vulnerability
|
| * Longer maintained and more forceful operating system updates to
| minimize the number of phones running with known exploits
|
| * Likely removing/disabling app from phones and not just the app
| store
| mcpeepants wrote:
| I think you mean Google, but also noting that #4 is possible
| (supposedly) through Google Play Protect
| swiley wrote:
| Stuff like this happens on iOS all the time and everyone just
| ignores it because it's _mostly sandboxed._ Apple is terrible
| at stopping malware until it ends up in the news.
| ship_it wrote:
| Source? Or you just made that up?
| joshuaissac wrote:
| Here's an example of 18 such apps from 2019:
| https://www.wired.com/story/apple-app-store-malware-click-fr...
|
| Another from 2018:
| https://www.zdnet.com/article/top-mac-anti-adware-software-i...
| marcinzm wrote:
| The first didn't cause any user issues as I'm reading it
| except extra data usage. I don't think it even did it in
| the background but only when the app was running. So I
| wouldn't even call it malware. Unlike this Android app
| which showed ads to users outside the app.
|
| The second is Mac not iOS which had a much more relaxed
| security model.
| joshuaissac wrote:
| The article about the 18 apps says that the ads were
| running in the background.
|
| A Forbes article on the same incident also reports that
| data was exfiltrated from the infected devices:
|
| > the trojan [...] sent data from the infected device to
| an external command and control server.
| aq3cn wrote:
| I stick to the F-Droid Android app store. It asks developers to
| submit their code, which gets compiled by the F-Droid team. Apps
| with proprietary code are flagged.
|
| A few QR code apps from F-Droid:
|
| https://f-droid.org/en/packages/com.example.barcodescanner/
|
| https://f-droid.org/en/packages/com.secuso.privacyFriendlyCo...
| uzakov wrote:
| Additionally you can have two/three separate phones, linked to
| separate accounts for different purposes. I keep one phone
| separate for phone gaming.
| pieter_mj wrote:
| Same here. The first one is also installable from Google Play
| with a different package name however:
|
| https://play.google.com/store/apps/details?id=org.barcodesca...
|
| It also uses the ZXing library. It does not contain any
| tracking or ad SDKs per the Exodus report:
|
| https://reports.exodus-privacy.eu.org/en/reports/org.barcode...
| abrowne wrote:
| The second one too:
|
| https://play.google.com/store/apps/details?id=com.secuso.pri...
| benibela wrote:
| I once tried to get my app in F-Droid, but they refused,
| because they did not want to install the dependencies because
| the dependencies were too big. Turns out you cannot compile
| something without dependencies. I wrote my app in FPC/Lazarus
| to make a truly cross platform app that runs natively on
| anything from a Raspberry Pi to Windows 2000, and they did not
| like that tech stack.
| ignoramous wrote:
| Open source apps can absolutely have trackers in them. F-Droid
| isn't a security solution by any measure. I have inspected code
| of at least one popular "privacy" app that absolutely tracks
| its users out in the open (I mean, the code is right there on
| GitHub), yet I see repeatedly that app (and F-Droid) being
| touted as some elixir that fixes security and privacy for one
| and all. It doesn't. Don't place your trust in F-Droid apps
| blindly, and more importantly, refrain from blanket advocating
| F-Droid apps as a security / privacy panacea.
|
| What I do instead is monitor Android's traffic with a
| LittleSnitch-esque firewall and block all apps I don't use.
| Also, I've disabled auto-updates on non-essential apps. Only
| Photos, Maps, Chrome, and Firefox are allowed to auto update on
| my Android.
| higerordermap wrote:
| It's manually curated and generally flags such things as
| anti-features if found, and I'd believe them more than some
| tensorflow_script_to_detect_malware.py
| ignoramous wrote:
| I wouldn't depend on F-Droid or FOSS as a measure of
| security. Of course, I get that F-Droid is run by
| volunteers, but I hope no one is spreading the notion that
| the F-Droid apps are magically uber secure and private or
| anything.
| higerordermap wrote:
| I wasn't clear. What I said was comparative.
| rectang wrote:
| What open source gives you is an audit trail, which is
| helpful but not sufficient. You still need to be able to
| trace malicious code to actual individuals. Then you need the
| ability to punish those individuals, ideally through criminal
| prosecution.
| JeremyNT wrote:
| Were the trackers already labeled in F-Droid? They maintain a
| list of these anti-features for all apps. If not, when you
| reported your findings to F-Droid, did they flag the app as
| having trackers at that time?
|
| Nobody said blanket trust anything. F-Droid is a community
| project with a framework that allows for disclosing user
| hostile behavior in apps. By using it and paying attention,
| we can all make it even better - the exact opposite of
| Google, whose incentives do not align at all with these
| goals.
| krageon wrote:
| It would be more compelling if you actually mentioned what
| app you've found that's so naughty.
| marcodiego wrote:
| F-Droid flags apps that have known anti-features. Using open
| source software is a very significant security solution.
| epicide wrote:
| (F)OSS by itself is not a security solution. Largely
| because you can't "solve" security.
|
| There are plenty of insecure open source apps. To deny that
| would be to deny tons of security-related CVEs.
|
| Yes, open source software is easier to audit, but does
| nothing to a) make those audits actually happen (frequently
| enough), nor b) improve the quality of those audits.
|
| i.e. just because I have access to information does not
| validate that information. Work still has to be done.
| marcodiego wrote:
| FLOSS may have security vulnerabilities, just like any
| other software. An OSS android app which has no anti-
| feature flags on f-droid with intrusive advertisements or
| malware behavior, deliberately implemented by its own
| developer, is something I have never heard about.
|
| The same can't be said about 'free' (or sometimes even
| paid) proprietary apps from play store.
| schmorptron wrote:
| What app are you talking about specifically?
| ignoramous wrote:
| https://news.ycombinator.com/item?id=25492855 and
| https://news.ycombinator.com/item?id=25263876
| You-Are-Right wrote:
| why is nebulo not on fdroid?
| ignoramous wrote:
| It is on the main developer's f-droid repo:
| https://github.com/Ch4t4r/Nebulo#f-droid
| You-Are-Right wrote:
| I do like the fdroid review process - private repos do
| not have that.
| schmorptron wrote:
| ah, thanks!
| haspok wrote:
| Both recommended apps use the ZXing library. So it is a small
| world, and if someone takes over ZXing (assuming that it is not
| malicious right now), then all apps become infected. Otherwise
| no security and bugfixes, no improvements, no version
| upgrades... who knows how long this library will work?
| sloshnmosh wrote:
| Imagine if this app had opened the Chrome browser tabs to a
| specially crafted webpage that exploited a vulnerability in
| Chrome like the recent zero days in the V8 scripting engine.
| jboydyhacker wrote:
| We've built a QR Code and Barcode Scanner that is fully privacy
| compliant. It focuses on product search and providing local and
| online prices but the QR code Scanning is incredibly fast here:
| https://play.google.com/store/apps/details?id=com.biggu.shop...
|
| If you guys have any features you'd like to see in a stand alone
| QR code Reader, let us know.
| IgorBog61650384 wrote:
| The only reason this was detected was very overt behavior -
| opening ad popups. So I guesstimate for each one of these we have
| 10 that go undetected. This means the whole ecosystem is broken,
| as there is no reason this will happen only for updates and not
| for new apps as well. Apple's ecosystem is somewhat better, but I
| can't imagine they go through every line of code in each package,
| so most of their review is probably done with some combination of
| automatic static and dynamic analysis, and these can be fooled.
| The problem with both platforms is that they don't provide
| run-of-the-mill users the option of installing an effective
| firewall and security solutions.
| WA wrote:
| You probably overestimate Apple here. I'm pretty sure you can
| do a lot of fuckery with WebView, JavaScript and an innocent-
| looking API and feature flags in JS that gets swapped for bad
| behavior remotely after the review process is complete.
| ignoramous wrote:
| > _The problem with both platforms is that they don't provide
| run-of-the-mill users the option of installing an effective
| firewall and security solutions._
|
| Google does allow no-root firewalls on the Play Store which rely
| on VPN APIs. Here are some open source ones:
| https://www.reddit.com/r/androidapps/comments/jhtvn4/a_list_...
| m463 wrote:
| This happened on ios for me years ago.
|
| I had two apps that radically changed their business model
| (owner?) through updates with no recourse.
|
| I had an app called Gas Cubby, which let me locally - on the
| phone - keep track of all my vehicles. I could enter detailed
| information about each car such as year, make, model, VIN,
| insurance policy, gas purchases, oil changes and the like. It
| would tell you gas mileage and remind you of upcoming
| maintenance. One day, I updated the app and all my local data
| was uploaded to the cloud.
|
| Another app I updated was CamScanner from Tencent that
| basically did the same thing. Think of all the PDFs you scan
| going to their cloud.
| djrogers wrote:
| > This happened on ios for me years ago.
|
| Neither of the 2 scenarios you describe are even remotely
| what's happened here. Not sure how you got from 'malicious ad
| popups' to 'app added cloud feature'.
| vmception wrote:
| Yeah, this is one reason why I can't take mobile app
| end-to-end encryption, or client-side only, claims seriously. A
| single update at any time could undermine all of that.
|
| And secondly, they or an analytics package can just read
| everything client side and upload it to a server anyway.
|
| Doesn't matter if it's WhatsApp, or Signal, or some ProtonMail
| client if such a thing exists.
|
| I just don't use them with that assurance in mind, I use them
| for other things.
| Barrin92 wrote:
| >yeah this is one reason why I can't take mobile app end to
| end encryption, or client side only, claims seriously.
|
| If it's a large company like Facebook that values these
| products like WhatsApp at billions I trust them at least on
| this issue. I'm pretty sure they're not going to put junk
| third party malware for 50k into the WhatsApp client.
|
| This is mostly an issue for apps done by individual
| developers who have huge incentive to take these deals,
| like the barcode scanner in question.
| phone8675309 wrote:
| >If it's a large company like Facebook that values these
| products like Whatsapp at billions I trust them at least
| on this issue. I'm pretty sure they're not going to put
| junk third party malware for 50k into the Whatsapp
| client.
|
| Zuck: They "trust me"
|
| Zuck: Dumb fucks.
| kobalsky wrote:
| That's a one dimensional way to think.
|
| You may not be able to trust facebook with your privacy,
| but you can trust them not to install a malware that
| swipes your bitcoins.
|
| That being said, I despise the current state of affairs
| with cellphones. I don't like needing to trust any corp.
| I'm jumping to a Linux native phone when my current
| device dies.
| vmception wrote:
| They've been sideloading with React Native, allowing
| updates even for people without automatic updates
| enabled, and have abused enterprise/privileged developer
| keys which allows access to additional parts of the
| system. I just don't see how you can draw that
| conclusion.
|
| I use the apps for other things, not for any assurance of
| privacy.
| MrPatan wrote:
| I get what you're saying, but it's funny because what the
| dodgy small players do with the data is actually sell it
| to facebook. You're just cutting out the middleman here.
| krageon wrote:
| > I trust them
|
| You literally mentioned a company that betrayed trust so
| bad a government tried to call them to account.
| Barrin92 wrote:
| Are people capable of enough nuance to distinguish
| between issues that large tech firms are likely
| trustworthy on and issues that they aren't?
|
| When they stand to make billions from breaking my trust
| I'm sceptical. When they stand to make a penny and ruin
| their entire product, then no I'm not.
|
| The problem in question here, that rogue developers sell
| out their product to third parties, is not an issue that
| Facebook, Google etc have. They have every incentive to
| keep their software secure.
| vmception wrote:
| Your whole premise is based on a very arbitrarily low
| value of collecting your plain text data? From a company
| that is a machine built for monetizing this specific
| thing? And that they won't because their users care about
| trust too much, users of Facebook products but
| specifically WhatsApp? And you think the rest of us aren't
| compartmentalizing our issues with that company enough?
|
| This is.... I'm speechless, I ran out of words for this
| absurdity.
| krageon wrote:
| A betrayal of trust will not "ruin their entire product",
| we've already seen that it won't (no matter the scale).
| Believing a small betrayal to be worse than a big one is
| your right, but that doesn't mean it isn't naive.
| chordalkeyboard wrote:
| School tried to make me use CamScanner, glad I took the extra
| effort to do something else. Thanks for the anecdote.
| dotancohen wrote:
| I absolutely love CamScanner, and I have been on the old
| version for over a year because I refuse to update to the
| new version which requires network permissions. I suspected
| exactly this is why it needs those permissions.
|
| To what did you switch? CamScanner is otherwise an
| excellent app, especially for combining multiple images and
| straightening them out.
| radq wrote:
| Not OP, but I switched to using Microsoft Office Lens.
| chordalkeyboard wrote:
| I just continue to use the Brother scanner in the other
| room. I don't recommend Brother, they updated the
| software and somehow took away features.
| dotancohen wrote:
| Unfortunately the HP scanner doesn't fit into my meeting
| bag!
| curiousgal wrote:
| Adobe Scan is a solid option as well.
| dotancohen wrote:
| Adobe has lost my trust years ago, and I see that
| viewpoint vilified often enough to never use Adobe
| software again. The only Adobe product that I still use
| is Magento, and only that on client sites. I would love
| to find a non-Adobe alternative.
| karmahunting wrote:
| Try OpenScan, open source document scanner app...
|
| Source: I am a user
| dotancohen wrote:
| Thank you. Unfortunately, it seems that OpenScan does not
| have the feature to straighten out photographed
| documents. CamScanner has its own camera app, which has
| features specific to photographing documents.
| lioeters wrote:
| > One day, I updated the app and all my local data was
| uploaded to the cloud
|
| This happened to me with Chrome. It auto-updated, then
| automatically synced browser history, passwords, and who
| knows what else, to Google. They soon changed it to opt-in
| sync, but it was too late for me at that point; they had
| already hoovered up my personal data. That was when I stopped
| using Chrome and switched fully to Firefox.
| ChrisMarshallNY wrote:
| I've been writing apps for a long time. They are usually
| free/Tier 1 apps.
|
| A while back, I was approached by a [NATION OBFUSCATED]
| developer, asking to buy up one of my older apps (they are
| all open-source).
|
| I ignored the request, and reported the approach to Apple, as
| I'm sure that this actor has been doing the same for many
| other apps.
|
| This is apparently a common method for malware-slingers. They
| buy established, older apps, that they assume the developer
| has abandoned (I hadn't abandoned it, but it's a simple app
| that hardly ever needs tweaking. If I stop supporting an app,
| I remove it from the store).
|
| They then "update" the app, with a little "extra flavoring."
| flyinghamster wrote:
| I gave Slacker Radio the big heave-ho when they decided they
| wanted to help themselves to my contact list. They did that
| just before I was about to pony up for a paid subscription.
| Bullet dodged.
| zo1 wrote:
| CamScanner was a blatant bait and switch. When I first
| started using it, I paid for a license to get full
| functionality with no ads/watermarks/etc. Magically, years
| later I got reverted to the ad-supported/free version, and my
| license was nowhere to be found. This was at the same time
| they moved to "cloud features" and a subscription model.
| Their reviews are littered with people having the same issue
| and the developer copy-pasting some response that doesn't
| work.
| dotancohen wrote:
| I haven't had this issue with CamScanner, but I've had it
| with other apps. One outright disappeared from my library,
| as if I have never had it installed.
| rajveermalviya wrote:
| Can't Google remove apps like Rocket Cleaner, that participate in
| these ads?
| lini wrote:
| Not a good idea - I can pay for an ad for an app I don't like
| and it will be removed.
| jobigoud wrote:
| Apps and websites running ads they don't know about or don't
| vouch for is another problem. It's like a propaganda
| backdoor.
| ytjohn wrote:
| I was 100% impacted by this. I've used that barcode scanner app
| for pretty much forever. I can't be 100% certain, but it's one of
| the first apps I ever installed on my first android phone (around
| '08/'09). It was what I directed other people to since all the
| other barcode scanners had ads.
|
| Around the end of December I started seeing web page
| notifications after my phone had been locked for a while. I
| clear those and it goes away for a day or so. I originally
| attributed it to an open tab, or some site that I had
| inadvertently enabled notifications for. It took me a few days
| of seeing these and checking browsers to realize it was more,
| so I started checking apps recently installed. I even installed
| Malwarebytes to do a scan, found nothing. There were three
| recently updated, including barcode scanner. I opened that and
| Malwarebytes immediately flagged it. So the scanner seemed to
| know about it at that time, but couldn't detect it until you
| actually opened the application.
|
| I used to have Theft Aware before it got bought by Avast, and I
| tried Lookout some years ago. But it was this incident that
| finally convinced me to install and keep an anti-malware app on
| my phone. I've also disabled app updates from the Play Store.
|
| EDIT: Mine was by "The Space Team", not the one listed in the
| article. Seems like a number of barcode scanner apps were
| targeted recently.
| system2 wrote:
| Two words for you:
|
| Buy iPhone.
|
| I know some people hate Apple but these types of things never
| happen, or are so rare. I hear about Android malware very often
| though.
| enragedcacti wrote:
| Three words:
|
| Buy Nokia 3310.
|
| These types of things literally never happen.
|
| Or maybe people have a lot of reasons for why they chose what
| they chose and this isn't productive.
| jcun4128 wrote:
| Well... maybe Linux phones can catch up/have a market... at
| least code goes through the specific distro checks, e.g.
| Mobian if by apt
| davchana wrote:
| Were you using the app from the ZXing team
| https://play.google.com/store/apps/details?id=com.google.zxi...
| ? Because this app was last updated in 2018, has the generic
| name Barcode Scanner, & has attracted hundreds of reviews like
| yours saying the app was updated recently, & now causes web ads.
|
| For a counterpoint, I have also been using this app since 2016,
| have all apps on auto update, & have never received any web ad
| popup or notification because of this or any app.
| ytjohn wrote:
| The ZXing app is in fact the one I've had since "the dawn of
| android". But when I switched phones a couple years ago, I
| had apparently installed the one by the Space Team[1].
|
| It took me a bit of digging to make the distinction. I have
| both of them listed in my App Library, and both with the same
| name. At some point, I believe I went to install ZXing on a
| new phone and Android warned me that the app may be
| incompatible, so I went to the space team one. It makes sense
| that if people aren't looking directly in their app library
| that they can get these mixed up and leave the bad reviews.
|
| However, since the space team version got infected, I did try
| the ZXing app - no pop-ups, and it works just fine (despite
| the age warning).
|
| https://play.google.com/store/apps/details?id=com.qrcodescan...
| f430 wrote:
| So just to be aware, what was the root cause of this incident?
| Was it permission settings? How did it slip through the release
| process on Google Play, or is there none at all?
|
| What does this mean for other apps with overreaching
| permissions?
| ytjohn wrote:
| This app only had the basic permissions of camera and to open
| web links - pretty much exactly what you need to scan a QR
| code and open a web page. The software author (or more likely
| someone they sold it to) pushed a new version of the app that
| would just keep opening links to various ads.
|
| The key here is that the author had a properly working,
| trusted, non-invasive application for years and then they
| pushed an updated version that was less so. Fortunately, it
| was an app with minimal permissions - it could only open web
| pages. In my case, running uBlock, those pages came up blank.
| But for others not running an ad filter, they got pop-ups
| prompting them to install even more malware.
|
| As for Google Play release process, I can't speak on that too
| much. They do scan for malicious code, but this code may not
| be malicious enough. If part of an application's purpose is
| to open web links, more code that opens links would not be as
| noticeable. Apple has a more intensive process to review new
| apps, and they spot-check app updates, but it's going to be
| somewhat similar. We hear about Apple pulling existing
| applications all the time for random reasons, but it's often
| _after_ an update or report. Google pulled some of these apps
| after they were reported, but it was also after.
|
| I'm not defending Google Play - they have a more relaxed
| review process than Apple, relying more on automation. But
| both have "legitimate" apps pulled for obscure reasons (and
| the only recourse seems to be getting attention on
| HN/Twitter/other), and both have let scam apps through. Apple
| seems to catch more of the "bad" apps, but also drops more
| legitimate apps that compete with Apple's business interest.
| protoman3000 wrote:
| Even legitimate app developers have no incentive to keep their
| apps sterile. Someone just has to approach you with your 10+
| million user barcode scanner app and offer you $50,000+ in order
| to install some automated ad clicker for them.
|
| Don't be naive, the majority will accept the money and gladly.
|
| I believe that particularly makeshift applications such as
| barcode scanners are susceptible to this kind of takeover. Apps
| that offer what should have been offered by the OS vendor in the
| first place. Why should the app developer refuse the money if
| what their app offers will be incorporated in the next OS update
| anyway? Why defend your mini-adapter-app in an ocean of
| mini-adapter-apps, with yours becoming so large just because of a
| random seed and path dependency?
|
| This can have a big impact for end users. Imagine an
| authenticator app ending service to all their users in such a
| scheme and how you will be cut out from all your accounts by
| this. How many authenticator apps do you have to use in parallel
| to mitigate this risk of a single point of failure?
| wsc981 wrote:
| One or two years ago a Chinese guy contacted me asking me if I
| wanted to put an app or multiple apps on the AppStore for his
| company. In return I would receive 1,000 USD per month or so. I
| found this really suspicious, so I never accepted the offer. I
| also didn't want to risk getting banned by Apple for an offence
| like distributing malware.
|
| I wouldn't be surprised if there are app developers that
| actually do accept these kinds of offers though.
| dspillett wrote:
| _> Don't be naive, the majority will accept the money and
| gladly._
|
| I wouldn't accept it to sneak the change in, but I'd probably
| be perfectly willing to take their hand off and sell rights to
| the product. Assuming of course I didn't just delete the
| message assuming it was some sort of phishing scam or other
| rather than a genuine offer.
|
| I'd feel obligated to make it known that I'd done this, perhaps
| via a notification in the app prior to hand-over and in its
| README. Something along the lines of a normal change of
| ownership message (copyright has been transferred to X, contact
| them for further information, future official releases will
| come from their fork, of course existing open source releases
| remain open source even if they change licencing arrangements
| for future releases, yadda yadda). Though we all know how often
| people just click through notifications, so I'm not sure how
| much difference that would really make - so if I were a robot I
| might be considered culpable under the second half of the first
| law...
|
| If the buyer would walk away if I didn't agree to a more silent
| sale then I wouldn't touch it. It is a thin line that I won't
| cross, but still a line I like to think I wouldn't cross. Then
| again I have the luxury of being relatively comfortable at this
| point in my life (decent day job at a company which is
| weathering the current collection of world crises pretty well,
| the little flat's mortgage near paid), for many others out
| there the financial incentive would be _much_ harder to ignore.
| I'm not sure that I like that I wouldn't draw my line in a
| different place, but I'd be dishonest if I tried to claim that
| I would.
| krageon wrote:
| Most apps never need to be updated, problem solved. Especially
| stuff like barcode scanners, authenticator apps and other apps
| that I'd call phone infrastructure can just be static from the
| time of install.
| fendy3002 wrote:
| And then the app isn't working anymore due to a newer OS's
| breaking changes
|
| Or it's suddenly gone from the app / play store
| krageon wrote:
| If it's gone from the play store that doesn't matter, you
| have it installed.
|
| Breaking OS changes are a problem, it's true. Thankfully
| they basically never happen on phones (certainly if you
| have a phone that stopped updates ~4-5 years ago it will
| still work).
| fendy3002 wrote:
| It's true if you don't need to change device. In 3 or 4
| years (my usual device lifetime) many non-updated apps are
| no longer supported at the newer OS version.
| wodenokoto wrote:
| I think you are absolutely right about how easy it is to fall
| prey to lots of money for adding a simple payload.
|
| In the early days WordPress sold use of their domain to black
| hat SEO / spammers.
| II2II wrote:
| > Apps that offer what should have been offered by the OS
| vendor in the first place.
|
| The questions are: how do you decide what is necessary and how
| do you present it to the user? Different people have different
| needs and making every should have been feature visible ends up
| making every other feature less visible. That may be fine if
| you're developing software for a specialist who will take the
| time to learn a particular application which is relevant to
| them, but it's a drawback when you're creating software for a
| general audience since only a handful of enthusiasts will take
| the time to learn the software.
| dfxm12 wrote:
| _Apps that offer what should have been offered by the OS vendor
| in the first place._
|
| Bundling can be seen as bad in terms of competition [0], but it
| can also be good for the user experience. I wonder if these
| apps go unimplemented for fear of regulation. It might be silly
| to think of a barcode scanner (or other small utility) in that
| way, but, if the app is so silly, then is it really worth the
| risk (not just from regulation, but from having to deal with
| bugs)?
|
| 0 - https://en.wikipedia.org/wiki/United_States_v._Microsoft_Cor....
| iKevinShah wrote:
| > This can have a big impact for end users. Imagine an
| authenticator app ending service to all their users in such a
| scheme and how you will be cut out from all your accounts by
| this. How many authenticator apps do you have to use in
| parallel to mitigate this risk of a single point of failure?
|
| This right here is a big reason, apart from actual restorable
| backups, why I root my Android device. Sure it is not required
| nowadays but it does give a sense of control if that's the
| right word.
|
| So many times I had to restore older copies of apps like Chess
| or even Yoga app. The older apps allowed a functionality
| (downloadable content for offline view) which was straightup
| removed in newer versions.
|
| Same for Authenticator or any other app which does things
| locally.
| ce4 wrote:
| You can write down the code for all authenticator entries upon
| scanning the installation code with a barcode reader app for
| later reuse :) (I suggest using the F-Droid versions for both
| barcode reader and authenticator anyway to mitigate the issue)
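The backup ce4 describes above, as an added example that is not part of the thread and not code from any of the apps discussed: an authenticator enrolment QR code carries an otpauth://totp/ URI, and the only thing that has to survive a rogue update or a vanished app is the base32 secret plus its parameters. This script parses such a URI, rebuilds one for re-import, and regenerates TOTP codes per RFC 6238 (HMAC over a 30-second counter, dynamic truncation, modulo 10^digits). The sample URI is constructed here from the RFC 6238 test secret; the label "Example:alice@example.com" and issuer are made up.

```python
# Added example (not from the thread): keep the fields of an authenticator
# enrolment code so it can be re-imported later, and regenerate TOTP codes
# from the saved secret. Pure standard library, runs offline.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse


def parse_otpauth(uri):
    """Return the fields of an otpauth://totp/ URI as a dict (raises on other types)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    label = unquote(u.path.lstrip("/"))
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URI has no secret parameter")
    issuer = q.get("issuer")
    if issuer is None and ":" in label:      # issuer may also be a label prefix
        issuer = label.split(":", 1)[0]
    return {
        "label": label,
        "issuer": issuer,
        "secret": q["secret"].upper().replace(" ", ""),   # base32, no padding
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def to_otpauth(entry):
    """Rebuild an otpauth://totp/ URI from a saved entry so it can be scanned again."""
    params = {"secret": entry["secret"], "algorithm": entry["algorithm"],
              "digits": entry["digits"], "period": entry["period"]}
    if entry.get("issuer"):
        params["issuer"] = entry["issuer"]
    return "otpauth://totp/%s?%s" % (quote(entry["label"]), urlencode(params))


def totp(entry, at=None):
    """TOTP code for `entry` at Unix time `at` (current time if None), RFC 6238."""
    secret = entry["secret"]
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))  # restore padding
    counter = int((time.time() if at is None else at) // entry["period"])
    digest = hmac.new(key, struct.pack(">Q", counter),
                      getattr(hashlib, entry["algorithm"].lower())).digest()
    offset = digest[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** entry["digits"]).zfill(entry["digits"])


# Constructed sample: the RFC 6238 test secret "12345678901234567890" (ASCII),
# base32-encoded and wrapped in an otpauth URI as an enrolment QR code would be.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com?secret="
              + SAMPLE_SECRET + "&issuer=Example")

if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    print("backup line:", to_otpauth(entry))
    for t in (59, 1111111109, 1234567890):      # RFC 6238 Appendix B times
        print(t, totp(entry, at=t))
```

Writing the rebuilt URI (or just the secret) down on paper is the point: any TOTP app, from any store, can regenerate the same codes from it, so a single authenticator app is no longer a single point of failure.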
| HenryBemis wrote:
| > Imagine an authenticator app
|
| I will imagine that anyone who creates an authenticator is
| half-decent enough to NOT take that bribe and serve the greater
| good.
|
| I will also imagine that when people install authenticators,
| they would NOT trust one from HenryBemis but only from sources
| that they recognize (Google, Microsoft, Yubikey, etc.)
|
| It always amazes me how all smartphone OS creators switch
| every connectivity option to ON by default on every new app
| installation. It would take a user another 3-4 seconds per app
| installation to prompt the user whether they want this app to
| access Wifi/Data/Background/Roaming. In the same sense as the
| OS asks you whether you allow access to Calendar, Contacts,
| Camera, etc. At least half my apps on my Android do NOT need
| access to the internet to function. They may 'want', but
| definitely not need.
| mtrycz2 wrote:
| > It would take a user another 3-4 seconds per app
| installation to prompt the user
|
| Ah yes, I too remember FirefoxOS. Good times.
| TeMPOraL wrote:
| > _I will imagine that anyone who creates an authenticator is
| half-decent enough to NOT take that bribe and serve the
| greater good._
|
| Dear HenryBemis,
|
| As a CEO of TRC, I would like to extend you an offer to
| purchase source and distribution rights to your app,
| SummerChildAuthenticator, in the form of $500,000 (five
| hundred thousand US dollars). We are a fast growing SV
| startup that wants to make it easier for people to secure
| their papers and money on-line. We have developed a
| streamlined, easy-to-use, user interface for authenticator
| applications and are looking for a way to quickly put it in
| front of a wide audience. We believe that your
| SummerChildAuthenticator, with its established base of over
| 50 000 users, is the gateway we are looking for.
|
| If you are interested in this offer, please reply to this
| e-mail.
|
| Sincerely yours,
|
| TeMPOraL, CEO, TRC
|
| <smallfont>Temporal's Rackets and Cons is a startup
| registered in Southern Vescillo, Arstotzka.</smallfont>
|
| --
|
| You think to yourself: "this is a good deal! The app is
| unlikely to grow more, it isn't making you any money anyway.
| Here is this hot new startup with great ideas, what's the
| worst that could happen? They'll just inject an ad here and
| there. Meanwhile, I have medical expenses, and..."
|
| So you agree, and I take your app, and run a "growth hacking"
| campaign on Reddit to blow its userbase up to 500 000 people,
| and then proceed with my main business plan, which is selling
| access to OTP codes to the mob running phishing scams.
|
| (Oh, dear reader, you've noticed Arstotzka and thought I'll
| be selling data to evil government? Nope, we registered there
| only because it'll make it mighty hard for anyone to sue us.)
| HenryBemis wrote:
| I hear you.
|
| Any developer knows/understands if the offer comes from a
| legit source or scumbag. I cannot make other people's
| choices for them. My answer would be 'no' even for 100k,
| BUT I am in HN and I suggest people get off facebook and
| google because they are privacy nightmares (also certified
| in a couple of audit/security areas - so there's that). Btw
| I did have an app on Apple store, target audience was
| children (3-6 years old), it did OK, I just didn't have the
| time to keep it around (for the little revenue it was
| bringing). It worked 100% offline, no tracking, no ads, no
| nothing. I had a free version as a sample and the full
| version at $0.99. I chose to sell rather than help the ad
| beast grow bigger and track children more.
|
| But that is just me. $50k is a serious amount but it won't
| make me or break me. For some other parts of the world,
| where a monthly salary may be $200.....
| Silhouette wrote:
| Sadly, the permissions-by-default problem is not unique to
| Android. I bought a new iPhone a couple of years ago and
| spent _nearly an hour_ straight away just turning off all the
| junk I didn't want. That is now the way of the world, if all
| you want is a phone for communications and running a small
| number of essential apps because too many organisations now
| assume everyone will have a smartphone.
|
| I suppose I should be grateful that I can turn off a lot of
| permissions for apps at all these days, unlike the malware
| built into recent versions of the major desktop operating
| systems. :-(
| strictfp wrote:
| You cannot trust established players either. For instance,
| cheaper Samsung phones ship with a lot of shady software, as
| I found out helping relatives.
|
| And a lot of reputable software companies have sold out to
| peddling adware. Adobe is one, and there are a lot of others.
| Abandoned shareware or open source often resurface with
| adware installers.
| matkoniecz wrote:
| https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_root
| k...
|
| > When inserted into a computer, the CDs installed one of
| two pieces of software which provided a form of digital
| rights management (DRM) by modifying the operating system
| to interfere with CD copying. Neither program could easily
| be uninstalled, and they created vulnerabilities that were
| exploited by unrelated malware. One of the programs would
| install and "phone home" with reports on the user's private
| listening habits - even if the user refused its end-user
| license agreement (EULA), while the other was not mentioned
| in the EULA at all. Both programs contained code from
| several pieces of copylefted free software in an apparent
| infringement of copyright, and configured the operating
| system to hide the software's existence, leading to both
| programs being classified as rootkits.
|
| > on about 22 million CDs
|
| https://en.wikipedia.org/wiki/Superfish
|
| > The installation included a universal self-signed
| certificate authority; the certificate authority allows a
| man-in-the-middle attack to introduce ads even on encrypted
| pages. The certificate authority had the same private key
| across laptops; this allows third-party eavesdroppers to
| intercept or modify HTTPS secure communications without
| triggering browser warnings by either extracting the
| private key or using a self-signed certificate.
| nobodywasishere wrote:
| This is why I get all of these kinds of apps from F-Droid
| instead of the Play Store. Here's the QR code scanner I use:
| https://f-droid.org/en/packages/de.t_dankworth.secscanqr/
| hilbert42 wrote:
| Right, I'm an avid user of F-Droid and a large percentage of
| my apps come via this route. The trouble is that I have found
| that QR code scanners are very significantly different in
| both their feature sets and in their ability to recognize
| different barcode/QR code scans.
|
| That's to say:
|
| (a) The time for a given barcode to be accurately detected
| varies considerably from app to app.
|
| (b) And various apps have different detection capabilities
| with respect to one another (i.e.: the detection performance
| varies from app to app depending on the contrast across the
| barcode image, camera focus or lack thereof, etc.).
|
| (c) For a given app, the detection capability for different
| types of barcode scans can vary considerably.
|
| For that reason, I have five different QR scanners installed
| including SecScanQR that you've mentioned and the one with
| the same namesake as mentioned in this Malwarebytes article.
|
| It seems there's a great deal of variability in the detection
| algorithms between apps. Unfortunately, from my experience
| I've found that some of the commercial apps have better
| detection performance than those on F-Droid--but granted
| that's only from my limited testing. Which app I use
| sometimes depends on other features, for instance, the fact
| that it has a better database or export ability, etc. is more
| important than the fact that it's insensitive in the
| detection department.
|
| I wish someone with more knowledge and experience could give
| others and me the good oil on this. Reckon it'd save us
| considerable time experimenting.
| sp1rit wrote:
| Anything wrong with binary eye? https://f-droid.org/packages/
| de.markusfisch.android.binaryey...
|
| I'm very happy with it
| stonesweep wrote:
| Binary Eye can also be found on the Play store - I
| personally check to see if apps are on both to add a bit of
| confidence, it's not a negative if they're not but a
| positive +1 if they are co-listed when I'm deciding which
| widget to use.
| pcthrowaway wrote:
| I'm terrified of browser extensions for this very same reason
| (and yes, I still use them). I wish the browser vendors
| supported some kind of pinning to source code for open source
| extensions. Right now I have at least 2 extensions running that
| I know could access my passwords on any website as I enter
| them. One of those is Lastpass, which I use for
| storing/generating those passwords anyway, and the other is
| AdBlock Plus. Could other extensions access sensitive
| information? I'm not sure, but I hate not being able to see the
| source code of apps which need so many permissions.
| mafuy wrote:
| Re AdblockPlus, I can recommend Ublock Origin instead. The
| UBO developer (Raymond Hill) repeatedly chose ethical
| behavior over money.
| leonroy wrote:
| Alas the Great Suspender just fell prey to malware after its
| creator sold it off:
| https://news.ycombinator.com/item?id=25846504
|
| I think Apple have the right idea with app review on browser
| extensions for Safari.
| josho wrote:
| The other nice thing about Safari's approach is that for
| common extension functionality it is just a set of rules
| that are executed. So no malware can be run because
| extension code isn't actually reading the DOM. Nor does it
| have access to load remote resources.
| teddyh wrote:
| I hear that a lot of companies are doing unethical things.
| Maybe the government should only grant corporations to form
| which are headed by approved people?
|
| /s
| emayljames wrote:
| Not a bad idea, even if sarcastic.
| martin_a wrote:
| AdBlock Plus is owned by a company who is selling ads. Use
| uBlock Origin instead, please.
| martin_a wrote:
| To be more precise: You can pay them to get your ads listed
| as "acceptable ads" which will then pass the filter rules
| of ABP.
|
| Would be a real shame if some software would block your ads
| because you didn't want to pay, wouldn't it?
| mcdevilkiller wrote:
| Given the reputation of ABP, I'd be worried too.
| tonyedgecombe wrote:
| At least with LastPass you know they have a commercial model
| and reputation to incentivise better behaviour. If you
| download something that is free then that pressure doesn't
| exist.
| [deleted]
| asiachick wrote:
| Have you read their privacy policy? They lay out that they
| can spy on everything and share with anyone they want.
|
| You'd think if they were serious about privacy their
| privacy policy would just say "we spy on nothing and
| collect nothing and share with no one". 1password
| effectively has that privacy policy, lastpass does not.
|
| https://www.logmeininc.com/legal/privacy/us
|
| https://1password.com/jp/legal/privacy/
| oauea wrote:
| > I wish the browser vendors supported some kind of pinning
| to source code for open source extensions.
|
| Chrome used to. You used to be able to just download the
| source code of an extension, point Chrome at it, and done you
| are.
|
| Well, you still can. But Chrome will CONSTANTLY nag you about
| it and try to forget you added that extension using source,
| like it's some vile crime.
|
| They removed it because of "security", which is a hilarious
| reason because it just made everything so much worse.
| bjarneh wrote:
| > Apps that offer what should have been offered by the OS
| vendor in the first place.
|
| This is really it. The Google/Android team have already made
| the "Zebra" library that actually reads barcodes; why on earth
| do they not include this as a standard app. Instead we get this
| myriad of different barcode scanner apps with all sorts of
| harmful features. All the heavy lifting is done by the Android
| team anyway (the actual barcode scanning).
|
| To make matters worse, scanning a barcode when you enter a
| store/cafe (to register your location), is now being done
| everywhere in order to track potential covid19 spreaders. This
| forces anyone without an iPhone to install at least one of
| these potentially harmful apps.
| emayljames wrote:
| On last point, Firefox/Chrome and derivatives have scanning
| built in. It would be very simple to have an app that links
| to Chrome.
| loufe wrote:
| A great argument for installing F-Droid in my eyes.
| TrianguloY wrote:
| The issue is not having a default app or not, the issue is
| having a qr reader external service.
|
| Imagine you are an app developer of a really simple app that
| takes a number and tells you if that number is in a valid
| phone format or not. You have a textbox, the user enters it,
| you do the checking and display the result. Easy. Now imagine
| you want to allow scanning a qr which contains a number, to
| do the checking afterwards. You need to either ask your users
| to use an external app to scan and then open yours, include
| all the qr related library inside yours, or use a special
| intent from a third party app (that the users need to have
| already installed).
|
| The first solution is slow and inconvenient for users, the
| second is what almost all apps do, but then the code logic is
| duplicated in all of them (with the increase in app size).
| The third option is the best, both for the developer and for
| the user, however there is no official qr service so in the
| end this is basically option 1.
|
| I mean, you already have a service to get a picture, a file
| and a contact, among others (you don't need to include all
| the code, simply do a call to the respective intent and wait
| for the result) so why not extend this with the qr too?
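The third option from the comment above (delegating the scan to a separately installed scanner through an intent, with no barcode library bundled into the app), as an added Kotlin example that is not part of this thread. It assumes the ZXing "Barcode Scanner" intent action as the external service, and the phone-number check is a hypothetical, simplified one.

```kotlin
import android.app.Activity
import android.content.Intent
import android.os.Bundle
import android.widget.Toast

// Example app from the comment: accept a number and say whether it looks like a phone number.
// Scanning is delegated to whichever installed app handles the ZXing SCAN action.
class PhoneCheckActivity : Activity() {

    companion object {
        // Intent action and extras published by the ZXing "Barcode Scanner" app.
        // Assumption: that app (or another handler of this action) is installed on the device.
        private const val SCAN_ACTION = "com.google.zxing.client.android.SCAN"
        private const val SCAN_MODE_EXTRA = "SCAN_MODE"
        private const val SCAN_RESULT_EXTRA = "SCAN_RESULT"
        private const val SCAN_REQUEST = 0x5CA1

        // Hypothetical, deliberately simple E.164-style check: optional '+', 8 to 15 digits,
        // no leading zero. Scanned content is untrusted input, so it is validated before use.
        private val PHONE_RE = Regex("""^\+?[1-9]\d{7,14}$""")

        fun isValidPhone(text: String): Boolean = PHONE_RE.matches(text.trim())
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        requestScan()
    }

    private fun requestScan() {
        val intent = Intent(SCAN_ACTION).putExtra(SCAN_MODE_EXTRA, "QR_CODE_MODE")
        // Confirm that some app handles the action before asking for a result; otherwise
        // startActivityForResult throws ActivityNotFoundException. On Android 11 and later
        // the manifest also needs a <queries> entry for this action, or resolution returns null.
        if (intent.resolveActivity(packageManager) == null) {
            Toast.makeText(this, "No QR scanner app installed", Toast.LENGTH_LONG).show()
            return
        }
        @Suppress("DEPRECATION")
        startActivityForResult(intent, SCAN_REQUEST)
    }

    @Deprecated("Deprecated in Java")
    override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
        super.onActivityResult(requestCode, resultCode, data)
        if (requestCode != SCAN_REQUEST) return
        if (resultCode != RESULT_OK || data == null) {
            Toast.makeText(this, "Scan cancelled", Toast.LENGTH_SHORT).show()
            return
        }
        // The scanner returns the decoded text in SCAN_RESULT; treat it as untrusted.
        val scanned = data.getStringExtra(SCAN_RESULT_EXTRA) ?: ""
        val msg = if (isValidPhone(scanned)) "Valid phone number: $scanned"
                  else "Scanned text is not a phone number"
        Toast.makeText(this, msg, Toast.LENGTH_LONG).show()
    }
}
```

The app never touches the camera itself, so it needs no camera permission and no copy of the decoding code; that work, and its attack surface, stays in the scanner the user chose.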
| codazoda wrote:
| On android (and I think iPhone too) you can scan barcodes
| with the camera app. It's not obvious, but I learned this
| from servers this year.
|
| When we sit down they just say, "use your camera app to scan
| the barcode". It seemed to work for everyone at the table.
| Samsung, Pixel, and iPhone.
| UncleMeat wrote:
| "Google creates barcode scanning app, replacing popular app
| with 10m+ downloads".
|
| Platform providers are also criticized when natively offering
| features that apps offer. You sort of can't win.
| chii wrote:
| the platform should accept the criticism, because it
| doesn't hurt them. they have no feelings.
|
| People doing low effort apps can only just whinge when the
| floor shifts under them. I have no sympathy - they just
| need to adapt and improve, and create new value to sell.
| bjarneh wrote:
| There probably could be some backlash, but it would be easy
| for Google to brush this off by listing harmful features
| they removed in the process.
|
| They have done more drastic things in the past. They have
| even removed apps entirely from Android phones due to very
| harmful features, and nobody cared when they heard about
| the horrid things these apps did in the background.
| EdwardDiego wrote:
| > To make matters worse, scanning a barcode when you enter a
| store/cafe (to register your location), is now being done
| everywhere in order to track potential covid19 spreaders.
| This forces anyone without an iPhone to install at least one
| of these potentially harmful apps.
|
| Our (New Zealand) Covid tracing app scans QR codes itself.
| What jurisdictions are requiring to scan an arbitrary QR code
| using random apps?
|
| https://www.health.govt.nz/our-work/diseases-and-
| conditions/...
| ryandrake wrote:
| What do people without smartphones do?
| bjarneh wrote:
| Is there anything you guys in New Zealand haven't done
| better during this pandemic? :-)
| bbarn wrote:
| "Better" is certainly a point of view here. Having to
| tell the government all of your whereabouts when you
| already live on an Island with no spreading is an
| overreach, IMO.
| Ensorceled wrote:
| The 21,000 dead here in Canada would like to argue that
| it is much, much better but, well, they can't.
|
| I literally can not believe you are arguing it's not
| better.
| logicchains wrote:
| Believe it or not but not everybody believes that human
| rights like privacy are always optional when lives are at
| stake. Ever heard of the phrase "the end doesn't justify
| the means"?
| adriancr wrote:
| exactly, how are you going to visit the mistress(es) if
| government tracks everything and eventually will be
| leaked? (a bit of sarcasm but the point stands, privacy
| shouldn't be optional)
| emayljames wrote:
| What about the human rights of the people on death's door?
| I'd say they take precedence over being upset about sharing
| your location.
| leesalminen wrote:
| https://fallacyinlogic.com/the-appeal-to-emotion-fallacy-
| wit...
| 2muchcoffeeman wrote:
| We have a similar system in AU. It's not really enforced
| all that well. But most people cooperate and life is
| generally back to normal. You also only need to do it in
| enclosed areas like shops. Mask wearing is still
| mandatory on public transport.
|
| Unfortunately very low cases doesn't mean the virus is
| gone. Occasionally there is a case and if you want to
| clamp that down as fast as possible, you need contact
| tracing. Which means we need to know where you are.
|
| For most people, no extra information is being leaked.
| Facebook and google already know where they are and they
| are far more malicious than the AU or NZ government. The
| tin foil hatters like you can take extra measures I'm
| sure.
|
| The US has over 25 million cases and over 400k dead.
| That's literally the entire population of Australia
| infected. So I'd argue that NZ and AU are objectively
| better and we shouldn't worry about "overreach" just yet.
| bjarneh wrote:
| Well, when the users already give the government access
| to their location 24/7 with that app, at least they
| include a barcode/QR scanner.
|
| But privacy is clearly one of the victims of this
| pandemic. At least some countries are now opening up the
| source-code of the front and back-end of their apps. They
| had to do that here in Norway (they had to replace the
| whole app actually) when the original closed source
| version was demonstrated to contain harmful features...
| tialaramex wrote:
| The New Zealand government doesn't learn "all your
| whereabouts" by default. The app is storing _locally_
| what it has learned about places you visited by scanning
| QR codes, and comparing that to information it is being
| sent over the Network (by the government) to discern if
| you went anywhere that the government says warrants
| special action - if so you get notified.
|
| For most Kiwis this means a bunch of QR code data is
| stored on their phone and, months or years from now when
| the emergency is over (depending on how incompetent other
| countries are) that data is deleted. There is no NZ
| department of health MySQL database full of geo data of
| every New Zealand citizen and never will be.
|
| If you're a case (remembering that New Zealand has
| elimination, so rather than cases being millions of
| people as in the US for example, they're very rare) then
| you can choose to help the contact tracers by giving them
| your data and in that case they do get all the data
| because you gave it to them. Because New Zealand has
| elimination contact tracing is something done by a
| handful of experts.
|
| I would guess that like most countries New Zealand's
| contact tracing experts worked previously with sexually
| transmitted infections - so they already understand the
| sensitivity of this work. COVID-19 is actually less
| awkward, because at least you don't have to admit to
| fucking somebody you claim you're not sexually attracted
| to, just that you were in the same room as them for a
| period of time.
|
| But of course none of what I wrote above matters much
| because those are merely facts, and for so many Americans
| mere facts can't oppose a Truth they have become certain
| of despite all evidence to the contrary. Not that Mother
| Nature gives a damn whether you believe her.
| jessaustin wrote:
| I'm glad NZ chose to develop the app the right way, but I
| certainly wouldn't expect any American government to do
| that.
| shaoonb wrote:
| I recall back in the early days (before NZ Covid Tracer was
| released) we had the same system where every shop had a QR
| code that linked to its own guestbook type website.
| [deleted]
| sundvor wrote:
| My S21 Ultra has a QR scanner built in, but no barcode. Are
| the old ones still used for such purposes? I've only seen QR
| codes used for eg contact tracing.
| sssk wrote:
| While Google Lens does the job for the most part, we created
| a free privacy minded security first app -
| https://dhiway.com/seqr/ This app plugs in to Google's anti-
| malware lookup service to flag harmful content from making it
| to the device.
| miohtama wrote:
| Patents
| teekert wrote:
| Yeah, it's always in the flashlights, the barcode scanners,
| the background packs. They all address super basic
| functionality that many, many people seem to want (if I could
| just set a ringtone from YouTube, it'd save me from going
| through a bunch of shady apps, if I ever needed a ringtone
| that is). Yet they just aren't included in the base OS (or
| weren't always, my lineage OS has a flashlight currently).
| Therefore, they offer very low hanging fruit (super simple
| app, one can hardly ask money for it, so how does one make
| money?)
|
| I heard from a friend that iOS has TOTP and indeed a barcode
| scanner built in, same goes for cal/carddav. To be fair, my
| wife's Pocophone also comes up with a QR-code icon when the
| cam detects a QR code. And, FireFox for mobile has a QR code
| scanner built in (although since I now have to open a new tab
| for each new page and I end up with many many tabs of the
| same 4 websites I find myself using FF less and less).
|
| Maybe the experience on Pixel Phones is better? GCam makes a
| lot of difference in many aspects.
| bjarneh wrote:
| > Yeah, it's always in the flashlights, the barcode
| scanners, the background packs.
|
| Why are Google afraid to release a free non-harmful version
| of those popular apps? Is it to keep the illusion the app-
| store is a vibrant market place where tons of developers
| get rich? It just seems nuts to allow all those harmful
| apps (that do virtually nothing) to float among the top
| downloads.
| mschuster91 wrote:
| > Why are Google afraid to release a free non-harmful
| version of those popular apps.
|
| Fear of anti-competition lawsuits and complaints. They're
| seeing what happens when Apple integrates stuff into iOS
| / OS X core that previously were third party provided, or
| the flak that Amazon gets for pushing AmazonBasics
| products.
| asiachick wrote:
| QR scanning is already built into the camera app. So, no,
| this has nothing to do with integration, it's already
| integrated.
|
| Those QR code scanner apps are basically taking advantage
| of people not knowing they don't need one.
| bjarneh wrote:
| > Fear of anti-competition lawsuits and complaints.
|
| They could just create an open source variant that
| suddenly shows up top when people search for QR or
| barcode scanner. It would be in their best interest, and
| it would not violate any anti-competition laws, nobody
| can demand to see how these apps are ranked I guess?
| 2muchcoffeeman wrote:
| Manipulating the search results so blatantly? How are
| they going to do this without generating more criticism?
|
| It's better to bake it into the OS and push an update.
| But then you'd have to get an OS update to heaps of
| phones.
| bjarneh wrote:
| > How are they going to do this without generating more
| criticism?
|
| From the people who make those crummy apps; criticism
| surely cannot hurt Google all that much?
|
| > But then you'd have to get an OS update to heaps of
| phones.
|
| That's not a viable option, this requires tons of work
| from OEMs that Google would have to pay for. I've rarely
| ever gotten any OS updates at all on Android - apart from
| my latest phone. But I think the only reason I get OS
| updates now is due to the fact that Nokia just ships
| stock Android under the "android_one" brand.
| jefftk wrote:
| _> Why are Google afraid to release a free non-harmful
| version of those popular apps._
|
| They already did; these have both been built-in for
| years. The flashlight was added in Android 5.0
| (https://www.androidauthority.com/android-5-0-lollipop-
| offici... I'm having a harder time figuring out when the
| barcode scanner was added, but my phone does it
| automatically in the camera app now.
|
| (Disclosure: I work for Google, speaking only for myself)
| bhaile wrote:
| I think it was announced in Google I/O 2018 but here is a
| link [1] talking about it in fall 2018.
|
| [1] https://medium.com/turunen/built-in-qr-reader-on-
| android-696...
| bjarneh wrote:
| > these have both been built-in for years.
|
| If Android has a built-in QR scanner now, that must be
| something that came with Android 11, but September 8 2020
| cannot qualify as "for years". It takes a while for OEMs
| to catch up as well.
|
| There are certainly Android phones that ship with this
| feature (QR-scanner), but stock Android 10 does not.
| (Google lens != Standard Photo app).
|
| If you know about it, you can start "Google lens" app,
| but that app does not even come up as a suggestion when
| you type QR scanner into the play store. I.e. even when
| you have a QR scanner available on your phone, you
| wouldn't know unless you somehow knew about "Google
| lens".
| jefftk wrote:
| I have a Pixel 3a, and I'm pretty sure it's done this
| since it was new (Spring 2019). I also thought my
| previous phone (Pixel 1) did it, though I don't have it
| anymore and can't check.
| yodelshady wrote:
| FWIW I've not had an Android phone lacking a flashlight
| in the OS since... ever, I think. At a guess, the apps
| are preying on customers not aware of the OS-level
| functionality.
|
| QR scanning seems a little more complicated. FF for
| Android integrates a QR scanner, but chrome does not.
| Google's default camera also opens links, _if_ you allow
| Google Lens.
| dpwm wrote:
| About four years ago, when I had a low end Android phone,
| some kind of "make the screen white" app was really
| useful.
|
| I remember the play store being scary but I think there
| was something in fdroid.
|
| I am not so sure on this, but I do not recall my nexus 5
| having flashlight in the OS.
| Naracion wrote:
| I have a Nexus 5, and I can confirm the flashlight is
| available in the system tray icon. This is true for all
| Google phones since at least Nexus 4. It is my
| understanding that AOSP as well as Google's Android
| implementation has always exposed access to the
| flashlight hardware (although somebody mentioned this not
| being the case with Nexus One).
| [deleted]
| MisterTea wrote:
| > (if I could just set a ringtone from YouTube, it'd save
| me from going through a bunch of shady apps, if I ever
| needed a ringtone that is)
|
| I don't like that example of utilitarian because it fights
| the youtube platform which does not want you downloading
| videos. Anything that sidesteps some sort of security fence
| or functionality is shady to begin with; even if you think
| it's fair use. Plus there's the whole copyright minefield.
| xorcist wrote:
| > they just aren't included in the base OS
|
| Both a QR-capable camera and a flashlight in the
| notification bar are in all my Android phones, and they've
| been for a very long time. I know the Nexus One didn't
| include it, but those will have problems with modern TLS
| anyway.
|
| The problem is likely elsewhere. It wouldn't surprise me if
| many of these users are tricked into installing these apps.
| It is quite popular for malware to disguise itself as a
| legitimate app as to not raise suspicion.
| Nightshaxx wrote:
| I have a Pixel but I don't have QR scanning built in to
| the camera. It was at one point built into the "google
| vision" thing, but I haven't seen it in the UI for a
| while.
| thatguy0900 wrote:
| In a very google move, Google goggles was rebranded as
| Google lens and the Google goggles app stopped doing
| anything. As far as I know Google lens still does
| everything goggles did, including bar code/qr codes.
| ProZsolt wrote:
| You just have to point to a QR code and it will
| automatically scan it.
| mynameisvlad wrote:
| Discoverability is just as much an issue as feature
| including. If you have to go into a special QR mode
| (which a lot of cameras did), you're never going to use
| the feature, and it's hard to break those mental models
| if the feature gets silently added in later iterations;
| you're always going to remember that first encounter
| where something didn't work seamlessly.
| flyinghamster wrote:
| Indeed it is. It wasn't at all obvious on my phone that I
| could put a flashlight toggle on my notification bar, so
| for a long time I still kept the old Motorola DroidLight
| app, which, despite being unmaintained for a very long
| time, worked beautifully.
| sunnyam wrote:
| Yeah, on Pixel phones you can just scan the barcode from
| the camera app, or from Google Lens
| machrider wrote:
| I just tried the camera app with a QR code (on a Pixel 5)
| and nothing happened.
| vel0city wrote:
| It's provided by Google Lens suggestions, so you'll need
| to have that enabled in the Camera settings for it to
| appear. It also seems a little slow sometimes, give it a
| few seconds for it to show up a small suggestion bubble
| at the bottom of the viewfinder.
|
| I'm using Google Camera version 8.1 on a fully updated
| Pixel 4a and it works for me.
| ceejayoz wrote:
| Same on iOS; the camera will recognize QR codes and offer
| to open.
| spurgu wrote:
| Yeah the problem I think is other vendors implementing
| their own camera apps _without_ this feature.
| pmontra wrote:
| My Android 10 phone from Samsung has both the flashlight and
| the QR code scanner icons in the drop down notification bar.
| I don't know if it is a standard Android feature or something
| from Samsung.
| kevingadd wrote:
| It's Samsung, though many other vendors also offer it.
| mcv wrote:
| OnePlus seems to have the QR code scanner built into its
| standard camera app. And the flashlight into the setting
| shortcuts. Very convenient, and perhaps necessary,
| considering all these app stores becoming malware vectors.
| Chris2048 wrote:
| There should probably be a "standard apps" project, similar
| to prog-langs "standard library" - sponsored by goog et al
| but not owned by it, and heavy on security and
| standardisation.
|
| What do you reckon would be included?
|
| - barcode scanner
| - auth app
| - calculator of some kind
| - wifi management, dns/network/firewall management
| Shorel wrote:
| My Android phone has the barcode scanner app built in.
|
| Also FM Radio, screen recorder and IR remote control.
| finithic wrote:
| Wow great phone what is the model
| Shorel wrote:
| It is this one:
|
| https://www.gsmarena.com/xiaomi_redmi_note_9_pro-10217.php
| manderley wrote:
| My Moto G8 Power (G Power in the US) Android phone has it as
| part of the Camera app; when you point the camera at a code,
| a small bubble will pop up at the bottom allowing you to
| follow the link/see the content.
| cormacrelf wrote:
| The same is true of things like Instagram, where they have
| made downloading an image so difficult that people install
| malware purporting to be able to do it all the time. Pretty
| huge vector.
| captn3m0 wrote:
| It is 2021 and Android still doesn't have a QR code scanner
| by default.
| welly wrote:
| I don't know if it differs from various vendor releases of
| android but certainly on my Samsung S20, QR codes can be
| read without an additional app just by pointing the camera
| app at one. I seem to recall my Pixel XL did the same.
| perryizgr8 wrote:
| Samsung phones have it in the camera, so I guess most
| Android users do have a barcode scanner built-in.
| captn3m0 wrote:
| Why are Android users installing all these apps then? htt
| ps://play.google.com/store/search?q=QR%20scanner&c=apps&h
| ...
| jabroni_salad wrote:
| Personally, when I installed the app, there wasn't one
| built in. I just still had it lying around.
| magicalhippo wrote:
| My Samsung has a built-in QR scanner, which I found out
| by accident.
|
| I downloaded an app for it because it never crossed my
| mind it would be built into the camera app. After all I
| don't want to take pictures of the QR code, I want to
| decode it...
|
| No idea when it was introduced. I've had an S3, S5 and
| now an S8 where I discovered it by accident last year.
| Pretty sure the S3 didn't have it.
| meibo wrote:
| Because most Android users don't know about Google
| Lens/their camera app and google "Barcode Scanner app"
| when they get their phone.
| artifact_44 wrote:
| the camera app scans qr codes on my pixels.
| captn3m0 wrote:
| Limited to certain phones. Otherwise, how do we explain
| millions of installs on QR code apps?
| [deleted]
| martyvis wrote:
| Actually they do if they have Google Assistant, which I
| imagine anyone with Android 7 or later will. If you use the
| Google Lens feature it will decode barcodes and QR codes.
| But unfortunately this feature is pretty much
| self-discovery rather than a publicised function
| captn3m0 wrote:
| It isn't obvious, needs Lens installed, which needs
| Internet to work properly.
| varispeed wrote:
| Not everyone wants to use more spying software.
| sdefresne wrote:
| The stock Camera app on my Android phone recognises QR
| codes. This is on Android 11 on a Pixel 3. I think this has
| been the case for a few versions of the OS (but don't have
| access to old versions to check).
| simias wrote:
| Google lens does it, is it not part of stock android? My
| phone runs Android One, so I think it's all stock but I
| could've missed a subtlety.
| captn3m0 wrote:
| Lens isn't AOSP, so it gets different treatment depending
| on your manufacturer.
| danielsamuels wrote:
| It's built into the camera app
| pjc50 wrote:
| There is no "the camera app"; the manufacturer often
| provides their own. It may well be in recent versions of
| GCam, but quite often it requires you to bail out to
| Google Lens for some reason.
|
| Android is like Forrest Gump's box of chocolates: you
| never quite know what you're going to get. And sometimes
| it's stale.
| m-p-3 wrote:
| The ability to read QR codes should be added to Android's
| Compatibility Test Suite (CTS) default camera app, this way
| vendors would need to ensure their camera apps are all
| equipped with this if they want to ship with Google Play
| Store.
| Chris2048 wrote:
| > Imagine an authenticator app ending service
|
| Imagine the Android version of Google Authenticator having no
| way to export data to the iPhone version...
|
| Oh wait...
| oauea wrote:
| > How many authenticator apps do you have to use in parallel to
| mitigate this risk of a single point of failure?
|
| Just one, together with alternative forms of 2 factor auth,
| such as a Yubikey (U2F token) or printed backup codes.
| varispeed wrote:
| > Apps that offer what should have been offered by the OS
| vendor in the first place.
|
| Wouldn't that be anti-competitive? Similar situation when
| Microsoft was including IE on their system that made them a
| quasi monopolist with subpar product. I'd rather have Google
| having stricter rules when it comes to malware.
| protoman3000 wrote:
| You're right. How dare Microsoft abuse their monopoly and
| ship Windows with a clock in the taskbar!
|
| And why stop here? We should open the market for TCP
| implementations. The status quo is anti-competitive and
| stifles innovation!
| fogihujy wrote:
| > And why stop here? We should open the market for TCP
| implementations.
|
| _Re-open_. There were, indeed, commercial TCP/IP stacks
| available for various operating systems until the operating
| systems started including them.
|
| If we do a comparison with the browser situation, then it
| would be quite sufficient to allow people to install 3rd
| party TCP/IP stacks. Does Microsoft prevent that? I
| honestly don't know myself since I don't really use
| Windows. :D
| pjc50 wrote:
| I'm just about old enough to remember the versions of
| Windows which didn't ship with TCP and you had to install
| "Trumpet Winsock" to get on the Internet. This was silly.
|
| The key to understanding the browser case is that, as MS
| wanted it, it would have tied client and server and rich
| application development together, all of which would have
| necessitated Windows. IE was a threat because of ActiveX.
| fogihujy wrote:
| It wasn't silly. It was third-party software which
| provided functionality that the OS simply lacked.
| asiachick wrote:
| Agreed, I lived through those times. TCP/IP was not a
| thing, until it was. There was no reason for it to be in
| the OS until it actually became popular and therefore
| useful.
|
| I used various competing systems before that in
| Windows/DOS
| bbarn wrote:
| Funny how Microsoft's including a useful tool for, you know,
| getting on the internet, with their OS was the subject of
| an anti-trust suit just a few decades ago and now it's ok
| to force users to purchase all apps from the Apple store,
| which takes 30% from every company wanting to sell an app
| on iOS.
| Ensorceled wrote:
| Anti-trust has many fewer teeth than it used to.
| qwertox wrote:
| I wish Google would inform the users when they remove an app from
| Google Play due to it containing malware. I'm not sure if they
| also remove it remotely from the devices, I think they don't,
| because I once had an affected file explorer which then got
| removed from Google Play but not from my device.
|
| The same goes for Chrome Extensions which have been removed from
| the Chrome Web Store. In that case, they get removed
| automatically from the browser, which is somewhat ok. I would
| prefer that they would get disabled without me being able to
| enable it again, and get labeled as malicious. Because how else
| can I verify that I once installed an extension or an app which
| then turned malicious?
|
| Currently I know that either one of my or my dad's devices has
| something malicious on it, because I got an HTTP GET request to a
| URL whose full path is only known to our devices (and only via
| HTTPS).
| [deleted]
| mickotron wrote:
| Binary Eye is a QR scanner for android that is open source, and
| available on Google Play and F-Droid.
| est31 wrote:
| I don't get why no barcode scanner app is shipped with Android.
| It's such a basic functionality. Edit: apparently it IS shipped
| on iOS and at least my Lineage OS default camera app has a QR
| code reader too.
| wiml wrote:
| My boring AndroidOne phone does. If there's a clear QR code in
| the field of view of the camera app it'll recognize it.
| the_only_law wrote:
| I don't think my past two phones (one Android, one iOS) have
| built-in QR scanning, or at least it's not very discoverable.
| No fun to have to find something in an App Store when it all
| looks like 7 year old malware.
| [deleted]
| srgpqt wrote:
| You can point the builtin Camera app on iOS to any QR code,
| it will pick it up just fine.
| astura wrote:
| Same with Android
| other_herbert wrote:
| Try your plain camera... this seems like such a hidden anti-
| feature though... no one I know has tried just the camera
| shadowofneptune wrote:
| I discovered this week when fooling around with QR code
| makers that the Android camera app, at least the one
| released on Samsung phones, does not read QR codes. That
| was very surprising to me.
| lstamour wrote:
| On iOS, you can use the Camera app on your iPhone or enable
| the Code Scanner button on the Control Panel:
| https://support.apple.com/en-ca/guide/iphone/iphe8bda8762/io...
|
| It would be interesting if Apple added support articles or
| how-to videos for built-in features to their App Store search
| results though...
| renewiltord wrote:
| Switch to Google Lens in the Camera app. It's way less reliable
| but it usually gets the job done.
| usr1106 wrote:
| What do you mean by way less reliable?
|
| While Google will not start any overly obnoxious ad-serving,
| who tells you they will not upload all or a bit more
| stealthily some pictures for some AI user profiling thingie?
| Cannot happen? They collected WiFi access points when doing
| Streetview back when their motto was "Don't be evil".
| renewiltord wrote:
| Sometimes it decides that I'm actually searching for
| pictures of QR codes and gives me Google Search results for
| similar pictures of QR codes, which is kind of useless.
|
| As for the second part, that's your personal risk tolerance
| so I'm going to leave that to you. Google is generally a
| high-trust brand in America, so most people will find the
| risk tolerable. If you don't find it tolerable, you
| shouldn't use it.
| prof18 wrote:
| The problem is that not all people know that. And I
| don't know why Google does not "advertise" it.
|
| Anyway, for my parents' old phone I built a simple QR
| Reader without any crap. If you need one ->
| https://play.google.com/store/apps/details?id=com.prof18.sec...
| lucioperca wrote:
| I stopped using apps from companies or projects I don't know some
| time ago. Which left basically small local companies, the big
| global ones and FOSS-projects. This of course is not perfect but
| at least leaves some sort of accountability.
| laurent92 wrote:
| All my employees use a JSON formatter on Chrome. Such apps
| require permissions to view all sites...
|
| I require them to create 2 profiles in Chrome (and a 3rd for
| personal purposes), one for dev and one for official purposes,
| but I know that, in remote work, they get less serious.
|
| It's a major security problem. I'm wondering whether I should
| purchase the Chrome extension's source code and deploy it
| myself on the store.
| curiousgal wrote:
| This is why I root my phone. I block internet access to any new
| app that shouldn't need it, if it refuses to work, I uninstall
| it.
| marcodiego wrote:
| Considering I'm not dependent on any Google Play only app, is
| there a good reason not to use f-droid instead?
| [deleted]
| dolmen wrote:
| The title says "Barcode scanner", but this is a QR Code scanner
| app from qrcodescanner.com
| dolmen wrote:
| I'm glad that Firefox on Android now has a built-in QR code
| scanner. This is the best UI and security improvement they added
| in the last 5 years.
| [deleted]
| jabl wrote:
| It has? How does one use it?
| przmk wrote:
| When you open a new tab, it is right above the search bar.
| jabl wrote:
| Indeed there it is, I hadn't noticed. Thanks!
| [deleted]
| dagurp wrote:
| Vivaldi just added one too.
|
| I'll never understand why Google didn't include one from the
| start. They finally added it to the camera app but very few
| people know about it.
| nanagojo wrote:
| The iPhone stock camera app also scans QR codes btw, guess most
| people just don't know since it isn't advertised heavily.
| tambeb wrote:
| Google's stock camera app supports QR codes.
| michaelmrose wrote:
| There are so many different issues here.
|
| Arguably manual curation doesn't scale to Google Play Store or
| Apple App Store size and automated scanning only gets you so far.
|
| You have several possible threats.
|
| 1. Apps that are malicious from the start.
|
| Best addressed by better automated testing.
|
| 2. Apps that become malicious particularly when the app changes
| hands.
|
| Best addressed by making this impossible. James/foo should never
| be transferred; a change of ownership should result in Jane/foo,
| which users would have to download.
|
| 3. Apps that aren't malicious but include a component that is
| user hostile. Virtually always included for money.
|
| Best addressed by just forbidding apps with ads. We won't do this
| but not much of value would be lost.
|
| 4. Apps that include a component that isn't malicious but itself
| becomes malicious later.
|
| Requires due diligence by the developer. Arguably one could
| imagine better automated enumeration of the constituent
| components to discern what might have been compromised, so that
| developers could have their apps automatically pulled and be
| informed that they were compromised. One could also imagine a
| statutory fine for paid apps that earn developer revenue wherein
| their product harms users. This couldn't accrue to free apps
| without making FOSS impossible. Eliminating apps paid for with
| ads would eliminate a gray area.
|
| An interesting point for those who presently avoid ad-laden apps
| is whether your paid-for apps are infected with the same
| potential malware vectors as the ad-supported version, as whether
| or not to show ads may be solely a function of an in-app purchase
| you have made. Your paid-for app might therefore be just as
| vulnerable.
|
| What reasonable measures would one expect Google to actually
| take? Probably only reactive measures like removing this
| particular app while making no meaningful moves to correct any
| systemic problems. In the longer term one might expect them to do
| a better job of finding malware automatically.
|
| If you value not getting hacked in the longer term it looks like
| this is insufficient. If for example Fdroid is insufficient in
| scope of applications then perhaps we should work on improving
| this situation as Google is unlikely to fix this for us.
| timdaub wrote:
| HEY THIS IS THE PERFECT MOMENT TO PLUG MY SUPER MINI PROJECT:
| https://scan.lol
|
| Excuse my caps!
| monksy wrote:
| I found this behavior in the Barcode Scanner app by "the space
| team"
|
| That was not one that was mentioned by the article
|
| Its URL:
| https://play.google.com/store/apps/details?id=com.qrcodescan...
|
| (See the reviews)
| squealish wrote:
| Glad you brought this one up. I also had the app you mentioned
| installed and noticed pop-up ads in Chrome.
|
| I immediately uninstalled the app and left a review. Like many
| other negative reviews I received some copy-pasted response
| stating they only have some in-app ads.
|
| It is beyond me that the developers just lie about including
| malware in their app while it is so obvious they are.
| hulunon wrote:
| I also found this pop-up ad behaviour Saturday (6th) morning.
| I distinctly remember looking at this app last year when a
| different barcode scanner had an issue and it was not owned by
| "the space team" then, maybe a takeover? App now uninstalled.
| zerocrates wrote:
| The one I remember being popular before on Android was the
| "zxing" one: it's still on the Play Store but has tons of
| recent reviews complaining about adware... confused users
| (and/or competitors taking advantage) leaving reviews on the
| wrong one?
|
| The zxing one seems to not have been updated in years (plus
| it's still on the store).
| scns wrote:
| I use this one from F-Droid:
|
| https://f-droid.org/en/packages/com.secuso.privacyFriendlyCo...
|
| You can directly download the APK from that site, you don't need
| an F-Droid client.
|
| If you want an F-Droid client, I recommend Foxy Droid. It
| unfortunately lacks some features of the official one but is way
| faster and nicer to use.
|
| https://f-droid.org/en/packages/nya.kitsunyan.foxydroid/
| herendin2 wrote:
| The developer's street address, as shown in the malwarebytes
| screenshot, is obviously either incomplete or bogus. There's no
| city or country, and a weird unit number. Is Google Play really
| approving apps from such dubious sources?
|
| Or does Google have the full address? Seems unlikely.
| meibo wrote:
| You don't need to provide this publicly if you do not have any
| billing in your app, so no IAP or paid apps. They might just
| not verify it though.
|
| Google has it, since publishing requires a $15 one-time fee. Of
| course, you can put bogus into the billing info for that as
| well.
| guy-om wrote:
| QR code scanning should just be native in every OS.
| wnevets wrote:
| Android doesn't actually need a 3rd party barcode scanner app.
| Google Lens supports barcodes.
| system2 wrote:
| Average users don't know the default capabilities of their own
| phones and instinctively go to the app stores to find their
| single-purpose, ad-filled apps. I've seen flashlight, basic
| camera, weather and clock apps that are inferior to the default
| apps of the phone installed on many client devices.
| wnevets wrote:
| Inferior and probably filled with ads, tracking and now
| malware. Too bad Google doesn't try to let users know the
| feature already exists on their phone when users search for
| these apps.
| Pxtl wrote:
| Meanwhile they block the Terraria developer's Google account,
| after which he's decided to cancel his game's port to Stadia. How
| are they so bad at this? Literally driving away legitimate
| developers while letting scammers run wild.
| DenisM wrote:
| What's easy to do for a thousand apps is impossible to do for a
| million apps.
|
| Large scale is not a new quantity, it's a new quality.
| tuco86 wrote:
| I noticed the package name com.qrcodescanner.barcodescanner and
| went to https://qrcodescanner.com/ which advertises another very
| popular barcode scanner, WeScan.
|
| They also offer an SDK of their own for including a barcode
| scanner into your app. https://github.com/WeTransfer/WeScan
|
| I'm not really sure they are connected (package names don't
| verify domain names AFAIK). Just curious.
| unixhero wrote:
| Another episode of Stallman was right.
| varispeed wrote:
| Most apps on Android behave like malware. The most annoying
| ones are those that randomly take over the screen and play ads
| with annoying music, and you have no way to close them quickly
| and you don't know which app is displaying them. The only
| solution so far is to actually disable apps one by one and see if
| the problem appears. I think Google should remove all apps that
| do that. The phone of my friend, who is not IT literate,
| essentially looks like IE6 back in the day.
| kmeisthax wrote:
| I had fullscreen ads on unlock with another barcode scanner app -
| IDK if it was this one or another one, but I remember blaming
| several other apps before figuring out it was a barcode scanner
| and removing it. The really frustrating part was that trying to
| open the app switcher to find out what app this was coming from
| would also dismiss the ad somehow.
| svara wrote:
| I was affected by this. Funny how Malwarebytes wants to turn this
| into positive PR about how they reacted "quickly".
|
| I installed just about every Android anti-malware app that I
| could find in late January, and none detected the bad app.
|
| Finally by googling some of the ad domains that kept popping up,
| I found the forum discussion that they mention. In other words it
| took them about two months to react!
|
| Edit: either it took forever or there are multiple barcode
| scanner apps that are affected and they didn't find all of them.
| lukeitup wrote:
| Simple scanner turns evil... these kinds of apps should have been
| offered by the respective OS, as a standard app. If the money
| involved is correct, then are the developers to blame?! I'm not
| sure to be honest.
| [deleted]
| [deleted]
| ravenstine wrote:
| This is precisely why I have auto-updates turned off. No minor
| security or bug updates are worth getting an all-out infection (or
| unexpectedly losing features).
| IgorBog61650384 wrote:
| How do you decide when it is safe to update?
| littlecranky67 wrote:
| Probably never. I mean, I am on iOS and as a developer I know
| how hard it is to get your code to run on iOS. Heck, security
| flaws that jailbreak an iOS device just via network/OTA are
| paid serious money for; there is no need to implement this.
|
| I seriously ask the question: what damage could a potential
| malicious app on iOS cause? There is no running in the
| background, so no exploiting while I don't use the app, no
| being part of a botnet when the app is closed. There is a FS
| sandbox that will not let you access another app's data
| without being able to jailbreak etc. I think an auto-update
| is more risky on iOS than to live with an older version of
| the app that does its job (you never know what an update
| changes/breaks for you, and downgrading is not an option in
| the App Store).
| userbinator wrote:
| The short answer is "when the benefits outweigh the risks";
| i.e. if there's a huge bugfix or new feature you need, but
| something like a barcode scanner is something whose change
| frequency should be very close to zero.
|
| The "update culture" has unfortunately trained users to
| obediently "bend over and take it", which is horrible from
| both the security and change-management point of view; but is
| the dream of those who want to exert control over "the
| sheeple".
| ntSean wrote:
| Your dogmatic approach to updating would prevent you from
| installing a version _without_ malware attached. For
| example, a version of Xcode circulated in China was
| infected with malware and once Apple had detected it, they
| asked all developers to recompile and update their apps
| immediately.
|
| https://www.zdnet.com/article/how-malware-finally-infected-a...
|
| With your attitude, you wouldn't have necessarily seen the
| efficacy in updating the apps and could still be infected
| to this day.
| DrScump wrote:
| Every Google Play update prompt in My Apps has a
| description provided by the publisher. If there is an
| urgency to update and they don't say so, I'm not going to
| blithely accept every update.
|
| For example, had there not been the exploit risk, I would
| have left Chrome at the older version, as their new
| tabgroup implementation is horrible, and it doesn't even
| allow you to open a new tab without creating a group or
| going incognito!
| stedaniels wrote:
| > Every Google Play update prompt in My Apps has a
| description provided by the publisher.
|
| I hate to reply like this but, the vast majority of
| Google Play app updates go something like this:
|
| "Updates."
|
| "Fixes"
|
| "..."
|
| Having genuine changelogs would be glorious.
|
| Apple and Google should require proper source and issue
| management; they could then generate changelogs
| automatically. Having that, they could then use machine
| learning against the code commits and issue titles to
| ensure that what people say is happening is actually
| happening in the code.
|
| I mean we've got ML that can generate code from natural
| language, I'm sure the bright sparks at Google and Apple
| could use some ML to, with a high degree of probability,
| say that the code does what the comment/issue says it
| does.
| DrScump wrote:
| > the vast majority of Google Play app updates go something
| > like this
|
| That's exactly my point. _Unless_ they state something
| that accurately communicates risk and urgency, I _don't_
| upgrade.
|
| Most updates of embedded-ad apps just seem to be changes
| in ads or ad engines.
| unishark wrote:
| "performance improvements and bug fixes".
|
| I just looked at the messages for the last ten or so
| updates on my phone and the last three were worthless
| like the above, but the rest were relatively detailed and
| informative. I imagine they are more motivated to give
| details when it's for new features.
| TeMPOraL wrote:
| Same here. Every now and then some app stops working or
| politely asks me to update, so an update it'll get (and at that
| point I have time to look it over and rethink whether I even
| need the app).
|
| Last time I went on an "update spree" and updated everything I
| tend to use frequently, I got the new Firefox mobile update,
| which is frankly utter garbage, and now I regret it.
|
| (Why is it utter garbage? It's much more laggy across the board,
| and there are issues getting uBlock Origin to work on it. And
| this tends to be the story with updates - I haven't seen the
| app that got _leaner_, or _faster_, or _more ergonomic_ with
| an update. Not a single one.)
___________________________________________________________________
(page generated 2021-02-08 23:01 UTC)