[HN Gopher] Apps can now block sideloading easier and force down...
___________________________________________________________________
Apps can now block sideloading easier and force downloads through
Google Play
Author : cglong
Score : 12 points
Date : 2024-09-12 19:31 UTC (3 hours ago)
(HTM) web link (www.androidauthority.com)
(TXT) w3m dump (www.androidauthority.com)
| dartharva wrote:
| _sigh_ so no more cracked Spotify on Android, I guess. Too bad. A
| lot of the Android warez scene will take a huge hit from this.
| TimeBearingDown wrote:
| Yep. Could be a big hit to GrapheneOS users. I wonder how
| Aurora Store will manage.
| variadix wrote:
| How so? Assuming they're modifying the APK they can just remove
| whatever check is in place. I'm guessing something like microG
| could emulate this API and always return true as well (though
| this veers more into DRM bypass which may cause legal trouble
| for microG).
| zb3 wrote:
| For apps that communicate with a server, there will be so
| called hardware attestation, like the API doesn't just return
| "true" but a signature which the server can validate. Keys
| for this are in the TEE/whatever secure element the phone has
| (and there's a $500K bounty for extracting secrets from the
| TEE).
|
| For apps that don't, Google is currently developing a new
| obfuscation VM called pairip (that libpairipcore.so). This
| extracts some java code into a VM, so patching an app is not
| simply a matter of patching smali code - that VM employs many
| checksums on its memory.
| Boltgolt wrote:
| Seems like it's going to get even more annoying to get apps for a
| country that you're traveling in. So many apps you want to use as
| a tourist are geolocked
| hollow-moe wrote:
| Smart move, you're not forcing the use of your app store if all
| major applications enable this of their own will
| jakeogh wrote:
| Yep. It will become the default after a bit. As I mentioned in
| the other thread, Google is using its monopoly position to
| force consumers to do business with it (by forcing them to have
| a google account to use the play walled garden).
|
| https://news.ycombinator.com/item?id=41517159
| zb3 wrote:
| Note this can practically only be enforced by apps that
| communicate with a server. For pure client side apps, one can
| simply patch the code (albeit this won't give them access to the
| saved data due to signature mismatch).
|
| However, Google is developing a new obfuscation method called
| pairip (officially automatic integrity protection) that makes it
| really hard to patch apps by moving some java code to an
| encrypted vm riddled with checksums and anti debugging checks..
| Fortunately "really hard" (and yes, the vm is crazy..) doesn't
| mean impossible.
|
| But for server side services, this will unfortunately serve its
| purpose.
| zb3 wrote:
| There's no such thing as "your Android phone" - this phone is not
| really yours. Not just because Android acts against your
| interest, but also because you have no access to the TEE (which
| powers DRM for example).
|
| Things will get even worse because Google is working on the AVF
| framework which includes so called "protected VMs" - of course
| they're meant to be protected from you, the user. Their
| "security" (where you're the "attacker") is based on the TEE but
| also a so called "protected vm firmware". In their design
| document they explicitly say that these protected VMs can provide
| "security" only with locked bootloader.. you probably know what
| that means..
___________________________________________________________________
(page generated 2024-09-12 23:01 UTC)