Posted by erohead 11/13/2025
One thing which can immediately improve security is forbidding SMS read access forever. Just like Apple does. No App should be able to read SMS.
2. Went to the settings and about pyone sceeen
3. Tapped the thing 5 times to activate developer mode
4. Activated installing from third party sources despite the warning there
5. Installed the APK
May I suggest the problem is not that this is possible, but a lack of education? If your father is the type that would jump into the bathtub with a toaster because someone on whatsapp told them to do so, I am afraid it is not the existence of toasters that is the issue.
Regardless, you do not actually need to enable developer settings to install APKs from unknown sources (at least, not on my Samsung). When you open an APK from within another app (e.g. Google Drive or WhatsApp), Android "helpfully" forwards you straight to the relevant security settings page, allowing you to immediately toggle the "Install unknown apps" permission for that specific app. It's a streamlined flow, only a couple of taps, no scrolling/searching/reading, therefore likely easy to coach a victim into performing.
So, I expect what the Android team is alluding to in the original post is to enable additional friction like you describe.
In my humble opinion, in the design of a UI or any type of system, kind of have to go where the users take you to some degree. And Android, being an OS for consumer devices, should be geared toward the masses and the mistakes they'll make.
I worked in IT support and I am deeply aware with the issues people are having. Some issues are systemic (aka bad design) and those should be fixed. Other issues are human.
It may not seem like it, but I have the patience of an angel, because I remember when computers where new to me. I like people to understand. Understanding is power. But when I did work in IT support I saw some things. Grown adults repeatedly clicking away error messages without reading them while I stand and watch over their shoulder. When I ask them what their error message read they say they don't know. Then we read it together and they go: "Ohhh".
Yeah. Ohhh. You have a weird error that prevents you from working and there is a red error message and you don't bother to read it. That isn't a technological problem that is a educational problem.
I stand by what I said, we cannot dumb down our system because people don't care, are lazy and act dumb. Because that leads to a cycle where it gets ever dumber and lazier all while making life hell for people who are not dumb or lazy.
If you want to use a car you need to know certain things. Same is true for digital systems, the internet, a smartphone, a toaster, a hair dryer, a knife, a simple plastic bag, etc. The solution is education, not dumbing down the world.
But you know, if there is a method that you know that can teach the masses these skills, then am all for it (maybe barrage them with youtube commercials teaching basic tech skills?:)
(except now the bank needs more staff behind the counter)
Well, think just letting the knowledge of user failure expand organically is definite a method of deterrence, and some amount of this probably going to happen to some of the users. But to me, seems like it's a question of what percentage of your user base would be exposed to being scammed. Of course you'd want his to be zero, but if it's significant, yeah, probably should put measures in place to reduce the amount of scamming. Even on a purely practical level, it's bad for the reputation of your product...
...Am thinking, since there is so much resistence to locking down android, one problem might be was it was initially billed as a more open OS that tech people could enhance in whatever way they wanted. But yeah, times have changed, it's now a product that is used by the masses, and guessing the masses are now their most important users. Not saying this is wrong or right, but probably why there is so much push back as compared to say if iOS did the same thing (which they may have already done).
On a side note, it is technically very feasible to help antivirus and security software makers to lock down phones for people who would benefit from it. For example, you could have a strict whitelisting approach for vulnerable users (e.g. elderly, bitcoin entrepreneurs, annoying kids, Google engineers) who prefer it that way, making installation of arbitrary software impossible. Giving up choices voluntarily is fine, taking away choices by force is not fine.
Why did your father enable installing APK packages from third party sources? That's a setting buried deep inside the developer settings, which themselves have to be activated with a very arcane manipulation
I always thought this is a very weird flow, it adds hoops yet accomplishes nothing because the hoops are all trivial and the same for every app.
Your Galaxy phone or tablet is configured by default to prevent the installation of apps from sources other than the Play Store and Galaxy Store.
The point being that there is not a whole lot of friction in this flow -- one or two taps -- likely making it easy for scammers to coach victims to perform.
I agree that activating the developer settings menu is substantially more friction, and may arouse more suspicion in a victim, but [on many/most devices] is not currently required. I guess the original article is alluding to putting this kind of friction in place.
I disagree - one feature in KDE Connect that is super useful is being able to forward your notifications, including your text messages. This would also harm non Android smartwatches, such as the recently revived Pebble.
[0] https://www.bleepingcomputer.com/news/security/malicious-and...
It's my tool. Mine. I'll do with it as I please.
I agree there are issues. But preventing installs aren't the answer, just like removing all windows and doors from a house isn't the answer to neighbourhood crime.
I'd be more inclined to say the problem is allowing apps to be funded by advertising. If all apps were paid apps, and using personal data in any way was immensely, "thrown in jail" illegal, then you'd find yourself approving access to contacts, SMS, Pii quite rarely.
It would really stand out in such a case.
"What?! I've been using my phone for 10 years, and some app wants to see my contacts. Why?? No one reputable asks for that, ever!"
So much of the problem with the internet is that Pii is paying the way.
On GrapheneOS, when I install anything, it flat out asks me if I want to give it internet access at all. SMS could be the same way. Off by default, try to grant it, big warnings.
At a certain point, if you have big warnings saying "Are you serious?!" and people turn it on, it entirely ends up being the end user's fault.
So you do know - inform users, increase privacy,...?
Our right to choose install software on our own devices should not be encroached because over-trusting elderly follower scammers instructions.
We can protect people like your dad with an opt-in system like parental controls. Have a responsible family member lock the system down however you deem fit.
Then let me decide which apps can access the internet, and which app can access which domain names / IP addresses.
Because it feels like there are a lot of DATA THIEVES out there, selling my data to companies you work with.
We call them Firewalls on the PC.
Other schemes include impersonating sex workers to lure victims into nude video chats, then persuading them to install an app that harvests private content and contacts for blackmail.
This is how loss of autonomy always happens in every sphere: make an argument that it's for their own safety that individuals are losing autonomy, and the entity gaining control is superior in knowing what's best, and is taking control only out of the goodness of their heart.
If someone tricks you into handing over the keys to the kingdom, the solution isn't to remove your door.
We don't cater the most stupid in society.
Google should just ban all apps that use SMS 2FA codes for login.
None of my banks have complained to me because I'm running a patched YouTube app.
If Android is open source, why can't/won't a community fork it? Graphene OS exists but many folks claim Netflix and banking apps do not work with it (despite allowing logins from any common desktop browser)?
If all widely-accepted phone operating systems are de-facto proprietary, what does this say about the current phase of society?
What choice do non-billionaire/millionaire humans have for living in a single-planet society where technology is so highly integrated (and the inherent non-consensual compromises)?
What If the little people are going to get squeezed even more?
Troubling questions.
Android in practice is full of proprietary blobs, stuck on old kernel versions, and the hardware is barely supported. Lots of downstream crap from the vendors not playing nice. Most devices running Android are instantly doomed to be e-waste. You can look through devices postmarketOS supports, and anything without mainline kernel support and most stuff working is basically e-waste unless someone puts in a lot of work for that particular device. It's a little bit like how modern GPUs don't work without blobs in the kernel anymore and you have to go back to Haswell era or older for things to work with all free software, but the state of smartphones is a few steps worse than that due to their locked down nature.
Pretty much any OnePlus device (other than ones still too new) seems to be a good bet for decent software support (both LineageOS and pmOS). Though annoyingly stuff like the 3G shutdown makes a lot of the earlier models unusable as actual phones these days. At least they can still be computers. Not quite e-waste.
Things have been going bad since then. Closing of root access, closing of software, youtube not working in split screen etc. All the changes make me think of Android as more and more repulsing. Recent changes like removing old software from the store because they didn't update API and now this... Google stop being evil
You think this is evil? :-)))
Watch what happens as they can't grow by 10% per year and their share price tanks in 5-10 years.
> "Google come to their senses on this"
it's
> "Google was forced to their senses on this"
Google goes on to say how taking away one of your last remaining rights is good for you, if you like it or not.
It is clear to everyone why Google is partnering with governments around the world to remove our rights to installing apps. Laws are not on your side and must be reevaluated on an individual level to move forward. You decide your own terms, you have the power.
Only we can stop this together.