
Posted by drewfax 1 day ago

Android Developer Verification: Threat masquerading as protection (f-droid.org)
1591 points | 684 comments | page 8
ranger_danger 1 day ago||
> How long before they designate all ad-blocking software as malware, block installation on all Android certified devices worldwide, and permanently designate all developers of this class of software as malware creators?

Classic slippery slope fallacy.

https://en.wikipedia.org/wiki/Slippery_slope

History shows that when a "slope" appears... regulation steps in, technology evolves to solve the problem, or the culture shifts to reinterpret the thing.

In almost every case, the feared "bottom" of the slope was never reached because humans constantly built ramps or bridges along the way.

weikju 1 day ago||
> In almost every case, the feared "bottom" of the slope was never reached because humans constantly built ramps or bridges along the way.

Perhaps it happens because the slope is called out...

acters 18 hours ago|||
Plus, it is not the bottom I fear, it's the precedent from letting companies slide down the slope.

Regulation may try to stop it but history has shown some have slid to the point of no return or past a point where people can care enough to build out of.

Prevention is better than retroactively fixing stuff.

Terr_ 20 hours ago|||
Much like the fallacy behind: "The Y2K bug was a total hoax, you can tell because nothing much happened on 2000-01-01."
thinking_cactus 22 hours ago|||
I alternate my thoughts frequently (which I believe is healthy), and sometimes I think we should let things take their course a bit more before reacting. It's certainly tiresome and can be pointless (some people claim 'hysterical') to fight lots of changes, not necessarily this one but some like it.

But I've come to realize there are serious downsides to letting things run their course too. Some changes are very hard to roll back (famous 'cat's out of the bag') just taking a lot of time to reverse if ever. For example, once there is a long term contractual agreement, if one party decides to roll back they may just not be able to until the contract expires (like renting land; or worse, selling). A change in software systems for example that need backward compatibility can be quite difficult in technical and nontechnical ways.

I think people need to also keep some sympathy for the protests and let people protest more. I'm leaning more toward: if in doubt, provide visibility to a cause (even if not full support). It's okay to save yourself some energy (in particular for the most important causes). Some things might have to run their course for people to understand they were valuable, and we will probably have to eat some frogs as a consequence. Don't lose your sanity ;) (As the saying goes, "Don't you dare go hollow.")

RedComet 21 hours ago|||
"or the culture shifts to reinterpret the thing"

Yes. You see it already.

"Actually it is good that I can't run programs that haven't been approved by Google on my own device."

aerzen 20 hours ago|||
There is precedent of Google making changes in light of "security" that break ad blocking Chrome extensions. See Chrome extension manifest 3.

So this concern cannot be dismissed with just "slippery slope fallacy", it's a new vector of the same power grab strategy.

ozgrakkurt 22 hours ago|||
This is a useless argument since there is no way to measure what case is this and what is not.

You can say "Classic slippery slope fallacy." to whatever seems like that to you.

This is an antipattern to scientific thinking as you can frame something x and then say all x are like this, look I created this framework to think about x. But in reality there is no empirical basis for this thought. And it serves no purpose other than doing more argument or winning arguments.

In the end what you wrote equates to "I don't think all of this will happen".

Chaining many possibilities makes the outcome less and less likely obviously.

Also the same principle applies to most religions I know of, for example:

- Assume there is God

- Assume it did create universe.

- Assume x

...

Then this also fits the same pattern and can be called the "x fallacy" but it is useless to create an argument like this. This is useless mainly because this thinking pattern is ubiquitous in any world view.

More productive discussion might be to pick some steps in the theory they chained together and argue on that imo.

int_19h 16 hours ago|||
I don't know which timeline you live in, but in mine I've stopped counting how many slippery slopes ended up exactly where the critics said they would.
loconut 18 hours ago|||
Just look at the world around you, the slippery slope "fallacy" stopped being a fallacy long ago.
dminik 21 hours ago||
Is it a fallacy if you've said before that Google is aiming to create a walled garden, Google itself has already started saying it wants a walled garden and they've already implemented several such steps?
charcircuit 21 hours ago|
This is not malware. It's an official part of Google Play Services.
ale42 21 hours ago||
It all depends on how you define malware. If malware is software doing something that is contrary to the user's interests, then for many users it is indeed malware.
someonebaggy 21 hours ago|||
Too much hedging in this comment.

Malware is something that maliciously breaks your computer.

This maliciously breaks my computer so it's malware. There's no difference between this and the ILOVEYOU virus, except the delivery mechanism.

spaqin 20 hours ago||
Can I install some software on your computer to send me over your bank details? It won't break your computer, I promise, it's not malware.
charcircuit 20 hours ago|||
>this malevolent process has exactly one goal: to block you from running software by developers who haven’t been approved centrally by Google.

This claim is made by FDroid with no evidence. They make this scary claim which goes against everything Google has claimed so far. They are a biased party, and I can't trust their opinion. I would appreciate if they shared a more in-depth investigation or a way to verify their big claim.

psd1 20 hours ago|||
Trust is not binary; we can process data with a level of confidence. We do not need either Google or F-Droid to be sanctified before we evaluate their claims.

The claim is that a repeat monopolist is doing monopolist things. Feel free to make the case for the trustworthiness of Google's opposing claim, as I don't see anyone else doing that.

notrealyme123 20 hours ago|||
Google wrote their plans as blog posts.
charcircuit 19 hours ago||
But the plan doesn't include blocking developers who are not verified. You can still sideload such apps once you enable sideloading for them.
mdp2021 21 hours ago|||
The point is that it is said to tamper with your installations. If it does, it is malware.
charcircuit 20 hours ago||
It doesn't tamper with your installations.
Aachen 20 hours ago|||
Oh? Maybe you could comment on what part of the f-droid article is wrong
charcircuit 18 hours ago||
>If you are running Android 8 or higher, a virus has been installed on your device and is silently awaiting remote activation.

I have such a phone and the "virus" has not been installed to it. There is no evidence behind this claim.

>with as many as 4 billion Android handsets and tablets estimated to have already been contaminated

This is misleading wording. It's just as true to say that as many as 1 trillion devices have been contaminated. It is stating an impossible upper bound to drum up fear.

>this trojan horse runs surreptitiously in the background as a system service with full root privileges

Services in Android do not run with root privileges. Android practices the principle of least privilege where individual permissions are granted instead of giving it blanket access to everything.

>The service cannot be blocked, disabled, or removed.

This is unlikely to be true. You can most likely use "am" to disable it.

>In fact, Play Protect is itself the vector through which this virus is transmitted and installed.

This is probably false. Realistically it's going to be transmitted via the google play store like all other play service components.

>There are many things we don’t know about what to expect on September 30

>What will happen if I try to install or launch the F-Droid app?

Once active, if FDroid is not verified, the user has to use adb or have enabled sideloading by unverified developers. If it's already installed the user can launch it.

>What will happen to all the apps I’ve installed through F-Droid? Will they be disabled? Deleted?

Nothing will happen to them.

>If apps that I rely on are suddenly disappeared, what happens to the data they contain? Can I still retrieve it?

Nothing will happen. But if Play Protect were to flag malware it manually asks you if you want to delete the app. If you delete the app the data will be lost.

Aachen 15 hours ago||
Thanks, I appreciate the elaborate response.

If you can just disable it with the activity manager or similar, I don't think Google would provide another workaround with a wait time and everything - and that only after a lot of public pressure. It's claimed to be a security feature against scams, and scammers can theoretically let you open up an adb shell and run an am command, so that would negate the safety. (That this never happens in practice imo demonstrates that it's just about ecosystem control and not actually for user safety.)

I agree on the root thing though. I don't have a device here that has this service running so I can't check the process permissions for myself, but it seems extremely doubtful that it runs as uid 0. Fdroid could have dumbed the technical permission level down in a more accurate way.

How do you know nothing will happen to already-installed apps and their data, when the user hasn't had time yet to go through the annoyance unlock procedure?

charcircuit 12 hours ago||
>and scammers can theoretically let you open up an adb shell and run an am command

It requires a lot more steps to do this. Finding another computer, installing Android dev tools, finding a cable to connect them. In reality this adds a lot of friction.

>How do you know nothing will happen to already-installed apps and their data, when the user hasn't had time yet to go through the annoyance unlock procedure?

Extrapolation based off how play services has handled things so far and how Google has explained what will happen. Of course without looking at the actual code I can't say for 100% certainty, but from my perspective fdroid is fear mongering here as there is no evidence that supports this viewpoint. If they had evidence to back these dramatic claims up I would be less critical on them.

psd1 20 hours ago|||
False
RobotToaster 21 hours ago|||
Those are not mutually exclusive.
vrighter 18 hours ago|||
it is malware when everyone is explicitly asking to not have it.
someonebaggy 21 hours ago|||
Which is malware.