"Sideloading" is the rentseeker word for "being able to run software of your choosing on a computing device you purchased". There is no reasonable case for an operating system developer having a say over what programs you run on your hardware.

#Android #Google

@Gargron the review process at Google can be a PITA, but for a good reason. Permissions to access more than an app really needs can be exploited for harvesting private information in a seamless update that most won't even notice. Sideloaded apps downloaded from, say, APK Mirror can have been tampered with using smali edits and you won't know. What Google should do is certify dev signing keys to trace and confirm whether an APK is legit or not and coming from the actual dev, regardless of being sideloaded.

@denzilferreira @Gargron

Except that it doesn't prevent malware. Note that this news article is from today. I went to find the most recent example of this and it turns out that I didn't even have to go back as far as yesterday.

Proper safety is done by reducing kernel attack surface, reducing the size of the TCB, and making it easy for applications to respect the principle of least privilege, so that the ones that don't stand out as things that obviously request more permissions than they should have.

Malware-ridden apps made it into Google's Play Store, scored 19 million downloads: Everything's fine, the ad slinger assures us

The Register

@david_chisnall @Gargron yep, there is only so much that automated and human review of code can do to prevent or minimize malicious code.

@david_chisnall @Gargron @denzilferreira in fact all #malware that gets into #GooglePlay works with lies and deceit, as in the original account and code submitted is all clean and only afterwards do they slowly "update" in malicious functionality.

Stolen Minecraft Is Now More Popular Than Minecraft.

YouTube

@kkarhan @david_chisnall @Gargron yep... it may be that with AI assistance, code could be analysed on every update to prevent or mitigate some of these backdoored malicious updates. Will it be perfect? No.

@denzilferreira @david_chisnall @Gargron not really.

Also "#AI" is wasteful computing that results in unmaintainable code and hallucinated solutions.

@kkarhan @david_chisnall @Gargron I meant to analyze the code for possible CVEs or exploits at scale. Doing it manually with a lot of humans will take more resources, if that is what you are comparing to (computers, electricity, etc). AI has its place to help.

@denzilferreira @david_chisnall @Gargron

1. Google and Apple do that to an extent. Obviously they can't work against malicious devs knowing that and thus detecting their sandbox testing.

2. What you point out as "#AI" is at best a worse version of #VirusTotal.

@kkarhan @david_chisnall @Gargron yep, that's why I said before there are limits to what AI or humans can actually do 😄 VirusTotal looks very interesting, thanks for sharing!