My security hot take for this week is that Google’s changes for sideloading on Android seem to strike a good balance between security and usability. This gives me hope that the team is putting thought into maintaining the original dream of the platform rather than making a worse iOS.
Of course, the jury is still out on how well this will work, but the rationale seems pretty solid to me. Being tricked into installing blatant malware is, despite how you might feel about it, a major problem for Android. Historically, efforts to combat this have badly hurt openness.
The general problem with security is that identifying bad things is hard, because it often ends up impacting desirable things too. In this case, Google picks a very specific quality of scams and aims to target it specifically: urgency. I expect this to be very high signal!
By delaying 24 hours, they dramatically reduce the capabilities of scammers while also minimally impacting legitimate sideloaded installs, which rarely have the same requirements. This is a very clever choice and also one that seems nonobvious.
I’m happy to discuss the usual ideas of slippery slope or app stores, etc., but having worked on this stuff, I spend a lot of time reviewing compromises rather than having absolute positions on things.
@saagar The biggest source of Android malware is the Google Play Store. The equally “curated” Chrome Web Store is equally a cesspool. Thus, since neither of those has a waiting period, it seems clear to me that Google doesn’t actually much care about malware. You can’t look at these things in isolation.

@saagar The financial conflict of interest, for both Google and Apple, is massive. They’re making $billions per year directing developers into their stores.

Eliminate the cut, then we can talk about security.

@lapcatsoftware Would you be willing to listen to my opinions if I told you that I have been paid with the express purpose of maintaining this cut?
@saagar Can’t tell if joking or serious…
@lapcatsoftware I worked on Android security under the Google Play Protect team for just under a year and a half.
@saagar Paid out of the cut and paid with the express purpose of maintaining the cut are slightly different, though perhaps they’re effectively the same. ;-)
@saagar Anyway, if you had proposed disabling Google Play by default and requiring a 24 hour waiting period to enable it, I’m pretty certain your superiors would have laughed and/or escorted you out of the room.
@saagar Scamming has been a highly specialized economy for a while. My prediction: switch-toggling-as-a-service evolves, framed as a giveaway (“remember, you’re about to claim your free money of your own free will; you’re not being coerced.”). Scammers are just going to hire those and go on about their scheme the next day as usual.

@saagar I’m assuming part of the challenge for ‘legitimate’ uses is that people are… forgetful… and don’t come back to the app.

On one level: “How will I convert these users without the push of my growth funnel!??”

On another: “Well, I suppose if they really want the app, they’ll actually find it and use it” 😀

(cue: enter your email to receive download link & install, constant drip email from scammers & growth teams to get you to use it… like today? oh.)