Popular Google Play store apps are abusing permissions and committing ad fraud (buzzfeednews.com)
388 points by mzs on April 17, 2019 | 173 comments



It's not just ad fraud, they've been copying information like WhatsApp phone number, Reddit username, Telegram username etc.

https://www.reddit.com/r/miband/comments/8eqtve/why_did_mifi...


I keep sounding like a broken record. This is not for your "average user" but I use two methods to block all data transmissions for applications that don't make sense to have internet connections (e.g. a selfie app):

a) The device's App-Data settings. I keep most boxes unchecked. I don't understand why CamScanner (legit super useful app) needs an internet connection when I just email myself all the scans, and am not using the cloud-options. Only Email needs an internet connection in that scenario.

b) NoRoot Firewall, I either recognize the IP or the domain name, or I check on ipaddress.com the IP, and then I end up global-blocking the whole block of that IP and be done with it.

In this world you have to go with Security in mind. Default state is block-everything, and only allow the truly needed/useful (to me, not the app developer) connections to go through.


I know the selfie app was just an example, but what's the point of a selfie app if you can't share the selfies?

Also you are assuming people have due diligence to actually care or understand which permissions an app is requesting and to actually stop long enough to consider the implications. Consider that most of the world is technologically illiterate, and pop-ups will probably at most be a very mild annoyance for end-users who blindly press ALLOW in order to open the app because it has kittens and rainbows.


You can share the selfies with the built-in texting/emailing/social media intents. The app itself doesn't need the networking.


I actually can't believe this. How in the name of all that is holy are we letting them get away with this?

Sure, we talk about the problem a lot. But we need to take action. It seems every big corporation is abusing the trust we give them in some form or another.

Please, for the love of God, can anybody prove me wrong. Are there any companies that don't abuse our trust?


>Are there any companies that don't abuse our trust?

I guess you need to look in the direction of GNU/Linux. For example, company https://puri.sm. They have nice laptops and nice Debian-based OS and they are working on the phone (soon to be released).


Abuse your trust? The better question is why are you trusting them in the first place? If you actually read the TOS of a service, you'd know that they are usually quite forthright with what they are going to do.

If a murderer knocks on your door, informs you that if you let them in they're going to brutally murder you, but you choose to ignore that because they brought you free stuff, you don't get to complain about being murdered later.


That is a stupid analogy which I hope I don't even need to explain.

A terms of service is not a free pass to do whatever the fuck you want. Just because I agreed to Apple's terms of service doesn't mean they can turn me into a human centiPad, even if it says so in the small print.


*sigh* Serves me right for using an analogy I guess. Or a "stupid" one. I dislike the need to defend against a strawman argument, but it looks like I am going to.

Anyway, you're right, and so are the other people pointing out quite correctly that murder is still illegal and an agreement doesn't magically give them a right to kill me. But you know what isn't illegal? A company selling your data that you gave to them and agreed to allow them to sell in exchange for providing a service. Yes, I know there are some weak protection rules out there, and things like the GDPR exist in some countries. IANAL, but an app using permissions that you gave it, to do things it says it's going to do in its description and/or TOS is not illegal in most countries. If it was, we'd not be in the privacy clusterfuck that we're in today.

The point is that trust has nothing to do with it. If anything, these companies tell you exactly what they're going to do (and if they don't, that's another problem altogether which I'm not getting into here) and you can trust that they will do what they said they're going to do to make as much money from you as they can. Treating companies like living, empathetic human beings worthy of your trust to "be nice and give you a product for free without selling your data you agreed to allow them to sell" is silly.


Yes exactly. Not to mention (pun intended) they don't mention in their TOS that they will be abusing their power and doing whatever they want with your data.

They never say that. They just do it.


>you don't get to complain about being murdered later

Actually, you do; murder is illegal even if you were informed in advance. The same should be with the ad industry. See GDPR.


Microsoft, for all their other flaws, usually keeps out of the business of selling their consumers. Perhaps it's because they have better (internal) monetization possibilities.


Last time I used a Windows computer, there were tons of advertisements in the start menu.


And on the lock screen.


Ads in the start menu? Omnipresent data collection in their crappy new OS?


Microsoft sells your browsing and installed apps data to companies


No way - do you know which?


That's a fair point. I think many companies are doing such bastardly deeds because they can and because it brings in a profit. To some extent, if a company does not need to do such acts to survive & thrive, they will perhaps act more legitimately.

It makes a lot of sense to keep your customers happy in the long run (bottom line and stock value).


As far as I know (and can find online) DU group and Xiaomi are unrelated. However, this is a really interesting discovery in its own right. I am a Xiaomi phone owner and have the App MiFit.

Would it be possible for me to reproduce what you have found? And if so, how can I do so?



I don't know what to make of MiFit copying all such information. I had assumed they copy it to show notifications on the watch. Does Lumen reveal that Xiaomi is sending that data to their own servers?


"Whoops, yet another (totally convenient for our business model) error! But that's okay, because we won't be punished if we say it was an error."


One of the things that is really troubling about the Google Android Play store is the ease that an app developer can develop an app and remain totally anonymous unless you are forced to file a lawsuit or subpoena to Google to reveal information.

I own and operate a fairly popular audio streaming platform, and I've had to deal with numerous instances of unscrupulous app developers who steal API keys from our licensed developers, release apps wrapped in tons of ads, and are able to remain totally anonymous by:

1) Setting up what is presumably a fictitious company

2) Privacy policy link that directs to pastebin

3) Email address for support where nobody responds

These apps steal tens of thousands of dollars of ad revenue from my business monthly, and I have absolutely zero recourse. Filing DMCA and other complaints with Google typically goes into a black hole, and when they do respond or address the issue it's typically "we don't see the need to take any action here" - presumably because these apps are generating enough revenue for AdMob and the Play Store that Google has zero incentive to take action.

How often does this happen in the Apple App Store? Almost never.

It's absolutely infuriating.


Time to cycle API keys?


App update cycles are slow so this would break old versions of his apps.


That, and they can steal the new API keys just as fast as we rotate them. And since these API keys are licensed to third-party developers we've got to manage business impact for that third-party.

The problem is Google has no incentive to address these issues, because they prioritize their own platform growth revenue over user and partner experience.

With all the frustration one can have with the Apple App Store, including huge wait times for new releases, arbitrary reasonings for declining apps etc, it's almost worth it vs the wild-west of the Google Play Store.


Maybe automate an API key change every X hours to limit the time those apps can grab traffic?


> These apps steal tens of thousands of dollars of ad revenue from my business monthly

Avoiding ads is not stealing. Neither is wrapping someone else's content in ads.


> Neither is wrapping someone else's content in ads.

What the hell are you talking about? If I take Office 2016, create a custom launcher which will just pop ads here and there, offer it to companies, I can't possibly claim this as legal business anywhere where copyright law can be upheld.


I'm not saying it's legal or anything of the sort. It's probably some kind of fraud or copyright infringement, but it's not theft.


Accessing a paid service by taking the API key out of another app without the consent of the service provider would be theft of services. In most US states theft of services falls under the same law as theft of personal property.


I see. Would that also apply to e.g. circumventing a paywall to read an article?


Why not? You can't just someone else app and use it as if it was yours.


Sure you can, that is what this post is about, it's just not legal to do so. But just because something is against the law doesn't make it theft any more than it makes it murder.


the locked in store model has completely failed. both for ios and android it is a terrible experience compared to PC. you are stuck with only the search tools the hardware maker gives you, often designed in a user hostile way (ios brings up ads) and no way to bail out to a different store. as well the monoculture leads to a race to the bottom with garbage programs shoving their way to the top via misleading and dishonest means, and by sheer numbers.

i want no part of it. when a phone maker comes to the market without this locked down model i will buy it, and if windows goes this route i will drop it for linux.

and yea i know you can sideload on android, but the unwashed masses don’t know that so it doesn’t matter.


>and yea i know you can sideload on android, but the unwashed masses don’t know that so it doesn’t matter.

Then what is your solution? The unwashed masses tried the wild wild west of digital software delivery back in the 2000s. It ended with tears, viruses, UAC and SaaS. Even today, most sideloading, for general consumers, begins with trying to pirate apps and ends with even more invasive spyware.

The locked in store model is better than what we had before for the general consumer (at least iOS's, unequivocally is, IMO). The App Store might be bad for developers, but it's way better for consumers.


The problem with early 2000's-style software delivery wasn't that you could choose which software to install, it was that there was no separation between programs, so that any random program you installed could add toolbars to your browser, steal all your passwords, etc. If iOS or Android made it easier to install apps outside the store, I highly doubt you'd see anywhere near the same level of problems, since everything is so isolated from each other.


I would find it acceptable if side loading apps was allowed by default but sideloaded apps are blocked from the dangerous permissions like device admin and draw over screen. Apps that really do require this have to be checked by a maintainer or require the device to be in developer mode.

This way almost everyone is happy because most apps don't really require anything other than internet, camera and GPS which can be denied by the user.


Isn’t that what native web apps are for, where you Share > Home Screen and they store themselves in local storage in the browser cache?


Web apps can't use GPS like an app can


I'm generally not a fan of web apps but this is incorrect.

https://developer.mozilla.org/en-US/docs/Web/API/Geolocation


I should have been more specific but my app needs to record GPS with the screen off and with the app not focused which web apps can't do.


I don’t trust sideloaded apps with background access to both my location and the Internet, so it gives me no sadness to hear this.


I guess your app is Android only - I can't imagine this working well on any iOS device, regardless of being a native app.


Hm, I'm not sure how iOS apps do it. My app is a fitness app that records activities, the app has to remain running in the background so the recording isn't interrupted.


It's the background part I'm not sure about. You can e.g. start Runtastic on an iPhone and it won't close if you switch to Music or messages or whatever but I don't know for sure that it'll be allowed to run in the background for extended periods of time.


can't see anywhere mentioned geofencing.


That also applies to the comment I replied to.


The comment you replied to mentioned:

> use GPS like an app can

that means high resolution location, background updates, geofencing, etc ...


fair enough :D


Geofencing is just conditionally acting depending on a location. All you need for it is a location.


If we want to show users permission dialogs and let them make good decisions, there's a need for finer grain APIs to allow finer-grain permissions.

For example, for a smart home app asking 'precise location constantly even when not using the app' is sufficient to perform geofencing - but asking for a more limited 'know when you arrive home' is much more likely to get user approval.


The correct time to ask for the permission is when the user attempts to set up geofencing, at which point the phone OS should present a geofence picker that stores the fence in the OS and notifies the app on entry/exit. The app itself has no need to know what the geofence coordinates and radius are, so by implementing the geofence at the OS level you can optionally as app author decline to care what its coordinates are — and thus have no need to request location access at all.


You also need to be able to run in the background


This. Google and Apple should make it easy for computer literate people to use something more advanced. Have the unwashed masses version sure, but then let us override it in a graceful manner instead of having to jump through hoops. Would lead to all kinds of free innovation etc. that they could then take over and profit from. Use the computer literate! WE WILL FIX IT FOR YOU


The problem with this is that waaaay too many people consider themselves computer-literate.


What? It's already possible for the "computer literate" to sideload apps on Android. That's literally what this whole thread is about?


And everyone says they are an above average driver.


> it was that there was no separation between programs, so that any random program you installed could add toolbars to your browser, steal all your passwords, etc.

And for Linux or Windows this is still true.


I believe it's not true for UWP Windows Store apps?


True, but nobody uses them and there are few examples of useful UWP programs. App-Store on macOS isn't a success story and rightly so.

macOS = useful; iOS = nope


The solution is what has been suggested earlier: allow users to choose their own 'store', don't lock them to a single vendor. This is already possible with Android where F-Droid is a good example of a 'store' where the chance of being exposed to these shenanigans is close to zero.

Currently iOS users lack this option so for them the only way out is to change platform.


That doesn’t seem like much of an improvement: if it became popular, you’d see the same social attacks switch from getting people to install apps to enabling a new store. F-Droid is safer because it’s much smaller and mostly free software: that’s good for people who don’t want anything else but it seems unlikely to satisfy mainstream demand or survive a motivated attack.


Linux survived these attacks. Debian survived them. Ubuntu did. More or less all Linux distributions have been attacked but survived, many of them thrive.

Yes, this is free software. Being less susceptible to these problems has been one of the stated advantages of using such for a long time. Alternative 'stores' carrying 'pirated' non-free software do not have this advantage and can easily turn into dark places so the solution does not lie there.

Will people choose a 'boring' free software 'store' over a 'cool pirate store' (Arrrrr!)? Some will, some won't. Those who will will end up being mostly silent as the thing just works. Those who won't will be susceptible to the whims of those who put up those 'stores' and are likely to come home with a bit more than they asked for.

Some 'stores' will get a good reputation along the lines of that of F-Droid, some will get the reputation of being the place to go to get the latest craze but also the latest infection. Users will start making conscious decisions based on those reputations, just like they already do elsewhere.

Will opening up closed platforms like iOS for third-party software repositories get rid of these problems? No, it won't, it will even raise the average level of problematic software on that platform. The difference between closed systems and more open ones is not that the closed ones are inferior, it is that they limit the user's choice to get something which is better as well as worse than what the walled garden offers. In this context better can mean software which does not come with tracking, analytics, profiling and other such privacy-invading nonsense. I can get the source code and build it myself, I can host my own repository, only time limits where I can go. This is not true for the Google Play Store or the Apple Appstore, nor is it true for the Amazon equivalent or any of those Chinese alternatives. That is why I chose to use something like F-Droid.

By the way, there is nothing keeping e.g. Facebook or Twitter from releasing a free software version of their apps. Their value - and most of their profiling proficiency - lies in their platforms, not in the apps used to access them. They might lose any additional venues for leaching the user of data but they would gain some believability when they state that they're not up to no good. Of course there are plenty of alternative apps for these services so they don't really need to but they could if they wanted to.


> Linux survived these attacks. Debian survived them. Ubuntu did. More or less all Linux distributions have been attacked but survived, many of them thrive.

Really? Is there a huge market of mainstream consumer Linux software which I've missed in the past 3 decades of using it?

The answer is, of course, no. Linux distributions have mostly been used by developers and other IT people and there's never been the equivalent of the mainstream mobile app ecosystem used by people who are asked to make critical security decisions which they don't know how to answer. If there was an equivalent, there would be the same sleazy sites pushing free porn, games, taking successful apps and repackaging them, etc. that we see in the mobile/Windows desktop world, and normal people would routinely be socially-engineered to get access to free stuff, just as Linux users have for years been fooled into running binaries or installing packages. This isn't more widespread because there's not much money in it but if that were to change it would immediately require the same kind of hardening which every other consumer OS has had to make.


Well, there is Android, that uses Linux and is as mainstream consumer as it gets. Do mind that I specifically said 'Linux survived' as in 'the Linux kernel project', followed by a number of Linux distributions.

Also, where are those Linux users [who] have for years been fooled into running binaries or installing packages? The majority of Linux users get their software from repositories maintained by whichever distribution they use. This fact is one of the reasons why Linux users are far less likely to install 'random' software. It is that aspect of Linux distributions which 'stores' like F-Droid bring to Android.

Last, what kind of 'hardening' do you deem every other consumer OS has had to make which Linux distributions have yet to accomplish? I'd go so far as saying that the likes of Windows and MacOS are playing catch-up here in finally getting around to implementing a sane repository infrastructure from which users can install and update software instead of having them hunting around the web for some SETUP.EXE to download and click on - which then proceeds to install not only the requested program but also a host of toolbars and 'shopping assistants'.

That both Apple as well as Microsoft took one step further in making these software repositories single-source to the detriment of their user's freedom of choice is what started this discussion in the first place.


Another nice thing about F-Droid is that it uses Linux style "repositories" meaning that individuals/companies can set up repos for apps without needing to build their own custom app store. There are also multiple independent implementations of the F-Droid client:

https://gitlab.com/gdroid/gdroidclient/

https://github.com/SkyzohKey/M-Droid


I am told these software repos are super useful for the 3rd world because phone stores can run a local app repo and people can download apps without using their very limited internet data. F-Droid also allows local app transfers to people near you.


You still have fragmentation though, which creates surfaces for security and privacy issues that the 'wild west' of the 2000s had. OS providers could enforce standards for these 'stores' as a fix, but then they'll be accused of unfairly regulating competition.

Part of one of the antitrust suits against Google was that it required Play Services to be preinstalled by manufacturers on Android phones before the Play Store could be preinstalled - but the latter needs the former to work.


Anything that became popular would be targeted just the same. The solution is more secure OSes, not distribution filtering. I should be able to put a gelatinous abomination from hell on my phone and be okay. Mobile OS sandboxing is better than older PC OSes but it's still not perfect.


The problem is that nobody except end users wants more secure OS. And end users do not matter.


> This is already possible with Android where F-Droid is a good example of a 'store' where the chance of being exposed to these shenanigans is close to zero.

There are many other stores where the chance of being exposed to these shenanigans is close to 1. Think of the article recently about super-shady app stores for iOS that misused enterprise certificates to sideload apps [0].

If alternate app stores were to be allowed on iOS, all that would happen is a great proliferation of these scumware stores, full of knockoffs, fakes and outright malware.

It's going to be almost impossible for a lot of people to distinguish between legit good quality, legit crap quality and non-legit harmful app stores, resulting in waves of malware and privacy theft that will make the old Windows XP days look like a panacea.

While it has its problems, the curated nature of iOS' App Store is a distinct positive for users.

[0] https://www.theverge.com/2019/2/20/18232583/apple-ios-develo...


I don't think people using Android are different from those using iOS and recognise that the most popular alternative 'store' for Android does not seem to fall victim to these problems. This is very much related to the fact that F-Droid only hosts free software but the same thing could be done for iOS if Apple lifted its heavy control over the platform and its users. I see no reason why a similar free software store for iOS would turn into a scumware-infested hell hole.


It is amazing that we can fly aircrafts to space but cannot solve software installations, isn't it? Maybe the software industry as a whole needs a kick in the butt.


Flying to the moon isn’t filled with profit motivated bad actors.


I'd say that the sandboxing introduced by mobile OSes today solves the vast majority of the problem.

By isolating applications and introducing permissions, malware that can steal or encrypt user data isn't possible even for people installing those pirated APKs.


Don't trust the Android or iOS or macOS sandbox. Google invests huge amounts of development time and research into the Google Chrome JavaScript sandbox. It is the real wild west, there are malicious actors who want to break that sandbox. There are multiple layers of protection. Yet there are successful attacks. Far fewer people are trying to break the Android or iOS sandbox, because you can just ask for permission from Android and because Apple can kick a bad app from the store and prevent infestation. It means that the security of those sandboxes is worse, there are many undiscovered (or undisclosed) holes.

Check out the history of the Java sandbox with its numerous vulnerabilities. I have no reasons to expect anything different from built-in sandboxes. It's like relying on Unix user permissions and allowing anything to run under an untrusted user. Works in theory, but you'll be owned pretty soon, because local root escalation vulnerabilities are not that rare.

In those days the only sandbox I would trust is JavaScript one. It's battle tested.


> because you can just ask for permission from Android

You cannot ask for permission to bypass sandbox restrictions on Android. You need root access, which means physical access to do things like unlock the bootloader or an exploit.

iOS sandbox seems slightly weaker here due to the use of hidden/private functions to protect certain things, sideloaded apps would likely be a bigger risk on iOS than Android at the moment, but that's not something unresolvable.

In any case, the things you're discussing aren't really so problematic - isolation systems are only getting better, OS level ones are improving every day. We could easily have sandboxes at this level just as secure as the javascript ones.


But the type of malware described in the article obviously is possible, given that it’s possible even on the Play Store. The OP posed switching to a decentralized model as a solution to that, and it’s hard to see how that makes any sense.


I'd argue the type of malware described in this article is fairly to completely harmless to the user. Harm to ad networks and a bit of wasted bandwidth is basically the worst case scenario.

The wasted bandwidth would be made clear by the OS to the user too, so it'd be trivial to identify if it was a significant consumer.


But in the end the software running on our phones is mostly crap.

I doubt user data being protected by these mechanisms helped people to guard their data.


The single source has many advantages but also many negatives.

Android apps run the risk of becoming Facebook apps. A rising platform that had a lot going for it. Little by little more restrictions pushed many away and turned into what it is today.


The locked in store model in iOS also forces you in to a specific and rather puritanical morality when it comes to the apps you can choose from.


Funny thing is the pirated apps often remove spyware and other crap.


But Linux is not better. Android at least has permissions for apps and allows you to deny some of it; on a typical desktop Linux distribution or on Windows every app has full access to all of your data: a calculator can read your browser history. If you install the Slack app from Deb package on Linux, it will add its repository into APT sources list which means that Slack Inc. can now "patch" any program on your system, for example, sshd or Firefox. Also, it will add a daily cron task that checks that added configuration is not commented out (they explain that it is necessary for the case of upgrading a distribution). Such behaviour is simply impossible on Android.

So I think it is the opposite: mobile OS provide better security than desktop OS.
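An added example, not part of the comment above or of any project's code: a Python audit of APT one-line source entries that lists repositories outside the distribution, the situation the comment describes. The file contents, host names and the `DISTRO_HOSTS` allow-list are constructed assumptions; deb822 `.sources` files are not parsed.

```python
"""Audit APT one-line source entries for repositories outside the distribution."""
import re
from urllib.parse import urlparse

# Assumption for this example: hosts that count as the distribution's own archive.
DISTRO_HOSTS = {"deb.debian.org", "security.debian.org"}

# One-line format: deb [opt=val ...] uri suite [component ...]
ENTRY_RE = re.compile(
    r"^(?P<type>deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)(?P<comps>.*)$"
)

# Constructed sample input: file path -> file contents (not taken from a real host).
SAMPLE_FILES = {
    "/etc/apt/sources.list": (
        "deb http://deb.debian.org/debian bookworm main\n"
        "# deb https://old.example.net/apt stable main\n"
    ),
    "/etc/apt/sources.list.d/vendor-chat.list": (
        "deb [arch=amd64] https://packages.vendor-chat.example/debian stable main\n"
    ),
    "/etc/apt/sources.list.d/tool.list": (
        "deb [signed-by=/usr/share/keyrings/tool.gpg] https://apt.tool.example/ stable main\n"
    ),
    "/etc/apt/sources.list.d/lab.list": (
        "deb [trusted=yes] http://repo.lab.example/ ./\n"
    ),
}


def parse_entries(path, text):
    """Return the active (not commented-out) source entries found in one file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and disabled entries
        match = ENTRY_RE.match(line)
        if not match:
            continue
        opts = dict(
            o.split("=", 1) for o in (match.group("opts") or "").split() if "=" in o
        )
        entries.append({
            "file": path,
            "line": lineno,
            "type": match.group("type"),
            "host": urlparse(match.group("uri")).hostname or "",
            "suite": match.group("suite"),
            "components": match.group("comps").split(),
            "options": opts,
        })
    return entries


def audit(files, distro_hosts=DISTRO_HOSTS):
    """Flag every active entry whose host is not a distribution archive."""
    findings = []
    for path in sorted(files):
        for entry in parse_entries(path, files[path]):
            if entry["host"] in distro_hosts:
                continue
            flags = ["third-party"]
            # Without signed-by, any key in APT's global trusted keyring is
            # accepted for this repository, not only the vendor's own key.
            if "signed-by" not in entry["options"]:
                flags.append("no-signed-by")
            # trusted=yes turns off signature verification for the entry.
            if entry["options"].get("trusted") == "yes":
                flags.append("signature-check-disabled")
            findings.append({**entry, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['host']} {', '.join(f['flags'])}")
```

A flagged entry can offer any package name, so reviewing it goes together with APT pinning (`apt_preferences`), which limits what is taken from that source.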


Check out snaps, where packages are preferred sandboxed and locked down, and require explicit permission from store operator and the user to install with unrestricted rights https://snapcraft.io/


That's why I hope snap or Flatpak will gain more momentum. While I assume they still are far from perfect at the moment, they seem to me a step in the right direction for desktops and servers.


How does this follow from the article? Sure, a walled garden isn't a perfect model. But opening it up further would make abuse, like the behaviors described in the article, even easier for developers to execute, and harder for anyone to stop.


I feel the problem is the complexity of permissions models. Rather than expose many fine-grained permissions, apps ask for wide ranging permissions. Good apps and bad apps. Because the good apps are written naively from days past and didn't know there is now a specific APP_PERMISSION_THIS_THING rather than 'all files'

Because even good apps ask for all things, it cannot be used as a filter to determine bad apps.


With physical consumer products this used to be solved by the distributor and retail buyer chain.

Company makes a product and provides samples to the distributor's buyers who then run it through the wringer. If it's crap then they don't order any. If it's 'good' then they'll market it to the retail buyers who place orders if they think they can sell it (and it's not crap).

None of that exists in the 'app market'. If it did then you'd submit an app to a distributor who would notice you're sending private user data to a Chinese website and they'll not only not market it, they'll never touch any of your stuff again.

The downside of that system is 99.99% of apps out there would never get installed on a phone in the wild.


When the app is free, there's no incentive for the consumer to check like they would for white goods.

What's really needed is the abolishment of ad driven revenue model. If the user derives value from the app, they ought to pay for it. This way, the app developer is incentivized to make the app better for the consumer, rather than attempt to generate revenue thru illicit/anti-user means.


>unwashed masses don’t know that so it doesn’t matter.

They seem to be able to find Epic's Fortnite just fine. What more do you want?


With the Fortnite security issues, that’s not exactly saying much for alternate stores. https://www.cnet.com/news/fortnites-battle-royale-with-andro...


> i want no part of it. when a phone maker comes to the market without this locked down model i will buy it, and if windows goes this route i will drop it for linux.

> and yea i know you can sideload on android, but the unwashed masses don’t know that so it doesn’t matter.

I don't totally understand what you want. You say you want a phone (presumably OS?) that does not require an app store then totally dismiss a very popular operating system that has exactly that feature. Who cares if a large segment of Android users don't side load apps, that does nothing to prevent you from doing it.

I've been using Android without Google Play services for a few months and everything works fine. My bank apps work, the few social media apps I use work, WhatsApp/Signal work, Bing/Cortana work, I could go on but I think you get the idea. Most of my apps have been side loaded (or downloaded via F-Droid).


So if google's app store is so bad (and I tend to agree it isn't great) what is preventing the rise of a better alternative app store? They exist, but as far as I can tell none have gained any traction.


Google's illegal anticompetitive contracts with phone manufacturers that forbid them from developing/selling non-Google-app-store-infected phones if they want to sell any phones with Google's app store: https://www.theinformation.com/articles/Google-s-Confidentia...


How do people still not know about this?


Well I'd say Google Play's dominance is mostly because it is default. Additionally, there is a natural vendor lock-in as you begin buying apps since your purchases won't be available on other app stores.

There are other app stores that have become relatively popular when pre-installed, such as Amazon's and the various Chinese app stores.

https://www.appinchina.co/market/app-stores/


>I've been using Android without Google Play services for a few months and everything works fine.

What about maps? or Waze? Gmail?


Maps -> OsmAnd~

The usability of OsmAnd~ will depend greatly on the area where it is to be used. It can use a host of map tile providers and/or vector maps, the detail level of these varies from very good to hardly any. I use it in Sweden where it generally works fine.

Waze -> ...

OsmAnd~ can be used for navigation but it does not offer live traffic updates.

Gmail -> my own mail server + K9 on Android

Gmail is more or less equivalent to a mail user agent, right? Mail is an internet standard which has been around for a while, long before Google was launched from a scruffy server under a desk. With a bit of luck mail - or some other open protocol like it - will be around when Google has gone the way of so many of its predecessors.

The list goes on:

Google Search -> a private Searx instance

Google Drive/Documents/etc -> Nextcloud on a private server

Google News (remember that?) -> News application on the above mentioned Nextcloud server, using either the web front or one of the Android apps available on F-Droid.

Youtube -> private Peertube instance on the already mentioned server

Facebook, Twitter, Snapchat, Instagram -> No need for such

Whatsapp -> private XMPP (ejabberd) server using Conversations Android client, using OMEMO encryption. Also using Telegram app from F-Droid.

Spotify et al -> Airsonic on that server I mentioned, feeding off my private collection and also serving internet radio stations (which it also sometimes uses to update the private collection). Using Dsub (from F-Droid) on Android, the web interface on PCs. The same collection can be reached through a host of MPD instances scattered about the place, these are controlled through MPDroid or M.A.L.P (both from F-Droid). There are also a few Kodi instances, controlled through Kore (from F-Droid).

The list goes on.

There is no Google-proprietary code on any of my Android devices yet they provide me with all these services.


I use the Google Maps PWA and never really used Waze to begin with. For email, I just use the stock Android email app which looks and acts very similar to the old Gmail app before the recent redesign.


How can you on the one hand complain that the locked-in store model has failed, then say yes, you know Android has multiple stores and you can side-load?

Doesn't that mean the multiple-stores and side-loading model has failed also? I'm not quite sure what your point is.


> compared to PC

How is Steam or Windows Store any different? How do you install apps/games on PC?


> How do you install apps [..] on PC?

Not through Windows Store, that's for sure :)))


well, there's always the Mobile Web. we just gotta get users to adopt it.


> the locked in store model has completely failed

Nope, it hasn't. It's very successful. It succeeded in lining the pockets of Apple and Google.


I did my master's thesis on this kind of stuff. There are many apps among the top 100 free ones that ask for permissions completely unrelated to their functionality. Yeah I know, not surprising. What surprised me at the time was that Android gives away much information "for free". For example, if I recall correctly, GET_ACCOUNTS was granted automatically and it allowed an app to get the "title" of every account on the phone as shown in the Android UI. Most apps use the actual username as the title, Google included (aka, every app could read your email address). Nice exceptions are Signal and WhatsApp.


I'm the author of this article and I'd love to learn more about what you found in your research. You can reach me at craig dot silverman at buzzfeed.com.


This review from USENIX Enigma 2019 might be interesting for you. They tested over 80,000 of the most popular Android apps to examine what data they access and with whom they share it, how mobile apps are tracking and profiling users, how these practices are often against users' expectations and public disclosures, and how app developers may be violating various privacy regulations.

Some numbers from the presentation

  - the "GPS icon" is visible for only 0.04% of actual accesses to location data

  - of 42000 apps transmitting personal information, 21000 (50%) don't use TLS and send data unencrypted

  - 1,325 apps that don't have location permission, actually obtain street-level location data and transmit it home

https://www.usenix.org/conference/enigma2019/presentation/eg...


Thanks!


> As noted earlier in this thread, I didn't go looking for Chinese developers for this story. But if you go hunting for permissions-abusing apps, this is where you might end up. …

https://twitter.com/CraigSilverman/status/111862075124903936...


Cheaper labor, I suppose.

I bet Eastern Europe is also represented.


Are Chinese really cheap labor though? Their tech companies are quickly eclipsing those of Western companies.

I don't think it's fair to say it's just a cheap labor thing.


Not utterly cheap, but likely not as expensive as Silicon Valley.

Also, I suspect that those who concentrate on adding spyware and ad fraud, repackaging, etc are not the top talent.


The article puts blame on specific apps of Chinese origin, but a lot of what is said in the article can be applied to other apps too, for example:

> Kaltheuner, of Privacy International, told BuzzFeed News the policies are vague about how third parties, including potentially the Chinese government or other authorities, can gain access to the data being collected.

Google's privacy policy [1] is also very vague. Instead of clearly writing technical details, what data they collect and when, they just give a general description. Take this phrase, for example:

> We may also collect information about you from trusted partners, including marketing partners who provide us with information about potential customers of our business services, and security partners who provide us with information to protect against abuse.

Or this:

> We provide personal information to our affiliates and other trusted businesses or persons to process it for us, based on our instructions and in compliance with our Privacy Policy and any other appropriate confidentiality and security measures.

Absolutely no details. I don't see how Google hiding its "partners" identity is different from Chinese companies hiding their identity.

The article says that a Chinese company can share the data with their government (without any proof), but doesn't Google share the data too when required by the law?

Also, there is an interesting note hidden in Chrome's policy [2]:

> Chrome won't allow a site to access your location without your permission; however, on mobile devices, Chrome automatically shares your location with your default search engine if the Chrome app has permission to access your location and you haven’t blocked geolocation for the associated web site.

So instead of singling out a Chinese company, we should pay attention to all of the mobile apps and their practices.

Regarding excessive permissions, I think Google could improve the situation by promoting apps with few required permissions in the search results and making the permission list more noticeable. For example, currently, if you browse Google Play, the permission list is hidden behind a tiny link.

[1] https://policies.google.com/privacy?hl=en-US

[2] https://www.google.com/intl/en/chrome/privacy/


It's amazing how poor the filtering is. There are plenty of developer horror stories of legitimate apps being taken down by some broken, automated process - sometimes taking people's entire Google accounts with them. Then you're stuck dealing with more automated systems for support.

Of course these garbage apps make it through somehow. My favorite is an SNES emulator that's full of ROMs. Clearly a copyright violation, but somehow made it through state-of-the-art AI...


> My favorite is an SNES emulator that's full of ROMs. Clearly a copyright violation, but somehow made it through state-of-the-art AI

I'd actually be fine with it letting stuff like that through, but filter out apps that are actually malicious to the user.


Which shows how badly machine learning works compared to all the promises made by big companies. Google can't identify fraudulent apps, Amazon apparently has a big problem with false positives regarding reviews (deleting real 5* reviews while keeping fake ones), YouTube thinks a church fire is a 9/11 conspiracy theory, etc.


In an ideal world, OS maintainers, instead of running a software store with a client-end on consumer devices, would run just a repository, with version control, metadata and downloadable packages for apps submitted to and supported on their platform, but would allow any third party to link to their repositories for fetching information or downloads. This would allow external review hosting, discovery, competing marketplaces, or even users directly fetching the application without navigating marketplaces if they knew what they wanted.

Of course, there's nothing in this approach financially for the maintaining company, so this was not going to happen.


What could possibly go wrong? Viruses, malware, ransomware, toolbars, etc.


Installing F-Droid and using more simple and open source apps is one of the best things I've done lately.


It's too bad it's still flaky at updating apps. I've been using it for a few apps for many years, and I'd say easily half of app updates simply fail for non-obvious reasons. It's been this way across multiple devices and countless versions of Android, so I'm left to believe the problem is with F-Droid itself.


I've had problems with YALP store suddenly being unable to find su and then no longer working. F-Droid is in the same boat where it gives you the choice of a few different methods to install apps, because it's still trying to find where it fits in.

IMHO that place is sideload as system app when you first install the OS. Which was my solution to the YALP issue.

(YALP store is not on my actual phone - that only has F-Droid)


I also heavily heavily hate the idea that they sign everything, the app stores must not be trusted. They should only be signing over packages already reproducibly compiled.


Why? Isn't that how signatures of any Linux distro work too? The packager signs the package not the developer.


Because they force users to trust them unnecessarily.


What are you expecting them to do, not host non-reproducible builds at all? Android will not run unsigned apps. This would result in F-Droid having exactly 3 apps. They're working on getting more reproducible builds but the build system is not exactly great for it.


> What are you expecting them to do, not host non-reproducible builds at all?

Yes.


Well you can start your own F-Droid repo only hosting reproducible builds and build them yourself. It is a very large amount of work which is why it's happening so slowly.


and if you can avoid apps altogether and use their website instead, it is often better.. because they don't get as much power over your device.


There are several app categories which become a breeding ground for malware.

  - battery booster

  - phone cleaner

  - anti virus

  - note taking app

  - file manager

  - ···

For risk management against getting banned, those adware companies will usually register multiple accounts, with offshore addresses in Hong Kong or Singapore.

This is a good starting move by Google, but still not enough. We still see companies like Cheetah Mobile and Du group being active in the Google Play Store.

Those companies (and their associated accounts which distribute malware) who are caught red-handed should be banned permanently.


Good. This is what advertising agencies asked for and what they deserve. Implementing a "click button to get money" system means of course people are going to try to beat that any way they can. I'm surprised any web advertising firm manages to stay afloat.


In fact, there's a browser extension which users willingly install that can help you "commit ad fraud":

https://news.ycombinator.com/item?id=19278936

It might actually be beneficial for privacy, since trying to "poison the well" of tracking data gets detected by the adtech companies and they'll likely start ignoring you. In that sense, affecting their bottom line is the only way to make advertisers leave you alone...


I would rather not be subjected to the adverts and the associated data mining in the first place. Nothing more creepy than the feeling you are being stalked through your internet journey to sell you yet another useless product you don't want or need.

Creepy and deceitful.


Companies care only about click fraud in as much as it costs them money.

My guess is that this kind of add-on will make your traffic stand out like a sore thumb too so while some companies will happily log that you're into every ad they throw at you, most won't bill for your fake clicks and simply have a very easy time tracking the pages you visit across the web. Where you go says a lot more about you than any ad you click on while you are there.

If enough people use something like this it would force shitty low effort ad platforms to implement some basic fraud detection, but forcing minor players into investing in their services isn't exactly screwing anyone over.


I'm not entirely sure I have that much of a problem with ad fraud, doesn't it only hurt the ad companies and companies like Google (which I have a problem with anyway), by basically scamming them into believing that I interacted so that company should be compensated.

I do object to collecting and sending my personal information, but I feel they just mixed it, as that probably relates to more than just these Chinese apps.

And I really don't like the fact that it seems that Google only cares about abusing the users, and breaches of trust and privacy when it hurts the advertisers (and themselves), and not when the normal user gets hurt.

Not surprising though, but still annoying.


It hurts mostly the companies paying for ads, and probably mostly smaller ones that can't detect the issue. Think your local car dealer.


I’ve never seen an ad for my local car dealer, or similar, in an iOS app, for instance. Just saying.


I would actually think the smaller ones would detect the issue faster, simply because they would see ad clicks and recognize no new business, as opposed to bigger ones, for which this would be an insignificant change they wouldn't notice.

In addition, I don't see the companies paying for ads getting hurt the most. In the end, if they would recognize that these types of ads are inefficient, they just wouldn't use them as much (they would use other outlets) or would lower how much they value (and pay) for them. Which would help me (by getting rid of something I dislike), and at the same time hurt those that maintain and support that part of the business in the adtech world (another plus for me).


They're mixing so many issues and confusing the matter. They have discovered ad fraud, which is interesting, but doesn't actually directly harm the user (right?), just the advertisers and Google. But then to make sure they are propagating fear, they bring in the completely unrelated issue of data being sent to China. And there is some confusion there too - is it only through the (unnecessary) permissions that users approve (a much different problem) or are they able to send unexpected data also without the permissions? I wish the world didn't have this sensationalism arms race to get their articles read.


If the ad fraud runs in the background as claimed, it harms the user by wasting their battery.


People think I'm weird for not installing WhatsApp because it downloads all my contacts and I can't prevent that in this version of Android, which I can't update because I can only do that through AT&T while on their network, but I get service through someone else because AT&T doesn't cover my area.

It's absurd.


Just get a written permission from all of your contacts that you're allowed to upload their data to WhatsApp, like the rest of us clearly have.

Or make it so that no one has anything against you ever. Because people have been sued already for uploading their contacts' information to WhatsApp without permission.

I really don't want to encourage you to use WhatsApp, but one possible solution would be to use this app: https://f-droid.org/app/opencontacts.open.com.opencontacts

It's a separate store for your contacts, so that you don't have to use the Android contacts implementation which every app and their mum wants access to.

However, mind that WhatsApp is not going to be particularly user-friendly whether you do this or block access to the contacts in newer Android versions. It won't display people's names until they've chatted to you (and then only in a shitty secondary GUI), so you will often have to guess from their picture who they might be.

And worse still, there's no way to initiate a chat from within WhatsApp to someone who's not in your contacts.

Thankfully, there's an app for that nowadays, too: https://f-droid.org/app/io.github.subhamtyagi.openinwhatsapp


That last part was the big pain. They had to add me when I had it on the newer Android but that phone died. Thanks for the empathy.


Isn't exporting a contact list a violation under GDPR? Contact names and their phone numbers are personal information and the app must get that person's consent to process their data.


Let me put it like this: I consider it only a matter of time before a lawsuit for this completes and Facebook has to pay a multi-million dollar fine. A lawsuit against WhatsApp was filed in the night that the GDPR became active: https://noyb.eu/4complaints/

The lawsuit is not just for this matter, it's rather because users were forced to consent to the privacy policy in order to continue using the services, which is very hard to justify under the GDPR, but I presume/hope, they will also look into what WhatsApp wanted users to consent to and how they presented it (89 screens full of legalese).

In theory, there is some clause in WhatsApp's terms of service which requires every user to get that written permission from all their contacts that I joked about.

One actual thing that WhatsApp will be able to cling to is that they do have a 'legitimate interest'. Without uploading these contacts, their service would no longer grow at even just half the pace.


Install LineageOS? WhatsApp doesn't have access to my contacts.


>“If an app violates our policies, we take action

Bullshit, Google. Bullshit. Only a very small proportion of the apps on Play ask only for the permissions that are needed to perform their task, and Internet access is not a deniable permission, leaving a nice little back door for them to siphon off your data. The example of the flashlight app is not an edge case, it's the norm. Google does not care because they'd rather earn more ad revenue than have quality apps, and the number of apps with the ability to seriously spy on you is staggering.


> BuzzFeed News manually identified apps that requested a high number of permissions, including those assigned as “dangerous,”

A useful automated tool for this is 'Exodus'; it will scan APKs for trackers and permissions and provide a web report.

Here is a report for one of the apps mentioned. https://reports.exodus-privacy.eu.org/en/reports/15627/
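As an added example (not part of the comment above and not Exodus's own code), here is the permission check the article describes, run over a manifest: it lists the requested permissions, flags the "dangerous" ones, and notes when they are combined with INTERNET. The sample manifest is constructed, the manifest is assumed to be already decoded to text XML (for example with apktool), the `DANGEROUS` set is the Android 6 to 9 era list, and the `expected` baseline and the `audit_manifest` name are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
INTERNET = "android.permission.INTERNET"

# Permissions with protection level "dangerous" in Android 6-9 (2019-era list).
DANGEROUS = {
    "android.permission." + name
    for name in (
        "READ_CALENDAR", "WRITE_CALENDAR", "CAMERA",
        "READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS",
        "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
        "RECORD_AUDIO", "READ_PHONE_STATE", "CALL_PHONE",
        "READ_CALL_LOG", "WRITE_CALL_LOG", "USE_SIP",
        "PROCESS_OUTGOING_CALLS", "BODY_SENSORS",
        "SEND_SMS", "RECEIVE_SMS", "READ_SMS",
        "RECEIVE_WAP_PUSH", "RECEIVE_MMS",
        "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    )
} | {"com.android.voicemail.permission.ADD_VOICEMAIL"}

# Constructed sample: a flashlight app asking for far more than the camera flash.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
  <uses-permission android:name="android.permission.READ_CONTACTS" />
  <uses-permission android:name="android.permission.GET_ACCOUNTS" />
  <uses-permission android:name="android.permission.RECORD_AUDIO" />
  <uses-permission-sdk-23 android:name="android.permission.READ_PHONE_STATE" />
  <uses-permission android:name="android.permission.VIBRATE" />
  <uses-permission android:name="android.permission.CAMERA" />
  <application android:label="Flashlight" />
</manifest>
"""


def audit_manifest(xml_text, expected=()):
    """Summarise the permissions a decoded AndroidManifest.xml requests.

    `expected` is the reviewer's own baseline of dangerous permissions that
    make sense for this kind of app (an assumption, not an Android concept).
    """
    root = ET.fromstring(xml_text)
    requested = []
    # Both tags declare permissions; the -sdk-23 form applies on Android 6+.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(NAME_ATTR)
            if name and name not in requested:  # drop duplicate declarations
                requested.append(name)

    baseline = set(expected)
    dangerous = sorted(p for p in requested if p in DANGEROUS)
    unexpected = [p for p in dangerous if p not in baseline]
    return {
        "package": root.get("package"),
        "requested": requested,
        "dangerous": dangerous,
        "unexpected_dangerous": unexpected,
        # Sensitive data access plus network access: data can leave the device.
        "network_and_dangerous": INTERNET in requested and bool(dangerous),
    }


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST,
                            expected={"android.permission.CAMERA"})
    print(report["package"])
    print("requested:", len(report["requested"]),
          "dangerous:", len(report["dangerous"]))
    for permission in report["unexpected_dangerous"]:
        print("  unexpected:", permission)
    print("dangerous + INTERNET:", report["network_and_dangerous"])
```
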


> Ad fraud is simply the norm in China

Why is that? I can't even imagine what's going on at the meetings leading up to implementing ad fraud in what I presume is a normal company otherwise and not a bunch of gangsters. Is it morally OK to do this in China for some reason?


> While on my most recent flight to Beijing, I sat next to an chatty elderly Chinese woman. We started discussing the topic, and she said that Chinese society lacks su zhi 素质, which translates roughly to manners or etiquette. Before the Cultural Revolution, she explained, Chinese society was guided by the moral lessons of Confucianism, with its emphasis on being a gentleman, respecting one’s elders, and obeying one’s leaders. But during the Cultural Revolution, Mao Zedong put Confucian principles on its head, pitting the Red Guard youth against their parents, the less educated against the educated elite. This chaos tore the social fabric and transformed the society into a survivalist one, a dog-eat-dog world, the vestiges of which are still felt today.

> When Deng Xiaoping implemented the Reform and Opening Up policy in 1978, capitalism was added to the mix of the survivalist culture; in order to get rich, you had to compete fiercely, fend for yourself and take care of your own with no regard for rules. This would also explain the rampant corruption among government officials, who use their position to amass wealth for themselves and their family. And nowadays, a third phenomenon has also added itself to the dangerous cocktail of selfishness and competition: the digital age. Many Chinese young people spend the majority of their days glued to WeChat, or taking selfies everywhere, or shopping at the ubiquitous malls around the country. This “me” culture is certainly not unique to China; indeed, we see the same thing happening to the youth in New York to Buenos Aires to London to Brussels to Moscow. But in China it exacerbates the already self-centeredness brought on by the cruelty of the cultural revolution and the competitiveness of capitalism with Chinese characteristics.

> In other words, China doesn’t just lack common etiquette and basic manners; it lacks a moral compass altogether.

https://thediplomat.com/2016/09/chinas-quest-for-a-moral-com...


> Google confirmed it found fake ad clicking on all 6 apps, and said ad fraud was against Play store policy. So why aren't you removing the apps, I asked. They said they banned them from ad products and were still investigating. Really? Finally, not long ago, Google removed them.

What's wrong with this guy? Does he not understand what investigating means? God forbid Google actually investigates claims of malfeasance.


Hi! I'm the author of the story and want to note that I only asked Google why it wasn't removing the apps after their investigation confirmed a major policy infraction. By then their investigation was close to a week old.

Google confirmed that these apps were committing ad fraud, and told me that ad fraud is against Play store policy. Yet the company was going to keep the apps in the store. That didn't make sense to me. Fortunately, they reversed their position.

(Also, in case it matters, I didn't submit my story here. But I always appreciate the interesting threads on my ad fraud stories.)


Did you ask why those companies (Cheetah Mobile, Du group,...) which were caught red-handed are still allowed to distribute apps in the Google Play store?


I did. I also asked the same Q when I helped catch Cheetah Mobile and Kika Tech doing ad fraud: https://www.buzzfeednews.com/article/craigsilverman/android-...

And when I busted a large ad fraud scheme of dozens of apps: https://www.buzzfeednews.com/article/craigsilverman/how-a-ma...

In all cases Google basically said it takes action against specific apps found violating policy. It seems unwilling to take action against a developer as a whole and ban them. I would also add that I suspect the Play store is not equipped to enforce a ban. People can easily create a newco and get back into the store. This is definitely a much larger issue. So I think that among other things these stories show that you can be a clear bad actor and still do business in the Play store.


Yes. Google prioritizes themselves and business partners over end consumers. I have seen many high ranked apps which clearly violate Google Play store policy (for instance, placing ads on the user's lock screen).

Yet, those apps are being ranked higher than other honest apps, which are doing business in an honest way.

These days, Google is not willing to do the right thing, unless being pressured by press media, or the EU.


If we take the paragraph at its word, Google had already “found” fake ad clicking, with a high enough level of confidence that they both “confirmed” it to a journalist and banned the apps from ad products. It was reasonable to wonder why the same level of confidence was not enough to remove the apps. There are some potential valid answers to that question, to be sure (e.g. want to be more careful before taking actions that affect users), but also potential invalid ones (they just didn’t care much about ad fraud and only removed the apps due to the pressure).


BuzzFeed News is a trash rag, what are you expecting?


BuzzFeed yes. But this is BuzzFeed News, featuring their Pulitzer Prize winning editorial staff. Very different from BuzzFeed.com.

https://en.wikipedia.org/wiki/BuzzFeed_News


> Pulitzer Prize winning editorial staff

That's no longer a reliable way of trusting the credibility. There have been many Pulitzer Prize news reports which have come out to be completely false.


Maybe, but it helps make them less of a "trash rag"


And there are two articles from Buzzfeed in the front page right now. I think someone at Buzzfeed has figured out how to game HN.


Google Play store and Android have consistently shown that the first priority is gaining market share. User safety and security, app quality, data privacy and positive developer experience are far, far lower priorities.


Here is a solution for this problem: let's devalue mobile advertisements. How? Simple: every time you see an ad, add the product advertised to a blacklist. Refuse to download any app that advertises to you. I've been doing this for a few years, and have felt no negative effects; in fact I have way less app clutter on my phone, and I still find all of the apps that I look for. Advertising has changed in nature; it used to be about increasing visibility of your products. Now it is about compelling people who don't want or need your product into buying it, by using deception and psychological manipulation. So how do we kill the beast that the ad industry has become? Don't feed it.


I appreciate the vigour, but it's probably easier to just use an ad blocker: https://f-droid.org/app/org.blokada.alarm


An adblocker keeps you from being exposed to an advertisement. This means you'll be adding zero value to the ad. What I'm talking about is a boycott, and you'll add negative value to it. I find this much more effective, and again, it has had no discernable negative effect on my life. I research to find the things I need. Word of mouth is more powerful, and gives more value to people's opinions.


> This means they can no longer use any of Google’s ad products to earn money.

Really? Guess it can be easily done with a new virtual firm and new contact data.


This is as surprising as the Facebook story.


Consider that the versions of Chinese apps uploaded to Play are already much cleaner and more toned-down than their China versions.

DU Group is an affiliate of Baidu, which has been using ads like "Click a button to boost your signal 5X stronger" to harvest users. It's common and unfettered in China, since they are all watchdogs of the party.


Has anyone ever gone to jail for this? Oh, you committed massive fraud and stole millions of dollars? We’re just going to tell you not to do that anymore... in what world would they NOT incessantly scam the system with these completely asymmetric incentives?


I'm using a non-Google version of Android (provided for the Fairphone 2) and install apps from the F-Droid store (exception is WhatsApp which is a direct install). Can I consider myself safe?


THIS, among many other reasons, is why I (and my wife), switched to the iPhone.


That is not a cure-all solution. It may be better as Apple has a higher barrier of entry into their store but those apps still exist. And Apple doesn't remove these apps right away either, for instance it took Apple one month to remove the app that was sending browser data to China.

https://www.macrumors.com/2018/09/07/adware-doctor-stealing-...

https://www.forbes.com/sites/bernardmarr/2015/10/20/data-thi...



