Barcode scanner app on Google Play infects 10M users with one update (malwarebytes.com)
819 points by decrypt on Feb 8, 2021 | 442 comments



This is possibly tied to the recent assault on the ZXing Barcode scanner app[1].

This is a legit open source app that's been recently flooded by 1-star reviews claiming that the app contains malware, probably in order to get users to switch to the other apps. The funny thing is this app has not been updated since 2019 on the Play Store, so those reviews are clearly bogus.

It takes a special kind of scum to slander an open source project in order to push malware.

[1]: https://play.google.com/store/apps/details?id=com.google.zxi...


The ZXing Barcode Scanner (which is the "official" barcode/QR code scanner for Android, as far as _I_ am concerned) is also available on f-droid.org. There's no absolute guarantee that F-Droid apps are malware-free but they have at least been looked at by a competent team of humans, something that is not true of the Play Store.

https://f-droid.org/en/packages/com.google.zxing.client.andr...


Does F-Droid compile the binaries themselves? Or do they just take a look at my github and then trust the .apk I build myself and send them?

I mean, I could very well make an open source app and then load some malware in the apk in addition to the well behaved thing... Are they immune from this attack?



"Apps" and "algorithms" seem to be driving literally everything about society now. I don't think this is a good thing, nor do I see the trend reversing. These giant black boxes now control the levers of modern society, and the companies that own them get to hide behind their "terms of service" to avoid any responsibility for the damage being done.

Every significant review system is being gamed to the point of being unusable, and yet stories about not being able to trust them keep being reported as if this were somehow noteworthy. For every one of these stories that rises to a thread on HN, how many other small time vendors are getting screwed by someone who is willing to pay a room full of people in some 3rd-world country to debase their competitor's online presence?


The platforms these companies provide have been so useful and successful that they have both become oligopolies and are a big part of how society operates nowadays. Think like electrical grid or roads.

But it's still not stabilized, society has not yet found out how to deal with all this.

It's like when there were no speed limits for cars or standard signage. There was more freedom but it was way more dangerous and unpredictable and also as a result, not yet as useful as it could be.

It's not necessarily anybody's fault. A company like Google maybe sees itself as a company but it's way past that. It really provides quite essential platforms for people, families, cities, you name it. And also the platform for content creators and developers and businesses. Many of these don't have a proper contract with the platform. It doesn't scale to have lawyers to be involved in every point to point dealing either.

My assumption is that there is going to be maturation of these platforms, common rules and terms. Governments and WTO could be involved.


I knew nothing of ZXing Barcode Scanner other than it was super simple and "just works." Nice to know that it's open source! I've been happily using on all my android phones since I started with the HTC Dream so many years ago.


Not only that, there's a "plus" version that's both better and is now free, as it can't be updated anymore via Google Play.

https://play.google.com/store/apps/details?id=com.srowen.bs....


This review fraud has got way out of hand. Right now, it would be better to remove reviews entirely and for consumers to make a decision based on the product page alone. The consumer trust in reviews is at such a low that it’s adding friction to purchase decisions and starving honest businesses from being able to invest in quality products.

One solution might be to only publish reviews/ratings from accounts with a minimum spend threshold and unique active payment details. This would effectively price out the scammers.


Even non fake reviews suck.

The sheer scale of situations where the top review is negative describes something that ... is not a bug, is actually supposed to be that way, is how the dang app works by design for good reason ... is bonkers.

It seems like reviews are driven by people who don't know, and responded to by people who don't know, who describe what sounds like fundamentally broken things... so they give it a thumbs up and they're both completely ignorant.

The volume of people who do know the app and would see / write a review seems like it is MUCH smaller.

I had a game app update recently. I went to update it (one of the few times I go directly to the Play Store app). There at the top is a review that described how they saw opposing players "just disappear" during the game and raged about that 'bug'. But it's not a bug; the game has some fog of war and view distance type mechanic. It's entirely expected / appropriate.... but there it is, the top review.


> It seems like reviews are driven by people who don't know, and responded to by people who don't know, who describe what sounds like fundamentally broken things... so they give it a thumbs up and they're both completely ignorant

Heh. One of Google's featured reviews for ZXing is a one star review from someone who said they started getting popup ads, and looked up the issue on a web forum which said it was ZXing's fault. It has 30+ thumbs up.

Absolutely pathetic.


To mangle the phrase about politicians: The type of person who feels compelled to leave a review is probably the type of person who should not leave a review.

I've left online reviews a total of maybe 5 times ever. It was only ever to help very small businesses with very few reviews who gave me an exceptional and unexpected result in one way or another.


Fake reviews are not that hard to spot. Why don't we focus on educating people on how to evaluate what they read, and making informed decisions, rather than taking information (even if misinformation) away from them? It would help with fake news as well.


> Fake reviews are not that hard to spot.

This statement seems very susceptible to confirmation bias. How would you get to know if what you think is genuine was actually fake? This part of the feedback loop is completely missing, and hence I find your above statement hard to believe.


I disagree. Still, you didn't answer the question.


Most people don’t read many reviews though. Just the ‘most helpful’ and the review tally. Worse, the store search results pages use the review scores to rank apps too.


Or go into trust-circle reviews. If none of the trust circle is using it, the product is untrusted and you have to be more careful.


I reported a bunch as spam, but it probably netted me some negative reputation by their AI though.


Do you really want to do anything that looks like abuse with your Google account though?

When people don't know why Google banned their 15 year accounts I wonder if it's not from innocent stuff like this.


Yeah, be careful doing anything like that on the Play Store. You can get your account randomly locked out with no explanation (I haven't been able to review apps, leave comments or contact the developer for like 3 years, and I never got an email or notice about this)


If you have a gsuite account, that might be the reason. This started somewhere in 2018.


I have the same problem - paying Google customer, so I'm not allowed to leave ratings or reviews on Google's app store. Support's ignored my requests on this.


Wait... why?! I can't think of a single reason Google would do this.


Oh, that explains it! Mystery solved, thanks :-)


It’s doubtful that any AI is involved, but I wouldn’t be surprised if Google have an algorithm that decides that X number of negative reviews must be spam, without considering the quality and correctness of the review.


These app stores are a terrible software distribution model. Every day we hear about another reason they harm users far more than community maintained repositories and only protect the interests of the OS vendor.


App stores are no more terrible than the previous software distribution model where you Google the name of the software you want to install, find some site that "mirrors" the download, realize they've repackaged the original app with extra ads and toolbars, keep searching, find the official download link, scroll past all the misleading ads containing download buttons, download the package, and then hope the download runs on your machine.

Anybody complaining about app stores has forgotten how bad the alternatives are. And community-maintained repositories aren't a solution, that's just the app store model but on a smaller scale so it's less of a target for bad actors. If Ubuntu's universe repo had to suffer the same amount of abuse as the Play Store does, it would crumble in a day.


> And community-maintained repositories aren't a solution, that's just the app store model but on a smaller scale so it's less of a target for bad actors. If Ubuntu's universe repo had to suffer the same amount of abuse as the Play Store does, it would crumble in a day.

I disagree strongly.

Most community supported Linux distributions have fairly arduous processes by which members of the community become trusted users / MOTUs / etc. It is not simply a matter of deciding to upload something, creating an account, and clicking a button. To deliberately upload a malicious package into Universe (or similar repos in other distributions), you would have to methodically worm your way into a community over time, participating on IRC, helping contribute innocuous changes to other packages, training new users, and so on. You'd then have to apply for the ability to upload, having demonstrated both skill and the ability to work with other members of the community, as well as the need for permission to upload a specific package. This process would take months or years.

And then, you'd have to keep any changes you made pretty cleverly hidden. Anything obviously phoning home or popping up full screen ads would instantly blow your cover, wasting the whole effort you put into it. It's simply not worth it. And that's before you realize how extensively open source the build pipelines for most distributions tend to be. (I can - and have - examined the actual build process used by multiple Arch Linux packages.)

This is completely incomparable to the process for uploading to Google Play. At best you're going to have to pass some automated checks. But it's an ecosystem built around closed-source (so no peer review) software, quasi-anonymous developers, and software funded by advertising. It's infinitely easier to sneak something into an app store, get a bunch of users, and get away with it (temporarily) than it is to put malware in the repositories of a modern Linux distribution.


>you would have to methodically worm your way into a community over time, participating on IRC, helping contribute innocuous changes to other packages, training new users, and so on. You'd then have to apply for the ability to upload, having demonstrated both skill and the ability to work with other members of the community, as well as the need for permission to upload a specific package. This process would take months or years.

sure. or you find somebody who's already done that and pay them some money.


And then, even if they're tempted by the large amount of money, they probably get caught pretty quickly and get banned. Again, even if you can use another person's account to reputation launder, it's still a very transparent platform that's hard to pull stuff like this on.

The usual process for this with mobile apps is not to pay someone a lot of money to ship malware, but rather to buy the person's account, app, and the source code outright. This has the advantage of not having to be explicit about what you're up to, gives the original developer plausible deniability, and gives you way more control. Plus it makes reputation laundering way easier and since the app is still closed source you can make any changes you want without anyone being the wiser.

All of this is completely different from how community supported repositories are run.


Would you call it the "previous" software distribution model? I still Google software for Mac and Windows, but I can't remember the last time I had to use a dodgy mirror site. Storage and bandwidth are cheap and plentiful now, most everything has an official source.


I call it "previous" because Windows and Mac both have actual app stores now, even if many developers shun the app stores and still encourage people to find their software by searching for it on Google.


It really is pathetic. Looks more mafia-like every day - they grab control of a choke point, ensuring they get their vig, but otherwise show no interest in providing real security.

It is just 'protection'.


What you describe is actually worse than the mafia. They would offer protection to some extent against third party rip-off.


Yeah, people from areas that used to be run by the mob often say they ran things better than the government did. Mobs require some form of community support to operate from what I understand.

The "real" government is really just another mob anyway. Pay your [protection money/taxes] or get your shop [busted up/shut down] and have other bad things happen to you.


Gotta love that those bogus 1-star reviews stay up, but Google instantly came to the rescue of Robinhood when it was getting flooded by 1-star reviews that had an actual legitimate basis.


Robinhood's app has a 1.2 star rating at the moment.

https://play.google.com/store/apps/details?id=com.robinhood....


Google was well known to have removed about 100k low rating reviews during the peak: https://www.theverge.com/2021/2/1/22261178/robinhood-google-...


FWIW the update date doesn't necessarily mean anything, the app could be loading code remotely via some endpoint, which the article does mention as a possibility in general.
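Two questions in this thread come down to the same static check: whether an "update" (or an APK someone uploaded to a repository, as in the F-Droid question further up) differs from the build you trust, and whether the code it ships contains the hooks needed to pull more code down later. The script below is an added example, not code from the article, from ZXing, or from anyone in the thread. It treats an APK as the zip container it is, hashes every entry so two builds can be diffed, and scans `.dex` entries for the class descriptors of Android's runtime class loaders (`dalvik.system.DexClassLoader` and friends). The two sample "APKs" are constructed in-memory zips with placeholder contents, not real apps, and the marker list is this example's own heuristic, not a definitive indicator of malice (plenty of legitimate apps load plugins this way; a hit means "read this code", not "malware").

```python
import hashlib
import io
import zipfile

# Class descriptors that appear in a dex string table when the app loads code
# at runtime. This list is the example's own choice of heuristics.
DYNAMIC_LOAD_MARKERS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
)

# Constructed stand-ins for two releases of one app. These are plain zips with
# placeholder bytes, not real APKs or real dex files.
OLD_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='com.example.scanner'/>",
    "classes.dex": b"dex\n035\x00Lcom/example/scanner/MainActivity;Ljava/lang/Object;",
    "META-INF/CERT.RSA": b"signature-block-v1",
}
NEW_ENTRIES = {
    "AndroidManifest.xml": OLD_ENTRIES["AndroidManifest.xml"],
    # The "update" gains a runtime class loader reference and an opaque asset.
    "classes.dex": OLD_ENTRIES["classes.dex"] + b"Ldalvik/system/DexClassLoader;",
    "assets/update.bin": b"opaque-payload",
    "META-INF/CERT.RSA": b"signature-block-v2",
}


def build_sample_apk(entries):
    """Pack name -> bytes into an in-memory zip, mimicking the APK container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def entry_digests(apk_bytes):
    """Map each file entry to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def diff_apks(old_bytes, new_bytes):
    """Report entries added, removed, or modified between two builds.

    For a reproducible-build comparison the expectation is that only the
    signing material under META-INF/ differs; anything else needs an explanation.
    """
    old, new = entry_digests(old_bytes), entry_digests(new_bytes)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }


def find_markers(apk_bytes):
    """Scan every .dex entry for runtime class-loader descriptors."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".dex"):
                continue
            data = zf.read(info)
            found = [m.decode() for m in DYNAMIC_LOAD_MARKERS if m in data]
            if found:
                hits[info.filename] = found
    return hits


if __name__ == "__main__":
    old_apk = build_sample_apk(OLD_ENTRIES)
    new_apk = build_sample_apk(NEW_ENTRIES)
    print("diff:", diff_apks(old_apk, new_apk))
    print("loader markers in update:", find_markers(new_apk))
```

On a real APK the dex string table is binary, but the descriptors are stored as plain modified-UTF-8 strings, so a substring match works as a first pass; a proper triage would follow up by decompiling and reading the code around each hit, and by checking the signing certificate rather than just the bytes of the signature block.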


See https://github.com/zxing/zxing/issues/1345 and https://android.stackexchange.com/questions/233322/finding-a...

TL;DR someone apparently cloned ZXing Barcode Scanner, added annoying ads, uploaded it to the Play Store with the same name. Soon enough the malicious clone got taken down. Legitimately pissed off people who installed the malicious clone are leaving angry reviews for the non-malicious original (presumably because the malicious clone is gone from the Play Store).


Don't assume malice when it can be explained by stupidity; it is probably a confusion as there are many apps with very similar names and in the phone the publisher is usually not listed (I checked mine), so people with the malware app gave reviews to other apps.


Even legitimate app developers have no incentive to keep their apps sterile. Someone just has to approach you with your 10+ million user barcode scanner app and offer you $50,000+ in order to install some automated ad clicker for them.

Don’t be naive, the majority will accept the money and gladly.

I believe that particularly makeshift applications such as e.g. barcode scanners are susceptible to this kind of takeover. Apps that offer what should have been offered by the OS vendor in the first place. Why should the app developer refuse the money if what their app offers will be incorporated in a next OS update anyway? Why defend your mini-adapter-app in an ocean of mini-adapter-apps, with yours becoming so large just because of a random seed and path dependency?

This can have a big impact for end users. Imagine an authenticator app ending service to all their users in such a scheme and how you will be cut out from all your accounts by this. How many authenticator apps do you have to use in parallel to mitigate this risk of a single point of failure?


> Apps that offer what should have been offered by the OS vendor in the first place.

This is really it. The Google/Android team have already made the "Zebra" library that actually reads barcodes; why on earth do they not include this as a standard app. Instead we get this myriad of different barcode scanner apps with all sorts of harmful features. All the heavy lifting is done by the Android team anyway (the actual barcode scanning).

To make matters worse, scanning a barcode when you enter a store/cafe (to register your location) is now being done everywhere in order to track potential covid19 spreaders. This forces anyone without an iPhone to install at least one of these potentially harmful apps.


Yeah, it's always in the flashlights, the barcode scanners, the background packs. They all address super basic functionality that many, many people seem to want (if I could just set a ringtone from YouTube, it'd save me from going through a bunch of shady apps, if I ever needed a ringtone that is). Yet they just aren't included in the base OS (or weren't always, my LineageOS has a flashlight currently). Therefore, they offer very low hanging fruit (super simple app, one can hardly ask money for it, so how does one make money?)

I heard from a friend that iOS has TOTP and indeed a barcode scanner built in, same goes for cal/carddav. To be fair, my wife's Pocophone also comes up with a QR-code icon when the cam detects a QR code. And, Firefox for mobile has a QR code scanner built in (although since I now have to open a new tab for each new page and I end up with many many tabs of the same 4 websites I find myself using FF less and less).

Maybe the experience on Pixel Phones is better? GCam makes a lot of difference in many aspects.


> they just aren't included in the base OS

Both a QR-capable camera and a flashlight in the notification bar are in all my Android phones, and they've been for a very long time. I know the Nexus One didn't include it, but those will have problems with modern TLS anyway.

The problem is likely elsewhere. It wouldn't surprise me if many of these users are tricked into installing these apps. It is quite popular for malware to disguise itself as a legitimate app as to not raise suspicion.


Discoverability is just as much an issue as feature including. If you have to go into a special QR mode (which a lot of cameras did), you’re never going to use the feature, and it’s hard to break those mental models if the feature gets silently added in later iterations; you’re always going to remember that first encounter where something didn’t work seamlessly.


Indeed it is. It wasn't at all obvious on my phone that I could put a flashlight toggle on my notification bar, so for a long time I still kept the old Motorola DroidLight app, which, despite being unmaintained for a very long time, worked beautifully.


I have a Pixel but I don't have QR scanning built in to the camera. It was at one point built into the "Google vision" thing, but I haven't seen it in the UI for a while.


In a very Google move, Google Goggles was rebranded as Google Lens and the Google Goggles app stopped doing anything. As far as I know Google Lens still does everything Goggles did, including bar code/QR codes.


You just have to point to a QR code and it will automatically scan it.


Yeah, on Pixel phones you can just scan the barcode from the camera app, or from Google Lens


Yeah the problem I think is other vendors implementing their own camera apps without this feature.


Same on iOS; the camera will recognize QR codes and offer to open.


I just tried the camera app with a QR code (on a Pixel 5) and nothing happened.


It's provided by Google Lens suggestions, so you'll need to have that enabled in the Camera settings for it to appear. It also seems a little slow sometimes, give it a few seconds for it to show up a small suggestion bubble at the bottom of the viewfinder.

I'm using Google Camera version 8.1 on a fully updated Pixel 4a and it works for me.


> (if I could just set a ringtone from YouTube, it'd save me from going through a bunch of shady apps, if I ever needed a ringtone that is)

I don't like that utilitarian example because it fights the YouTube platform, which does not want you downloading videos. Anything that sidesteps some sort of security fence or functionality is shady to begin with; even if you think it's fair use. Plus there's the whole copyright minefield.


> Yeah, it's always in the flashlights, the barcode scanners, the background packs.

Why are Google afraid to release a free non-harmful version of those popular apps? Is it to keep the illusion the app store is a vibrant market place where tons of developers get rich? It just seems nuts to allow all those harmful apps (that do virtually nothing) to float among the top downloads.


FWIW I've not had an Android phone lacking a flashlight in the OS since... ever, I think. At a guess, the apps are preying on customers not aware of the OS-level functionality.

QR scanning seems a little more complicated. FF for Android integrates a QR scanner, but chrome does not. Google's default camera also opens links, if you allow Google Lens.


About four years ago, when I had a low end Android phone, some kind of "make the screen white" app was really useful.

I remember the play store being scary but I think there was something in fdroid.

I am not so sure on this, but I do not recall my nexus 5 having flashlight in the OS.


I have a Nexus 5, and I can confirm the flashlight is available in the system tray icon. This is true for all Google phones since at least Nexus 4. It is my understanding that AOSP as well as Google's Android implementation has always exposed access to the flashlight hardware (although somebody mentioned this not being the case with Nexus One).


Since it's not an app, but hidden under edit in the pull down notification tray, people may still end up looking for a flashlight app. Perhaps a warning in the Play Store that "You already have a flashlight, it's here..." would be a good compromise? Although that might be considered "MS pushing IE", because the Flashy flashlight app has features(tm) (omg blink S.O.S., gotta have that :s).


> Why are Google afraid to release a free non-harmful version of those popular apps.

They already did; these have both been built-in for years. The flashlight was added in Android 5.0 (https://www.androidauthority.com/android-5-0-lollipop-offici...). I'm having a harder time figuring out when the barcode scanner was added, but my phone does it automatically in the camera app now.

(Disclosure: I work for Google, speaking only for myself)


> these have both been built-in for years.

If Android has a built-in QR scanner now, that must be something that came with Android 11, but September 8 2020 cannot qualify as "for years". It takes a while for OEMs to catch up as well.

There are certainly Android phones that ship with this feature (QR-scanner), but stock Android 10 does not. (Google Lens != Standard Photo app).

If you know about it, you can start "Google lens" app, but that app does not even come up as a suggestion when you type QR scanner into the play store. I.e. even when you have a QR scanner available on your phone, you wouldn't know unless you somehow knew about "Google lens".


I even have a pixel3 and forgot Lens existed; the first time I was exposed to it by the phone it looked like yet another Google scans all your stuff and gives you questionable suggestions feature. It never occurred to me it would do something as straightforward as decode QRs.


I have a Pixel 3a, and I'm pretty sure it's done this since it was new (Spring 2019). I also thought my previous phone (Pixel 1) did it, though I don't have it anymore and can't check.


There are many phones that have it (and have had it for a while like the Pixel it seems). Some can also enable Google lens from within the camera app, I cannot though on stock Android version 10.


I think it was announced at Google I/O 2018 but here is a link [1] talking about it in fall 2018.

[1] https://medium.com/turunen/built-in-qr-reader-on-android-696...


> Why are Google afraid to release a free non-harmful version of those popular apps.

Fear of anti-competition lawsuits and complaints. They're seeing what happens when Apple integrates stuff into iOS / OS X core that previously were third party provided, or the flak that Amazon gets for pushing AmazonBasics products.


> Fear of anti-competition lawsuits and complaints.

They could just create an open source variant that suddenly shows up top when people search for QR or barcode scanner. It would be in their best interest, and it would not violate any anti-competition laws, nobody can demand to see how these apps are ranked I guess?


Manipulating the search results so blatantly? How are they going to do this without generating more criticism?

It’s better to bake it into the OS and push an update. But then you’d have to get an OS update to heaps of phones.


> How are they going to do this without generating more criticism?

From the people who make those crummy apps; criticism surely cannot hurt Google all that much?

> But then you’d have to get an OS update to heaps of phones.

That's not a viable option, this requires tons of work from OEMs that Google would have to pay for. I've rarely ever gotten any OS updates at all on Android - apart from my latest phone. But I think the only reason I get OS updates now is due to the fact that Nokia just ships stock Android under the "android_one" brand.


QR scanning is already built into the camera app. So, no, this has nothing to do with integration, it's already integrated.

Those QR code scanner apps are basically taking advantage of people not knowing they don't need one.


The ability to read QR codes should be added to Android's Compatibility Test Suite (CTS) default camera app; this way vendors would need to ensure their camera apps are all equipped with this if they want to ship with Google Play Store.


"Google creates barcode scanning app, replacing popular app with 10m+ downloads".

Platform providers are also criticized when natively offering features that apps offer. You sort of can't win.


There probably could be some backlash, but it would be easy for Google to brush this off by listing harmful features they removed in the process.

They have done more drastic things in the past. They have even removed apps entirely from Android phones due to very harmful features, and nobody cared when they heard about the horrid things these apps did in the background.


the platform should accept the criticism, because it doesn't hurt them. they have no feelings.

People doing low effort apps can only just whinge when the floor shifts under them. i have no sympathy - they just need to adapt and improve, and create new value to sell.


> To make matters worse, scanning a barcode when you enter a store/cafe (to register your location) is now being done everywhere in order to track potential covid19 spreaders. This forces anyone without an iPhone to install at least one of these potentially harmful apps.

Our (New Zealand) Covid tracing app scans QR codes itself. What jurisdictions are requiring people to scan an arbitrary QR code using random apps?

https://www.health.govt.nz/our-work/diseases-and-conditions/...


I recall back in the early days (before NZ Covid Tracer was released) we had the same system where every shop had a QR code that linked to its own guestbook type website.


Is there anything you guys in New Zealand haven't done better during this pandemic? :-)


"Better" is certainly a point of view here. Having to tell the government all of your whereabouts when you already live on an island with no spreading is an overreach, IMO.


The New Zealand government doesn't learn "all your whereabouts" by default. The app is storing locally what it has learned about places you visited by scanning QR codes, and comparing that to information it is being sent over the Network (by the government) to discern if you went anywhere that the government says warrants special action - if so you get notified.

For most Kiwis this means a bunch of QR code data is stored on their phone and, months or years from now when the emergency is over (depending on how incompetent other countries are) that data is deleted. There is no NZ department of health MySQL database full of geo data of every New Zealand citizen and never will be.

If you're a case (remembering that New Zealand has elimination, so rather than cases being millions of people as in the US for example, they're very rare) then you can choose to help the contact tracers by giving them your data and in that case they do get all the data because you gave it to them. Because New Zealand has elimination contact tracing is something done by a handful of experts.

I would guess that like most countries New Zealand's contact tracing experts worked previously with sexually transmitted infections - so they already understand the sensitivity of this work. COVID-19 is actually less awkward, because at least you don't have to admit to fucking somebody you claim you're not sexually attracted to, just that you were in the same room as them for a period of time.

But of course none of what I wrote above matters much because those are merely facts, and for so many Americans mere facts can't oppose a Truth they have become certain of despite all evidence to the contrary. Not that Mother Nature gives a damn whether you believe her.


I'm glad NZ chose to develop the app the right way, but I certainly wouldn't expect any American government to do that.


The 21,000 dead here in Canada would like to argue that it is much, much better but, well, they can't.

I literally can not believe you are arguing it's not better.


Believe it or not but not everybody believes that human rights like privacy are always optional when lives are at stake. Ever heard of the phrase "the end doesn't justify the means"?


exactly, how are you going to visit the mistress(es) if government tracks everything and eventually will be leaked? (a bit of sarcasm but the point stands, privacy shouldn't be optional)


What about the human rights of the people at death's door? I'd say they take precedence over being upset about sharing your location.



Well, when the users already give the government access to their location 24/7 with that app, at least they include a barcode/QR scanner.

But privacy is clearly one of the victims of this pandemic. At least some countries are now opening up the source-code of the front and back-end of their apps. They had to do that here in Norway (they had to replace the whole app actually) when the original closed source version was demonstrated to contain harmful features...


We have a similar system in AU. It’s not really enforced all that well. But most people cooperate and life is generally back to normal. You also only need to do it in enclosed areas like shops. Mask wearing is still mandatory on public transport.

Unfortunately very low cases doesn’t mean the virus is gone. Occasionally there is a case and if you want to clamp that down as fast as possible, you need contact tracing. Which means we need to know where you are.

For most people, no extra information is being leaked. Facebook and Google already know where they are and they are far more malicious than the AU or NZ government. The tin foil hatters like you can take extra measures I’m sure.

The US has over 25 million cases and over 400k dead. That’s literally the entire population of Australia infected. So I’d argue that NZ and AU are objectively better and we shouldn’t worry about “overreach” just yet.


What do people without smartphones do?


OnePlus seems to have the QR code scanner built into its standard camera app. And the flashlight into the setting shortcuts. Very convenient, and perhaps necessary, considering all these app stores becoming malware vectors.


My Moto G8 Power (G Power in the US) Android phone has it as part of the Camera app; when you point the camera at a code, a small bubble will pop up at the bottom allowing you to follow the link/see the content.


The issue is not whether there is a default app or not, the issue is having a QR reader as an external service.

Imagine you are an app developer of a really simple app that takes a number and tells you if that number is in a valid phone format or not. You have a textbox, the user enters it, you do the checking and display the result. Easy. Now imagine you want to allow scanning a qr which contains a number, to do the checking afterwards. You need to either ask your users to use an external app to scan and then open yours, include all the qr related library inside yours, or use a special intent from a third party app (that the users need to have already installed).

The first solution is slow and inconvenient for users, the second is what almost all apps do, but then the code logic is duplicated in all of them (with the increase in app size). The third option is the best, both for the developer and for the user, however there is no official QR service so in the end this is basically option 1.

I mean, you already have a service to get a picture, a file and a contact, among others (you don't need to include all the code, simply make a call to the respective intent and wait for the result) so why not extend this with QR too?


A great argument for installing F-Droid in my eyes.


The same is true of things like Instagram, where they have made downloading an image so difficult that people install malware purporting to be able to do it all the time. Pretty huge vector.


While Google Lens does the job for the most part, we created a free privacy minded security first app - https://dhiway.com/seqr/ This app plugs in to Google's anti-malware lookup service to flag harmful content from making it to the device.


On android (and I think iPhone too) you can scan barcodes with the camera app. It's not obvious, but I learned this from servers this year.

When we sit down they just say, "use your camera app to scan the barcode". It seemed to work for everyone at the table. Samsung, Pixel, and iPhone.


My Android 10 phone from Samsung has both the flashlight and the QR code scanner icons in the drop down notification bar. I don't know if it is a standard Android feature or something from Samsung.


It's Samsung, though many other vendors also offer it.


My S21 Ultra has a QR scanner built in, but no barcode. Are the old ones still used for such purposes? I've only seen QR codes used for eg contact tracing.


On the last point, Firefox/Chrome and derivatives have scanning built in. It would be very simple to have an app that links to Chrome.


My Android phone has the barcode scanner app built in.

Also FM Radio, screen recorder and IR remote control.


Wow, great phone, what is the model?



I had a Xiaomi Redmi Note 4. Best affordable phone when you've just bought it, but it doesn't last long.


There should probably be a "standard apps" project, similar to prog-langs "standard library" - sponsored by goog et al but not owned by it, and heavy on security and standardisation.

What do you reckon would be included?

- barcode scanner
- auth app
- calculator of some kind
- wifi management, dns/network/firewall management


Patents


It is 2021 and Android still doesn't have a QR code scanner by default.


Actually they do if they have Google Assistant, which I imagine anyone with Android 7 or later will. If you use the Google Lens feature it will decode barcodes and QR codes. But unfortunately this feature is pretty much self-discovery rather than a publicised function.


It isn't obvious, needs Lens installed, which needs Internet to work properly.


Not everyone wants to use more spying software.


I don't know if it differs from various vendor releases of android but certainly on my Samsung S20, QR codes can be read without an additional app just by pointing the camera app at one. I seem to recall my Pixel XL did the same.


It's built into the camera app


There is no "the camera app"; the manufacturer often provides their own. It may well be in recent versions of GCam, but quite often it requires you to bail out to Google Lens for some reason.

Android is like Forrest Gump's box of chocolates: you never quite know what you're going to get. And sometimes it's stale.


Samsung phones have it in the camera, so I guess most Android users do have a barcode scanner built-in.


Why are Android users installing all these apps then? https://play.google.com/store/search?q=QR%20scanner&c=apps&h...


Because most Android users don't know about Google Lens/their camera app and google "Barcode Scanner app" when they get their phone.


My Samsung has a built-in QR scanner, which I found out by accident.

I downloaded an app for it because it never crossed my mind it would be built into the camera app. After all I don't want to take pictures of the QR code, I want to decode it...

No idea when it was introduced. I've had an S3, S5 and now an S8 where I discovered it by accident last year. Pretty sure the S3 didn't have it.


Personally, when I installed the app, there wasn't one built in. I just still had it lying around.


The stock Camera app on my Android phone recognises QR codes. This is on Android 11 on a Pixel 3. I think this has been the case for a few versions of the OS (but don't have access to old versions to check).


Google lens does it, is it not part of stock android? My phone runs Android One, so I think it's all stock but I could've missed a subtlety.


Lens isn't AOSP, so it gets different treatment depending on your manufacturer.


The camera app scans QR codes on my Pixels.


Limited to certain phones. Otherwise, how do we explain millions of installs on QR code apps?


I'm terrified of browser extensions for this very same reason (and yes, I still use them). I wish the browser vendors supported some kind of pinning to source code for open source extensions. Right now I have at least 2 extensions running that I know could access my passwords on any website as I enter them. One of those is Lastpass, which I use for storing/generating those passwords anyway, and the other is AdBlock Plus. Could other extensions access sensitive information? I'm not sure, but I hate not being able to see the source code of apps which need so many permissions.


Re AdBlock Plus, I can recommend uBlock Origin instead. The uBO developer (Raymond Hill) repeatedly chose ethical behavior over money.


Alas the Great Suspender just fell prey to malware after its creator sold it off: https://news.ycombinator.com/item?id=25846504

I think Apple have the right idea with app review on browser extensions for Safari.


The other nice thing about Safari’s approach is that for common extension functionality it is just a set of rules that are executed. So no malware can be run because extension code isn’t actually reading the dom. Nor does it have access to load remote resources.


I hear that a lot of companies are doing unethical things. Maybe the government should only grant corporations to form which are headed by approved people?

/s


Not a bad idea, even if sarcastic.


> I wish the browser vendors supported some kind of pinning to source code for open source extensions.

Chrome used to. You used to be able to just download the source code of an extension, point Chrome at it, and done you are.

Well, you still can. But Chrome will CONSTANTLY nag you about it and try to forget you added that extension using source, like it's some vile crime.

They removed it because of "security", which is a hilarious reason because it just made everything so much worse.


AdBlock Plus is owned by a company who is selling ads. Use uBlock Origin instead, please.


To be more precise: You can pay them to get your ads listed as "acceptable ads" which will then pass the filter rules of ABP.

Would be a real shame if some software would block your ads because you didn't want to pay, wouldn't it?


Given the reputation of ABP, I'd be worried too.


At least with LastPass you know they have a commercial model and reputation to incentivise better behaviour. If you download something that is free then that pressure doesn't exist.


Have you read their privacy policy? They lay out that they can spy on everything and share with anyone they want.

You'd think if they were serious about privacy their privacy policy would just say "we spy on nothing and collect nothing and share with no one". 1Password effectively has that privacy policy, LastPass does not.

https://www.logmeininc.com/legal/privacy/us

https://1password.com/jp/legal/privacy/


This is why I get all of these kinds of apps from F-Droid instead of the Play Store. Here's the QR code scanner I use: https://f-droid.org/en/packages/de.t_dankworth.secscanqr/


Right, I'm an avid user of F-Droid and a large percentage of my apps come via this route. The trouble is that I have found that QR code scanners are very significantly different in both their feature sets and in their ability to recognize different barcode/QR code scans.

That's to say:

(a) The time for a given barcode to be accurately detected varies considerably from app to app.

(b) And various apps have different detection capabilities with respect to one another (i.e.: the detection performance varies from app to app depending on the contrast across the barcode image, camera focus or lack thereof, etc.).

(c) For a given app, the detection capability for different types of barcode scans can vary considerably.

For that reason, I have five different QR scanners installed including SecScanQR that you've mentioned and the one with the same namesake as mentioned in this Malwarebytes article.

It seems there's a great deal of variability in the detection algorithms between apps. Unfortunately, from my experience I've found that some of the commercial apps have better detection performance than those on F-Droid—but granted that's only from my limited testing. Which app I use sometimes depends on other features, for instance, the fact that it has a better database or export ability, etc. is more important than the fact that it's insensitive in the detection department.

I wish someone with more knowledge and experience could give others and me the good oil on this. Reckon it'd save us considerable time experimenting.


Anything wrong with Binary Eye? https://f-droid.org/packages/de.markusfisch.android.binaryey...

I'm very happy with it


Binary Eye can also be found on the Play Store - I personally check to see if apps are on both to add a bit of confidence; it's not a negative if they're not but a positive +1 if they are co-listed when I'm deciding which widget to use.


> This can have a big impact for end users. Imagine an authenticator app ending service to all their users in such a scheme and how you will be cut out from all your accounts by this. How many authenticator apps do you have to use in parallel to mitigate this risk of a single point of failure?

This right here is a big reason, apart from actual restorable backups, why I root my Android device. Sure it is not required nowadays but it does give a sense of control, if that's the right word.

So many times I had to restore older copies of apps like Chess or even Yoga app. The older apps allowed a functionality (downloadable content for offline view) which was straightup removed in newer versions.

Same for Authenticator or any other app which does things locally.


I, like many other HNers, simply store the secret passphrase & QR code in a separate KeePass database.

Recently the Google Authenticator app added the ability to move all codes to the next phone by displaying a sequence of multiple QR codes, but I coded a simple no-internet, local-storage-only JavaScript app that utilizes the otpauth:// protocol to readily re-add the codes on a new phone https://spa.bydav.in/otp.html


> Apps that offer what should have been offered by the OS vendor in the first place.

Wouldn't that be anti-competitive? Similar situation when Microsoft was including IE on their system that made them a quasi monopolist with subpar product. I'd rather have Google having stricter rules when it comes to malware.


You’re right. How dare Microsoft abuse their monopoly and ship Windows with a clock in the taskbar!

And why stop here? We should open the market for TCP implementations. The status quo is anti-competitive and stifles innovation!


Funny how Microsoft's including a useful tool for you know, getting on the internet, with their OS was the subject of an anti-trust suit just a few decades ago and now it's ok to force users to purchase all apps from the apple store, which takes 30% from every company wanting to sell an app on iOS.


Anti-trust has many fewer teeth than it used to.


> And why stop here? We should open the market for TCP implementations.

_Re-open_. There were, indeed, commercial TCP/IP stacks available for various operating systems until the operating systems started including them.

If we do a comparison with the browser situation, then it would be quite sufficient to allow people to install 3rd party TCP/IP stacks. Does Microsoft prevent that? I honestly don't know myself since I don't really use Windows. :D


I'm just about old enough to remember the versions of Windows which didn't ship with TCP and you had to install "Trumpet Winsock" to get on the Internet. This was silly.

The key to understanding the browser case is that, as MS wanted it, it would have tied client and server and rich application development together, all of which would have necessitated Windows. IE was a threat because of ActiveX.


It wasn't silly. It was third-party software which provided functionality that the OS simply lacked.


Agreed, I lived through those times, TCP/IP was not a thing, until it was. There was no reason for it to be in the OS until it actually became popular and therefore useful.

I used various competing systems before that in Windows/DOS


I think you are absolutely right about how easy it is to fall prey to lots of money for adding a simple payload.

In the early days Wordpress sold use of their domain to black hat seo / spammers.


> Don’t be naive, the majority will accept the money and gladly.

I wouldn't accept it to sneak the change in, but I'd probably be perfectly willing to take their hand off and sell rights to the product. Assuming of course I didn't just delete the message assuming it was some sort of phishing scam or other rather than a genuine offer.

I'd feel obligated to make it known that I'd done this, perhaps via a notification in the app prior to hand-over and in its README. Something along the lines of a normal change of ownership message (copyright has been transferred to X, contact them for further information, future official releases will come from their fork, of course existing open source releases remain open source even if they change licencing arrangements for future releases, yadda yadda). Though we all know how often people just click through notifications, so I'm not sure how much difference that would really make - so if I were a robot I might be considered culpable under the second half of the first law...

If the buyer would walk away if I didn't agree to a more silent sale then I wouldn't touch it. It is a thin line that I won't cross, but still a line I like to think I wouldn't cross. Then again I have the luxury of being relatively comfortable at this point in my life (decent day job at a company which is weathering the current collection of world crises pretty well, the little flat's mortgage nearly paid), for many others out there the financial incentive would be much harder to ignore. I'm not sure that I like that I wouldn't draw my line in a different place, but I'd be dishonest if I tried to claim that I would.


Apps that offer what should have been offered by the OS vendor in the first place.

Bundling can be seen as bad in terms of competition [0], but it can also be good for the user experience. I wonder if these apps go unimplemented for fear of regulation. It might be silly to think of a barcode scanner (or other small utility) in that way, but, if the app is so silly, then is it really worth the risk (not just from regulation, but from having to deal with bugs)?

0 - https://en.wikipedia.org/wiki/United_States_v._Microsoft_Cor....


> Apps that offer what should have been offered by the OS vendor in the first place.

The questions are: how do you decide what is necessary and how do you present it to the user? Different people have different needs and making every "should have been" feature visible ends up making every other feature less visible. That may be fine if you're developing software for a specialist who will take the time to learn a particular application which is relevant to them, but it's a drawback when you're creating software for a general audience since only a handful of enthusiasts will take the time to learn the software.


One or two years ago a Chinese guy contacted me asking me if I wanted to put an app or multiple apps on the AppStore for his company. In return I would receive 1.000 USD per month or so. I found this really suspicious, so I never accepted the offer. I also didn't want to risk getting banned by Apple for an offence like distributing malware.

I wouldn't be surprised if there are app developers that actually do accept these kinds of offers though.


> How many authenticator apps do you have to use in parallel to mitigate this risk of a single point of failure?

Just one, together with alternative forms of 2 factor auth, such as a Yubikey (U2F token) or printed backup codes.


Most apps never need to be updated, problem solved. Especially stuff like barcode scanners, authenticator apps and other apps that I'd call phone infrastructure can just be static from the time of install.


And then the app isn't working anymore due to a newer OS breaking change

Or it's suddenly gone from the App / Play Store


If it's gone from the play store that doesn't matter, you have it installed.

Breaking OS changes are a problem, it's true. Thankfully they basically never happen on phones (certainly if you have a phone that stopped updates ~4-5 years ago it will still work).


You're on HN. You shouldn't say such blatantly false things like

"Thankfully they basically never happen on phones"

There has probably never been a phone OS update that didn't break things. And not in a "technically something broke so haha gotcha! way"

Broken in a "half the apps out there need to be rebuilt with a new SDK version and/or deprecated or there'll be obvious bugs" way


It's true if you don't need to change device. In 3 or 4 years (my usual device lifetime) many non-updated apps are no longer supported on newer OS versions.



You can write down the code for all authenticator entries upon scanning the installation code with a barcode reader app for later reuse :) (I suggest to use fdroid versions for both barcode reader and authenticator anyway to mitigate the issue)


> Imagine an authenticator app ending service

imagine the Android version of Google Authenticator having no way to export data to the iPhone version..

oh wait..


> Imagine an authenticator app

I will imagine that anyone who creates an authenticator is half-decent enough to NOT take that bribe and serve the greater good.

I will also imagine that when people install authenticators, they would NOT trust one from HenryBemis but only from sources that they recognize (Google, Microsoft, Yubikey, etc.)

It always amazes me how come all smartphone OS creators switch every connectivity option to ON by default on every new app installation. It would take a user another 3-4 seconds per app installation to prompt the user whether they want this app to access Wifi/Data/Background/Roaming. In the same sense as the OS asks you whether you allow access to Calendar, Contacts, Camera, etc. At least half my apps on my Android do NOT need access to the internet to function. They may 'want', but definitely not need.


> I will imagine that anyone who creates an authenticator is half-decent enough to NOT take that bribe and serve the greater good.

Dear HenryBemis,

As the CEO of TRC, I would like to extend you an offer to purchase the source and distribution rights to your app, SummerChildAuthenticator, in the form of $500,000 (five hundred thousand US dollars). We are a fast growing SV startup that wants to make it easier for people to secure their papers and money on-line. We have developed a streamlined, easy-to-use user interface for authenticator applications and are looking for a way to quickly put it in front of a wide audience. We believe that your SummerChildAuthenticator, with its established base of over 50 000 users, is the gateway we are looking for.

If you are interested in this offer, please reply to this e-mail.

Sincerely yours,

TeMPOraL, CEO, TRC

<smallfont>Temporal's Rackets and Cons is a startup registered in Southern Vescillo, Arstotzka.</smallfont>

--

You think to yourself: "this is a good deal! The app is unlikely to grow more, it isn't making you any money anyway. Here is this hot new startup with great ideas, what's the worst that could happen? They'll just inject an ad here and there. Meanwhile, I have medical expenses, and..."

So you agree, and I take your app, and run a "growth hacking" campaign on Reddit to blow its userbase up to 500 000 people, and then proceed with my main business plan, which is selling access to OTP codes to the mob running phishing scams.

(Oh, dear reader, you've noticed Arstotzka and thought I'll be selling data to evil government? Nope, we registered there only because it'll make it mighty hard for anyone to sue us.)


I hear you.

Any developer knows/understands if the offer comes from a legit source or scumbag. I cannot make other people's choices for them. My answer would be 'no' even for 100k, BUT I am in HN and I suggest people get off facebook and google because they are privacy nightmares (also certified in a couple of audit/security areas - so there's that). Btw I did have an app on Apple store, target audience was children (3-6 years old), it did OK, I just didn't have the time to keep it around (for the little revenue it was bringing). It worked 100% offline, no tracking, no ads, no nothing. I have a free version as a sample and the full version at $0.99. I chose to sell than help the ad beast grow bigger and track children more.

But that is just me. $50k is a serious amount but it won't make me or break me. For some other parts of the world, where a monthly salary may be $200.....


I did offer $500k though, not $50k :).

And while I don't think you personally will sell out like this, I wanted to highlight that a) it's easy to make such an offer sound legit enough (particularly to developers with little experience with the world at large), and b) an Authenticator app is a perfectly valid target for such an offer. I'd even say it's a more lucrative target than most.


You cannot trust established players either. For instance, cheaper Samsung phones ship with a lot of shady software, as I found out helping relatives.

And a lot of reputable software companies have sold out to peddling adware. Adobe is one, and there are a lot of others. Abandoned shareware or open source often resurface with adware installers.


https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk...

> When inserted into a computer, the CDs installed one of two pieces of software which provided a form of digital rights management (DRM) by modifying the operating system to interfere with CD copying. Neither program could easily be uninstalled, and they created vulnerabilities that were exploited by unrelated malware. One of the programs would install and "phone home" with reports on the user's private listening habits - even if the user refused its end-user license agreement (EULA), while the other was not mentioned in the EULA at all. Both programs contained code from several pieces of copylefted free software in an apparent infringement of copyright, and configured the operating system to hide the software's existence, leading to both programs being classified as rootkits.

> on about 22 million CDs

https://en.wikipedia.org/wiki/Superfish

> The installation included a universal self-signed certificate authority; the certificate authority allows a man-in-the-middle attack to introduce ads even on encrypted pages. The certificate authority had the same private key across laptops; this allows third-party eavesdroppers to intercept or modify HTTPS secure communications without triggering browser warnings by either extracting the private key or using a self-signed certificate.


> It would take a use another 3-4 seconds per app installation to prompt the user

Ah yes, I too remember Firefox OS. Good times.


Sadly, the permissions-by-default problem is not unique to Android. I bought a new iPhone a couple of years ago and spent nearly an hour straight away just turning off all the junk I didn't want. That is now the way of the world, if all you want is a phone for communications and running a small number of essential apps because too many organisations now assume everyone will have a smartphone.

I suppose I should be grateful that I can turn off a lot of permissions for apps at all these days, unlike the malware built into recent versions of the major desktop operating systems. :-(


The only reason this was detected was very overt behavior - opening ad popups. So I guesstimate for each one of these we have 10 that go undetected. This means the whole ecosystem is broken, as there is no reason this will happen only for updates and not for new apps as well. Apple's ecosystem is somewhat better, but I can't imagine they go through every line of code in each package, so most of their review is probably done with some combination of automatic static and dynamic analysis, and these can be fooled. The problem with both platforms is that they don't provide run of the mill users the option of installing an effective firewall and security solutions.


This happened on iOS for me years ago.

I had two apps that radically changed their business model (owner?) through updates with no recourse.

I had an app called gas cubby, which let me locally - on the phone - keep track of all my vehicles. I could enter detailed information about each car such as year, make, model, vin, insurance policy, gas purchases, oil changes and the like. It would tell you gas mileage and remind you of upcoming maintenance. One day, I updated the app and all my local data was uploaded to the cloud.

Another app I updated was CamScanner from Tencent that basically did the same thing. Think of all the PDFs you scan going to their cloud.


I've been writing apps for a long time. They are usually free/Tier 1 apps.

A while back, I was approached by a [NATION OBFUSCATED] developer, asking to buy up one of my older apps (they are all open-source).

I ignored the request, and reported the approach to Apple, as I'm sure that this actor has been doing the same for many other apps.

This is apparently a common method for malware-slingers. They buy established, older apps, that they assume the developer has abandoned (I hadn't abandoned it, but it's a simple app that hardly ever needs tweaking. If I stop supporting an app, I remove it from the store).

They then "update" the app, with a little "extra flavoring."


> One day, I updated the app and all my local data was uploaded to the cloud

This happened to me with Chrome. It auto-updated, then automatically synced browser history, passwords, and who knows what else, to Google. They soon changed it to opt-in sync, but it was too late for me at that point; they had already hoovered up my personal data. That was when I stopped using Chrome and switched fully to Firefox.


Camscanner was a blatant bait and switch. When I first started using it, I paid for a license to get full functionality with no ads/watermarks/etc. Magically, years later I got reverted to the ad-supported/free version, and my license was nowhere to be found. This was at the same time they moved to "cloud features" and a subscription model. Their reviews are littered with people having the same issue and the developer copy-pasting some response that doesn't work.


I haven't had this issue with Camscanner, but I've had it with other apps. One outright disappeared from my library, as if I have never had it installed.


Yeah, this is one reason why I can't take mobile app end to end encryption, or client side only, claims seriously. A single update at any time could undermine all of that

And secondly, they or an analytics package can just read everything client side and upload it to a server anyway

Doesn't matter if it's WhatsApp, or Signal, or some ProtonMail client if such a thing exists

I just don't use them with that assurance in mind, I use them for other things.


>yeah this is one reason why I can't take mobile app end to end encryption, or client side only, claims seriously.

If it's a large company like Facebook that values these products like WhatsApp at billions I trust them at least on this issue. I'm pretty sure they're not going to put junk third party malware for 50k into the WhatsApp client.

This is mostly an issue for apps done by individual developers who have huge incentive to take these deals, like the barcode scanner in question.


They've been sideloading with React Native, allowing updates even for people without automatic updates enabled, and have abused enterprise/privileged developer keys which allows access to additional parts of the system. I just don't see how you can draw that conclusion.

I use the apps for other things, not for any assurance of privacy.


> I trust them

You literally mentioned a company that betrayed trust so bad a government tried to call them to account.


Are people capable of enough nuance to distinguish between issues that large tech firms are likely trustworthy on and issues that they aren't?

When they stand to make billions from breaking my trust I'm sceptical. When they stand to make a penny and ruin their entire product, then no, I'm not.

The problem in question here, that rogue developers sell out their product to third parties, is not an issue that Facebook, Google etc have. They have every incentive to keep their software secure.


A betrayal of trust will not "ruin their entire product", we've already seen that it won't (no matter the scale). Believing a small betrayal to be worse than a big one is your right, but that doesn't mean it isn't naive.


Your whole premise is based on a very arbitrarily low value of collecting your plain text data? From a company that is a machine built for monetizing this specific thing? And that they won't because their users care about trust too much, users of Facebook products but specifically WhatsApp? And you think the rest of us aren't compartmentalizing our issues with that company enough?

this is.... I’m speechless, I ran out of words for this absurdity


I get what you're saying, but it's funny because what the dodgy small players do with the data is actually sell it to facebook. You're just cutting out the middleman here.


>If it's a large company like Facebook that values these products like Whatsapp at billions I trust them at least on this issue. I'm pretty sure they're not going to put junk third party malware for 50k into the Whatsapp client.

Zuck: They "trust me"

Zuck: Dumb fucks.


That's a one dimensional way to think.

You may not be able to trust Facebook with your privacy, but you can trust them not to install malware that swipes your bitcoins.

That being said, I despise the current state of affairs with cellphones. I don't like needing to trust any corp. I'm jumping to a Linux native phone when my current device dies.


>you can trust them not to install a malware that swipes your bitcoins

Sure, they might not take malware that swipes my crypto, but I wouldn't put it past them to take malware that uses my resources to mine for crypto. What is the downside for them?


School tried to make me use camscanner, glad I took the extra effort to do something else. Thanks for the anecdote.


Try OpenScan, open source document scanner app...

Source: I am a user


Thank you. Unfortunately, it seems that OpenScan does not have the feature to straighten out photographed documents. Camscanner has its own camera app, which has features specific to photographing documents.


I absolutely love Camscanner, and I have been for over a year on the old version because I refuse to update to the new version which requires network permissions. I exactly suspected this is why it needs those permissions.

To what did you switch? Camscanner is otherwise an excellent app, especially for combining multiple images and straightening them out.


Not OP, but I switched to using Microsoft Office Lens.


Thank you! This one seems to have the features of Camscanner that I use: straightening documents and combining multiple images into a single PDF.


I just continue to use the Brother scanner in the other room. I don't recommend Brother, they updated the software and somehow took away features.


Unfortunately the HP scanner doesn't fit into my meeting bag!


Adobe Scan is a solid option as well.


Adobe has lost my trust years ago, and I see that viewpoint vilified often enough to never use Adobe software again. The only Adobe product that I still use is Magento, and only that on client sites. I would love to find a non-Adobe alternative.


> This happened on ios for me years ago.

Neither of the 2 scenarios you describe are even remotely what's happened here. Not sure how you got from 'malicious ad popups' to 'app added cloud feature'.


I gave Slacker Radio the big heave-ho when they decided they wanted to help themselves to my contact list. They did that just before I was about to pony up for a paid subscription. Bullet dodged.


You probably overestimate Apple here. I'm pretty sure you can do a lot of fuckery with WebView, JavaScript and an innocent-looking API and feature flags in JS that gets swapped for bad behavior remotely after the review process is complete.


> The problem with both platforms is that they don't provide run of the mill users the option of installing an effective firewall and security solutions.

Google does allow no-root firewalls on the PlayStore which rely on VPN APIs. Here are some open source ones: https://www.reddit.com/r/androidapps/comments/jhtvn4/a_list_...


I stick to the F-Droid Android app store. It asks developers to submit their code, which gets compiled by the F-Droid team. Apps with proprietary code are flagged.

A few QR code apps from F-Droid:

https://f-droid.org/en/packages/com.example.barcodescanner/

https://f-droid.org/en/packages/com.secuso.privacyFriendlyCo...


Open source apps can absolutely have trackers in them. F-Droid isn't a security solution by any measure. I have inspected the code of at least one popular "privacy" app that absolutely tracks its users out in the open (I mean, the code is right there on GitHub), yet I see repeatedly that app (and F-Droid) being touted as some elixir that fixes security and privacy for one and all. It doesn't. Don't place your trust in F-Droid apps blindly, and more importantly, refrain from blanket advocating F-Droid apps as a security / privacy panacea.

What I do instead is monitor Android's traffic with a LittleSnitch-esque firewall and block all apps I don't use. Also, I've disabled auto-updates on non-essential apps. Only Photos, Maps, Chrome, and Firefox are allowed to auto update on my Android.


Were the trackers already labeled in F-droid? They maintain a list of these anti features for all apps. If not, when you reported your findings to F-Droid, did they flag the app as having trackers at that time?

Nobody said blanket trust anything. F-Droid is a community project with a framework that allows for disclosing user hostile behavior in apps. By using it and paying attention, we can all make it even better - the exact opposite of Google, whose incentives do not align at all with these goals.


F-droid flags apps that have known anti-features. Using Open source software is a very significant security solution.


(F)OSS by itself is not a security solution. Largely because you can't "solve" security.

There are plenty of insecure open source apps. To deny that would be to deny tons of security-related CVEs.

Yes, open source software is easier to audit, but does nothing to a) make those audits actually happen (frequently enough), nor b) improves the quality of those audits.

i.e. just because I have access to information does not validate that information. Work still has to be done.


FLOSS may have security vulnerabilities, just like any other software. An OSS Android app which has no anti-feature flags on F-Droid, with intrusive advertisements or malware behavior deliberately implemented by its own developer, is something I have never heard about.

The same can't be said about 'free' (or sometimes even paid) proprietary apps from play store.


It would be more compelling if you actually mentioned what app you've found that's so naughty.


It's manually curated and generally flags such things as anti-features if found, and I'd believe them more than some tensorflow_script_to_detect_malware.py


I wouldn't depend on F-Droid or FOSS as a measure of security. Of course, I get that F-Droid is run by volunteers, but I hope no one is spreading the notion that the F-Droid apps are magically uber secure and private or anything.


I wasn't clear. What I said was comparative.


What open source gives you is an audit trail, which is helpful but not sufficient. You still need to be able to trace malicious code to actual individuals. Then you need the ability to punish those individuals, ideally through criminal prosecution.


What app are you talking about specifically?



Why is Nebulo not on F-Droid?


It is on the main developer's F-Droid repo: https://github.com/Ch4t4r/Nebulo#f-droid


I do like the F-Droid review process; private repos do not have that.


Ah, thanks!


Same here. The first one is also installable from Google Play with a different package name however:

https://play.google.com/store/apps/details?id=org.barcodesca...

It also uses the ZXing library. It does not contain any tracking or ad SDKs per the Exodus report:

https://reports.exodus-privacy.eu.org/en/reports/org.barcode...



I once tried to get my app in F-Droid, but they refused, because they did not want to install the dependencies because the dependencies were too big. Turns out you cannot compile something without dependencies. I wrote my app in FPC/Lazarus to make a truly cross platform app that runs natively on anything from a Raspberry Pi to Windows 2000, and they did not like that tech stack.


Both recommended apps use the ZXing library. So it is a small world, and if someone takes over ZXing (assuming that it is not malicious right now), then all apps become infected. Otherwise no security and bugfixes, no improvements, no version upgrades... who knows how long this library will work?


Additionally you can have two/three separate phones, linked to separate accounts for different purposes. I keep one phone separate for phone gaming.


I recently noticed that the "Barcode Scanner" app by ZXing (https://play.google.com/store/apps/details?id=com.google.zxi...) was being review-bombed with 1* reviews. People were talking about the "recent update", even though the last update is from February 2019. As far as I know, that app is open source and never contained ads. (Of course, without reproducible builds, we'll never know for sure.)

Was ZXing also hit by some issue, or is that just confused people that mistook the ZXing barcode scanner for the Lavabird barcode scanner?

In the comments of the article, someone wrote:

> The Zxing project is the flagship open source barcode scanner project for many years, and the December 2020 build was infected with malware. That bad build has been removed, of course, but the damage to the project continues.

Is there any further information on this?


Probably the people responsible for the malware barcode scanner have other scanner apps in the game and are trying to prevent users of their app from installing the FOSS app and living happily ever after.


Yep, fake reviews by malware-ridden competitors was also one of my thoughts. But there's this motto "don't attribute to malice what can be attributed to stupidity".

It could also be both of course.


https://github.com/zxing/zxing/issues/1345

The dev says the app hasn't been updated since 2019.


To be clear: "the December 2020 build was infected with malware" only refers to the Lavabird barcode scanner and not other apps (that use the ZXing library or not).


Stallman calls autoupdates a "universal backdoor".


I used to think he was "crazy" and I disregarded a lot of what he said. Recently I was reading the FSF website and I realized a lot of the stuff on there is actually full of some pretty good points, even if it's sometimes presented in a slightly "judgemental" or perhaps emotionally-charged manner. Some of the statements might not be 100% perfectly factually precise, but the gist of them is generally on-point. I have recently been a LOT more cognizant of the ways that corporations and software outfits exert control over the people who use their software. Now that I see it more, and look for it more, I am getting suuuper unhappy with the current state of computing. :( A lot of the complaints I've had about software and computers in the recent years are generally the direct result of the software motivations of for-profit/proprietary software vendors. I can still use all the OSS stuff just as I always have, and it's actually the most stable and reliable stuff I use.


I've seen Stallman live, and in many interviews. The guy is in fact "crazy" in a loose sense. Really. Unfortunately, he is also often right. It's not a useful combination.


He is right in a sense, and cases like this give him proof, but on the other hand, most people don't see the point in patching their software. They'd just keep it around unpatched, while connecting it to the network. Is millions of vulnerable devices better than giving vendors of some software the ability to remotely patch their software?


I use iOS and have app auto-updates disabled (not the system update). We are at a point where auto-updates are more risky than the security flaw itself - especially since iOS has a pretty good sandbox, especially since it's impossible for one app to access the data of another. Additionally, the app usually connects to a pretty limited set of servers, and is not publicly reachable. So the attack vector is pretty small.

Another point is the often complete change in UI or app behavior that you only find out about when you want it the least. I once had the case where I came out of a bar in the middle of a cold night, tired, had some beers and just wanted to use my bike-sharing app to unlock a free-floating bike to get home - whilst the app decided that it had to introduce a completely new UI and forced me to take an unskippable "guided tour" through the new features right on the spot.


> We are at a point where auto-updates are more risky than the security flaw itself - especially since iOS has a pretty good sandbox, especially since it's impossible for one app to access the data of another. Additionally, the app usually connects to a pretty limited set of servers, and is not publicly reachable. So the attack vector is pretty small.

I'd have to say that most apps now connect to a rather large number of hosts/servers, and it's getting increasingly untenable to not offer users proper control of this. I get that Apple wants to be "friendly computers", but looking at my firewall logs I'm seeing:

- third party audience segmenting
- third party analytics
- third party static content being fetched
- third party ad networks
- first or third party generic cloud server connections

I think the attack vector on apps is quite significant if you consider the app itself to have been built to monetize data - there's no outbound traffic filtering to check the system isn't leeching user data and/or device identifiers (the latter getting better and hopefully Apple will require consent soon for the ID for advertisers).

It's trivial to make an app that leeches a user's contacts regularly to a server, then does anything the developer feels like to build a social graph. See clubhouse. I fear the biggest issue for most users' privacy are the "legitimate" apps they use simply not being built with incentives aligned with their interests, and having access to phone home to any server with anything they can access.


> there's no outbound traffic filtering to check the system isn't leeching user data and/or device identifiers

But there is the iOS sandbox FS. So if an app gets exploited, it can only ever leech the data from exactly THAT app. Just the same as an auto-update might just start to leech and upload that data. Given the real-world practices, I think it is more likely an app creator chooses to upload the data than some malicious hacker doing it.

> It's trivial to make an app that leeches a user's contacts regularly to a server

On iOS this is not possible - either the app requests access to the contacts list and then I have to consent via iOS sandbox features, or it doesn't get access. And if I didn't give this consent, any security hole that exploits the app will need to get that consent too (which I will not give).


From a technical perspective, you're of course right.

I fear however that the majority of "regular users" are being coerced into giving consent without realising what is happening - seeing the number of people end up in a FOMO-induced panic to join Clubhouse (or whatever the next big popular phone number based app is), a simple "give access to your contacts to invite a friend" masks the fact that the app uploads your contacts to the server every time you open the invite tab.

It feels we need to address coercive practices or at least try to do some kind of taint analysis to allow iOS to alert that it believes the memory buffer about to go into a networking API originates from a permission-protected memory buffer, and are you sure you want to let the app upload your contacts... But I suspect we just end up shifting the problem, and they coerce users again, ad infinitum, until they harvest their social graph (illegally, at least in Europe/UK).


> hopefully Apple will require consent soon for the ID for advertisers

Just think through the implications of that phrase for a moment, though. Your own device comes with a built-in mechanism specifically designed for advertisers to track you. Why was that ever a good idea in the first place?


Agreed - it really is absurd. One time I tried to design as a thought experiment a "platform" where each execution environment of the app was absolutely indistinguishable from any other.

Unfortunately to make it work you can't give it network access (easily, at least). But you have a whole host of stuff in /proc and /sys that you also need to block (at least on Android) - there's just too much unique per-device information available to apps. Clearly ensuring runtimes are indistinguishable was never a design goal (as some simple chroot'ing together a virtual filesystem would help to prevent a lot of this, as long as the APIs are limited enough).

But alas, when your phone OS comes from an adtech company, that is probably a hint they are not interested in making it indistinguishable from others.


Such mechanisms have already existed and never needed OS-level sanction. It’s pretty clear that Apple is employing the strategy of “embrace, extend, extinguish” against tracking and privacy compromising dark patterns. In other words, force developers to use a special API, then give consumers the ability to block it. The current stoush with Facebook is only the most formidable hurdle Apple has encountered so far.


That is the usual argument, but I don't see how it stands up to scrutiny.

Either there are alternative ways to track a user of an Apple device without IDFA or there are not. If there are, then it is reasonable to assume that unethical advertisers will return to using them if their access to IDFA is gated.

So, whether or not IDFA exists, the only robust way to protect users is to block apps from having access to anything about the host device that implicitly provides a unique method of identifying the user.

This is what other platforms have been trying to achieve. For example, in the web browser ecosystem, software has been restricting programmatic access to features that can be used for fingerprinting or deliberately reducing the level of detail exposed by some APIs.

With control of the entire ecosystem, why is Apple not better placed to adopt this strategy than anyone else, and whether or not Apple is technically capable of achieving the perfect result, how does introducing IDFA make any difference?


It does seem like when IDFA goes, apps will be struggling for identifiers, at least on iOS. I've seen a few articles suggesting they will be back to trying to fingerprint devices (in manners that break the App Store terms of service).

I agree entirely - it seems that the solution going forwards is to prevent any access to any kind of persistent identifier that is part of the runtime environment. This might get in the way of some security mitigations (which seem pretty weak to begin with) and some monetisation models (i.e. enabling pervasive tracking across apps), but the end result feels more "clean" and like users would expect - the app runs in a sandbox where there's no access to anything to distinguish the app from any other instance of it.

Clearly keeping this up at the network level is far harder (and some app developers will probably fall back to using the WAN IP and other factors), but perhaps there are even solutions here - perhaps TCP relay servers mix user traffic (while leaving it HTTPS-protected) to prevent services from seeing user IPs, and a virtual network interface internally in the runtime ensures apps only see an IP of 10.0.0.1.

It seems a worthy goal to try to ensure that runtime environments are indistinguishable, at least to end cross-service ad tracking once and for all. Handling it within apps probably comes down to policy - not sure any technical mitigations can prevent this while apps remain Turing complete (as they can simply store their own identifier).


> I don't see how it stands up to scrutiny.

That would be premature. Nobody is in a position to know how the "extinguish" portion of the plan will turn out because it hasn't happened yet. All we can say is that the plan looks quite robust in theory and would be a significant coup for Apple if they can pull it off.

Obviously there will always be some unethical operators, but that is true of all major platforms. Apple has the benefit of top-down control and some amount of market incentive to get it right.

> For example, in the web browser ecosystem

...there is precious little to block effective fingerprinting of 99%+ of installs and little prospect of that changing.


There's a third possibility, and I think it's Stallman's ideal computing landscape: all users care deeply about the code running on their machines and they are competent in applying and vetting patches, building from source, etc. It's unrealistic, sure, but it sounds nice right about now.


I think back when he posted it, it might have been possible for sufficiently motivated and talented individuals to do such vetting, albeit even then it would have been a stretch. Nowadays the amount of code running on various devices in a single home has increased so dramatically...

Think of TV remotes. They used to work with infrared. Nowadays, there are Bluetooth remotes (not sure how widely deployed they are, but at least some vendors offer them instead of IR remotes). An infrared device can be send-only. No way to hack it even if you have an infrared sender in range. The pattern transmitted was quite simple. The Bluetooth protocol however requires both sending and receiving ability. A Bluetooth stack is in the tens of thousands of lines range. There will be a security bug somewhere...


This TV remote example gets exactly to the point: What do you think is more likely, a malicious hacker driving a van and parking in front of your house? Just to exploit the TV remote via Bluetooth, a device that has no sensitive data, is not connected to the internet and can only be used to make TV inputs like switching channels? Or rather that your TV vendor like Samsung or LG decides one day that they offer a firmware "update" that will log what you watch on the TV, upload screenshots of the device and installed apps to the cloud and sell them to 3rd parties? My bet is on the latter, and it exactly makes the point that auto-update is more dangerous than having a security flaw in a Bluetooth TV remote.


I agree it's unrealistic, but I think Stallman and many others like him would rather forego the benefits of a Bluetooth remote than embrace the status quo.

OpenBSD for instance, was recently discussed on here for dropping a Bluetooth stack over concerns about the correctness of the implementation, and no one has bothered to write a better one.


I don't think it was ever Stallman's point. He is smart enough to recognize most users aren't going to be technically competent.

He's also smart enough to recognize that most people are going to have someone technically competent in their circle of friends, or within a few minutes of walking distance. So people need a set of rights that will allow them to ask or hire someone else to care for their computing. In this sense, Free Software is like Right to Repair - it isn't about making individuals technically competent; it's about enabling local markets of specialists.


Not everybody needs to do that, but then you need to rely on people you can trust. Of course we already do that to some extent in app stores: I don't install something from unknown developers that requires all sorts of permissions it shouldn't need, I do install from developers I think I can trust. But if I don't trust them, I lack the ability to inspect their code. That's indeed the big thing that's lacking.


We need a culture that distinguishes between truly necessary updates like security ones and general updates that change functionality and interfaces. One type is essential and we want to encourage everyone to install those promptly. The other should always be optional and the changes being made should always be transparent. Bundling the two is a common but user-hostile behaviour.

This separation should be the price of admission for software developers who want to use online updates, and by now there is probably a need for real laws to regulate the industry since firstly it is very clear that it will not regulate itself effectively and secondly it is no longer just random applications but essentials like operating systems, web browsers and even the software controlling your car that are being treated in this cavalier way.


This would be nice, but a developer could still publish a malicious update as an important security fix.

Also it gets very hard for developers to keep track of past versions and apply new fixes to them, when they also have to apply fixes to the new versions.


> Also it gets very hard for developers to keep track of past versions and apply new fixes to them, when they also have to apply fixes to the new versions.

Then maybe they release too often?

I have been developing software professionally for a long time, much of it code that needed to be high quality. I have never worked on such a team that couldn't keep track of its own software, often over a period of years or even decades, and backport fixes when necessary.

Yes, it's less convenient for the developers than just having a single version that users are forced to update constantly if they want fixes. But it is achievable if you drop the pretence that every minor change in functionality or appearance must be pushed into production instantly through some CD system, which is of course a luxury that only those running hosted software have anyway.


And even when you choose to only manually upgrade, carefully looking at the changelog, it just says "Bugs fixed."

The Play Store doesn't give enough information to really judge if the upgrade is necessary.


"Bug fixes and performance improvements". ~Airbnb


My Nokia 7.2 has had so many performance improvement updates I fully expect it to be faster than the latest iPhone flagship.


Maybe I'm a luddite but updates are not always necessary. It's a barcode app, what updates does it need? Is there a CVE that needs to be patched? No? Then I don't need a new version.


I’m usually like this. Then my bank’s app refused to launch until I updated.

They re-designed it. When I went to click my usual “schedule payment” button on a bill payment, it just said “Coming Soon”.

I wasn’t a happy person about it.

Big Canadian bank too. US$65b mkt cap.


I never use my bank app because I don't fully trust my phone but they redesigned their website to be more mobile friendly. Now I can only see 10 operations at once instead of 30 before, and I can no longer sort by amount...

When I complained 2 years ago about it my banker told me to participate in their feedback program... Now they send me market research polls about future products and features, no way to report usability issues, it's not even run by the bank itself...


Financial services companies do seem to be particularly bad when it comes to UIs for their customers. Both awful apps and broken "mobile-first" sites seem to be par for the course these days. A few do try to do better, but the reality is that most people don't change banks for much more serious reasons than this, so the banks have a financial incentive to just throw some mostly workable junk together and ship it as cheaply as possible. :-(


> Big Canadian bank too. US$65b mkt cap.

Well then, let me tell you about Toronto Dominion bank (TD, market cap ~$105B)

The app allows you to photograph a cheque to deposit from the app. This option is displayed for their TD USD chequing account.

I scanned a cheque from a US bank in the app (to deposit into my USD chequing account), only to be informed that cheques from US banks cannot be deposited using the app and that I'd have to go to a branch.

The same app is missing transactions and does not correctly display the current balance of some accounts (which are correctly shown in EasyWeb). The app has also blocked screenshots, so I was unable to provide their customer support with proof of the missing transactions.

Call me entitled, but I would expect all transactions and current account balances visible in the web interface to be accurately reflected in the bank's official app.

If you have ever experienced N26, Revolut, or any number of European "FinTech" banks, you will understand that Canadian banks are busy banging rocks together while telling you they're hot shit.


> I scanned a cheque from a US bank in the app (to deposit into my USD chequing account), only to be informed that cheques from US banks cannot be deposited using the app and that I'd have to go to a branch.

Dunno if Canadian banks would be game for this, but back when AdSense only mailed cheques in US$, and inexplicably refused to e-deposit to my US-based bank account, I’d mail my cheques in.


It’s a bank app. Keep your bank apps up to date.

Complain about updates all you want but not keeping your bank apps up to date is the wrong solution.


Generally the apk can be decompiled and the protections stripped if it really bothers you to update.


"is there a CVE" is not a question that regular people can, will, or in my opinion even should ask.

I mean, if they do, all the better, but my point is that advanced enough tech knowledge should not be a requirement for a safe system.


Better scanning in low light, better error correction in code recognition, ability to recognise codes from a further distance, faster capture of codes, more options of what to do with the resulting data, reduced power usage while scanning, better user interface choices (e.g. updating to support more devices or matching new platform UI), ability to interface with external barcode scanners, better privacy protections for the user, reduction in overall package size, etc etc etc.

There’s always more things you can do to a product to improve it for its users.


Basically all phones are behind a NAT/firewall. You can't connect to them directly.


They can connect to whatever they want, it's more than enough.


Plus many services can send push messages to the phone. E.g. Whatsapp. Bezos for example was hacked through a Whatsapp message containing an exploit.


On my home WiFi, my phone is on IPv6, and therefore not behind NAT (it is on a NAT address for IPv4, though). I've not done any super-geeky things to enable this, it's a standard router from a mainstream internet provider.

Pinging the IPv6 address from outside doesn't seem to work - I guess there is some sort of firewalling going on.


Until they turn on ADB, then it's a free for all.

https://www.bleepingcomputer.com/news/security/tens-of-thous...


> He is right in a sense, and cases like this give him proof, but on the other hand, most people don't see the point in patching their software.

We are not talking about patching. We are talking about updating.

> They'd just keep it around unpatched, while connecting it to the network. Is millions of vulnerable devices better than giving vendors of some software the ability to remotely patch their software?

Yes. Vendors do not patch their SW. For the average SW developer fixing bugs is like castor oil. Remember the forced transition from Win 7 to Win 10 when a good OS was replaced by an abomination? And no, 10 is not better security-wise than 7. There are a lot of RCEs in 10. Did you ever play an EA game? With Origin doing a 4GB update before playing? On a 25 Mbps internet connection?

So for me, if you have a security patch for your SW I will apply it. Maybe after some buffer period in the case of known offenders (MS) depending on severity. If it's "performance and usability improvements" just forget it. If you didn't bother to write a changelog for your SW I will not waste my time and money (an internet connection is not free) updating it.


What stops them bundling something malicious into the “security patch” and then not writing it into the change log?


Traditionally, when someone deliberately does something that causes significant harm to someone else, we address that by giving them a chance to defend their actions in court and if their defence is not acceptable we penalise them. It is strange how easily we forget normal behaviour as soon as technology comes into the picture.

If you had a shower fan/light that broke, and the manufacturer supplied a new model to replace it that had a working fan but no light and also an undisclosed camera and connectivity that sent everything it saw home to the manufacturer, no-one would be debating the situation. People would be going to jail.


App review... maybe? But the review (especially on Android) would have to be much more careful than it is nowadays...


> We are not talking about patching. We are talking about updating.

No, he's talking about all auto updates. Here's the interview with the quote in question: https://archive.org/details/LundukeHourApril14RMS


Stallman is almost always right but nothing he says is particularly surprising or useful.

Yes, auto updates allow delivery of malware but it's not like manual updating was any better. No user was auditing changes before hitting the update.


Give a user a choice though, and they dismiss the update notification because it's naggy and annoying and usually involves restarting your app or OS (I'm mainly thinking of operating systems here).

Microsoft went in hard / aggressively and are forcing update installs and restarts, which IMO is going the wrong direction.

Wasn't there a Linux project where they could update the OS / kernel without a restart? I feel like this is what all OSes should aim for. I like to think Android is going in one direction, moving shared libraries (Play Services) outside of the core OS so it can be updated independently.


> Give a user a choice though, and they dismiss the update notification because it's naggy and annoying and usually involves restarting your app or OS (I'm mainly thinking of operating systems here).

...or because it doesn't justify its right to be there. As a user, the updates mean to me a high probability of getting more bloated, less usable app with important functionality moved or missing. The security implications are abstract. The usability impact is real.


> Wasn't there a Linux project where they could update the OS / kernel without a restart?

Ubuntu? Last time I updated, they asked me if I wanted to start using Livepatch, so it seems pretty integrated: https://ubuntu.com/security/livepatch

(though I'm horrible at noticing the critical battery warnings so I get frequent reboots for free – but that method wouldn't work on Windows which installs updates on shutdown!)


Windows is in an even worse position because of NTFS file locking shenanigans. A lot of the time you can't even update the userspace without rebooting.


> update the OS / kernel without a restart

https://wiki.archlinux.org/index.php/Kernel_live_patching


But if you were slow updating you could avoid a malware once it was known.


Also if you were slow updating, you could avoid critical security patches (and many people did)


Which affect the OS mostly and not individual apps. Funnily enough OS updates are usually not automatic. Which I think is a good thing because vendors keep mixing them with "feature updates" which end up making things worse (looking at you Samsung).

I'd love for Google to take away the security update channel from the phone vendors and auto-update ONLY security-related things through that.


So what happens if you are on an old version, a security issue is discovered, but they only fix it in the new version?


Yeah and missing security updates was WAY more common, autoupdates is the lesser of the two evils by far ...


Who will detect the malware if we are all slow to update?


The early adopters. There are always people that will weigh the risk of latest & greatest vs buggy differently; it should be a choice. Especially for apps that don't have a beta testing or early bird channel.


I didn’t know that automatic app updates could be turned off until I just tried it now in iOS, thanks! Just a side note but think that Google and Apple took way too long to provide built in apps for using your phone as a flashlight or scanning a QR code. They allowed this malware cottage industry to flourish.


iOS these days also grants Apple full automatic OS updates by default, too.

You can turn it off, but you have to dig in settings. During initial iOS 14 setup it has a screen telling you it's turning autoupdates on, but you're not allowed to opt out there.

Unattended upgrades are a remote code execution vulnerability.


I was 100% impacted by this. I've used that barcode scanner app for pretty much forever. I can't be 100% certain, but it's one of the first apps I ever installed on my first android phone (around '08/'09). It was what I directed other people to since all the other barcode scanners had ads.

Around the end of December I started seeing web page notifications after my phone had been locked for a while. I clear those and it goes away for a day or so. I originally attributed it to an open tab, or some site that I had inadvertently enabled notifications for. It took me a few days of seeing these and checking browsers to realize it was more, so I started checking apps recently installed. I even installed Malwarebytes to do a scan, found nothing. There were three recently updated, including Barcode Scanner. I opened that and Malwarebytes immediately flagged it. So the scanner seemed to know about it at that time, but couldn't detect it until you actually opened the application.

I used to have Theft Aware before it got bought by Avast, and I tried Lookout some years ago. But it was this incident that finally convinced me to install and keep an anti-malware app on my phone. I've also disabled app updates from the Play Store.

EDIT: Mine was by "The Space Team", not the one listed in the article. Seems like a number of barcode scanner apps were targeted recently.


Two words for you:

Buy iPhone.

I know some people hate Apple but these type of things never happen or so rare. I hear android malware very often though.


Three words:

Buy Nokia 3310.

These types of things literally never happen.

Or maybe people have a lot of reasons for why they chose what they chose and this isn't productive.


Well... maybe Linux phones can catch up/have a market... at least code goes through the specific distro checks eg. Mobian if by apt


Were you using the app from ZXing team https://play.google.com/store/apps/details?id=com.google.zxi... app? Because this app was last updated in 2018, has a generic name Barcode Scanner, & has attracted hundreds of reviews like yours saying App was updated recently, & now causes Web Ads.

For a counterpoint, I have also been using this app since 2016, & have all apps on auto update, & have never received any web ad popup or notification because of this or any app.


The ZXing app is in fact the one I've had since "the dawn of android". But when I switched phones a couple years ago, I had apparently installed the one by the Space Team[1].

It took me a bit of digging to make the distinction. I have both of them listed in my App Library, and both with the same name. At some point, I believe I went to install ZXing on a new phone and Android warned me that the app may be incompatible, so I went to the space team one. It makes sense that if people aren't looking directly in their app library that they can get these mixed up and leave the bad reviews.

However, since the space team version got infected, I did try the ZXing app - no pop-ups, and it works just fine (despite the age warning).

https://play.google.com/store/apps/details?id=com.qrcodescan...


So just to be aware, what was the root cause of this incident? Was it permission settings? How did it slip through the release process on Google Play, or is there none at all?

What does this mean for other apps with overreaching permissions?


This app only had the basic permissions of camera and to open web links - pretty much exactly what you need to scan a QR code and open a web page. The software author (or more likely someone they sold it to) pushed a new version of the app that would just keep opening links to various ads.

The key here is that the author had a properly working, trusted, non-invasive application for years and then they pushed an updated version that was less so. Fortunately, it was an app with minimal permissions - it could only open web pages. In my case, running ublock, those pages came up blank. But for others not running an ad filter, they got pop-ups prompting them to install even more malware.

As for Google Play release process, I can't speak on that too much. They do scan for malicious code, but this code may not be malicious enough. If part of an application's purpose is to open web links, more code that opens links would not be as noticeable. Apple has a more intensive process to review new apps, and they spot-check app updates, but it's going to be somewhat similar. We hear about Apple pulling existing applications all the time for random reasons, but it's often after an update or report. Google pulled some of these apps after they were reported, but it was also after.

I'm not defending Google Play - they have a more relaxed review process than Apple, relying more on automation. But both have "legitimate" apps pulled for obscure reasons (and the only recourse seems to be getting attention on HN/Twitter/other), and both have let scam apps through. Apple seems to catch more of the "bad" apps, but also drops more legitimate apps that compete with Apple's business interest.


One can say that the solution to this is more control/power for the app store, but the opposite, the solution for this problem on computers, was solved decades ago:

Open source software and more open and transparent platforms!

Today users of common brands of Android and Apple devices are really restricted in control of their devices, so there is very few ways to check what the system or apps are doing, inspect, firewall/limit things, go tinker inside the apps.

And as said by other people, most of the time you have auto updates forced on users and so app developer does not even have to really justify what changed and why.


Agreed. The only way reviews can be done is by stores doing the review based on source code, and have submitting source code be mandatory with automated builds before review. That is not something companies like Apple or Google would even care about, it is not in their interest, since it is not their problem.

The phone market is a duopoly, Google and Apple have the market shared between them. There is no need to really improve this situation for end-users. For me it feels like Windows XP all over again.

I am a happy user of a Linux phone. I very much enjoy and support Jolla and Sailfish OS, while also hoping for the Pinephone and the Librem 5 to take off and be available as an option for daily use.


When the Apple App Store contained malware compiled by unsuspecting Chinese developers using a local cache of Xcode [1], Apple emailed the developers to prompt them to update their application immediately and removed them from sale.

Apple also contacted users directly to alert them of whatever apps they had purchased on the App Store were compromised so they could monitor for updates, or remove the app entirely.

Has Google done the same? Neither Apple nor Google have the ability to directly remove apps on a user's device, but simply removing it from the store and then having users rely on a solution like Malwarebytes seems like Google is abnegating their responsibility of a safe marketplace.

[1] https://en.wikipedia.org/wiki/XcodeGhost


Apple has this ability, but they have not used it: https://iphone-services.apple.com/clbl/unauthorizedApps


Google can disable apps on the users' devices.

https://developers.google.com/android/play-protect/client-pr...


"Can"

Play protect is a complete joke, it can't even detect malicious chinese apps that request every single permission that exists.


> Neither Apple or Google have the ability to directly remove apps on a users device

I'm pretty sure both can. But it's a legal problem, not a technical one.


This is precisely why I have auto-updates turned off. No minor security or bug updates are worth getting an all-out infection(or unexpectedly losing features).


Same here. Every now and then some app stops working or politely asks me to update, so an update it'll get (and at that point I have time to look it over and rethink whether I even need the app).

Last time I went on an "update spree" and updated everything I tend to use frequently, I got the new Firefox mobile update, which is frankly utter garbage, and now I regret it.

(Why it's utter garbage? It's much more laggy across the board, and there are issues getting uBlock Origin to work on it. And this tends to be the story with updates - I haven't seen the app that got leaner, or faster, or more ergonomic with an update. Not a single one.)


How do you decide when it is safe to update?


The short answer is "when the benefits outweigh the risks"; i.e. if there's a huge bugfix or new feature you need, but something like a barcode scanner is something whose change frequency should be very close to zero.

The "update culture" has unfortunately trained users to obediently "bend over and take it", which is horrible from both the security and change-management point of view; but is the dream of those who want to exert control over "the sheeple".


Your dogmatic approach to updating would prevent you from installing a version _without_ malware attached. For example, a version of Xcode circulated in China was infected with malware and once Apple had detected it, they asked all developers to recompile and update their apps immediately.

https://www.zdnet.com/article/how-malware-finally-infected-a...

With your attitude, you wouldn't have necessarily seen the efficacy in updating the apps and could still be infected to this day.


Every Google Play update prompt in My Apps has a description provided by the publisher. If there is an urgency to update and they don't say so, I'm not going to blithely accept every update.

For example, had there not been the exploit risk, I would have left Chrome at the older version, as their new tab group implementation is horrible, and it doesn't even allow you to open a new tab without creating a group or going incognito!


> Every Google Play update prompt in My Apps has a description provided by the publisher.

I hate to reply like this but, the vast majority of Google Play app updates go something like this:

"Updates."

"Fixes"

"..."

Having genuine changelogs would be glorious.

Apple and Google should require proper source and issue management, they could then generate changelogs automatically. Having that, they could then use machine learning against the code commits and issue titles to ensure that what people say are happening, are actually happening in the code.

I mean we've got ML that can generate code from natural language, I'm sure the bright sparks at Google and Apple could use some ML to, with a high degree of probability, say that the code does what the comment/issue says it does.


"performance improvements and bug fixes".

I just looked at the messages for the last ten or so updates on my phone and the last three were worthless like the above, but the rest were relatively detailed and informative. I imagine they are more motivated to give details when it's for new features.


> the vast majority of Google Play app updates go something like this

That's exactly my point. Unless they state something that accurately communicates risk and urgency, I don't upgrade.

Most updates of embedded-ad apps just seem to be changes in ads or ad engines.


Probably never. I mean, I am on iOS and as a developer I know how hard it is to get your code to run on iOS. Heck, security flaws that jailbreak an iOS device just via network/OTA are paid serious money for; there is no need to implement this.

I seriously ask the question what damage could a potential malicious app on iOS cause? There is no running in the background, so no exploiting while I don't use the app, no being part of a botnet when the app is closed. There is a FS sandbox that will not let you access another Apps data without being able to jailbreak etc. I think an auto-update is more risky on iOS than to live with an older version of the app that does its job (you never know what an update changes/breaks for you, and downgrading is not an option in the appstore).


I was affected by this. Funny how Malwarebytes wants to turn this into positive PR about how they reacted "quickly".

I installed just about every Android anti-malware app that I could find in late January, and none detected the bad app.

Finally by googling some of the ad domains that kept popping up, I found the forum discussion that they mention. In other words it took them about two months to react!

Edit: either it took forever or there are multiple barcode scanner apps that are affected and they didn't find all of them.


I found this behavior in the Barcode Scanner app by "the space team"

That was not one that was mentioned by the article

It's url: https://play.google.com/store/apps/details?id=com.qrcodescan...

(See the reviews)


I also found this pop-up ad behaviour Saturday (6th) morning. I distinctly remember looking at this app last year when a different barcode scanner had an issue and it was not owned by "the space team" then, maybe a takeover? App now uninstalled.


The one I remember being popular before on Android was the "zxing" one: it's still on the Play Store but has tons of recent reviews complaining about adware... confused users (and/or competitors taking advantage) leaving reviews on the wrong one?

The zxing one seems to not have been updated in years (plus it's still on the store).


Right. Space Team's app was a fork of the zxing demo app updated to newer SDK versions, but with the same name and basically identical interface. It had a malicious version uploaded recently, and was nuked by Google.

People then found the original, that looks the same, and started leaving negative reviews, attacking the "maintainer" (who does not really maintain it anymore, since Google no longer pays him to do so and it is no longer possible to update for the play store without some substantial code changes to target the newer android API versions) on Github, etc.


Glad you brought this one up. I also had the app you mentioned installed and noticed pop-up ads in Chrome.

I immediately uninstalled the app and left a review. Like many other negative reviews I received some copy-pasted response stating they only have some in-app ads.

It is beyond me that the developers just lie about including malware in their app while it is so obvious they are.


What I don't understand is why the internet permission (one of the most dangerous permissions in my opinion) is assumed to be always requested and not even reported when downloading an app. Sure, most apps need it (most of them for ads though) but at least warn me before installing like you do with other permissions like calls and sms.

But wait, there is more: that permission (and some others) are considered so harmless that if you install an app without it, and then the developer publishes an update with it, the Play Store will automatically update it without even asking! Remember this doesn't happen with 'dangerous' permissions, so apparently Google thinks accessing the internet is not dangerous at all.
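The permission split described in the comment above can be checked on the APK itself rather than trusted to the store UI. Below is an added example (not code from the thread or from any of the apps discussed in it) that diffs the `uses-permission` lines of two `aapt dump badging` outputs and sorts the additions into "dangerous" (runtime-prompt) and "normal" permissions. The two badging dumps, the package name `com.example.barcodescanner`, the label and the version numbers are constructed for illustration, and the `DANGEROUS` set is a partial list, so anything missing from it is reported as normal.

```python
"""Diff the permissions an APK requests across two versions, using the text
that `aapt dump badging <file.apk>` prints.

Added example, not code from the thread or from any app discussed in it.
The two badging dumps below are constructed (hypothetical package name,
label and version numbers); real dumps come from running aapt on the APK
you pulled from the device with `adb pull`.
"""
import re

# Partial list of Android "dangerous" (runtime-prompt) permissions. Anything
# not listed here is treated as "normal", which is where
# android.permission.INTERNET falls: granted at install time, no prompt.
DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed sample: the version that only needed the camera ...
BADGING_V1 = """\
package: name='com.example.barcodescanner' versionCode='42' versionName='1.4.2'
application-label:'Barcode Scanner'
uses-permission: name='android.permission.CAMERA'
"""

# ... and the update that quietly grew a network stack and a phone-state read.
BADGING_V2 = """\
package: name='com.example.barcodescanner' versionCode='43' versionName='1.5.0'
application-label:'Barcode Scanner'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.READ_PHONE_STATE'
"""

_PKG = re.compile(
    r"^package: name='([^']+)' versionCode='(\d+)' versionName='([^']*)'", re.M
)
_LABEL = re.compile(r"^application-label:'([^']*)'", re.M)
_PERM = re.compile(r"^uses-permission: name='([^']+)'", re.M)


def parse_badging(text):
    """Return (package, versionCode, label, {permissions}) from aapt output."""
    m = _PKG.search(text)
    if not m:
        raise ValueError("no package line in badging output")
    label = _LABEL.search(text)
    return (
        m.group(1),
        int(m.group(2)),
        label.group(1) if label else "",
        set(_PERM.findall(text)),
    )


def classify(perm):
    """'dangerous' for runtime-prompt permissions, 'normal' for everything else."""
    return "dangerous" if perm in DANGEROUS else "normal"


def permission_diff(old_text, new_text):
    """Compare two versions of the same package and split the added
    permissions by class. Refuses to compare different packages, since two
    apps with the same label are exactly the confusion this thread is about."""
    old_pkg, old_vc, _, old_perms = parse_badging(old_text)
    new_pkg, new_vc, _, new_perms = parse_badging(new_text)
    if old_pkg != new_pkg:
        raise ValueError(f"package mismatch: {old_pkg} vs {new_pkg}")
    added = new_perms - old_perms
    return {
        "package": new_pkg,
        "versions": (old_vc, new_vc),
        "added_dangerous": sorted(p for p in added if classify(p) == "dangerous"),
        "added_normal": sorted(p for p in added if classify(p) == "normal"),
        "removed": sorted(old_perms - new_perms),
    }


if __name__ == "__main__":
    d = permission_diff(BADGING_V1, BADGING_V2)
    pkg, _, label, _ = parse_badging(BADGING_V2)
    print(f"{label!r} ({pkg}) {d['versions'][0]} -> {d['versions'][1]}")
    print("added, dangerous:", d["added_dangerous"])
    print("added, normal:   ", d["added_normal"])
    print("removed:         ", d["removed"])
```

The line worth reading is `added_normal`: `android.permission.INTERNET` lands there, and a scanner that suddenly gains network access is the change that matters here, regardless of whether the store shows a prompt for it.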


So why aren't we hearing about someone being arrested?

Google knows who their devs are. Law enforcement can demand they give up that info.


They are most likely Chinese. I’ve been getting asked by Chinese accounts on LinkedIn to let them use my account to submit their apps on the Google Play Store for a fraction of their revenue. I’m guessing there’s a similar scam going on here too.


This is also very common on freelance sites like Upwork.


Computer crime is so very rarely traced and prosecuted, like most white collar crime.


It's still a massive issue if the crime crosses borders; if the entity behind the malware is from, say, Russia, what can a prosecutor in the US do? This is why internet crime is such an issue.


Right, which is a massive problem. If these people and those like them were prosecuted then we'd have far less of a problem.


There is a difference between ‘infects’ and ‘shows pop-up ads’. Annoying? Sure. Comparable to a complete security breach? No.


It's not a data breach, but it is fraud and should be treated as such.


QR Readers are a load of everything. I went mad trying to find a decent one for my parents' Android phone and apparently it doesn't exist. So in a weekend I've created one without any kind of tracking, ads, permissions, whatever. Here it is if you guys need one ->

https://play.google.com/store/apps/details?id=com.prof18.sec...


But this is the classic cycle don't you see? They almost always start as "here is an app I threw together, no ads, don't be evil".

But then a lot of people like your app, and ask for a small extra feature. You support it, and then get a bit annoyed by all the features people are asking for. Then you have to update it for the latest release... then suddenly fix it when some obscure version of Android breaks on it.

Then someone offers you £60k for a small ad no-one will even see and you think.. don't you deserve a bit of credit?

Maybe you'll be the good one who doesn't take it, but the free model is generally unsustainable.


That’s why you should try to use apps from reputable developers, who’ve already had countless such offers and refused them all.

The usual "$400/month per 1k users" stuff, "just integrate an ad network", is common, but sometimes as a dev you even get offers like "we hire you, with a contract, you can't be fired, legally you're a consultant to us for 2 years, at a few hours per week officially, for a Silicon Valley wage; unofficially you just don't do anything and collect, but we get full control over your apps".

Personally I’ve had quite a few such offers, and I’ve rejected them in the past and will also reject them in the future

Trust devs who’ve proven themselves :)


I'll never do that, because I've done it without any kind of profit in mind. I've done it just to help people and the community.

I think that if the app is open source, it's harder to hide such behavior.


If the OP open sources his QR code reader app then the "free" model is absolutely sustainable.


The OP did (it's in the description on the app store, but was unfortunately (considering the context and audience) left out of their comment):

https://github.com/prof18/Secure-QR-Reader


It doesn't exist? What were your feature requirements?

You wrote a wrapper around ZXing, which already has an official app as well as simple variations of that app from the ZXing team. That app is open source and ad-free.

There are already many similar wrappers around ZXing on the Play Store.

So what does your app do (or not) that makes it special?


I find https://appsco.pe/app/qrsnapper a simple pwa that works fine for me


Obligatory XKCD: https://xkcd.com/927/

But in this case, there is only one standard, and lots of imitators: https://play.google.com/store/apps/details?id=com.google.zxi...

But fallout from the bad app, or possibly deliberate actions by the malware maker have caused hundreds of bad reviews. It might be that removing the malware app from the store means people search for Barcode Scanner, find ZXing instead of the bad one, then post their bad review there. Or maybe the bad app is deliberately telling people "Click here to review the app", and pointing to the wrong app.

There's also reports of some sort of malware doing fishy things with intents to make it look like the ZXing software is bad https://github.com/zxing/zxing/issues/1345#issuecomment-7590....

I'd like to see a proper investigation by someone at Google Play. The original Barcode scanner is not needed for QR codes any more - almost any camera app will recognise those, as will Google's lens application, but it is still useful for scanning other barcode formats and for generating barcodes by sharing data with it from other apps, without needing to upload to a server or anything.


4M for just a scanner??

I appreciate the app but...don't you think that's too much?


Nice. Once you have a million users, are you open to selling it? ;-)


Nope. Because I truly believe in community and open source. I'd not be able to sleep at night and I'd prefer to shut it down rather than selling.


Thinking about it, Apple seems like they'd have better dealt with this sort of issue in four ways:

* Stricter review process to catch this preemptively

* Stricter app isolation to limit impact without an explicit vulnerability

* Longer maintained and more forceful operating system updates to minimize the number of phones running with known exploits

* Likely removing/disabling app from phones and not just the app store


Stuff like this happens on iOS all the time and everyone just ignores it because it's mostly sandboxed. Apple is terrible at stopping malware until it ends up in the news.


Source? Or you just made that up?



The first didn't cause any user issues as I'm reading it except extra data usage. I don't think it even did it in the background but only when the app was running. So I wouldn't even call it malware. Unlike this Android app which showed ads to users outside the app.

The second is Mac not iOS which had a much more relaxed security model.


The article about the 18 apps says that the ads were running in the background.

A Forbes article on the same incident also reports that data was exfiltrated from the infected devices:

> the trojan [...] sent data from the infected device to an external command and control server.


I think you mean Google, but also noting that #4 is possible (supposedly) through Google Play Protect


I wish Google would inform the users when they remove an app from Google Play due to it containing malware. I'm not sure if they also remove it remotely from the devices, I think they don't, because I once had an affected file explorer which then got removed from Google Play but not from my device.

The same goes for Chrome Extensions which have been removed from the Chrome Web Store. In that case, they get removed automatically from the browser, which is somewhat ok. I would prefer that they would get disabled without me being able to enable it again, and get labeled as malicious. Because how else can I verify that I once installed an extension or an app which then turned malicious?

Currently I know that either one of my or my dad's devices has something malicious on it, because I got an HTTP GET request to a URL whose full path is only known to our devices (and only via HTTPS).


My first ever mobile app was an experimental bit of Android Malware. It got demo'd by my colleague at Blackhat [1]. I'm definitely not a hacker, but with a few basic tricks I was able to create a pretty effective trojan which we then injected into a popular game (again only for experimental purposes, it was never released in the wild). In our lab we had literally millions of samples of Android malware, but for iOS we had only two (which only worked on jailbroken phones). Fun times.

1. https://www.softwaretalks.io/v/4047/black-hat-usa-2013-how-t...


Apple's iOS is way more secure than Android in several aspects. The best example is their 5 years of guaranteed security (and feature!) updates, versus 2-3 tops on Android (even <1 with cheap Chinese brands that are very common in Europe, such as Xiaomi).


Can't Google remove apps like Rocket Cleaner, that participate in these ads?


Not a good idea - I can pay for an ad for an app I don't like and it will be removed.


Apps and websites running ads they don't know about or don't vouch for is another problem. It's like a propaganda backdoor.


This is even worse when the app in question comes preinstalled on your Samsung tablet and can't be uninstalled (but afaik it can be stopped and downgraded).

https://fossbytes.com/peel-remote-use-remove-smart-remote/ "Truth be told, Peel Remote has been scrutinized for more than a year because of the company desperate measure to gain revenue. In 2017, the app introduced a malign ad practice of unethical lock screen ads and overlays."

My girlfriend's tablet just started turning the screen on at random times. It took some time to find out which app causes this.


Quote from Malwarebytes site: "Peter V. Jaspers-Fayer - Why does this article not contain the publisher and the icon of the app in question? There are many called "Barcode Scanner", and by omitting this information, you have caused unwarranted panic by users of innocent apps of the same name."

The fact that Google allows applications on Google Play to have identical/duplicate names is a significant ongoing problem as it causes considerable confusion.

I'm not against apps that have similar functions having identical (duplicate) filenames as this stops developers having to dream up ridiculous names that have little or no bearing to an app's function but it would make sense to separate the apps in some simple way that users could easily identify. For instance, apps with identical names could be flagged in many ways such as, say, Google providing a sequence number to the end of the filename. And I'm sure there are many other suitable ways I've not thought of.

As for the fact that Google lets malware onto Google Play and that it has happened many times demonstrates the fact that Google doesn't consider the matter of highest importance. That's to say, keeping malware off users' Android phones is not as important as making money from its advertisers.

If keeping malware off apps were equally important to Google then this malware would have been unlikely to escape Google's monitoring, as Google has just about every technical measure at its disposal to monitor apps for malware—and I'd venture to say that even its AI technology could be brought to bear.

Clearly, if both issues aren't of equal importance in Google's eyes then it raises questions as to why Google keeps changing or adding certain features to its Android operating system in the name of security but which annoy users (and in effect violate their privacy—in that users' data, etc are even more transparent to Google whether the user likes it or not).

Day by day, Google is proving itself to everyone to be more of a worry.

Note: I'm one of those who have an app on my phone named 'Barcode scanner' and it took me a while to determine (fortunately) that the one I have installed is not the app in question.


There is also a unique application ID string but unfortunately that's not displayed, probably in the name of "user friendliness". Just showing that in the play store alongside the app name would go a long way.


Yeah, I know but most don't bother to check including myself, and that's the trouble. I'm reasonably careful but I've only just gone through the process with this app since this alert.

You're right, displaying the fact would solve most things. The question is why such an obvious matter—which also would have been even more obvious to Google—wasn't enacted as such.


Meanwhile they block the Terraria developer's Google account, after which he's decided to cancel his game's port to Stadia. How are they so bad at this? Literally driving away legitimate developers while letting scammers run wild.


What's easy to do for a thousand apps is impossible to do for a million apps.

Large scale is not a new quantity, it's a new quality.


I noticed the package name com.qrcodescanner.barcodescanner. and went to https://qrcodescanner.com/ which advertises another very popular barcode scanner wescan.

they also offer an sdk of their own for including a barcode scanner into your app. https://github.com/WeTransfer/WeScan

I'm not really sure they are connected (package names don't verify domain names AFAIK). Just curious.


I'm glad that Firefox on Android now has a built-in QR code scanner. This is the best UI and security improvement they added in the last 5 years.


Vivaldi just added one too.

I'll never understand why Google didn't include one from the start. They finally added it to the camera app but very few people know about it.


Google's stock camera app supports QR codes.


The iPhone stock camera app also scans QR codes btw, guess most people just don't know since it isn't advertised heavily


It has? How does one use it?


When you open a new tab, it is right above the search bar.


Indeed there it is, I hadn't noticed. Thanks!


I had fullscreen ads on unlock with another barcode scanner app - IDK if it was this one or another one, but I remember blaming several other apps before figuring out it was a barcode scanner and removing it. The really frustrating part was that trying to open the app switcher to find out what app this was coming from would also dismiss the ad somehow.


Crazy to see this on HN. I was affected by this malware earlier this month and have both reported the app via the app store phone UI and submitted a full report w/ screenshots via the Play Store's web interface. Absolutely insane that I can still download this app from the Play Store and the dev's account hasn't been nuked.


When did you first notice it?


The app was updated Jan 29th. I noticed probably on the 1st or 2nd of February. I had a hard time tracking down where the spam tabs were coming from, but the app luckily gave me a spam notification from which I was able to see the app name and uninstall it.


I just don't understand how Google Play could've let this slip. Was this like the cyberattack not too long ago where they were able to infiltrate the CI/CD process to slip in updates? Is this the fault of the developers not securing it, or is this willful neglect or incompetence at the Google Play Store level?


I stopped using apps from companies or projects I don't know some time ago. Which left basically small local companies, the big global ones and FOSS-projects. This of course is not perfect but at least leaves some sort of accountability.


This is why I root my phone. I block internet access to any new app that shouldn't need it, if it refuses to work, I uninstall it.


All my employees use a JSON formatter on Chrome. Such apps require permissions to view all sites...

I require them to create 2 profiles in Chrome (and a 3rd for personal purposes), one for dev and one for official purposes, but I know that, in remote work, they get less serious.

It’s a major security problem. I’m wondering whether I should purchase the Chrome extension’s source code and deploy it myself on the store.


We've built a QR Code and Barcode Scanner that is fully privacy compliant. It focuses on product search and providing local and online prices but the QR code Scanning is incredibly fast here: https://play.google.com/store/apps/details?id=com.biggu.shop...

If you guys have any features you'd like to see in a stand alone QR code Reader, let us know.


There are so many different issues here.

Arguably manual curation doesn't scale to google play store or apple app store size and automated scanning only gets you so far.

You have several possible threats.

1. Apps that are malicious from the start.

Best addressed by better automated testing.

2. Apps that become malicious particularly when the app changes hands.

Best addressed by making this impossible. James/foo should never be transferred; a change of ownership should result in Jane/foo, which users would have to download.

3. Apps that aren't malicious but include a component that is user hostile. Virtually always included for money.

Best addressed by just forbidding apps with ads. We won't do this, but not much of value would be lost.

4. Apps that include a component that isn't malicious but itself becomes malicious later.

Requires due diligence by the developer. Arguably one could imagine better automated enumeration of the constituent components to discern what might have been compromised, so that developers could have their apps automatically pulled and be informed that they were compromised. One could also imagine a statutory fine for paid apps that earn developer revenue wherein their product harms users. This couldn't accrue to free apps without making FOSS impossible. Eliminating apps paid for with ads would eliminate a gray area.

An interesting point for those who presently avoid ad laden apps is whether your paid for apps are infected with the same potential malware vectors as the ad supported version as whether or not to show ads may be solely a function of an in app purchase you have made. Your paid for app might therefore be just as vulnerable.

What reasonable measures would one expect Google to actually take? Probably only reactive measures like removing this particular app while making no meaningful moves to correct any systemic problems. In the longer term one might expect them to do a better job of finding malware automatically.

If you value not getting hacked in the longer term it looks like this is insufficient. If for example Fdroid is insufficient in scope of applications then perhaps we should work on improving this situation as Google is unlikely to fix this for us.


Why is a barcode scanner app able to open a web browser and navigate to a page without user interaction (just by being installed)? That's the real question here.


The developer's street address, as shown in the malwarebytes screenshot, is obviously either incomplete or bogus. There's no city or country, and a weird unit number. Is Google Play really approving apps from such dubious sources?

Or does Google have the full address? Seems unlikely


You don't need to provide this publicly if you do not have any billing in your app, so no IAP or paid apps. They might just not verify it though.

Google has it, since publishing requires a $15 one-time fee. Of course, you can put bogus into the billing info for that as well.


We are the same guys who want every app to be free. Do you expect bread to be free or coffee to be free? Why do we expect apps to be free, even from Google?

How do you think small app developers earn money, other than by displaying ads? But we want ads to be blocked and don't want to pay money.


Ads within the app are fine, and I don't think many people who download a free app expect to have zero ads unless it says it.

THIS app, however, displayed ads outside of the application when the phone was unlocked. It's not the same thing, and it's not ok.


What in the seven hells is this? Why on earth would any app not running in the foreground of my mobile device have the ability to launch a random web page?

Guess this is why some walled gardens look a lot nicer from the inside...


Simple scanner turns evil... these kinds of apps should have been offered by the respective OS as a standard app. If the money involved is correct, then are the developers to blame?! I'm not sure, to be honest.


Imagine if this app had opened the Chrome browser tabs to a specially crafted webpage that exploited a vulnerability in Chrome like the recent zero days in the V8 scripting engine.


I use this one from F-Droid:

https://f-droid.org/en/packages/com.secuso.privacyFriendlyCo...

you can directly download the APK from that site, don't need an F-Droid client.

If you want an F-Droid client, i recommend Foxy Droid. Unfortunately lacks some features of the official one but way faster and nicer to use.

https://f-droid.org/en/packages/nya.kitsunyan.foxydroid/


Does anyone know what SDK they were using? I work in adtech and would like to review traffic from this SDK and potentially block it.

Edit: Seems they're using MoPub and AdMob


Most apps on Android behave like malware. The most annoying ones are those that randomly take over the screen and play ads with annoying music; you have no way to close them quickly and you don't know which app is displaying them. The only solution so far is to actually disable apps one by one and see if the problem appears. I think Google should remove all apps that do that. My friend, who is not IT literate, has a phone that essentially looks like IE6 back in the day.


Considering I'm not dependent on any Google Play only app, is there a good reason not to use f-droid instead?


Another episode of Stallman was right.


Binary Eye is a QR scanner for android that is open source, and available on Google Play and F-Droid.


Android doesn't actually need a 3rd party barcode scanner app. Google Lens supports barcodes.


Average users don't know the default capabilities of their own phones and instinctively go to the app stores to find their one purpose ad filled apps. I've seen flashlight, basic camera, weather, clock apps that are inferior to default apps of the phones installed on many client devices.


Inferior and probably filled with ads, tracking and now malware. Too bad Google doesn't try to let users know the feature already exists on their phone when users search for these apps.


This is why Ubuntu's forced auto-updates policy for snaps is crazy.


Google Chrome extensions are like this too. Not a coincidence that they've had multiple identical incidents where extensions were sold to malicious third parties or had malware added in.


QR code scanning should just be native in every OS.


Anyone else just delete some unused apps?


The title says "Barcode scanner", but this is a QR Code scanner app from qrcodescanner.com


app stores are false security, always have been


The OG Barcode Scanner app is getting absolutely throttled with negative reviews. But this posting seems to be about a clone app by a different developer.

https://en.wikipedia.org/wiki/Barcode_Scanner_(application)

https://play.google.com/store/apps/details?id=com.google.zxi...


My phone was affected by this, and I can confirm I had the original barcode scanner app in your first link installed, and I'd had it installed for years.

I now use Google Lens through the default phone app.


I had this one (by ZXing Team) and never noticed any negative behaviour, but given that the default camera app now supports QR Code scanning I don't see a reason to keep the Barcode Scanner app.


Which default camera app? From which version?

(The proliferation of manufacturer camera apps is one of the worst things about android)


Good point. Whatever the default is for a Samsung S10e. I agree that the forking by all the manufacturers is a PITA.


I wonder if there's a coordinated effort to exploit barcode reader apps, because (at least where I'm from) it's becoming a government mandated Covid tracing thing to use a QR code to "check in" to certain classes of businesses/venues?

I bet there's a _huge_ increase in use of QR code scanning apps compared to this the last year...


Interestingly, I just checked the QR code scanner app I have on one of my Android devices (A Samsung S6Edge abandoned and unupdateable from Android7 - without jumping through some hoops I've not been inclined to do yet).

As soon as I opened it, it popped up a dialog box with non-ASCII text in it (Arabic or maybe Thai script?) with yes/no options, for all I know asking for permission to steal my contact list... I just closed the app and uninstalled it.

It was "QR code scanner free" by Application4u. It does disclose "Contains ads". 4.5 stars, 10 million+ downloads. Has some expected permissions (camera) and a few less expected ones (storage/SD card) and a few very suspicious ones (full network access, prevent phone from sleeping, connect and disconnect from wifi, view wifi connections - I guess maybe these are needed for the ad serving in the free version? Seems like overreach to me...)


It's kind of amazing that there isn't an official QR code scanner app preinstalled on phones given how ubiquitous QR codes are.


I think Android 9 and up has QR code scanning built into the camera app, same as similarly recent vintage iOS. iOS is somewhat less problematic given that ~98% of devices are running current or one version old OSes, whereas the Android fleet has a huge install base who won't or can't upgrade from pre Android 9 versions. Last time I looked it was still over 40% of all Android devices.

I've side loaded LineageOS onto a few old old Android devices, Galaxy S3 and S4s, but my S6Edge is still running the Android7 OS it had when Samsung abandoned it. My similar vintage 2015 iPhone 6S is running fully current iOS14 - but it is the oldest Apple device that'll run it. (To be fair, my Samsung S3 vintage iPhone 5 can't run anything newer than iOS10.3).


I think both Android and iOS have been shipping a built in QR code scanner for some years now.

Wechat had 1.17 billion users last year and has had a QR scanner built in for many years now. Given that you need the app to login to their web or desktop applications, it can be presumed that that many users have the app installed, possibly making WeChat the most popular QR code scanner app.


There is, on Android point the camera at a QR code and it will scan/read it.


It is also open source: https://github.com/zxing/zxing and hasn't had an update since 2019.

So will google fix these reviews like they did with RH? These are clearly wrong unlike RH...


Yeah it's a really bad idea that they just called the app "Barcode Crossing" instead of "Zebra Crossing" or whatever. Completely generic and impossible to defend the brand.


This is a very important distinction.


Oh wow, one hundredth of a user.

People really need to start respecting m=milli and M=mega.


The m in the title doesn't stand for mega, it stands for million, and lower-case m is a proper abbreviation:

https://www.lexico.com/definition/m


I don't get why no barcode scanner app is shipped with Android. It's such a basic functionality. Edit: apparently it IS shipped on iOS and at least my Lineage OS default camera app has a QR code reader too.


Switch to Google Lens in the Camera app. It's way less reliable but it usually gets the job done.


The problem is that not all people know that. And I don't know why Google does not "advertise" it.

Anyway, for my parents' old phone I built one simple QR Reader without any crap. If you need one -> https://play.google.com/store/apps/details?id=com.prof18.sec...


What do you mean by way less reliable?

While Google will not start any overly obnoxious ad-serving, who tells you they will not upload all or a bit more stealthily some pictures for some AI user profiling thingie? Cannot happen? They collected WiFi access points when doing Streetview back when their motto was "Don't be evil".


Sometimes it decides that I'm actually searching for pictures of QR codes and gives me Google Search results for similar pictures of QR codes, which is kind of useless.

As for the second part, that's your personal risk tolerance so I'm going to leave that to you. Google is generally a high-trust brand in America, so most people will find the risk tolerable. If you don't find it tolerable, you shouldn't use it.


> Google is generally a high-trust brand in America, so most people will find the risk tolerable

Sure, nobody doubts that. Whether the trust is deserved, that's another story.

They scan your email to find out where you traveled and what you bought. I guess most people don't know and many are shocked once they find out.

https://news.ycombinator.com/item?id=19942219


I don’t think my past two phones (one Android, one iOS) have built in QR scanning, or at least it’s not very discoverable. No fun to have to find something in an App Store when it all looks like 7 year old malware.


You can point the builtin Camera app on iOS to any QR code, it will pick it up just fine.


Same with Android


On iOS, you can use the Camera app on your iPhone or enable the Code Scanner button on the Control Panel: https://support.apple.com/en-ca/guide/iphone/iphe8bda8762/io...

It would be interesting if Apple added support articles or how-to videos for built-in features to their App Store search results though…


Try your plain camera... this seems like such a hidden anti-feature though... no one I know has tried just the camera


I discovered this week when fooling around with QR code makers that the Android camera app, at least the one released on Samsung phones, does not read QR codes. That was very surprising to me.


My boring AndroidOne phone does. If there's a clear QR code in the field of view of the camera app it'll recognize it.


Apple’s (often critical) review process for app updates is shining right now!

Edit: /s


Apple does a pretty bad job here too. The difference is that their sandboxing model is better.


Apple does not let you back out an update you made and regret.

Apple does not block apps from using the network or give you any way to find out what they are doing and who they are talking to.

In fact, apple does the opposite - it blocks apps that let you firewall your phone.


Applications like Charles [1] allow you to monitor network connections and data closely. Apple do not actively prevent this.

You can also setup a VPN to route traffic and strictly firewall.

[1] https://www.charlesproxy.com


Charles must have some wild carveout from apple. All other apps that do that have been shut down. I still run a very old version of adblockios that starts a vpn (proxy) at 127.0.0.1 and blocks traffic that way. mostly.


I think the parental control app Circle does something similar (faux-vpn proxy). When I tried using Circle, it seemed a bit convoluted to me, so we ended up uninstalling it. So, I’m not sure how unique this method is. But, I’m not sure I can think of another way for a network blocking/security app to work on iOS.


https://firewalla.com is another one.


This works as long as the app does not enforce certificate pinning. But if it does, there's no way to override it and inspect what's actually going on, as I can on my desktop.


Charles is great, but it can't view the data for any app running pinned certificates.


This is why I am going to buy more Apple stock tomorrow.
