Chinese apps, even those from big established players, are often indistinguishable from malware. Off the top of my head, I can think of:
- Hiding their app icon from the launcher, but adding a widget that looks the same. So if the user tries to uninstall the app, they just delete the widget and the app remains.
- One app would install other apps from the same company in the background without user consent.
- Multiple apps will wake each other so they always stay in the background and become impossible to kill.
- Requesting every permission under the sun and transmitting as much info to the mothership as possible.
- Secretly turning on the camera and filming their users.
However, these only happen on the Android version. The iOS version never has these issues.
So even though I am not a fan of the Apple monopoly, I am really really afraid that by allowing third party app stores and sideloading, the western apps will race to the bottom and become just like this.
("But you can always download from the official App Store!" you may say. But what if, say, Tik Tok announces they will from now on leave the App Store and be available only via direct download?)
Well, apps that don't have a declared launchable (homescreen) UI don't get these icons. Granted, it has been abused by spyware apps to "hide" from unsuspecting users, but you'll find these in Android's Settings app.
> One app would install other apps from the same company in the background without user consent.
I doubt installation without user consent is possible at all in Android 9+. Afaik, only Google PlayStore (or other OEM embedded stores) have permissions to silent install, as it were. And I haven't seen anyone allege PlayStore silently installing apps. See also: https://www.xda-developers.com/android-14-background-install...
> Multiple apps will wake each other so they always stay in the background and become impossible to kill
One can Force Stop an app to make sure no component (service, activity, receivers, or resolvers) can run in the background, until the user explicitly starts the app process again via the Launcher.
Android also limits background processes, tracks per-app CPU and memory use to limit it, and "caches" processes aggressively if need be (puts their threads to sleep so they aren't executing anything but could be resumed quickly).
> Requesting every permission under the sun and transmit as much info to the mothership as possible
The Trust on First Use model has been taken to the cleaners by Android apps hell bent on tracking their users. Starting with Android 12, though, Android automatically removes permissions granted to installed apps the user hasn't interacted with.
> Secretly turning on the camera and film their users
Android 13+ has camera and mic indicators. And for earlier versions, even if inconvenient for end users to set up, there exist open source apps that continuously log cam or mic access from other apps.
>> Multiple apps will wake each other so they always stay in the background and become impossible to kill
>
> One can Force Stop an app to make sure no component (service, activity, receivers, or resolvers) can run in the background, until the user explicitly starts the app process again via the Launcher.
>
> Android also limits background processes, tracks per-app CPU and memory use to limit it, and "caches" processes aggressively if need be (puts their threads to sleep so they aren't executing anything but could be resumed quickly).
Amazon's apps love to do this. If any one of {Kindle app, Amazon Shopping, Amazon Music, Prime Video, Amazon Appstore} launches, one or more of the others will launch in the background. I first noticed it on three low-resource devices. Force-stopping ones I wasn't using at the moment resulted in them relaunching in a few moments. The only solution was to not have more than one Amazon app on each low-RAM or aging-CPU device.
Google does something like this, too, but I can't as easily disperse Gmail, Play Books, Play Music (erm, YouTube Music), Google Services, and whatever else. They also seem to do it more like "O, device just woke, or wifi state change, so let's update all the things", instead of Amazon's "User asked to load Kindle into 864 MB of RAM? Better have all the other large Amazon apps check for updates, too!".
2 GB RAM? Same sudden glacial slowness and unresponsiveness due to background semi-related apps running unnecessarily. 4 GB? Well, that mostly works; a moderate slowdown, but no UI freezes.
(Yes, I'm saving up for a Galaxy Tab S8+ with 16 GB, but... it costs as much as a real laptop without including a keyboard. I almost miss my Palm IIIx with month-long battery.)
The security argument for the App Store has never been stronger.
> "But you can always download from the official App Store!" you may say. But what if, say, Tik Tok announces they will from now on leave the App Store and available only via direct download?
> The security argument for the App Store has never been stronger.
Perhaps, for many users this is true. But I don't need or want a nanny-company telling me what I can and can't install on my devices.
(And yes, I do sideload apps -- including one I've written myself -- on my Android phone. So this isn't a theoretical "don't take my freedom" type concern.)
>> But what if, say, Tik Tok announces they will from now on leave the App Store and available only via direct download?
> ... and nothing of value was lost.
Couldn't agree more with that sentiment. The problem is, though, that many people will still download it from TikTok's own website or app store. Security is a collective problem: even if I manage to avoid malware, a friend or colleague -- who may have email or chat or whatever history with me -- could get hacked, and that would still leak some of my data.
> (And yes, I do sideload apps -- including one I've written myself -- on my Android phone. So this isn't a theoretical "don't take my freedom" type concern.)
Over the years I have built several very small, very specific apps, to do one thing and do it exactly the way I want it. The one that found most use (also among my friends) was my QR-code scanner, which was built in the days when the only QR-code scanners you could find were littered with ads, or paid for.
It took me less than 2 hours to wrap the Google barcode SDK in an app with one view that showed the camera preview and had one toggle button.
The toggle button controlled whether a scanned QR-code would be immediately opened (through a generic intent), or whether it would be stored in the clipboard.
Super easy, works really well and I still prefer it over the much slicker looking paid apps. If I had an iPhone I would surely never have built this app, as the hassle would be too much.
Only works on Android though because Apple deems this type of non-Apple store a threat to their profits. Fortunately there are plenty of Android devices to be had on the market which can run a free AOSP-derived distribution like LineageOS. You'll get OTA updates until the cows come home or the developers move to another device, whichever comes first. The Galaxy SIII I'm using as a "dangerous work" phone - its screen got cracked when it fell off the barn roof for the second time while I was installing solar panels but it still works fine - still gets updates; it currently runs Android 11.
Spyware is much much less powerful on mobile than desktop. If you install malware on a desktop you are boned even without some OS exploit. On mobile there's still a lot an app can do, but it is far more constrained without some OS exploit.
Because it isn't just Apple. Back when Apple removed the headphone jack, people constantly said "Well just use Samsung" or some other brand. Look at where we're at now. If Apple can beat the current pressure, other brands will follow. We're no longer in a theoretical space with this. Companies actively follow the trend, and excusing it because "it's just Apple" will end badly.
> Perhaps, for many users this is true. But I don't need or want a nanny-company telling me ...
Most will not go through the trouble of downloading apps directly and then installing them via developer mode. So while annoying to 0.0001 of Tech workers ... this would actually work quite well.
And chances are that nobody asks us in our ivory Tech towers. It would work so well that within less than 2 years Chinese apps could disappear like Keyser Söze (which is even faster than Huawei disappeared from the US market ;)).
> Simply don't buy an Apple phone.
We said that about the headphone jack. Look where we are now. Companies follow what works, and Apple continues to pioneer anti-consumer practices. You shouldn't buy Apple, but that's not gonna solve the problem. We gotta continue to show why this is bad so others don't chase the same goals.
This has been a recent consideration of mine I haven't fully explored or thought how to deal with yet. I now look at new friends with suspicion, especially those who are not tech savvy. I just gave out an email to a friend recently and he forwarded me an email list without BCC revealing all the recipients. I thought to myself, "oh boy, somewhere down the road I'm going to be getting hacked email messages from one of these individuals."
What is the difference between a clamped down App Store with arbitrary rules, and what China does with their Great Firewall?
With a locked down App Store in America you have the option of using another device, or just using a computer, without any repercussion. With the Chinese Great Firewall, working around it can lead to legal trouble, to put it lightly.
> what is the difference between a clamped down App Store with arbitrary rules, and what China does with their Great Firewall?
1/Apple is based in a country that follows the rule of law, with checks and balances, and can be sued if it disobeys the law.
2/Apple does not have police, a military, or other means to force you to act against your will.
3/Apple does not prevent you from accessing information outside the country.
4/Apple does not coerce you to say things even if they are false.
5/Apple does not torture -- sorry, I mean "re-educate" -- Muslims.
Please, don't make specious arguments comparing your inability to install some app few people need to being oppressed under the thumb of the CCP. Let's turn down the dramatic volume a little, shall we?
The CCP "great firewall" excuse is, precisely, that it will keep "bad actors" away from the homeland, or "flies" as Deng Xiaoping put it. We all know what the real reason is, though.
Apple uses the same excuse: security through arbitrary content control.
As other users have said, I could go and buy an Android phone, or I could even use no phone, why not? But that's not the point. The point is, I'm not buying a device from Apple, I'm just leasing it, with certain conditions. And that should be, in my opinion, not only against the law, but widely considered unethical.
You’re not leasing your phone: you don’t have to pay the owner for continued use of it or be forced to return it.
I get that you don’t like the current state of affairs, but your analogies aren’t good ones.
Ownership has never meant that you are free to do what you want with your property. You take the property as is, and sometimes there are even legal restrictions to what you can do with it. For example, I’m not allowed to build a slaughterhouse on my land.
> You’re not leasing your phone: you don’t have to pay the owner for continued use of it or be forced to return it.
Call it what you want. I pay a lump sum for something that doesn't technically belong to me. And, if I break their ToS, they reserve the right to disable it.
People are rightfully upset about carmakers putting common features behind a paywall. It seems appropriate that they would be too, if they were forbidden to use their car as they pleased.
> Ownership has never meant that you are free to do what you want with your property. You take the property as is, and sometimes there are even legal restrictions to what you can do with it. For example, I’m not allowed to build a slaughterhouse on my land.
This is absurd.
Of course the rule of law forbids you from having a slaughterhouse on your land if you don't comply with regulations. The terms of the App Store are part of a contract, not a law. Contracts may be initially binding, but they may also be illegal after review, and I personally hope they are in this regard.
In other words, there is no law saying that I shall not distribute porn on the App Store, that is just Apple's prerogative.
On the other hand, if you are arguing that federal and state laws are equivalent to private contracts, then your previous point about the Great Firewall and the App Store is moot.
> I pay a lump sum for something that doesn't technically belong to me.
The physical object belongs to you, but property has never in the course of history meant "I can do whatever I want with something in my possession." Property rights are about possession and control, not necessarily about concrete objects. (That's why copyright and trademark are known as "intellectual property.") And control is rarely absolute.
> the law forbids you from having a slaughterhouse in your land if you don't comply with regulations
No, zoning regulations prohibit me from having a slaughterhouse on my land at all. Hell, I can't even build a multi-family residence on it.
> if you are arguing that federal and state laws are equivalent to private contracts
They are not, but legal enforcement is what makes contracts work - the "teeth," if you will. If everyone were free to flagrantly breach the terms of their contracts, chaos would result.
What you're asking for is for certain terms of contracts to be unlawful as contrary to public policy. And that's fine, but again, let's keep the hysterics and ludicrous comparisons to a minimum.
It's going to be an unpopular opinion, but there's an awful lot of applications out there that are just hilariously outdated, terribly made, or are some form of malware. I mostly use mainstream apps (Google Maps, Bitwarden, Safari, Slack, Discord, Spotify, Canary, etc) and the times I do look for new apps I enjoy having the convenience of not having to sift through awful apps that used to plague the Android Market (and to a certain extent the Google Play Store).
App Store is not perfect by any means but I think it's superior to alternatives that are out there for users like me.
> Computer programs that enable smartphones, tablets, and portable all-purpose mobile computing devices, and smart televisions to execute lawfully obtained software applications, where circumvention is accomplished for the sole purpose of enabling interoperability of such applications with computer programs on the smartphone or device or to permit removal of software from the smartphone or device;
Every industry is regulated; it's coming for software and it will help keep the common user from being exploited.
Do you see the legislation for broadcasting and say, ‘What makes that different from how you have no free speech in China?!’
We’ve already had voluntary step backs in the idea of online liberalism with Twitter having to be heavily pressured to take down ISIS propaganda. Codifying those rules for everyone is inevitable.
> I am really really afraid that by allowing third party app stores and sideloading
Please stop it. I do not want my devices to become a toaster. I am a computer programmer. I would like the ability to write programs for my own personal use, and run those on my own devices THAT I PAID FOR. Please stop pushing some narrative that will take this ability away from me.
> ("But you can always download from the official App Store!" you may say. But what if, say, Tik Tok announces they will from now on leave the App Store and available only via direct download?)
Personal freedom always has personal responsibility attached. If you direct download it and it's malicious, well, that's your own problem. Probably should've thought about it better.
If you don't want to think about security, all you have to do is only install apps that are in the app store. Why should everyone else be restricted from doing whatever they want with their phones?
> So even though I am not a fan of the Apple monopoly, I am really really afraid that by allowing third party app stores and sideloading, the western apps will race to the bottom and become just like this.
This did not happen with Windows, so why would it happen with Android, that is much more restrictive in terms of permissions?
(Off topic, but does someone know a good alternative to imgur? The website currently autoplays unrelated videos, freezes my mobile browser for several seconds, and appears to hijack the back button. It feels like malware.)
As a general rule of thumb, if I've seen a URL shared on 4chan, I assume it's either a honeypot or a service people will judge me for associating with. I also avoid clicking such a URL because it's the kind of place I'd expect to find a zero day WebKit exploit.
With the caveat that you should fully expect catbox.moe to be added to your organization's blacklist if it hasn't been already. It's kind of the premier service for sharing content that falls into the "legally grey but no big service will ever let you keep it on their site" category, like mass shooting videos, etc. Just don't get used to relying on it at work is all I'm saying.
It's too much of a hassle with NoScript too. At least 12 domains trying to run js and allowing just imgur still doesn't load the image. Ridiculous that you even need js to view an image anyway.
On a laptop/PC you could give the rimgo[0] frontend a try for simple viewing, no uploading or interacting. It's by no means perfect but works really well in combination with the LibRedirect[1] browser extension.
Rimgo is basically a frontend for imgur that you can selfhost (or use a public instance). The LibRedirect browser extension automatically replaces the imgur.com URL with the specified rimgo instance.
If you are the one linking you can just grab the URL for the image file directly. If opening the website to do that is your problem... good luck I guess Lol
I linked the image file URL, but checking on my phone, it redirects to the bloated page instead of the image. Loaded just the image on my desktop though.
On mobile they also default to serving resolutions that are completely unusable a lot of the time. I find myself going to desktop mode for anything with text on it.
What you can do is change the URL parameters to get a workable resolution (though honestly using desktop mode might be easier, I didn't know that it gives you a higher resolution!).
Here's a direct link that I got from a comment above that you should be able to get if you press on any imgur image and select "open image":
I just remove the shape parameter entirely, and add a 0 to the maxwidth (seems like it can take any number there, but it will just give you the highest available resolution). The fidelity arg I'm not sure about, but it might have to do with compression? I haven't seen a huge difference changing it.
Yeah, they redirect to that website which has all these issues. The back button hijacking (it doesn't work on that site in Chrome) is the most annoying one.
To be fair, there are plenty of legitimate reasons to hire a reverse engineer. Maybe you're building a red team for your AppSec blue team, or you want to analyze the apps of your competitors, or any apps at the top of the App Store (you'd be shocked at the dark patterns you can uncover by looking at newly trending apps).
I'm long gone out of the mobile industry, but circa 8-10 years ago, I was aware of multiple top ranking iOS apps which were abusing OAuth login by opening the identity provider login screen inside an in-app browser, which meant they had full control over the DOM, and could e.g. circumvent Facebook protections to silently invite all your friends to the app using "invite to game" functionality. You would never know it happened because you wouldn't get any notification unless someone reached out and asked you why you sent that invite. And FB conveniently sorts friends so that the first 50 are your close contacts, which these apps could skip sending the invite to, under the assumption that your random acquaintances wouldn't bother reaching out about yet another notification they got from you.
I didn't see any of them grabbing the password, but they easily could have.
I'm pretty sure Apple has since closed this loophole by enforcing that apps perform OAuth in a browser where they can't control the DOM, but I'm not sure - I got as far away from that scene as I could...
> I'm pretty sure Apple has since closed this loophole by enforcing that apps perform OAuth in a browser where they can't control the DOM, but I'm not sure
Apple are not restricting OAuth in an embedded web view, at least not on a software level. I have worked on an application that injected JS into the OAuth window for non-malicious styling purposes. It is possible they're rejecting apps from the store for this behavior, but I wouldn't know.
I think they may be enforcing it for certain high-profile OAuth IDPs, e.g. Facebook. At least, as a user, I've noticed a difference in the feature, i.e. "TotallyNotMaliciousApp wants to Authenticate with Facebook" which seems to open some more locked-down version of the browser in a view that I assume is not modifiable by the app that initiated it.
But I'm not an iOS developer, so I have no idea what feature is driving this, or what the policies are around using (or not using) it.
What I found interesting about this technique is that it's difficult to classify as a bug, aside from the obviously malicious scenarios. But even then, who is being exploited? Everything is working as designed - apps should be able to control the DOM in their in-app WebView, and Facebook should expect that users on an OAuth screen may send them untrusted input. It's only when the two contexts are combined that an exploitable "bug" emerges, in such a way it's not clear whom to blame between Apple and Facebook. The only clear malicious entity is the app publisher. So from that perspective I guess you could blame Apple for letting it through review. But some apps go to great lengths to trick the reviewers in this regard, and there are many ways to obfuscate the injection, including loading it remotely or conditionally based on user IP, time of month (is a release currently under review?), etc.
Maybe because I'm from a different era, but installing anything on a device from a website is an extremely risky game. There is a reason we moved toward using a web browser to do functionality that was typically done on desktop.
I'm not one to worship Google's walled garden (which is just marketing jargon), but at least that has some layer of verification and malware detection.
I still dream of a web app based future. Then we only need to security-proof one app.
> A new set of Android malware, phishing, and adware apps have infiltrated the Google Play store, tricking over two million people into installing them.
GP said it has some layer of protection of malware, not that it has 100% protection. And yes in my own experience Google Play Protect has successfully caught malware. The goal is to provide some better-than-zero protection.
But is it better than going to the developer website that uses SSL and downloading directly? A consolidated app store is a single point of failure after all. Hard to say it's actually better. There's also no need to bundle the malware scanner with the app store since all it does is scan your device. You can have a malware scanner without an app store.
I don’t think he was suggesting that walled garden is perfect in this regard, but that it is much safer than bypassing it, so instances such as you list don’t really refute his point (assuming that was your intention).
> Maybe because I'm from a different era, but installing anything on a device from a website is an extremely risky game
You are (just like me) from a different era. /s
I was trying to compile Rust (for Mozilla) and I was shocked to see that it connects to the internet during the build process to download crates (I presume these are some kind of libraries). Then you have js with npm and the menu is served.
Even if the web browser has a container, this can be compromised during the build process.
Why would you try to compile Rust? You can just download it already built.
> i was shocked to see that it connects to the internet during the build process to download crates
How else is it supposed to get that software? Unless you want to manually download 100 crates and put them into the correct folders, this is a normal process.
That's like saying "in a native-based future we only need to security proof the OS". There's no free lunch, you always need to check both the sandbox layer and the application.
Browsers have a truly remarkable track record when it comes to security. We have been able to run untrusted code for nearly two decades now without a large scale breach.
That's because browsers don't do all that much compared to an operating system (although they are catching up). On the other side, since Windows XP, security of the OS's has been steadily improving as well. What breaches do you mean anyway?
Once you push broad access to user data and hardware to browsers, you'll get ransomware there, too. Meanwhile, native sandboxing keeps advancing.
So no, web will not remain the safer option forever.
> We have been able to run untrusted code for nearly two decades now without a large scale breach
None that we know of. Keep in mind that not so long ago the browser did not have access to the filesystem except to save files.
Now the browsers have access to the filesystem, camera, microphone, they can act as servers, they have access to USB devices.
Which era is that, though? There was a decently-long stretch of time between shrink-wrap software being common (I think my last boxed software purchase was probably in the late 90s), and the advent of the App Store (2008). During that time, downloading things from a website was the primary method of installing software.
Also, it's not like people were installing this app from a random sketchy website; it appears to have been available on third-party Android app stores, which are the only option in China, since the Google Play Store isn't allowed there.
> I still dream of a web app based future.
Right there with you, but sadly, I don't think it's a realistic hope.
With the capabilities web apps have gathered over the years, I don't feel very comfortable with using random web apps either. As an added downside, random blog posts and ad iframes can now try to access the same APIs real web apps can. The more we move to a web app based reality, the more we're going to see exploitation of browsers and their many features.
We'll never get our one security-proof app because security-proof apps can't do things like rendering and file manipulation at acceptable speeds.
Downloading apps from websites is almost always a red flag in my opinion. If an app can't be in Google's app store for whatever reason, it surely can appear in another.
The only APKs I've downloaded come from GitHub/GitLab because open source apps aren't always on F-Droid, and APKMirror because my phone is rooted, and I consider myself to be a power user. I'm really surprised an app like this is popular enough to get downloaded installs at all, though perhaps the Chinese app ecosystem is different enough that I simply can't understand.
I'd hate to have to resort to web apps for absolutely everything on my phone. Messengers and such need optimisations for battery usage and resources and browsers don't offer any of that. The overhead of web applications is also quite significant. Don't get me wrong, I use several web apps for small things like weather sites and a simple game here or there, but there has to be room for both or the mobile experience will get worse for everyone.
therefore I can't download Netflix from Google Play for some absolutely idiotic reason even though the stupid app works perfectly afterwards. They just hate me for wanting to sync my clipboard automatically, I'm guessing.
> The more we move to a web app based reality, the more we're going to see exploitation of browsers and their many features.
True, but as the GP pointed out, we only have to secure one app, and fixing a security issue in it saves you from anyone exploiting that flaw in any other app.
Sure, you can make the same argument of an OS-level flaw, but that leaves people with older devices out in the cold, as they often don't receive OS updates anymore. The browser is just an app, and as long as it supports the OS running on the older devices, you get those updates years after your device vendor stopped supporting you.
We're never going to solve all security issues (at least not until "perfect" AI starts writing our software), but I'd much rather run apps in a browser than on the device directly, even with Android/iOS's app sandboxing tech.
> I'm really surprised an app like this is popular enough to get downloaded installs at all, though perhaps the Chinese app ecosystem is different enough that I simply can't understand.
From the article:
> The malicious versions of the Pinduoduo app were available in third-party markets, which users in China and elsewhere rely on because the official Google Play market is off-limits or not easy to access.
> Lookout’s forensic analysis of two Pinduoduo APK app samples released prior to March 5 ... has determined that both contain malicious code that exploits CVE-2023-20963, the Android privilege-escalation vulnerability that wouldn’t become public until March 6 and wouldn’t be patched in user devices for up to two weeks later.
Though it says it was exploited before Google's disclosure (not sure if disclosure is referring to the timing of the patch, but the linked Google post is from 6th March).
> This privilege-escalation flaw, which was exploited prior to Google’s disclosure
Temu (Pinduoduo's American app) appears to be unaffected and is still #1 on the app store and even has an "Editors' Choice" badge, but with their parent company risking reputational harm on their main app I would be cautious.
Google should block all of their app signing keys, and only allow new ones when PDD can explain how malicious software was signed with the previous ones.
> Pinduoduo's core value is "本分" (Ben Fen). It is difficult to express it perfectly in English, but it essentially means to adhere firmly to one's own duties and principles. There are several layers of meaning here:
> Be honest and trustworthy;
> Discharge our own duties and responsibilities regardless of others' conduct;
> Never take advantage of others even when we are in a position to do so;
> Self-reflect and take responsibilities when problems arise instead of blaming others.
I guess the company's app developers never got the memo.
This is a refreshingly honest core value. To me, 本分 is better translated as "know your place". I.e. don't be ambitious, don't step out of line and always do exactly what the boss tells you to do, never a stroke more.
> The source[0] has a more clear description about what is being currently exploited:
In the end, the Internet vendor used the above-mentioned series of concealed hacking techniques to achieve:
- Concealed installation, increase installed capacity
- Counterfeit boost DAU/MAU
- Users cannot uninstall
- Attacking competitor apps
- Steal user privacy data
- Evasion of privacy compliance regulations
and other suspected illegal purposes.
These fake apps were signed with the signing key of the official PinDuoDuo app. Until PinDuoDuo can explain how this signing key was "stolen" they are to blame for creating this malware.
The EvilParcel saga seems quite tragic. You would think after the first few repeats they would have taken some stronger measures than patch up the new API misuse case of the day.
Can anyone from China, or informed enough, chip in on how secure the marketplace is? How often does this happen? I had my own problems with a Chinese-developed app I needed to add some content to for a client.
Users on average also have to pay part of the app store fee since some form of the cost will be handed down, e.g. more expensive app / app lower quality.
From the article:
The malicious versions of the Pinduoduo app were available in third-party markets, which users in China and elsewhere rely on because the official Google Play market is off-limits or not easy to access. No malicious versions were found in Play or Apple’s App Store. Last Monday, TechCrunch reported that Pinduoduo was pulled from Play after Google discovered a malicious version of the app available elsewhere. TechCrunch reported the malicious apps available in third-party markets exploited several zero-days, vulnerabilities that are known or exploited before a vendor has a patch available.
As far as I know, China is the only country that has third-party Android app markets of that size because Google Play is literally not allowed there. So I don't think this would be a significant story anywhere else in the world.
It's a company with 750M MAU, so very large but still not something most US readers would be aware of. If it was a French or US developer, they would have just used the name of it.