Recently Google decided that in the future for an app to be installable on an Android device, the developer of this app needs to be ID’d and registered at Google. They claim this is in order to “to better protect users”. However, I think, this is a move to get more control over the Android ecosystem, and the data they can collect with it. If anyone who wants to develop an app for Android devices has to be registered with Google, this puts all the power of who to allow distributing an app to Google.
Furthermore F-Droid shows, that safe app stores can exist without registration, neither of users nor of developers. There is zero malware or spyware on the F-Droid store. What there is on F-Droid is thousands of beautiful, useful and, most importantly, safe apps. And this entire ecosystem is at risk, because Google wants to gain more control over its users and over the Android operating system.
F-Droid is in a bit of a bad position to argue here, as it does have a genuine security vulnerability that many choose to avoid the service for. Basically, while they say “our store is safe and contains zero malware” this isn’t necessarily true of the 3rd party repositories you can subscribe to with their app. So, if an attacker compromises the F-Droid app on your device, they can subscribe to their own repository and load malicious apps onto your device through the F-Droid app.
Unfortunately this move by Google is a bit of a death knell anyway. I can’t see governments preventing Google from doing this, particularly not now they’ve established means of access (paying) for data Google holds, and especially since governments (eg UK) are now mandating you install government apps on your phone.
This is circular.
Could be rewritten:
You’ve already lost when they put the first malicious app on.
I disagree with the notion that letting users make their own decisions regarding where to install apps from is a vulnerability. That’s how computers have always and are supposed to work. It’s like saying banking apps are a vulnerability because people can transfer money to scammers through them.
Under this thought process, Linux is the most insecure OS.
Why do you think vulnerabilities and functionality are mutually exclusive??
Of course being able to connect to other repos is a useful function of F-Droid, I use it for several. However, functionality also opens up potential doors for attackers.
The most effective way to secure your device is to limit functionality. Then, it becomes a trade off between what functionality you want or can do without, and what potential risk you’re willing to accept.
It’s easy to ignore risk and enable all functionality, and sometimes that’s nice to do, but you’ve got to find a balance.
My point here is that F-Droid is arguing about their viability because of their security, while running a service that has a known vulnerability.
Google itself has tons of malware in the play store, I don’t buy the security argument.
Yup, that’s a genuine vulnerability.
Then again, the playstore hosts predatory adware that legislation was forced to blunt.
Of the two, you have a higher chance of being scammed/harmed via the official playstore than by fdroid.
Yes absolutely. In fact, you’ve touched on the very issue that people don’t understand with Google - the likelihood of the risk.
Most people think that because the consequence of Google getting your data is low, it’s a lesser risk than a hacker getting into your device (very high consequence). But likelihood is just as important with risk. It’s very unlikely a competent hacker will attack your device (moreso with good practice on your part), so the risk is still low even though the severity is high. But it is an absolute certainty that Google will get your data - so even though the severity is low the risk is still significant, and arguably Google present a more significant risk than a hacker.
I’m not advocating using Google over F-Droid, or that Google’s change here is good, or even lawful. This is a textbook anti-trust type case that the EU prosecuted against in the past. However, unfortunately governments seem gung-ho for this to happen this time around.
All I’m saying is that if F-Droid want to tout the security of their service, they probably shouldn’t leave the door open for attackers to use their app as a vector for attacking devices. Their response to this wasn’t strong enough to justify their implied claim that they are at the forefront of security. They’re much better than Google, sure, but they should be trying harder if they want to lead.
On the contrary - it’s not Google getting one’s data that is to be avoided. They are a law abiding (if law bending) entity.
The issue is there are apps on the store that takes data for third parties, who then proceed to sell that data to threat actors who have a phone number and a user profile (great for scam calls).
The adverts within apps can also be predatory - preying on gambling addiction (I know this for a fact, I worked in the gambling industry), loneliness (AI partner boom), and inexperience (oh god the crypto scams…).
There is a greater probability of issues, but the severity is underplayed if examined without a psychological lense. When this is taken into account - the playstore offers a greater probability of lesser harm, and an equal (or greater) probability of severe harm.
The issue is that Google considers them getting your data as more important than allowing you to evade the data collection of third parties that pay them.
The issue is Google’s profiteering.
Agreed!