by 1nverseMtx 2793 days ago
This is the top download list for last week: https://en.aptoide.com/apps/local/more?period=7d

Note all the high profile apps like Google Photos, Nest, WhatsApp, Instagram? None of these have been uploaded by Google, FB, etc. These could easily have been modified to include additional malicious code to steal your personal data.

None of this is mentioned of course in the press. But it seems like this company mainly survives on copyright infringement and serving malicious apps.

4 comments

APKs are signed. There's no explicit public way to check ownership of a key, but comparing the public keys to those on the same app retrieved from the play store works.
If there’s no way to check ownership any properly resigned malicious apk would still not be distinguished from a real version.

According to the comments below currently the only way to notice a malicious but signed app would be updating an existing version from the play store. That requires access to the play store and installing an app from there first.

Allowing random 3rd parties to publish high profile apps stolen from the Play store seems a very bad idea. Especially if the OS doesn't check the APK signature against that same play store.

Looks definitely very shifty, almost feels like seeing used needles in a public toilet.
> None of this is mentioned of course in the press. But it seems like this company mainly survives on copyright infringement and serving malicious apps.

They aren't serving the apps, and you would expect ads if that were their business model. They developed free software to make app stores, and their business is making app stores for people.

Bear in mind https://www.apkmirror.com/ is a totally legit site run by Android Police, which also gives you all the APKs you need to sideload official apps from Google, Facebook, etc. See https://www.apkmirror.com/apk/google-inc/ to get an idea how much they have and how convenient it is.

Most people accept that "free" apps should be able to be installed any way that people like. The difference is that Google doesn't consider their apps to be "free", they're a licensed component of Google Apps, which manufacturers license for their phones.

> Most people accept that "free" apps should be able to be installed any way that people like.

That doesn't make it legal or safe. Re-distributing copyrighted material is questionable even in Portugal.

But more importantly there's no guarantee the app binary was not modified and repackaged to include malicious code.

It is very easy to verify these apps have not been modified if you also have access to a known good copy of the same app. Install known good copy -> install suspect APK as upgrade -> signature check performed on upgrade verifies that it was signed with the same key as the old version, so if the upgrade succeeds there has been no modification.
Actually Google is adding a way to verify it came from them:

https://android-developers.googleblog.com/2018/06/google-pla...

They specifically cite being able to do this peer to peer.
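A worked version of the check the comments above describe (same signing certificate as a copy you already trust, which is also what Android compares before accepting an update), added here and not part of any comment: it reads the JAR (v1) signature blocks from two APKs, hashes each signer certificate and compares the sets. The APKs, PKCS#7 shells and "certificates" are constructed in the block; it covers only the v1 scheme and does not verify the signature itself, so `apksigner verify --print-certs` remains the authoritative tool.

```python
import hashlib, io, zipfile

def der_children(buf):                                      # -> [(tag, inner_value, raw_tlv), ...]
    out, pos = [], 0
    while pos < len(buf):
        tag, length, start = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                                   # long form: low 7 bits = count of length bytes
            n = length & 0x7F
            length, start = int.from_bytes(buf[start:start + n], "big"), start + n
        end = start + length
        out.append((tag, buf[start:end], buf[pos:end]))
        pos = end
    return out

def pkcs7_cert_fingerprints(pkcs7):
    """SHA-256 of every DER certificate carried in a PKCS#7 SignedData blob (META-INF/*.RSA)."""
    _, content_info, _ = der_children(pkcs7)[0]             # ContentInfo SEQUENCE
    _, explicit0, _ = der_children(content_info)[1]         # [0] EXPLICIT wrapper after the signedData OID
    _, signed_data, _ = der_children(explicit0)[0]          # SignedData SEQUENCE
    for tag, value, _ in der_children(signed_data):
        if tag == 0xA0:                                     # certificates [0] IMPLICIT SET OF Certificate
            return {hashlib.sha256(raw).hexdigest() for _, _, raw in der_children(value)}
    return set()

def apk_cert_fingerprints(apk):                             # apk: path or file object; v1 signature blocks only
    fps = set()
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps |= pkcs7_cert_fingerprints(z.read(name))
    return fps

def same_signer(known_good_apk, suspect_apk):
    # True only when the suspect carries exactly the certificate set of the known-good copy
    good = apk_cert_fingerprints(known_good_apk)
    return bool(good) and good == apk_cert_fingerprints(suspect_apk)

# Constructed sample input (not real APKs): minimal PKCS#7 shells around dummy "certificates".
def _der(tag, *kids):                                       # short-form lengths suffice for the sample
    return bytes([tag, sum(map(len, kids))]) + b"".join(kids)

def fake_apk(cert_der):
    oid = lambda h: _der(0x06, bytes.fromhex(h))
    # SignedData = version, digestAlgorithms, contentInfo (id-data OID), certificates [0], signerInfos
    signed = _der(0x30, _der(0x02, b"\x01"), _der(0x31), _der(0x30, oid("2a864886f70d010701")), _der(0xA0, cert_der), _der(0x31))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:                    # ContentInfo = id-signedData OID + [0] EXPLICIT SignedData
        z.writestr("META-INF/CERT.RSA", _der(0x30, oid("2a864886f70d010702"), _der(0xA0, signed)))
    return buf

PLAY_STORE_COPY = fake_apk(_der(0x30, b"developer cert A"))  # installed from Google Play
MIRRORED_COPY = fake_apk(_der(0x30, b"developer cert A"))    # redistributed unchanged, same signer
REPACKAGED_COPY = fake_apk(_der(0x30, b"unknown cert B"))    # modified and re-signed by a third party
```

Run against real files, `apk_cert_fingerprints("app.apk")` yields the same SHA-256 digests that `apksigner verify --print-certs` prints for v1 signers.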

How do you get access to a known good copy of the app?
Especially since the normal use of an APK intermediary is that one does not have access to a known good source such as Google Play.
Android apps are generally signed by the developer in question. APKMirror verifies the apps they distribute are signed by the original developers.

Legality of distributing "free as in beer" stuff that isn't "free as in speech" is always an interesting topic; in the case of Europe, I suspect we'll see more revision on that front as these cases regarding the Play Store and the license changes develop. It's possible, for instance, that the EU might feel that preventing sideloading of a Google app "ties" it to the Play Store in a way they find distasteful.

It's interesting to me that as of yet, Google has tolerated APKMirror, likely because it's run by Google/Android enthusiasts, and not intended for circumventing Google's business model. I'd be very curious how Google distinguishes Aptoide as something to be stopped, but APKMirror as something to be permitted.

The apps are signed. If you modify them and try to install an updated version on top of the one you already had from the Play Store, it will not match the signature and fail to install.
To play devil's advocate, I can just as easily install LineageOS and then install Google's apps.

https://www.xda-developers.com/google-blocks-gapps-uncertifi...

As Google seems to explicitly allow that, does it actually matter if I download opengapps and flash it myself versus getting it from APKMirror or Aptoide?

Presumably, if you bought a phone that originally had the Play Store and then flash it with Lineage, Google has licensed that phone already to run Google Apps. The preloading agreement with the manufacturer, which is what this license scheme is designed to protect, is still working as intended, so Google has no reason to intervene.

Google's behavior would also generally lead one to believe they are not concerned about what enthusiasts/tech pros do with their phones, as that's a niche quantity of users who don't really negatively impact their bottom line. They're chiefly concerned with ensuring manufacturers are only selling devices with their apps installed and set as default.

I agree they are chiefly concerned with manufacturers. However, if a user bought a phone from a device manufacturer that did not license it, from that article, it seems like they can still license it themselves. However, that opens up the idea that if that becomes more widespread, then they would lock down this "loophole".

I mainly bring it up as if an app is "free" (as in beer), does it really matter where you get it from (assuming it is untampered with)? I know they can forbid redistribution in their ToS, but is that actually enforceable legally?

Yes. Illegal redistribution violates the owner's copyright (in its absolute literal sense). While there may be no actual damages, a country might allow for statutory damages to be sought after. For example, the US allows for such statutory damages:

https://www.law.cornell.edu/uscode/text/17/504