It's hypocricy if they let these malicious devs keep publishing but keep harassing non-malicious developers with things like "How dare you have a Donate button in your app".
It seems like at least some of these apps might be using these vulnerabilities without even being aware of it, as the offending code is in third party libraries. Game devs grabbing mac addresses via Unity's API, for example, may not know that that information is supposed to be restricted on Android.
> some of these apps might be using these vulnerabilities without even being aware of it, as the offending code is in third party libraries
I'll assume by vulnerabilities you meant to say exploits. Given that: True but so what. This is criminal behavior. Using criminal libraries makes you complicit and a co-conspirator.
They aren't reliably determining violations of current absurd rules and people's apps get hit all the time for no good reason, so basically they could just continue doing what they've done so far.
If these apps get banned because they use poor dependencies, maybe better dependencies will become popular, and developers will also have a reason to be more aware of what code they are using.
Sure. And if an app intentionally exploits that vulnerability to bypass the permission system, its developer should no longer be able to publish in the Play Store.
To be fair, denying application knowledge of _device own_ MAC address is beyond absurd. If Google really wants that, they should buy their own MAC block, and regularly rotate the addresses within it when network is off.
A lot of Android own APIs (such as Wi-Fi P2P and Bluetooth) are built on implicit assumption, that application developer knows MAC address of device it is running on. Instead of fixing those APIs, Google now requires everyone using them to request Precise Location permission from user _and_ enable a Location Toggle in device settings. This is pure harassment.
An app developer being able to uniquely identify a device across applications has been considered a privacy violation for well over a decade. Even Microsoft in the Windows CE days made it hard for an app to uniquely identify a device.
The idea itself isn't bad, but Google's implementation of it is terrible. Good actors are forced to show security prompts, that literally scream "this application is malware!!". Bad actors enjoy ability to share MAC/IMEI/whatever with each other and skip whole "prompt for irrelevant permission" nonsense. They don't even particularly care about reading hardware addresses — why bother, when you can embed something like fingerprint.js and automatically identify every single device in existence!
If Google does not improve their P2P networking APIs, everyone may end up eventually integrating some Chinese spyware library, because it is the only approach that does not suck (and there is apparently no penalty for doing so).
Usually apps that exploit flaws in Android are even labeled malicious and actively removed from all devices, this might be even better than just perma-banning the developers.
> If the app can get around the permission system - it’s a vulnerability in Android
That's the same argument as saying that if someone can use a baseball bat to smash in the window to my car, it's a vulnerability in the auto manufacturers glass manufacturing and should be their fault and not that of the car thief. It's an absurd and ridiculously nonsensical argument in defense of criminals.
There's also the concept of white, grey and black hats. Just because someone finds a vulnerability doesn't make it okay to abuse it. The right thing to do is to disclose it, and businesses like Google do benefit from incentivizing it.
Alibaba does no effort to conceal that they target ads by IMEI.
Browse Alibaba app*, search something. Do factory reset, make new account, and the first thing you will see after logging in with new acc will be your products from your last search.
Moreover, Alibaba's app will refuse to work if you block IMEI retrieval, or if they detect some kind of spoofing
edit, made it clear that it is the app, not website that links you by imei to your previous accs and history
You know, maybe they should. Same for LinkedIn (assuming they're still doing dirty tricks). Maybe it's time for major app devs that exploit security holes in released applications to get the ban hammer, and show smaller devs it won't be acceptable and have less excuse if/when it happens to them.
How does that work? None of the methods described in this paper seem like they'd work with _websites_. They all seem to rely on permissions only available to native apps.
Belated edit: Anything that does something that you don't want, while pretending to be something that you do want, is malware. Especially if it goes out of the way to do that, evading limits, and hides what it's doing.
Even Unity? Their CEO says half of all games are built on that. I imagine users would riot if most games were to simply disappear tomorrow.
Or more likely, since it’s Android, the first thing everybody would do is switch to the App store that has all the software they want, even though they know it’s bad.
Yes, even Unity. Unity goes out of its way to get information that it does not have permission to acquire or transmit. It looks like knowledge of this is limited to a few developers who are "in the know" and I would not be surprised if Unity has given that info out to large licensees who have mentioned a need to uniquely identify players without permission.
There's something a lot of people don't know about Unity the company - they are awful. Difficult to work with, constant rumors about managerial scapegoating, questionable sales tactics.. the recent news about the allegations against the CEO didn't surprise me in the slightest.
I don't work with them closely, but I work with them closely enough that I've recommended that my employer cease all interaction with them, including further license purchases. That's how bad the taste in my mouth is after I deal with them interactively in any capacity.
The entire Android ecosystem is about abuse. Banning these apps won't help. Google legitimized surveillance capitalism that is the worst that could have happened.