by eMGm4D0zgUAVXc7 1608 days ago
The thread does not seem to answer the most interesting question:

Is it really possible for app developers to leave out permissions in the list of requested permissions on Google Play and then get them nevertheless when the app is actually installed?

See my other reply for a more lengthy description: https://news.ycombinator.com/item?id=30126488


Another question would be: If Google gives me an app from their official Play Store, on their OS, should they be considered responsible for any loss that it causes to bank accounts, or have we given up on accountability for big corps? Hope regulators are sleeping well.

I'm not sure why Google should be any more or less accountable than Microsoft when malware lands on a Windows PC.

Both provide some minimal level of malware protection but make no guarantees and rely on users to scrutinize app sources.

Apple makes somewhat stronger claims of protection so there may be an argument for a higher level of responsibility on iOS and MacOS:

>...users can access these apps on their Apple devices without undue fear of viruses, malware, or unauthorized attacks....

>...all apps are sandboxed—to provide the tightest controls...

>...helps to ensure that these apps are free of known malware...

>...macOS includes state-of-the-art antivirus protection to block—and if necessary remove—malware. [0]

I'm still not sure that a claim of legal liability would hold up in court though.

[0] https://support.apple.com/guide/security/app-security-overvi...

That is not a fair comparison. A better one would be versus Apple store or MS' one.

And yes, I think MS should be responsible for apps they are selling. As well as Apple or Google.

Hiding behind ads and pretending it is not a proper sale and that they are mediators or whatever is BS.

We're talking about two different things.

You're saying they should be responsible. Ethically? Legally? I'm not sure which you mean, but probably both.

That's not the question I was answering though. That question didn't specify the flavor of responsibility, and I chose to answer it from a mostly legal perspective, which is that as things stand they are probably, mostly, not liable.

Traditional retail liability is probably the best place to look in this case. A store can be liable for the products it sells, but if it makes reasonable efforts to determine product safety then those are difficult cases to win unless you can show that the retailer knew, or should have known, that the product was defective or unsafe. One black & white example of that liability would be selling alcohol to underage kids who did not present any ID, or gave a fake ID.

I think "reasonable precautions" is probably the best rule from a practical standpoint. But I'm not otherwise going to address where the line should be drawn on "reasonable" precautions. That's a complex question, individual examples and product classes would vary, and there are plenty of expensive court cases that have not yet produced a universal "bright line" standard for defining "reasonable" precautions.

Your thinking is kinda bizarre - why do you demand accountability from the store, not the author/creator of the malware app?

For other products the accountability is always on the manufacturer/creator of the product - why, in software, do you all demand that big tech censors and polices what you're allowed to consume instead of actually punishing the wrongdoers who created malicious and dangerous software? Why can they just get away with zero accountability and you don't even spare a millisecond of thought?

Well, for one thing it's because I am forced to keep the Play Store on my phone without being able to uninstall it, along with Google Play Services, and also they are vetting all apps that get to the Google Play Store, and also the fact that they continuously bust balls justifying the existence of their ecosystem with the safety and security of devices. Are they allowed to have it both ways? So we need to keep them because of safety, but like not really safety? More like safety of the income stream for their shareholders?

In the UK, consumer product liability is with the vendor. They will usually recover the costs from the manufacturer, giving them an incentive to deal with reputable companies. As a consumer I don't have to care about the vendor's suppliers.

Why should software be different?

Because it's a different relationship model? With a regular product the thing the consumer interacts with never changes. With software the user is able to make it do wildly different things, stuff neither the manufacturer (Samsung, HTC, etc.) nor the software vendor (Google) could envision, including running exploits in the software to do things the user didn't even intend.

You raise some good questions about the locus of liability and responsibility.

I’d encourage you to do it without insulting the other participants on HN.

Spare a millisecond of thought for how your tone shapes the culture here.

They charge 15-30% of the revenue so they should also be responsible. If they had offered a free service then no.

All stores charge a markup.

No they don’t. Physical stores pay volume rates to the manufacturers. They own the inventory and resell it at a markup or a loss. The app stores do something totally different. They allow “manufacturers” to list the item directly to the consumer and charge 30% in money transmission (legal term) fees. They are basically offering the same service (and licenses) as Western Union (or stripe connect), just on a larger scale and more integrated.

Whether they are actually legally set up that way (or not) I don’t know. I did go down this rabbit hole 10-15 years ago to do something similar with a lawyer.

What could be interesting is if some states/countries have limits on the fees a money transmitter can charge and an app company sued for them operating illegally.

From a consumer POV it's the same as physical stores, regardless of how they acquire the product. Walmart has an average 32% markup and Target 46% [0]. Is Target now liable for anything they vend to you that does something malicious?

0: https://www.retailcustomerexperience.com/news/investor-blog-... (the original marketwatch article is unavailable).

there are no more half-seasons
Google is complicit in this by their refusal to ban larger app developers that create malicious apps. Google may kick the malicious app off the Play Store for a couple of weeks and make the developer remove the malware (or obfuscate it better), but then allows the app(s) back onto the Play Store.

I'm not aware of Microsoft ever being sued about the loss of malwares on Windows.
Windows is not vetting all apps, and is not forcing you to bribe them with 30% of your sales to be on a store fully controlled by them.

But yeah, I think making corps accountable would be of great benefit to IT. If we start hitting them in the wallet, I guess that's the only way to make security escape conferences and make it to software companies' HQs.

I get to pay a corp to get a shitty product that subjects me to all sorts of security issues, without being able to blame it on anyone, and in the end I also have to pay with my time because manager X didn't think it was important to deliver a safe product. So yeah, I want to be paid for the time I have to spend fixing corps' shit.

> Windows is not vetting all apps

Actually, I'm pretty sure there has been some stuff that Microsoft signed, for which MS is paid (not 30% sure), that was malware. But I'm too lazy to find it.

*loss from malwares on Windows.

Then again, taking the thought experiment of your comment as written, can a malware dev sue M$ for Windows Defender blocking and/or removing their software?

Also, "being sued" isn't a very strong litmus test on its own. Anyone can be sued for anything at anytime.

No it's not possible.

Google Play hides some permissions on its own, but only very basic ones (like the one allowing access to the internet). That's it.

The dangerous permissions mentioned in the article need to be manually enabled by the user, after installing the application.