I don't know, I just tried downloading an APK directly (telegram). Android warns me file might be harmful.
Do you suggest they shouldn't warn someone when they download an APK? It's also browser specific and I imagine all major browser give the same kind of warning because , you know, downloading an APK directly from a website might be harmful.
Why isn't the same warning shown when installing from the play store? Apps installed from the play store can have the exact same permissions as side loaded apps. You can claim that Google vets the apps, but this is pretty much false. Just go make an app and experience the process for yourself, it's laughable. Any checks they perform are automated, and there's no reason those couldn't just run on-device.
And besides, even for side loaded apps they have a database of "bad" apps that get deleted by Google called "play protect"
So you've gone through all the weird flows to accept and enable installing. Now how do you get security updates? Google scares them again every time, even though android apps can already execute arbitrary downloaded unsigned code at runtime (otherwise V8 and other JITs that generate machine code can't work), so it isn't really protecting much and mainly makes things more insecure by not letting you add your own trusted providers permanently for timely updates.
Something like enabling instant apps and play protect scanning for any apk on the web could mean a nicer and safer experience for users. I think people would still use the app stores for their discovery/convenience but safer web installs could be an option for both users and developers.
This model exists on desktops and laptops, where there is signing or browser scanning, just not on mobile.
The difference is that the store includes any amount of heuristic tests meant to scan for malicious activity, and directly installing an APK has no such safety net.
You can argue that the testing Google does is bad or minimal, but it seems like the ideal solution would then be "improve the testing". I'd also prefer to see such tests moved on-device so they could apply to APKs from any source, but I don't know how technically feasible that'd be; depends on how they're doing the testing, I guess.
This puts google in the position of being the arbiter of what testing is "good enough" when they're also one of the supposed competitors. If there's no mechanism by which the other app stores meet the "good enough" bar for testing that would eliminate the dire warnings, then they shouldn't be penalized for not being google.
This is pretty par for the course, though. Who else is incentivized to determine what is "good enough" wrt user experience/safety on Google's platform? Microsoft, Apple, Canonical, Samsung, Steam, Amazon, etc are all the arbiters of what's "good enough" (or safe enough) for their respective platforms (and marketplaces) because it's their brand at bat when something _isn't_ good enough (or safe enough).
"Android" (by Google) takes a reputation hit when someone downloads malicious APKs from anywhere, including Google's store. Google, therefore, wants to reduce the availability of bad apps in their ecosystem; maintaining an app store that enforces their standard of quality is one approach to accomplishing this goal, dissuading unknown apps they can't vouch for is another.
Obviously, there are both pros and cons to these approaches (from both Google and the end-user's perspectives), and they could definitely be improved, but they accomplish a concrete goal of "reduce malware on Android".
> You can argue that the testing Google does is bad or minimal, but it seems like the ideal solution would then be "improve the testing"
Yes why would we believe Google on the APK scanning? There's zero transparency on this subject, zero code shared and the store is visibly full of scams anyways.
This seems necessary and good. There are occasional bad actor apps that slip through Google's app store review process and there are good apps that get sideloaded, but sideloading entails literally zero review. It's entirely up to the user to determine whether they're trustworthy or not, which is a paradigm shift for most who don't think phones could harbor anything worse than just obtrusive ads in apps.
There are plenty of good apps I've sideloaded, but thinking of the majority of the population being relatively tech-illiterate, there's a big difference between a bad actor having to convince someone to change their settings to enable sideloading (despite a big, scary warning) and then convincing them to install an app versus just convincing someone to run/install a random APK. Case in point: a huge percent of the population unknowingly opens and/or installs random bad binaries on Windows every day.
Sideloading (and all that entails) should absolutely be allowed, but the "scary warnings" do a great job preventing a huge portion of people from unknowingly opening a huge threat avenue to some of their most valuable devices/information.
> There are occasional bad actor apps that slip through Google's app store review process
It happens on a regular enough basis that consumer tech sites are warning users to be careful of what they install from inside Google's walled garden.
>With malicious apps infiltrating Play on a regular, often weekly, basis, there’s currently little indication the malicious Android app scourge will be abated. That means it’s up to individual end users to steer clear of apps like Joker. The best advice is to be extremely conservative in the apps that get installed in the first place. A good guiding principle is to choose apps that serve a true purpose and, when possible, choose developers who are known entities. Installed apps that haven’t been used in the past month should be removed unless there’s a good reason to keep them around.
this makes sense. Users who don't know what they are doing should be dissuaded. Those that do know what they are doing will not be dissuaded. Given the potential security consequences the warning approach is entirely appropriate.
...and is also appropriate for apps from the Play store. Google certainly isn't guaranteeing otherwise. If malware slips through, they will take no responsibility.
They currently have it both ways: 3rd party app stores get scary warnings front and center, whereas Play store gets the scary warnings and disclaimers of responsibility buried in TOS.
Do you suggest they shouldn't warn someone when they download an APK? It's also browser specific and I imagine all major browser give the same kind of warning because , you know, downloading an APK directly from a website might be harmful.