This is very scary from a security standpoint.
https://www.xda-developers.com/google-play-apk-replacement-pros-cons
Google pays extremely high bug and security bounties. I’m sure these security concerns will disappear in no time right? …right??
The professional thing to do here is to eliminate the risk. Instead of doing that, they’ve actually created additional risk.
A bug hunt finds the issue after the fact. In this case, it would be per app.
Google needs to mitigate the risk by closing the door on this. They need to find a better way. This method steps across a line that no company should ever do.
Think about it this way. Allowing Google to own the app signature is akin to you calling Google for support about your Gmail account (assuming that one could actually call Google for support, which you can’t) and Google asked for your userID and password. That is another security taboo. Never, ever, ever, give your credentials to anyone, even the vendor of the application.
The application signature is there to prove that the code is from the developer and has not been altered. Taking that away from the developer removes the security that the code has not been altered. There is nothing good about that. It is a very bad idea.
Thanks for posting this, I hadn’t heard of it. What will that do for places like F-Droid, do you think? I only use that, but I do have a few APKs I’ve had installed, but I can live without those.
This is also why I want to know if anyone has used a PinePhone as a daily driver - it’s so close I think. I can buy one as a daily driver, I can’t buy one as a “toy” though. But I am very excited about even more ditching the Google ecosystem if I can.
I’ve been experimenting with the Pinephone as a daily driver on and off using several distros (Ubuntu Touch, Mobian, SXMO, etc.) over the past year.
It is (in my opinion) remarkably unusable as a daily driver even for a tinkerer or someone willing to do a lot of information/bug report digging. There’s so many absolute deal breakers from random freeze ups, terrible battery life, unreliable charging, no incoming texts/calls or alarms if the screen is off for most distros, carrier problems, etc., etc., etc. It’s been war getting this thing to be a daily driver and the closest I got was SXMO which most people will struggle to use.
Until software improves considerably the Pinephone should be considered a good pocket sized Linux device with phone/data capabilities and a way to support growth of the genre.
What the developers do is the big question. I’m hoping that most will say “no way will I ever give access to my private key”. To do so would destroy any trust anyone has in the developer.
Just thinking out loud here, I’ve heard many, some of my friends in the legal side of things, that Google is ripe for a break-up by the Government. They go on to say that Google has too much control over the market and pose anti-trust issues to other companies. I think this is an interesting thought. We’ll see if it ever happens.
@Ulfnic Thanks for sharing that. I’m currently using an iPhone and I absolutely can’t wait to get out of Apple’s closed-source eco-system. I can’t pull myself into buying a new phone when I’m still paying for the iPhone. I love the iPhone itself, but the lack of freedom/limitations of the software…it’s got to go. I could use something Android-based but all of the Google crap would have to be removed. When my iPhone completes its lifecycle I will be looking at what’s available and I’ll review phone friendly Linux distros at that time to see where they are at. Something like SailfishOS, GrapheneOS, LineageOS, and others. But, in the meantime, it is good to hear about others’ experiences.
I have a non-Google ROM and no Play Store, so I’m not Google dependent. There are a few apps I like to have, but thanks @Ulfnic for sharing that it’s not quite ready yet.
Unfortunately I still use several Google store apps, particularly my bank. Definitely not the app I want to use if I can’t trust it.
I don’t have Play, so I am really not asking this to be mean. But what does your bank app do for you that you can’t get by getting on the website from a browser? This is me being an old man of “get off my lawn with your apps” knowing that I’m in the minority…I’m really not judging you!
+1 I personally can’t stand bank apps on my lawn.
The information is formatted a lot nicer for a smaller screen and the fonts are larger. I can also use my fingerprint to login and choose certain information to be visible in the app without logging in.
I try to use Firefox’s ability to turn any website into an app widget, such as this forum, and that keeps me off the Google store most of the time.
At least in a browser I can visibly see that the connection is encrypted. With phone-based apps, I have no idea of what security measures have been taken.
Hmm, I want to get an Android app in the Play Store, but it seems that I have to be quick if I want it to be somewhat provable that it can be trusted to be from me
I would never do banking on my phone anyway.
I guess I mean to say…why are you checking your bank on the go? I can see the app being better than the browser on the mobile.
Various reasons. I buy and sell used items locally and I use my phone to verify payments wherever I happen to be meeting a person. Or I have to split hotel costs with a co-worker for a work trip or something. Little things usually.
IMHO the only function that banking apps serve is mobile deposit, but I can do that on my phone, at home, over WiFi on my own network. Not 100% secure, but that eliminates a lot of other threat vectors.
What would be helpful would be for the banks to allow us to have a read-only account that could be used to check things on the go. That makes too much sense, so it’ll probably never happen.