You might sideload an Android app, or manually install its APK package, if you’re using a custom version of Android that doesn’t include Google’s Play Store. Alternately, the app might be experimental, under development, or perhaps no longer maintained and offered by its developer. Until now, the existence of sideload-ready APKs on the web was something that seemed to be tolerated, if warned against, by Google.

This quiet standstill is being shaken up by a new feature in Google’s Play Integrity API. As reported by Android Authority, developer tools to push “remediation” dialogs during sideloading debuted at Google’s I/O conference in May, have begun showing up on users’ phones. Sideloaders of apps from the British shop Tesco, fandom app BeyBlade X, and ChatGPT have reported “Get this app from Play” prompts, which cannot be worked around. An Android gaming handheld user encountered a similarly worded prompt from Diablo Immortal on their device three months ago.

Google’s Play Integrity API is how apps have previously blocked access when loaded onto phones that are in some way modified from a stock OS with all Google Play integrations intact. Recently, a popular two-factor authentication app blocked access on rooted phones, including the security-minded GrapheneOS. Apps can call the Play Integrity API and get back an “integrity verdict,” relaying if the phone has a “trustworthy” software environment, has Google Play Protect enabled, and passes other software checks.

Graphene has questioned the veracity of Google’s Integrity API and SafetyNet Attestation systems, recommending instead standard Android hardware attestation. Rahman notes that apps do not have to take an all-or-nothing approach to integrity checking. Rather than block installation entirely, apps could call on the API only during sensitive actions, issuing a warning there. But not having a Play Store connection can also deprive developers of metrics, allow for installation on incompatible devices (and resulting bad reviews), and, of course, open the door to paid app piracy.

    • @[email protected]
      link
      fedilink
      English
      610 months ago

      I hate having to be on the side of “Defending” google… but this is the app makers fault, They are the ones using whats provided and installing the artificial limitations.

      Google just provided the capability to do it. The app makers are executing it.

  • @[email protected]
    link
    fedilink
    English
    110 months ago

    This explains why I couldn’t install retroarch on the GalaxyS24 Ultra of a friend via apk or google play store. Would not work, but somehow the Galaxy store version worked….

  • @[email protected]
    link
    fedilink
    English
    2010 months ago

    which cannot be worked around.

    Well, at least not without root lol

    Root detecting apps to Side loading detecting apps:

    First time?

    • @[email protected]
      link
      fedilink
      English
      3
      edit-2
      10 months ago

      “root access is used to bypass security measures!!! We will make it harder to root your phones to keep your data safe” – Google

    • @[email protected]
      link
      fedilink
      English
      10
      edit-2
      10 months ago

      I installed FakeStore and set the app’s relevant /data/system/packages.xml properties from Aurora Store to FakeStore (installer="com.android.vending" packageSource="0" installInitiator="com.android.vending", the same as Google Play Store) and rebooted, which was enough to fool the public transport app I’m using. Is this the workaround you’re talking about, or does it require MicroG too?

      • @[email protected]
        link
        fedilink
        English
        410 months ago

        Yea that sounds about right, really hiding root is straight up magic as is (even though it’s a cat and mouse game lol) and achieving that is 98% of the hard work of hiding the fact an app has been sideloaded. Short of a complete overhaul from Google where they actually try that is.

        Which, if I’m being honest, doesn’t seem like they are. It seems like a rather simple system all things considered. There’s no Playstore specific keys or signatures or file checks or hashs as far as I can tell. Its just a flag and checking if Playstore exists on the device at all

  • @[email protected]
    link
    fedilink
    English
    209
    edit-2
    10 months ago

    This seems like a brilliant feature to roll out as they’re getting investigated by the DOJ for being a monopoly.

    • lemme inOP
      link
      fedilink
      English
      2910 months ago

      Google : “You don’t own your phone, we own you.”

    • @[email protected]
      link
      fedilink
      English
      8810 months ago

      Also, didn’t the EU declare that Apple needs to allow other app stores on their devices?

      This seems like a bonehead move all around…

      • @[email protected]
        link
        fedilink
        English
        410 months ago

        In this case, it seems like it’s the app makers themselves who are requiring the Play Store, though. Unless I’m misreading this, the developers are using the Integrity API to determine if the app was installed through “official channels” (in this case, the Play Store). Feels like people should be upset at the companies behind the apps, here.

        • @[email protected]
          link
          fedilink
          English
          110 months ago

          Okay. Then either use older backup versions of those apps before the requirement of the Play Store, or just quit using those apps and services and switch to less enshittified apps and services.

          Easier said than done these days, I know…

        • @[email protected]
          link
          fedilink
          English
          910 months ago

          Yes, I know. The point is that people seeking privacy eventually won’t be able to use their banking apps and other online financial accounts unless they’re signed into Google Play to ‘authenticate’ the app.

          AKA force you into letting them steal more of your private info…

          • @[email protected]
            link
            fedilink
            English
            4
            edit-2
            10 months ago

            I kinda understand it from the bank’s perspective… They need to reduce risk which is why a lot of banking apps check if the phone is rooted (if it’s rooted, how can you be sure that a malicious app with root access isn’t patching the app in memory and redirecting transfers to a different account?)

            Having said that, I really don’t think they need to restrict it such that the app can only be installed through the Play store, as long as the app is properly signed and uses certificate pinning to prevent MitM attacks.

            • sunzu2
              link
              fedilink
              310 months ago

              Fidelity apps doesn’t require any of this shite?

              But some shiti cash-app does?

              I wonder why 🤔

    • @[email protected]
      link
      fedilink
      English
      1810 months ago

      This has almost nothing to do with Google, it’s a feature that has to be enabled by the app developer. Meaning they want to exclude users getting the APK for their app from elsewhere.

      • @[email protected]
        link
        fedilink
        English
        46
        edit-2
        10 months ago

        Kinda. It might be 3rd parties using it but it is 100% an API designed by Google to keep apps on Google Play.

        • @[email protected]
          link
          fedilink
          English
          710 months ago

          For all we know it could have been requested years ago by developers who have apps that get pirated but there was no mechanism in place to implement it at the time, and wasn’t a priority.

          Just because it’s beneficial to Google maintaining more direct control now, that doesn’t necessarily mean that’s the origin.

          • Madis
            link
            fedilink
            English
            1910 months ago

            Well, there is a separate system for pirating prevention, the Google Play license check. That has existed for years.

    • @[email protected]
      link
      fedilink
      English
      1310 months ago

      I unironically think so. It offloads the blame onto individual app developers. Google can turn around and say oh well it’s what the market wants

  • Riley
    link
    fedilink
    English
    28410 months ago

    If the Play Store becomes required like that then Android’s already-shaky status as an open source base platform is going to go out the window. I’m glad there are non-Google distros of Android but there really needs to be more of a push to make a completely FOSS phone platform.

    • @[email protected]
      link
      fedilink
      English
      910 months ago

      There are Linux mobile operating systems like PostmarketOS, but they are too early in development to be used by most people.

    • @[email protected]
      link
      fedilink
      English
      2710 months ago

      The more I think about it, this may finally convince me to…shudders…switch to an iPhone. I’ve always stayed on Android because despite the recent Google bullshit, it still for the most part lets me do whatever. Side-loading apks is a huge part of that.

      If it’s turning into a shittier iOS clone, what’s the point?

      • @[email protected]
        link
        fedilink
        English
        1810 months ago

        Don’t do IOS, it’s such a pain. It took us 2 days to figure out how to play an audio book file that I was able to download an F-droid app for and play in like 3 minutes.

        • @[email protected]
          link
          fedilink
          English
          9
          edit-2
          10 months ago

          Yup that sounds about right for iOS.

          Meant more that if Android ends up in the same boat (and by the looks of it, that’s exactly what Google and Samsung want), then iOS starts to look viable because the situation becomes: all the same bullshit but iOS is polished to a shine.

          Don’t plan on switching phones until my less than year old Note 9 kicks the bucket 😅

    • @[email protected]
      link
      fedilink
      English
      810 months ago

      Seems stupid of them to crackdown on sideloading given their recent and ongoing monopoly spanking.

    • @[email protected]
      link
      fedilink
      English
      7410 months ago

      There are Linux phones available. I,m going to guess popularity of those devices to increase soon.

      • Dizzy Devil Ducky
        link
        fedilink
        English
        1910 months ago

        Sadly the only people who would switch over to an actual Linux phone would be the people like the stereotypical Linux using Lemmy user. The average android user would just continue on like nothing happened because they’re not tech literate enough to know what’s going on or why they should care.

        • @[email protected]
          link
          fedilink
          English
          110 months ago

          Hey! I bought this android cus Im Tech literate u-u

          Though im not one bit familiar with Linux.

      • @[email protected]
        link
        fedilink
        English
        2110 months ago

        I,m going to guess popularity of those devices to increase soon.

        I don’t want to be pessimistic about it, however I think it’s gonna be like Windows: enshittification will happen, but inconvenience is “too small” for people that they’ll rather check for a workaround than leave the platform.

        My guess is that we need something more appealing like the Steam Deck to make people take the step.

        • @[email protected]
          link
          fedilink
          English
          1610 months ago

          My guess is that we need something more appealing like the Steam Deck to make people take the step.

          Hear me out! The Steam Phone®!

          • @[email protected]
            link
            fedilink
            English
            1410 months ago

            Steam’s UI is tolerable, but inconsistent. In a SteamDeck, OK, but in a phone? Idk.

            I get that this isn’t meant that seriously.

        • @[email protected]
          link
          fedilink
          English
          910 months ago

          I’d be happy with 2010 era desktop Linux level of support. It doesn’t need to get everybody to switch, just needs to be good enough for my needs.

      • @[email protected]
        link
        fedilink
        English
        13
        edit-2
        10 months ago

        But part of the appeal of Linux is the fact that you can repurpose existing computers running other OSes to run Linux instead. This is a great way to lower the barrier to entry for Linux, because it’s easy to test it on a Live USB or a dual boot. It’s much harder to do this on phones because they have locked bootloaders.

        Another problem is that phones are not productivity devices - they’re consumption devices. Maybe this is just my personal bias, but I don’t think people will be as passionate about liberating their phones because they’re inherently less useful than computers. Convenient, yes, but useful? Not as much.

        That said, I would love to be proven wrong. I would definitely consider a Linux phone if they become more popular/useful, but I can’t really justify spending hundreds of euros/dollars on something for which I don’t see any particular use.

      • TXL
        link
        fedilink
        English
        8
        edit-2
        10 months ago

        There aren’t, really. There are a few antiques and half baked things.

        A big problem is that these days, unless you’re the size of Apple or Samsung, it’s impossible to get a reasonable hardware soc and modem other than one which only runs a soon obsolete blob laden android which is going to be EOL before you’ve even finished your design.

        The hardware is not there. The firmware/hw data/platform isn’t there even to begin OS work with. And there’s a global shipping, regulation and mobile operator hell waiting on the other side. And a product lifecycle that’s only a few years long.

        Yes, I’ve worked for phone manufacturers.

      • Snot Flickerman
        link
        fedilink
        English
        5710 months ago

        That was the hope with Android, too.

        The problem is that as the OS is “free” that means it costs less functionally for the device manufacturer to get an OS on the device, so now they can pour more money into bloatware.

        Android was supposed to stop bloatware but all it did was enable it.

        Even without a forced “store” Linux is prey to the same issue of piecemeal support from various vendors all with in-house solutions that all stink.

        • @[email protected]
          link
          fedilink
          English
          11
          edit-2
          10 months ago

          At this point, even that would be preferable.

          Your right, any open platform will be bastardized eventually, but that doesn’t mean there isn’t still a need for “resets”.

          There is no perfect platform for escaping it, because the market forces will always adapt and assimilate. The only true escape is to keep moving.

          That’s why it’s important for users to be hermit crabs, and move to the next thing, no matter how janky, because they will at least be able to influence it positively and have a relatively open platform for a number of years. Then the cycle repeats.

          If propping up Linux phones will get us the open platform we need, even if only temporarily, we should do it.

          The issue I think is that the current trends in all consumer software are increasingly user hostile, and the major platforms are creating ecosystems to support this. It’s become the norm now to be able to directly control the usage of the software on consumer devices. Apple has normalized this, Google and Microsoft followed.

          At what point will developers refuse to even create software for a system that doesn’t allow them that control?

          Look at how many developers out there absolutely jerk themselves raw at the idea they should be able to compel users to update to continue using their software. Look at how many believe the modern security culture fallacy that handcuffing users and throwing away the key is the only way to protect them.

          It’s a development culture issue. Respecting user control of their own device is no longer in vogue.

      • @[email protected]
        link
        fedilink
        English
        1610 months ago

        Linux isn’t even popular on desktop. No way a mobile version becomes popular without some massive shifts in Linux ideology and culture.

      • Vik
        link
        fedilink
        English
        3810 months ago

        As much as I want that to be the case, I don’t think full mobile gnu+Linux is really ready to use daily?

        I haven’t exactly been keeping up with things, mind you

        • @[email protected]
          link
          fedilink
          English
          29 months ago

          I used it as my daily phone for months, and… well, I’m willing to deal with the problems. Without pretty careful battery management it’s not feasible, and it’s hard to manage your battery given the glitches. I often found my phone dead after a couple hours because it woke the screen immediately after I locked it because… reasons, and then kept it awake until the battery died. The biggest issue aside stuff like that (small issues that cause big problems), the biggest issue was I couldn’t get a map app working. There are some distros with working maps, none for my phone. Also call quality was horrendous. Like. I’m known for being able to tolerate bad quality, but this was, at times, about as bad as I remember my firefly phone being when I was 12, and I could not feasibly understand people at times with that thing.

          But the only reason I stopped using it was because the wifi isn’t working on it. Once I get that back up and running I’ll likely switch back to it. As bad as it can be at times, I still feel more comfortable having that as my primary phone than my Android.

          • Vik
            link
            fedilink
            English
            29 months ago

            Really appreciate the insight

        • @[email protected]
          link
          fedilink
          English
          1110 months ago

          I sub to a few mobile Linux feeds and I want but don’t at all think mobile Linux is ready, even for tech devotees. Too battery hungry, not enough ease of use, missing functions, etc. And that’s not including lack of apps.

          Sailfish gets closest so far I think. But yes, not ready. Ubuntu touch last time I tried is fine but still a bit out of sorts.

        • @[email protected]
          link
          fedilink
          English
          510 months ago

          Yes. I think a huge issue is Linux doesn’t handle other app activities like how Android’s Intent or Broadcast does.

        • @[email protected]
          link
          fedilink
          English
          210 months ago

          Just a note, one of if not the most popular mobile Linux distro is PostmarketOS, which is not GNU (it’s based on Alpine)

          • Vik
            link
            fedilink
            English
            110 months ago

            Good to know, that’s not the one I had in mind, however.

            For whatever reason I thought PMOS was based on Manjaro. Could be something as silly as associating one green logo with another.

    • @[email protected]
      link
      fedilink
      English
      110 months ago

      If someone would be buying those, someone would be selling. You have all the opportunity to fork current android, put it on a different platform, make sure all the drivers are open source instead of blobs, and sell it.

      I’d really want to buy one. But I’ll only do that after you somehow make sure the 3-5 major messaging apps, 2-3 major browsers, and a really good maps app are available.

      So, basically, it’s a 100 mil endeavor for an MVP really. So, I think, the chances of someone actually pulling it off are pretty slim.

  • subignition
    link
    fedilink
    English
    5110 months ago

    It’s not like dedicated people aren’t going to be able to just patch out the calls to this API from the apps themselves…

    This feels like yet another attempt at DRM that is doing more harm than help.

    • @[email protected]
      link
      fedilink
      English
      110 months ago

      Why would that be possible? Wouldn’t the developer have their server rejected any calls from “unsigned” apps?

      • @[email protected]
        link
        fedilink
        English
        1
        edit-2
        10 months ago

        Possibly, but many apps don’t actually need to phone home to function.

        Of course that doesn’t stop developers arbitrarily requiring it.

      • subignition
        link
        fedilink
        210 months ago

        If functionality exists in the client app, there’s nothing to be done to stop someone from bypassing checks.

        Looking into it further this looks like it’s an API between the backend of a service and Google though. That would be difficult to defeat, but you could probably spoof the identity of the requesting device with enough effort

    • @[email protected]
      link
      fedilink
      English
      910 months ago

      Indeed, I already bypass SafetyNet and Play integrity with some kind of xposed module, I don’t expect this to change.

      • @[email protected]
        link
        fedilink
        English
        610 months ago

        Whoa, is Xposed still a thing that works? Had to use Magisk instead to get the safety net stuff working on Lineage OS android 11

          • @[email protected]
            link
            fedilink
            English
            210 months ago

            Huh…the more you know. I just assumed Magisk was a spiritual successor, apparently I misunderstood how any of it works.

      • @[email protected]
        link
        fedilink
        English
        210 months ago

        Can you tell me which modules you use? I am trying to pass SafetyNet on Waydroid but can’t pass even basic integrity.

        • @[email protected]
          link
          fedilink
          English
          310 months ago

          I’ve used Magisk with the safetynet module + hiding root from apps with like a 95% success rate. Quick search for “magisk safetynet” and look at the xdadevelopers threads

  • @[email protected]
    link
    fedilink
    English
    54
    edit-2
    10 months ago

    What’s the point of having an android phone then? I fucking hate android so much, but I only use it, not iOS, because of sideloading. Of If they take that away from us then why not just get an iPhone then? Our only hope is Linux phones picking up a little.

    • 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍
      link
      fedilink
      English
      810 months ago

      F-Droid

      Most of the apps I have and use are installed via Droidify. The ones that aren’t are company apps, like banking or airline. I could just used the web sites for those; they’re only conveniences.

      My phone isn’t rooted, and I didn’t read the article so I don’t know how this will affect me. If push comes to shove, I’ll simply bite the bullet and get a phone I can install Linux on next time, regardless of how polished for daily driving it is.

      • @[email protected]
        link
        fedilink
        English
        310 months ago

        Right on. I do use F-Droid and droidify. I also use Obtanium. Linux phone has never sounded better, godammit. Like you, I really don’t give a shit about those banking apps and other shit, web browsers are more than enough in this day and age.

        • @[email protected]
          link
          fedilink
          English
          110 months ago

          I would most likely be using a phone with Ubuntu Touch on it as my daily driver if it wasn’t for the fact that the cellular carriers force me to have VoLTE support for calls, which is kind of the point for a phone! And guess the one thing Ubuntu Touch doesn’t have support for!

    • @[email protected]
      link
      fedilink
      English
      1110 months ago

      One reason would be that with an iPhone, you’re paying two to five times the price of an Android phone with comparable hardware.

      • @[email protected]
        link
        fedilink
        English
        510 months ago

        Hardware isn’t everything. Apple has a couple of advantages over iPhone that let them do more with less:

        • iOS needs to support a MUCH fewer devices than Android. Even before they switched to their own silicon, they’ve been optimizing the OS to the hardware really well giving you devices that go toe to toe with Android flagships of the same generation with SIGNIFICANTLY better hardware and like double the RAM. Also why Apple doesn’t really care to increase RAM as much as the android side of things.
        • Apple silicon is actually really good and making their own hardware allows them to optimize on both sides of the equation and lets them do more with less.

        The selling points for Android (at least the way I’ve seen it over the years) have always been full control (talking about non-root, I’d rather not go down the root rabbit hole here) and (since iPhone 11 started doing firmware blocks on parts) reparability…but both seem to be going out the window lately.

        Prices are crap though, but then again Android phones on the top end don’t seem much better. 1-2 gen old iPhones are usually a bit more reasonable though tbh.

      • @[email protected]
        link
        fedilink
        English
        110 months ago

        I do the same on android, as I have always owned a Samsung Note/Ultra. Only this year have I purchased a OnePlus phone, and I’ll never fucking do it again, I hate this phone so much. Going back to Samsung for sure once the S25 Ultra drops.

    • lemme inOP
      link
      fedilink
      English
      2010 months ago

      This is just Google’s clever way of not removing the sideloading feature from their OS.

      They let app developers to prevent users from using sideloaded app.

      This way they can avoid antitrust lawsuits.

      • @[email protected]
        link
        fedilink
        English
        210 months ago

        I have high hopes for apps like lucky patcher and Revanced manager to help us avoid this bullshit

    • @[email protected]
      link
      fedilink
      English
      910 months ago

      It’s the apps that prevent themselves being sideloaded. Presumably, their devs will enact similar policy on EU iOS too.

  • chiisana
    link
    fedilink
    English
    510 months ago

    App developers need ways to know the app has not been modified in unsanctioned manner, glad to see Android finally catching up on security with integrity checks.

    • @[email protected]
      link
      fedilink
      English
      410 months ago

      Yup, this is important for certain apps with a high security bar. Surprised at all the downvotes.

      • @[email protected]
        link
        fedilink
        English
        16
        edit-2
        10 months ago

        Slippery slope. Soon it wil be for all fucking mundane apps because they don’t want you running a modded version…which is my fucking choice to do

      • chiisana
        link
        fedilink
        English
        610 months ago

        This is Lemmy. If you’re not advocating for FOSS, or piracy to spite the corporations, you’re gonna get downvoted. I don’t care. We need better security standards whether these kids like it or not.

        • @[email protected]
          link
          fedilink
          English
          1310 months ago

          This does jack-all for security, it’s just monopolization in disguise and you’re buying into it.

        • @[email protected]
          link
          fedilink
          English
          1710 months ago

          Security by default is fine, but not if its being forced.

          If I go out of my way to root my phone or sideload an app, I have a reason for that. I’m fine with an app going “Hey! This phone is rooted / this app is not from an official source! Wait 10s before you can click ‘I understand and take full responsibikity in case of a security breach’”.

          I’m not OK with an app going “I will not work on this device because yiur environment is non-standard, period”.

      • noodle (he/him)
        link
        fedilink
        English
        1810 months ago

        certain apps with a high security bar

        like the McDonalds app, which already requires workarounds to work on rooted devices?

        • @[email protected]
          link
          fedilink
          English
          410 months ago

          You want affordable food, you WILL pay them with your data. Always on location please! Oh and precise as well, thank you.

        • @[email protected]
          link
          fedilink
          English
          310 months ago

          Of course not, sometimes it really is just corpo bs, don’t use their app if it’s such an issue for you.

      • @[email protected]
        link
        fedilink
        English
        810 months ago

        They can check their own integrity without Play services. And even then, ME AS A USER, doesn’t want the app to decide this for me.

    • Natanael
      link
      fedilink
      English
      3810 months ago

      No, this will only lead people without access to Google Play to be forced to get it from somebody who has modified the app to fake the check.

      • Praise Idleness
        link
        fedilink
        English
        510 months ago

        Which obviously sucks but also is exactly what developers want or just don’t care

      • Chozo
        link
        fedilink
        710 months ago

        If they don’t have access to Play, then the developer of that app specifically does not want to service them as a user. Developers have to enable this feature in their own apps for it to do anything. If that developer wanted to support de-Googled users, they wouldn’t enable this in the first place.

    • @[email protected]
      link
      fedilink
      English
      1710 months ago

      It’s my phone. If I’m specifically going out of my way to do that, they have no right to force me to do it their way.

    • @[email protected]
      link
      fedilink
      English
      2
      edit-2
      10 months ago

      Personally, it’s not Google’s place to dictate how an app verification ecosystem works. If a company has developed an app, they need to be the ones to make sure it’s secure in the first place, not trusting a monopolist tech company that has almost all control with how someone uses their phone.

      Google has rules yes, but Android is open-source and should be open with a free & open market for apps. After all, we paid for the device.

    • @[email protected]
      link
      fedilink
      English
      1610 months ago

      Why do you think apps should verify their integrity in the first place? In the case of banking apps or other online apps, the APIs they use should be secure in the first place so a user can’t achieve anything meaningful by modifying API calls. In the case of offline games with monetization, a hacker who makes a pirated APK will also remove the restriction so legitimate players on non standart ROMs will get screwed. In the case of messaging apps with a “delete messages” or “one time view” function ie. Whatsapp, the sender shouldn’t take that their actions will be respected by other clients because modded apps exist and Whatsapp doesn’t care if you install it on a rooted device.

      • @[email protected]
        link
        fedilink
        English
        12
        edit-2
        10 months ago

        This!

        APK signatures exist and they’re enough for making sure the file you got isn’t modified. Warning people when they use apks for stuff like banking, I get, but if they wanna take the risk, it’s on them.

        Blocking root makes no sense because I’d argue that if the person knows enough to root their phone and got past all those bricked phone/thermonuclear war warnings, the onus is on them to not get their keychain compromised by giving root to some random app. Again, a warning is fine.

        Aside from that, people need to understand: THE CLIENT IS NEVER SECURE. NO EXCEPTIONS.

        Any self respecting secure API is made under the assumption that all the calls are coming from some malicious state actor using curl until proven beyond doubt that it’s an actual user.

      • chiisana
        link
        fedilink
        English
        410 months ago

        API are secure only if you can secure the authentication details. A modified app (be it as something modified and distributed on a unsanctioned channel, or custom injected by another malicious actor/app) can easily siphon out your authentication tokens to a third party unbeknownst to you the user. However, if the app verifies it came from the approved source and have not been tempered with, then it is much easier to lean on ASLR and other OS level security to make it harder to extract the authentication info.

        Multiplayer game operators have obligation to curb modified clients so their actual paying clients have a levelled playing field. By ensuring their apps are only distributed via approved channels and unmodified by malicious players, this improves their odds at warding off cheaters creating a bad time for those that actually pay them to play fairly.

        These are just simple cases where this kind of security is beneficial. I am glad Android is finally catching up in this regard.

        • @[email protected]
          link
          fedilink
          English
          010 months ago

          be it as something modified and distributed on a unsanctioned channel

          Downloading APKs from reputable sources and signature checking can help with this one. Android will refuse to upgrade an app if APK has a different signature anyways.

          custom injected by another malicious actor/app

          If this is possible there are bigger problems.

          Multiplayer game operators have obligation to curb modified clients so their actual paying clients have a levelled playing field.

          There isn’t much I can say for that.

      • @[email protected]
        link
        fedilink
        English
        1210 months ago

        personally, i wouldn’t trust a third-party created app with my banking details. what’s more, i’ve removed all banking apps from my phone.

        i don’t need to allow access to my finances on the device which is most likely to get pinched out of everything i own. plus google and apple don’t need to know which banks have accounts of mine.

        imo that additional inconvenience to conduct all banking transactions from a browser is worth the candle.

      • Chozo
        link
        fedilink
        3810 months ago

        I’ll be real, I wouldn’t trust a banking app from any third-party storefront to begin with. That’s the sort of app I’d really want to be properly vetted and secured.

        • Maeve
          link
          fedilink
          610 months ago

          When did Google start verifying security on play?

        • @[email protected]
          link
          fedilink
          English
          6
          edit-2
          10 months ago

          But, there’s no difference in security between using a different storefront? The difference in security depends on the app itself, not where it was downloaded from.

          • Chozo
            link
            fedilink
            1210 months ago

            Assuming the app is legitimate, sure. But unless you can verify the code, yourself, then you’re having to trust that the source you download from hasn’t altered the APK in some way. That’s a pretty big risk for most people when it comes to finance apps.

            • @[email protected]
              link
              fedilink
              English
              310 months ago

              APKs are signed, you can verify the integrity of an APK. If you have a previous version of an app installed, a new version with incorrect signature won’t even install.

            • @[email protected]
              link
              fedilink
              English
              3
              edit-2
              10 months ago

              Yeah but I mean if your bank would offer their app through F-Droid as an addition to Google Play, there is no reason to assume the app suddenly got less secure because of that.

        • Cris
          link
          fedilink
          English
          1310 months ago

          If you’re using a custom de-googled rom you don’t have the play store, so this would just gut that functionality :/ same for any other app that decides they need this, which if the past is anything to go on is going to be a ton of apps that really don’t need it

        • @[email protected]
          link
          fedilink
          English
          810 months ago

          The features you miss out on would be direct deposit from checks and app notifications (usually there are a few that you want enabled but are only available through the app).

          • @[email protected]
            link
            fedilink
            English
            510 months ago

            Most banks I’ve used allow SMS notifications for things like deposits and purchases.

            The check things is true but I need to use it like less than once a year so eh.

    • @[email protected]
      link
      fedilink
      English
      510 months ago

      I already have to do this. My office wants everyone to use the MS authenticator app, won’t run on LineageOS. Even if it did, I wouldn’t install it, but still.

      Ended up making them purchase a hardware security key for me instead.

  • @[email protected]
    link
    fedilink
    English
    210 months ago

    I’m pretty new to this sort of stuff. I was planning to buy Google Pixel 8 sometime in November when they usually have sales. And install GrapheneOS. I never used this type of stuff before.

    So will I have some trouble installing some stuff like some of mobile games, banking app, emails, etc? I’m in Canada if this help.