• Pxtl
    link
    fedilink
    English
    arrow-up
    41
    arrow-down
    3
    ·
    7 months ago

    As somebody who occasionally had to develop for android: the churn of improvements to app security was a huge pita. And as a user I know many of the abandoned apps that I liked that lost compatibility was for that reason.

    So the fact that in spite of this pain, Android security still allows apps to do horrible crap like that is infuriating.

    • efstajas@lemmy.world
      link
      fedilink
      English
      arrow-up
      22
      ·
      7 months ago

      If you read the original report, it says that it basically just displays a fake banking login page. It also says that it requested accessibility service permissions, which makes me think maybe it brought up the fake login pages “in the right moment” (as in as users opened their banking apps) to make it more convincing, even though the article doesn’t specify that.

      Either way, IMO the problem here is clearly with the Play Store allowing this app in, and not with Android’s security itself. These apps are misusing the accessibility service system, which is obviously necessary for a ton of important use cases (and of course also requires the user to grant very explicit permission). The fact that the accessibility services are a thing doesn’t delegitimize Android’s security improvements over the years.

      • ji17br@lemmy.ml
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        7 months ago

        If a user can open their baking app, and this app can sense that and open instead, then that is 100% an Android issue. That behaviour shouldn’t be possible.

        • Liz@midwest.social
          link
          fedilink
          English
          arrow-up
          7
          ·
          7 months ago

          “Accessibility service permissions” is a higher level of permissions than most apps get and Android will be all like “bro, are you sure you want to grant this app that kind of access and control? You really sure?” I’ve got a few apps on my phone with that level of permissions including one written by Google. They’d simply be unable to do their job without that level of access, jobs which have been straight-up good for my physical health. Ultimately there’s a balance between security and letting the user do what they want.

    • atrielienz@lemmy.world
      link
      fedilink
      English
      arrow-up
      11
      arrow-down
      3
      ·
      7 months ago

      The app doesn’t contain malware when it’s uploaded to the play store. It forced an update after it’s installed that contains the malware.

      • Pxtl
        link
        fedilink
        English
        arrow-up
        9
        ·
        7 months ago

        That’s not what I mean. I’m not thinking about Play Store security, but Android OS security. Like, your app physically has to ask for permission (or even require the user manually change settings) to do most unsafe things.

      • werefreeatlast@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        5
        ·
        7 months ago

        So I could write an app that is okay on the Google store, then change it to steal people’s information? Hmmm 🤔 that gives me an idea…hahh! Too many projects at the moment.

    • dev_null@lemmy.ml
      link
      fedilink
      English
      arrow-up
      4
      ·
      7 months ago

      According to the report, the app just displays a fake login page. I don’t see a good way to prevent this.