fidotron 3 days ago
A key question here is if installation of Google Apps can fail verification if the device is offline, or if they have some magic local public key chain of pre-authed all OK keys. DEVELOPER_VERIFICATION_FAILED_REASON_DEVELOPER_BLOCKED is very clearly the purpose of the whole thing. Presumably this one can be triggered on an already installed app - a key question being how that triggering occurs. i.e. will the Play Store act to push out details of developers that are now blocked so devices can act on it?
bri3d 3 days ago
> Presumably this one can be triggered on an already installed app - a key question being how that triggering occurs. i.e. will the Play Store act to push out details of developers that are now blocked so devices can act on it?

Your "presumably" is doing a _lot_ of work; these strings are from the PackageInstaller, and go along with all of the other reasons you can't install an APK. Historically, apps that were pulled from the Play Store and developer accounts revoked due to malware do _not_ affect apps on the end-user device, and there's no current sign of this changing with this specific project. Google have generally achieved this goal using Play Protect, the separate app/service which _can_ download revocation lists and signal end-users to delete malicious apps, and there's no indication this will change.
jeroenhd 3 days ago
Android has a bunch of special signing keys (vendor, Google, that kind of thing) that get special treatment. I assume the same will apply here. I don't have much of a problem with developers getting blocked; blocking malware shops is the entire point. Installations failing because of a network problem is different, though. The Android ecosystem can trivially leverage the existing app certificates + occasionally updated CRLs to verify app developers. Android needing to call to the net before installing an APK seems over the top.
charcircuit 3 days ago
It will work the same way Play Protect does for blocking installation of malware. I don't think it will trigger on already installed apps, as I think package verifiers require an actual update to the apk before they will trigger.