Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
cesarb 4 hours ago

> Why should apps have access to a user's SMS / RCS?

It could be an alternative SMS app like TextSecure. One of the best features of Android is that even built-in default applications like the keyboard, browser, launcher, etc can be replaced by alternative implementations.

It could also be a SMS backup application (which can also be used to transfer the whole SMS history to a new phone).

Or it could be something like KDE Connect making SMS notifications show up on the user's computer.

thisislife2 3 hours ago | parent [-]

That's all indeed valid.

> One of the best features of Android is that even built-in default applications like the keyboard, browser, launcher, etc can be replaced by alternative implementations.

When sideloading is barred all that can easily change. If you are forced to install everything from the Google Play Store, Google can easily bar such things, again in the name of "security" - alternate keyboards can steal your password, alternate browsers can have adware / malware, alternate launcher can do many naughty things etc. etc.

And note that if indeed giving apps access to SMS / RCS data is really such a desirable feature, Google could have introduced gate-keeping on that to make it more secure, rather than gate-keeping sideloading. For example, their current proposal says that they will allow sideloading with special Google Accounts. Instead of that, why not make it so that an app can access SMS / RCS only when that option is allowed when you have a special Google Account?

The point is that they want to avoid adding any barriers where a user's private data can't be easily accessed.

AnthonyMouse 2 hours ago | parent | next [-]

> Instead of that, why not make it so that an app can access SMS / RCS only when that option is allowed when you have a special Google Account?

Because then you still need a special Google Account to install your app when it needs to access SMS / RCS.

How about solving this problem in a way that doesn't involve Google rather than the owner of the device making decisions about what they can do with it? Like don't let the app request certain permissions by default, instead require the user to manually go into settings to turn them on, but if they do then it's still possible. Meanwhile apps that are installed from an app store can request that permission when the store allows it, so then users have an easy way to install apps like that, but in that case the app has been approved by Google or F-Droid etc. And the "be an app store" permission works the same way, so you have to do it once when you install F-Droid but then it can set those permissions the same as Google Play.

It's not Google's job to say no for you. It's only their job to make sure you know what you're saying yes to when you make the decision yourself.

OptionX an hour ago | parent | prev [-]

It'd just devolve into security whack a mole about what permissions need those special account or not, ending with basically all of them making it the same as just needing dev verification anyway for anything remotely useful.

And despite that, you assuming that dev verification means no malware. The Play Store requires developers to register with the same verification measures we're talkingand malware is hardly unheard of there.