notepad0x90 3 hours ago
This is the worst of both worlds: you can spread your malware as a sideloaded apk just fine, but when it's so big that you're probably burned anyways, then you need to verify your account.

I think a better compromise would have been for Google to require developer verification, but also allow third party appstores like f-droid that don't require verification but still are required to "sign" the apks, instead of users enabling wide-open apk sideloading. That way, hobbyists can still publish apps in third party stores, and it is a couple more steps harder for users to fall for social engineering, because they now have to install/enable f-droid, and then find the right malicious app and download it. The apk downloaded straight from the malicious site won't be loaded no matter what.

Google can then require highlighting things like number of downloads and developer reputation by 3rd party appstores, and maybe even require an inconsistent set of steps to search and find apps to make it harder to social engineer people (like names of buttons, UX arrangements, number of clicks, etc.; randomize it all).

What frustrated me on this topic from the beginning is that solutions like what I'm proposing (and better ones) are possible. But the HN prevailing sentiment (and elsewhere) is pitchforks and torches. OK, disagree with Google, but let's discuss how to solve the Android malware problem that is hurting real people; it is irresponsible to do otherwise.
flakiness an hour ago
It's not super clear from the post, but if I read it correctly there are two modifications suggested.
What you describe as "worst of both worlds" is about point 1.
I'm not sure point 2 is powerful enough to support things like f-droid, but again, we'll see.
lern_too_spel 2 hours ago
> Google can then require highlighting things like number of downloads and developer reputation by 3rd party appstores

F-droid doesn't want to track number of installs because that is an invasion of privacy.

> require developer verification, but also allow third party appstores like f-droid that don't require verification

Now you've moved the problem from Google gatekeeping apps to Google gatekeeping app stores. We don't want either.