The point was surely more that apps being exploited via the Play Store can be mitigated there without client OS updates. The only hole here requiring the update needs a sideloaded attack.

▲

array_key_first 11 hours ago | parent [-]

Except the Play Store is a hot mess, and Google does little to no review of apps. Trusted repositories work best when the repository maintainers build and read the code themselves, like on f-droid or Debian. What Google and Apple are doing with their respective stores is security theater. I would not be surprised if they don't even run the app.

	▲	ajross 10 hours ago \| parent [-]
		Again though, that's mixing things up. The question is whether or not mitigating the exploit requires an OS patch be applied promptly. And it seems like it doesn't. If there is a live exploit in the wild (as seems to be contended), then clearly the solution is to blacklist the app (if it exists on the store, which is not attested) and pull it off the store. And that will work regardless of whether or not Samsung got an update out. Nor does it require an "audit" process in the store, the security people get to short circuit that stuff.