xnx 13 hours ago

> some apps (e.g., banking apps) will refuse to operate and such when developer mode is on

JFC. Why would an app be allowed to know this? Just another datapoint for fingerprinting.

nijave 11 hours ago | parent | next [-]

It's always boggled my mind what native apps are allowed to know versus the same thing running in a browser on the same device.

tadfisher 13 hours ago | parent | prev | next [-]

Yes, it is really dumb that some of these settings are exposed to all apps with no permission gating [0]. But it will likely always be possible to fingerprint based on enabled developer options because there are preferences which can only be enabled via the developer options UI and (arguably) need to be visible to apps.

0: https://developer.android.com/reference/android/provider/Set...

zzo38computer 9 hours ago | parent [-]

What might help better is having permissions that you can set separate settings that can be read for different apps (including the possibility to return errors instead of the actual values); even if they can be read by default, you can also change them per app. (This has other benefits as well, including the possibility of some settings not working properly due to a bug; you can then work around it.)

ninininino 12 hours ago | parent | prev [-]

Because estimates suggest Americans lose about $119 billion annually to financial scams, which is a not insignificant fraction of our entire military budget, or more than 5% of annual social security expenditures.

tadfisher 10 hours ago | parent | next [-]

Banks do these things to check security boxes, not to prevent scams.

In this case, they don't want users to reverse-engineer their app or look at logs that might inadvertently leak information about how to reverse-engineer their app. It is pointless, I know, but some security consultant has created a checkbox which must be checked at all costs.

Zak 8 hours ago | parent | prev | next [-]

What do scams have to do with having developer options enabled?

This isn't a rhetorical question. There's no big red warning on the developer options screen saying it's dangerous. I haven't heard about real-world attacks leveraging developer settings. I suppose granting USB debug to an infected PC is dangerous, but if you're in that situation, you're already pwned.

Is there a real vulnerability nobody talks about?

ninininino 7 hours ago | parent [-]

Android is attempting to discourage good / regular users from sideloading apps, rooting their phone, etc.

Android wants good / regular users to pass things like Play Integrity with the strongest verdicts.

This helps app distributors to separate regular good users from custom clients, API scripting etc that is often used to coordinate scamming, create bots, etc. If an app developer can just toss anyone who doesn't pass Play Integrity checks in the trash, they can increase friction for malicious developers.

Zak 7 hours ago | parent [-]

Play Integrity and developer options are entirely separate as far as I know.

prmoustache 10 hours ago | parent | prev | next [-]

That is unrelated to apps installed outside of the Play Store (which by the way is full of malware).

It is like mandating that people use rain jackets in the rain to avoid getting cancer.

nijave 11 hours ago | parent | prev | next [-]

So put a disclaimer in... Same way tons of other stuff works...

warkdarrior 11 hours ago | parent [-]

Nobody reads disclaimers, and people who get scammed and lose their life savings won't be made whole by being told "you accepted the disclaimer, nothing we can do."

10 hours ago | parent [-]
[deleted]
wolvoleo 12 hours ago | parent | prev [-]

[flagged]

int0x29 12 hours ago | parent [-]

Most of the victims were last in school in the 1960s when all this stuff didn't exist. Also, from experience, teaching people with dementia or memory issues is kinda challenging as they just forget.

acrophiliac 11 hours ago | parent [-]

I wonder if you might be relying on a stereotype of victims. Here's some recent data: "The 2024 FTC Consumer Sentinel Network reported that 44% of all 20-somethings claimed losses in 2023". More data here: https://www.synovus.com/personal/resource-center/fraud-preve...

greenchair 11 hours ago | parent [-]

That's what I would expect too - old and young.