-
GeniusMusing (geniusmusing@nu.federati.net)'s status on Sunday, 24-Jun-2018 20:38:57 UTC GeniusMusing Google is Adding Anti-Tampering DRM To Android Apps in the Play Store Slashdot
https://nu.federati.net/url/145914
Google has introduced a small change to Play Store apps that could significantly protect several Android users. From a report:
Earlier this week, Google quietly rolled out a feature that adds a string of metadata to all APK files (that's the file type for Android apps) when they are signed by the developer. You can't install an application that hasn't been signed during its final build, so that means that all apps built using the latest APK Signature Scheme will have a nice little chunk of DRM built into them. And eventually, your phone will run a version of Android that won't be able to install apps without it.
Where is my Linux phone?
I'm still waiting...
-
GeniusMusing (geniusmusing@nu.federati.net)'s status on Sunday, 24-Jun-2018 20:42:47 UTC GeniusMusing On the plus side, I guess, my phone just upgraded to April 1 release of Android 8 so I can keep installing what I want for now. Hoping my next phone will not be Android. -
Mr. Matt (matt@linuxrocks.online)'s status on Sunday, 24-Jun-2018 21:24:28 UTC Mr. Matt @geniusmusing hey @Purism how bout helping this guy out?
-
GeniusMusing (geniusmusing@nu.federati.net)'s status on Sunday, 24-Jun-2018 21:38:06 UTC GeniusMusing Maybe I can hold out till January...
It is cool they are on non-mainstream social media. -
vurpo (vurpo@mstdn.io)'s status on Sunday, 24-Jun-2018 21:40:33 UTC vurpo @geniusmusing How is signing your packages equivalent to DRM? I wouldn't want to install unsigned packages on any of my devices...
The developer is free to just create a key on their machine (no Google involved) and sign their package with it, as long as they sign all later versions of the same package with the same key (to prevent anyone replacing a non-malicious package with a new malicious version). Honestly I wish this feature was on the other operating systems I use too.
-
GeniusMusing (geniusmusing@nu.federati.net)'s status on Sunday, 24-Jun-2018 22:14:43 UTC GeniusMusing @vurpo
>The developer is free to just create a key on their machine (no Google involved) and sign their package with it
Android Developers Blog: Google Play security metadata and offline app distribution
https://android-developers.googleblog.com/2018/06/google-play-security-metadata-and.html
>In December last year we announced that we would be making updates to app security to help verify product authenticity from Google Play. We are now adding a small amount of security metadata on top of APKs to verify that the APK was distributed by Google Play.
If only apps from Play are allowed to be installed, it is DRM. I also want signed apps but I would like to get them from sources other than Play.
Will F-Droid no longer be an option?
What if I write an app, can I only release it on Play if it is to be used? -
vurpo (vurpo@mstdn.io)'s status on Sunday, 24-Jun-2018 23:28:09 UTC vurpo @geniusmusing I'm not seeing anything like that in here. As far as I can tell, they want to verify the integrity of apps installed from the Play Store, i.e. if you install an app from the Play Store then they will be able to verify offline that the APK was distributed from Google Play and not anywhere else.
It doesn't say anything about disallowing other ways to distribute apps. In fact, it explicitly says in the blog post that this only applies to apps distributed through Google Play.
-
GeniusMusing (geniusmusing@nu.federati.net)'s status on Sunday, 24-Jun-2018 23:58:20 UTC GeniusMusing @vurpo Time will tell, sometimes I read too much between the lines, sometimes it is correct.
Remember what Google's motto used to be?
Don't be evil - 2000 - 2018 RIP -
neil 🍄 (neil@social.coop)'s status on Monday, 25-Jun-2018 10:43:35 UTC neil 🍄 @geniusmusing Will this affect F-Droid? (Which builds apps from source if I understand correctly.)
cc @fdroidorg ?
-
GeniusMusing (geniusmusing@nu.federati.net)'s status on Monday, 25-Jun-2018 11:31:42 UTC GeniusMusing @neil as of Android 8.0 (the current I have) you have to enable F-Droid to install apps and it still works. -
vurpo (vurpo@mstdn.io)'s status on Monday, 25-Jun-2018 13:13:05 UTC vurpo @geniusmusing that stopped being their motto and became part of their Code of Conduct instead in 2015, and in 2018 they only moved it from the beginning to the end of the CoC 🤔
(also in 2015, Alphabet took "Do the right thing" as their motto)
-
F-Droid (fdroidorg@mastodon.technology)'s status on Monday, 25-Jun-2018 15:47:10 UTC F-Droid @neil @geniusmusing The linked article is unfortunately very light on details. I still have no idea if this does have any impact on #fdroid.
-
Federated Republic of Sean (freakazoid@retro.social@retro.social)'s status on Monday, 25-Jun-2018 16:18:04 UTC Federated Republic of Sean @neil @geniusmusing @fdroidorg The real problem with Android is that its entire security model relies on trust of Google and individual developers. Google makes people jump through an extra hoop to install software they haven't vetted (as opposed to Apple with whom it's simply impossible without jailbreaking) but then they still host a ton of malware and useless junk in their store. And the purveyors of malware can just get around it by buying reputable developer accounts.
-
Find us on Librem One (purism@mastodon.social)'s status on Monday, 25-Jun-2018 17:01:45 UTC Find us on Librem One We're building it! https://puri.sm/products/
Thanks Mr. Matt! :)
-
GeniusMusing (geniusmusing@nu.federati.net)'s status on Monday, 25-Jun-2018 17:53:15 UTC GeniusMusing @fdroidorg @neil If history is any indicator just because the app comes from Play does not mean it cannot be malicious, spyware or just a knock off app that infects your phone. If they continue to allow apps like F-Droid to install apps I would be ok with that. Maybe it is me looking at the worst possible scenario. -
you b you 😧 I'll b me (b@freeradical.zone)'s status on Saturday, 07-Jul-2018 12:34:58 UTC you b you 😧 I'll b me yes, create more soft pirates
Google likely doing this to PROTECT malware developers: 100% of adware IS malware