←back to thread

Is it possible to allow sideloading and keep users safe?

(shkspr.mobi)
205 points ColinWright | 1 comments | 30 Aug 25 12:03 UTC | HN request time: 0s | source
Show context
m463 ◴[31 Aug 25 05:39 UTC] No.45080628[source]
"sideloading" connotates something that is negative.

On systems before apple's locked-down iphone, it was just called "installing".

The PC revolution started with people just inserting their software into the comptuer and running it. You didn't have to ask the computer manufacturer or the OS vendor permission to do it.

And note that apple doesn't allow you to protect yourself. You cannot install a firewall and block arbitrary software on your phone. For example, you can not block apple telemetry.

replies(8): >>45080727 #>>45080995 #>>45081451 #>>45082064 #>>45082687 #>>45083125 #>>45088266 #>>45100572 #
scarface_74 ◴[31 Aug 25 10:29 UTC] No.45082064[source]
Yes and called viruses, dozens of toolbars on your computer, key loggers, malware, ransomware, etc.

If you want an open phone, buy one. But I instruct all of the older members of my family to buy iPhones and iPads.

I’ve been programming computers since 1986 and even I have never said it would be cool to side load on my phone.

replies(5): >>45082094 #>>45082096 #>>45082129 #>>45082306 #>>45083459 #
andrepd ◴[31 Aug 25 10:35 UTC] No.45082094[source]
> If you want an open phone, buy one.

Is this a joke? The reason for TFA is precisely that this is quickly becoming impossible as Google closes down Android. It's already viciously impractical to install a privacy respecting OS like Lineage or Graphene, and now they're coming for the very possibility of installing software.

replies(1): >>45084344 #
scarface_74 ◴[31 Aug 25 16:19 UTC] No.45084344{3}[source]
Is viciously impractical yet people on HN brag about doing it all the time?
replies(1): >>45085997 #
SXX ◴[31 Aug 25 19:02 UTC] No.45085997{4}[source]
5 years ago you could install custom rom and still use 99% of apps with it. Now with Google "safety" and "certification" features you won't be able to use most of financial apps and a lot of non financial apps too.

Obviously there no way on earth Google will allow you to decide whatever device you own is "safe". There is still ways to bypass it using kernel hacks, but it's both cat and mouse game and often not very trustworthy since a lot of software used to bypass safetynet is proprietary.

So yep, using custom OS on your phone is impractical because Google made it so.

replies(1): >>45086507 #
scarface_74 ◴[31 Aug 25 19:56 UTC] No.45086507{5}[source]
And people keep saying this - what financial services companies are inaccessible via a web browser? And if they do exist, why do you choose such a bank?

I’ve heard people say Monzo in the UK. But there are plenty of banks in the UK you can choose from in the UK that have websites

replies(2): >>45087721 #>>45089823 #
rstuart4133 ◴[31 Aug 25 22:38 UTC] No.45087721{6}[source]
> And people keep saying this - what financial services companies are inaccessible via a web browser?

You've already quoted one example so you know which was the trend is going, but since you asked here is another. New bank accounts handed our by https://boq.com.au/ can only be accessed from a phone, or via the web.

I started banking with them a long time ago. All accounts open back then have net banking, but no app. They've recently changed. New bank accounts can be accessed via an app, but web interface. I think this is a good thing in general. Insisting you do transactions using your phone or in a branch is far more secure that allowing payments via the web, or card.

As fraud continues to increase I suspect most payment systems will go that way. I would not be surprised if the bulk of non-cash payments on the planet are already done by phone: https://theconversation.com/no-more-card-charges-how-austral...

replies(1): >>45088180 #
scarface_74 ◴[31 Aug 25 23:55 UTC] No.45088180{7}[source]
Then choose another bank f not using apps is imprtant to you. I mean you have agency. Are you saying there are no banks in Australia that you can do without an app?
replies(1): >>45097371 #
1. rstuart4133 ◴[01 Sep 25 23:01 UTC] No.45097371{8}[source]
I was answering this question from you, not asking for advice:

> what financial services companies are inaccessible via a web browser?

Yes the fix is obvious if it was a problem. I thought I made it clear I think it is a net increase in security, and so isn't a problem, for me anyway. Even if it was a problem, your throw away suggestion of "just move to another bank" is not so easy if you've borrowed money from the bank.

None of this has anything to do with topic being discussed - which is should Google allow side loading of unsigned apps. You seem to be positively enthusiastic about handing the keys to your life and assets to Google and / or Apple. The comments you see here are from people who aren't so sanguine about it. You look to be dismissive of their concerns. I would be too, if I thought if what they are doing yielded a big increase in security.

The OS should be so secure loading any app, signed or not, malicious or not, is mostly harmless. That is true for iOS and Android. You can always uninstall an app, and you have to give it additional permissions to access your data. I don't know if an app can attest it was downloaded from the web store so organisations like banks can be sure they are talking so software they issued. If it isn't, that's a security hole that should be closed.

Unlike adding attestation, sideloading apps doesn't look to be a security hole that needs fixing to me. I'm doubt it provides much additional security. I've personally had to fix phones whose apps went rogue after a spammers bought the developer licence from an abandoned app. Worse, the app still had the permissions granted to the original.

This new requirement does create barriers. I use apps from F-Droid. They typically have no ads, and they do what they say on the box. Security in the long term is higher than a Google store app because the source is available, and F-Droid uses reproducible builds. But I would not be surprised to find some open source app developers that aren't as keen as you are to hand over their private data to Google in order to get their keys signed, so there will be less F-Droid apps. If that happens, this new requirement would lead to a net reduction in security for me.