#ArsTechnica just posted a pointer to a bit of related data:
"Google hasn't published detailed stats about the dangers of sideloading in a while, but in 2018, it used to publish yearly security reports with statistics on malware installation sources. Back then, Google found that 0.04 percent of all downloads from the Google Play Store were "PHAs" (potentially harmful apps), while sources "Outside of Google Play" had a 0.92 percent PHA install rate."
For example, the biggest #mobile #malware incident that I know about remains #XCodeGhost https://en.wikipedia.org/wiki/XcodeGhost, which got into over 4000 apps, all of which passed #Apple's review and were shipped by the Apple App Store. All told, those apps were installed 128 million times. Another measure is #NSOGroup #Pegasus, which seems to have maintained zero-click access to #Android and #iOS for years. That is spread by exploiting messenger apps, not by the #AppStore or "sideloading". 3/
Google and Apple provide data about the malware they catch in their app store review processes. Both of them talk about "sideloading" as a security risk. Notably, neither Apple nor Google provides data on how much malware comes from outside of their app stores. Nor do they provide data-based analysis of which is the bigger threat: malware that makes it into their app stores, or malware from other channels. They have this data: they track installs and active apps, plus there is #PlayProtect, #XProtect, etc. 2/
While all software has security issues, the irresponsible behavior of Microsoft shows why anti-trust action is needed to reduce the stranglehold the big tech firms have over the cloud computing market. Without external pressure, companies tend to hide rather than fix problems. https://arstechnica.com/security/2023/08/microsoft-cloud-security-blasted-for-its-culture-of-toxic-obfuscation/ #security #bigtech #oversight
In my work with #FDroid I've discussed our work with gov regulators for South Africa, UK, EU and Japan as well as competition litigators from multiple US States and the EU. From this, I'm starting to see a picture of #Apple's and #Google's semi-related strategies of making "sideloading" (installing apps outside of their #gatekeeper control) look bad as a way to keep their monopolies in the face of #DMA and other regulatory actions. I'm still looking for data about the actual real world risks 1/
@MishaalRahman This severely worries me, especially because we are as we speak on day 4 of KDE Connect being uninstalled for F-Droid users due to a false positive in Google Play Protect with no response from Google whatsoever: https://www.golem.de/news/play-protect-google-entfernt-kde-app-aus-f-droid-von-android-smartphones-2310-178521.html (German article, but links to an English Reddit thread)
While I believe this feature is well intended, I do not believe Google Play Protect and *especially* Google support are mature enough to do this without significant damage to legitimate apps.
WTF Google Play?
You're drunk, #PlayProtect. Go home!
"Harmful app removed. #KDEConnect. The app is fake. It can steal your personal data, such as banking info and passwords."
When organizations that use #Debian maintain the packages they use in Debian, the whole ecosystem gains. The more organizations that do that, the more efficient the whole ecosystem becomes for all users. Here's a recent example from #FDroid:
https://f-droid.org/2023/10/10/f-droid-maintains-in-debian.html
I'm a Debian Developer, and I'm happy to help get organizations working in this way. Reach out if you're interested!
"#Apple may be exaggerating a bit here. It wants to provide a safe experience, but in 2022 the company still removed 186,195 apps that had been previously approved. So its review process has some gaps."
https://www.theregister.com/2023/10/09/apple_app_store/
I hope the #EU will keep the pressure on #DMA #gatekeepers like #Apple and give #FreeSoftware app stores the opportunity to compete with Apple by providing more trustworthy reviews that include reviewing the source code.
🌍 Unsurprisingly, neocolonizers #Google, #Facebook, #Microsoft, and #Amazon are rushing to control connectivity and infrastructure across #Africa.
💰 #DigitalSovereignty for Africa? Not likely anytime soon: We can't even escape them in the US or Europe given their corrupt regulatory capture.
A #Bitcoin hardware maker is laying off staff! That is great news; it is a clear sign that people are pulling back from Bitcoin. And they couldn't pivot to #AI, so perhaps that is another good sign.
https://www.theregister.com/2023/10/10/bitmain_furloughs_report/
It would help if people showed their interest in the issues there. It can be just a 👍 or, even better, a post about your use cases.
Perhaps the most difficult case ever for #Debian packagers: #Gradle They do all the things that make packaging a nightmare:
* Build the tool with itself
* Circular dependencies: Gradle needs #Kotlin to build which needs Gradle to build...
* Depend on snapshots to build releases, but then they don't keep a way to reproduce the snapshot releases https://github.com/gradle/gradle/issues/26516
* Java-style bundling of all dependencies
* Hidden proprietary depends https://github.com/gradle/gradle/issues/16439
Thanks, ebourg, for keeping on!
Empathy in open source: be gentle with each other · baby steps
"#Empathy is not about being nice or making the other person feel good or even feel better. Being empathetic means understanding what the other person feels and then showing them that you understand.
Understanding what the other person feels doesn’t mean you have to feel the same way. It also doesn’t mean you have to agree with them, or feel that they are “justified” in those feelings."
https://smallcultfollowing.com/babysteps/blog/2023/09/27/empathy-in-open-source/
UX designers who eliminated the filesystem from user consciousness in the name of simplicity ruined the world and are morally culpable for shriveling the minds of children who are unable to tackle the challenges of today, thanks to a choice sold as advocacy for the user but ultimately motivated by control of a disempowered customer.
"This bug also shows that we have an over-reliance on #fuzzing for security assurance of complex parser code. Fuzzing is great, but we know that there are many serious security issues that aren't easy to fuzz. For sensitive attack surfaces like image decoding (zero-click remote #exploit attack surface), there needs to 1) be a bigger investment in proactive source code reviews, and 2) a renewed focus on ensuring these parsers are adequately sandboxed." https://blog.isosceles.com/the-webp-0day/ #libwebp #WebP
The #WebP #security vulnerability CVE-2023-4863 demonstrates a huge advantage of the "distro" approach of shipping software, which #Debian pushes so hard to deliver. We see a mad scramble among many software vendors to ship with the patched version of #libwebp. In the distro model, the patch is shipped in the single lib package, and then all of the software automatically uses the safe version. This leads to shorter times to get fixes to users with much less work overall.
I just read this op-ed about the intelligence of #LLM #AI (it's 6 months old). It is the best piece I've read so far that demonstrates how things like #ChatGPT can bring in "banality of evil" amoral decision making where humans would be troubled by the moral issues in the situation.
https://www.nytimes.com/2023/03/08/opinion/noam-chomsky-chatgpt-ai.html
I'd LOVE more serious journalists digging into the recent proliferation/funding of these advocacy orgs, who use stirring tales of harm to push for surveillance, without engaging with the people/orgs who do front line service work for victims (and who generally reject these narratives).