It’s no secret that Google really doesn’t like it that people are installing Android applications from any other source than the Play Store. Last year they proposed locking everyone into their official software repository by requiring all apps to be signed by verified developers, an identity which would be checked against a Google-maintained list. After a lot of pushback a so-called ‘advanced flow’ for installing even unsigned APKs would be implemented, and we now know how this process is supposed to work.
Instead of the old ‘allow installing from unknown sources’ toggle, you are now going to have to dig deep into the Developer Options, to tap theAllow Unverified Packagessetting and confirm that nobody is forcing you to do this. This starts a ‘security delay’ of twenty-four hours after you restart the device, following which you can finally enable the setting either temporarily or permanently. It would seem these measures are in place to make it more difficult for a scammer to coerce a user into installing a malicious app — whether or not that’s a realistic concern or not, we’re not sure.
...read more at hackaday.com
pull down to refresh
related posts
do you think as long as developers can develop apps, there will still be a way? Or could the door close completely one day?
On Apple that door has closed. Even devs can't install apps to their own phone permanently: the apps are deleted every two weeks. And if Apple catches you repeatedly using your dev account to compile and install other dev's apps they can and sometimes do cancel your dev account.
The door might close, no doubt about it.
I’m processed already
There is also a practical problem here. The people who get socially engineered into installing malware are usually not the same people who know how to dig into Developer Options in the first place. Meanwhile the users who rely on sideloading as part of their workflow alternative app stores betas region locked apps or open source tools are exactly the ones who will feel this pain constantly. You are effectively raising the cost of an already legitimate use case to maybe slightly inconvenience attackers.
The other concern is precedent. Once the norm becomes that sideloading is possible only through an advanced flow timed lockouts and central verification lists it is much easier to justify the next restriction. At that point regulators antitrust authorities and even enterprise customers should start paying close attention because this looks a lot like soft enforcement of a closed ecosystem while still being able to claim technical openness.
A healthier approach would be layered security rather than gated access. Clear and honest warnings up front permission scopes that are actually understandable and behavior based malware detection on device and in the cloud can all make users safer without turning sideloading into an obstacle course. Let people opt into power user features without making them feel like they are breaking parole.