I use an open source SPAM call blocker (Yet another call blocker), which works fairly OK by querying a local spam phone number database.
Recently Google Play decided to display a permanent notification prompting me to uninstall that "dangerous" app because it could "damage" my device. It's impossible to disable this notification.
This app hasn't been updated in years. It has no ads. The only network request it makes is a GET to update the local DB.
My theory is that Google has decided to take into account generated revenue in their risk assessment algorithm. That would explain why FOSS apps are getting the axe while the dodgy commercial call blockers that upload your call history to their servers are still up.
It has a pretty bad set of permissions, which are necessary for it to function, but still scary for Google algorithms. Google doesn't know that its GET request doesn't get orders from a botnet and leak sensitive data the app has access to.
Also, if the app hasn't been updated for years, chances are that it targets an outdated version of Android, which works, but is considered suspicious by Google as it is also a way to bypass some security checks in recent Android versions.
There are probably many other criteria but I think these are the most likely.
Not saying it is a good thing, but it explains the reasoning. I wish Google did human reviews and not rely that much on their bots, but then that's what Apple does, and it is even more locked down. Maybe try F-Droid, it is an alternative app store dedicated to open source.
And yet the only reason Google won't add internet access as a revocable permission is their ad business.
Chrome constantly scans your hard drive in a way you can't easily turn off, and it's not for your safety: it's for the safety of their ad business to try to catch malware that engages in click fraud. If you have media or backup drives it just constantly adds wear to them.
Is this true? Chrome is open source so someone should be able to point out the code that is doing that. What is the source of this info if not the code?
https://blog.google/products/chrome/cleaner-safer-web-chrome...
https://www.google.com/chrome/privacy/whitepaper.html#unwant...
This is interesting, I didn't know Chrome did this. But it doesn't back up the claim that "[i]f you have media or backup drives [Chrome] just constantly adds wear to them." Does anyone have anything on that?
As pointed out above, Chrome no longer does this... but adding wear is a natural consequence of any hard drive scanning process. SSDs are rated for a certain number of read/write cycles, and every time a block is read, it adds wear.
Even spinning rust wears out eventually. Not knowing any details about how often Chrome did this, it is hard to say just how significant this wear would be compared to other normal uses of the media. But it is clear that wear would occur to some degree.
Right, I understand about wear, but my point is that the behavior described in the links doesn't indicate that Chrome was scanning backup or media drives - only things like the registry, files directly related to Chrome, etc. If I have a drive with a bunch of random files on it, Chrome wasn't scanning those, was it?
I only found out about it from noise from my media/backup HDDs; it was grinding them constantly when idle. Chrome and Windows were on SSD.
Wow. Thanks for the info. Glad that feature has been removed...
Only write cycles cause wear, read cycles don't cause any meaningful wear.
Thank you for clarifying that! I should have known that. So perhaps it wouldn't cause any meaningful drive wear, if the system didn't do a lot of writes. Still consumes CPU and power, though.
Yeah, I mentioned media/backup drives since those are usually HDD rather than SSD. I didn't realize Chrome had stopped doing it now though. To disable it was a crazy number of steps with admin permissions.
Not only does it add wear, it slows down other processes. People notice this after OS updates where the system re-indexes the volume after the update completes. It's also why most indexing processes do it late night or while the system is idle. For an app like a browser to do it is just rude.
It no longer exists.
https://security.googleblog.com/2023/03/thank-you-and-goodby...
Glad to hear it. Interesting that the latest privacy whitepaper still includes the section on it.
I second this. This is a very strong accusation to have no proof.
Linked above, they apparently removed it last March but it was there for years and years.
Chromium is open source, Google adds some secret magic sauce to make Chrome.
Anecdotally, Chrome used to pin my hard drive at 100% usage until I killed a process called "software_reporter_tool.exe." I still have a version of the binary located at "%localappdata%\Google\Chrome\User Data\SwReporter\107.294.200" last modified 2022-11-02.
Chrome isn't open source.
When I realized that Microsoft Defender sends sample files for further inspection without keeping a history of the files I opted to just install Linux and move on. This alone gives me more reason to just only use Firefox exclusively like I always have been.
I don't know, but Chromium is the base of Chrome. Does Google release Chrome in an open way?
Can't they (at least in principle) apply whatever patches they want before build and release?
Check out the Aurora store, it's a drop-in replacement for the play store without the Google nonsense.
I started using it after Google refused to let me install watch faces, because the apps hadn't been updated for foldable phones.
fdroid is ok too
F-Droid should be the default repository for safe, unobtrusive, respecting applications with your best interest in mind
I would even go so far (as I recently said on Mastodon) that nowadays using Aurora over the Google Play Store is safer since it doesn't display ads for other apps just above the search results for the app one is looking for. If one isn't paying attention or running on autopilot (it happens) one might click on the ad and install some malware.
I completely agree. There are some serious dark patterns in the play store where scammers can buy top billing over the item you searched for, pushing the real app below the fold.
Google even allows this for banking apps.
Aurora Store is a different app, but it shows the same repo managed by Google.
If an app has been removed from the “Play Store”, that means it's been removed from the repo, and a different front-end to that repo won't include it.
Do you log in with your google account? I understand that doing this could get one banned from the google polity. The anonymous log in doesn't have search working, last time I tried.
Edit: the trick I found was to search on google.com in the browser, then click on the link until it gives you the option to open in aurora v/s play store.
100 times over. It is possible to run Graphene then install DuckDuckGo browser then install F-Droid, then install Aurora, then you can have a de-Googled phone!
Fake security is a big problem to those of us who are concerned with real security.
Mischievous and dishonest use of "security" as a cover by policy bullies, profiteers and other gangsters is as much a threat as worms, viruses, zero-days, phishing scams, data leaks and all other kinds of actual security problems.
Not least because it weakens rational expectations and evaluations of security and substitutes blind trust in (obviously untrustworthy) entities.
Sadly, it's a powerful lever because the average person knows so little about computer security and is easily bamboozled by scare-mongers. Indeed, many phishing and malware scams start with a pop-up saying: "Security Risk! You must update now!"
It is a form of extremely dangerous disinformation. For companies like Google to engage in it for profit is treacherous and reckless.
You have to realise when a large tech company says "security", they mean their security from your attempts to defend yourself. E.g. most of the locking down of devices isn't to make it harder for attackers who want your data (which would defeat their own objectives) but to keep things like DRM keys from you.
No, they don't. They are protecting against malicious actors or at the most buggy software doing bad things on accident.
Advances in this area definitely have been happening. The move to apps getting their own sandbox and having to be explicitly granted permission to access files outside the sandbox definitely helps against this. No longer can malware just read and upload all of one's browser history and malware. Even if an attacker got physical access to the device they would not be able to just dump what's stored either due to encryption.
This should be pretty self-explanatory, but if the security of DRM keys is bad then attackers can dump unprotected versions of the content which is against what creators that have elected for DRM want to have happen with their works.
In the first and second part, you've simply defined the very bad actors who want your data as the good guys.
On the third point, we are in agreement. They want to make sure that when content right hoarders want to remove the content from the service you've paid for and move it to another service you now have to pay for all over again, you can't just keep a copy of what you already paid for. That's what I meant, keeping the device secure against you, who paid for it.
I didn't do this. Can you explain your thinking?
By sending all my data to Microsoft or Google so they can sell it on the open market?
They are not "protecting against malicious actors". They fix bugs when they are openly exploited in the wild (hello Apple).
BTW, what happened to ProjectZero? Never heard from them for a while.
Absolutely right. This is what I called "Zero Sum Security" (your security is my insecurity), and written about here [0] and discussed with Bruce Schneier.
It's a sure sign of an underlying toxic and abusive relationship.
[0] https://techrights.org/o/2021/11/29/teaching-cybersecurity/
I'm not an Android user, but from what I've understood, Google is desperate to deprecate apps that were compiled for earlier Android SDKs before they introduced more iOS-style privacy APIs.
Agree that this is the reason.
I have an app in the Play store and starting in June I have to get a D-U-N-S number, have a phone & email for users to contact me, a phone & email for Google to contact me and documents to verify my identity and my business.
Since there are also Google apps on the store, does it mean that we will finally have a phone and an email to contact Google? :-)
Rules for thee, etc.
Right, they had a deadline for apps that required them to update the target SDKs or the apps would be removed from the Store.
Mine was mid-last year. It was a huge pain, since my apps are really a PWA with a wrapper around it and are updated through the web. This means that I hadn't updated the apps in the app store in a few years, as it wasn't necessary.
And of course, the wrapper I was using (Cordova) didn't support some things from the new SDK, so I had to upgrade to a new major version. Anyway, it was a huge pain to upgrade all that for no functional changes for the end user, for the 10-ish open source apps I built and maintain.
Slightly off-topic, but Android does now support a much better method for submitting PWAs[1] that I'll move to the next time Android requires me to update the target SDK of every app. Hopefully, they'll continue supporting that and it won't require new submissions after that.
[1] https://developers.google.com/codelabs/pwa-in-play#0
The exact reason I am planning to dump Android entirely. Every new Android version is worse than the previous and enforces new compliance measures. Exceptionally developer-unfriendly and increasingly reliant on centralised cloud APIs for features as basic as push notifications.
Another topic is how aggressively anti-freedom Android has gotten with the standard practice of root detection. It feels like more tech overall is becoming a walled garden as of late.
Suddenly, they started doing this? I don't rely on Google Play in any capacity, but it is terrifying. Anyone not determined enough to sideload a third party app store or apps in general will find themselves unable to use a substantial amount of projects that relied on outdated SDK or just couldn't keep the pace, even if the code is out there and can be audited.
This is the most likely reason for that app to get a warning like that. They have made a lot of changes to their 3rd party app security model that would require apps to be updated, even if they were well-behaved under the old model. It's unfortunate that could not have been done with forward compatibility.
This kind of bullshit is why I'm done buying devices I can't root.
I've found that as long as the bootloader can be unlocked and I can install a custom ROM, there's virtually no reason to obtain root. GrapheneOS is good enough on its own that I've had no desire to use root.
When people say "root", they usually mean "unlock the bootloader". "A device I can root" fundamentally means "a device whose bootloader can be unlocked".
Though, Google banning unlocked devices from using Google Pay was a really user-hostile decision.
Some things are difficult to do without root depending on the ROM. Accessing displays' highest brightness mode at will, using a file manager that can actually see and manipulate every file on the device, using custom gesture utilities, altering over-underscan settings, undervolting the SoC, etc.
It's just a PR game of shifting blame. Who's responsible for all those privacy issues on mobile? Google's own ad machine powered by the GMS running as privileged user or the apps? They chose quickly.
Both companies' response to the press has been to blame the apps again and again hoping that it would be enough to continue what they are doing.
Occasionally they even blame the users directly; the play store page on install displays "Safety starts with understanding how developers collect and share your data".
Per the amount of access they have some shit tier third parties will steal more privacy as they won't give a damn about it. Most people don't mind the ad company measuring your general profile of interests but really don't want people to read their messages.
Google does both, the amount of stuff collectively harvested by GMS would make any app doing the same rejected on the play store.
I think last year or so there was an issue where Microsoft Teams broke the phone's ability to dial 911 in certain situations. It was something about Teams taking over the dialer or something? I can't recall exactly. Google understandably took a huge amount of flak from users for that and the FCC got involved. It was fixed, but the reputational hit was significant and I'd bet they're a lot more aggressive with any apps that interact with the phone/dialer in general now. Especially ones that aren't being consistently updated.
As a lifelong Android user, I jumped to Apple after repeated 911 failures were identified. Bugs happen, but Google did not prioritize fixing them. I recall one issue has been open for months. Evidently ensuring 911 is working does not fit into a promotion packet.
That's from Google Play protect, you can turn it off. It also blocks apps from installing.
Settings>security and privacy>app security>play protect security
Play protect can also be turned off from the Play Store: User icon > Play Protect > Settings icon
I think you can remove it by disabling play protect, no?
If it's FOSS you can just install the APK directly. It makes sense for Google to avoid the responsibility.