Comment on Novel technique allows malicious apps to escape iOS and Android guardrails
WhatAmLemmy@lemmy.world 2 months ago
Wtf kind of clickbait is this shit? I stopped reading when I got to PWAs, which are just a JavaScript website that uses specific APIs to feel more offline and app-like, but still run entirely in the browser engine. This is not “novel”, it’s not “side loading”, nor is it breaking iOS/Android security. It’s no different than navigating to a scam website in a browser and entering your bank credentials.
Side note: this tech could have entirely replaced most apps on Apple and Google app stores. Apple has hamstrung its addition on iOS for a decade, and still is, so businesses have to build iOS specific apps and pay Apple for the privilege. Both Apple and Google are effectively stealing billions of dollars from global businesses, and dramatically increasing their inefficiency, by forcing every business that wants to build a generic app to use OS specific tech, instead of a single website that you can “install” and that operates almost identically across every browser, every mobile OS, and every desktop OS. They’re also more private.
The above is only one example of why Apple, Google, and all of big tech deserve antitrust action, and should be forced to implement open standards across their OSes. There’s no technical reason you can’t use a single app to communicate across SMS, iMessage, WhatsApp, Signal, Telegram, etc. They create these walled gardens to prevent competition and lock you into their platforms. No weakening of “security” or encryption needs to take place to do so either. Almost all encryption in use today uses completely open standards, protocols, and libraries.
Ghostalmedia@lemmy.world 2 months ago
Mobile dev here.
I’ll play devil’s advocate. Android streamlined the PWA install experience a few years ago. You no longer need to drill into a menu and select an add to Home Screen option.
On one hand, I have more users using a better mobile experience, but on the other hand, I now have a lot of users that think they installed the native app.
I don’t think the end user should need to care about my tech stack, but I could see how a malicious actor could dupe people with this newer streamlined PWA install flow. These malicious actors probably caught a lot fewer people with the old menu > add to Home Screen flow.
WhatAmLemmy@lemmy.world 2 months ago
That’s not really playing devil’s advocate. You’re correct. I was just highlighting the headline was disinformation. It’s true that the average user isn’t aware of the difference, but I would blame the OS for not making it explicit on install that this is a website and that authenticity should be triple checked. There’s also nothing stopping them from delivering PWAs via their app stores, except for their greed.
trolololol@lemmy.world 2 months ago
There’s also nothing stopping a malicious actor from putting a malicious app in the store, whether that is a wrapper on JavaScript or native code. So I don’t see the distinction at all from having PWA or native app barriers because they’re all weak.
Ghostalmedia@lemmy.world 2 months ago
I guess I’m saying that I didn’t think the headline was too bad. There is a new PWA install flow that’s widely available on Android now, and phishing via that new PWA install UX is potentially a new hot area. I’m not particularly offended by calling that novel. Just my 2¢