Comment on Novel technique allows malicious apps to escape iOS and Android guardrails
Ghostalmedia@lemmy.world 2 months agoMobile dev here.
I’ll play devil’s advocate. Android streamlined the PWA install experience a few years ago. You no longer need to drill into a menu and select an add to Home Screen option.
On one hand, have more users using a better mobile experience, but on the other hand, I now have a lot of users that think they installed the native app.
I don’t think the end user should need to care about my tech stack, but I could see how a malicious actor could dupe people with this newer streamlined PWA install flow. These malicious actors probably caught a lot less people with the old menu > add to Home Screen flow.
WhatAmLemmy@lemmy.world 2 months ago
That’s not really playing devils advocate. You’re correct. I was just highlighting the headline was disinformation. It’s true that the average user isn’t aware of the difference, but I would blame the OS for not making that explicit on install that this is a website and that authenticity should be triple checked. There’s also nothing stopping them from delivering PWA’s via their app stores, except for their greed.
trolololol@lemmy.world 2 months ago
There’s also nothing stopping a malicious actor from putting a malicious app in the store, whether that is a wrapper on JavaScript or native code. So I don’t see the distinction at all from having pwa or native apps barriers because they’re all weak.
Ghostalmedia@lemmy.world 2 months ago
I guess I’m saying that I didn’t think the headline was too bad. There is a new PWA install flow that’s widely available on Android now, and phishing via that new PWA install UX is potentially a new hot area. I’m not particularly offended by calling that novel. Just my 2¢