Open Menu
AllLocalCommunitiesAbout
lotide
AllLocalCommunitiesAbout
Login

Novel technique allows malicious apps to escape iOS and Android guardrails

⁨88⁩ ⁨likes⁩

Submitted ⁨⁨2⁩ ⁨months⁩ ago⁩ by ⁨Xatolos@reddthat.com⁩ to ⁨technology@lemmy.world⁩

https://arstechnica.com/security/2024/08/novel-technique-allows-malicious-apps-to-escape-ios-and-android-guardrails/

source

Comments

Sort:hotnewtop
  • MurrayL@lemmy.world ⁨2⁩ ⁨months⁩ ago

    TLDR: the ‘novel technique’ is PWAs

    source
    • Ghostalmedia@lemmy.world ⁨2⁩ ⁨months⁩ ago

      I would argue that the new piece is that phishers are taking advantage Android’s ability to throw an install button in the browser.

      Enough phones support that now, and they’re able to catch more people in their nets now that folks aren’t installing web apps from a nested menu item.

      source
  • WhatAmLemmy@lemmy.world ⁨2⁩ ⁨months⁩ ago

    Wtf kind of clickbait is this shit? I stopped reading when I got to PWA’s, which are just a javascript website that use specific API’s to feel more offline and app-like, but still run entirely in the browser engine. This is not “novel”, it’s not “side loading”, nor is it breaking iOS/android security. It’s no different than navigating to a scam website in a browser and entering your bank credentials.

    Side note: this tech could have entirely replaced most apps on Apple and Google app stores. Apple has hamstrung it’s addition on iOS for a decade, and still are, so businesses have to build iOS specific apps and pay Apple for the privilege. Both Apple and Google are effectively stealing billions of dollars from global businesses, and dramatically increasing their inefficiency, by forcing every business that wants to build a generic app to use OS specific tech, instead of a single website that you can “install” and operates almost identically across every browser, every mobile OS, and every desktop OS. They’re also more private.

    The above is only one example why Apple, Google, and all of big tech deserve antitrust action, and should be forced to implement open standards across their OS’s. There’s no technical reason you can’t use a single app to communicate across SMS, iMessage, whatsapp, signal, Telegram, etc. They create these walled gardens to prevent competition and lock you into their platforms. No weakening of “security” or encryption needs to take place to do so either. Almost all encryption in use today uses completely open standards, protocols, and libraries.

    source
    • Ghostalmedia@lemmy.world ⁨2⁩ ⁨months⁩ ago

      Mobile dev here.

      I’ll play devil’s advocate. Android streamlined the PWA install experience a few years ago. You no longer need to drill into a menu and select an add to Home Screen option.

      On one hand, have more users using a better mobile experience, but on the other hand, I now have a lot of users that think they installed the native app.

      I don’t think the end user should need to care about my tech stack, but I could see how a malicious actor could dupe people with this newer streamlined PWA install flow. These malicious actors probably caught a lot less people with the old menu > add to Home Screen flow.

      source
      • WhatAmLemmy@lemmy.world ⁨2⁩ ⁨months⁩ ago

        That’s not really playing devils advocate. You’re correct. I was just highlighting the headline was disinformation. It’s true that the average user isn’t aware of the difference, but I would blame the OS for not making that explicit on install that this is a website and that authenticity should be triple checked. There’s also nothing stopping them from delivering PWA’s via their app stores, except for their greed.

        source
        • -> View More Comments
  • mox@lemmy.sdf.org ⁨2⁩ ⁨months⁩ ago

    a novel technique to trick iOS and Android users into installing malicious apps that bypass safety guardrails built by both Apple and Google to prevent unauthorized apps.

    So the “safety guardrails” being bypassed are just the restrictions imposed by Apple and many Android devices that prevent the device owner from installing apps from outside the company stores?

    And the installed apps are web apps, running within browsers that Apple and Android stores already approved?

    Um…

    It seems to me that the only safety being guarded here is corporate profits.

    source
  • halfdane@lemmy.world ⁨2⁩ ⁨months⁩ ago

    It’s a PWA

    source
  • Ghostalmedia@lemmy.world ⁨2⁩ ⁨months⁩ ago

    IMHO, getting people to install a sketchy PWA is going to be more successful with newer versions of Android that allow a PWA to throw an “install” button in the browser.

    When I look at my mobile end users, the people who install PWAs are overwhelmingly on newer versions of Android, not older versions, or iOS. Opening the share menu and adding a bookmark to the Home Screen seems simple, but it provides an amount of friction that scares off a lot of end users.

    source
  • yessikg@lemmy.blahaj.zone ⁨2⁩ ⁨months⁩ ago

    PWAs are great, this is just phishing

    source