zlacker

[return to "Google will allow only apps from verified developers to be installed on Android"]
1. 876368+tk[view] [source] 2025-08-25 20:01:04
>>kotaKa+(OP)
Official announcement: https://android-developers.googleblog.com/2025/08/elevating-...

More info:

https://developer.android.com/developer-verification

https://support.google.com/googleplay/android-developer/answ...

Personally...we all know the Play Store is chock full of malicious garbage, so the verification requirements there don't do jack to protect users. The way I see it, this is nothing but a power grab, a way for Google to kill apps like Revanced for good. They'll just find some bullshit reason to suspend your developer account if you do something they don't like.

Every time I hear mentions of "safety" from the folks at Google, I'm reminded that there's a hidden Internet permission on Android that can neuter 95% of malicious apps. But it's hidden, apparently because keeping users from using it to block ads on apps is of greater concern to Google than keeping people safe.

> we will be confirming who the developer is, not reviewing the content of their app or where it came from

This is such an odd statement. I mean, surely they have to be willing to review the contents of apps at some point (if only to suspend the accounts of developers who are actually producing malware), or else this whole affair does nothing but introduce friction.

TFA had me believing that bypassing the restriction might've been possible by disabling Play Protect, but that doesn't seem to be the case since there aren't any mentions of it in the official info we've been given.

On the flip side, that's one less platform I care about supporting with my projects. We're down to just Linux and Windows if you're not willing to sell your soul (no, I will not be making a Google account) just for the right to develop for a certain platform.

◧◩
2. UncleM+RI[view] [source] 2025-08-25 22:19:10
>>876368+tk
> Every time I hear mentions of "safety" from the folks at Google, I'm reminded that there's a hidden Internet permission on Android that can neuter 95% of malicious apps. But it's hidden, apparently because keeping users from using it to block ads on apps is of greater concern to Google than keeping people safe.

You've never needed the internet permission to exfiltrate data. Just send an intent to the browser app to load a page owned by the attacker with the data to be exfilled in the query parameters.

◧◩◪
3. gumby2+eL[view] [source] 2025-08-25 22:32:46
>>UncleM+RI
Wouldn't that launch the browser app and bring it to the foreground? I wouldn't compare that to having full network access.
◧◩◪◨
4. UncleM+5X[view] [source] 2025-08-26 00:03:50
>>gumby2+eL
It'd launch the browser app. You can have your evil page redirect to a benign page so it just looks like Chrome randomly opened or whatever. It is not as powerful as full network access as you can only send so much information in query parameters, but if you are doing some phishing or stealing sms 2fa codes or whatever then it is plenty to send back whatever payload you wanted to.

And of course basically every app requires internet permissions for ordinary behavior. The world where an explicit internet permission would somehow get somebody to look askance at some malware that they were about to download is just not believable.

[go to top]