undefined | Better HN

undefined | Better HN

0 comments

Do you think regular desktop computer should be locked down like this too? Scammers can also tell people to run Windows programs. Should that be banned too?

I'm fine with an opt-in lock-down feature so people can do it for their parents/grandparents/children.

Also, just let people get used to it. People will get burned, then tell their friends and they will then know not to simply follow what a stranger guides them to do over the phone. Maybe they will actually have second thoughts about what personal data they enter on their phone and when and where and who it may be sent to.

Same as with emails telling you to buy gift cards at the gas station. Should the clerk tell people to come back tomorrow if they want to buy a gift card, just in case they are being "guided" by a Nigerian prince scammer?

ravenstine6d ago

Exactly. There's a sucker born every minute. I'm not saying people deserve to be taken advantage of. The reality is that there will always be people who can be lead off a cliff with minimal effort. There will always be people who believe that a guy with a thick Indian accent and broken English is a representative of Microsoft and that he can fix their computer in exchange for gift card codes. There comes a point where society sacrifices too much under the pretense of protecting the gullible. Prevent people from using technology at all and they'll go back to buying actual snake oil.

flomo6d ago

Keep in mind that Android has like a billion users who have never touched a Windows computer. (And unmanaged Windows was/is also a disaster zone.) Coming at this from a internet forum perspective is missing the scope of the problem.

> I'm fine with an opt-in lock-down feature

Me too, but it's really just some UI semantics whether this is 'opt-in' or 'opt-out'. Essentially it would be an option to set up the phone in "developer mode".

Dylan168076d ago

There is a big difference between opt-in and opt-out that isn't semantics. You can't slowly discourage, deprecate and delete the default the way you can an opt-in, because too many people keep using it.

duskdozer6d ago

Not really. With opt-out, if I buy a new phone or even just reinstall OS, I will now have to wait 24 hours before doing anything useful with it.

pas6d ago

Maybe? Let people form CAs, and if a CA gives out certs for malicious apps remove them. (Old apps continue to work, to publish new one get new cert.)

Yes, sad, but works.

People will learn about scams, but scammers are unfortunately a few steps ahead. (Lots of scammers, good techniques spread faster among them than among the general public.)

flomo6d ago

If "they" is Google, this is just a really pointless middleman proposal. Android does all the cert stuff.

Also Chrome trusts like 300 CAs. Does that work? Probably not if you live in 200 of those countries.

The scams are more sophisticated than getting gift cards to pay the IRS. A number saying that it’s from the bank will say they need to verify some account information.

I have had to actually verify my “investment profile” with a major broker in order to unfreeze some trades, in a high friction process. To the extent that a sideloaded app that looks exactly like the bank app has a low friction install, then people can get fooled and irrevocably lose savings.

If the lock-down is opt-in, almost nobody will opt in to it. If the lockdown is opt-out, then whether scams still happen depends on how much friction there is in opting out.

Freedom to install other unsigned sandboxed apps has a solution: Banks could use passkeys and other non-phishable methods. Sideloaded apps in Android can’t get to the bank app’s passkey.

Passkeys or hardware tokens get worries about the enshittification of the theoretical recovery process. Which, if that’s the case, I guess we should hope for/pay a better world, at least with banks and brokers. For them specifically, for account recovery allow either showing up in person or using ID checks.

Both for personal accounts and business accounts (i.e. with Business Email Compromise), I believe the onus should be on the bank to use non-phishable methods to show the human-readable payee from their app for irrevocable transfers.

whatshisface7d ago

Let's say I'm sitting outside of your office with a bazooka and boxes of high explosives. You ask my why, and I say, "someone might try to rob this office." You say, "somehow, that does not persuade me that a stranger should loiter outside of my workplace with a massive stockpile of ordinance." I reply, "what's your solution to combat robberies?"

rtpg7d ago

let's say I put a lock on an office door. You say "Why? Bazookas will get through the door anyways".

I don't know how I feel about this change but context does in fact matter about whether something is a good idea or not

Is it a lock? I buy a building and the builder put an id verification lock on the doors and I am not allowed to remove it. And they also require a separate one time fee of 2 to 5 percent of the purchase price.

kelvinjps106d ago

it already has a lock, by default you're not allowed to install apps in android you have to accepts a bunch of prompts and configurations (the key) and now you won't even have the key

RobotToaster7d ago

'Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.' - Benjamin Franklin

fluidcruft7d ago

'essential' means can't be bothered to wait 24 hours (once)?

FpUser6d ago

>"'essential' means can't be bothered to wait 24 hours (once)?"

Essential means to get fucking lost and let me do with the hardware I paid for whatever I want.

You are missing the part that new 24 hour process was a response to backlash. It was not even in their plan.

To do what I want with my own property seems pretty essential to me.

Boiling the frog.

yehat6d ago

Stockholm syndrome is so pity when detected.

rvba6d ago

Why not wait 3 months just to be safe? Or 3 years?

I paid for my phone.

supern0va7d ago

Would you support Microsoft doing the same thing to Windows?

These are general purpose computing devices. It's sure taking a long time, but Cory Doctorow's talk on the war on general purpose computing is sure starting to become a depressing reality: https://www.youtube.com/watch?v=HUEvRyemKSg

Microsoft is doing the same thing, they call it S-mode. A surprisingly large amount of computers are sold with Windows S. Thankfully S-Mode can usually be disabled even if your computer shipped with it enabled.

   Windows S mode is a streamlined version of Windows designed for enhanced security and performance, allowing only apps from the Microsoft Store and requiring Microsoft Edge for safe browsing.

tadfisher6d ago

Which is frankly hilarious because the Microsoft Store is the worst offender when it comes to hosting straight-up scams.

I'm not the only one who has noticed: https://www.reddit.com/r/windows/s/6y39VNaLUh

lukeschlather7d ago

All apps should be open source and subject to verification by nonprofit repositories like F-Droid which have scary warnings on software that does undesirable things. For-profit appstores like Google and Apple that allow closed source software are too friendly to scams and malware.

I don't think that's a realistic suggestion as as the quantity of applications are huge who are going to spend time reviewing them one by one. And and even then it's not realistic to expect that that undesirable things can be detected as these things can be hidden externally for instance or obfuscated

lukeschlather7d ago

F-Droid exists and they have a much better track record than Google. I'm not actually serious, I just think if there's a single app repo that should be allowed to install apps without a scary 24h verification cooldown, it's Google's proprietary closed-source app store that needs the scary process, not F-Droid.

I think compared to the alternatives, this is the best answer.

Even if you are a bank or whatever, you shouldn't store global secrets on the app itself, obfuscated or not. And once you have good engineering practices to not store global secrets (user specific secrets is ok), then there is no reason why the source code couldn't be public.

staticassertion7d ago

That's absurd.

RobotToaster7d ago

No more absurd than letting a megacorp control what I install on my own device.

array_key_first7d ago

It's also true, the best way to audit software is source-code and behavior analysis. Google and Apple do surprisingly minimal amounts of auditing of the software they allow on the Play Store and App Store, mostly because they can't, by design. It should shock absolutely nobody then that those distribution methods are much more at risk of malware.

Not the parent or agreeing/disagreeing with them, but to your question: if you get creative, there are a lot of things you could do, some more unorthodox than others.

Tongue-in-cheek example, just to get the point across: instead of calling it Developer Mode, call it "Scam mode (dangerous)". Require pressing a button that says "Someone might be scamming me right now." Then require the user to type (not paste) in a long sentence like "STOP! DO NOT CONTINUE IF SOMEONE IS TELLING YOU TO DO THIS! THIS IS A SCAM!"... you get the idea. Maybe ask them to type in some Linux command with special symbols to find the contents of some file with a random name. Then require a reboot for good measure and maybe require typing in another bit of text like "If a stranger told me to do this, it's a scam." Basically, make it as ridiculous and obnoxious as possible so that the message gets across loud and clear to anybody who doesn't know what they're doing.

The people falling for social engineering now won't be protected by this either. You could gate the functionality behind verification of an anti-scam awareness and education training and certification course, scammers would coach people through the entire course and the verification step, and people would still be victimized.

AnthonyMouse6d ago

> You could gate the functionality behind verification of an anti-scam awareness and education training and certification course, scammers would coach people through the entire course and the verification step, and people would still be victimized.

The problem with this line of reasoning is that it proves too much, which really gets to the heart of the issue.

If people are willing to be led to the slaughterhouse in a blindfold then it's not just installing third party code which is a problem. You can't allow them to use the official bank app on an approved device to transfer money because a scammer could convince them to do it (and then string them along until the dispute window is closed). You can't allow them to read their own email or SMS or they'll give the scammer the code. If the user is willing to follow malicious instructions then the attacker doesn't need the device to be running malicious code. Those users can't be saved by the thing that purportedly exists only to save them.

Whereas if you can expect them to think for two seconds before doing something, what's wrong with letting them make their own choices about what to install?

fc417fc8026d ago

That's unfortunate if true but it isn't a convincing argument to force the rest of society to live in proverbial padded cells. There's a minimum bar here. Some people probably shouldn't have online accounts and aren't responsible enough to manage their own finances. The rest of us are (hopefully at least marginally) functional adults.

Nothing is perfect, but by what percentage would you think scams that leverage sideloading would drop? 1%? 10%? 50%? 90%? 99%?

dminik7d ago

I'm going to break your kneecaps. Oh, what's that? You don't like it? Well, what's your solution to P=NP?

singpolyma37d ago

If cooldowns work, put them on granting permissions.

There are just as many scam apps in play store and this system does nothing to help with those.

ulrikrasmussen6d ago

If I proposed putting mandatory cameras in all homes and you objected, would it then be fair for me to demand that you justify your position by proposing a better alternative to combat domestic violence?

Locking down computing is just fundamentally wrong and leads to an unfree society.

ajb6d ago

The choice is not between "individuals are on their own against scammers" and "users are locked into Google vetting their phone". Users should be able to choose another organisation to do the vetting. They bought a phone, they didn't sell their life to Google.

GeekyBear7d ago

Tell the unsophisticated users that they would be safer inside the ecosystem that has always been a walled garden.

Why destroy the ecosystem that gives you the freedom to shoot yourself in the foot?

Turning Android into another walled garden removes user choice from the equation.

mrguyorama6d ago

So there's no scamming happening in Apple's fully walled garden, "Only approved apps allowed" system, right?

https://blog.lastpass.com/posts/warning-fraudulent-app-imper...

Oh, turns out they just let you pretend to be the real company to sell your scam app.

What a load of good that "Approval" process does.

KoolKat236d ago

Enable unknown sources in developer options, have the user type out in order to proceed "If I am typing this and don't know what I am doing, I am likely being scammed".

fluidcruft7d ago

I suppose you could make the cooldown apply to the actual installed app. Like... when it's first installed it won't work for 24 hours and the clock doesn't start until you reboot. And then on boot it scares you again before starting the clock. And then "scares" you again after the cooldown.

Force the phones to be open so I can install my own OS on them.

Then Google can do whatever they want with their OS and I can do what I need with mine. You might actually get phone OS competition. This is what the walled garden is actually meant to prevent.

passwordoops7d ago

Like the ones constantly advertising across Google's plethora of platforms without any repercussions or possibility of recourse with Google? For my safety, of course.

ReptileMan6d ago

China just executed couple of them that operated in Myanmar. Since we are hurling towards the bad parts in their dystopia anyway, why not also get the good ones?

ozgrakkurt6d ago

Education is the only solution to this.

You can’t feasibly protect someone that believes the person on the phone is their family member or the chief of police.

This kind of thing has to be verified like how they try drugs. Just randomly doing things will surely be useless, similar to how randomly optimizing parts of a program is generally worthless.

poulpy1236d ago

Are scammers using sideloaded apps when they can use whatever remote connexion the apps in the store allow ?

I think a big warning in red "Warning :If you don't personally know the person asking you to install this app, you are getting scammed. No legitimate business or Institution will ask you to install this app"

rawbot6d ago

Why would you need to sideload anything when scammers can just use Teamviewer or any remote operation software, readily available in the Play Store, that will surely pass whatever "checkmark" process Google uses to validate "safe" apps?

We need to remove the play store from Android phones. People have been scammed there more than any other store.

JoshTriplett6d ago

"Warning: if someone is talking to you and walking you through this screen, you may be being scammed!"

Done.

kryptiskt6d ago

As if Google Play itself isn't a cesspool full of scammers, or Google ads, or Youtube. As long as Google get their cut they don't give a shit about scams. For a reality check, turn off your adblockers and you'll see how much Google profits from scams. Any solution to scamming can't involve Google, since they long have been a willing tool for scammers.

Pretending that this is about anything but Google's greed is giving them far too much credit.

userbinator6d ago

Something called personal responsibility and intelligence.

...which clearly companies don't want, because complacent mindless idiots are easier to brainwash, control, and milk.

But this has nothing to do with combating scammers in the first place, have you never used the play store before? It's overwhelmingly scam apps with the most intrusive ad/tracking shit imaginable. There are scammers openly buying sponsored search results for names of popular apps so their malicious app with similar name appears as the first result.

> what's your solution to combat scammers?

I'd wipe the Play Store off the face of the earth. Have you looked at the garbage on there that Google considers legit?

This: https://news.ycombinator.com/item?id=47447600

is is the shit people are exposed to when they go through the Play Store. You don't find that on F-droid.

The second thing I'd do to combat scammers is the same thing I'd do to combat child porn and disinformation: educate people. This silly process is a technical answer to a social problem, and those rarely work well.

gzread6d ago

Arrest the scammers

AlfeG6d ago

I wonder how this will help combat scammers. Do you really think they don’t have $25 for a fee?

Furthermore, this verification system also functions as a US sanction mechanism—one that can be triggered against any entity the US decides to ban.

nazgulsenpai6d ago

education

steve_woody6d ago

Don't install crap on your phone

j / k navigate · click thread line to collapse