m.krbonne.net

lemmyng , 32 minutes ago to cybersecurity in apps .. repo or not

Rant: We’re living in a time where curl | bash has become normalized. This generation’s security practices are fucked.

Back to the topic: I see it as a problem of not enough education and too much trust. People are not taught how to verify the authenticity and legitimacy of software, and put too much trust in claims of authority. It’s not just a consumer problem either, look at the CrowdStrike incident: people in the industry knew it was shit, but the decision makers kept trusting it because they are a big name. How did they become a big name? The same way a lot of other companies do, by bribing the early decision makers into using them.

Back to consumers: it doesn’t help that there’s no first class sandboxing features. Both Android and iOS rely heavily on app store controls. Sure, there are some system controls, but the user has barely any agency over them.

gencha , 52 minutes ago to cybersecurity in apps .. repo or not

It’s good to have established release channels that don’t rely on third parties in the first place. Everything beyond that is for convenience and strictly optional.

redknight , 5 hours ago to cybersecurity in apps .. repo or not

Unfortunately this is a moving target, depending on what you define as your trust anchor.

Is your anchor the original Team? Fdroid wioth the (reproducible) build? Something else?

depending on the answer, the “good” solution is probably different from mine

lurch , 6 hours ago to cybersecurity in apps .. repo or not

I don’t trust f-droid as well, because some of its apps crash the (un)installer and can therefore never be removed.

However, you need a trustworthy party and they have to digitally sign the APK after checking the code (changes) and compiling it themselves. They can also sign messages they send to the public.