Novel technique allows malicious apps to escape iOS and Android guardrails

Ghostalmedia , 3 hours ago

IMHO, getting people to install a sketchy PWA is going to be more successful with newer versions of Android that allow a PWA to throw an “install” button in the browser.

When I look at my mobile end users, the people who install PWAs are overwhelmingly on newer versions of Android, not older versions, or iOS. Opening the share menu and adding a bookmark to the Home Screen seems simple, but it provides an amount of friction that scares off a lot of end users.

WhatAmLemmy , 3 hours ago

Wtf kind of clickbait is this shit? I stopped reading when I got to PWA’s, which are just a javascript website that use specific API’s to feel more offline and app-like, but still run entirely in the browser engine. This is not “novel”, it’s not “side loading”, nor is it breaking iOS/android security. It’s no different than navigating to a scam website in a browser and entering your bank credentials.

Side note: this tech could have entirely replaced most apps on Apple and Google app stores. Apple has hamstrung it’s addition on iOS for a decade, and still are, so businesses have to build iOS specific apps and pay Apple for the privilege. Both Apple and Google are effectively stealing billions of dollars from global businesses, and dramatically increasing their inefficiency, by forcing every business that wants to build a generic app to use their OS-specific proprietary tech, instead of a single website that you can “install” and operates almost identically across every browser, every mobile OS, and every desktop OS. They’re also more private than proprietary apps.

The above is only one example why Apple, Google, and all of big tech deserve antitrust action, and should be forced to open walled gardens and implement open standards across their OS’s. There’s no technical reason you can’t use a single app to communicate across SMS, iMessage, whatsapp, signal, Telegram, etc. They create these walled gardens to prevent competition and lock you into their platforms. No weakening of “security” or encryption needs to take place to do so either. Almost all encryption in use today uses completely open standards, protocols, and libraries.

Ghostalmedia , 1 hour ago

Mobile dev here.

I’ll play devil’s advocate. Android streamlined the PWA install experience a few years ago. You no longer need to drill into a menu and select an add to Home Screen option.

On one hand, have more users using a better mobile experience, but on the other hand, I now have a lot of users that think they installed the native app.

I don’t think the end user should need to care about my tech stack, but I could see how a malicious actor could dupe people with this newer streamlined PWA install flow. These malicious actors probably caught a lot less people with the old menu > add to Home Screen flow.

halfdane , 4 hours ago

It’s a PWA

MurrayL , 4 hours ago

TLDR: the ‘novel technique’ is PWAs

Ghostalmedia , 2 hours ago

I would argue that the new piece is that phishers are taking advantage Android’s ability to throw an install button in the browser.

Enough phones support that now, and they’re able to catch more people in their nets now that folks aren’t installing web apps from a nested menu item.

Aatube , 2 hours ago

Pretty sure that was widely available two years ago. I used that to install a free VPN while in China.

Ghostalmedia , 1 hour ago

Yeah, I forget what version of Android it went out in. I only really started paying attention when, at work, we realized that a lot of our unreproducible bugs were from PWA users claiming they had installed the native app.

And those mismatched PWA / native bugs were overwhelmingly from Android users on newer versions of Android. They thought the new PWA install user experience was for a native Play Store app.

The bugs were driving us crazy and then someone in UX caught the behavior on a user test.