I dont know why the change happened but I use play store only in every couple of months when I need something really specific. Long gone are the days I was intrested in searching for new apps and trying them out.
Similar with updates, I've been hurt couple of times by keeping apps updated, so now it happens only when it stops working completely.
That's part of the over-saturation of apps I guess.
I also do the same regarding updates. More than once I've found that functionality is crippled in a newer version or it's simply is less usable so now I also avoid updating unless there's a feature I really want or as you say, it stops working altogether.
Same here, I only update when necessary. Also having auto update is painful, when you suddenly switch from 4G to WiFi your phone will try to update everything making it sluggish, regardless of what you want to do on your phone...
Yes. When I am using app, it is usually already doing everything I need it to be doing.
Example is shazam. Used to be really simple. Big button, listen and get the name and thats about it. Now its loaded with buy now links, the big listen button is gone, wants you to register, takes too long to set up and so on.
Because apps are not really good for you. They were exciting and new for a while, and those days are gone. You've either found your set of apps and settled with them, because they are finally working, or you just simply got tired of trying out stuff for the sake of trying out stuff.
I used to experiment around with some games and other interesting apps, but the free-to-play garbage has pretty much pushed me off of looking for new things in the store all together. Google used to do a decent job curating some recommended apps, but all that seems to have gone by the wayside some time ago.
Now most of what I see are free-to-play apps with like 100 million downloads and 4-5 stars, but none of the stuff I've downloaded in that criteria has managed to hold my interest for longer than 10-20 minutes.
I've gotten a lot more enjoyment out of a few humble mobile bundles than just about anything in the store.
I think this. They have killed play store discovery. Only time I use is if I want something specific, like guitar tune for example. Or I find article/intresting read about new app and want to try it out.
Too bad Google isn't more aggressive at keeping malware out of the Play Store. As it stands, I will not install anything that isn't from something very mainstream such as Google, Amazon, Netflix, etc. No small/indy apps for me.
Check out Google's excellent Android security review [1]. Google is pretty effective at keeping harmful apps out of the the Play Store; if you don't sideload apps less than 0.15% devices had malware.
How does that compare with iOS? I mean, Google may be doing yeoman's work, but if that compares with near-zero (due to Apple's walled garden), it's still looks bad in comparison (esp with the huge Android installed base).
The article doesn't go into details of how the app manged to do all these things, isn't there some sandboxing that was broken, know vulnerability or some 0day that was used or anything like it?
I've heard that android security is broken but it's seems a little too easy.
It's not all that effective; some apps (like the Hue app) just crash if you deny them anything. Why didn't Android add the option to provide blank data to apps?
That sounds like the app is badly implemented, really.
Yeah, it really is badly implemented, but the blame for that lies in part with Android for making it so easy to write apps that break. It would have been perfectly easy to write the code so that it returned "GPS signal lost" for location, "no contacts" for contacts, "SD card is empty" for storage, "no phone call in progress" for phone, etc. In fact, modders of Android have been doing that kind of thing for years. It's truly astonishing that Google got this so wrong when there are so many better examples.
Because it's a completely new API and it shouldn't have to, apps should check the return code to see if the permission was denied or not.
Sometimes an app should believe the permission was granted when it actually wasn't, because of the aforementioned bad (or even malicious) apps. Maybe you have to use a particular app in order to control the lights in your house, or your car, or to chat with someone who refuses to use anything that doesn't have a permission list a mile long. Privacy controls are useless if the true control is still in the hands of the app.
Are you talking about denying permissions to apps that don't support the new-style permissions natively, perhaps?
No, I'm not, but clearly old-style permissions could have been reimplemented as forwarding calls to a new-style API that returned blank data if the user chose blank data for that app's permission, just as privacy mods for rooted phones have already done.
They have two different privacy solutions implemented in Android 6 (marshmallow):
The first one is comparable to iOS' model - the app must ask for permission on first access. If the user denies said access, the app gets this information.
Ghe second solution is aimed at apps designed for older Android versions, if the user denies access, the app gets empty data back (e.g. Empty contact lists, no GPS satellite etc).
An app designed for Android 6 should handle negative feedback (disable functions, show a warning/explanation or something else), it shouldn't break. If you don't want to handle this, design for Android <6 and let the system take care of it.
But it should be a difference between permission not granted and no data available, apps should handle these issues differently.
If I were to deny my navigation app access to my location, it should ask me to revoke this decision and not warn me about not finding GPS satellites (which would make me run around with my phone hold up in the air hoping to get a GPS fix).
If I were to deny my navigation app access to my location, it should ask me to revoke this decision and not warn me about not finding GPS satellites (which would make me run around with my phone hold up in the air hoping to get a GPS fix).
That kind of notification should be done by the permission system itself, perhaps as an icon in the status bar.
(Tedious disclaimer: my opinion only, not speaking for anybody else. I'm an SRE at Google, with no particular insight into Android.)
> No, I'm not, but clearly old-style permissions could have been reimplemented as forwarding calls to a new-style API that returned blank data if the user chose blank data for that app's permission, just as privacy mods for rooted phones have already done.
Not only is this clearly possible, and a good idea, but it is also pretty much exactly how Android implements it. If you don't use the new API, you'll just get blank data.
I've never used the app you're talking about, but it sounds buggy to me.
From what I can say the main functionality is to take from one server and run them as HTTP requests on another. i.e. click fraud. The only permission required for this would be internet access.
There's some extra functionality for users who have rooted their phone.
I've been contemplating for a few weeks now rooting my phone. My justification for this plan is the convenience and added security of system-wide ad block. But I always wonder if I should be more concerned with the new vulnerabilities I open than with the ones I'm closing. I guess I'm wondering what people here think: is rooting something that makes sense if you're careful, or is it something you do if you're smart enough to want to play with your phone while not being smart enough to know better?
If you're a careless user, don't root your phone. If you pay attention, use common sense, and don't have a thousand Play store apps installed; you'll probably be okay. Another way to look at it is by comparing your phone to your desktop or laptop computer. How often do you unintentionally break it with malware? Often? Don't root your phone. Rarely or never? You'll be okay.
The best advice I can offer is to stay the hell away from Google Play. That trash, and the rest of their services, are the first things I strip from my phones. Instead, use properly licensed open source software, from the F-Droid repository (or similar). If it's not a proprietary app (Twitter/Facebook/Snapchat/etc.), there's likely a FOSS version that's better than anything on the Play store. Flashlight apps don't need to access your contact list, or read your call logs, or have an open port in your firewall. The damned bastards.
On F-Droid you'll find (for your rooted phone):
AFWall+, an IPTables firewall GUI. Very nice looking and intuitive. Don't think I've ever used a firewall so easy to configure.
Autostart, an app that prevents garbage from auto-starting. A bunch of junkware usually loads up when you activate things like WiFi and GPS, or reboot the phone. Autostart can be configured to block the bloat, and in turn, make your phone run much more efficiently.
Disable Manager, to disable unsavory services (Play, Facebook, etc.). If you're worried that deleting things will break the phone, this app will put your mind at ease, because you can use it to turn things off and on, like a switch, instead of outright deleting.
AdAway, generic name, but it does what it's supposed to; system-wide ad blocking. It's FOSS, under GPL. If you avoid the Play store, configure your firewall, and use an ad blocker addon on Firefox, you might not even need an app like this one.
There's a bunch of other cool, trustworthy, stuff on F-Droid that's not going to abuse your phone. When it comes down to it, if you stick with FOSS, you won't need to root the phone; a non-root firewall will suffice.
Apologies for the rant, this was supposed to be a short reply, I don't know what happened.
There are 4 other Apps mentioned in the article that seem to distribute the Malware, but it appears as if you need to install this malicious code yourself
I feel like every time I read about something ad-related it's usually in a negative context. This malware doesn't even care if it's not executed as root... it just needs the device to falsify ad clicks/impressions. And I guess nobody really cares, because the probably huge amount of bot action on ad exchanges just makes the pie larger for everyone.
(With all of Google's talent and machine learning and AI, it can't detect this junk? please...)
All the more reason to avoid hardware from this company.
I'm pretty sure that this is not what Google wants although they might -as you correctly point out- profit from it in the first place.
But the negative publicity in combination with possibly loosing companies buying ad space on Google because of fake clicks can not be worth it. Google is too big to profit from a scam like this in the long-term.
I agree, and like you, I doubt fake clicks/impressions have an impact on Google's revenue.
Still, one has to wonder how one arm of the company can be so successful at creating artificial intelligence (smart cars, tensor flow, deep dream, just OTOH), while the other - its primary revenue driver, at that - manages to overlook things that are so simple.
Or am I really expecting it to be much more difficult than simple heuristics like "game + SMS privileges = fishy"?
Similar with updates, I've been hurt couple of times by keeping apps updated, so now it happens only when it stops working completely.