> so it's still possible to target someone with malicious update
I'm no Android or iOS dev, so I might be wrong, but to my knowledge there is no feature to push an app update specifically to a narrow set of devices?
So at the very least, third parties (Apple/Google) would have to be involved in such an attack. This removes some entities from the list that could create an attack.
Also, Apple/Google have a big reason not to play such games. Their app stores are partially so popular because they, as companies, are trusted. Apple/Google would only do this if they'd be legally required to. IF they were involved, even against their will, this would mean tremendous risk to trust in these companies, meaning risk to the stock. And for a publicly traded company, there is no bigger motivator. Apple/Google would get out all the lobbying power they have, trying to fight off whatever coercion tool the US government uses against them to make them comply.
Even if there'd be no opposition from Apple or Google, people outside would notice sooner or later that they've got malicious updates. If they use it once or twice, they might go undetected, but if governments or other entities start using this as a vector repeatedly, it will get to the public.
This doesn't mean that I think that these issues aren't important. Reproducible builds, binary transparency, gossip protocols, all these things are very important areas to invest research in, but right now they aren't a vector that is being abused on observable scales.
> I'm no Android or iOS dev, so I might be wrong, but to my knowledge there is no feature to push an app update specifically to a narrow set of devices?
Yes, it's possible to target a "narrow set of devices" by using the Device Catalog. An excerpt from the ToS:
> Google Play Console Device Catalog Terms of Service
> By using the device catalog and device exclusion tools in the Play Console (“Device Catalog”), You consent to be bound by these terms, in addition to the Google Play Developer Distribution Agreement (“DDA”). If there is a conflict between these terms and the DDA, these terms govern Your use of the Device Catalog. Capitalized terms used below, but not defined below, have the meaning ascribed to them under the DDA.
> 1. The Device Catalog allows You to review a catalog of the Devices supported by Your app and search the Devices by their hardware attributes. It also allows You to exclude specific Devices that are technically incompatible with Your app.