(Cryptographically) sign me up! Android to take bad app checks offline

Google says Android will no longer require an internet connection to check whether applications are legit or potentially malicious. From now on, the Play Store will embed metadata into apps' APKs that will be used to check whether or not the software is authentic, and confirm whether it came through the official Google souk or …
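The article only says that metadata is embedded in the APK; it does not say where. APKs are ZIP files, and the place Android already reserves for signing data is the APK Signing Block, which sits just before the ZIP central directory and holds ID/value pairs (the v2 and v3 signature scheme IDs are documented by Android). The example below is added here and is not code from Google or the article: it parses that block out of an APK, lists the pair IDs it finds, and, so it runs offline, constructs a small APK-like ZIP with a signing block spliced in. The ID labelled as Play metadata (0x2146444E) and the pair contents are assumptions for illustration; only the v2/v3 IDs and the block layout come from the Android documentation. Finding the block tells you the metadata is present, not that it is genuine: verifying it needs Google's keys, which the page does not describe.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"   # documented trailer magic
EOCD_SIG = 0x06054B50                       # ZIP End of Central Directory signature

# Pair IDs found in the APK Signing Block.  v2/v3 are from the Android docs;
# the Play metadata ID is an ASSUMPTION used for this example only.
KNOWN_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x2146444E: "Play security metadata (assumed ID)",
}


def find_eocd(data: bytes) -> int:
    """Offset of the EOCD record: 22 bytes plus an optional comment of up to 65535 bytes."""
    lowest = max(0, len(data) - 22 - 0xFFFF)
    for off in range(len(data) - 22, lowest - 1, -1):
        if struct.unpack_from("<I", data, off)[0] == EOCD_SIG:
            comment_len = struct.unpack_from("<H", data, off + 20)[0]
            if off + 22 + comment_len == len(data):
                return off
    raise ValueError("no EOCD record found")


def parse_apk_signing_block(data: bytes) -> dict:
    """Return {pair_id: value} from the APK Signing Block, or {} if the APK has none.

    Layout (from the Android docs): size(u64) | pairs... | size(u64) | magic(16),
    where each pair is length(u64) | id(u32) | value, and the block ends exactly
    where the central directory begins.
    """
    cd_off = struct.unpack_from("<I", data, find_eocd(data) + 16)[0]
    if cd_off < 32 or data[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        return {}
    size_in_footer = struct.unpack_from("<Q", data, cd_off - 24)[0]
    block_start = cd_off - size_in_footer - 8
    if block_start < 0:
        raise ValueError("signing block size exceeds file length")
    if struct.unpack_from("<Q", data, block_start)[0] != size_in_footer:
        raise ValueError("leading and trailing size fields disagree")
    pairs, pos, end = {}, block_start + 8, cd_off - 24
    while pos < end:
        pair_len = struct.unpack_from("<Q", data, pos)[0]
        pos += 8
        if pair_len < 4 or pos + pair_len > end:   # refuse pairs that run past the block
            raise ValueError("malformed ID/value pair")
        pair_id = struct.unpack_from("<I", data, pos)[0]
        pairs[pair_id] = data[pos + 4:pos + pair_len]
        pos += pair_len
    return pairs


def describe_signing_block(data: bytes) -> list:
    """Human-readable (id, name, value_length) triples for what the block contains."""
    return [(pid, KNOWN_IDS.get(pid, "unknown"), len(val))
            for pid, val in parse_apk_signing_block(data).items()]


def build_apk_signing_block(pairs: dict) -> bytes:
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs.items())
    size = len(body) + 8 + 16                     # trailing size field + magic are counted
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def insert_signing_block(zip_bytes: bytes, pairs: dict) -> bytes:
    """Splice a signing block in front of the central directory and fix the EOCD offset."""
    eocd = find_eocd(zip_bytes)
    cd_off = struct.unpack_from("<I", zip_bytes, eocd + 16)[0]
    block = build_apk_signing_block(pairs)
    out = bytearray(zip_bytes[:cd_off] + block + zip_bytes[cd_off:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_off + len(block))
    return bytes(out)


def make_plain_zip() -> bytes:
    """Constructed stand-in for an unsigned APK: a ZIP with two placeholder entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed manifest>")
        zf.writestr("classes.dex", b"constructed dex payload")
    return buf.getvalue()


def make_sample_apk() -> bytes:
    """Constructed APK-like file carrying a (fake) v2 signature and (assumed) Play metadata."""
    return insert_signing_block(make_plain_zip(), {
        0x7109871A: b"constructed v2 signature bytes",
        0x2146444E: b"constructed Play metadata bytes",
    })


if __name__ == "__main__":
    for pid, name, length in describe_signing_block(make_sample_apk()):
        print(f"0x{pid:08x}  {name:40s} {length} bytes")
```

Run it against a real APK with `describe_signing_block(open("app.apk", "rb").read())`: an APK installed from a source that strips the signing block (or one repackaged with a v1-only signature) returns an empty list, which is the offline check's failure mode the comments below worry about.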

  1. TonyJ

    On the one hand...good.

    On the other...what could possibly go wrong?

  2. Lee D Silver badge

    Hooray.

    Google invents code-signing with a Google certificate as things pass through their hands in the App Store.

    It's almost like it's 1990 again.

    1. Mark 85

      And thus, anything NOT from App Store can be labeled as "malware". Google continues to fortify and move closer to a monopoly.

  3. Waseem Alkurdi
    Pint

    Made me laugh!

    the official Google souk

    I know the author intended as a pun/joke, but in Arabic, Play Store is actually called "souk Play"!

    1. Anonymous Coward

      Re: Made me laugh!

      > I know the author intended as a pun/joke, but in Arabic, Play Store is actually called "souk Play"!

      Out of curiosity, what is it called in Kurdish?

  4. Waseem Alkurdi

    Has a disadvantage too

    This further encourages peer-to-peer sharing "APK file sharing" instead of curbing it. It creates a false sense of security.

    The problem is that malware might one day find a way to dodge the offline crypto check. This will exploit the sense of security advertised by Google while rolling out this feature and push malware distribution further.

    1. Anonymous Coward

      Re: Has a disadvantage too

      > This further encourages peer-to-peer sharing "APK file sharing" instead of curbing it. It creates a false sense of security.

      I am not convinced by the false sense of security argument, and how is peer to peer sharing a bad thing? In some places, that is the only practical way of actually sharing anything. This is not just academic, see: https://blog.grobox.de/2017/how-f-droid-is-bringing-apps-to-cuba/.

      (As a very marginal note, the author of the above blog is one of the core contributors to Briar, which is what you want if you actually need an actually secure messaging solution, unlike those running high on hype and marketing which I shall not name, and especially any "solution" that may come from the US)

      1. GIRZiM

        Re: Briar

        That looks interesting.

        Can't find any info on the underlying crypto though - do you know what algo is used?

        1. Anonymous Coward

          Re: Briar

          > do you know what algo is used?

          For which part of the stack?

          Description of each component may be found in the wiki.

          Last year's security review is at https://briarproject.org/raw/BRP-01-report.pdf.

          1. GIRZiM
            Thumb Up

            Re: Briar

            Cool - thanks!

          2. GIRZiM

            Re: Briar

            Unfortunately, the list of supported devices is too short to include mine - I'll keep an eye on the project though.

    2. doublelayer Silver badge

      Re: Has a disadvantage too

      Even if it encourages more people to share binaries, it should prevent as many malware-infected ones from being there. For me, that will be a benefit. I tend to prefer having no google account set up with an android device and avoiding the play systems entirely, but there are things I can't get in fdroid. For example, some google packages are useful to me but don't come installed. I just have to hope that whatever site I get the APKs from haven't infected them (by the way, anyone know whether there are some trustworthy apk collections out there?). For me, this will be somewhat helpful.

      1. Waseem Alkurdi

        Re: Has a disadvantage too

> By the way, anyone know whether there are some trustworthy apk collections out there?

        You can try Yalp Store, available on F-Droid. This fetches the APK files for any app you want directly from Google's servers.

  5. karlkarl Silver badge

    What? How will this help? In a rural area, I now obtain an app from the local file share... Go to run it and it says invalid license and exits.

    How will this bit of DRM help anyone but Google make money?

    1. Waseem Alkurdi

      If the app weren't pirated or illegal then it's supposed to work according to the proposal.

    2. David Nash Silver badge

      Go to run it and it says invalid license and exits.

      I would imagine that in fact it will present you with dire warnings of all the terrible things that could happen if you continue, but will still allow you to run it. A bit like Chrome when you go to a site with a self-signed (or worse, a self-signed and expired) certificate.

  6. Joe Harrison

    I don't understand why we need App Stores

    DOS/Linux/Windows managed for decades without one

    1. Waseem Alkurdi

      Re: I don't understand why we need App Stores

      Apples to oranges. These are all desktops and laptops.

      Smartphones are ubiquitous mobile devices which collect huuuuuge amounts of data about you.

      Malware spread on these is much more dangerous.

      And having no App Store just makes malware writers' lives easier and gives them a bigger market of the great unwashed.

      TL;DR: As if the desktop and laptop aren't enough malware vectors.

      1. lglethal Silver badge
        Facepalm

        Re: I don't understand why we need App Stores

        *cough*Steam, GOG, Windows Store, Itunes, etc, etc, etc*cough*

        1. David Nash Silver badge

          Re: I don't understand why we need App Stores

          "Steam, GOG, Windows Store, Itunes, etc, etc, etc"

          This does not invalidate the fact that Windows, Dos etc. DID manage for decades without one.

          1. lglethal Silver badge
            Go

            Re: I don't understand why we need App Stores

            OK OK, I'll go back to the decades of DOS and Windows 95 (and earlier). The App stores were called

            Tandy Electronics, JB Hifi, Dick Smiths Electronics, Game World, Computer Land, etc.

            They might not have been online, but you bought your "apps" in them.

            1. JeffyPoooh
              Pint

              Re: I don't understand why we need App Stores

              lglethal noted, "The App stores were called....Tandy Electronics..."

              And sometimes the "Apps" needed to have their contacts cleaned with an eraser.

    2. Anonymous Coward

      Re: I don't understand why we need App Stores

      > DOS/Linux/Windows managed for decades without one

      Think of "App store" as marketing speak for "repository".

    3. GIRZiM

      Re: I don't understand why we need App Stores

      Does Poe's Law need to be invoked at this point, or were you actually being serious?

      1. Alistair
        Coat

        Re: I don't understand why we need App Stores

        @GIRZIM:

        Not sure about Poe's -- but since we're speaking of stores, I sure miss Cole's.

And it's summer, so Coles Law anyone?

    4. karlkarl Silver badge

      Re: I don't understand why we need App Stores

I imagine we can keep DOS applications running far longer than we will be able to for programs from an AppStore (i.e. iOS apps).

      This makes DOS "modern" in comparison to phone apps.

    5. Anonymous Coward

      Re: I don't understand why we need App Stores

      We don't *need* them but they tend to enforce some standards so it's better than (your family) downloading crapware infested junk from Sourceforge (and then having to fix the mess).

  7. GIRZiM

    Re: Cole's Law

    Damn you!

    I just got back from the shop.

    Now I'll have to go out again!

    1. doublelayer Silver badge

      Re: Cole's Law

      But most of them do have app stores. It's just that all apps are free and you can go elsewhere. Really, for those installing apache on a linux box, how many do you think went and downloaded a source or binary from apache's site, and how many did apt/yum/pacman install apache2? That's usually more convenient, so that's almost always what I do if I want something straightforward (just the default version) or running as a service, rather than just something to run myself.
