Android to block sideloading and unsigned apps

[8833]

It depends how it'll be implemented in practice, but for that we can only wait.

Skimming through the blog, I can see what's the goal. Blacklisting a signature (developer ID) is much easier than hunting for a known pieces of malware in non-play signed apps. Android validates the signature anyway as of today before letting you install the apk, so it could be even ad-hoc fake one but it has to be there. I guess that the identity validation for non-play store developers will get hardened over time to make it hard enough for the bad guys to stop them mass registering identities for malicious distribution purposes. Another reasons for this is scanning the app before signing it. That's actually even more important that the ability of disabling it efficiently on all devices. Although, scanning for viruses is one thing, scanning for behavior/code, aka reverse-engineering is another. With the gate keeping in place they'll be able to reject apps which miss-behave according to their opinion, or to be more polite they'll just quickly patch the OS to prevent this and that, i.e. break the apps.

With all the good intentions, the question is how they'll honor the freedom?

- Will they let you turn it off via developers settings? I guess not. If yes, perhaps it'll be something like running iOS apps on macbook, you can run them but only if csr is enforced, but if you need to turn it off suddenly you can't run any iOS app from AppStore. However that'll be fine for me. I already have device with play, and de-bloated device without it to run only FOSS apps.

- What if an app from a hobbyist get blacklisted? Are they banned completely (all their apps, by developer ID)? Are they blacklisted forever, because they are deemed now as high-risk or intentionally malicious developers? Are their details passed over to law enforcement to let them start forensic investigation if they distributed the malware consciously or unconsciously (being compromised without knowledge)? etc.

IMO, the whole problem is that people tend to use one device for everything. I know, that was the exact intention of smartphones, but it's silly and risky. Nowadays hardware is really cheap so why take so much risk? I use a nice simple low-performance device for managing all my documents, etc, but no games or anything risky, and another computer on which I have zero personal information, to be stress free used for anything else, like games, apps obtained from wherever, visiting whatever corners of the internet with no fear of having it nuked by malicious javascript, etc. Same with mobile, I have one old phone for just the token apps, banking apps, which I don't even use for internet browsing, another one as my daily driver. If they force me to split the daily driver phone into two: one with play to run the simple everyday apps like an app for parking tickets, another for my current FOSS choice, that'll be an annoyance as I'll have to start carrying 2 phones, but it's not the end of the world.

I like Linux, and the true user freedom it brings with. Too bad that the non-x86 devices are so hard to get Linux onboard. However there are interesting choices in the tablet space already, for example https://www.chuwi.com/product/items/...10-max-en.html The only real drawback of that device is short battery life. The performance is really good enough for a tablet. They packed SoC in 14nm inside, imagine what would be the efficiency if it was made with 3nm. Just give me such hardware packed in smartphone form factor, in 3nm lithography for excellent battery life, with just one full-spec thunderbolt :-)

[neil_swann80]

Quote:

Originally Posted by 8833

I like Linux, and the true user freedom it brings with. Too bad that the non-x86 devices are so hard to get Linux onboard. However there are interesting choices in the tablet space already, for example https://www.chuwi.com/product/items/...10-max-en.html The only real drawback of that device is short battery life. The performance is really good enough for a tablet. They packed SoC in 14nm inside, imagine what would be the efficiency if it was made with 3nm. Just give me such hardware packed in smartphone form factor, in 3nm lithography for excellent battery life, with just one full-spec thunderbolt :-)

You can get UBPorts running on quite a few smartphones and a couple of tablets.

https://devices.ubuntu-touch.io/promoted/

[haertig]

If I want to do something that I consider unknown and potentially insecure/risky, I first boot my computer from a thumbdrive and load the entire OS into RAM. Then I pull the thumbdrive. No writable storage media is present - no hard drives, SSDs, thumbdrives, microSD cards, etc. When booted this way, I have the computer on it's own separate VLAN - networking is only allowed to the WAN (internet), not to any of my other VLANS containing other computers or devices. As a bonus, when everything is in RAM you are using a layered file system so that if you want to see exactly what a suspicious program does to your computer you can look at the proper layer individually. Power cycle the computer and reboot normally to clear out RAM and any insecure/risky stuff that may have inserted itself there when you want to go back to normal mode.

[8833]

The thumb drive idea won't work on most typical laptops though, where you no longer can disable internal drives in the BIOS. It's funny you mention this, back in the days, I was making modifications of my "special" system for being online, writing it to CD, booting from it, only then connecting to the internet

These days pen drives are so cheap, so I'd rather re-flash a pendrive every day, but keep it writable, or even use a new pendrive each day, like rotating them at some interval to be able to go back to some if I'd discover in a few days that I saved something really important on desktop a few days ago

But the main concept of separating the use cases works well for me. Like in 90ties I really don't care if some day my box-for-fun-things will blow up or otherwise I'll have to wipe it out clean. It's just that, it's for simple enjoyment of using computer and the internet without any fear.

[8833]

Quote:

Originally Posted by neil_swann80

You can get UBPorts running on quite a few smartphones and a couple of tablets.

https://devices.ubuntu-touch.io/promoted/

Yes, I know. I have Pine phone but I don't find it quite suitable. Sure, for a phone you need a tailored UI and tailored apps. However for tablets using a standard desktop OS is feasible, so I would like to use any Linux distro/desktop I like rather than being sold to Ubuntu touch. There's also Minisforum which makes interesting small Linux friendly tablet, if we're on the topic.

[haertig]

Quote:

Originally Posted by 8833

The thumb drive idea won't work on most typical laptops though, where you no longer can disable internal drives in the BIOS.

I don't disable the drives in BIOS. I simply have the OS, via boot parameters if necessary, not mount them. Some flavors of Linux - antix for one, at least older versions of it - default to NOT mounting drives discovered on boot by default. Other distros WILL mount them by default. I'm guessing that most of the large distros like Ubuntu, Mint, MX, etc. will mount drives by default. But you should be able to change that via boot parameters. Or remember to manually unmount them after booting.