Google’s malware scanning Play Protect service will now automatically turn off an Android app’s permissions if it’s potentially harmful. The feature is designed to prevent malicious apps from having access to your phone’s storage, photos, camera, and more.
Though you can still restore the permissions for these apps, Google will ask you to confirm your decision for “added security.” Google Play Protect runs scans on all the apps on your device, including those that have been sideloaded. If Google identifies a harmful app, it will remove it from the Play Store and then warn users if they have it installed on their phone.
I do find it funny that Google can’t seem to figure out a way to prevent malware from being available on the Play Store, so they have to come up with these types of fixes.
It has to do with how the company is run and the culture of work within. My friend is a senior software engineer at Meta. The entirety of SV is moronic but worth trillions. It breaks my mind.
It’s weird knowing that Google are even allowing those apps to have unnecessary permissions in the first place
But Google can’t control this, right? If a dev wants it in the app, the dev gets it. Because from Google’s POV, they think as long as the app is of high quality, it’s good for them. And they justify it by letting things like this pass because they believe the dev knows their app and business more.
Like I said, it’s the culture of work, understanding (or rather misunderstanding) tech, and how things should be and why - it’s all out of whack.
I tend to think they could. They obviously have the ability to scan apps and find potential threats. Wouldn’t it be better if they used that to not allow suspicious permissions by default and force the user to consent to those permissions afterwards?
You’re right! I was just thinking about it from an ethical and cultural standpoint
And who or what makes Google the authority to decide on another person’s app/software business whether something is needed or not or if something is suspicious or not. They need to be able to prove it against the dev to take such action. The dev will always have plausible deniability unless something is properly malicious.
The user and the dev, when they consent to using Google’s App Store.
Yes but that doesn’t stop what we consider suspicious permissions needed for an app. And I more meant that Google doesn’t get to decide the decisions a dev makes for their app.
That App Store/Play Store terms of service doesn’t stop them from still having it.
Google needs to start preventing apps from requesting every permission under the sun for no good reason. They could at least use their app distribution monopoly to do some good.
Fair enough. I guess what I was getting at is that it seems like they could do this type of stuff at install as well instead of just after scanning a user’s phone, where the user may have already been affected.
Thank God there is something like Graphene OS which can let me manage my apps permissions without trusting Google to scan all my apps.
I fundamentally don’t like it, even though you can disable Play Protect (for now). Didn’t Play Protect previously mark legitimate apps as harmful? I think that happened to NewPipe for example, which got disabled automatically.
Honi soit qui mal y pense…
False positives happen and are unavoidable, regardless of whether it’s Play Protect or a FOSS equivalent. I don’t think there is much sense in accusing Google of intentionally targeting apps they don’t like (unless you have proof for such a claim).
I’m in favour of Google removing permissions (but not the app) in cases where an app with millions of installs is later covertly sold by its original developer to some rogue spyware/trackerware company.
Some of the more onerous permissions require user consent (trust on first use). Though permission fatigue is real, and most folks simply don’t bother to evaluate their choices and grant every requested permission (as some stubborn apps will refuse to work if denied).
The problem isn’t Google here tbh, it is one of scale (3b+ users!) and the kind of scammers it attracts.
They’ve started doing this since Android 9+ (6 years ago), iirc. Some permissions require special review before updates get published. The app I develop usually takes longer to get its update live (than it normally would) because of the kind of permissions it requests and the mandatory review process. I’ve lost count of how many times I’ve sent them videos of me explaining (sometimes new) functionality in the app and how it all ties in with the permissions requested from the user.
AOSP has also scoped down all (what’s internally called) “dangerous” permissions by either making them temporal (expire after a preset time), on-demand (only when the app is in the foreground), or disposable (one-time).
Yes, and for many of those dangerous permissions, they require permission to be critical to the app’s core functionality. I think it would be reasonable for Google to extend this requirement further. There is no sane justification for a calculator app needing network access, which is only made worse by the fact that Google will never make network access a runtime permission. This applies to plenty of other permissions which are dangerous enough, just not considered such by Google.
Plenty of apps also simply refuse to function if they aren’t granted the permissions they want, which defeats the point of asking for permission in the first place.
If the calculator supports currency conversion then it makes sense. If calculators ask for Contacts, Precise Location, Mic, Camera, Calendar, Call Logs, Phone permissions, then it really makes no sense.
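The permission audit the last few comments describe can be done mechanically from an app’s manifest. The following is an added example, not code from the original thread or from Google: it parses an `AndroidManifest.xml`, flags requested permissions that fall into Android’s runtime-granted “dangerous” group (the permission names are real AOSP constants; the mapping to the labels used in the thread, such as “Precise Location”, is the example’s own), and separately flags install-time permissions such as `INTERNET` that the user is never prompted for. The `expected` parameter is an assumed convention for declaring which permissions the app’s core functionality justifies (a calculator with currency conversion would list network access); the sample manifest is constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of permissions Android classifies as "dangerous" (granted at runtime
# via a user prompt). The names are real AOSP permission constants; the list is
# a constructed subset for this example, not the complete AOSP group table.
DANGEROUS = {
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.ACCESS_FINE_LOCATION": "Precise Location",
    "android.permission.RECORD_AUDIO": "Mic",
    "android.permission.CAMERA": "Camera",
    "android.permission.READ_CALENDAR": "Calendar",
    "android.permission.READ_CALL_LOG": "Call Logs",
    "android.permission.READ_PHONE_STATE": "Phone",
    "android.permission.CALL_PHONE": "Phone",
}

# Install-time ("normal") permissions that are still worth reviewing because the
# user is never asked about them; the thread's example is network access.
INSTALL_TIME_SENSITIVE = {"android.permission.INTERNET": "Network access"}


def requested_permissions(manifest_xml: str) -> list:
    """Return every <uses-permission android:name=...> value in the manifest."""
    root = ET.fromstring(manifest_xml)
    # ElementTree exposes namespaced attributes in Clark notation: {uri}name
    return [el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")]


def audit_manifest(manifest_xml: str, expected=frozenset()) -> dict:
    """Flag requested permissions not covered by the app's declared needs.

    `expected` (assumed convention for this example) is the set of permission
    names the developer can justify from the app's core functionality.
    """
    names = requested_permissions(manifest_xml)
    runtime = sorted(n for n in names if n in DANGEROUS and n not in expected)
    silent = sorted(n for n in names if n in INSTALL_TIME_SENSITIVE and n not in expected)
    return {
        "runtime_unexpected": runtime,
        "runtime_labels": [DANGEROUS[n] for n in runtime],
        "install_time_unexpected": silent,
    }


# Constructed sample: a calculator that asks for contacts and precise location.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.calc">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Calculator"/>
</manifest>
"""

if __name__ == "__main__":
    # A calculator with currency conversion can justify INTERNET, nothing else.
    report = audit_manifest(SAMPLE_MANIFEST, expected={"android.permission.INTERNET"})
    for name, label in zip(report["runtime_unexpected"], report["runtime_labels"]):
        print("unexpected runtime permission: %s (%s)" % (name, label))
    for name in report["install_time_unexpected"]:
        print("unexpected install-time permission: %s" % name)
```

Running it on the sample reports the two runtime permissions (Contacts and Precise Location) and nothing install-time, because network access was declared as expected; drop the `expected` argument and `INTERNET` is reported as well, which is the case the thread complains about since no prompt ever surfaces it to the user.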
The application code could be obfuscated, and if enough is known about how the internal verification process happens, the app could function one way during review and then function differently when the app is on our devices.
I actually think this happened a few years back with an app that changed its behavior, and tried to find news, but came up empty-handed.
Obfuscation isn’t even needed to achieve something like this (though, it makes static analysis & reverse engineering a pain): Dynamic Code Loading | Security | Android Developers