Continuing the discussion from GitHub:
Hypatia
Where is the discussion on this? I mean, I think this shouldn’t be just pushed to the website without the forum thread. I actually do not think this is quite recommendable at all. […] Also, this app doesn’t stop you from being infected at all, and the chance that it will notify you about it in my eyes is exceptionally low. […] I understand the need of this app for DivestOS as it does not have Google Play, but for others I do not see much benefit TBH.
- AFAICT this provides a similar level of protection as Google Play Protect does, without relying on Google services which aren’t always available.
- Google Play Protect wouldn’t provide this protection while sandboxed (e.g. on GrapheneOS).
- I don’t think Google Play Protect scans downloaded APKs at all (yet), which is the main use-case for this app IMO.
Spyware like this can only be well detected with pattern-based behaviour analysis. Once hashes of known things are out, you are far too late, and things like Google Play Protect.
- Doing this type of analysis is outside the scope of all the tools we’re looking at anyways.
The app is just a hash check AFAIK; the user interface is completely impossible to understand for a general user.
- My understanding is that the main use for this app is more for real-time scanning of downloads and less for on-demand scanning, in which case the in-app UI is less critical.
cc @ph00lt0
Also my Android phone is currently broken, so I haven’t tested usability, which is why the PR hasn’t been merged yet anyways (waiting for either my phone to work or for another team member to test).