WIRED: How to Protect Your iPhone or Android Device From Spyware

Always good to know and remember how to mitigate if not eliminate risk.


https://archive.ph/1NUjZ

Couldn’t read it because of the VPN.


The Bypass Paywall add-on works well too, VPN or not. FYI.


Nothing too special in that article that is worth mentioning, tbh.

But I do dislike this part, though:

More generally, exercise “strict control” over what gets installed on your device.
At the same time, avoid side-loading on Android

People need to stop sounding like side-loading is evil, huh.
Just look a little into what you’re installing, period.

Some images of a product with a “safe-looking” checkmark to reassure you, some fake reviews and a friendly name like “Safee Messenger :heart:” on the Play Store do not make it more secure than a random passionate guy on GitHub trying to make something nice.


Example: sorry to say, but the lady making this tool is doing a great job.

Looks spooky and dangerous, huh? :unamused_face:

But wait, we’re safe because we have this app:

SuperCards is

  • Super Fast: Add cards in seconds & enjoy lightning speed using your cards.
  • Super Easy: Intuitively designed & 4000+ card templates. Our AI ensures flawless in-store scans.
  • Super Clean: No ads, no tracking, just your cards.
  • Super Simple: No signup required. Quickly import your rewards cards from other loyalty wallets—including one-click migration from Stocard and Klarna via screenshot.

Look at their website too, they have the famous lock-that-makes-me-feel-safe-and-sound! :mending_heart::mending_heart::mending_heart:

Damn, fiiiiiou :sad_but_relieved_face:, for a split second I was worried about my data being uploaded to some random server with shady practices and no knowledge of what would become of it.

Now I can finally feel reassured! :star_struck:
I’m SO happy that I downloaded this app from an Official and Trustworthy, Simple and Secure app store rather than the dangerous, shady and ghetto combo of Obtainium + GitHub. Wow, who in their crazy mind would do such an ill-mannered, crazy, maniac thing? :exploding_head:

Also, SuperCards got my back because they have dem trusty reviews! :star::star::star::star::star:

Their website is also functional with no JS enabled!

Oh wait, it is not. Hm, weird, why do they have React + some analytics on their static landing page?[1]

Privacy policy page:

The Application collects information when you download and use it. This information may include information such as:

  • Your device’s Internet Protocol address (e.g. IP address)
  • The pages of the Application that you visit, the time and date of your visit, the time spent on those pages
  • The time spent on the Application
  • The operating system you use on your mobile device

Data Retention Policy
The Service Provider will retain User Provided data for as long as you use the Application and for a reasonable time thereafter. If you’d like them to delete User Provided Data that you have provided via the Application, please contact them at support@supercardsapp.com and they will respond in a reasonable time.

At least they seem to have official info regarding the company.

Not sure how real this office location might be, though, given that it looks more like the residential house of somebody who maybe didn’t ask for anything.

A bit unfortunate (huh) that there is no landing page for that studio either, and that it uses a generic name that clashes with another company. Damn, how unfortunate, huh. :woman_shrugging:t2:

But it’s fine, because they do have a LONG track record of apps and will definitely not disappear within the next 2 years out of thin air while trading your data.

Gosh, I am so happy that I listened to the security experts and chose to never, oh gosh no, sideload an app.
It would have been a dramatic and bad life decision to take such a risk.


Also, publicly available source code makes my skin crawl; damn, all those symbols are scary, and I hate HACKERS that use code like that in the open. :weary_cat:
Please keep my loyalty cards in the hands of professional experts who know their craft and hide their app’s code so that it’s safe and sound from anything malicious and evil. :angry_face_with_horns::goblin:

Did I get it right? Oh yeah, it was /s in case people missed it.


  1. To their credit, I’ve seen faaar worse than this, so it’s not that bad I guess ↩︎


People also ought to use different words to describe simply installing apps on a device you own and operate. Side-loading implies you’re doing something that’s not right, unethical or bad, and that you’re bypassing something that’s somehow more or inherently right. It’s not.

A tad too dramatic with all that you wrote, but alright.


To be fair to Wired (although they did keep the paywall up on information they think is important enough to write about, yet not important enough for everyone to read), the security benefits of the Play Store are mostly supply-chain and minor filtering benefits (for apps that require permissions that Google deems harmful), so using it over getting APKs off the internet is definitely more secure for an app you trust and wish to use (Signal and other serious security vendors agree).

It is almost entirely unrelated to trust in the app itself (outside of the minor filtering), if you listen to what the security folks say.

Excellent rant though, 10/10. I especially liked the open code = scary and hacker; that is 100% the reason I got into open source development :wink:


I’ll defend Wired’s recommendation here. Google says their data shows that 95% of malicious apps downloaded on user devices were side-loaded and around 40% of all Android malware is installed via side-loaded applications.

When giving a recommendation to normies, I think recommending against side-loading is good advice. Advanced users, like yourself, face far lower risk as you know how to evaluate the trustworthiness of an app source.

The average user who can’t remember to use a f$&?king turn signal when changing lanes on an interstate cannot do that.

Also, the argument isn’t that there aren’t bad apps on the Play Store, but rather that the ratio of malicious apps is far smaller and thus the risk is lower.

For iPhones the argument is even stronger, as the Apple App Store is far more effective in its filtering. Though nothing is 100%.

“Use the Play Store.” “But I want Molly.” “OK, use Accrescent.” “But I don’t want the FOSS-only version because of battery usage.” “OK, use F-Droid or Obtainium.” “Oh, you can’t use those, they’re insecure.”

Just an example of a path I’ve gone down myself when sideloading an app, and some of the arguments for why people say not to do that.


Glad I didn’t pay for that article indeed. :sweat_smile:

True; meanwhile, I’d rather just get the thing at the source than go through a third party (the store). Also, I don’t like it when politics get in the way, aka Google saying no because they just feel like it that day. :woman_shrugging:t2:

I do agree that it might be safer, yet “safer” here is also a matter of lack of education. Downloading an APK from the official website should feel just as safe, tbh.
A good example is Tor: official and straightforward.
Even better, Fedora’s ISO download page comes with an explanation of how to double-check the checksum.

Honestly, having the official website teach you how to double-check what you just downloaded should be the norm for mobile/desktop software.
The way GOS does it is also quite nice. It’s not that hard once you understand the workflow:

  • find the link for the app on GitHub
  • copy the SHA
  • paste to confirm
  • enjoy your app :sparkles: that will prompt you for an update when the time comes

If I’m not mistaken, those stats were proven to be bonkers, and of course Google won’t put themselves in a bad light, so yeah, they’re telling a story with those numbers that makes them look like the good guys who make the whole thing safe.

Also yes, you can install more nonsense, but that’s up to you.
At the end of the day, bad apps are available everywhere; it’s a matter of common sense.[1]

Unfortunate, but mostly because you’re not used to the other way.
Installing an app from a store or from GitHub is not super different; it’s just a matter of what you’re used to.
Because at the end of the day, there is less nonsense and there are fewer restrictions when downloading an app from GitHub.
And I’m saying that as a guy who spent literally 3 damn days trying to install an app in a new country because of nonsense restrictions, after going through a lot of hoops and tricks regarding my location and credit card and being faced with an “oh, sorry, but it is actually just not available” kind of situation. :man_shrugging:t2:

GitHub (for now) doesn’t discriminate against you in any way.
Get the code, paste the link, enjoy.

But yes, those indie devs do not make a dime, unlike Apple/Google, so the duopoly will stay in place and the stores will keep being marketed + sold as a safer/simpler alternative, because this is how those companies make all their money.
If you’re interested enough and look into it, you realize it’s not that bad to use Obtainium for everything, and the reason why it is so complex in the first place is the two big companies.


  1. I still think there is not a lot of dirty stuff out on GitHub, but rather on those APK-downloading websites that probably inject some extra stuff along the way ↩︎

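The “copy the SHA, paste to confirm” step above, and the Fedora-style CHECKSUM file check, written out as a script. This is an added example, not code from the thread, from GrapheneOS, from Obtainium or from Fedora. It assumes GNU coreutils `sha256sum` is installed and that the expected hash was obtained from somewhere other than the download itself (the release page, a signed CHECKSUM file). The file, the “published” hash and the CHECKSUM file are constructed in a temp directory so the script runs offline; the hash is simply the SHA-256 of the bytes `hello\n`.

```sh
#!/bin/sh
# Added example, not the thread's or any project's own code.
# Hash a downloaded file and compare it with the hash published for the
# release, failing closed on anything that is not a clean 64-hex-char match.

# verify_sha256 FILE EXPECTED_HEX
#   returns 0 on match, 1 on mismatch, 2 on a malformed expected hash.
verify_sha256() {
    file=$1
    # Normalise what was pasted from the release page: strip whitespace and
    # newlines, lower-case the hex digits.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    # A truncated or mangled hash must never "match" by accident.
    case "$expected" in
        ''|*[!0-9a-f]*) echo "verify_sha256: malformed hash '$2'" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "verify_sha256: hash is ${#expected} hex chars, want 64" >&2
        return 2
    fi
    # sha256sum prints "<hash>  <name>"; keep only the hash.
    actual=$(sha256sum -- "$file" | cut -d' ' -f1) || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# verify_checksum_file DIR CHECKSUMFILE
#   The Fedora-style variant: CHECKSUMFILE holds "<hash>  <filename>" lines,
#   and every listed file under DIR must match. --strict also fails on
#   malformed lines instead of silently skipping them.
verify_checksum_file() {
    (cd -- "$1" && sha256sum -c --strict -- "$2")
}

# --- constructed demo input (not a real release) ---------------------------
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'hello\n' > "$demo/app.apk"          # stands in for the downloaded APK
# SHA-256 of the bytes "hello\n", playing the role of the hash on the release page.
PUBLISHED="5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
TAMPERED="0000000000000000000000000000000000000000000000000000000000000000"
printf '%s  app.apk\n' "$PUBLISHED" > "$demo/CHECKSUM"

verify_sha256 "$demo/app.apk" "$PUBLISHED"            # OK
verify_sha256 "$demo/app.apk" " $PUBLISHED "          # still OK: whitespace trimmed
verify_sha256 "$demo/app.apk" "$TAMPERED" || true     # MISMATCH, exit status 1
verify_sha256 "$demo/app.apk" "5891b5b5" || true      # malformed, exit status 2
verify_checksum_file "$demo" CHECKSUM                 # app.apk: OK
```

A matching hash proves only that you received the same bytes the hash was computed over. If the APK link and the hash sit on the same page, whoever can replace one can replace both, which is why Fedora additionally has you check the GPG signature on the CHECKSUM file, and why the hash in the GrapheneOS/Obtainium flow should be taken from the project's own release page rather than from a mirror.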

Molly (there is no longer a Molly-FOSS, as the two application distributions have merged) supports Firebase Cloud Messaging (notifications on a device with Google Play Services active). Battery consumption should be exactly the same as Signal’s under the same conditions.


That’s awesome, and looks to be a new development. Simplifying for the user like that is great.

I did run the FOSS version for a while, but decided that I preferred the notifications and battery life of the non-FOSS version since I use GOS with Play Services anyway. I was just giving an example of my past experience and of how certain communities try to argue the issue.