The two security features Google Play provides beyond web-installed APKs are the malware scanner that runs during app submission, and the ability to quickly delist apps that are discovered to be bad. Both could be opened up to all software sources rather easily.
-
The malware scanner could run as a web-based APK-signing process, and those certificates could be revoked if malware is later discovered. This untying of Android security features from the Google Play Store would greatly advance Android’s safety as an open platform.
-
And that’s it! There isn’t any magical security pixie dust achievable only with a smartphone app store monopoly. Any talk of this by platform companies is just silly propaganda.
-
Replying to @TimSweeneyEpic
Who would issue those certs? Who would revoke them? There's a cost to that, so would anyone be willing to give Alphabet a cut if they were managing the certs? I guess your point is that it's a business problem, not a technical problem?
-
Replying to @idbrii @TimSweeneyEpic
Alphabet hosting apks means that all users get the same binary. With web-based, a bad actor could give out malware in limited quantities to avoid detection (e.g., avoid locations with higher populations of security researchers). Don't you need centralization for that?
-
Cryptographic code signing solves that problem, and can unambiguously identify the author or other signing authority.