this post was submitted on 20 Aug 2024
7 points (88.9% liked)

cybersecurity

3249 readers
1 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Enjoy!

founded 1 year ago
MODERATORS
7
apps .. repo or not (m.krbonne.net)
submitted 2 months ago* (last edited 2 months ago) by kristoff@infosec.pub to c/cybersecurity@infosec.pub
 

Hi all,

Interesting problem. An open-source project gets their app removed from google play, so they post a message on mastodon that -for the time being- you can download the app via direct download.

I post a reply saying that directing people to a direct link is not a good idea, as hackers could start doing the same to spread malwhere, better use an official repo (like f-droid, where they are already on).

A typical problem of somebody who writes a genuine post, but without realising it himself writes something that is very close to what a phishing message would look like.

However, this got me thinking. What you want to avoid is that people get used to the idea that it is OK to download and install apps from a random URL. But if you point people to f-droid, they need to also download the apk for that, and configure the security on your phone that apk's downloaded via may be installed.

I guess, the later should surely be avoided as most people will then leave that option enabled. (I had to search deep into the security setting to find the option to switch it off again).

What are your opinions on this? What would be the best way to do this and not teach people bad security habbits?

Direct download or f-droid? Other ideas? Is there a good sollution for this?

Kr.

you are viewing a single comment's thread
view the rest of the comments
[โ€“] lemmyng@lemmy.ca 2 points 2 months ago (1 children)

Rant: We're living in a time where curl | bash has become normalized. This generation's security practices are fucked.

Back to the topic: I see it as a problem of not enough education and too much trust. People are not taught how to verify the authenticity and legitimacy of software, and put too much trust in claims of authority. It's not just a consumer problem either, look at the CrowdStrike incident: people in the industry knew it was shit, but the decision makers kept trusting it because they are a big name. How did they become a big name? The same way a lot of other companies do, by bribing the early decision makers into using them.

Back to consumers: it doesn't help that there's no first class sandboxing features. Both Android and iOS rely heavily on app store controls. Sure, there are some system controls, but the user has barely any agency over them.

[โ€“] kristoff@infosec.pub 2 points 2 months ago

Well, in principe I do not see that much different between 'curl | bash', 'sudo apt-get install' or installing an app on your phone. In the end, it all depends on trust.

Considering how complex software has become and on how many libraries from all over the internet any application that does more then 'hello world' depend, I do not see how you can do if you are not prepared to put blind trust into some things.

Concerning CrowdStrike, I am just reading an book on human behaviour (very interesting for everybody who is interested in cybersecurity), and I am just on the chapter about the fear of deciding with unknown parameters vs. the fear of not deciding at all. Any piece of software will brake at some point, so will you wait forever to find something that will not have any vulnerabilities?