
Sorry I didn't see your reply earlier.

> As the article you listed above shows, xHelper has had 33K detected cases. That's literally two decimal orders of magnitude less than Conficker, which had over 9M cases, in 2008, when there were, if anything, fewer Windows devices than there are Android devices now.

That's some odd cherry-picking when I actually listed several different articles with much larger case counts. If it's magnitude you're looking for, HummingBad has infected 85 million Android devices, Chamois has infected 199 million, SimBad has infected 150 million. If you total up all of the Android malware attacks since the platform launched you're looking at several hundred million infections at the very least. This is not a small problem and is far from "good enough".

> Yes, because developer abuse of legitimate APIs is irrelevant to what we're talking about here, which is whether or not to allow third-party app stores. Why?

Sorry, I disagree. There are many APIs that can be used for legitimate purposes (for example loading my contacts so I can message my friend) that can be abused by developers who don't care about privacy (for example subsequently scraping my contacts and selling them to advertisers without my consent). Sandboxing or permissions or notifications don't really help address this issue, whereas at least with an app review policy you can say this behavior is unacceptable and you will be banned if you abuse it. Will the review process catch all of these abuses? No. But it serves as a deterrent, and if you're comparing an app that is distributed via the App Store and subject to its privacy rules versus a version distributed directly via their website where they can do whatever the hell they want, I'd prefer the former any day. That's why it's relevant to the discussion of third-party app distribution.

> both Apple and Google's app store review processes have let malware through before and

No process is perfect and of course sometimes things will slip through the cracks; that doesn't mean there isn't value in the process. The statistics indicate that malware is a significantly larger problem on the Android platform compared to iOS and this is directly tied to the existence of side-loading and third-party App Stores.

1. Android is responsible for 47.15% of mobile malware infections compared to 0.85% on iOS. Windows accounts for 35.82% and IoT devices take up the remaining 16.17%. In other words, Android is now a larger malware vector than Windows itself, and your suggestion that malware is less of a problem on Android compared to Windows is statistically incorrect. (https://onestore.nokia.com/asset/205835)

2. Google's own reports show that Android devices that use side-loading have an 8x higher incidence of malware compared to devices that only use the Play Store, meaning it's specifically direct downloading and third-party stores that are the cause of the problem. (https://source.android.com/security/reports/Google_Android_S...)


