Am I the only one that basically gave up on the Appstore and Apps in general?
It used to be exciting, but nowadays it's almost always completely annoying garbage.
E.g. recently I wanted to try an App to identify insects. There were a few that seemed nice and free. After I installed them they were full of ads and nagged me for a 7-day trial signup. And even after I did, the app didn't even work particularly well.
I still download new apps on iOS and once in a blue moon on Android, but they're rarely discovered through the App Store/Play Store.
Nearly all new installs are apps by indie devs that I saw someone mention in a Mastodon post or HN comment or something, because that's where the gold is. Midsize and up companies generally don't care enough about user experience to build great apps (instead, optimizing for "engagement" and leaning on A/B tests for design decisions), and obviously neither do shovelware devs of any size. The interesting stuff is almost always built by small operations run by passionate people.
The stores tend to promote the apps that generate the most revenue; oftentimes the best app for your needs is not the one that's making the most money.
I feel similarly about all digital stores, from apps to games. There's zero curation anywhere. Everyone wants to be the "dump all your garbage here and let consumers pick while we get a 10-30% cut". It's like wading through a sea of cheap rip-offs and apps named like a terrible Amazon listing trying to hit as many keywords as possible.
I would love an app store that commits to much higher standards on all fronts. I think the subscription format that the likes of Setapp use could be very useful here in that it would be shared among these apps that meet high standards.
I don't particularly have a problem with stores filled with junk (as long as it isn't fraudulent) because I don't really use the stores unless I know what I want. I don't think I could trust in-store curators, but that's okay because I get good recommendations from friends and writers. Look for curation outside of the stores.
Same thing on iOS. Every time I open the App Store the "Today" section is the same goddamn set of "popular apps", the same stupid-ass MTX "matching" game with the same goofy face, and the same old same old services and apps.
What's pushing me to discover anything if, every time I open it, it's an ad begging me to install TikTok?
>Am I the only one that basically gave up on the Appstore and Apps in general?
No, you're not alone, but I get the sense we're in a small group of users. Maybe there are more collected here on HN, but in the wild, most people will install an app without any consideration for possible reasons not to install.
Out of curiosity, did you need some particular feature in such an app? I've found that Google Lens is pretty darn good at identifying plants, insects, fungi and whatnot (assuming your camera has a decent macro mode).
The only problem with Lens is that it is "magic" and doesn't have a failure state beyond giving junk results should it fail. I don't think I would ever trust it for a "can I eat this" indicator on a mushroom with how many visual lookalikes there are out there. What if the contrast isn't good enough to catch colorations and the gills are not in sight?
Merlin Bird ID is so good in comparison, probably the best in the "ID this thing" category of apps I have ever tried. Photos do a lot, but if you don't get a good ID it will ask some questions about the bird's behavior and your circumstances to narrow down your search.
Even if you identified the mushroom species, sometimes that is not enough to know whether it is safe to eat. The same species can be edible (perhaps after some soaking) or dangerously poisonous depending on the geographic area where it grew.
Mushrooms are literally one of the categories of things that are "DO NOT EAT UNLESS YOU'RE 100% CONFIDENT AND KNOW THROUGH YOUR OWN KNOWLEDGE" types. (Caps used because it is a yelling thing)
Seriously, just don't eat any mushroom that you can't personally identify with 100% confidence from your own knowledge and references, with some app saying it's xyz not being considered a reference.
Even experienced mycologists have sometimes made mistaken identifications, so anyone else should be so cautious as to presume poison in all cases except the most certain.
Question for people with more expertise here. I just switched to Android recently because I don't fancy getting mugged again for a huge pile of cash for an iPhone. So I've got a Pixel 6A. It's pretty much loaded up with MSFT software and some very well known high profile apps. What risks do I have if I stay out of the play store gutter?
Don't download Microsoft Teams if it claims an app developer with an unrecognisable name and only 500 downloads, don't download cracked games, be wary of the obvious free-to-play clones, and if a web page shows a flashing gif warning you that WhatsApp is outdated, don't install the APK file it's trying to push through your browser. It's also important to keep your browser up to date and to think before you grant apps permissions described like "control the entire screen" and "give app access to all input and screen content".
Android malware is not that different from Windows malware. It spreads through devices infected from the factory, pirated software, fake download ads, and less commonly, through clones and abandonware on official storefronts like Google Play.
This threat actor is buying abandonware and spreading viruses through updates. Dime-a-dozen PDF readers and file managers (that your phone already came with anyway) are at risk, but if you stick to reputable brands you'll be fine. Pick "Google Drive PDF" over "Insomnia Media PDF Viewer - Reader & Editor" with 10k downloads.
Google Play comes with an antivirus program built in (Google Play Protect) that will warn you of known risks. You can disable it if you don't want Google to know about every app you install from other sources, but if you leave it enabled you'll minimize the risk of getting infected.
If you want to be sure you're not getting infected, use F-Droid. F-Droid compiles open-source apps on their own servers, so the source code they receive is the source code the compiled APK uses. Even if your app is open source, there's no way to upload a precompiled APK to the F-Droid website. This makes introducing malware without anyone noticing quite difficult.
> F-Droid compiles open-source apps on their own servers, so the source code they receive is the source code the compiled APK uses. Even if your app is open source, there's no way to upload a precompiled APK to the F-Droid website. This makes introducing malware without anyone noticing quite difficult.
This is a common model, and is basically how most Linux distros work, but it only scales (safely) with people actually paying attention. How many people does F-Droid have reviewing the app updates that they build?
I agree it will be hard to introduce malware without anyone noticing in a strict sense, I'm just not sure they have enough resources to notice before it becomes a problem given how I assume that must work, but I would be happy to be wrong.
You're right, of course; being open source does not automatically make apps safe. There's a vetting process by the F-Droid devs before an app gets added to the repo, but after that changes get picked up without an in-depth review.
With F-Droid it's almost impossible to hide the infection. Once your malicious code has eventually been found, you're one quick scan of every other app away from getting all of your infected apps kicked from the store. You can obfuscate your source code, but that makes any app with obfuscated source code immediately suspect.
This is a lot harder with precompiled apps, especially those loading native libraries. With the tens of thousands of vague shadow companies that hobbyists and small dev shops have left behind over the years, it's impossible to find out which apps to reverse engineer if you're looking for similar infections. Obfuscating compiled code is quite normal as well, whereas open source projects stand to gain very little from obfuscating their source code.
You still need a certain level of trust (and a certain amount of hobbyists/security researchers to go through the apps) but that's inherent in any modern computer system. The days of the VIC-20 where one person could understand the entire system from top to bottom are long behind us, for better and for worse.
> Don't download Microsoft Teams if it claims an app developer with an unrecognisable name and only 500 downloads, don't download cracked games, be wary of the obvious free-to-play clones, and if a web page shows a flashing gif warning you that WhatsApp is outdated, don't install the APK file it's trying to push through your browser.
Ah, so pretty much all the warning signs people ignore when clicking on a phishing link or an advertisement saying they're the millionth visitor.
I don’t want this coming anywhere near iOS. Maybe a controversial opinion, but I’d rather have that than my Grandma’s entire retirement account being emptied because of a malicious app.
I just searched for Microsoft Teams in the Play Store and there were no imposters in the search results. Searched for just "Teams" and again, no app trying to masquerade as MS Teams was in the results.
You could download cracked games but you can't install them without enabling third party apk installs. Grandma isn't likely to do that.
The attack vector was normal apps purchased by the hackers that were modified to download and install malicious apps. This should have been caught by Play Protect on the device, but failed due to the bug.
iOS receives immediate security updates on supported devices (even those that do not run the latest iOS version), while most two-year-old Androids get two updates a year, if at all.
Well, I never had an iPhone, and on Android I only had Chinese stuff 'cause it's cheap. Mostly Xiaomi, but also weird stuff like Lumigon, which for $100 had an infrared camera and (at the time) an unbelievable 128 GB of storage.
I also never had viruses or malware or what else because I only install official app versions (Teams / WhatsApp / Skype messengers, Netflix / Amazon / HBO / Disney streaming platforms, Google / Microsoft / Custom Bank authenticators, Chrome / Firefox browsers etc).
My kid though ... my God. He installs random games from the Play Store; if I hadn't seen it I wouldn't have believed it. Every corner of the phone was infested with ads and popups and crap. I had to do a factory reset to clean it, as even after uninstalling the games the crapware continued.
Overall, if you stay out of games and stick to tried and tested official apps, you're good. Well, apart from Chinese phone bugs, which are unavoidable given the price tag.
Like, at least I got used to Xiaomi's bugs, but my kid wanted a Huawei Honor Magic5 Lite so much 'cause it looks nice, and that's all that matters.
It crashed once right when I was setting up my Google account; the second attempt succeeded. Then I started the pre-installed YouTube app and it took 5 crashes before the 6th attempt finally succeeded and the application started.
For the same money he could have gotten a Redmi Note 12 Pro from Xiaomi, with slightly better hardware specs (but not the slick curved glass look) and, as it seems, leaps and bounds better tested software.
> Every corner of the phone was infested with ads and popups and crap. I had to do a factory reset to clean it, as even after uninstalling the games the crapware continued.
Xiaomi phones themselves are malware. My EU Redmi 8 was running tcpdump in the background 24/7, capturing the first 50 bytes of every packet and sending the logs to some Chinese server twice per day. One would say 50 bytes is not much and most of the traffic is encrypted (HTTPS, etc...), but the IP addresses are still in there, the DNS requests and replies are not encrypted, and having the first 50 bytes of IP packets might be enough to capture an unencrypted IMAP, SMTP or POP3 login.
It's part of the "recover lost/stolen phone" thing, but it's overkill for that purpose. It's not documented what they are doing with the data, and this clearly violates the GDPR. Btw, I never had this feature enabled.
Flashed a custom ROM the next day after my discovery.
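As an added illustration of the claim above (this is not code from the thread, and it does not reproduce anything from a Xiaomi device), the following Python builds three constructed packets with the standard library, keeps only the first 50 bytes of each as a tcpdump snaplen of 50 would, and parses what survives. It assumes the capture starts at the IPv4 header; with 20-byte IP and 20-byte TCP headers that leaves 10 bytes of TCP payload, which is exactly enough for a POP3 `USER alice` line, and for a DNS query it leaves the start of the queried name. All addresses, ports and credentials are made up.

```python
import socket
import struct

SNAPLEN = 50  # bytes kept per packet, as described in the comment (assumed to start at the IP header)


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header without options; checksum left at 0 since nothing is sent."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def tcp_header(sport, dport):
    """20-byte TCP header, data offset 5, PSH|ACK, dummy seq/ack numbers."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def dns_query(name):
    """DNS header (12 bytes) + QNAME labels + QTYPE A / QCLASS IN."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def build_sample_packets():
    """Constructed sample traffic: a POP3 login (two packets) and one DNS lookup."""
    client, mailhost, resolver = "192.0.2.10", "198.51.100.5", "192.0.2.1"
    pkts = []
    for line in (b"USER alice\r\n", b"PASS hunter2\r\n"):
        seg = tcp_header(51000, 110) + line
        pkts.append(ipv4_header(client, mailhost, 6, len(seg)) + seg)
    q = dns_query("mail.example.com")
    dgram = udp_header(40000, 53, len(q)) + q
    pkts.append(ipv4_header(client, resolver, 17, len(dgram)) + dgram)
    return pkts


def snapshot(pkt):
    return pkt[:SNAPLEN]


def parse_partial_qname(data):
    """Decode as many DNS labels as the truncated bytes allow; '...' marks a cut-off name."""
    labels, i, truncated = [], 0, False
    while i < len(data):
        n = data[i]
        if n == 0:
            break
        label = data[i + 1:i + 1 + n]
        labels.append(label.decode("ascii", "replace"))
        if len(label) < n:
            truncated = True
            break
        i += 1 + n
    else:
        truncated = True  # ran out of bytes before the root label
    return ".".join(labels) + ("..." if truncated else "")


def parse_snapshot(snap):
    """Extract what a SNAPLEN-byte prefix of an IPv4 packet still reveals."""
    ihl = (snap[0] & 0x0F) * 4
    proto = snap[9]
    info = {"src": socket.inet_ntoa(snap[12:16]), "dst": socket.inet_ntoa(snap[16:20]), "proto": proto}
    l4 = snap[ihl:]
    if proto == 6:  # TCP: ports plus whatever payload bytes fit after the header
        sport, dport = struct.unpack("!HH", l4[:4])
        doff = (l4[12] >> 4) * 4
        info.update(sport=sport, dport=dport, payload=l4[doff:])
    elif proto == 17:  # UDP: ports, payload, and a partial DNS question if it is a DNS query
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[8:]
        info.update(sport=sport, dport=dport, payload=payload)
        if dport == 53 and len(payload) >= 12:
            info["qname"] = parse_partial_qname(payload[12:])
    return info


if __name__ == "__main__":
    for pkt in build_sample_packets():
        print(parse_snapshot(snapshot(pkt)))
```

On the constructed input the snapshots give up both endpoints and ports for every packet, the complete POP3 username (`USER alice`), the first five characters of the password (`PASS hunte`), and `mail.exam...` from the DNS query; a shorter password or hostname would survive intact.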
Google needs to clean up the whole QR code reader app category. They trick users by having a big button saying 'OPEN' that takes the user to a website asking them to enter their credit card to verify their ID.
> ThreatFabric detailed how the crooks behind Anatsa will purchase older, abandoned file managing apps, or create their own and let the apps build up a considerable user base before updating them with malicious components.
Maybe it's time to turn off auto update for apps. Auto update is important from a security perspective, but if the actor is bad, it might be better to wait and update on demand to catch up with missing features, and by that time hopefully the malicious app has been removed from the app store. Of course this would only work for standalone apps.
Similar to how we often have intermediate package managers that pin packages to a particular version to not get malware injected one day.
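The two comments above describe the same policy from two angles: do not take whatever the store pushes, pin what was reviewed and hold everything else until someone looks at it. As an added example (not from the thread and not any real package manager's code), here is that policy in Python over a constructed lockfile, where each entry records the version and the SHA-256 of the artifact that was reviewed at pin time. Names, versions and artifact bytes are invented; the point is the three outcomes: install only on an exact match, hold new or unknown versions for review, and reject an artifact that claims a pinned version but carries different bytes.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed lockfile: app name -> version and digest of the build a human reviewed.
# The byte strings stand in for real APKs/packages.
LOCKFILE = {
    "pdf-viewer": {"version": "2.3.1", "sha256": sha256_hex(b"pdf-viewer 2.3.1 reviewed build")},
    "file-manager": {"version": "1.0.0", "sha256": sha256_hex(b"file-manager 1.0.0 reviewed build")},
}


def check_update(name, version, data, lockfile=LOCKFILE):
    """Classify an offered artifact: 'install', 'hold:<reason>' or 'reject:<reason>'."""
    entry = lockfile.get(name)
    if entry is None:
        return "hold:unpinned"            # never reviewed; queue it, do not install
    if version != entry["version"]:
        return "hold:new-version"         # the 'wait and update on demand' case
    if hmac.compare_digest(sha256_hex(data), entry["sha256"]):
        return "install"                  # exact bytes that were reviewed
    return "reject:hash-mismatch"         # same version label, different build: the abandonware-update pattern


def pin(name, version, data, lockfile=LOCKFILE):
    """Record a reviewed artifact; meant to be called only after a human has looked at the update."""
    lockfile[name] = {"version": version, "sha256": sha256_hex(data)}
    return lockfile[name]


def triage(offered, lockfile=LOCKFILE):
    """Run a batch of offered updates through check_update and group them by decision."""
    groups = {"install": [], "hold": [], "reject": []}
    for name, version, data in offered:
        verdict = check_update(name, version, data, lockfile)
        groups[verdict.split(":")[0]].append((name, version, verdict))
    return groups


if __name__ == "__main__":
    offered = [
        ("pdf-viewer", "2.3.1", b"pdf-viewer 2.3.1 reviewed build"),
        ("pdf-viewer", "2.4.0", b"pdf-viewer 2.4.0 fresh from the store"),
        ("file-manager", "1.0.0", b"file-manager 1.0.0 with extra dropper"),
        ("qr-scanner", "9.9", b"never seen before"),
    ]
    for group, items in triage(offered).items():
        print(group, items)
```

The manual-update habit described later in the thread is `triage` with a human emptying the `hold` bucket by calling `pin` after inspection; nothing in the `reject` bucket should ever be pinned, because its version label is lying about its contents.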
> Maybe it's time to turn off auto update for apps.
It's very frustrating that I cannot specifically exclude certain apps from auto-updates.
Android forces me to either permit blanket auto-updates, or to click through a big list of pending updates, where a single mis-tap will permanently update the wrong app with no easy way to undo or downgrade.
Why do you need to use auto updates? I am on manual and go through the list of pending updates every few weeks. Takes 2 min. I can't believe how vendors have gaslit people into "auto updates are the only way"
Release notes are a MUCH bigger problem. App stores should show a history of every update issued since your current version. Also, ban devs who just write useless two-word "Bug fixed" release notes.
You most definitely can exclude specific apps from auto update on the Play Store. Go to the app's Play listing page, tap on the overflow menu in the top right (vertical ellipsis) and uncheck "Enable auto update".
Not doing that is cheaper, and there's no regulation that forces companies to do those audits to get things released. We live in capitalism, where cheaper wins.
Forget government force, I am talking about industry standards and defaults. People have RedHat, Apple and others for distributing stable app and service versions with operating systems. Same principle should apply to package managers. How can a low-level package break or poison 40,000 other repos overnight?
This culture of Tweeting at 5 am to 5 million people before the truth has a chance to get its pants on is defended in the name of “freedom of speech”, but I much prefer the peer review gated approach of science. Not one monopoly gatekeeper but at least 2 reputable ones, before your OS or package manager allows the download (but users can override it if they insist). I think rpm and yum do that..
Supply chain attacks are a thing in Linux too. Some activist clown tried to brick devices with Russian or Belarusian IPs in the same manner. This system is compromised.
Or just use iOS and text, take photos, and use big name apps only like IG.
I used to be into phones. These days I use $150-200 used iPhone SE (2020). Don’t care if I drop it or break it. And it takes decent photos (not amazing, not terrible). And it’s small.
Just because this article references Android doesn't mean iOS is without its own security issues.[1] The "just use iOS" portion of your advice may be a bit optimistic.
I have an old Android phone that is out of published support updates now, but I am on the fence about switching to a new LineageOS build just because who knows how much cross-checking happens for an old phone's code port; maybe it's just one or two contributors, and who's watching the watchers?
I don't remember the last time I read about malicious code found in an app here:
forum.f-droid.org/
The code is available, and the licenses allow the project to distribute them.