
Popular Google Play store apps are abusing permissions and committing ad fraud - mzs
https://www.buzzfeednews.com/article/craigsilverman/google-play-store-ad-fraud-du-group-baidu
======
rayraegah
It's not just ad fraud, they've been copying information like WhatsApp phone
number, Reddit username, Telegram username etc.

[https://www.reddit.com/r/miband/comments/8eqtve/why_did_mifi...](https://www.reddit.com/r/miband/comments/8eqtve/why_did_mifit_copy_my_reddit_account_information/)

~~~
DarwinMailApp
I actually can't believe this. How in the name of all that is holy are we
letting them get away with this?

Sure, we talk about the problem a lot. But we need to take action. It seems
every big corporation is abusing the trust we give them in some form or
another.

Please, for the love of God, can anybody prove me wrong. Are there any
companies that don't abuse our trust?

~~~
tremon
Microsoft, for all their other flaws, usually keeps out of the business of
selling their consumers. Perhaps it's because they have better (internal)
monetization possibilities.

~~~
lotsofpulp
Last time I used a Windows computer, there were tons of advertisements in the
start menu.

~~~
deadbunny
And on the lock screen.

------
blantonl
One of the things that is really troubling about the Google Android Play store
is the ease with which an app developer can develop an app and remain totally
anonymous unless you are forced to file a lawsuit or subpoena to Google to
reveal information.

I own and operate a fairly popular audio streaming platform, and I've had to
deal with numerous instances of unscrupulous app developers who steal API keys
from our licensed developers, release apps wrapped in tons of ads, and are
able to remain totally anonymous by:

1) Setting up what is presumably a fictitious company

2) Privacy policy link that directs to pastebin

3) Email address for support where nobody responds

These apps steal tens of thousands of dollars of ad revenue from my business
monthly, and I have absolutely zero recourse. Filing DMCA and other complaints
with Google typically goes into a black hole, and when they do respond or
address the issue it's typically "we don't see the need to take any action
here" - presumably because these apps are generating enough revenue for AdMob
and the Play Store that Google has zero incentive to take action.

How often does this happen in the Apple App Store? Almost never.

It's absolutely infuriating.

~~~
076ae80a-3c97-4
Time to cycle API keys?

~~~
lima
App update cycles are slow so this would break old versions of his apps.

~~~
blantonl
That, and they can steal the new API keys just as fast as we rotate them. And
since these API keys are licensed to third-party developers we've got to
manage business impact for that third-party.

The problem is Google has no incentive to address these issues, because they
prioritize their own platform growth revenue over user and partner experience.

With all the frustration one can have with the Apple App Store, including huge
wait times for new releases, arbitrary reasonings for declining apps etc, it's
almost worth it vs the wild-west of the Google Play Store.

------
gameswithgo
the locked in store model has completely failed. both for ios and android it
is a terrible experience compared to PC. you are stuck with only the search
tools the hardware maker gives you, often designed in a user hostile way (ios
brings up ads) and no way to bail out to a different store. as well the
monoculture leads to a race to the bottom with garbage programs shoving their
way to the top via misleading and dishonest means, and by sheer numbers.

i want no part of it. when a phone maker comes to the market without this
locked down model i will buy it, and if windows goes this route i will drop it
for linux.

and yea i know you can sideload on android, but the unwashed masses don’t know
that so it doesn’t matter.

~~~
nemothekid
> _and yea i know you can sideload on android, but the unwashed masses don’t
> know that so it doesn’t matter._

Then what is your solution? The unwashed masses _tried_ the wild wild west of
digital software delivery back in the 2000s. It ended with tears, viruses, UAC
and SaaS. Even today, most sideloading, for general consumers, begins with
trying to pirate apps and ends with even more invasive spyware.

The locked in store model is better than what we had before for the
general consumer (at least iOS's, unequivocally is, IMO). The App Store might
be bad for developers, but it's way better for consumers.

~~~
Yetanfou
The solution is what has been suggested earlier: allow users to choose their
own 'store', don't lock them to a single vendor. This is already possible with
Android where F-Droid is a good example of a 'store' where the chance of being
exposed to these shenanigans is close to zero.

Currently iOS users lack this option so for them the only way out is to change
platform.

~~~
acdha
That doesn’t seem like much of an improvement: if it became popular, you’d see
the same social attacks switch from getting people to install apps to enabling
a new store. F-Droid is safer because it’s much smaller and mostly free
software: that’s good for people who don’t want anything else but it seems
unlikely to satisfy mainstream demand or survive a motivated attack.

~~~
Yetanfou
Linux survived these attacks. Debian survived them. Ubuntu did. More or less
all Linux distributions have been attacked but survived, many of them thrive.

Yes, this is free software. Being less susceptible to these problems has been
one of the stated advantages of using such for a long time. Alternative
'stores' carrying 'pirated' non-free software do not have this advantage and
can easily turn into dark places so the solution does not lie there.

Will people choose a 'boring' free software 'store' over a 'cool pirate store'
(Arrrrr!)? Some will, some won't. Those who will will end up being mostly
silent as the thing just works. Those who won't will be susceptible to the
whims of those who put up those 'stores' and are likely to come home with a
bit more than they asked for.

Some 'stores' will get a good reputation along the lines of that of F-Droid,
some will get the reputation of being the place to go to get the latest craze
but also the latest infection. Users will start making conscious decisions
based on those reputations, just like they already do elsewhere.

Will opening up closed platforms like iOS for third-party software
repositories get rid of these problems? No, it won't, it will even raise the
average level of problematic software on that platform. The difference between
closed systems and more open ones is not that the closed ones are inferior, it
is that they limit the user's choice to get something which is _better_ as
well as _worse_ than what the walled garden offers. In this context _better_
can mean software which does not come with tracking, analytics, profiling and
other such privacy-invading nonsense. I can get the source code and build it
myself, I can host my own repository, only time limits where I can go. This is
not true for the Google Play Store or the Apple Appstore, nor is it true for
the Amazon equivalent or any of those Chinese alternatives. That is why I
chose to use something like F-Droid.

By the way, there is nothing keeping e.g. Facebook or Twitter from releasing a
free software version of their apps. Their value - and most of their profiling
proficiency - lies in their platforms, not in the apps used to access them.
They might lose any additional venues for leeching the user of data but they
would gain some believability when they state that they're not up to no good.
Of course there are plenty of alternative apps for these services so they
don't really _need_ to but they _could_ if they wanted to.

~~~
acdha
> Linux survived these attacks. Debian survived them. Ubuntu did. More or less
> all Linux distributions have been attacked but survived, many of them
> thrive.

Really? Is there a huge market of mainstream consumer Linux software which
I've missed in the past 3 decades of using it?

The answer is, of course, no. Linux distributions have mostly been used by
developers and other IT people and there's never been the equivalent of the
mainstream mobile app ecosystem used by people who are asked to make critical
security decisions which they don't know how to answer. If there was an
equivalent, there would be the same sleazy sites pushing free porn, games,
taking successful apps and repackaging them, etc. that we see in the
mobile/Windows desktop world, and normal people would routinely be socially-
engineered to get access to free stuff, just as Linux users have for years
been fooled into running binaries or installing packages. This isn't more
widespread because there's not much money in it but if that were to change it
would immediately require the same kind of hardening which every other
consumer OS has had to make.

~~~
Yetanfou
Well, there is Android, that uses Linux and is as mainstream consumer as it
gets. Do mind that I specifically said 'Linux survived' as in 'the Linux
kernel project', followed by a number of Linux distributions.

Also, where are those _Linux users [who] have for years been fooled into
running binaries or installing packages_? The majority of Linux users get
their software from repositories maintained by whichever distribution they
use. This fact is one of the reasons why Linux users are far less likely to
install 'random' software. It is that aspect of Linux distributions which
'stores' like F-Droid bring to Android.

Last, what kind of 'hardening' do you deem _every other consumer OS has had to
make_ which Linux distributions have yet to accomplish? I'd go so far as
saying that the likes of Windows and MacOS are playing catch-up here in
finally getting around to implementing a sane repository infrastructure from
which users can install and update software instead of having them hunting
around the web for some _SETUP.EXE_ to download and click on - which then
proceeds to install not only the requested program but also a host of toolbars
and 'shopping assistants'.

That both Apple as well as Microsoft took one step further in making these
software repositories single-source to the detriment of their user's freedom
of choice is what started this discussion in the first place.

------
kenoph
I did my Master's thesis on this kind of stuff. There are many apps among the
top 100 free ones that ask for permissions completely unrelated to their
functionality. Yeah I know, not surprising. What surprised me at the time was
that Android gives away much information "for free". For example, if I recall
correctly, GET_ACCOUNTS was granted automatically and it allowed getting the
"title" of every account on the phone as shown in the Android UI. Most apps
use the actual username as the title, Google included (aka, every app could
read your email address). Nice exceptions are Signal and WhatsApp.

~~~
cjsilver
I'm the author of this article and I'd love to learn more about what you found
in your research. You can reach me at craig dot silverman at buzzfeed.com.

~~~
snaky
This review from USENIX Enigma 2019 might be interesting for you. They tested
over 80,000 of the most popular Android apps to examine what data they access
and with whom they share it, how mobile apps are tracking and profiling users,
how these practices are often against users' expectations and public
disclosures, and how app developers may be violating various privacy
regulations.

Some numbers from the presentation:

- the "GPS icon" is visible for only 0.04% of actual accesses to location data
- of 42000 apps transmitting personal information, 21000 (50%) don't use TLS and send data unencrypted
- 1,325 apps that don't have location permission, actually obtain street-level location data and transmit it home

[https://www.usenix.org/conference/enigma2019/presentation/eg...](https://www.usenix.org/conference/enigma2019/presentation/egelman)

~~~
cjsilver
Thanks!

------
mzs
> As noted earlier in this thread, I didn't go looking for Chinese developers
> for this story. But if you go hunting for permissions-abusing apps, this is
> where you might end up. …

[https://twitter.com/CraigSilverman/status/111862075124903936...](https://twitter.com/CraigSilverman/status/1118620751249039360)

~~~
nine_k
Cheaper labor, I suppose.

I bet Eastern Europe is also represented.

~~~
shard972
Are Chinese really cheap labor though? Their tech companies are quickly
eclipsing that of western companies.

I don't think it's fair to say it's just a cheap labor thing.

~~~
nine_k
Not utterly cheap, but likely not as expensive as Silicon Valley.

Also, I suspect that those who concentrate on adding spyware and ad fraud,
repackaging, etc are not the top talent.

------
codedokode
The article puts blame on specific apps of Chinese origin, but a lot of what is
said in the article can be applied to other apps too, for example:

> Kaltheuner, of Privacy International, told BuzzFeed News the policies are
> vague about how third parties, including potentially the Chinese government
> or other authorities, can gain access to the data being collected.

Google's privacy policy [1] is also very vague. Instead of clearly writing
technical details, what data they collect and when, they just give a general
description. Take this phrase, for example:

> We may also collect information about you from trusted partners, including
> marketing partners who provide us with information about potential customers
> of our business services, and security partners who provide us with
> information to protect against abuse.

Or this:

> We provide personal information to our affiliates and other trusted
> businesses or persons to process it for us, based on our instructions and in
> compliance with our Privacy Policy and any other appropriate confidentiality
> and security measures.

Absolutely no details. I don't see how Google hiding its "partners" identity
is different from Chinese companies hiding their identity.

The article says that a Chinese company can share the data with their government
(without any proof), but doesn't Google share the data too when required by
the law?

Also, there is an interesting note hidden in Chrome's policy [2]:

> Chrome won't allow a site to access your location without your permission;
> however, on mobile devices, Chrome automatically shares your location with
> your default search engine if the Chrome app has permission to access your
> location and you haven’t blocked geolocation for the associated web site.

So instead of singling out a Chinese company, we should pay attention to all
of the mobile apps and their practices.

Regarding excessive permissions, I think Google could improve the situation by
promoting apps with few required permissions in the search results and making
permission list more noticeable. For example, currently, if you browse Google
Play, permission list is hidden behind a tiny link.

[1] [https://policies.google.com/privacy?hl=en-US](https://policies.google.com/privacy?hl=en-US)

[2] [https://www.google.com/intl/en/chrome/privacy/](https://www.google.com/intl/en/chrome/privacy/)

------
doublepg23
It's amazing how poor the filtering is. There are plenty of developer horror
stories of legitimate apps being taken down by some broken, automated process
- sometimes taking peoples' entire Google accounts with them. Then you're
stuck dealing with more automated systems for support.

Of course these garbage apps make it through somehow. My favorite is an SNES
emulator that's full of ROMs. Clearly a copyright violation, but somehow made
it through state-of-the-art AI...

~~~
userbinator
_My favorite is an SNES emulator that's full of ROMs. Clearly a copyright
violation, but somehow made it through state-of-the-art AI_

I'd actually be fine with it letting stuff like that through, but filter out
actual _malicious to the user_ apps.

------
keerthiko
In an ideal world, OS maintainers, instead of running a software store with a
client-end on consumer devices, would run just a repository, with version
control, metadata and downloadable packages for apps submitted to and
supported on their platform, but allowed any third party to link to their
repositories for fetching information or downloads. This would allow external
review hosting, discovery, competing marketplaces, or even users directly
fetching the application without navigating marketplaces if they knew what
they wanted.

Of course, there's nothing in this approach financially for the maintaining
company, so this was not going to happen.

~~~
scarface74
What could possibly go wrong? Viruses, malware, ransomware, toolbars, etc.

------
comradesmith
Installing f-droid and using more simple and open source apps is one of the
best things I've done lately.

~~~
ac29
It's too bad it's still flaky at updating apps. I've been using it for a few
apps for many years, and I'd say easily half of app updates simply fail for
non-obvious reasons. It's been this way across multiple devices and countless
versions of Android, so I'm left to believe the problem is with F-droid
itself.

~~~
Avamander
I also heavily heavily hate the idea that they sign everything, the app stores
must not be trusted. They should _only_ be signing over packages already
reproducibly compiled.

~~~
ubercow13
Why? Isn't that how signatures of any Linux distro work too? The packager
signs the package not the developer.

~~~
Avamander
Because they force users to trust them unnecessarily.

------
yccheok
There are several app categories which become breeding grounds for malware.

- battery booster
- phone cleaner
- anti virus
- note taking app
- file manager
- ···

For risk management from getting banned, those adware companies will usually
register multiple accounts, with offshore address in Hong Kong or Singapore.

This is a good starting move by Google, but not enough still. We still see
companies like Cheetah mobile, Du group being active in Google Play Store.

Those companies (and their associated accounts which distribute malware) who
are caught red-handed should be banned permanently.

------
shittyadmin
Good. This is what advertising agencies asked for and what they deserve.
Implement a "click button to get money" system means of course people are
going to try to beat that any way they can. I'm surprised any web advertising
firm manages to stay afloat.

~~~
userbinator
In fact, there's a browser extension which users willingly install that can
help you "commit ad fraud":

[https://news.ycombinator.com/item?id=19278936](https://news.ycombinator.com/item?id=19278936)

It might actually be beneficial for privacy, since trying to "poison the well"
of tracking data gets detected by the adtech companies and they'll likely
start ignoring you. In that sense, affecting their bottom line is the only way
to make advertisers leave you alone...

~~~
touristtam
I would rather not be subjected to the adverts and the associated data
mining in the first place. Nothing more creepy than the feeling you are being
stalked through your internet journey to sell you yet another useless product
you don't want or need.

Creepy and deceitful.

------
gyaniv
I'm not entirely sure I have that much of a problem with ad fraud, doesn't it
only hurt the ad companies and companies like google (which I have a problem
with anyway), by basically scamming them into believing that I interacted so
that company should be compensated.

I do object to collecting and sending my personal information, but I feel they
just mixed it, as that probably relates to more than just these Chinese apps.

And I really don't like the fact that it seems that Google only cares about
abusing the users, and breaches of trust and privacy when it hurts the
advertisers (and themselves), and not when the normal user gets hurt.

Not surprising though, but still annoying.

~~~
pergadad
It hurts mostly the companies paying for ads, and probably mostly smaller ones
that can't detect the issue. Think your local car dealer.

~~~
lostgame
I’ve never seen an ad for my local car dealer, or similar, in an iOS app, for
instance. Just saying.

------
thinkloop
They're mixing so many issues and confusing the matter. They have discovered
ad fraud, which is interesting, but doesn't actually directly harm the user
(right?), just the advertisers and Google. But then to make sure they are
propagating fear, they bring in the completely unrelated issue of data being
sent to China. And there is some confusion there too - is it only through the
(unnecessary) permissions that users _approve_ (a much different problem) or
are they able to send unexpected data also without the permissions? I wish the
world didn't have this sensationalism arms race to get their articles read.

~~~
comex
If the ad fraud runs in the background as claimed, it harms the user by
wasting their battery.

------
yeahitslikethat
People think I'm weird for not installing whatsapp because it downloads all my
contacts and I can't prevent that in this version of android which I can't
update because I can only do that through at&t while on their network but I
get service through someone else because at&t doesn't cover my area.

It's absurd.

~~~
Sylos
Just get a written permission from all of your contacts that you're allowed to
upload their data to WhatsApp, like the rest of us clearly have.

Or make it so that no one has anything against you ever. Because people have
been sued already for uploading their contacts' information to WhatsApp
without permission.

I really don't want to encourage you to use WhatsApp, but one possible
solution would be to use this app:
[https://f-droid.org/app/opencontacts.open.com.opencontacts](https://f-droid.org/app/opencontacts.open.com.opencontacts)

It's a separate store for your contacts, so that you don't have to use the
Android contacts implementation where every app and their mum wants access to.

However, mind that WhatsApp is not going to be particularly user-friendly
whether you do this or block access to the contacts in newer Android versions.
It won't display people's names until they've chatted to you (and then only in
a shitty secondary GUI), so you will often have to guess from their picture
who they might be.

And worse still, there's no way to initiate a chat from within WhatsApp to
someone who's not in your contacts.

Thankfully, there's an app for that nowadays, too:
[https://f-droid.org/app/io.github.subhamtyagi.openinwhatsapp](https://f-droid.org/app/io.github.subhamtyagi.openinwhatsapp)

~~~
codedokode
Isn't exporting a contact list a violation under GDPR? Contact names and their
phone numbers are a personal information and the app must get that person's
consent to process their data.

~~~
Sylos
Let me put it like this: I consider it only a matter of time before a lawsuit
for this completes and Facebook has to pay a multi-million dollar fine. A
lawsuit against WhatsApp was filed in the night that the GDPR became active:
[https://noyb.eu/4complaints/](https://noyb.eu/4complaints/)

The lawsuit is not just for this matter, it's rather because users were forced
to consent to the privacy policy in order to continue using the services,
which is very hard to justify under the GDPR, but I presume/hope, they will
also look into what WhatsApp wanted users to consent to and how they presented
it (89 screens full of legalese).

In theory, there is some clause in WhatsApp's terms of service which requires
every user to get that written permission from all their contacts that I joked
about.

One actual thing that WhatsApp will be able to cling to, is that they do have
a 'legitimate interest'. Without uploading these contacts, their service would
not anymore grow at even just half the pace.

------
Walf
> “If an app violates our policies, we take action

Bullshit, Google. Bullshit. Only a very small proportion of the apps on Play
ask only for the permissions that are needed to perform their task, and
Internet access is not a deniable permission, leaving a nice little back door
for them to siphon off your data. The example of the flashlight app is not an
edge case, it's the norm. Google does not care because they'd rather earn more
ad revenue than have quality apps, and the number of apps with the ability to
seriously spy on you is staggering.

------
circular_logic
> BuzzFeed News manually identified apps that requested a high number of
> permissions, including those assigned as “dangerous,”

A useful automated tool for this is 'Exodus'; it will scan APKs for trackers
and permissions and provide a web report.

Here is a report for one of the apps mentioned. [https://reports.exodus-privacy.eu.org/en/reports/15627/](https://reports.exodus-privacy.eu.org/en/reports/15627/)
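
Added example, not part of the comment above and not Exodus's own code: a small permission audit of the kind discussed in this thread, run over a constructed manifest for a hypothetical flashlight app. The category baseline, sample manifest and function names are assumptions, and the manifest is assumed to be already decoded to text XML (inside an APK it is stored as binary XML).

```python
"""Permission audit over a decoded AndroidManifest.xml (added example)."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Subset of the permissions Android classifies as "dangerous"; not the full list.
DANGEROUS = frozenset(PREFIX + p for p in (
    "READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "RECORD_AUDIO", "CAMERA", "READ_PHONE_STATE", "CALL_PHONE",
    "READ_CALL_LOG", "SEND_SMS", "READ_SMS", "RECEIVE_SMS",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    "READ_CALENDAR", "WRITE_CALENDAR", "BODY_SENSORS",
))

# Hypothetical baseline: dangerous permissions a reviewer would accept per category.
EXPECTED_BY_CATEGORY = {
    "flashlight": {PREFIX + "CAMERA"},
    "file_manager": {PREFIX + "READ_EXTERNAL_STORAGE",
                     PREFIX + "WRITE_EXTERNAL_STORAGE"},
}

# Constructed sample input, not taken from any real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
                   android:maxSdkVersion="18"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Flashlight"/>
</manifest>
"""


def requested_permissions(manifest_xml, device_sdk=28):
    """Return the set of permissions the manifest requests at device_sdk."""
    # A manifest never needs a DTD; refuse one rather than expand entities
    # from an untrusted file.
    if "<!DOCTYPE" in manifest_xml:
        raise ValueError("DOCTYPE not allowed in manifest")
    root = ET.fromstring(manifest_xml)
    perms = set()
    for elem in root:
        if elem.tag not in ("uses-permission", "uses-permission-sdk-23"):
            continue
        # uses-permission-sdk-23 only applies on API level 23 and above.
        if elem.tag == "uses-permission-sdk-23" and device_sdk < 23:
            continue
        name = elem.get(ANDROID + "name")
        if not name:
            continue
        # maxSdkVersion: the permission is not requested above that level.
        max_sdk = elem.get(ANDROID + "maxSdkVersion")
        if max_sdk is not None and device_sdk > int(max_sdk):
            continue
        perms.add(name)
    return perms


def audit(manifest_xml, category, device_sdk=28):
    """Flag dangerous permissions outside the baseline for the app category."""
    perms = requested_permissions(manifest_xml, device_sdk)
    dangerous = perms & DANGEROUS
    unexpected = dangerous - EXPECTED_BY_CATEGORY.get(category, set())
    return {
        "dangerous": sorted(dangerous),
        "unexpected": sorted(unexpected),
        # INTERNET is a normal permission: with it, collected data can leave
        # the device without any prompt.
        "network": PREFIX + "INTERNET" in perms,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, "flashlight")
    for key, value in report.items():
        print(key, value)
```
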

------
Kiro
> Ad fraud is simply the norm in China

Why is that? I can't even imagine what's going on at the meetings leading up
to implementing ad fraud in what I presume is a normal company otherwise and
not a bunch of gangsters. Is it morally OK to do this in China for some
reason?

~~~
snaky
> While on my most recent flight to Beijing, I sat next to a chatty elderly
> Chinese woman. We started discussing the topic, and she said that Chinese
> society lacks su zhi 素质, which translates roughly to manners or etiquette.
> Before the Cultural Revolution, she explained, Chinese society was guided by
> the moral lessons of Confucianism, with its emphasis on being a gentleman,
> respecting one’s elders, and obeying one’s leaders. But during the Cultural
> Revolution, Mao Zedong put Confucian principles on its head, pitting the Red
> Guard youth against their parents, the less educated against the educated
> elite. This chaos tore the social fabric and transformed the society into a
> survivalist one, a dog-eat-dog world, the vestiges of which are still felt
> today.

> When Deng Xiaoping implemented the Reform and Opening Up policy in 1978,
> capitalism was added to the mix of the survivalist culture; in order to get
> rich, you had to compete fiercely, fend for yourself and take care of your
> own with no regard for rules. This would also explain the rampant corruption
> among government officials, who use their position to amass wealth for
> themselves and their family. And nowadays, a third phenomenon has also added
> itself to the dangerous cocktail of selfishness and competition: the digital
> age. Many Chinese young people spend the majority of their days glued to
> WeChat, or taking selfies everywhere, or shopping at the ubiquitous malls
> around the country. This “me” culture is certainly not unique to China;
> indeed, we see the same thing happening to the youth in New York to Buenos
> Aires to London to Brussels to Moscow. But in China it exacerbates the
> already self-centeredness brought on by the cruelty of the cultural
> revolution and the competitiveness of capitalism with Chinese
> characteristics.

> In other words, China doesn’t just lack common etiquette and basic manners;
> it lacks a moral compass altogether.

[https://thediplomat.com/2016/09/chinas-quest-for-a-moral-compass/](https://thediplomat.com/2016/09/chinas-quest-for-a-moral-compass/)

------
qmanjamz
> Google confirmed it found fake ad clicking on all 6 apps, and said ad fraud
> was against Play store policy. So why aren't you removing the apps, I asked.
> They said they banned them from ad products and were still investigating.
> Really? Finally, not long ago, Google removed them.

What's wrong with this guy? Does he not understand what investigating means?
God forbid Google actually investigates claims of malfeasance.

~~~
shittyadmin
BuzzFeed News is a trash rag, what are you expecting?

~~~
freehunter
BuzzFeed yes. But this is BuzzFeed News, featuring their Pulitzer Prize
winning editorial staff. Very different from BuzzFeed.com.

[https://en.wikipedia.org/wiki/BuzzFeed_News](https://en.wikipedia.org/wiki/BuzzFeed_News)

~~~
busymom0
> Pulitzer Prize winning editorial staff

That's no longer a reliable way of trusting the credibility. There's been many
Pulitzer Prize news reporting which have come out to be completely false.

~~~
lucasmullens
Maybe, but it helps make them less of a "trash rag"

------
HillaryBriss
google play store and android have consistently shown that the first priority
is gaining market share. user safety and security, app quality, data privacy
and positive developer experience are far, far lower priorities.

------
craftinator
Here is a solution for this problem: let's devalue mobile advertisements. How?
Simple: every time you see an ad, add the product advertised to a blacklist.
Refuse to download any app that advertises to you. I've been doing this for a
few years, and have felt no negative effects; in fact I have way less app
clutter on my phone, and I still find all of the apps that I look for.
Advertising has changed in nature; it used to be about increasing visibility
of your products. Now it is about compelling people who don't want or need
your product into buying it, by using deception and psychological
manipulation. So how do we kill the beast that the ad industry has become?
Don't feed it.

~~~
Sylos
I appreciate the vigour, but it's probably easier to just use an ad blocker:
[https://f-droid.org/app/org.blokada.alarm](https://f-droid.org/app/org.blokada.alarm)

~~~
craftinator
An adblocker keeps you from being exposed to an advertisement. This means
you'll be adding zero value to the ad. What I'm talking about is a boycott,
and you'll add negative value to it. I find this much more effective, and
again, it has had no discernable negative effect on my life. I research to
find the things I need. Word of mouth is more powerful, and gives more value
to people's opinions.

------
paulcarroty
> This means they can no longer use any of Google’s ad products to earn money.

Really? Guess it can be easily done with new virtual firm and new contact
data.

------
rezeroed
This is as surprising as the facebook story.

------
AFascistWorld
To consider the versions of Chinese apps uploaded to Play is already much
cleaner and toned-down than their China versions.

DU Group is an affiliate of Baidu, which has been using ads like "Click a
button to boost your signal 5X stronger" to harvest users. It's common and
unfettered in China, since they are all watchdogs of the party.

------
eriktrautman
Has anyone ever gone to jail for this? Oh, you committed massive fraud and
stole millions of dollars? We’re just going to tell you not to do that
anymore... in what world would they NOT incessantly scam the system with these
completely asymmetric incentives?

------
tmalsburg2
I'm using a non-Google version of Android (provided for the Fairphone 2) and
install apps from the F-Droid store (exception is WhatsApp which is a
direct install). Can I consider myself safe?

------
dcdevito
THIS, among many other reasons, is why I (and my wife), switched to the
iPhone.

~~~
mellow-lake-day
That is not a cure-all solution. It may be better as Apple has a higher
barrier of entry into their store but those apps still exist. And Apple
doesn't remove these apps right away either, for instance it took Apple one
month to remove the app that was sending browser data to China.

[https://www.macrumors.com/2018/09/07/adware-doctor-stealing-history/](https://www.macrumors.com/2018/09/07/adware-doctor-stealing-history/)

[https://www.forbes.com/sites/bernardmarr/2015/10/20/data-thieving-apps-banned-from-apples-app-store/#4440859cb89f](https://www.forbes.com/sites/bernardmarr/2015/10/20/data-thieving-apps-banned-from-apples-app-store/#4440859cb89f)

