'I Want to Expose Google's Mistakes': Hacker Blamed for Big Android Fraud (forbes.com)
36 points by known 10 months ago | 26 comments

"The biggest problem is that the device can install any application, get full access to the device and can be substituted for fake banking applications [that can] intercept SMS [and] manage the device. In general, everything is possible."

PCs can do this too at the moment. I do not want my freedom taken away to install what I want and end up in a walled garden like iOS.

Next thing you can only install government approved apps...

Some security risks will always exist.

I am a big proponent of "freedom to tinker", but I simultaneously believe that iOS' walled garden is the best thing about Apple's mobile devices. All not-so-savvy PC and Android users I know have trouble with misleading apps and devices that slow down to a crawl because so many apps are running in the background. It's frustrating because they absolutely have nothing to gain by said freedom.

I think they have a lot to gain by said freedom. I think it's fair to say that they don't have the understanding of how to use it though.

All of the crapware on my Android phone comes from companies approved by Google. In fact, most of it... ahem... comes from Google. Blimey... I forbid Google Maps from even running.... Literally every app I use comes from F-Droid and you wouldn't believe how much better the phone runs.

The walled garden is not so much a walled garden as a zoo. You are a valued guest as long as you provide value to the proprietors. You get lovely meals and safe-ish surroundings. The fact that your pen is completely inappropriate for your body type... Well, you can't have everything, right? But the paying customers are the ones making the rules and you shouldn't forget it.

Yeah, I don't think you'll get many Madagascar type prison breaks from the walled garden, as you say, but I think it's a stretch to say that there is nothing to gain from doing so -- whoever you are.

Look at this from say your mom's perspective, not IT geek one - the real benefits potentially gained are minimal compared to threats.

These academic discussions have no meaning for most folks out there - they want a device where their few favorite apps work fast and reliably, and generally a device they can trust will not take away their ie banking info and steal money or identity.

Rest are details for nerds like us.

It is sometimes possible for a nontechnical person to have a friend or family member set up something technical on their device for them. In that situation, it may become important to the non-nerds whether the walled garden blocks the nerds.

And F-Droid moderates better (naturally) than any closed source stores.

Android is bloated with frameworks to enable adware kiddos to earn revenue. If it was the spirit of a regular Linux distribution.......

I get it but for developers, it's just a nightmare, I would like a root feature on my phone by default since I own that phone.

It does not have to be a simple access, it could be to type manually 10 command lines in a prompt on the phone to get rid of the people who don't know what they are doing but it really needs to be there.

> devices that slow down to a crawl because so many apps are running in the background

Most of those are not even installed by the user but by the manufacturer or Google and the users are unable to get rid of them.

In iOS, you can't even have tools like Termux because an app is not allowed to execute unsigned binaries. Like, I get how this can be a security measure, but why not give control to people who want to take the risk.

I would not have a problem with the iOS App Store's policies if they permitted me to install another app store like F-Droid. They don't, so they are exactly what we do not want, as they will encourage others to do the same, as they are the ones people are looking up to at the moment (because of profits).

If Google wants to crack down on apps in the Play Store that's fine. But do not lock down the phone so I can't install what I want.

lock down device so idiots can't screw up, hackers and tech savvy influencer folk move onto a platform they can modify coz it's cool, general public follows

wash, rinse, repeat.

I don't understand why these two are in opposition. I can certainly imagine systems that would give you the power to do things, while isolating apps from each other and limiting their permissions.

Right now you will have to recommend iOS to those who are not that technically inclined, because it is safer.

So this is interesting because it already kind of exists within Android. For example, I can't install the banking app for my bank if my phone is rooted. So it forces a choice - you can use a non-rooted fully secured (at least in theory) phone and the approved apps will run, or you can root it and in theory get complete control over your device, but you lose the ability to run certain restricted applications (funny how getting more control gives you less choice in a way).

But you don't interact with your bank through apps on a PC. You interact with your bank through a web browser. And if you're like most people, that's the only secure application you have installed. Android and iOS devices focus much more on bespoke applications over general browsers. The OS security models are also very different.

I specifically do not use my phone for bank access, since that would undermine two factor authentication in case of a compromised system. I would recommend everyone to do the same. It is one of the first things I explain to new users.

You can sandbox things without locking down the entire device. These devices all have an MMU, after all.

Android doesn't even try.

> "I wanted to show the vulnerability of the Android and thought that Google would take care of security." ... Maza-In said he didn't contact Google.

There should be criminal liability for willful negligence that clearly increases risk to others. That kind of "I never thought" mindset is so...I don't even know what word to use...antisocial? Careless?

Seems like a lie to me. That forum he posts in seems to be a den of criminals.

You don't sell crowbars to a bunch of thieves and be surprised when they use it for burglary.


> Unlike security pros who disclose bugs in return for credit or monetary reward, Maza-In said he didn't contact Google.

This guy does not have my sympathy

Responsible disclosure is a scam.

Freedom of expression.

We humans have created all kinds of things that get misused. The Nobel prizes were set up exactly because people were blaming Nobel for the violent use of dynamite. Let us not further hobble the spreading of ideas with political concerns about which ideas are dangerous. Blame the (mis)user, not the manufacturer and certainly not the discoverer.

Distributing software that is intended to steal money from people is not freedom of speech.

Of course it is freedom of speech. The only thing that was distributed was text: an encoding of an idea. The act of using that idea to build something to defraud someone is the criminal act.

Jurisdictions censor all kinds of speech, and maybe you think this kind of speech should be censored, but at least in the USA you would have to argue incitement which is a stretch.

The historical example was the publishing of the PGP source code in book form to distribute it. You might consider the software to be "military grade arms" but describing to someone how to build it is just an idea.

Certainly the US government might want to rein in this interpretation and might love to create a new exception, but there is no intrinsic reason for a rational individual to insist upon that interpretation.

I'd go as far as calling it malicious...

Is it much different than YouTubers showing how to break into locks (ex. lockpickinglawyer)?

Mods should tag this as being from 2017.

Although as many people wrote he shouldn't have done this without first contacting Google, I agree that Android allows the developers too much without asking user permission. Google had many years to fix this issue, but it doesn't take it seriously.
