
Yes, alas, same for iOS AFAIK. It's a flaw in the security/trust model of both platforms. Similarly, you'll be prompted for new permissions if a malicious new owner adds new permissions to the app, but nothing tells you it's a new owner so you will likely grant permissions without realising everything might have changed.





It's not really a flaw. Whether it is the same app or not is being distinguished by package name + signing key. If both versions are signed by the same key, for all intents and purposes the newer version is legit.

On Android, in an offline scenario, the installer doesn't even know who the author is and whether it changed. Here, all it knows is the above: package name + key used to sign.



That sure sounds like a flaw to me.
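The update check described in the comment above (package name + signing key), as an added example that is not part of the thread and is not platform code. It is a simplified model that assumes a single signer and ignores key rotation; `Package`, `evaluate_update`, the `publisher` field and all sample values are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str                            # package name
    signer_cert: bytes                   # signing certificate bytes (constructed)
    permissions: frozenset = frozenset()
    publisher: str = ""                  # store-side metadata, never an input to the check


def cert_digest(cert: bytes) -> str:
    """Identity of the signer as the installer sees it: a digest of the certificate."""
    return hashlib.sha256(cert).hexdigest()


def evaluate_update(installed: Package, candidate: Package) -> dict:
    """Decide whether `candidate` may replace `installed`.

    Only the package name and the signer digest are compared. The publisher
    is deliberately not consulted, mirroring what the thread describes.
    """
    if candidate.name != installed.name:
        return {"accepted": False, "reason": "different package name", "new_permissions": []}
    if cert_digest(candidate.signer_cert) != cert_digest(installed.signer_cert):
        return {"accepted": False, "reason": "signing key mismatch", "new_permissions": []}
    # Permissions not held before are the only change surfaced to the user.
    added = sorted(candidate.permissions - installed.permissions)
    return {"accepted": True, "reason": "same package name and signing key",
            "new_permissions": added}


# Constructed sample data.
ORIGINAL_CERT = b"constructed-cert-original-developer"
INSTALLED = Package("com.example.notes", ORIGINAL_CERT,
                    frozenset({"android.permission.INTERNET"}), "Original Dev")
# Same key, new owner, one extra permission: accepted, with a permission prompt only.
SOLD = Package("com.example.notes", ORIGINAL_CERT,
               frozenset({"android.permission.INTERNET",
                          "android.permission.READ_CONTACTS"}), "New Owner Ltd")
# Same package name signed with a different key: rejected.
RESIGNED = Package("com.example.notes", b"constructed-cert-someone-else",
                   frozenset({"android.permission.INTERNET"}), "Someone Else")

if __name__ == "__main__":
    for label, pkg in (("sold", SOLD), ("resigned", RESIGNED)):
        print(label, evaluate_update(INSTALLED, pkg))
```

The `SOLD` case is the one both commenters are arguing about: the check passes and the only user-visible signal is the new permission, because the change of publisher is not an input.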


