this post was submitted on 20 Aug 2024
5 points (100.0% liked)

cybersecurity

64 readers
1 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Enjoy!

founded 1 year ago
MODERATORS
5
apps .. repo or not (m.krbonne.net)
submitted 2 months ago* (last edited 2 months ago) by kristoff@infosec.pub to c/cybersecurity@infosec.pub
 

Hi all,

Interesting problem. An open-source project gets their app removed from google play, so they post a message on mastodon that -for the time being- you can download the app via direct download.

I post a reply saying that directing people to a direct link is not a good idea, as hackers could start doing the same to spread malwhere, better use an official repo (like f-droid, where they are already on).

A typical problem of somebody who writes a genuine post, but without realising it himself writes something that is very close to what a phishing message would look like.

However, this got me thinking. What you want to avoid is that people get used to the idea that it is OK to download and install apps from a random URL. But if you point people to f-droid, they need to also download the apk for that, and configure the security on your phone that apk's downloaded via may be installed.

I guess, the later should surely be avoided as most people will then leave that option enabled. (I had to search deep into the security setting to find the option to switch it off again).

What are your opinions on this? What would be the best way to do this and not teach people bad security habbits?

Direct download or f-droid? Other ideas? Is there a good sollution for this?

Kr.

you are viewing a single comment's thread
view the rest of the comments
[–] gencha@lemm.ee 1 points 2 months ago (3 children)

It's good to have established release channels that don't rely on third parties in the first place. Everything beyond that is for convenience and strictly optional.

[–] kristoff@infosec.pub 1 points 2 months ago (2 children)

The problem is here is this: how is a user supposted to know if the official website of an application is organicmaps.app, organic-maps.app, organicmaps.org or github.com/organicmaps?

And even if she/he knows, hackers do ways to make you look the other way. The funny thing in this case is that the original author complained that the app was removed from google playstore, and did so on the fosstodon mastodon-server. Although I guess this was not at planned, he made the almost perfect social-engineering post. :-)

[–] gencha@lemm.ee 1 points 2 months ago

I totally agree with you on the phishing aspect. Good thinking.

I would prefer it if people already knew the domain from prior association. I still download desktop software regularly on the developer website, even though I am also aware that this is not without safety concerns. I know this is an unrealistic expectation at this point, but I dislike that the Google/Apple Stores have more trust, even though they regularly publish fake apps or apps with security/privacy issues.

Ultimately, publish on multiple channels regularly and let your users be aware of alternatives. Then they are enabled to switch when they need to, and it might also be easier for new users to recognize which release channels are official

[–] moonpiedumplings@programming.dev 1 points 2 months ago

https://en.wikipedia.org/wiki/Organic_Maps

Repositoryorganicmaps on GitHub

Unironically, wikipedia is pretty good for getting official links to projects/websites. It's not a guarantee, but it's a lot betted than just googling it,