Novel technique allows malicious apps to escape iOS and Android guardrails - eviltoast
  • Ghostalmedia@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    3 months ago

    Mobile dev here.

    I’ll play devil’s advocate. Android streamlined the PWA install experience a few years ago. You no longer need to drill into a menu and select an add to Home Screen option.

    On one hand, have more users using a better mobile experience, but on the other hand, I now have a lot of users that think they installed the native app.

    I don’t think the end user should need to care about my tech stack, but I could see how a malicious actor could dupe people with this newer streamlined PWA install flow. These malicious actors probably caught a lot less people with the old menu > add to Home Screen flow.

    • WhatAmLemmy@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      3 months ago

      That’s not really playing devils advocate. You’re correct. I was just highlighting the headline was disinformation. It’s true that the average user isn’t aware of the difference, but I would blame the OS for not making that explicit on install that this is a website and that authenticity should be triple checked. There’s also nothing stopping them from “installing” PWA’s via their app stores, except for their greed.

      • Ghostalmedia@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        3 months ago

        I guess I’m saying that I didn’t think the headline was too bad. There is a new PWA install flow that’s widely available on Android now, and phishing via that new PWA install UX is potentially a new hot area. I’m not particularly offended by calling that novel. Just my 2¢

      • trolololol@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        3 months ago

        There’s also nothing stopping a malicious actor from putting a malicious app in the store, whether that is a wrapper on JavaScript or native code. So I don’t see the distinction at all from having pwa or native apps barriers because they’re all weak.