Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> ADB installs are not impacted by the waiting period, so that is an option if you need to install certain unregistered applications immediately.

Someone is just going to make a nice GUI application for sideloading apks with a single drag-and-drop, so if your idea is that ADB is a way to ensure only "users who know what they're doing" are gonna sideload, you've done nothing. This is all security theatre.



> “For a lot of people in the world, their phone is their only computer, and it stores some of their most private information,” Samat said.

Not applying the policy to adb installs makes a lot more sense if the people this is trying to protect don't have a computer


I've seen a few apps that run locally on Android and hook into the ADB connection over loopback networking to do certain things.

This just adds the step of "download Cool ABD Installer from the play store" to the set of directions I would think.


Google could easily put an end to that if they wanted. Just block adb access from the loopback address and VPN. I'm surprised this isn't already in place. The setup flow for those apps you're referring to is awkward enough that it's clear it was never intentional to be able to access adb on-device.


You can run adb install locally without a computer


If you mean things like Shizuku or local adb connection through Termux, it's quite an awkward process to set up even for someone like me who's been building Android apps since 2011. Like, you can do if you really really need it, but most people won't bother. You have to do it again after every reboot, too.


Scammers will figure something out to help that workflow smoother, you can count on that.


People who want your money always want to have really great UX. I remember how painless buying lottery tickets online was, it was the smoothest checkout experience in all of online shopping I have ever done.


The scammers don't even need to make a GUI, they just need to get you to enable adb-over-tcp and bridge that to their network somehow - an ssh client app would do the trick.


How many people do you suspect are gullible enough to fall for these scammers but also competent enough to install an SSH client and enable port-forwarding for an ADB proxy? Like fifteen people worldwide?


How many people are gullible enough right now to plug a phone to a laptop over USB and execute an exe on an operating system with no sandboxing at all? ADB even seems to work over webusb. (at that point you may as well give up on hacking the phone, but I digress). That's exactly why I believe the problem is more complicated and why Google's solution is not really fixing anything, not for the users.


There's going to be a lot of people who don't have a laptop/desktop handy right now - because they're out of the house, because it's unplugged in a cupboard, or because they borrow it from a friend or use an internet cafe when they need that. So a requirement to use that and connect your phone to it is effectively similar to the 24 hr waiting period: time to think, time to mention it to a friend who's heard about this scam before. This is why phones are such an attractive target in the first place.


More than the number of people who will wait 24h


scrcpy can already do that.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: