Kristoff Bonne 🇪🇺 🇧🇪 (@kristoff@m.krbonne.net)
m.krbonne.net
@organicmaps@fosstodon.org OK fair point. However, if I look at this from a hacker perspective, you post looks like the ideal opportunity to post a message similar to yours, but pointing to a fake app containing malware. Proposing to people to download an app at some random URL, even if it has organiscmaps.app in it, is a bad idea. Also by mentioning that your app got blocked by google in a platform like fosstodon, directs people attention away from "is this real or mallware?" to "grr. I hate google"

Hi all,

Interesting problem. An open-source project gets their app removed from google play, so they post a message on mastodon that -for the time being- you can download the app via direct download.

I post a reply saying that directing people to a direct link is not a good idea, as hackers could start doing the same to spread malwhere, better use an official repo (like f-droid, where they are already on).

A typical problem of somebody who writes a genuine post, but without realising it himself writes something that is very close to what a phishing message would look like.

However, this got me thinking. What you want to avoid is that people get used to the idea that it is OK to download and install apps from a random URL. But if you point people to f-droid, they need to also download the apk for that, and configure the security on your phone that apk’s downloaded via <browser> may be installed.

I guess, the later should surely be avoided as most people will then leave that option enabled. (I had to search deep into the security setting to find the option to switch it off again).

What are your opinions on this? What would be the best way to do this and not teach people bad security habbits?

Direct download or f-droid? Other ideas? Is there a good sollution for this?

Kr.

  • kristoffOP
    2·
    23 days ago

    Obtainium seems to have a very interesting take on this. Thanks for the link! I will check it out 👍