126 comments

[ 3.8 ms ] story [ 660 ms ] thread
Oh yeah, they can spread malware for months, but I submit one fucking app that allows you create signs for your business for COVID-19 and all of a sudden I get a 'Sensitive Events Violation Suspension' and get a ding on my Google Play account.

Google has become Apple except worse because at least Apple is reachable.

Apple is pretty much the same, I've been trying to create a developer account for three entire weeks and it still shows as "pending" without info. I saw on the forums that for some people it can take months. It looks like some bureaucratic government body from the 90s.

I now advise my friends to switch to Android if they want to see the app, there's a limit on what I can put with. These companies should just be broken up in pieces.

At least Apple doesn’t serve you malware or harvest your personal data for profit.
I think that's the only positive thing I can say about them yes.
On the contrary, Apple has served malware to far more users than Google despite having far fewer total users. https://blog.lookout.com/xcodeghost-apps

Apple also uses your GPS data to update its location service (for profit), and unlike Android offers no way to opt out — if you want to get your location on an iDevice, Apple will get it, too. If you want to do something crazy like write apps for your own device without having to reinstall weekly, you have to deanonymize yourself with payment.

That's interesting to know, I was originally convinced by their marketing claiming the walled garden was at least helping a bit for security purpose but even that seems false.
It happened because developers in China were using a hacked version of XCode. The apps never escaped the sandbox.

I have no idea how Apple makes money by collecting location data.

I separate their concept of the sandbox (app permissions) from the walled garden (the App Store & the lockdown of user install). You can totally have a sandbox without a walled garden. It seems that in this case, the walled garden did not help in any ways.
This is all the apps could do.

The malware removes information off the device like the device’s name, country, and unique identifiers.

This part is complete conjecture.

According to Palo Alto Networks, it may also have the ability to push dialogue boxes to your iPhone or iPad’s screen. Theoretically, a bad guy could use one of these dialogues to steal your username and password or other personal information. The malware may also be able to open websites in your mobile browser, which could be used for a variety of malicious purposes again including phishing and installing other potentially malicious software.

(comment deleted)
>unlike Android offers no way to opt out — if you want to get your location on an iDevice, Apple will get it, too.

As far as I know there is not a way to opt out of this in (Googlified) Android. If you have Play Services installed (which you do, unless you've taken unreasonable steps to avoid it such as rooting and installing a 3rd party ROM), you get a dialog box popup whenever you enable location services which informs you that Google will be watching (it's framed as a consent dialog, but if you decline then location services will not be enabled). And you need location services even to use the GPS.

If you don't like Google, installing a community ROM that doesn't violate your privacy would be perfectly reasonable. If you want a megacorp service but not from a megacorp, I think you won't find that anywhere.
But then all banking apps stop working (including the 2FA apps "required" for using credit cards from some EU Banks; for EC cards you luckily still can use ChipTAN).

Also mobile payment will stop working, normally I wouldn't care about that but currently paying without touching anything is nice.

Then some apps you need for work might stop working.

Not even speaking about hounded of other apps.

The problem is to many app depend strongly on Google services which are not part of Android itself but shipped with every Google Android phone.

And to many institutions except you to either have a Google Android phone or a iPhone.

I could get away most of the time with a non Google Android phone but I will would need a second Google Android phone like 5 times a month or so.

Not true. With things like magisk and systemless root, the banking apps continue to work. At least my 4-5 banking/payment/credit card apps all work, with lineageos and magisk.
Thanks, I will look into it.

But how do you replace FCM? I mean most apps which where not intentional distributed over alternate app stores will just try to send notification through it.

Also I'm not so sure how legal it is to side load a app which is only meant to be distributed over google play.

Apps in the iOS App Store are allowed to embed silent spying that you can't disable (also known as spyware) that upload your location and activity data to third parties without your consent.

You're deemed to have agreed to this as a user based on the App Store Terms of Service.

Don't buy Apple's lies about privacy. It's just marketing.

The user decides if an app has access to his location.
Yes, but the permission is per-app. Let’s say I approve location for the app because the app’s function requires it: the third party spying SDKs embedded in the app send that location data off to third parties without notifying me or permitting me to stop it.

Apple permits this behavior in the App Store.

Furthermore, IP address is coarse location even if you don’t grant the app permission, via GeoIP databases.

Long story short, Apple allows apps in the store to embed silent, nonconsensual spyware that you can’t disable.

That's not how it works. If you install the app you are giving permission to the app to use your location however they want. It is pretty explicit.

From a legal perspective they are supposed to indicate as such in their terms and conditions, which you are supposed to read.

If an app's function requires location, how is it Apple's fault that the user decides it's better to enable that app to spy on him? If I use Waze do I expect privacy from it when it's essential that it knows my location?

Furthermore, on iPhone you get a warning when an app abuses the location permission, unlike Android.

At least on iPhones you have per app control, on Android it's either "location on" or "location off"

> At least on iPhones you have per app control, on Android it's either "location on" or "location off"

Where did you get that notion? Location permission has been per-app since before Android launched. Even better, you can get your location without telling Google, unlike on iOS, which always tells Apple.

> Furthermore, on iPhone you get a warning when an app abuses the location permission, unlike Android.

If you're talking about https://www.cpomagazine.com/data-privacy/apples-new-ios-13-w..., this warning just covers a bug in iOS. Android already requires the app to request location permission to use any API that will allow the location to be inferred (e.g., Bluetooth and WiFi scanning). Therefore, no such warning is required on Android. The app already had to explicitly request location permission.

> If an app's function requires location, how is it Apple's fault that the user decides it's better to enable that app to spy on him

Apple makes the iOS SDK and writes all the app store policies. They could deny apps that embed third party location data mining/spying that is nonessential to the app’s functionality, just as they do that now for checkouts/payments of subscription services that don’t use App Store IAPs.

Apple has taken an aggressive stance regarding the curation (alternately, censorship) of the App Store. Everything that is or isn’t in it is “Apple’s fault”.

They let App Store apps spy and harvest data for shady data and location miner companies.

This argument is very much the same as saying “just don’t install spyware” and literally proves the point that neither store is trustworthy.

On Android you too have this featureset, though the settings app is very limited and also has the same problem as OP mentioned. Just look at whatsapp, constantly trying to launch all other facebook apps in the background (verify this with a freezing app).

On Android (or AOSP, Omni, Lineage and the like) you at least have fdroid as an alternative.

The user isn’t assumed to be male. So in your sentence the preferred phrasing is “their location.”
i learned that you call them and it gets done immediately. submit, wait 24h, call. easy
My app got suspended because my self publish ebook reader could be used to search for books one of which had a kid with a nerf gun on its cover.
why would anyone need an app to print a text stating their business is closed?

probably someone was just looking for any reason to get rid of this.

Not closed... it's an app to generate signs from your phone about social distancing and other measures that are the law in some states.
They're not picking on you. You're just easier to identify. Don't take it so personally. That's a very biased view.
App stores are a trap. As developers we should be doing everything we can to keep the web alive. Every power you cede to a third party gets abused sooner or later.
Does google know which apps were infected and does it plan on letting folks installed know? It’s unfortunate their own project zero didn’t catch this.
The article lists the package names of the infected apps.
Let this be another nail in the coffin of the "walled garden" farce.

We learn this lesson again and again. People want someone to trust, but a bureaucracy isn't trustworthy. It has its own agenda and values inconsistent with yours. They take 30% from everybody whether they approve malware or not, and whether they reject legitimate apps or not.

Trust doesn't come from size. If you want someone to vet your apps, it has to be someone whose interests are actually aligned with yours, not just whoever is big enough to force everybody through the tollgate into their store.

I would still prefer to have to trust just one authority for my platform than a multitude of random developers.

> Let this be another nail in the coffin of the "walled garden" farce.

There is no coffin, the walled gardens are not dying, and have long since become the norm, which happened because the people found them to be better than the alternative: getting apps (and manually updating them) from many different sources of varying quality and convenience.

That's why you have package managers to work with thousands of repos for you.
yes, my granny loves working with her package manager with thousands of repos when she wants to install a funny kitty photos app.
Fdroid, ubuntu store, Discover, etc are all graphical interfaces to these. There is no reason to have one authority over packages.
> which happened because the people found them to be better than the alternative

Walled garden only exists because mobile devices make self-install alternatives very difficult or impossible to get on purpose, otherwise they would not be able to compete in any ways.

Case in point, the Mac App Store and the Windows Store are both moderate failures despite a lot of technical & marketing push.

Which is why with every macOS and Windows release there is some small fine tuning to drive the herd into the sandboxing model.

Like frogs cooking in water, macOS and Windows users will be eventually realize that all their apps are store based as well.

And for everything else they get Web apps, including AAA games.

Which AAA games are web apps?
The ones being served by Stadia, xCloud, GeForce NOW and PS Now.

Plenty to choose from.

That's a pretty loose definition of a web app, but I agree that those services are pretty poor.
Well, one needs a browser to access them....
I guess I’m splitting hairs. At least these systems aren’t the only delivery method for games, but who knows what will happen in the future.
I don't know anybody nor recall seeing more than a handful of mentions online of anyone getting their playtime via those services.
The only demographic that matters in the long run is the youngest demographic, and that demographic is the most likely to own/use very underpowered hardware (Since they don't have their own money to spend on nicer hardware. Often they use hardware issued to them by their schools, or hand-me-down hardware from older siblings or their parents.) The specific implementations of Stadia/etc may not prove successful, but eventually I expect a service like this to overtake the alternatives for very young users, and subsequently, achieve dominance when those young users come to view those services as normal and familiar.
The sandbox isn't the problem.

The missing authority the user has over it is.

E.g. you can have no wallet gardens but still sandbox every single application (which btw. I would prefer).

Most of the apps on my Mac are from the App Store and I wish all of them were.

The Mac App Store is not a failure from the user side, it's where users would look first. Nobody wants to have to go to different websites/repositories every N days to update all of their apps/drivers, or put up with spam from 10 different update notification mechanisms. I still remember that hell from barely 12 years ago. Why do you think gamers flocked to Steam?

As a developer, it's more of a failure of Apple's dismal documentation; I -want- my product to be a nicely sandboxed, well-behaved citizen that only accesses exactly just what it needs, but the state of macOS API documentation was too grim to learn how to do that the last time I tried (like "security bookmarks" and "file providers" from a relatively-simple Swift app).

You don't need a walled garden for that, a unified update api would suffice.
So much this. Linux distros with popular package managers offer official and 3rd party sources through one API. It's a dream compared to Windows and Mac IMO
I'd say that they are more than moderate failures. I've heard from many acquaintances who aren't as tech literate as myself that one of the major reasons they got rid of their iPhone was not being able to install applications from outside sources.

Myself, I would never want to trust anything centralized.

Clearly the iPhone is a massive failure and everyone is getting rid of theirs. In what country are you seeing this?
I never said it was a massive failure, but many people have switched over the years to some form of Android after getting fed up.
>>I'd say that they are more than moderate failures.

So... major failure? Is that what's in between moderate and massive?

If so, I'd love to have a major failure. :)

Meaning the central stores they attempt to force on us, not the devices themselves.
> Myself, I would never want to trust anything centralized.

How is that different from trusting multiple sources? You'd just be multiplying your concerns. Any of them could slip in some malware.

The only advantage I can think of is censorship resistance, or access to older versions and discontinued products.

It enables competition, which keeps everyone honest. If Amazon had an app store which was known to be full of malware then people would stop trusting them, but when there is real competition they need that trust to make money, so they would put in more effort to prevent that. If you find that your platform's app store is full of malware today when there is no competition, what is your alternative? Throw away your phone? Never install any apps?

The exposure is also not any worse when the people you trust are equally trustworthy. If you install ten apps from one distributor or ten apps from ten distributors and all of the distributors are equally trustworthy, the chance of an app you installed being approved even though it was malware is the same. It may even be lower because the distributors have to worry more about their reputations when there is competition.

And it also applies the other way. Right now they can reject apps that you want not because the apps are malicious but because they compete with the distributor's own. If there were five other trustworthy distributors then you could install it from any of them. So you could always get e-readers that compete with Amazon from Google, search apps that compete with Google from Microsoft, web browsers that compete with Apple from Mozilla and so on, no matter what kind of device you have.

> acquaintances who aren't as tech literate as myself that one of the major reasons they got rid of their iPhone was not being able to install applications from outside sources

Which applications did they want to install from outside sources? Which sources?

Where does something advertise itself as an iPhone app but not available on the App Store?

You misinterpreted. OP was saying that "Apple has walled garden while Google is open" farce is dying and this another confirmation.

Sadly people in general can't be trusted to make good decisions because of lack of knowledge and preference of short term gratification over long term well-being.

> OP was saying that "Apple has walled garden while Google is open" farce is dying and this another confirmation.

It's very hard to get that interpretation even after re-reading the OP's comment.

The authority isn't trustworthy though. They're a direct conduit to malware. That's the point here.

And try not to conflate walled gardens with software repositories. The benefits of the latter are available without the wall. The wall is significant because it stops you making your own trust judgements.

> I would still prefer to have to trust just one authority for my platform than a multitude of random developers.

You mean like open source developers?

> I would still prefer to have to trust just one authority for my platform than a multitude of random developers.

Single point of failure.

> > Let this be another nail in the coffin of the "walled garden" farce.

> There is no coffin, the walled gardens are not dying, and have long since become the norm, which happened because the people found them to be better than the alternative: getting apps (and manually updating them) from many different sources of varying quality and convenience.

No. The people have no alternative. How many people are able to install F-Droid on theyr phone ?

(comment deleted)
> There is no coffin, the walled gardens are not dying, and have long since become the norm, which happened because the people found them to be better than the alternative: getting apps (and manually updating them) from many different sources of varying quality and convenience.

No they haven't. Given a fair choice customers have opted for the alternative the vast majority of the time.

The walled garden models have only worked when companies have engaged in anti-competitive behaviour.

> Given a fair choice customers have opted for the alternative the vast majority of the time.

As in, Steam versus... Buying and downloading directly from the publishers' websites?

The Xbox and PlayStation stores? The Nintendo eShop?

The stores of the console makers use the same anti-competitive platform lock-in as Apple and Google.

Steam is the alternative where you get to choose where to install things from -- one of those places is Steam. Installing Steam doesn't prevent you from installing other software from the developer's website or the Linux package manager or Windows store or wherever you like.

> I would still prefer to have to trust just one authority for my platform than a multitude of random developers.

These are not the only two options. What about multiple authorities, but not random individual developers? That's basically how it works with e.g. game stores on PC (though Steam is certainly the largest), or package repositories on Linux.

Like you, I like being able to trust an authority to vet the software I install rather than having to judge the trustworthiness of each individual developer, but I'm not a fan of there only being one authority by design (as it is on e.g. iOS). It introduces a single point of failure and gives that authority full control over all software on that platform - for better or worse. Many package managers specifically deal with the issue of consolidating updates to a single system while not relying on a single authority.

> What about multiple authorities, but not random individual developers? That's basically how it works with e.g. game stores on PC (though Steam is certainly the largest), or package repositories on Linux.

> Like you, I like being able to trust an authority to vet the software I install rather than having to judge the trustworthiness of each individual developer, but I'm not a fan of there only being one authority by design (as it is on e.g. iOS).

You can already do this on Android though. Samsung offers an individual app store for it's phones, and FDroid works on all phones.

When it comes to the system's core sandboxing mechanism, only one authority can sign the certificates and provision capabilities etc.

If multiple authorities can sign apps, it sort of defeats the point and makes the sandboxing less trustworthy.

Right now, I can either: Rest assured that an app is sandboxed (via the App Store or macOS Notarization) or choose to let it run anyway (on macOS.) A dev could notarize their game (or not) and distribute it through Steam or the App Store, or both.

If Steam and GoG etc. could sign apps, then you're back to having multiple authorities of varying trustworthiness.

HTTPS has multiple authorities. do you use HTTPS?
That's not a good analogy for OS sandboxing:

• Will third-parties have the same standards for checking if an app uses only the authorized APIs and gating privacy/resource access?

• What happens when Apple/Google introduce new OS APIs, will those third-party signing authorities update their standards at the same time?

• What if a third-party goes rogue and starts signing malicious apps? How and how soon will we know?

> Will third-parties have the same standards for checking if an app uses only the authorized APIs and gating privacy/resource access?

You get to choose who the third parties are, so choose ones who do. Some of them may even have higher standards than the platforms do.

> What happens when Apple/Google introduce new OS APIs, will those third-party signing authorities update their standards at the same time?

This was solved decades ago. You introduce new APIs with new operating system versions and provide development releases to developers ahead of time so they're ready by the time the new system is released to the general public.

> What if a third-party goes rogue and starts signing malicious apps? How and how soon will we know?

Presumably the same way you know when Google or Apple does it.

> You introduce new APIs with new operating system versions and provide development releases to developers ahead of time so they're ready by the time the new system is released to the general public.

Even major companies still haven't implemented something as trivial as Dark Mode in all of their apps by now, I wouldn't count on them to keep up with more complex changes.

Google still hasn't implemented Picture-in-Picture on iPads. Others still don't support split-view multitasking. Both these features have been out for years.

My impression was that you were talking about API changes that actually require the developer to use them, e.g. because the old thing doesn't work with the new system anymore. Then you give them some notice and they're ready with the new thing because they want their app to keep working.

The things you're listing are optional features. That doesn't require some kind of coordinated effort. If one distributor requires support for Dark Mode on day one and another gives developers a year and another never requires it at all, so what? If you really love Dark Mode you can decline to install apps from distributors who don't require it. Or just decline to install apps that don't have it, which you could do regardless of what any distributors allow.

But security is not binary. They (especially Apple) are doing something to limit the amount of fraudulent apps on their platform.

I would strongly prefer having a free-for-all platform because I have some basic knowledge of information security. Most people don't.

How is your “knowledge” going to help you? Are you capable of vetting every app you install?
I’m capable of knowing which app I’m going to install. I’m unlikely to fall for Instagram-styled icons that promise me free face filters.
So would you have possibly side loaded an app from a trusted vendor like Epic?

https://www.theguardian.com/games/2018/aug/10/fortnite-on-an...

Back in the day would you have installed an app from a supposed trustworthy source like SourceForge?

https://www.information-age.com/hotbed-malware-another-blow-...

Or even further back, would you have trusted downloading software from CNet owned Download.com?

https://malware.wikia.org/wiki/Download.com

No, I only use Facebook and WhatsApp at the moment. I used to downloads lots of malware from porn sites back when I was much younger though.
So you realize your anecdotal usage doesn’t scale well to the general population, right?
I'm not sure what we're arguing about. I'm professionally involved in the field, I understand the risks when I press "download" or invoke a third-party script. I run things in temporary VMs. I only have Facebook, WhatsApp and Uber on my personal phone (those may be fraudulent, but on a whole other level).

General population is vulnerable to all sorts of malware and social engineering. I've personally witnessed people dear to me fall for the Clean you Mac javascript scams. That's why I'm pro-walled-garden, as I've expressed in the original response.

How does this:

That's why I'm pro-walled-garden, as I've expressed in the original response.

Jibe with this?

"I would strongly prefer having a free-for-all platform"

The original post was against the review process imposed by the platform owners. I wrote that while not perfect, it helps with security. Then there was one subjective statement on what I'd like for myself. I have limited knowledge of the language; I could have expressed that a little more clearly.
So instead of lots of malware you just stick to one.
You don't vet the app, you vet the distributor. This in no way requires there to be exactly one distributor.
Google play != Apple App Store
Good comment, I was just about to confuse them.
I never here users complain - just developers.
(comment deleted)
Nobody has yet said the words "lock-in device". Everybody moans about lock-in devices when it's convenient for them, but then they throw away the ability to use anything else by committing full-tilt to these mobile platforms where to install "unapproved" apps you have to literally hack your own device.

Apple and Google got rich doing what we would have lambasted Microsoft for, because our judgement is clouded by brands.

And yet Apple's walled garden is stronger and hasn't had anywhere near the malware problem that Google's has? I don't understand your point.

Privacy is where these companies' interests might not be aligned with users; when it comes to security, they very much are. It's just that for Google that's limited to their own services; they don't care so much when it comes to Android as a broader platform. But even then their interests are not not aligned with users. Just under-incentivized.

This used to be true. But both Google and Apple release badware numbers and independent analysts do as well. Badware rates are similar on both stores and have been for several years. Play used to be considerably worse than the Apple store, but that is no longer the case.

Being late to take security seriously has harmed google though, since this idea is now out there in the wild and keeps getting repeated regardless of the current evidence.

Of badware they know about. The linked article shows that isn't exactly a useful metric.
Of course it is of badware they know about. This is why 3rd party analyst reports are useful, since you get a second datapoint. This same issue is present for iOS too, so I don't see why it should lead us to believe that Play is worse.
Why are you shilling for AAPL shareholders? All megacorps are regulated by the same lack of rules other than maximizing their limited liability profits.
What about Facebook's API? It is basically at the same level of malware as the apps mentioned in the article
"a bureaucracy isn't trustworthy"

This kind of rhetoric has been popular in California at least since the 1970s and it has consistently played the same role, which has been to disguise reality. Bureaucracy is expanding because complex societies need complex bureaucracies. This isn't new. You can trace this far back in history. In some sense, the era of bureaucracy began around 3,300 BC when the first Pharaohs wanted to put up the first pyramids and found that they need hundreds of scribes to keep track of all the material, and payments for the material. And bureaucracy has gotten a lot bigger since that time. There are some totally legitimate criticisms that you can make about civilization, especially the way a complex civilization necessarily infringes on some of our basic rights, and the fact that there is a certain kind of inefficiency to bureaucracy. All the same, bureaucracy also has a kind of efficiency to it, especially when organizing things of immense scale. Lazy libertarianism is popular but it is not an accurate guide to the changes happening in our society or our economy.

The wording of the title is interesting - how it puts all the responsibility onto Play store and none of it onto the people actually developing the software.

We truly live in an age where the mass media demands that corporations censor and police everything we see and use.

I wonder when they'll start targeting Linux and Windows for allowing you to download and run malicious programs without any corporation approving them.

No worries Google fan. arstechnica is a paid Google "news" outlet. In the article, they downplay the damage and reach of the attack. If they titled it "Move along, nothing to see here" their ruse would be too obvious.
If I'd be a Google fan, I wouldn't have problems with them deciding what I'm allowed to download to my phone :(
It's not the media, that's the stance Google themselves adopt with Google Play by acting as non-neutral gatekeepers.

Few people lack the intuitive understanding of the difference between free platforms and controlled ones. People don't blame Google Search for linking to Stormfront, but they would blame Facebook for hosting it. People don't blame Linux and Windows for allowing you to install malicious apps, because these allow you to install any apps.

>People don't blame Linux and Windows for allowing you to install malicious apps, because these allow you to install any apps.

Ah you've really put your finger on something there. The entire concept of an app store, gatekept through a series of hoops to jump through and from which the company takes n% of profit where n is some shockingly large percentage, is a highly costly departure from the traditional model of "obtain software from third party, install". The justification for this mafia-like intercession between vendor and customer has always been "for your protection". If they don't provide any protection, why do we tolerate this racket at all?

Google advertises their store has "Google Play Protect" which promises to ensure no malware in the apps you download from them. Of course Google is going to get the blame when they make promises like that.
It doesn't say anywhere that it's infallible. https://support.google.com/android/answer/2812853?hl=en
Do you really expect it to say “Google Play Protect is infallible”? It’s obviously pitched as anti-malware and the fact that it’s not working is an issue despite them not saying it’s perfect.
The fact that it's failed to stop this particular attack does not mean this anti-malware solution is "not working".
I'm not really sure what you're arguing. An anti-malware system letting through malware is definitely not working as intended and should be fixed.
Except this isn't the first time happening; Google Store was fulled with malware forever. The techies will of course say it doesn't mean anti-malware solution, while greater masses will say it's deff an anti-virus of some sort by looking at it.
> The wording of the title is interesting - how it puts all the responsibility onto Play store and none of it onto the people actually developing the software.

But this is how app stores advertise their only benefit over traditional sales channels.

Besides what other comments noted there is the problem that sometimes Google knowingly tolerates software incompatible with their AGBs and through this endangering the privacy of users.

If I remember correctly TickTock was such a case.

Tin foil hat on. We had these iOS zero days and now conveniently we get something about Android security.
There's no tinfoil hat needed. It's pretty common for people who get their feelings hurt to lash out against "the enemy" with whatever they have. It doesn't matter how old the news is when they can just post it again and people will upvote it like it's new.

And it doesn't even necessarily have anything to do with Apple themselves. They don't need to spearhead this movement because fanatics will defend them like this anyhow.

The same goes for Google fanatics, and every other kind out there.

If you think this is the only news article that has ever talked negatively about Android security, I'd recommend reading the news more often.
Why haven't antitrust lawsuits made it mandatory that you can chose your app store after first use like it happened with browsers?
There's no monopoly in the phone market like there was with Microsoft.
I currently have F-Droid installed on my stock phone and Google did nothing to stop me other than a single "unknown app" warning.

Also, that's not how it works with browsers. You have one browser installed. I don't think I've ever seen windows or mac (or any linux distro I've tried) ask which browser should be installed. There's just the default one and the choice to install anything else.

They likely will eventually, but the browser verdict took a long time.

It's also unhelpful that many politicians have realised in retrospect that they quite like having single choke points that can be used to enact legislative control over the public.

It's emotionally difficult to find out about flaws in something you trust. I think humans really like black and white thinking, and crave association with people and institutions with blemish-free reputations. But the truth is that nothing and no-one is blemish free, especially if you zoom in on them enough. If you let it, then this truth can make you feel like you can't trust anything or anyone.

But its not true. You can trust. Although blemishes are universal, the scale of the blemishes are not. The key to trusting again in a world of flaws and faults is perspective. Is the flaw large or small? Does the agent accept it and want to fix it, or do they deny it exists (a much worse problem!)?

Everything has flaws, everyone makes mistakes, often people behave badly. That is never going to change. The thing we have to judge is whether the self-corrective systems in place are doing their jobs to acknowledge and repair the damage. IOW, making a mistake shouldn't determine trust, but failing to address the mistake should. One might call it "second-order trust". If you accept that, then the missing piece of this story is Google's response -- although they removed the offending malware from the Play Store, the journalist didn't apparently contact Google for anything else, like what steps they are taking (if any) to prevent this sort of thing from happening again. Ars didn't say anything about contacting Google, so I'd say that is an indication of lazy journalism, itself a sad but endemic problem in a world where we all have another false belief, that useful screens should be free (as in beer).