464 comments

[ 4.2 ms ] story [ 319 ms ] thread
I had fullscreen ads on unlock with another barcode scanner app - IDK if it was this one or another one, but I remember blaming several other apps before figuring out it was a barcode scanner and removing it. The really frustrating part was that trying to open the app switcher to find out what app this was coming from would also dismiss the ad somehow.
(comment deleted)
(comment deleted)
This is precisely why I have auto-updates turned off. No minor security or bug updates are worth getting an all-out infection(or unexpectedly losing features).
How do you decide when it is safe to update?
The short answer is "when the benefits outweigh the risks"; i.e. if there's a huge bugfix or new feature you need, but something like a barcode scanner is something whose change frequency should be very close to zero.

The "update culture" has unfortunately trained users to obediently "bend over and take it", which is horrible from both the security and change-management point of view; but is the dream of those who want to exert control over "the sheeple".

Your dogmatic approach to updating would prevent you from installing a version _without_ malware attached. For example, a version of Xcode circulated in China was infected with malware and once Apple had detected it, they asked all developers to recompile and update their apps immediately.

https://www.zdnet.com/article/how-malware-finally-infected-a...

With your attitude, you wouldn't have necessarily seen the efficacy in updating the apps and could still be infected to this day.

Every Google Play update prompt in My Apps has a description provided by the publisher. If there is an urgency to update and they don't say so, I'm not going to blithely accept every update.

Ior example, had there not been the exploit risk, I would have left Chrome at the older version, as their new tabgroup implementation is horrible, and it doesn't even allow you to open a new tab without creating a group or going incognito!

> Every Google Play update prompt in My Apps has a description provided by the publisher.

I hate to reply like this but, the vast majority of Google Play app updates go something like this:

"Updates."

"Fixes"

"..."

Having genuine changelogs would be glorious.

Apple and Google should require proper source and issue management, they could then generate changelogs automatically. Having that, they could then use machine learning against the code commits and issue titles to ensure that what people say are happening, are actually happening in the code.

I mean we've got ML that can generate code from natural language, I'm sure the bright sparks at Google and Apple could use some ML to, with a high degree of probability, say that the code does what the comment/issue says it does.

"performance improvements and bug fixes".

I just looked at the messages for the last ten or so updates on my phone and the last three were worthless like the above, but the rest were relatively detailed and informative. I imagine they are more motivated to give details when it's for new features.

  the vast majority of Google Play app updates go something like this
That's exactly my point. Unless they state something that accurately communicates risk and urgency, I don't upgrade.

Most updates of embedded-ad apps just seem to be changes in ads or ad engines.

Probably never. I mean, I am on iOS and as a developer I know how hard it is to get your code to run on iOS. Heck, security flaws that jailbreak an iOS device just via network/OTA is paid serious money for, there is no need to implement this.

I seriously ask the question what damage could a potential malicious app on iOS cause? There is no running in the background, so no exploiting while I don't use the app, no being part of a botnet when the app is closed. There is a FS sandbox that will not let you access another Apps data without being able to jailbreak etc. I think an auto-update is more risky on iOS than to live with an older version of the app that does its job (you never know what an update changes/breaks for you, and downgrading is not an option in the appstore).

Same here. Every now and then some app stops working or politely asks me to update, so an update it'll get (and at that point I have time to look it over and rethink whether I even need the app).

Last time I went on an "update spree" and updated everything I tend to use frequently, I got the new Firefox mobile update, which is frankly utter garbage, and now I regret it.

(Why it's utter garbage? It's much more laggy across the board, and there are issues getting uBlock Origin to work on it. And this tends to be the story with updates - I haven't seen the app that got leaner, or faster, or more ergonomic with an update. Not a single one.)

The OG Barcode Scanner app is getting absolutely throttled with negative reviews. But this posting seems to be about a clone app by a different developer.

https://en.wikipedia.org/wiki/Barcode_Scanner_(application)

https://play.google.com/store/apps/details?id=com.google.zxi...

(comment deleted)
(comment deleted)
I wonder if there's a coordinated effort to exploit barcode reader apps, because (at least where I'm from) its becoming a government mandated Covid tracing thing to use a QR code to "check in" to certain classes of businesses/venues?

I bet there's a _huge_ increase in use of QR code scanning apps compared to this the last year...

Its kind of amazing that there isnt an official qr code scanner app preinstalled on phones given how ubiquitous QR codes are.
I think Android 9 and up has QR code scanning built into the camera app, same as similarly recent vintage iOS. iOS is somewhat less problematic given that ~98% of devices are running current or one version old OSes, where the Android fleet has a huge install base who won't or can't upgrade from pre Android 9 versions. Last time I looked it was still over 40% of all Android devices.

I've side loaded LineageOS into a few old old Android devices, Galaxy S3 and S4s, but my S6Edge is still running the Android7 OS it has when Samsung abandoned it. My similar vintage 2015 iPhones 6S is running fully current iOS14 - but it is the oldest Apple device that'll run it. (To be fair, my Samsung S3 vintage iPhone 5 can't run anything newer that iOS10.3).

There is, on Android point the camera at a QR code and it will scan/read it.
I think both Android and iOS have been shipping a built in QR code scanner for some years now.

Wechat had 1.17 billion users last year and has had a QR scanner built in for many years now. Given that you need the app to login to their web or desktop applications, it can be presumed that that many users have the app installed, possibly making WeChat the most popular QR code scanner app.

Interestingly, I just checked the QR code scanner app I have on one of my Android devices (A Samsung S6Edge abandoned and unupdateable from Android7 - without jumping through some hoops I've not been inclined to do yet).

As soon as I opened it, it popped up a dialog box with non ascii text in it (Arabic or maybe Thai script?) with yes/no options, for all I know asking fro permission to steal my contact list... I just closed the app and uninstalled it.

It was "QR code scanner free" by Application4u. It does disclose "Contains ads". 4.5 stars, 10million+ downloads. Has some expected permissions (camera) and a few less expected ones (storage/sd card) and a few very suspicious ones (full network access, prevent phone from sleeping, connect and disconnect from wifi, view wifi connections - I guess maybe these are needed for the ad serving in the free version? Seems like over reach to me...)

My phone was affected by this, and I can confirm I had the original barcode scanner app in your first link installed, and I'd had it installed for years.

I now use Google Lens through the default phone app.

Yeah it's a really bad idea that they just called the app "Barcode Crossing" instead of "Zebra Crossing" or whatever. Completely generic and impossible to defend the brand.
I had this one (by ZXing Team) and never noticed any negative behaviour, but given that the default camera app now supports QR Code scanning I don't see a reason to keep the Barcode Scanner app.
Which default camera app? From which version?

(The proliferation of manufacturer camera apps is one of the worst things about android)

Good point. Whatever the default is for a Samsung S10e. I agree that the forking by all the manufacturers is a PITA.
Apple’s (often critical) review process for app updates is shining right now!

Edit: /s

(comment deleted)
Apple does not let you back out an update you made and regret.

Apple does not block apps from using the network or give you any way to find out what they are doing and who they are talking to.

In fact, apple does the opposite - it blocks apps that let you firewall your phone.

Applications like Charles [1] allow you monitor network connections and data closely. Apple do not actively prevent this.

You can also setup a VPN to route traffic and strictly firewall.

[1] https://www.charlesproxy.com

Charles must have some wild carveout from apple. All other apps that do that have been shut down. I still run a very old version of adblockios that starts a vpn (proxy) at 127.0.0.1 and blocks traffic that way. mostly.
I think the parental control app Circle does something similar (faux-vpn proxy). When I tried using Circle, it seemed a bit convoluted to me, so we ended up uninstalling it. So, I’m not sure how unique this method is. But, I’m not sure I can think of another way for a network blocking/security app to work on iOS.
Charles is great, but it can't view the data for any app running pinned certificates.
This works as long as the app does not enforce certificate pinning. But if it does, there's no way to override it and inspect what's actually going on, as I can on my desktop.
Apple does a pretty bad job here too. The difference is is that their sandboxing model is better.
Stallman calls autoupdates a "universal backdoor".
He is right in a sense, and cases like this give him proof, but on the other hand, most people don't see the point in patching their software. They'd just keep it around unpatched, while connecting it to the network. Is millions of vulnerable devices better than giving vendors of some software the ability to remotely patch their software?
There's a third possibility, and I think it's Stallman's ideal computing landscape: all users care deeply about the code running on their machines and they are competent in applying and vetting patches, building from source, etc. It's unrealistic, sure, but it sounds nice right about now.
I think back when he posted it, it might have been possible for sufficiently motivated and talented individuals to do such vetting, albeit even then it would have been a stretch. Nowadays the amount of code running on various devices in a single home has increased so dramatically...

Think of TV remotes. They used to work with infrared. Nowadays, there are bluetooth remotes (not sure how widely deployed they are, but at least some vendors offer them instead of IR remotes). An infrared device can be send only. No way to hack it even if you have an infrared sender in range. The pattern transmitted was quite simple. The bluetooth protocol however requires both sending and receiving ability. Bluetooth stack is in the tens of thousands of lines range. There will be a security bug somewhere...

This TV Remote exactly clearly gets to the point: What do you think is more likely, a malicious hacker driving a van and parking in front of your house? Just to exploit the TV remote via Bluetooth, a device that has no sensitive data, is not connected to the internet and can only be used to make TV inputs like switching channels? Or rather that your TV vendor like Samsung or LG decide one day that they offer a firmware "update" that will log what you watch on the TV, upload screenshot of the device and installed App to the cloud and sell to 3rd parties? My bet is on the later, and it exactly makes the point that auto-update is more dangerous than having a security flaw in a bluetooth TV remote.
I agree it's unrealistic, but I think Stallman and many others like him would rather forego the benefits of a bluetooth remote than embrace the status quo.

OpenBSD for instance, was recently discussed on here for dropping a Bluetooth stack over concerns about the correctness of the implementation, and no one has bothered to write a better one.

I don't think it was ever Stallman's point. He is smart enough to recognize most users aren't going to be technically competent.

He's also smart enough to recognize is that most people are going to have someone technically competent in their circle of friends, or within few minutes of walking distance. So people need a set of rights that will allow them to ask or hire someone else to care for their computing. In this sense, Free Software is like Right to Repair - it isn't about making individuals technically competent; it's about enabling local markets of specialists.

Not everybody needs to do that, but then you need to rely on people you can trust. Of course we already do that to some extent in app stores: I don't install something from unknown developers that requires all sorts of permissions it shouldn't need, I do install from developers I think I can trust. But if I don't trust them, I lack the ability to inspect their code. That's indeed the big thing that's lacking.
> He is right in a sense, and cases like this give him proof, but on the other hand, most people don't see the point in patching their software.

We are not talking about patching. We are talking about updating.

> They'd just keep it around unpatched, while connecting it to the network. Is millions of vulnerable devices better than giving vendors of some software the ability to remotely patch their software?

Yes. Vendors do not patch their SW. For the average SW developer fixing bugs is like castor oil. Remember the forced transition from Win 7 to Win 10 when a good OS was replaced by an abomination ? And no, 10 is not better securitywise than 7. There are lot of RCEs in 10. Did you ever play an EA game ? With Origin doing a 4GB update before playing ? On a 25 Mbps internet connection ?

So for me if you have a security patch for your sw i will apply it. Maybe after some buffer period in the case of known offenders (MS) depending on severity. If it's "performance and usability improvements" just forgetit. If you did't bother to write a changelog for your SW i will not waste my time and money (an internet connection is not free ) updating it.

What stops them bundling something malicious into the “security patch” and then not writing it into the change log?
App review... maybe? But the review (especially on Android) would have to be much more careful than it is nowadays...
Traditionally, when someone deliberately does something that causes significant harm to someone else, we address that by giving them a chance to defend their actions in court and if their defence is not acceptable we penalise them. It is strange how easily we forget normal behaviour as soon as technology comes into the picture.

If you had a shower fan/light that broke, and the manufacturer supplied a new model to replace it that had a working fan but no light and also an undisclosed camera and connectivity that sent everything it saw home to the manufacturer, no-one would be debating the situation. People would be going to jail.

Basically all phones are behind a NAT/firewall. You can't connect to them directly.
They can connect to whatever they want, it's more than enough.
Plus many services can send push messages to the phone. E.g. Whatsapp. Bezos for example was hacked through a Whatsapp message containing an exploit.
On my home WiFi, my phone is on IPv6, and therefore not behind NAT (it is on a NAT address for IPv4, though). I've not done any super-geeky things to enable this, it's a standard router from a mainstream internet provider.

Pinging the IPv6 address from outside doesn't seem to work - I guess there is some sort of firewalling going on.

Maybe I'm a luddite but updates are not always necessary. It's a barcode app, what updates does it need? Is there a cve that needs to be patched? No? Then I don't need a new version
"is there a CVE" is not a question that regular people can, will, or in my opinion even should ask.

I mean, if they do, all the better, but my point is that advanced enough tech knowledge should not be a requirement for a safe system.

I’m usually like this. Then my bank’s app refused to launch until I updated.

They re-designed it. When I went to click my usual “schedule payment” button on a bill payment, it just said “Coming Soon”.

I wasn’t a happy person about it.

Big Canadian bank too. US$65b mkt cap.

I never use my bank app because I don't fully trust my phone but they redesigned their website to be more mobile friendly. Now I can only see 10 operations at once instead of 30 before, and I can no longer sort by amount...

When I complained 2 years ago about it my banker told me to participate in their feedback program... Now they send me market research polls about future products and features, no way to report usability issues, it's not even run by the bank itself...

Financial services companies do seem to be particularly bad when it comes to UIs for their customers. Both awful apps and broken "mobile-first" sites seem to be par for the course these days. A few do try to do better, but the reality is that most people don't change banks for much more serious reasons than this, so the banks have a financial incentive to just throw some mostly workable junk together and ship it as cheaply as possible. :-(
It’s a bank app. Keep your bank apps up to date.

Complain about updates all you want but not keeping your bank apps up to date is the wrong solution.

> Big Canadian bank too. US$65b mkt cap.

Well then, let me tell you about Toronto Dominion bank (TD, market cap ~$105B)

The app allows you to photograph a cheque to deposit from the app. This option is displayed for their TD USD chequing account.

I scanned a cheque from a US bank in the app (to deposit into my USD chequing account), only to be informed that cheques from US banks cannot be deposited using the app and that I'd have to go to a branch.

The same app is missing transactions and does not correctly display the current balance of some accounts (which are correctly shown in EasyWeb) The app has also blocked screenshots, so I was unable to provide their customer support with proof of the missing transactions.

Call me entitled, but I would expect all transactions and current account balances visible in the web interface to be accurately reflected in the bank's official app.

If you have ever experienced N26, Revolut, or any number of European "FinTech" banks, you will understand that Canadian banks are busy banging rocks together while telling you they're hot shit.

> I scanned a cheque from a US bank in the app (to deposit into my USD chequing account), only to be informed that cheques from US banks cannot be deposited using the app and that I'd have to go to a branch.

Dunno if Canadian banks would be game for this, but back when AdSense only mailed cheques in US$, and inexplicably refused to e-deposit to my US-based bank account, I’d mail my cheques in.

Generally the apk can be decompiled and the protections stripped if it really bothers you to update.
(comment deleted)
Better scanning in low light, better error correction in code recognition, ability to recognise codes from a further distance, faster capture of codes, more options of what to do with the resulting data, reduced power usage while scanning, better user interface choices (e.g. updating to support more devices or matching new platform UI), ability to interface with external barcode scanners, better privacy protections for the user, reduction in overall package size, etc etc etc.

There’s always more things you can do to a product to improve it for its users.

(comment deleted)
I use iOS and have App auto-updates disabled (not the system update). We are at a point where auto-updates are more risky than the security flaw itself - especially since iOS has a pretty good sandbox, especially since its impossible for one app to access the data of another. Additionally, the App usually connects to a pretty limited set of servers, and is not publicly reachable. So the attack vector is pretty small.

Another point is the often complete change in UI or app behavior and you only find out about when you want it the least. I once had the case where I came out of a bar in the middle of a cold night, tired, had some beers and just wanted to use my Bikesharing app to unlock a freefloating bike to get home - whilst the app decided that it had to introduce a completely new UI and forced me to take an unskippable "guided tour" through the new features right at the spot.

> We are at a point where auto-updates are more risky than the security flaw itself - especially since iOS has a pretty good sandbox, especially since its impossible for one app to access the data of another. Additionally, the App usually connects to a pretty limited set of servers, and is not publicly reachable. So the attack vector is pretty small.

I'd have to say that most apps now connect to a rather large number of hosts/servers, and it's getting increasingly untenable to not offer users proper control of this. I get that Apple wants to be "friendly computers", but looking at my firewall logs I'm seeing:

- third party audience segmenting - third party analytics - third party static content being fetched - third party ad networks - first or third party generic cloud server connections

I think the attack vector on apps is quite significant if you consider the app itself to have been built to monetize data - there's no outbound traffic filtering to check the system isn't leeching user data and/or device identifiers (the latter getting better and hopefully Apple will require consent soon for the ID for advertisers).

It's trivial to make an app that leeches a user's contacts regularly to a server, then does anything the developer feels like to build a social graph. See clubhouse. I fear the biggest issue for most users' privacy are the "legitimate" apps they use simply not being built with incentives aligned with their interests, and having access to phone home to any server with anything they can access.

hopefully Apple will require consent soon for the ID for advertisers

Just think through the implications of that phrase for a moment, though. Your own device comes with a built-in mechanism specifically designed for advertisers to track you. Why was that ever a good idea in the first place?

Such mechanisms have already existed and never needed OS-level sanction. It’s pretty clear that Apple is employing the strategy of “embrace, extend, extinguish” against tracking and privacy compromising dark patterns. In other words, force developers to use a special API, then give consumers the ability to block it. The current stoush with Facebook is only the most formidable hurdle Apple has encountered so far.
That is the usual argument, but I don't see how it stands up to scrutiny.

Either there are alternative ways to track a user of an Apple device without IDFA or there are not. If there are, then it is reasonable to assume that unethical advertisers will return to using them if their access to IDFA is gated.

So, whether or not IDFA exists, the only robust way to protect users is to block apps from having access to anything about the host device that implicitly provides a unique method of identifying the user.

This is what other platforms have been trying to achieve. For example, in the web browser ecosystem, software has been restricting programmatic access to features that can be used for fingerprinting or deliberately reducing the level of detail exposed by some APIs.

With control of the entire ecosystem, why is Apple not better placed to adopt this strategy than anyone else, and whether or not Apple is technically capable of achieving the perfect result, how does introducing IDFA make any difference?

It does seem like when IDFA goes, apps will be struggling for identifers, at least on iOS. I've seen a few articles suggesting they will be back to trying to fingerprint devices (in manners that break the App Store terms of service).

I agree entirely - it seems that the solution going forwards is to prevent any access to any kind of persistent identifier that is part of the runtime environment. This might get in the way of some security mitigations (which seem pretty weak to begin with) and some monetisation models (i.e. enabling pervasive tracking across apps), but the end result feels more "clean" and like users would expect - the app runs in a sandbox where there's no access to anything to distinguish the app from any other instance of it.

Clearly keeping this up at the network level is far harder (and some app developers will probably fall back to using the WAN IP and other factors), but perhaps there are even solutions here - perhaps TCP relay servers mix user traffic (while leaving it HTTPS-protected) to prevent services from seeing user IPs, and a virtual network interface internally in the runtime ensures apps only see an IP of 10.0.0.1.

It seems a worthy goal to try to ensuer that runtime environments are indistinguishable, at least to end cross-service ad tracking once-and-for-all. Handling it within apps probably comes down to policy - not sure any technical mitigations can prevent this while apps can remain Turing complete (as they can simply store their own identifier).

> I don't see how it stands up to scrutiny.

That would be premature. Nobody is in a position to know how the "extinguish" portion of the plan will turn out because it hasn't happened yet. All we can say is that the plan looks quite robust in theory and would be a significant coup for Apple if they can pull it off.

Obviously there will always be some unethical operators, but that is true of all major platforms. Apple has the benefit of top-down control and some amount of market incentive to get it right.

> For example, in the web browser ecosystem

...there is precious little to block effective fingerprinting of 99%+ of installs and little prospect of that changing.

Agreed - it really is absurd. One time I tried to design as a thought experiment a "platform" where each execution environment of the app was absolutely indistinguishable from any other.

Unfortunately to make it work you can't give it network access (easily, at least). But you have a whole host of stuff in /proc and /sys that you also need to block (at least on Android) - there's just too much unique per-device information available to apps. Clearly ensuring runtimes are indistinguishable was never a design goal (as some simple chroot'ing together a virtual filesystem would help to prevent a lot of this, as long as the APIs are limited enough).

But alas, when your phone OS comes from an adtech company, that is probably a hint they are not interested in making it indistinguishable from others.

> there's no outbound traffic filtering to check the system isn't leeching user data and/or device identifiers

But there is the iOS sandbox FS. So if an App gets exploited, it can only every leech the data from exactly THAT app. Just the same as an auto-update might just start to leech and upload that data. Given the real-world practices, I think it is more likely an App creator choses to upload the data, than some malicious hacker doing it.

> It's trivial to make an app that leeches a user's contacts regularly to a server

On iOS this is not possible - either the App requests access to the contacts list then I have to consent via iOS sandbox features, or it doesn't get access. And if I didn't give this consent, any security hole that exploits the App will need to get that consent too (at which I will not give it).

From a technical perspective, you're of course right.

I fear however that the majority of "regualar users" are being coerced into giving consent without realising what is happening - seeing the number of people end up in a FOMO-induced panic to join Clubhouse (or whatever the next big popular phone number based app is), a simple "give access to your contacts to invite a friend" masks the fact the app uploads your contacts to the server every time you open the invite tab.

It feels we need to address coercive practices or at least try to do some kind of taint analysis to allow iOS to alert that it believes the memory buffer about to go into a networking API originates from a permission-protected memory buffer, and are you sure you want to let the app upload your contacts... But I suspect we just end up shifting the problem, and they coerce users again, ad infinitum, until they harvest their social graph (illegally, at least in Europe/UK).

And even when you choose to only manually upgrade, carefully looking at the changelog, but it just says "Bugs fixed."

The Play Store doesn't give enough information to really judge if the upgrade is necessary.

"Bug fixes and performance improvements". ~AirBnB
My Nokia 7.2 has had so many performance improvement updates I fully expect it to be faster than the latest iPhone flagship.
We need a culture that distinguishes between truly necessary updates like security ones and general updates that change functionality and interfaces. One type is essential and we want to encourage everyone to install those promptly. The other should always be optional and the changes being made should always be transparent. Bundling the two is a common but user-hostile behaviour.

This separation should be the price of admission for software developers who want to use online updates, and by now there is probably a need for real laws to regulate the industry since firstly it is very clear that it will not regulate itself effectively and secondly it is no longer just random applications but essentials like operating systems, web browsers and even the software controlling your car that are being treated in this cavalier way.

This would be nice, but a developer could still publish a malicious update as an important security fix.

Also it gets very hard for developers to keep track of past versions and apply new fixes to them, when they also have to apply fixes to the new versions.

Also it gets very hard for developers to keep track of past versions and apply new fixes to them, when they also have to apply fixes to the new versions.

Then maybe they release too often?

I have been developing software professionally for a long time, much of it code that needed to be high quality. I have never worked on such a team that couldn't keep track of its own software, often over a period of years or even decades, and backport fixes when necessary.

Yes, it's less convenient for the developers than just having a single version that users are forced to update constantly if they want fixes. But it is achievable if you drop the pretence that every minor change in functionality or appearance must be pushed into production instantly through some CD system, which is of course a luxury that only those running hosted software have anyway.

Stallman is almost always right but nothing he says is particularly surprising or useful.

Yes auto updates allow delivery of malware but its not like manual updating was any better. No user was auditing changes before hitting the update.

But if you were slow updating you could avoid a malware once it was known.
Who will detect the malware if we are all slow to update?
The early adopters. There are always people that will weight that risk of latest & greatest and vs buggy differently, it should be a choice. Especially for apps that don't have a beta testing or early bird channel.
Also if you were slow updating, you could avoid critical security patches (and many people did)
Yeah and missing security updates was WAY more common, autoupdates is the lesser of the two evils by far ...
Which affect the OS mostly and not individual apps. Funnily enough OS updates are usually not automatic. Which I think is a good thing because vendors keep mixing them with "feature updates" which end up making things worse (looking at you Samsung).

I'd love for Google to take away the security update channel from the phone vendors and auto-update ONLY security-related things through that.

So what happens if you are on an old version, a security issue is discovered, but they only fix it in the new version?
Give a user a choice though, and they dismiss the update notification because it's naggy and annoying and usually involves restarting your app or OS (I'm mainly thinking of operating systems here).

Microsoft went in hard / aggressively and are forcing update installs and restarts, which IMO is going the wrong direction.

Wasn't there a Linux project where they could update the OS / kernel without a restart? I feel like this is what all OSes should aim for. I like to think Android is going in one direction, moving shared libraries (Play Services) outside of the core OS so it can be updated independently.

> Wasn't there a Linux project where they could update the OS / kernel without a restart?

Ubuntu? Last time I updated, they asked me if I wanted to start using Livepatch, so it seems pretty integrated: https://ubuntu.com/security/livepatch

(though I'm horrible at noticing the critical battery warnings so I get frequent reboots for free – but that method wouldn't work on Windows which installs updates on shutdown!)

> Give a user a choice though, and they dismiss the update notification because it's naggy and annoying and usually involves restarting your app or OS (I'm mainly thinking of operating systems here).

...or because it doesn't justify its right to be there. As a user, the updates mean to me a high probability of getting more bloated, less usable app with important functionality moved or missing. The security implications are abstract. The usability impact is real.

Windows is in an even worse position because of NTFS file locking shenanigans. A lot of the time you can't even update the userspace without rebooting.
I didn’t know that automatic app updates could be turned off until I just tried it now in iOS, thanks! Just a side note but think that Google and Apple took way too long to provide built in apps for using your phone as a flashlight or scanning a QR code. They allowed this malware cottage industry to flourish.
iOS these days also grants Apple full automatic OS updates by default, too.

You can turn it off, but you have to dig in settings. During initial iOS 14 setup it has a screen telling you it's turning autoupdates on, but you're not allowed to opt out there.

Unattended upgrades are a remote code execution vulnerability.

I used to think he was "crazy" and I disregarded a lot of what he said. Recently I was reading the FSF website and I realized a lot of the stuff on there is actually full of some pretty good points, even if it's sometimes presented in a slightly "judgemental" or perhaps emotionally-charged manner. Some of the statements might not be 100% perfectly factually precise, but the jist of them is generally on-point. I have recently been a LOT more cognizant of the ways that corporations and software outfits exert control over the people who use their software. Now that I see it more, and look for it more, I am getting suuuper unhappy with the current state of computing. :( A lot of the complaints I've had about software and computers in the recent years are generally the direct result of the software motivations of for-profit/proprietary software vendors. I can still use all the OSS stuff just as I always have, and it's actually the most stable and reliable stuff I use.
I've seen Stallman live, and in many interviews. The guy is in fact "crazy" in a loose sense. Really. Unfortunately, he is also often right. It's not a useful combination.
This, is why I am going to buy more apple stock tomorrow.
Thinking about it, Apple seems like they'd have better dealt with this sort of issue in four ways:

* Stricter review process to catch this preemptively

* Stricter app isolation to limit impact without a vulnerability explicit

* Longer maintained and more forceful operating system updates to minimize the number of phones running with known exploits

* Likely removing/disabling app from phones and not just the app store

I think you mean Google, but also noting that #4 is possible (supposedly) through Google Play Protect
Stuff like this happens on iOS all the time and everyone just ignores it because it's mostly sandboxed. Apple is terrible at stopping malware until it ends up in the news.
Source? Or you just made that up?
The first didn't cause any user issues as I'm reading it except extra data usage. I don't think it even did it in the background but only when the app was running. So I wouldn't even call it malware. Unlike this Android app which showed ads to users outside the app.

The second is Mac not iOS which had a much more relaxed security model.

The article about the 18 apps says that the ads were running in the background.

A Forbes article on the same incident also reports that data was exfiltrated from the infected devices:

> the trojan [...] sent data from the infected device to an external command and control server.

The only reason this was detected was very overt behavior - opening AD popups. So I guesstimate for each one of these we have 10 that go undetected. This means the whole ecosystem is broken, as there is no reason this will happen only for updates and not for new apps as well. Apple's ecosystem is somewhat better, but I can't imagine they go through every line of code in each package, so most of their review is probably done with some combination of automatic static and dynamic analysis, and these can be fooled. The problem with both platforms is that they don't provide run of the mill users the option of installing an effective firewall and security solutions.
This happened on ios for me years ago.

I had two apps that radically changed their business model (owner?) through updates with no recourse.

I had an app called gas cubby, which let me locally - on the phone - keep track of all my vehicles. I could enter detailed information about each car such as year, make, model, vin, insurance policy, gas purchases, oil changes and the like. It would tell you gas mileage and remind you of upcoming maintenance. One day, I updated the app and all my local data was uploaded to the cloud.

Another app I updated was camscanner from tencent that basically did the same thing. Think of all the PDFs you scan going to their cloud.

School tried to make me use camscanner, glad I took the extra effort to do something else. Thanks for the anecdote.
I absolutely love Camscanner, and I have been for over a year on the old version because I refuse to update to the new version which requires network permissions. I exactly suspected this is why it needs those permissions.

To what did you switch? Camscanner is otherwise an excellent app, especially for combining multiple images and straightening them out.

Not OP, but I switched to using Microsoft Office Lens.
Thank you! This one seems to have the features of Camscanner that I use: straightening documents and combining multiple images into a single PDF.
Adobe Scan is a solid option as well.
Adobe has lost my trust years ago, and I see that viewpoint vilified often enough to never use Adobe software again. The only Adobe product that I still use is Magento, and only that on client sites. I would love to find a non-Adobe alternative.
I just continue to use the brother scanner in the other room. I don’t recommend brother, they updated the software and somehow took away features.
Unfortunately the HP scanner doesn't fit into my meeting bag!
Try OpenScan, open source document scanner app...

Source: I am a user

Thank you. Unfortunately, it seems that OpenScan does not have the feature to straighten out photographed documents. Cammscanner has its own camera app, which has features specific to photographing documents.
yeah this is one reason why I can't take mobile app end to end encryption, or client side only, claims seriously. a single update at any time could undermine all of that

and secondly, they or an analytics package can just read everything client side and upload it to a server anyway

doesn't matter if its whatsapp, or signal, or some protonmail client if such a thing exists

I just don't use them with that assurance in mind, I use them for other things.

>yeah this is one reason why I can't take mobile app end to end encryption, or client side only, claims seriously.

If it's a large company like Facebook that values these products like Whatsapp at billions I trust them at least on this issue. I'm pretty sure they're not going to put junk third party malware for 50k into the Whatsapp client.

This is mostly an issue for apps done by individual developers who have huge incentive to take these deals, like the barcode scanner in question.

They've been sideloading with React Native, allowing updates even for people without automatic updates enabled, and have abused enterprise/privileged developer keys which allows access to additional parts of the system. I just don't see how you can draw that conclusion.

I use the apps for other things, not for any assurance of privacy.

> I trust them

You literally mentioned a company that betrayed trust so bad a government tried to call them to account.

Are people capable of enough nuance to distinguish between issues that large tech firms are likely trustworthy on and issues that they aren't?

When they stand to make billions from breaking my trust I'm sceptical. When they stand to make a penny and ruin their entire product, then no I' not.

The problem in question here, that rogue developers sell out their product to third parties, is not an issue that Facebook, Google etc have. They have every incentive to keep their software secure.

A betrayal of trust will not "ruin their entire product", we've already seen that it won't (no matter the scale). Believing a small betrayal to be worse than a big one is your right, but that doesn't mean it isn't naive.
Your whole premise is based on a very arbitrarily low value of collecting your plain text data? From a company that is a machine built for monetizing this specific thing? And that they wont because their users care about trust too much, users of Facebook products but specifically whatsapp? And you think the rest of us arent compartmentalizing our issues with that company enough?

this is.... I’m speechless, I ran out of words for this absurdity

I get what you're saying, but it's funny because what the dodgy small players do with the data is actually sell it to facebook. You're just cutting out the middleman here.
>If it's a large company like Facebook that values these products like Whatsapp at billions I trust them at least on this issue. I'm pretty sure they're not going to put junk third party malware for 50k into the Whatsapp client.

Zuck: They "trust me"

Zuck: Dumb fucks.

That's a one dimensional way to think.

You may not be able to trust facebook with your privacy, but you can trust them not to install a malware that swipes your bitcoins.

That being said, I despise the current state of affairs with cellphones. I don't like needing to trust any corp. I'm jumping to a Linux native phone when my current device dies.

>you can trust them not to install a malware that swipes your bitcoins

Sure, they might not take malware that swipes my crypto, but I wouldn't put it past them to take malware that uses my resources to mine for crypto. What is the downside for them?

Camscanner was a blatant bait and switch. When I first started using it, I paid for a license to get full functionality with no ads/watermarks/etc. Magically, years later I got reverted to the ad-supported/free version, and my license was nowhere to be found. This was at the same time they moved to "cloud features" and a subscription model. Their reviews are littered with people having the same issue and the developer copy-pasting some response that doesn't work.
I haven't had this issue with Camscanner, but I've had it with other apps. One outright disappeared from my library, as if I have never had it installed.
> One day, I updated the app and all my local data was uploaded to the cloud

This happened to me with Chrome. It auto-updated, then automatically synced browser history, passwords, and who knows what else, to Google. They soon changed it to opt-in sync, but it was too late for me at that point; they had already hoovered up my personal data. That was when I stopped using Chrome and switched fully to Firefox.

I gave Slacker Radio the big heave-ho when they decided they wanted to help themselves to my contact list. They did that just before I was about to pony up for a paid subscription. Bullet dodged.
I've been writing apps for a long time. They are usually free/Tier 1 apps.

A while back, I was approached by a [NATION OBFUSCATED] developer, asking to buy up one of my older apps (they are all open-source).

I ignored the request, and reported the approach to Apple, as I'm sure that this actor has been doing the same for many other apps.

This is apparently a common method for malware-slingers. They buy established, older apps, that they assume the developer has abandoned (I hadn't abandoned it, but it's a simple app that hardly ever needs tweaking. If I stop supporting an app, I remove it from the store).

They then "update" the app, with a little "extra flavoring."

> This happened on ios for me years ago.

Neither of the 2 scenarios you describe are even remotely what's happened here. Not sure how you got from 'malicious ad popups' to 'app added cloud feature'.

You probably overestimate Apple here. I'm pretty sure you can do a lot of fuckery with WebView, JavaScript and an innocent-looking API and feature flags in JS that gets swapped for bad behavior remotely after the review process is complete.
Can't Google remove apps like Rocket Cleaner, that participate in these ads?
Not a good idea - I can pay for an ad for an app I don't like and it will be removed.
Apps and websites running ads they don't know about or don't vouch for is another problem. It's like a propaganda backdoor.
I don't get why no barcode scanner app is shipped with Android. It's such a basic functionality. Edit: apparently it IS shipped on iOS and at least my Lineage OS default camera app has a QR code reader too.
I don’t think my past two phones (one Android, one iOS) have built in QR scanning, or at least it’s not very discoverable. No fun to have to find something in an App Store when it all looks like 7 year old malware.
(comment deleted)
You can point the builtin Camera app on iOS to any QR code, it will pick it up just fine.
Try your plain camera... this seems like such a hidden anti-feature though... no one I know has tried just the camera
I discovered this week when fooling around with QR code makers that the Android camera app, at least the one released on Samsung phones, does not read QR codes. That was very surprising to me.
Switch to Google Lens in the Camera app. It's way less reliable but it usually gets the job done.
What do you mean by way less reliable?

While Google will not start any overly obnoxious ad-serving, who tells you they will not upload all or a bit more stealthily some pictures for some AI user profiling thingie? Cannot happen? They collected WiFi access points when doing Streetview back when their motto was "Don't be evil".

Sometimes it decides that I'm actually searching for pictures of QR codes and gives me Google Search results for similar pictures of QR codes, which is kind of useless.

As for the second part, that's your personal risk tolerance so I'm going to leave that to you. Google is generally a high-trust brand in America, so most people will find the risk tolerable. If you don't find it tolerable, you shouldn't use it.

> Google is generally a high-trust brand in America, so most people will find the risk tolerable

Sure, nobody doubts that. Whether the trust is deserved, that's another story.

They scan your email to find out where you traveled and what you bought. I guess most people don't know and many are shocked once they find out.

https://news.ycombinator.com/item?id=19942219

My boring AndroidOne phone does. If there's a clear QR code in the field of view of the camera app it'll recognize it.
I found this behavior in the Barcode Scanner app by "the space team"

That was not one that was mentioned by the article

It's url: https://play.google.com/store/apps/details?id=com.qrcodescan...

(See the reviews)

I also found this pop-up add behaviour Saturday (6th) morning. I distinctly remember looking at this app last year when a different barcode scanner had an issue and it was not owned by "the space team" then,maybe a takeover? App now uninstalled
The one I remember being popular before on Android was the "zxing" one: it's still on the Play Store but has tons of recent reviews complaining about adware... confused users (and/or competitors taking advantage) leaving reviews on the wrong one?

The zxing one seems to not have been updated in years (plus it's still on the store).

Right. Space Team's app was a fork of the zxing demo app updated to newer SDK versions, but with the same name and basically identical interface. It had a malicious version uploaded recently, and was nuked by Google.

People then found the original, that looks the same, and started leaving negative reviews, attacking the "maintainer" (who does not really maintain it anymore, since Google no longer pays him to do so and it is no longer possible to update for the play store without some substantial code changes to target the newer android API versions) on Github, etc.

Glad you brought this one up. I also had the app you mentioned installed and noticed pop-up ads in Chrome.

I immediatly uninstalled the app and left a review. Like many other negative reviews I received some copy-pasted response stating they only have some in app ads.

It is beyond me that the developers just lie about including malware in their app while it is so obvious they are.

When the Apple App Store contained malware compiled by unsuspected Chinese developers using a local cache of Xcode [1], Apple emailed the developers to prompt them to update their application immediately and removed them from sale.

Apple also contacted users directly to alert them of whatever apps they had purchased on the App Store were compromised so they could monitor for updates, or remove the app entirely.

Has Google done the same? Neither Apple or Google have the ability to directly remove apps on a users device, but simply removing it from the store and then having users rely on a solution like MalwareBytes seems like Google is abnegating their responsibility of a safe marketplace.

[1] https://en.wikipedia.org/wiki/XcodeGhost

> Neither Apple or Google have the ability to directly remove apps on a users device

I'm pretty sure both can. But it's a legal problem, not a technical one.

So why aren't we hearing about someone being arrested?

Google knows who their devs are. Law enforcement can demand they give up that info.

They are most likely Chinese. I’ve been getting asked by Chinese accounts on LinkedIn to let them use my account to submit their apps on the Google Play Store for a fraction of their revenue. I’m guessing there’s a similar scam going on here too.
This is also very common on freelance sites like Upwork.
Computer crime is so very rarely traced and prosecuted, like most white collar crime.
Right, which is a massive problem. If these people and those like them were prosecuted then we'd have far less of a problem.
It's still a massive issue if the crime crosses borders; if the entity behind the malware is from, say, Russia, what can a prosecutor in the US do? This is why internet crime is such an issue.
(comment deleted)
There is a difference between ‘infects’ and ‘shows pop-up ads’. Annoying? Sure. Comparable to a complete security breach? No.
It's not a data breach, but it is fraud and should be treated as such.
(comment deleted)
Even legitimate app developers have no incentive to keep their apps sterile. Someone just has to approach you with your 10+ million users barcode scanner app and offer you +50,000$ in order to install some automated ad clicker for them.

Don’t be naive, the majority will accept the money and gladly.

I believe that particularly makeshift applications such as e.g. barcode scanners are susceptible to this kind of overtake. Apps that offer what should have been offered by the OS vendor in the first place. Why should the app developer refuse the money if what their app offers will be incorporated in a next OS update by anyways? Why defend your mini-adapter-app in an ocean of mini-adapter-apps, with yours becoming so large just because of a random seed and path dependency?

This can have a big impact for end users. Imagine an authenticator app ending service to all their users in such a scheme and how you will be cut out from all your accounts by this. How many authenticator apps do you have to use in parallel to mitigate this risk of a single point of failure?

> This can have a big impact for end users. Imagine an authenticator app ending service to all their users in such a scheme and how you will be cut out from all your accounts by this. How many authenticator apps do you have to use in parallel to mitigate this risk of a single point of failure?

This right here is a big reason, apart from actual restorable backups, why I root my Android device. Sure it is not required nowadays but it does give a sense of control if thats the right word.

So many times I had to restore older copies of apps like Chess or even Yoga app. The older apps allowed a functionality (downloadable content for offline view) which was straightup removed in newer versions.

Same for Authenticator or any other app which does things locally.

I, like many other HNers, simply store the secret passphrase & QR code in a separate keypass database.

Recently Google Authenticator app added the ability to move all codes to next phone by displaying multiple sequence of QR codes, but I coded a simple no internet just local storage & javascript app to to utilize otpauth:// protocol to eadily readd the codes on new phone https://spa.bydav.in/otp.html

You can write down the code for all authenticator entries upon scanning the installation code with a barcode reader app for later reuse :) (I suggest to use fdroid versions for both barcode reader and authenticator anyway to mitigate the issue)
> Imagine an authenticator app

I will imagine that anyone who creates an authenticator is half-decent enough to NOT take that bribe and serve the greater good.

I will also imagine that when people install authenticators, they would NOT trust one from HenryBemis but only from sources that they recognize (Google, Microsoft, Yubikey, etc.)

It always amazes me how come all smartphone OS creators switch every connectivity option to ON by default on every new app installation. It would take a use another 3-4 seconds per app installation to prompt the user whether they want this app to access Wifi/Data/Background/Roaming. In the same sense than the OS asks you whether you allow access to Calendar, Contacts, Camera, etc. At least half my apps on my Android do NOT need access to the internet to function. They may 'want', but definitely not need.

Sadly, the permissions-by-default problem is not unique to Android. I bought a new iPhone a couple of years ago and spent nearly an hour straight away just turning off all the junk I didn't want. That is now the way of the world, if all you want is a phone for communications and running a small number of essential apps because too many organisations now assume everyone will have a smartphone.

I suppose I should be grateful that I can turn off a lot of permissions for apps at all these days, unlike the malware built into recent versions of the major desktop operating systems. :-(

You cannot trust established players either. For instance, cheaper Samsung phones ship with a lot of shady software, as I found out helping relatives.

And a lot of reputable software companies have sold out to peddling adware. Adobe is one, and there are a lot of others. Abandoned shareware or open source often resurface with adware installers.

https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk...

> When inserted into a computer, the CDs installed one of two pieces of software which provided a form of digital rights management (DRM) by modifying the operating system to interfere with CD copying. Neither program could easily be uninstalled, and they created vulnerabilities that were exploited by unrelated malware. One of the programs would install and "phone home" with reports on the user's private listening habits - even if the user refused its end-user license agreement (EULA), while the other was not mentioned in the EULA at all. Both programs contained code from several pieces of copylefted free software in an apparent infringement of copyright, and configured the operating system to hide the software's existence, leading to both programs being classified as rootkits.

> on about 22 million CDs

https://en.wikipedia.org/wiki/Superfish

> The installation included a universal self-signed certificate authority; the certificate authority allows a man-in-the-middle attack to introduce ads even on encrypted pages. The certificate authority had the same private key across laptops; this allows third-party eavesdroppers to intercept or modify HTTPS secure communications without triggering browser warnings by either extracting the private key or using a self-signed certificate.

> I will imagine that anyone who creates an authenticator is half-decent enough to NOT take that bribe and serve the greater good.

Dear HenryBemis,

As a CEO of TRC, I would like to extend you an offer to purchase source and distribution rights to your app, SummerChildAuthenticator, to the form of $500,000 (five hundred thousand US dollars). We are a fast growing SV startup that wants to make it easier for people to secure their papers and money on-line. We have developed a streamlined, easy-to-use, user interface for authenticator applications and are looking for a way to quickly put it in front of a wide audience. We believe that your SummerChildAuthenticator, with its established base of over 50 000 users, is the gateway we are looking for.

If you are interested in this offer, please reply to this e-mail.

Sincerely yours,

TeMPOraL, CEO, TRC

<smallfont>Temporal's Rackets and Cons is a startup registered in Southern Vescillo, Arstotzka.</smallfont>

--

You think to yourself: "this is a good deal! The app is unlikely to grow more, it isn't making you any money anyway. Here is this hot new startup with great ideas, what's the worst that could happen? They'll just inject an ad here and there. Meanwhile, I have medical expenses, and..."

So you agree, and I take your app, and run a "growth hacking" campaign on Reddit to blow its userbase up to 500 000 people, and then proceed with my main business plan, which is selling access to OTP codes to the mob running phishing scams.

(Oh, dear reader, you've noticed Arstotzka and thought I'll be selling data to evil government? Nope, we registered there only because it'll make it mighty hard for anyone to sue us.)

I hear you.

Any developer knows/understands if the offer comes from a legit source or scumbag. I cannot make other people's choices for them. My answer would be 'no' even for 100k, BUT I am in HN and I suggest people get off facebook and google because they are privacy nightmares (also certified in a couple of audit/security areas - so there's that). Btw I did have an app on Apple store, target audience was children (3-6 years old), it did OK, I just didn't have the time to keep it around (for the little revenue it was bringing). It worked 100% offline, no tracking, no ads, no nothing. I have a free version as a sample and the full version at $0.99. I chose to sell than help the ad beast grow bigger and track children more.

But that is just me. $50k is a serious amount but it won't make me or break me. For some other parts of the world, where a monthly salary may be $200.....

I did offer $500k though, not $50k :).

And while I don't think you personally will sell out like this, I wanted to highlight that a) it's easy to make such an offer sounding legit enough (particularly to developers with little experience with the world at large), and b) an Authenticator app is a perfectly valid target for such offer. I'd even say it's more lucrative target than most.

> It would take a use another 3-4 seconds per app installation to prompt the user

I yes, I too rememeber the FirefoxOS. Good times.

> Apps that offer what should have been offered by the OS vendor in the first place.

This is really it. The Google/Android team have already made the "Zebra" library that actually reads barcodes; why on earth do they not include this as a standard app. Instead we get this myriad of different barcode scanner apps with all sorts of harmful features. All the heavy lifting is done by the Android team anyway (the actual barcode scanning).

To make matters worse, scanning a barcode when you enter a store/cafe (to register your location), is now begin done everywhere in order to track potential covid19 spreaders. This forces anyone without an iPhone to install at least one of these potentially harmful apps.

It is 2021 and Android still doesn't have a QR code scanner by default.
It's built into the camera app
There is no "the camera app"; the manufacturer often provides their own. It may well be in recent versions of GCam, but quite often it requires you to bail out to Google Lens for some reason.

Android is like Forrest Gump's box of chocolates: you never quite know what you're going to get. And sometimes it's stale.

I don't know if it differs from various vendor releases of android but certainly on my Samsung S20, QR codes can be read without an additional app just by pointing the camera app at one. I seem to recall my Pixel XL did the same.
Actually they do if they have Google Assistant, which I imagine anyone with Android 7 or later will. If you use the Google Lens feature it will decode barcodes and QR codes. But unfortunately this feature is pretty much self-discovery rather than a publicised function
Not everyone wants to use more spying software.
It isn't obvious, needs Lens installed, which needs Internet to work properly.
Samsung phones have it in the camera, so I guess most Android users do have a barcode scanner built-in.
Why are Android users installing all these apps then? https://play.google.com/store/search?q=QR%20scanner&c=apps&h...
Because most Android users don't know about Google Lens/their camera app and google "Barcode Scanner app" when they get their phone.
My Samsung has a built-in QR scanner, which I found out by accident.

I downloaded an app for it because it never crossed my mind it would be built into the camera app. After all I don't want to take pictures of the QR code, I want to decode it...

No idea when it was introduced. I've had an S3, S5 and now an S8 where I discovered it by accident last year. Pretty sure the S3 didn't have it.

Personally, when I installed the app, there wasn't one built in. I just still had it lying around.
the camera app scans qr codes on my pixels.
Limited to certain phones. Otherwise, how do we explain millions of installs on QR code apps?
(comment deleted)
Google lens does it, is it not part of stock android? My phone runs Android One, so I think it's all stock but I could've missed a subtlety.
Lens isn't AOSP, so it gets different treatment depending on your manufacturer.
The stock Camera app on my Android phone recognises QR codes. This is on Android 11 on a Pixel 3. I think this has been the case for a few versions of the OS (but don't have access to old versions to check).
Yeah, it's always in the flashlights, the barcode scanners, the background packs. They all address super basic functionality that many, many people seem to want (if I could just set a ringtone from YouTube, it'd save me from going through a bunch of shady apps, if I ever needed a ringtone that is). Yet they just aren't included in the base OS (or weren't always, my lineage OS has a flashlight currently). Therefore, they offer very low hanging fruit(super simple app, one can hardly ask money for it, so how does one make money?)

I heard from a friend that iOS has TOTP and indeed a barcode scanner build in, same goes for cal/carddav. To be fair, my wife's Pocophone also comes up with a QR-code icon when the cam detects a QR code. And, FireFox for mobile has a QC code scanner build in (although since I now have to open a new tab for each new page and I end up with many many tabs of the same 4 websites I find myself using FF less and less).

Maybe the experience on Pixel Phones is better? GCam makes a lot of difference in many aspects.

> Yeah, it's always in the flashlights, the barcode scanners, the background packs.

Why are Google afraid to release a free non-harmful version of those popular apps. Is it to keep the illusion the app-store is a vibrant market place where tons of developers get rich? It just seems nuts to allow all those harmful apps (that does virtually nothing) to float among the top downloads.

> Why are Google afraid to release a free non-harmful version of those popular apps.

Fear of anti-competition lawsuits and complaints. They're seeing what happens when Apple integrates stuff into iOS / OS X core that previously were third party provided, or the flak that Amazon gets for pushing AmazonBasics products.

> Fear of anti-competition lawsuits and complaints.

They could just create an open source variant that suddenly shows up top when people search for QR or barcode scanner. It would be in their best interest, and it would not violate any anti-competition laws, nobody can demand to see how these apps are ranked I guess?

Manipulating the search results so blatantly? How are they going to do this without generating more criticism?

It’s better to bake it into the OS and push an update. But then you’d have to get an OS update to heaps of phones.

> How are they going to do this without generating more criticism?

From the people who make those crummy apps; criticism surely cannot hurt Google all that much?

> But then you’d have to get an OS update to heaps of phones.

That's not a viable option, this requires tons of work from OEM's that Google would have to pay for. I've rarely ever gotten any OS updates at all on Android - apart from my latest phone. But I think the only reason I get OS updates now is due to the fact that Nokia just ships stock Android under the "android_one" brand.

QR scanning is already built into the camera app. So, not this has nothing to do integration, it's already integrated.

Those QR code scanner apps are basically taking advantage of people not knowing they don't need one.

FWIW I've not had an Android phone lacking a flashlight in the OS since... ever, I think. At a guess, the apps are preying on customers not aware of the OS-level functionality.

QR scanning seems a little more complicated. FF for Android integrates a QR scanner, but chrome does not. Google's default camera also opens links, if you allow Google Lens.

About four years ago, when I had a low end Android phone, some kind of "make the screen white" app was really useful.

I remember the play store being scary but I think there was something in fdroid.

I am not so sure on this, but I do not recall my nexus 5 having flashlight in the OS.

I have a Nexus 5, and I can confirm the flashlight is available in the system tray icon. This is true for all Google phones since at least Nexus 4. It is my understanding that AOSP as well as Google's Android implementation has always exposed access to the flashlight hardware (although somebody mentioned this not being the case with Nexus One).
Since it's not an app, but hidden under edit in the pull down notification tray, people may still end up looking for a flaslight app. Perhaps a warning in the Play store that "You already have a flashlight, it's here..." would be a good comprimise? Although that might be considered "MS pushing IE", because the Flashy flashlight app has features(tm) (omg blink S.O.S., gotta have that :s).
(comment deleted)
> Why are Google afraid to release a free non-harmful version of those popular apps.

They already did; these have both been built-in for years. The flashlight was added in Android 5.0 (https://www.androidauthority.com/android-5-0-lollipop-offici... I'm having a harder time figuring out when the barcode scanner was added, but my phone does it automatically in the camera app now.

(Disclosure: I work for Google, speaking only for myself)

> these have both been built-in for years.

If Android has a built-in QR scanner now, that must be something that came with Android 11, but September 8 2020 cannot qualify as "for years". It takes a while for OEM's to catch up as well.

There are certainly Android phones that ships with this feature (QR-scanner), but stock Android 10 does not. (Google lens != Standard Photo app).

If you know about it, you can start "Google lens" app, but that app does not even come up as a suggestion when you type QR scanner into the play store. I.e. even when you have a QR scanner available on your phone, you wouldn't know unless you somehow knew about "Google lens".

I have a Pixel 3a, and I'm pretty sure it's done this since it was new (Spring 2019). I also thought my previous phone (Pixel 1) did it, though I don't have anymore and can't check.
There are many phones that have it (and have had it for a while like the Pixel it seems). Some can also enable Google lens from within the camera app, I cannot though on stock Android version 10.
I even have a pixel3 and forgot Lens existed; the first time I was exposed to it by the phone it looked like yet another Google scans all your stuff and gives you questionable suggestions feature. It never occurred to me it would do something as straightforward as decode QRs.
Yeah, on Pixel phones you can just scan the barcode from the camera app, or from Google Lens
Yeah the problem I think is other vendors implementing their own camera apps without this feature.
Same on iOS; the camera will recognize QR codes and offer to open.
I just tried the camera app with a QR code (on a Pixel 5) and nothing happened.
Its provided by Google Lens suggestions, so you'll need to have that enabled in the Camera settings for it to appear. It also seems a little slow sometimes, give it a few seconds for it to show up a small suggestion bubble at the bottom of the viewfinder.

I'm using Google Camera version 8.1 on a fully updated Pixel 4a and it works for me.

> (if I could just set a ringtone from YouTube, it'd save me from going through a bunch of shady apps, if I ever needed a ringtone that is)

I don't like that example of utilitarian because it fights the youtube platform which does not want you downloading videos. Anything that sidesteps some sort of security fence or functionality is shady to begin with; even if you think it's fair use. Plus there's the whole copyright minefield.

> they just aren't included in the base OS

Both a QR-capable camera and a flashlight in the notification bar are in all my Android phones, and they've been for a very long time. I know the Nexus One didn't include it, but those will have problems with modern TLS anyway.

The problem is likely elsewhere. It wouldn't surprise me if many of these users are tricked into installing these apps. It is quite popular for malware to disguise itself as a legitimate app as to not raise suspicion.

Discoverability is just as much an issue as feature including. If you have to go into a special QR mode (which a lot of cameras did), you’re never going to use the feature, and it’s hard to break those mental models if the feature gets silently added in later iterations; you’re always going to remember that first encounter where something didn’t work seamlessly.
Indeed it is. It wasn't at all obvious on my phone that I could put a flashlight toggle on my notification bar, so for a long time I still kept the old Motorola DroidLight app, which, despite being unmaintained for a very long time, worked beautifully.
I have a pixel but i don't have qr scanning built in to the camera. It was at one point built into the "google vision" thing, but i haven't seen it in the ui for a while.
In a very google move, Google goggles was rebranded as Google lens and the Google goggles app stopped doing anything. As far as I know Google lens still does everything goggles did, including bar code/qr codes.
You just have to point to a QR code and it will automatically scan it.
My Moto G8 Power (G Power in the US) Android phone has it as part of the Camera app; when you point the camera at a code, a small bubble will pop up at the bottom allowing you to follow the link/see the content.
> To make matters worse, scanning a barcode when you enter a store/cafe (to register your location), is now begin done everywhere in order to track potential covid19 spreaders. This forces anyone without an iPhone to install at least one of these potentially harmful apps.

Our (New Zealand) Covid tracing app scans QR codes itself. What jurisdictions are requiring to scan an arbitrary QR code using random apps?

https://www.health.govt.nz/our-work/diseases-and-conditions/...

Is there anything you guys in New Zealand haven't done better during this pandemic? :-)
"Better" is certainly a point of view here. Having to tell the government all of your whereabouts when you already live on an Island with no spreading is an overreach, IMO.
The 21,000 dead here in Canada would like to argue that it is much, much better but, well, they can't.

I literally can not believe you are arguing it's not better.

Believe it or not but not everybody believes that human rights like privacy are always optional when lives are at stake. Ever heard of the phrase "the end doesn't justify the means"?
exactly, how are you going to visit the mistress(es) if government tracks everything and eventually will be leaked? (a bit of sarcasm but the point stands, privacy shouldn't be optional)
We have a similar system is AU. It’s not really enforced all that well. But most people cooperate and life is generally back to normal. You also only need to do it in enclosed areas like shops. Mask wearing is still mandatory on public transport.

Unfortunately very low cases doesn’t mean the virus is gone. Occasionally there is a case and if you want to clamp that down as fast as possible, you need contact tracing. Which means we need to know where you are.

For most people, no extra information is being leaked. Facebook and google already know where they are and they are far more malicious than the AU or NZ government. The tin foil hatters like you can take extra measures I’m sure.

The US has over 25million cases and over 400k dead. That’s literally the entire population of Australia infected. So I’d argue that NZ and AU are objectively better and we shouldn’t worry about “overreach” just yet.

Well, when the users already give the government access to their location 24/7 with that app, at least they include a barcode/QR scanner.

But privacy is clearly one of the victims of this pandemic. At least some countries are now opening up the source-code of the front and back-end of their apps. They had to do that here in Norway (they had to replace the whole app actually) when the original closed source version was demonstrated to contain harmful features...

The New Zealand government doesn't learn "all your whereabouts" by default. The app is storing locally what it has learned about places you visited by scanning QR codes, and comparing that to information it is being sent over the Network (by the government) to discern if you went anywhere that the government says warrants special action - if so you get notified.

For most Kiwis this means a bunch of QR code data is stored on their phone and, months or years from now when the emergency is over (depending on how incompetent other countries are) that data is deleted. There is no NZ department of health MySQL database full of geo data of every New Zealand citizen and never will be.

If you're a case (remembering that New Zealand has elimination, so rather than cases being millions of people as in the US for example, they're very rare) then you can choose to help the contact tracers by giving them your data and in that case they do get all the data because you gave it to them. Because New Zealand has elimination contact tracing is something done by a handful of experts.

I would guess that like most countries New Zealand's contact tracing experts worked previously with sexually transmitted infections - so they already understand the sensitivity of this work. COVID-19 is actually less awkward, because at least you don't have to admit to fucking somebody you claim you're not sexually attracted to, just that you were in the same room as them for a period of time.

But of course none of what I wrote above matters much because those are merely facts, and for so many Americans mere facts can't oppose a Truth they have become certain of despite all evidence to the contrary. Not that Mother Nature gives a damn whether you believe her.

I'm glad NZ chose to develop the app the right way, but I certainly wouldn't expect any American government to do that.
I recall back in the early days (before NZ Covid Tracer was released) we had the same system where every shop had a QR code that linked to its own guestbook type website.
(comment deleted)
What do people without smartphones do?
My Android 10 phone from Samsung has both the flashlight and the QR code scanner icons in the drop down notification bar. I don't know if it is a standard Android feature or something from Samsung.
It's Samsung, though many other vendors also offer it.
OnePlus seems to have the QR code scanner built into its standard camera app. And the flashlight into the setting shortcuts. Very convenient, and perhaps necessary, considering all these app stores becoming malware vectors.
There should probably be a "standard apps" project, similar to prog-langs "standard library" - sponsored by goog et al but not owned by it, and heavy on security and standardisation.

what do you recon would be included?

- barcode scanner, - auth app, - calculator of some kind, - wifi management, dns/network/firewall management.

The same is true of things like Instagram, where they have made downloading an image so difficult that people install malware purporting to be able to do it all the time. Pretty huge vector.
On last point, Firefox/Chrome and derivatives have scanning built in. It would be very simple to have an app that links to Chrome.
The ability to read QR codes should be added to Android's Compatibility Test Suite (CTS) default camera app, this way vendors would need to ensure their camera app are all equipped with this if they want to ship with Google Play Store.
A great argument for installing F-Droid in my eyes.
"Google creates barcode scanning app, replacing popular app with 10m+ downloads".

Platform providers are also criticized when natively offering features that apps offer. You sort of can't win.

the platform should accept the criticism, because it doesn't hurt them. they have no feelings.

People doing low effort apps can only just whinge when the floor shifts under them. i have no sympathy - they just need to adapt and improve, and create new value to sell.

There probably could be some backlash, but it would be easy for Google to brush this off by listing harmful features they removed in the process.

They have done more drastic things in the past. They have even removed apps entirely from Android phones due to very harmful features, and nobody cared when they heard about the horrid things these apps did in the background.

On android (and I think iPhone too) you can scan barcodes with the camera app. It's not obvious, but I learned this from servers this year.

When we sit down they just say, "use your camera app to scan the barcode". It seemed to work for everyone at the table. Samsung, Pixel, and iPhone.

My S21 Ultra has a QR scanner built in, but no barcode. Are the old ones still used for such purposes? I've only seen QR codes used for eg contact tracing.
While Google Lens does the job for the most part, we created a free privacy minded security first app - https://dhiway.com/seqr/ This app plugs in to Google's anti-malware lookup service to flag harmful content from making it to the device.
The issue is not having a default app or not, the issue is having a qr reader external service.

Imagine you are an app developer of a really simple app that takes a number and tells you if that number is in a valid phone format or not. You have a textbox, the user enters it, you do the checking and display the result. Easy. Now imagine you want to allow scanning a qr which contains a number, to do the checking afterwards. You need to either ask your users to use an external app to scan and then open yours, include all the qr related library inside yours, or use a special intent from a third party app (that the users need to have already installed).

First solution is slow and inconvenience for users, the second is what almost all apps do, but then the code logic is duplicated on all of them (with the increment in app size). The third option is the best, both for the developer and for the user, however there is no official qr service so in the end this is basically option 1.

I mean, you already have a service to get a picture, a file and a contact, among others (you don't need to include all the code, simply do a call to the respective intent and wait for the result) so why don't extend this with the qr too?

This is why I get all of these kinds of apps from F-Droid instead of the Play Store. Here's the QR code scanner I use: https://f-droid.org/en/packages/de.t_dankworth.secscanqr/
Right, I'm an avid user of F-Droid and a large percentage of my apps come via this route. The trouble is that I have found that QR code scanners are very significantly different in both their feature sets and in their ability to recognize different barcode/QR code scans.

That's to say:

(a) The time for a given barcode to be accurately detected varies considerably from app to app.

(b) And various apps have different detection capabilities with respect to one another (i.e.: the detection performance varies from app to app depending on the contrast across the barcode image, camera focus or lack thereof, etc.).

(c) For a given app, the detection capability for different types of barcode scans can vary considerably.

For that reason, I have five different QR scanners installed including SecScanQR that you've mentioned and the one with the same namesake as mentioned in this Malwarebytes article.

It seems there's a great deal of variability in the detection algorithms between apps. Unfortunately, from my experience I've found that some of the commercial apps have better detection performance than those on F-Droid—but granted that's only from my limited testing. Which app I use sometimes depends on other features, for instance, the fact that it has a better database or export ability, etc. is more important than the fact that it's insensitive in the detection department.

I wish someone with more knowledge and experience could give others and me the good oil on this. Reckon it'd save us considerable time experimenting.

I'm terrified of browser extensions for this very same reason (and yes, I still use them). I wish the browser vendors supported some kind of pinning to source code for open source extensions. Right now I have at least 2 extensions running that I know could access my passwords on any website as I enter them. One of those is Lastpass, which I use for storing/generating those passwords anyway, and the other is AdBlock Plus. Could other extensions access sensitive information? I'm not sure, but I hate not being able to see the source code of apps which need so many permissions.
Given the reputation of ABP, I'd be worried too.
Re AdblockPlus, I can recommend Ublock Origin instead. The UBO developer (Raymond Hill) repeatedly chose ethical behavior over money.
Alas the Great Suspender just fell prey to malware after its creator sold it off: https://news.ycombinator.com/item?id=25846504

I think Apple have the right idea with app review on browser extensions for Safari.

I hear that a lot of companies are doing unethical things. Maybe the government should only grant corporations to form which are headed by approved people?

/s

The other nice thing about Safari’s approach is that for common extension functionality it is just a set of rules that are executed. So no malware can be run because extension code isn’t actually reading the dom. Nor does it have access to load remote resources.
At least with LastPass you know they have a commercial model and reputation to incentivise better behaviour. If you download something that is free then that pressure doesn't exist.
(comment deleted)
AdBlock Plus is owned by a company who is selling ads. Use uBlock Origin instead, please.
To be more precise: You can pay them to get your ads listed as "acceptable ads" which will then pass the filter rules of ABP.

Would be a real shame if some software would block your ads because you didn't want to pay, wouldn't it?

> I wish the browser vendors supported some kind of pinning to source code for open source extensions.

Chrome used to. You used to be able to just download the source code of an extension, point Chrome at it, and done you are.

Well, you still can. But Chrome will CONSTANTLY nag you about it and try to forget you added that extension using source, like it's some vile crime.

They removed it because of "security", which is a hilarious reason because it just made everything so much worse.

Most apps never need to be updated, problem solved. Especially stuff like barcode scanners, authenticator apps and other apps that I'd call phone infrastructure can just be static from the time of install.
And then the app isn't working anymore due to newer os breaking change

Or it suddenly gone from app / play store

If it's gone from the play store that doesn't matter, you have it installed.

Breaking OS changes are a problem, it's true. Thankfully they basically never happen on phones (certainly if you have a phone that stopped updates ~4-5 years ago it will still work).

It's true if you don't need to change device. In 3 or 4 years (my usual device lifetime) many non updated apps is no longer supported at newer os version.
You're on HN. You should say such blatantly false things like

"Thankfully they basically never happen on phones"

There has probably never been a phone OS update that didn't break things. And not in a "technically something broke so haha gotcha! way"

Broken in a "half the apps out there need to be rebuilt with a new SDK version and/or deprecated or there'll be obvious bugs" way

I think you are absolutely right about how easy it is to fall prey to lots of money for adding a simple payload.

In the early days Wordpress sold use of their domain to black hat seo / spammers.

> Apps that offer what should have been offered by the OS vendor in the first place.

Wouldn't that be anti-competitive? Similar situation when Microsoft was including IE on their system that made them a quasi monopolist with subpar product. I'd rather have Google having stricter rules when it comes to malware.

You’re right. How dare Microsoft abuses their monopoly and ships Windows with a clock in the taskbar!

And why stop here? We should open the market for TCP implementations. The status quo is anti-competitive and stifles innovation!

Funny how Microsoft's including a useful tool for you know, getting on the internet, with their OS was the subject of an anti-trust suit just a few decades ago and now it's ok to force users to purchase all apps from the apple store, which takes 30% from every company wanting to sell an app on iOS.
Anti-trust has many fewer teeth that it used to.
I'm just about old enough to remember the versions of Windows which didn't ship with TCP and you had to install "Trumpet Winsock" to get on the Internet. This was silly.

The key to understanding the browser case is that, as MS wanted it, it would have tied client and server and rich application development together, all of which would have necessitated Windows. IE was a threat because of ActiveX.

It wasn't silly. It was third-party software which provided functionality that the OS simply lacked.
agreed, I lived through those times, TCP/IP was not a thing, until it was. There was no reason for it to be in the OS until it actually became popular and therefor useful

I used various competing systems before that in Windows/DOS

> And why stop here? We should open the market for TCP implementations.

_Re-open_. There were, indeed, commercial TCP/IP stacks available for various operating systems until the operating systems started including them.

If we do a comparison with the browser situation, then it would be quite sufficient to allow people to install 3rd party TCP/IP stacks. Does Microsoft prevent that? I honestly don't know myself since I don't really use Windows. :D

> Apps that offer what should have been offered by the OS vendor in the first place.

The questions are: how do you decide is necessary and how do you present it to the user? Different people have different needs and making every should have been feature visible ends up making every other feature less visible. That may be fine if you're developing software for a specialist who will take the time to learn a particular application which is relevant to them, but it's a drawback when you're creating software for a general audience since only a handful of enthusiasts will take the time to learn the software.

> Imagine an authenticator app ending service

imagine android version of Google Authenticator having no way to export data to the iphone version..

oh wait..

> How many authenticator apps do you have to use in parallel to mitigate this risk of a single point of failure?

Just one, together with alternative forms of 2 factor auth, such as a Yubikey (U2F token) or printed backup codes.

One or two years ago a Chinese guy contacted me asking me if I wanted to put an app or multiple apps on the AppStore for his company. In return I would receive 1.000 USD per month or so. I found this really suspicious, so I never accepted the offer. I also didn't want to risk getting banned by Apple for an offence like distributing malware.

I wouldn't be surprised if there are app developers that actually do accept these kinds of offers though.

> Don’t be naive, the majority will accept the money and gladly.

I wouldn't accept it to sneak the change in, but I'd probably be

Apps that offer what should have been offered by the OS vendor in the first place.

Bundling can be seen as bad in terms of competition [0], but it can also be good for the user experience. I wonder if these apps go unimplemented for fear of regulation. It might be silly to think of a barcode scanner (or other small utility) in that way, but, if the app is so silly, then is it really worth the risk (not just from regulation, but from having to deal with bugs)?

0 - https://en.wikipedia.org/wiki/United_States_v._Microsoft_Cor....

> Don’t be naive, the majority will accept the money and gladly.

I wouldn't accept it to sneak the change in, but I'd probably be perfectly willing to take their hand off and sell rights to the product. Assuming of course I didn't just delete the message assuming it was some sort of phishing scam or other rather than a genuine offer.

I'd feel obligated to make it known that I'd done this, perhaps via a notification in the app prior to hand-over and in its README. Something along the lines of a normal change of ownership message (copyright has been transferred to X, contact them for further information, future official releases will come from their fork, of course existing open source releases remain open source even if they change licencing arrangements for future releases, yadda yadda). Though we all know how often people just click through notifications, so I'm not sure how much difference that would really make - so if I were a robot I might be considered culpable under the second half of the first law...

If the buyer would walk away if I didn't agree to a more silent sale then I wouldn't touch it. It is a thin line that I won't cross, but still a line I like to think wouldn't cross. Then again I have the luxury of being relatively comfortable at this point in my life (decent day job at a company which is weathering the current collection of world crises pretty well, the little flat's mortgage near paid), for many others out there the financial incentive would be much harder to ignore. I'm not sure that I like that I wouldn't draw my line in a different place, but I'd be dishonest if I tried to claim that I would.

I stopped using apps from companies or projects I don't know some time ago. Which left basically small local companies, the big global ones and FOSS-projects. This of course is not perfect but at least leaves some sort of accountability.
This is why I root my phone. I block internet access to any new app that shouldn't need it, if it refuses to work, I uninstall it.
All my employees use a JSON formatter on Chrome. Such apps require permissions to view all sites...

I require them to create 2 profiles in Chrome (and a 3rd for personal purposes), one for dev and one for official purposes, but I know that, in remote work, they get less serious.

It’s a major security problem. I’m wondering whether I should purchase the Chrome extension’s source code and deploy it myself on the store.

The title says "Barcode scanner", but this is a QR Code scanner app from qrcodescanner.com
I'm glad that Firefox on Android now has a built-in QR code scanner. This is the best UI and security improvement they added in the last 5 years.
It has? How does one use it?
When you open a new tab, it is right above the search bar.
Indeed there it is, I hadn't noticed. Thanks!
(comment deleted)
The iPhone stock camera app also scans QR codes btw, guess most people just don't know since it isn't advertised heavily
Google's stock camera app supports QR codes.
Vivaldi just added one too.

I'll never undertand why Google didn't include one from the start. They finally added it to the camera app but very few people know about it.

(comment deleted)
I noticed the package name com.qrcodescanner.barcodescanner. and went to https://qrcodescanner.com/ which advertises another very popular barcode scanner wescan.

they also offer an sdk of their own for including a barcode scanner into your app. https://github.com/WeTransfer/WeScan

I'm not really sure they are connected (package names don't verify domain names AFAIK). Just curious.

One can say that the solution to this is more control/power for the app store, but te opposite, the solution for this problem on computer was solved decades ago:

Open source software and more open and transparent platforms!

Today users of common brands of Android and Apple devices are really restricted in control of their devices, so there is very few ways to check what the system or apps are doing, inspect, firewall/limit things, go tinker inside the apps.

And as said by other people, most of the time you have auto updates forced on users and so app developer does not even have to really justify what changed and why.

(comment deleted)
Agreed. The only way reviews can be done is by stores doing the review based on source code, and have submitting source code be mandatory with automated builds before review. That is not something companies like Apple or Google would even care about, it is not in their interest, since it is not their problem.

The phone market is a duopoly, Google and Apple have the market shared between them. There is no need to really improve this situation for end-users. For me it feels like Windows XP all over again.

I am a happy user of a Linux phone. I very much enjoy and support Jolla and Sailfish OS, while also hoping for the Pinephone and the Librem 5 to take off and be available as an option for daily use.

QR Reader are load of everything. I went mad to find one a decent one for my parents’ android phone and apparently it doesn’t exists. So in a weekend I’ve created one without any kind of tracking, ads, permission, whatever. Here it is if you guys need one ->

https://play.google.com/store/apps/details?id=com.prof18.sec...

But this is the classic cycle don't you see? They almost always start as "here is an app I threw together, no ads, don't be evil".

But then a lot of people like your app, and ask for a small extra feature. You support it, and then get a bit annoyed by all the features people are asking for. Then you have to update it for the latest release... then suddenly fix it when some obscure version of Android breaks on it.

Then someone offers you £60k for a small ad no-one will even see and you think.. don't you deserve a bit of credit?

Maybe you'll be the good one who doesn't take it, but the free model is generally unsustainable.

If the OP open sources his QR code reader app then the "free" model is absolutely sustainable.
I'll never do that, because I've done it without any kind of profit in mind. I've done it just to help people and the community.

I think that if the app is open source, it's harder to hide such behavior.

That’s why you should try to use apps from reputable developers, who’ve already had countless such offers and refused them all.

The usual "400$/month per 1k users" stuff, just integrate an ad network is common, but sometimes as dev you even get offers like "we hire you, with a contract, you can’t be fired, legally you’re a consultant to us for 2 years, at a few hours per week officially, for a silicon valley wage, unofficially you just don’t do anything and collect but we get full control over your apps".

Personally I’ve had quite a few such offers, and I’ve rejected them in the past and will also reject them in the future

Trust devs who’ve proven themselves :)

Nice. Once you have a million users, are you open to selling it? ;-)
Nope. Because I truly believe in community and open source. I'd not be able to sleep on night and I'd prefer to shut it down rather than selling.
Obligatory XKCD: https://xkcd.com/927/

But in this case, there is only one standard, and lots of imitators: https://play.google.com/store/apps/details?id=com.google.zxi...

But fallout from the bad app, or possibly deliberate actions by the malware maker have caused hundreds of bad reviews. It might be that removing the malware app from the store means people search for Barcode Scanner, find ZXing instead of the bad one, then post their bad review there. Or maybe the bad app is deliberately telling people "Click here to review the app", and pointing to the wrong app.

There's also reports of some sort of malware doing fishy things with intents to make it look like the ZXing software is bad https://github.com/zxing/zxing/issues/1345#issuecomment-7590....

I'd like to see a proper investigation by someone at Google Play. The original Barcode scanner is not needed for QR codes any more - almost any camera app will recognise those, as will Google's lens application, but it is still useful for scanning other barcode formats and for generating barcodes by sharing data with it from other apps, without needing to upload to a server or anything.

It doesn't exist? What were your feature requirements?

You wrote a wrapper around ZXing, which already has an official app as well as simple variations of that app from the ZXing team. That app is open source and ad-free.

There are already many similar wrappers around ZXing on the Play Store.

So what does your app do (or not) that makes it special?

4M for just a scanner??

I appreciate the app but...don't you think that's too much?

I recently noticed that the "Barcode Scanner" app by ZXing (https://play.google.com/store/apps/details?id=com.google.zxi...) was being review-bombed with 1* reviews. People were talking about the "recent update", even though the last update is from February 2019. As far as I know, that app is open source and never contained ads. (Of course, without reproducible builds, we'll never know for sure.)

Was ZXing also hit by some issue, or is that just confused people that mistook the ZXing barcode scanner for the Lavabird barcode scanner?

In the comments of the article, someone wrote:

> The Zxing project is the flagship open source barcode scanner project for many years, and the December 2020 build was infected with malware. That bad build has been removed, of course, but the damage to the project continues.

Is there any further information on this?

Probably the people responsible for the malware barcode scanner have other scanner apps in the game and trying to prevent user from their app from installing the Foss app and live happily ever after.
Yep, fake reviews by malware-ridden competitors was also one of my thoughts. But there's this motto "don't attribute to malice what can be attributed to stupidity".

It could also be both of course.

To be clear : "the December 2020 build was infected with malware" only refers to the lavabird barcode scanner and not other apps (that use ZXing library or not).