TLDR: the ‘novel technique’ is PWAs
I would argue that the new piece is that phishers are taking advantage of Android’s ability to throw an install button in the browser.
Enough phones support that now, and they’re able to catch more people in their nets now that folks aren’t installing web apps from a nested menu item.
Pretty sure that was widely available two years ago. I used that to install a free VPN while in China.
Yeah, I forget what version of Android it went out in. I only really started paying attention when, at work, we realized that a lot of our unreproducible bugs were from PWA users claiming they had installed the native app.
And those mismatched PWA / native bugs were overwhelmingly from Android users on newer versions of Android. They thought the new PWA install user experience was for a native Play Store app.
The bugs were driving us crazy and then someone in UX caught the behavior on a user test.
Wtf kind of clickbait is this shit? I stopped reading when I got to PWAs, which are just JavaScript websites that use specific APIs to feel more offline and app-like, but still run entirely in the browser engine. This is not “novel”, it’s not “side loading”, nor is it breaking iOS/Android security. It’s no different than navigating to a scam website in a browser and entering your bank credentials.
Side note: this tech could have entirely replaced most apps on Apple and Google app stores. Apple has hamstrung its addition on iOS for a decade, and still is, so businesses have to build iOS-specific apps and pay Apple for the privilege. Both Apple and Google are effectively stealing billions of dollars from global businesses, and dramatically increasing their inefficiency, by forcing every business that wants to build a generic app to use their OS-specific proprietary tech, instead of a single website that you can “install” and operates almost identically across every browser, every mobile OS, and every desktop OS. They’re also more private than proprietary apps.
The above is only one example of why Apple, Google, and all of big tech deserve antitrust action, and should be forced to open walled gardens and implement open standards across their OSes. There’s no technical reason you can’t use a single app to communicate across SMS, iMessage, WhatsApp, Signal, Telegram, etc. They create these walled gardens to prevent competition and lock you into their platforms. No weakening of “security” or encryption needs to take place to do so either. Almost all encryption in use today uses completely open standards, protocols, and libraries.
Mobile dev here.
I’ll play devil’s advocate. Android streamlined the PWA install experience a few years ago. You no longer need to drill into a menu and select an add to Home Screen option.
On one hand, I have more users using a better mobile experience, but on the other hand, I now have a lot of users that think they installed the native app.
I don’t think the end user should need to care about my tech stack, but I could see how a malicious actor could dupe people with this newer streamlined PWA install flow. These malicious actors probably caught a lot fewer people with the old menu > add to Home Screen flow.
That’s not really playing devil’s advocate. You’re correct. I was just highlighting the headline was disinformation. It’s true that the average user isn’t aware of the difference, but I would blame the OS for not making it explicit on install that this is a website and that authenticity should be triple checked. There’s also nothing stopping them from “installing” PWAs via their app stores, except for their greed.
I guess I’m saying that I didn’t think the headline was too bad. There is a new PWA install flow that’s widely available on Android now, and phishing via that new PWA install UX is potentially a new hot area. I’m not particularly offended by calling that novel. Just my 2¢
There’s also nothing stopping a malicious actor from putting a malicious app in the store, whether that is a wrapper on JavaScript or native code. So I don’t see the distinction at all from having PWA or native app barriers because they’re all weak.
It’s a PWA
a novel technique to trick iOS and Android users into installing malicious apps that bypass safety guardrails built by both Apple and Google to prevent unauthorized apps.
So the “safety guardrails” being bypassed are just the restrictions imposed by Apple and many Android devices denying owners the ability to install apps from outside the company stores?
And the installed apps are web apps, running within browsers that those stores already approved?
Um…
It seems to me that the thing being safeguarded here is corporate profit.
(Wasn’t Ars Technica known for quality articles in the past?)
IMHO, getting people to install a sketchy PWA is going to be more successful with newer versions of Android that allow a PWA to throw an “install” button in the browser.
When I look at my mobile end users, the people who install PWAs are overwhelmingly on newer versions of Android, not older versions, or iOS. Opening the share menu and adding a bookmark to the Home Screen seems simple, but it provides an amount of friction that scares off a lot of end users.
PWAs are great, this is just phishing