Epic
Coming to an iPhone near you if Epic wins its case against Apple.
The Microsoft Authenticator extension in the Chrome store wasn't actually made by Microsoft. Oops, Google
The trustworthiness of Google's Chrome Store was again called into question after an extension billing itself as Microsoft Authenticator was published by the software souk without the simplest of checks. The legit Microsoft Authenticator generates one-time codes for multi-factor authentication, and lately gained password- …
-
-
-
Wednesday 19th May 2021 10:15 GMT Anonymous Coward
Re: Epic
No, but Epic's case partly revolves around the monopoly Apple have over their control of the Apple Store. If Apple were ultimately forced to allow third party stores access to their devices, that would remove Apple's control over what software is allowed on an iDevice which would, in turn, open the floodgates for rogue apps and vendors through alternative stores.
-
Wednesday 19th May 2021 11:16 GMT lglethal
Re: Epic
So your objection is that people should not be able to, for better or worse, install whatever they want on their own devices?
Hmm, so you wouldnt object to Microsoft telling you exactly what you can install on your Windows machine? Or Linus Torvalds being the gatekeeper for what programs you can install on your Linux box?
By the way, I object strongly to what you've written. " If Apple were ultimately forced to allow third party stores access to their devices, that would remove Apple's control over what software is allowed on an iDevice..." The Device in question belongs to the Person who bought it. It is not Apple's Device to decide what can go on it...
-
Wednesday 19th May 2021 11:59 GMT Anonymous Coward
Re: Epic
No, I made no such objection.
I was merely providing information as to why the Epic Vs Apple case might have repercussions beyond the 30% payment paid to Apple by developers.
As for your strong objection, don't be intentionally stupid. I meant devices made by Apple and you know it.
-
Wednesday 19th May 2021 12:00 GMT Headley_Grange
Re: Epic
My objection is that other people shouldn't be able to install whatever they want on my devices.
If app stores become an unregulated wild west then how do I know whether the metronome I've just bought for my phone isn't going to download malware, steal log in creds and spam all my contacts? I'm not daft enough to believe that Apple's store is perfect in its screening, but it's better than what will happen if there's no trusted gatekeeper.
Sure, I could stick to the Apple store because I, rightly or wrongly, trust it, but devs will move away from it - the good ones because other stores are cheaper and the bad ones because they can get away with stuff and I'll end up having to use the cowboy stores cos the Apple store will be empty.
It might be OK for IT-literate people who know what they're doing and can understand and manage the risks, but for normal users out there it could be a nightmare, especially for those who don't understand the risks and whose only point of contact for everything they do online is their smartphone.
-
Wednesday 19th May 2021 13:24 GMT Strahd Ivarius
Re: Epic
You did note that the extension was provided through Google store, not an alternate one, did you?
How long before the same kind of issue occurs on your phone of choice using the manufacturer-approved store?
Oh wait, it happens every week or so that Apple removes dodgy apps from its "curated" store...
-
Wednesday 19th May 2021 13:52 GMT Anonymous Coward
Re: Epic
> My objection is that other people shouldn't be able to install whatever they want on my devices.
Sleep safe, because nobody is proposing that.
> I'm not daft enough to believe that Apple's store is perfect in its screening, but it's better than what will happen if there's no trusted gatekeeper.
Nobody's saying there will be no gatekeepers, only that you, as the customer and owner of the device, should be able to choose which gatekeeper or gatekeepers you trust.
> Sure, I could stick to the Apple store because I, rightly or wrongly, trust it, but devs will move away from it
Unless they already have a billion-dollar cash pile and a grudge (eg. Epic), devs will go where the audience is, and that means being available in all the popular stores - especially the one store that's guaranteed to be installed by default on every Apple device!
> It might be OK for IT-literate people who know what they're doing and can understand and manage the risks, but for normal users out there it could be a nightmare
Normal users are going to turn to a name they know and trust - Apple, Google, Microsoft, Steam, etc. So I expect alternate app stores from those kinds of well-known brands to take off if this market does get opened up.
There will undoubtedly be some smaller, more niche stores, but they're not likely to pop up on any normal user's radar, nor need they.
-
Wednesday 19th May 2021 14:26 GMT Headley_Grange
Re: Epic
Nicely reasoned post, AC, but maybe I'm more of a pessimist than you are.
"..only that you, as the customer and owner of the device, should be able to choose which gatekeeper or gatekeepers you trust." I spent ages building up relationships with my local shopkeepers and grew to know and trust many of them. They're all gone now - replaced by Turkish barbers, nail shops and vape shops - and I have a "choice" between one of the big supermarkets or Amazon. If Amazon decides to take the supermarkets on properly in the UK then soon I'll have bugger all choice except Amazon. Amazon, as a gatekeeper, doesn't give a toss whether it sells me genuine stuff or Chinese knock off stuff, as long as it gets its cut.
"Normal users are going to turn to a name they know and trust" See above. In my experience most people turn to the name that's the cheapest and most convenient, not the one that provides best quality. That's why the shops on the high street are disappearing.
Like I say, I'm pessimistic about this, and let's hope I'm wrong, but why wouldn't app stores follow the same pattern?
-
Wednesday 19th May 2021 17:45 GMT claimed
Re: Epic
The cheapest store will be the one that charges Devs the least... so most convenient, its going to be hard to make a one click process less convenient, so playing field effectively level.
People will use what's on their device (MS IE monopoly, Chrome, etc), or what their mates use.
The high Street is not the equivalent of the App Store. A better one would be Alibaba vs Amazon... both doing ok...
-
-
-
Thursday 20th May 2021 08:39 GMT RyokuMas
Re: Epic
"If app stores become an unregulated wild west then how do I know whether the metronome I've just bought for my phone isn't going to download malware, steal log in creds and spam all my contacts?"
Very simple. If the app store becomes unregulated and/or Google is reigned back in from their attempts to turn the Play store into their own walled garden, vendors would be able to offer the apps to download from their own websites.
Not only would this shatter the monopoly status of the stores, it would also vastly reduce the problem of malware on mobile: if I want Fortnight, I'd download the app from the Epic website - any other site offering it, I know there's a chance it might be containing an unwanted passenger.
And the irony of this is that in this new world of total market freedom, Google and Apple could still win by repurposing their stores as promotional sites - users would still use them to discover and rate/review apps, but instead of purchasing the app via the store, the user would be directed to the vendor's own website. By charging a "reasonable" fee to register each app on the store, Google and Apple could still make a considerable profit. However, the choice of whether or not to do this would lie with the app's vendor thus satisfying the legal requirement of "not a monopoly" - for example, the vendor could decide to promote their app solely on social media and not use the "app store".
Breaking the current stranglehold is the best thing that could happen to the mobile app market IMHO.
-
-
-
-
-
Wednesday 19th May 2021 18:33 GMT Anonymous Coward
Re: Epic
Is that really true? It's more about allowing another inbound revenue stream and how much of a slice Apple gets from it.
Personally I'd very much like an alternative means of payment, because Apple put country restrictions on payment which seriously screws up people who live in a number of countries like me.
As soon as you move, you have to "move" App Store as well, but there's zero clarity over the consequences. What happens to apps only available in that country? Will the other ones still get updates? Why the *&^$% can I not pay Apple from another country (read: give them more money!). It's a freaking mess, all because they started off with more interest in film and music rights than an understanding of life outside America. Morons.
-
-
Wednesday 19th May 2021 09:00 GMT Dwarf
Certificates
Why not require that apps are signed by a certificate owned by the submitting party and make part of the checks before publishing a validation that the certificate is valid and lines up to the submitting party.
Back in the old days, we used to download applications direct from the vendors website, hence we could check if we trusted the vendor ourselves.
Looks like we have taken yet another step backwards in the race to dumb down technology with the inevitable outcome that security gets worse as users get less visibility on the source and trustworthiness of the code they use as other, better routes get gradually taken away for <reasons>.
-
-
Wednesday 19th May 2021 12:46 GMT Lyndon Hills 1
Re: Certificates
Indeed. In the web world, the browser can check that the ssl certificate from a site does at least match the web site domain.
Forcing an app (or extension) to be signed really just tells you the dev got a certificate. Without some method to validate that the certificate belongs to the purported publisher, it's not really very useful.
-
Wednesday 19th May 2021 13:33 GMT Dwarf
Re: Certificates
@Tomato Krill
Precisely, so their CN in the cert will not be microsoft.com and its then crystal clear that its not a Microsoft extension. This should be a mandatory step during validation, so well before the app is published into the app store for joe public to consume. I'm not talking about client side validation on the end device.
Not sure why I'm standing up for Microsoft here, I'd better go for a lie down.
-
Wednesday 19th May 2021 16:28 GMT Anonymous Coward
Re: Certificates
You're missing the point.
The certificate wouldn't say Microsoft, but unless all app submissions were checked by hand to ensure there were no mentions to any other application or software not released by the same developer it wouldn't be caught anyway. The certificate would match the developer (in this case Extension-) which would pass the automated checks.
As it happens all apps submitted to the Play store must be signed anyway, but only with a auto-generated certificate from Android Studio (as far as I am aware) which clearly doesn't help.
-
Wednesday 19th May 2021 20:11 GMT Dwarf
Re: Certificates
@def
You're missing the point.
The certificate wouldn't say Microsoft
Like I said before, that's precisely the point the CN in the cert is not matching the submitter. something.microsoft.com != something.extension.whatever
Its exactly the same logic as when you hit a website, if the cert doesn't match, then you get a cert error. The same logic could be used as part of the validation of apps submitted to make sure that they do come from the same source. You can't submit as acme, since you can't get a cert issued from them.
Its irrelevant how it works today - since clearly that is broken - otherwise no story to report.
Are you sure its not you who's missing the point :-)
-
Thursday 20th May 2021 05:56 GMT Anonymous Coward
Re: Certificates
I think that you may have missed the point. The developer isn't listed as Microsoft, it listed as extension. The name of the application has Microsoft in it.
So the application would have been submitted as the developer that submitted it.
They would have to check if the cert signing the application matches applications developed by that company.
-
-
-
-
-
Wednesday 19th May 2021 12:13 GMT iron
Re: Certificates
They do. Well for Android anyway, I have no idea how Chrome extensions work because I do not allow that ad display app on my network. Requiring signed apps doesn't prevent any of these things on Play so I doubt it would do much for the Chrome Extension Store or whatever they call it.
-
Wednesday 19th May 2021 20:25 GMT bsimon
Re: Certificates
Certificates are no bulletproof solution.
This thread remind me when many years ago Verisign issued a code signing certificate to some impostor that pretended to be Microsoft
https://www.techrepublic.com/article/look-out-for-fraudulent-microsoft-digital-certificates/
Also I've read some stories about shady CAs issuing SSL certificates for googlle sites to malicious third parties and government agencies.
-
-
-
Wednesday 19th May 2021 09:38 GMT Pascal Monett
"Google declined to comment [,,] about how this add-on slipped through the net"
It slipped through because the net has links that are a mile wide.
Let's be clear : Google is not there to curate the content of its Store, it's there to make money. Anything goes until someone complains. That's when Google reacts and goes fishing for a reason not to remove the app.
In this case, it didn't find any, so it removed the app.
But if you think Google is going to pre-emptively deprive itself of revenue when nobody has noticed anything, I have a bridge to sell you.
-
Wednesday 19th May 2021 12:08 GMT Graham Cobb
Re: "Google declined to comment [,,] about how this add-on slipped through the net"
I think you underestimate the power of bad publicity.
I am sure that, as from tomorrow (ish) they will have created a list of words which, if they appear in the name of an app will trigger a manual check on whether the app is really being submitted by the correct entity. It will be a fairly short list to start with (as they don't want to make more work for themselves) but it will grow over time (I am wondering when "NHS" will be put on the list - my guess is about a year away).
-
Wednesday 19th May 2021 14:25 GMT entfe001
Re: "Google declined to comment [,,] about how this add-on slipped through the net"
> I think you underestimate the power of bad publicity.
And I think you overestimate that.
While it might be true for a startup where bad publicity could scare away investors and the de-funding kill the failed initiative, Google (or Microsoft or Facebook or Amazon or...) are too big and have too much momentum for anything like this to actually matter.
Next week no one will remember this.
-
Thursday 20th May 2021 10:27 GMT Graham Cobb
Re: "Google declined to comment [,,] about how this add-on slipped through the net"
I was possibly too subtle. I didn't mean bad publicity for Google, I meant bad publicity for Microsoft. Google doesn't care about what you and I think. But it does care about what other major US corporations (and their lawyers and the governments in their pay) think.
I am willing to bet that that list now exists and that "Microsoft" is already on it. I am sure there were a few quiet phone calls to make sure of that within 24 hours of this being exposed. If you don't believe this, show us that you can still publish a new Chrome extension with Microsoft or Facebook or Amazon in the name. The list exists.
The only question is how big will Google let the list get and will they formalise it?
-
-
-
-
Thursday 20th May 2021 13:41 GMT Anonymous Coward
Maybe, maybe not. This isn't the monolithic Microsoft of old where everything is wrapped in TechNet, this is the new, hip Microsoft that uses git and works on FOSS and submits Linux patches. It could be that the hipster goons at Google, if they noticed anything at all, might have just though it was some happening new group at MS trying to make a name for themselves, and let it right on through.
-
Wednesday 19th May 2021 19:28 GMT steviebuk
Googles checks just don't exist
I bet. To save every fucking penny they get "AI" to do the checks. This is evident with their fucking constant disregard for all the clear fucking scam adverts on YouTube of late.
Over the past month, I've lost count of the amount of times I've seen the starscope monocular advert scam. And lets not forget the "I have this amazing fomula on how you can make £5k a day. Just sign up to this free course" which turns out to be one free course convincing you to pay lots of money for the other lessons. Which turn out to be nothing more than "Sell my courses and you'll get commission" none of them realise the guy/woman (don't see many women doing this scam but know they do, one from the apprentice did) who has this "Secret", the secret is flogging the bullshit courses.
-
-
Thursday 20th May 2021 03:22 GMT JBowler
And firefox also supports Chrome extensions
Including the one in question:
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Chrome_incompatibilities
No mention there that they check extensions for misusing Microsoft's trademark.
Now let's all join hands and find a web browser that is NOT based on webkit. At least if we fail we can circle round in our flowy skirts singing about world pieces.
-
Thursday 20th May 2021 03:23 GMT JBowler
And firefox also supports Chrome extensions...
Including the one in question:
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Chrome_incompatibilities
No mention there that they check extensions for misusing Microsoft's trademark.
Now let's all join hands and find a web browser that is NOT based on webkit. At least if we fail we can circle round in our flowy skirts singing about world pieces.
-
Biting the hand that feeds IT
