• WolfhunterGer@feddit.de
    link
    fedilink
    English
    arrow-up
    207
    arrow-down
    2
    ·
    1 year ago

    KDE Connect is also available through Google Play and most likely signed with a different key as the F-Droid Version. Since Play Protect checks the App signatures, it probably detected this discrepancy and determined the App was fake. Not really an Assholedesign as this is a valid concern if a normal user downloads an app from the internet.

    • gressen@lemm.ee
      link
      fedilink
      English
      arrow-up
      33
      arrow-down
      1
      ·
      1 year ago

      On the other hand it’s a valid case to have the app installed by means other than the play store. I can’t imagine they have found this discrepancy in signatures for the first time.

      • Jajcus@kbin.social
        link
        fedilink
        arrow-up
        9
        arrow-down
        4
        ·
        1 year ago

        Probably most other apps are correctly signed with the same certificate on both sites.

        • leinardi@lemmy.world
          link
          fedilink
          English
          arrow-up
          24
          ·
          1 year ago

          No they are not: F-Droid builds a signs the apps independently. Source: I have apps on both stores.

          • JoeyJoeJoeJr
            link
            fedilink
            English
            arrow-up
            11
            ·
            1 year ago

            You can actually sign the F-Droid app yourself, if you use reproducible builds.

            There’s reasonable odds the signatures still won’t match though, because Google requires App Bundles now, and then they build and sign the APK, rather than allowing the developer to build and sign their own APK.

            Technically you can use the same key (see “Best Practices” of this page), but it’s kind of shady, and requires giving your private key to Google.

    • deweydecibel@lemmy.world
      link
      fedilink
      English
      arrow-up
      31
      arrow-down
      1
      ·
      edit-2
      1 year ago

      It could just ask before removing shit. Remove the permissions, freeze the app, prompt the user to confirm they meant to install it from somewhere other than the playstore. Hell, since it can detect F-Droid is installed, maybe use some context clues and ask the user to confirm this app was installed from there?

      More importantly, can you tell it to ignore certain apps? I don’t know, I’ve had Play Protect turned off forever. If not, that’s absolutely asshole design.

      • glibg10b
        link
        fedilink
        English
        arrow-up
        11
        ·
        1 year ago

        More importantly, can you tell it to ignore certain apps?

        Yes, but it stops ignoring them after a while

        • Hello Hotel@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          edit-2
          1 year ago

          and you come back to your phone and its uninstalled again, scummy! uninstalling also REMOVES the user’s data they stored in the app. turn off Play Protect!

  • smileyhead@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    99
    ·
    1 year ago

    Imagine doing a business if Google one day start to hate you.

    No listing on most popular and the only search engine that counts. Most popular browser gives a big red warning for your website. Even with different browser it won’t connect due to Google being the most popular DNS provider. No app on the only widely used app store on Android - the only OS phone manufactures use besides Apple. Your app is automatically uninstalled on >99% Android phones. Your calls gets blocked by Android spam detector. Your e-mails get blocked by Gmail. And besides that, Google would pumps all of your competition up.

    That much power over the market is very dangerous and should not be legal.

  • ElectroLisa@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    73
    arrow-down
    2
    ·
    1 year ago

    There was a similar thread where Play Protect blocked installation of Signal. As it turned out, said copy of Signal was indeed fake, as op downloaded it from F-Droid, where it’s not being distributed.

    Maybe it’s the same case here?

      • Martin@feddit.nu
        link
        fedilink
        English
        arrow-up
        12
        arrow-down
        2
        ·
        1 year ago

        Then this is a KDE Connect issue. If they sign with different keys, they should use different app names (in the manifest, the visible name could still be the same). If two apps have the same identifier but are signed with different certs, Google is right to treat one of them as an impostor.

    • cooopsspace@infosec.pub
      link
      fedilink
      English
      arrow-up
      21
      ·
      1 year ago

      Yeah and imagine if Google decided they don’t like your small business and ruins your livelihood overnight.

      In no time you’ll lose your house to a bank, all because a company that you have little association with chose to.

      • BolexForSoup@kbin.social
        link
        fedilink
        arrow-up
        4
        arrow-down
        1
        ·
        edit-2
        1 year ago

        I can’t even imagine what pernicious elements they can add to it to bog down someone’s website too. They don’t even have to introduce it on purpose, if it’s just a byproduct they can shrug and not worry about it. It’s shocking how much traffic you lose if your website takes three seconds to load.

        Everyone should switch to Firefox/Mullvad

  • fartsparkles@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    30
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Hilariously, Google Play Protect is one of the worst tools on Android at detecting malware and triggering false positives, and consistently scores poorly in independent tests like AV-Test and AV-Comparatives. You can find links to these tests on the AMTSO website.

  • Darken@reddthat.com
    link
    fedilink
    English
    arrow-up
    20
    arrow-down
    1
    ·
    edit-2
    1 year ago
    • (open) play store
    • (tap) your profile picture
    • (open) Manage apps & device
    • (open) Google play protect
    • (tap) settings icon at the top
    • (disable) scan apps with play protect
    • congratulations, google will babysit us less than before
    • install kde connect again

    Optional:

    • send a hate email to google support but do not abuse the employee reading it, because he is probably under pressure 25h a day by google
  • glimse@lemmy.world
    link
    fedilink
    English
    arrow-up
    15
    arrow-down
    1
    ·
    edit-2
    1 year ago

    This is great design for the average user. Just bad for the power user

  • Sir_Kevin@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    13
    ·
    1 year ago

    Why would anyone enable Google Play Protect? You want them combing through your personal data with the ability to delete anything they disagree with?

    • pedro@lemm.ee
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      I don’t think they waited on Google Play Protect to comb through your personal data

  • grue@lemmy.world
    link
    fedilink
    English
    arrow-up
    10
    ·
    1 year ago

    Not only did the same thing happen to me, now that I’ve disabled Play Protect and reinstalled it I’m having trouble getting it to re-pair with my PC. Thanks for fucking up my property, Google. 🖕

    Where’s the Computer Fraud and Abuse Act when you need it?

  • leinardi@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    1 year ago

    Interesting. But should this apply to many apps on F-Droid? I also have an app published on both the Play Store and F-Droid and I don’t recall having seen requests to change the application ID to avoid clashes between stores.

    • 520@kbin.social
      link
      fedilink
      arrow-up
      14
      ·
      edit-2
      1 year ago

      KDE Connect is likely a special case; as it is a PC integration app, and a very feature-loaded one at that, it accesses a whole bunch of sensitive stuff like notifications, clipboard, direct file access, SMS functions, keyboard inputs and more.

      More than any other non-root-accessing app, you do not want a trojanised version of KDE Connect on your phone.

    • Martin@feddit.nu
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      If the signature matches, Google probably won’t care where they are installed from. I suspect that the KDE Connect in fdroid is signed with a different certificate than on google play, causing it to be flagged as an impostor. This could probably be easily prevented by using the same cert or different app identifiers (to cause them to be treated as different apps).

      • leinardi@lemmy.world
        link
        fedilink
        English
        arrow-up
        8
        ·
        1 year ago

        All F-Droid apks are signed with a different key than the play store one: you do not upload your key when you publish on F-Droid and all the apps are built from source by the F-Droid build servers.

  • 𝒍𝒆𝒎𝒂𝒏𝒏@lemmy.one
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    4
    ·
    1 year ago

    And this is why Play Store is disabled on my device!

    Disabling just play protect works too, but it occasionally shows popups asking for it to be re-enabled ☹️