The gist is that spammers message the publishers of Play apps looking for willing developers to (a) integrate random tracking/advertising/analytics "SDKs", (b) integrate dubious/malicious software like cryptocurrency miners, P2P relays, or (c) sell their app outright.
The idea is that, at any given time, you don't know whether an app you've downloaded from the Play store has done any of these things, and the spammers probably know they can keep such "infected" apps on the Play store for long enough to turn a profit.
Too many good apps fall victim to the temptation. For example, ES File Explorer. It went from a great app to one with too many ads to outright malicious and now the developer is banned from the app store entirely. I still haven't found a file manager that lets you manage multiple tabs of file folders with windows shared folders with the same level of elegance.
You can access SMB shares in Amaze by tapping the plus sign (+) floating action button at the bottom-right, choosing "Cloud Connection", and then selecting "SMB Connection".
After a bit of digging, it looks like Amaze is limited to 2 tabs, which you switch between by swiping left and right. I guess that's technically "multiple tabs" as their Play Store listing states.
There's also Ghost Commander if you're looking for an open source file manager with more capabilities. It uses a 2-panel layout, supports plugins, and has a long list of features:
I learnt a nice way to answer these kinds of questions for myself lately. Ask yourself the following question: On which side do you want to fail? (or on which side do you want to err?)
Would you rather have an app on your phone with access to your files that most probably runs dubious software alongside? Or would you rather not miss out on the elegance and convenience it provides? I guess the answer depends largely on the content of your files and your personal preferences.
Interesting thought - a spammer can use the Play Store’s visible metadata on an app to decide which ones to prioritize. For example, one criterion might be, apps with lots of interesting permissions, decent number of users, but no recent updates. For such an app a spammer could increase their incentives or try more hard-sell tactics.
Not really that far fetched. It's the Raccoon blog. Raccoon, being an open source APK downloader, partially reimplements the play store app and app discovery is what that app is all about.
App works well for my purposes and haven't noticed any issues. If they've been banned from the play store then they can push any updates making it worse than it is now, and the current version doesn't appear to be malicious.
Also, Google hasn't flagged the app, which I believe they would if it was malicious as opposed to made by a company that had issues in other apps. So unless there's specific malicious behavior tracked, which I don't see, I'm not going to get rid of it.
"The Lumen Privacy Monitor" developed by the ICSI Haystack Project collects statistics of outgoing tracking traffic and their app origin on your device.
I wouldn’t say so - even if the built in file explorer works well, if someone built a really slick one with features I wanted, I would probably just use that. It’s like why many people might choose, for example, iTerm2 over Terminal.app, even though the latter is provided with the OS and works well enough for most purposes.
I think it is one of the big failures of Android to have been unable to come up with something better than a file explorer in order to manage your documents on Android.
They have good intentions, e.g. with a system level image picker, but its UX is one of the worst among the system level components.
To come back to the photos example, by default Android has a Document picker. It's .. bad. Unless you are picking a picture you have just taken, you won't be able to find what you are looking for.
At the very least, either allowing apps to respond to the search intent in order to allow them to handle the search however they want or at least delegating this task to one app (like Google Photo) that already has a good search feature.
More generally, I am not a big fan of exposing the file system to end users. It is relatively convenient for power users, but for all the other users it is a complete mystery.
For a pretty long time, Android has toyed with the idea of doing something else. Hiding away the file system as an implementation detail users don't need to know and offering a document based interface instead.
Whether this could work or not has remained unanswered though .. their implementation is so half assed that it is barely worth mentioning.
As far as I've been able to figure out it's the only way to create albums in the photo gallery. Bizarre, and I have to think I'm wrong, but I haven't been able to find anything to contradict it.
1. Google Play Store's requirement that app devs publicly post a contact email address
2. Google's failure to invest more into eliminating bad apps from the App Store (somehow)
3. Google's scorched earth policy with regards to sucking all of the money out of the ecosystem for itself and a very small number of app dev winners -- leaving most of the app devs in the poverty zone
Google could partially address #1 by creating a mail relay which filters out the bad library actors. App devs could use an address into the relay instead of publicly posting their own address and being left to fend for themselves. Of course, that would mean even more of a developer's customer communication would be routed through Google. So that's not exactly optimal either.
I think that the author speaks about the play store because they are an Android dev.
Unfortunately the grass is not really greener on the other side. Apple's app store is also focusing on the free with ads model.
As far as tracking goes, my experience as an app dev is that we have been adding the same sdks on both platforms at the same time with roughly the same possibilities and limitations.
I have only worked on high profile apps, so these SDKs were not on the shady side, but I have seen the spam as well.
I should note that even though the sdks are not shady, we are still tracking a LOT of data. I have a pretty neutral opinion on this though .. our only use for this is to look at how new features influence our metrics.
Which can be positive for everybody. It is good to know that feature x has improved customer satisfaction by 5% so it is worth continuing to invest in it.
I wish there was more regulation on what we can collect, how we can use or not use that data, etc.
Having a standard for TOS where you can use customer data internally to improve your service but are forbidden to sell it might be beneficial. Right now we have tons of pages of lawyerspeak for each and every app or service.
Even reading only those of the main services you use is a very time consuming task. Especially when they change every five minutes for some companies.
The Play Store requires each developer to include a contact email address, which is then published in the store listing for each app. This makes it very easy for someone to scrape all the store listings to collect all of the contact emails to spam.
By contrast, the App Store only requires a support URL to be included in the listing, not an email address.
Apple does not publish the developer's e-mail address but they are usually trivially available on the developer's website.
Personally I have not received any of the offers mentioned in the article. Rather, I get spammed semi-regularly by 1. marketing firms/individuals promising to SEO and ASO my app to top places, 2. design/coding shops located in remote locations to help me with development
If any of the companies actually read the description of my app they would know that their services make no sense for me but hey, I guess they need to find the clients somewhere.
Part of the problem is also that Google promised developers a large Android community, and users free apps. Obviously there's a slight problem with getting paid for work here.
With this culture of "free", it's no wonder if app developers cave and sell out to shady companies.
App Store apps in general have significantly fewer ways to be “truly malicious”, and App Store review is somewhat more stringent than Google’s process from what I’ve heard. However, run-of-the-mill tracking SDKs are commonplace on both stores.
Both stores use automatic detection for malware, the manual testing used by _both_ stores is mostly there for business reasons in my experience.
Google used to be laxer about what you could do with its APIs, but it has started to become way stricter one or two years ago.
It always causes some drama in the dev community when they stop apps from misusing an API (even if the misuse was not shady) but it is mostly for the best.
You're not wrong, but it's one of the many reasons that the Play store has become a complete sewer in terms of quality, safety, and legality of the products offered.
Like Facebook, Twitter, etc. Google built the Play store (and Android at large, really) as a barn with all the doors open, and have been slowly closing them when users get too angry about a given (ridiculous for a multi-billion dollar corporation) problem.
Apple, on the other hand, built a walled garden and added doors to it as needed, and occasionally has taken some away too. You can use the cynical read and say this is to further their position in the market as the "pro privacy" alternative to Google, or you can say it's part of their core company ethos, but the result is the same either way: buying an app off the App Store carries little/no risk, and Apple strongly favors users during any issues that may arise. Play store on the other hand can be 100% safe or extremely risky, with little/no way to tell beforehand, and Google's end user support is notoriously terrible.