[SECURITY] Request QUERY_ALL_PACKAGES and scan all installed apps for non-play-store apps.

[sebastiannielsen]

There is a security issue, where someone could "link" or "share" the app by installing apps outside of Google Play on the phone. These apps does not meet Googles Rules for API usage, meaning they can for example bypass restrictions set by the app maker that prevents for example taking screenshots and similiar.

To combat this, many security sensitive apps now request QUERY_ALL_PACKAGES access, and then scans the all installed apps on phone.
If any app is found to come from outside the Play store (and is not a app from the phone manufacturer), the user is asked to uninstall the app before further usage of the app is allowed.

It could be sensible to have an whitelist of "approved non-play store apps" like Samsung Pay and such that are installed from Samsung Store - but this is then dependant on phone manufacturer, so each phone model has its own whitelist.

The app BankID ( https://play.google.com/store/apps/details?id=com.bankid.bus ) which is an electronic ID app does this. (you can verify this by checking the manifest for the QUERY_ALL_PACKAGES permission, you cannot however verify this in-person as it requires a valid electronic ID from Sweden).

I think this app should do it aswell. Theres absolutely no reason to install apps from outside the Play Store, and it can harm the integrity of the age verification app despite using Remote Attestation.

[TheArcaneBrony]

I believe this is against basic human rights, as well as EU regulations that allow users to use whichever app store they desire. This also includes privacy-centric app stores such as F-Droid.

[Sazu-bit]

The Play Store has enough dominance thank you very much. What about those users trying to de-google their phones to prevent data harvesting (by Google).

[Logianer]

Theres absolutely no reason to install apps from outside the Play Store

That's not for the EU to decide! As other users already said, if you install Android, there is absolutely no reason to use the Play Store in the first place, because it is a seperate service offered by Google that you do not need to use if you want to use your Android phone.

[Secret-chest]

Theres absolutely no reason to install apps from outside the Play Store

There's absolutely no reason to benefit from your phone being a computer!

[Secret-chest]

Also the DMA says we must open up, doesn't work when this app contradicts it by requiring almost everyone to not install those apps. And yes, there are many valid reasons to install apps from outside the Play Store!

[Secret-chest]

@sebastiannielsen please comment on why this wouldn't make the DMA useless.

[sebastiannielsen]

@Secret-chest It only applies to OS manufacturers and device manufacturers, not app developers. App developers are free to implement which restrictions they want, including checking the phone from unverifierd apps.

Why I suggest this implementation:
As how the system is now built, the person in question submits an anonymous age proof to the site in question. Theres a risk, that such anonymous age proofs would be shared or otherwise abused in different ways, as theres noting that links 2 age proof together by design.

For the same reason for example BankID enforces this to prevent fraud (prevent you from, for example installing a remote control app from outside Play store, that a fraudster controls, and then this permits the fraudster from remote controlling BankID, or can atleast send data to it to scam the end user) I think the EU age verification app needs to enforce the same restriction.

To prevent you from "sharing" access to the age verification app. As long as third-party apps is permitted, the age verification could be bypassed in the same way theft of vehicles with an "keyless" system is done - by forwarding the "authorized" signal to the car over a long distance.

This is why the device that the age verification app is installed on, must be trusted fully, which means, that no apps outside of play store should be allowed to be on it.

An alternative way to solve this, is to use android protected confirmations ( https://source.android.com/docs/security/features/protected-confirmation ) to confirm age, but then this requires showing for example, a random code, on a website, that should be entered, then confirmed with button.

This will atleast restrict it so people with physical access to the device can use it, age proofs cannot be shared online, but it still makes it possible for 2 collaborating persons to share age proof.

Restricting non-play apps is the only way to be completely sure, that you could trust a device held by the end user. In the same way many apps that for example give money for doing "missions" inside certain grocery shops, use this type of restriction to prevent you from using a third-party app to cheat the mission and gain the money anyways.

[Sazu-bit]

If third party apps are not allowed... and Google Play is not exactly a 'safe haven' either... this project is dead in the water and won't see uptake. F-Droid for example is extremely valuable to those seeking to de-google their phones.

Your suggestion is extremely anti-competitive. It's almost as if you have an interest in Google.

[TheArcaneBrony]

I agree here with the sentiment that some kind of built-in protection (ie. FLAG_SECURE to disallow screen capture) would be a better fit. I too use F-Droid and a whole host of non-Google Play apps on my devices, such as my messaging apps, KeepassDX, DNS66/TrackerControl, FairEmail, ...
I don't believe it is fair to block end users from using true open source apps on their devices, especially when the Play Store itself is a pay-to-play kind of game, as well as the requirement to accept Google's Terms of Service in order to be able to use the device you purchased.

On that note, who said the machine that's requesting the age verification proof isn't compromised in some way?

[Secret-chest]

@sebastiannielsen You didn't say how this doesn't invalidate a major part of the DMA, if every citizen is required to only use Play apps. There will still be ways to compromise this app and your restrictions will just harm many legitimate users.

[Secret-chest]

The DMA's app store regulation will become theoretical if everyone is required to not use other stores in order to be a citizen.

[sebastiannielsen]

@TheArcaneBrony The problem with FLAG_SECURE is that it only prevents screen capture, it doesn't prevent external input. Which is the reason BankID have restricted non-play apps on the same device.

This is so a malicious app cannot live and wait until the PIN code entry activity disappears, (which now means it waiting for approval) and then send the touch screen events and keypresses that would approve the transaction without the user's approval.

These technologies are restricted at the Play Store so only approved apps can use them, and the permissions are deemed sensitive so they have to have their servers and people vetted by a external security company before they get approval.

If you download the app from outside the store, you bypass those restrictions. I think in the future it will come a DMA compliant solution, where a special google-issued certificate is required to use those permissions, regardless of which app store you download them from. And to get this certificate, you have to pass the same restrictions as if you were publishing it on Play Store.

[Sazu-bit]

That's not at all just handing Google an entire monopoly. (Which violates market competition laws). Remember google take a 30% share of the sale price of apps, naturally Google want everyone to use the play store to maximize their profit. The EU are currently ruling against Google to prevent this.

[sebastiannielsen]

@Secret-chest I think a DMA approved solution will come soon. Both google and apple is working on a solution where a app developer, that wants to use certain sensitive functions, need to gain a approval certificate from Google, and embed the certificate in the app. In this way, the permission to use a specific permission, becomes "portable" and not tied to the Google Play Store, meaning only the developer needs to adhere to the terms of service.

And this will then of coruse only be used for the most sensitive permissions, where apps needs to be vetted before gaining access to those permissions.

And this would then mean, the developer would need to get approval from Google for certain permissions (like MANAGE_EXTERNAL_STORAGE) regardless of which app store the app developer releases on, and this permission check will then be enforced by all android phones, including de-googled ones.

[nukeop]

This is why I don't use smartphones. Dudes like this think they're entitled to have your device compromised and work in ways they want. Smartphones should have a way to send garbage or empty data if an app attempts to scan your installed apps, same for other apis like geolocation, camera access, etc.