Sean Hollister

Senior Editor

    Sean Hollister
    “If your drawbridge is down, attackers can just walk right in.”

    Dr. Qian is explaining the security concept of “defense in depth,” using a castle with a moat, drawbridge, walls, and guards as an analogy.

    “You want to introduce multiple layers of defense in case one layer is bypassed by the attacker.”

    “We want to grant that [app install] permission only when it is necessary.”

    He says the sideloading friction screens follow another principle, “securing the weakest link,” because the weakest link is often the human being who doesn’t think it through.

    Sean Hollister
    “There is a general consensus that sideloading is risky.”

    That’s Google’s security expert. He told Google’s lawyer that sideloaded apps inherently have a higher risk of being malware (because they haven’t been reviewed, which seems obvious), that the research is consistent that sideloaded apps are riskier, and that entities like Samsung and Verizon warn their users about the risks of sideloaded apps.

    Sean Hollister
    “I think Professor Mickens and I agree on this point.”

    Now that Epic’s expert Professor Mickens is no longer on the stand, his Google counterpart is taking advantage — twice suggesting to the jury that Mickens would agree that some of Google’s existing screens make sense, at least in terms of ensuring user consent to an app install.

    Mickens is still technically here — now, he’s in the courtroom gallery like me, taking notes with pen and paper.

    Sean Hollister
    “There never was Cyberpunk for Android, but unfortunately users don’t know better.”

    Google’s security expert Dr. Qian is describing various types of annoying and scary malware that have hit Android devices, including adware, ransomware, and spyware. One example was a fake Cyberpunk 2077 game that wasn’t a game at all.

    Like his Epic counterpart, Qian has three basic arguments that we’re now seeing on-screen:

    Android devices face a significant threat of malware that can harm users

    Android sideloading screens are prudent and consistent with best practices

    Prof. Mickens’ proposals are less flexible, would introduce new security risks, and impose significant burdens on Google.

    Sean Hollister
    We’re now hearing from Google’s expert witness: Dr. Zhiyun Qian.

    He’s a professor at UC Riverside who spent two years working on Android anti-malware solutions, and Google is taking care of a question about his financial conflict of interest right away: his lab received a grant from Google for a couple hundred thousand dollars, but he says it was less than 5 percent of the lab’s funding and that he received none personally.

    He hasn’t yet said whether Google paid him to consult on this case, though.

    Sean Hollister
    Epic explains why game consoles don’t have sideloading.

    Mickens, prompted by Epic’s attorney, says the Switch, PlayStation and Xbox are gaming devices — not general purpose computers like an Android phone — and that game consoles are often sold at a loss, making their money back on software, so there’s an economic reason to lock them down.

    Sean Hollister
    “There’s no requirement that all app developers register with Google.”

    Mickens says his notarization proposals would keep that optional.

    In other words, Epic Games could make Fortnite a trusted, non-scare-screen app by getting it notarized, but other developers wouldn’t have to if they’re fine with more warnings.

    Sean Hollister
    Google points out Epic makes Fortnite available on consoles, which don’t offer sideloading.

    Google also tried to draw him into some questions to promote its “we compete with the iPhone” narrative, asking if Android was much less restrictive than iOS (he agreed) and if Apple hammers Android on security in its marketing.

    Google asked if Apple would have a field day if it dropped its sideloading warnings — setting up a straw man, since Mickens doesn’t propose dropping them entirely.

    I think I got one word wrong in this quote, but this is almost entirely what he said:

    “I think if Google did not replace those sideloading warnings with something that protects users, then Apple would make some hay out of that.”

    He’s Epic’s witness again, just to go over some fine points of what he told Google.

    Sean Hollister
    Google is suggesting the existing sideload flow on Android isn’t incredibly far from what Mickens is asking for.

    We’re seeing that after we eliminate steps in the modern install flow that are out of the Android operating system’s direct control, there are few that Mickens takes issue with — mostly just the scare screens.

    “You agree with the concept of asking users for consent before you allow one app to be an installer on the phone, right?” Yes.

    In a March video deposition, Mickens suggested that the discriminatory nature of the scare screens (that is to say, they don’t pop up when you install via Google Play, only third-party stores and sideloaded apps) was his primary remaining concern with them.

    Sean Hollister
    Google introduces us to “Nitflix,” a supposed Netflix app from a site called APKFab.

    “All APK/XAPK files on APKFab.com are original and 100% safe with fast download,” reads the listing at APKFab, which also has a fancy “Trusted App” badge with a green checkmark.

    Professor Mickens admits he doesn’t know if APKFab reviewed this app at all, and that the “com.tveemobilee.nitflix” file hosted there is likely not a legitimate app.

    The point, I assume, is that decentralized notarization would lead to confusion about which websites have legitimate apps? We didn’t quite get to that.