I can’t even imagine what pernicious elements they can add to it to bog down someone’s website too. They don’t even have to introduce it on purpose, if it’s just a byproduct they can shrug and not worry about it. It’s shocking how much traffic you lose if your website takes three seconds to load.
There was a similar thread where Play Protect blocked installation of Signal. As it turned out, said copy of Signal was indeed fake, as op downloaded it from F-Droid, where it’s not being distributed.
Then this is a KDE Connect issue. If they sign with different keys, they should use different app names (in the manifest, the visible name could still be the same). If two apps have the same identifier but are signed with different certs, Google is right to treat one of them as an impostor.
Strongly advice you to just turn off Play Protect. It sends your list of installed apps to Google (not that the Android as a whole will stop doing that even after you turn it off). They don’t do shit.
It’s really a shame that that is even normalized. Why is it their business to know what apps are installed on a personal device? Just one more way to fingerprint users and advertise to them.
I remember arguing with a google fanboi about Google’s diktat for Android apps to not have a shutdown button. He was waxing lyrical about how Google PBUH is all knowing and works in mysterious ways. I said google does this so that you can’t turn off its spyware shit.
Interesting. But should this apply to many apps on F-Droid? I also have an app published on both the Play Store and F-Droid and I don’t recall having seen requests to change the application ID to avoid clashes between stores.
KDE Connect is likely a special case; as it is a PC integration app, and a very feature-loaded one at that, it accesses a whole bunch of sensitive stuff like notifications, clipboard, direct file access, SMS functions, keyboard inputs and more.
More than any other non-root-accessing app, you do not want a trojanised version of KDE Connect on your phone.
If the signature matches, Google probably won’t care where they are installed from. I suspect that the KDE Connect in fdroid is signed with a different certificate than on google play, causing it to be flagged as an impostor. This could probably be easily prevented by using the same cert or different app identifiers (to cause them to be treated as different apps).
All F-Droid apks are signed with a different key than the play store one: you do not upload your key when you publish on F-Droid and all the apps are built from source by the F-Droid build servers.
KDE Connect is also available through Google Play and most likely signed with a different key as the F-Droid Version. Since Play Protect checks the App signatures, it probably detected this discrepancy and determined the App was fake. Not really an Assholedesign as this is a valid concern if a normal user downloads an app from the internet.
On the other hand it’s a valid case to have the app installed by means other than the play store. I can’t imagine they have found this discrepancy in signatures for the first time.
You can actually sign the F-Droid app yourself, if you use reproducible builds.
There’s reasonable odds the signatures still won’t match though, because Google requires App Bundles now, and then they build and sign the APK, rather than allowing the developer to build and sign their own APK.
Technically you can use the same key (see “Best Practices” of this page), but it’s kind of shady, and requires giving your private key to Google.
It could just ask before removing shit. Remove the permissions, freeze the app, prompt the user to confirm they meant to install it from somewhere other than the playstore. Hell, since it can detect F-Droid is installed, maybe use some context clues and ask the user to confirm this app was installed from there?
More importantly, can you tell it to ignore certain apps? I don’t know, I’ve had Play Protect turned off forever. If not, that’s absolutely asshole design.
Still making it look like you can get rid of the ads but it doesn’t do that is assholedesign anyways, because they make it a don’t show again button, but they don’t say it only applies to that specific ad. Meaning they can push different ads to you
assholedesign
Hot
This magazine is from a federated server and may be incomplete. Browse more on the original instance.