I guess my question is, is this problem really unique to sideloading, and if not, can it be addressed in the same ways we address other problems?
For example, does everyone know the official source of Facebook? If so, why, and if not, why is there not an epidemic of fake Facebook scams that steal login credentials? I know there are targeted phishing attacks, which is a separate issue, but I haven't heard of significant attacks from people who just didn't know the correct login page.
One way we do deal with this is with targeted blacklists of known-bad sites, particularly Google Safe-browsing. That's certainly a mechanism that could be employed for Android Malware—and I think it already is, actually.
Problems do happen—but I don't see anyone calling on Google to restrict Chrome to a whitelisted set of approved URLs. And I'd posit that gaining access to someone's Facebook account is no less invasive than gaining access to their phone.
Don't the overwhelming majority of people access Facebook via the app these days? So the official source of Facebook for those people is... the App Store or the Google Play Store.
> And I'd posit that gaining access to someone's Facebook account is no less invasive than gaining access to their phone.
I don't think so. Accessing someone's Facebook messages and photos is one thing, gaining access to their phone means gaining access to their email which means potential access to any account linked to that email. Given how many people use mobile banking these days, I'd say there's a lot more potential for damage if your phone is compromised.
For example, does everyone know the official source of Facebook? If so, why, and if not, why is there not an epidemic of fake Facebook scams that steal login credentials? I know there are targeted phishing attacks, which is a separate issue, but I haven't heard of significant attacks from people who just didn't know the correct login page.
One way we do deal with this is with targeted blacklists of known-bad sites, particularly Google Safe-browsing. That's certainly a mechanism that could be employed for Android Malware—and I think it already is, actually.
Problems do happen—but I don't see anyone calling on Google to restrict Chrome to a whitelisted set of approved URLs. And I'd posit that gaining access to someone's Facebook account is no less invasive than gaining access to their phone.