
> The original ezone tablet had been running Android 6.0, this Samsung was still on 5.0 but I didn't think that would cause any issues so I got started on doing what was clearly missing: The required apps. All ezone apps are available both on the Advantage Air website and the apkpure site. I only learned of the apkpure site from a post claiming he had been directed to it by an AA tech support person.

Redirecting your customers to a third-party/pirate APK redistributor of unknown authenticity... reality defies parody.



The apps are signed, so it's possible to compare signatures against the originals. I haven't seen any reports of signatures not matching from Apkpure, though certainly possible.

But more importantly, what's the actual threat vector here? This isn't his personal phone. Just don't connect the tablet to your Wi-Fi. What's it going to do, sneakily increase your temperature by 1 degree?


AFAICT you need to have it connected to the internet so that their phone app can connect (presumably via cloud servers) to the control tablet and provide controls from your phone in and out of the house.

Also if you want to integrate the air-con with general smart home stuff.


Android doesn't surface app signatures beyond requiring that updates share the same signature while the original is installed. I thought a potential app could exfiltrate data, voice, do crypto mining, act as an unauthorized VPN exit node for commercial VPNs or cyberattacks, etc.
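On the signature point raised above (both "it's possible to compare signatures against the originals" and "Android doesn't surface app signatures"), here is an added example, not code from the thread: it reads the signer certificates out of the v1 (JAR) signature files of two APKs, the vendor's download and the mirror's copy, and compares their SHA-256 fingerprints. It assumes both APKs carry a META-INF/*.RSA block (APKs signed only with scheme v2/v3 keep their signature in the APK Signing Block and yield nothing here; `apksigner verify --print-certs` covers those), and `build_sample_apk` is a constructed stand-in for test input, not a real signed app.

```python
import hashlib
import io
import zipfile

def _tlv(buf, pos):  # decode one DER TLV header at pos -> (tag, body_start, body_end)
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length

def _certs_from_pkcs7(blob):
    """Pull the DER certificates out of a PKCS#7 SignedData (the META-INF/*.RSA file)."""
    _, p, _ = _tlv(blob, 0)      # enter ContentInfo SEQUENCE
    _, _, p = _tlv(blob, p)      # skip contentType OID
    _, p, _ = _tlv(blob, p)      # enter [0] EXPLICIT wrapper
    _, p, _ = _tlv(blob, p)      # enter SignedData SEQUENCE
    for _ in range(3):           # skip version, digestAlgorithms, encapContentInfo
        _, _, p = _tlv(blob, p)
    tag, q, end = _tlv(blob, p)  # certificates [0] IMPLICIT SET OF Certificate
    certs = []
    while tag == 0xA0 and q < end:
        _, _, e = _tlv(blob, q)
        certs.append(blob[q:e])  # the whole Certificate TLV, header included
        q = e
    return certs

def signer_fingerprints(apk_bytes):
    """SHA-256 fingerprint of every signer certificate in the APK's v1 (JAR) signature files."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in _certs_from_pkcs7(z.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps

def same_signer(vendor_apk, mirror_apk):
    a = signer_fingerprints(vendor_apk)
    return bool(a) and a == signer_fingerprints(mirror_apk)  # unsigned/v2-only pairs never "match"

def _der(tag, body):  # minimal DER encoder, used only to build the constructed sample below
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")) + body
def build_sample_apk(cert_body=None):  # constructed stand-in for an APK; None = no v1 signature
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if cert_body is not None:  # wrap the fake cert in the SignedData layout a real CERT.RSA has
            signed = _der(0x30, _der(0x02, b"\x01") + _der(0x31, b"") + _der(0x30, b"") + _der(0xA0, _der(0x30, cert_body)))
            z.writestr("META-INF/CERT.RSA", _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + _der(0xA0, signed)))
    return buf.getvalue()
```

A matching fingerprint only shows the mirror's copy was signed with the same key as the vendor's; it says nothing about whether that key was ever legitimately the vendor's, which is why the comparison must be against an APK obtained from the vendor directly.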


I was just reading an official Volvo technical bulletin for an issue that can occur in the latest XC90... the manual literally says "download this patch, load it into the patching software, you will get a warning about the patch not being signed and invalid for this car, click ignore and then click proceed anyway".

Why even build those warnings in, if you're going to make your own mechanics ignore them?


Isn't this exactly what SolarWinds did when someone bypassed their build system and inserted a backdoor? Made a tweet about how users could just accept the unsigned build?


It's not too dissimilar to Blizzard using BitTorrent for their software updates --- a clever way of avoiding bandwidth costs.

As the sibling comment mentions, they are signed files.



