
> Imagine an authenticator app

I will imagine that anyone who creates an authenticator is half-decent enough to NOT take that bribe and serve the greater good.

I will also imagine that when people install authenticators, they would NOT trust one from HenryBemis but only from sources that they recognize (Google, Microsoft, Yubikey, etc.)

It always amazes me how come all smartphone OS creators switch every connectivity option to ON by default on every new app installation. It would take a user another 3-4 seconds per app installation to prompt the user whether they want this app to access Wifi/Data/Background/Roaming. In the same sense that the OS asks you whether you allow access to Calendar, Contacts, Camera, etc. At least half my apps on my Android do NOT need access to the internet to function. They may 'want', but definitely not need.



> I will imagine that anyone who creates an authenticator is half-decent enough to NOT take that bribe and serve the greater good.

Dear HenryBemis,

As a CEO of TRC, I would like to extend you an offer to purchase source and distribution rights to your app, SummerChildAuthenticator, to the form of $500,000 (five hundred thousand US dollars). We are a fast growing SV startup that wants to make it easier for people to secure their papers and money on-line. We have developed a streamlined, easy-to-use, user interface for authenticator applications and are looking for a way to quickly put it in front of a wide audience. We believe that your SummerChildAuthenticator, with its established base of over 50 000 users, is the gateway we are looking for.

If you are interested in this offer, please reply to this e-mail.

Sincerely yours,

TeMPOraL, CEO, TRC

<smallfont>Temporal's Rackets and Cons is a startup registered in Southern Vescillo, Arstotzka.</smallfont>

--

You think to yourself: "this is a good deal! The app is unlikely to grow more, it isn't making you any money anyway. Here is this hot new startup with great ideas, what's the worst that could happen? They'll just inject an ad here and there. Meanwhile, I have medical expenses, and..."

So you agree, and I take your app, and run a "growth hacking" campaign on Reddit to blow its userbase up to 500 000 people, and then proceed with my main business plan, which is selling access to OTP codes to the mob running phishing scams.

(Oh, dear reader, you've noticed Arstotzka and thought I'll be selling data to evil government? Nope, we registered there only because it'll make it mighty hard for anyone to sue us.)


I hear you.

Any developer knows/understands if the offer comes from a legit source or scumbag. I cannot make other people's choices for them. My answer would be 'no' even for 100k, BUT I am in HN and I suggest people get off Facebook and Google because they are privacy nightmares (also certified in a couple of audit/security areas - so there's that). Btw I did have an app on Apple store, target audience was children (3-6 years old), it did OK, I just didn't have the time to keep it around (for the little revenue it was bringing). It worked 100% offline, no tracking, no ads, no nothing. I have a free version as a sample and the full version at $0.99. I chose to sell rather than help the ad beast grow bigger and track children more.

But that is just me. $50k is a serious amount but it won't make me or break me. For some other parts of the world, where a monthly salary may be $200.....


I did offer $500k though, not $50k :).

And while I don't think you personally will sell out like this, I wanted to highlight that a) it's easy to make such an offer sound legit enough (particularly to developers with little experience with the world at large), and b) an Authenticator app is a perfectly valid target for such an offer. I'd even say it's a more lucrative target than most.


You cannot trust established players either. For instance, cheaper Samsung phones ship with a lot of shady software, as I found out helping relatives.

And a lot of reputable software companies have sold out to peddling adware. Adobe is one, and there are a lot of others. Abandoned shareware or open source often resurface with adware installers.


https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk...

> When inserted into a computer, the CDs installed one of two pieces of software which provided a form of digital rights management (DRM) by modifying the operating system to interfere with CD copying. Neither program could easily be uninstalled, and they created vulnerabilities that were exploited by unrelated malware. One of the programs would install and "phone home" with reports on the user's private listening habits - even if the user refused its end-user license agreement (EULA), while the other was not mentioned in the EULA at all. Both programs contained code from several pieces of copylefted free software in an apparent infringement of copyright, and configured the operating system to hide the software's existence, leading to both programs being classified as rootkits.

> on about 22 million CDs

https://en.wikipedia.org/wiki/Superfish

> The installation included a universal self-signed certificate authority; the certificate authority allows a man-in-the-middle attack to introduce ads even on encrypted pages. The certificate authority had the same private key across laptops; this allows third-party eavesdroppers to intercept or modify HTTPS secure communications without triggering browser warnings by either extracting the private key or using a self-signed certificate.


> It would take a user another 3-4 seconds per app installation to prompt the user

Ah yes, I too remember the FirefoxOS. Good times.


Sadly, the permissions-by-default problem is not unique to Android. I bought a new iPhone a couple of years ago and spent nearly an hour straight away just turning off all the junk I didn't want. That is now the way of the world, if all you want is a phone for communications and running a small number of essential apps because too many organisations now assume everyone will have a smartphone.

I suppose I should be grateful that I can turn off a lot of permissions for apps at all these days, unlike the malware built into recent versions of the major desktop operating systems. :-(



