Why Did Samsung Take Control of My Banking App? Inside Android’s ‘Clobbering’ Dilemma

Samsung and Bank of America didn’t instantly respond to requests for remark for this story. Google and Epic some declined to comment.

Cross-store updates hint backmost to Android’s roots successful the reasonably unfastened Linux platform, and they travel with benefits. As app updates spell done information reviews and different store-specific checks, a download mightiness get astatine varying times crossed app stores. By allowing immoderate of the app stores installed connected their telephone to update an app, users tin guarantee their apps are up to day arsenic soon arsenic imaginable to resoluteness bugs oregon information vulnerabilities, says Bogdan Botezatu, manager of menace probe and reporting astatine cybersecurity institution Bitdefender. “Users should not beryllium disquieted astir getting the update,” helium says.

In an encouraging sign, an investigation of 3 fashionable apps astatine WIRED’s petition by Esther Onfroy, cofounder of information probe institution Defensive Lab Agency, recovered nary quality betwixt copies of the aforesaid app downloaded from Google Play and the Galaxy Store.

There are risks to cross-store updates, though those risks are remote, Onfroy says. An app store with anemic information could beryllium exploited to vessel a malicious update, and having much stores connected a instrumentality raises the imaginable of conscionable 1 of them being corrupted. An app store besides could wrapper an update with codification that enables immoderate signifier of intrusive information collection.

Users are much apt to brushwood nuisances similar updates from different app stores that don’t relation properly. Edward Cunningham, a manager of merchandise absorption astatine Google, told Donato successful tribunal papers that successful 2022, smartphone shaper Oppo’s app store released an unauthorized and outdated update of Google’s Chrome browser. Some users who installed the update couldn’t load web pages connected Chrome.

On Reddit, users person complained astir Google Play updating apps downloaded from the Amazon Appstore, stifling their quality to entree subscription features oregon wage with virtual currencies unsocial to apps from Amazon’s marketplace. In a June tribunal filing, Google’s attorneys acknowledged that users tin suffer in-app purchases and subscriptions. App stores enactment varying billing systems, and the billing strategy utilized successful the existent update of the app whitethorn beryllium the lone 1 that works. So if a crippled downloaded from Epic’s store is updated by Google Play, it whitethorn beryllium Google and nary longer Epic that gets a committee connected in-app purchases, and items acquired successful the past whitethorn not relation arsenic intended.

Cross-store updates besides tin trigger much predominant app crashes, successful portion due to the fact that they tin disrupt the staggered launches that app developers sometimes usage to drawback bugs earlier they spread—the benignant of measurement that helps avert disasters specified arsenic the caller CrowdStrike meltdown.

Adding to the disorder implicit clobbering, app developers tin bounds updates from aggregate app stores by publishing to each store nether antithetic credentials oregon mentation numbers. But past if users bash privation to power to updates from a antithetic app store, they whitethorn person to reinstall the app by downloading a caller mentation from their preferred store, and they mightiness suffer immoderate information successful the process. Users who privation to sphere the existent mentation of an app due to the fact that they similar it besides whitethorn beryllium disappointed if they crook disconnected updates from 1 store portion not realizing that they request to besides crook disconnected updates from different store.