> now-malicious app that you never use

Mildly off-topic, do you know of any good studies in the dangerous defect rate of auto-updating vs never/manually updating in a semi-sandboxed environment like Android?

Here is a rather convincing answer about why not require user approval for internet access in Android applications. From the Android developers themselves.

https://old.reddit.com/r/androiddev/comments/ci4tdq/were_on_...

I don't know about "running in the background" but Android work using "intents", which mean an app can be woken up effectively at any time, so "don't allow app to run in the background" may not do what you expect.

Huh. I remember a while ago Google Authenticator hid TOTP codes until you tap on them to reveal them. I remember thinking this was an absolutely stupid feature, because it did not mitigate any real threat and was annoying and inconvenient. Apparently a lot of people agreed because a few weeks later, Google Authenticator quietly rolled that feature back.

I wonder if they were aware of this flaw, and were mitigating the risk.

https://unscreenshottable.vercel.app/?text=12345

A patch for the original vulnerability is already public: https://android.googlesource.com/platform/frameworks/native/... and explicitly states in the commit message that it tries to defeat "pixel stealing by measuring how long it takes to perform a blur across windows."

The researchers aren't releasing their code because they found a workaround to the patch.

Then there's a bunch of "no GPU vendor has committed to patching GPU.zip" and "Google has not committed to patching our app list bypass vulnerability. They resolved our report as “Won’t fix (Infeasible)”."

And their original disclosure was on February 24, 2025, so I don't think you can accuse them of being too impatient.

As for "This app will take periodic screenshots of your phone", you still need an exploit to screenshot things that are explicitly excluded from screenshots (even if the user really wants to screenshot them.)

The initial disclosure to Google was on February 24, 2025. They had more than enough time.

Since there's only 3 or so (google, microsoft authenticator, okta, anyone else?) apps in widespread use, that seems not actually like an obstacle?

>but I'm guessing if you install an app on a Windows Desktop computer it can do more chaos faster and more discreetly than pixnapping can on Android.

On desktop, apps aren't sandboxed. On mobile, they are. Breaking out of the sandbox is a security breach.

On desktop, people don't install an app for every fast food chain. On mobile, they do.

In the previous discussion everyone seems happy it’s been patched and not to worry (even though androids mostly don’t run anything like the latest android)

But in this write up they say the patch doesn’t work fully

Would love a terminal and make world while on the go (-;

Bunnie's Precursor? It sounds cool, but it's also expensive as fuck. If you thought $100 for a graphing calculator was a ripoff, the Precursor is a similar form factor and level of computational power, but costs $1000 and can't be used in maths exams.

https://www.bunniestudios.com/blog/2020/introducing-precurso... (currently down, might be up later)

From reading comments on hn over the past couple of years, I'm disappointed how terrible the security practices and knowledge has become. All of this stuff is about to get a lot worse with generative AI.

There are complaints on this story, and on the recent one about the fsf phone project about how inconvenient it is to not be able to access banking apps on your mobile phone. I can't be bothered to enter my banking password every 30 minutes on my desktop! What, I'm supposed to have two phones?

The first thing someone is going to do when they steal your phone (after they saw you enter your password in public) is open your banking and money apps and exfiltrate as much as they can from your accounts. This happens every single day. None of those apps should be installed or logged in on your phone. Same goes for 2FA apps. That's like traveling with Louis Vuitton luggage which is basically a "steal me" sign.

That's the most basic stuff for people who aren't a CEO of a company that is in the crosshairs of state sponsored espionage attacks.

The problems with "bare bones secure OS" device remain the same from a physical access standpoint: social engineering, someone sees your password, steals the device. But otherwise, yes, the devices you install a bunch of spyware/adware games on and take to bars should not be the ones you are doing your banking, 2FA, work, etc on ever.

Or... don't use Android?

App developers can already dynamically mark their windows as secure which should prevent any other app from reading the pixels it rendered. The compositor composites all windows, including secure windows and applies any effects like blur. No apps are supposed to be able to see this final composited image, but this attack uses a side channel they found that allows apps on the system to learn information about the pixels within the final composition.

Biometrics can't be changed if someone ever figures out how to duplicate them.

think it's a fair point. but it still triggered this in me: "only way to prevent more of my data from being stolen is to give Android more of my data"

Consider that your thoughts are a consequence of what you've consumed. They're not guessing what you think, they're influencing it.

Similar people thinking similar thoughts I'd wager

Are you sure that isn't just the horoscope effect?

No OS vendor wants you to do that, unless you're using a desktop, and then Google wants you to use Chrome. They all want a 30% cut of revenue and/or platform lock-in. They'll rely on dark patterns and nerfing features to push you to their app stores.

Similarly, software vendors want you to use apps for the same reason you don't want to use them. They'll rely on dark patterns to herd you to their native apps.

These two desires influence whether it's viable to use the web instead of apps. I think we need legislation in this area, apps should be secondary to the web services they rely on, and companies should not be allowed to purposely make their websites worse in order to get you on their apps.

The unfortunate truth is that so many things require a dedicated mobile app these days to use.

I don't own or carry a smart phone. I'm still able to get by without one, but just barely.

I wish Uber or Lyft allowed me to use a website. I hate having to find a regular taxi or rely on the kindness of others to use their app.

I am not familiar to this type of side-channel attacks but the article says they use GPU.zip which is exploitable through Chrome:

https://www.hertzbleed.com/gpu.zip/

With JS disabled!

I'd say it's _not_ serious when they need to market it.

Anyone remembers the OG heartbleed?

It's quite standard for "big" CVEs nowadays

It started at least since https://www.heartbleed.com/ if not earlier

https://taptrap.click/ has been around for a while.

Interesting. Looks like I upset someone. Not sure why admitting to ignorance is so offensive. Maybe because it's so rare, hereabouts?