In article <ttnbou$3ublf$1@dont-email.me>, Chris <ithinkiam@gmail.com>
wrote:

> >> If
> >> it's not the thief, so what? The thief has confirmation that a reset has
> >> occurred but no actual information. Or banks send out passwords in plain
> >> text emails?!
> >
> > the banks (or other companies) generally send a link to the email on
> > file to confirm the change and go through the reset process, which is
> > where a new password is entered. the thief has the phone and will
> > receive that email, and will be able to easily complete the process.
> >
> > in some cases the user is sent a temporary password or one is dictated
> > over the phone (i've experienced both)
>
> No sensible organisation should be able to see your passwords. That's
> security 101.

i didn't say they can see them. what i said was that in some cases, a
temporary password is sent instead of a link to click. usually it's via
email but it can also be dictated. it's *temporary* and will expire.
the customer service agent handling the call has access to everything
anyway.

> The person in the article should sue her bank not complain about Apple.

customers are not liable for fraudulent activity.

her money will be restored, but that doesn't make for good headlines.

nospam <nospam@nospam.invalid> wrote:
> In article <ttnbou$3ublf$1@dont-email.me>, Chris <ithinkiam@gmail.com>
> wrote:
>
>>>> If
>>>> it's not the thief, so what? The thief has confirmation that a reset has
>>>> occurred but no actual information. Or banks send out passwords in plain
>>>> text emails?!
>>>
>>> the banks (or other companies) generally send a link to the email on
>>> file to confirm the change and go through the reset process, which is
>>> where a new password is entered. the thief has the phone and will
>>> receive that email, and will be able to easily complete the process.
>>>
>>> in some cases the user is sent a temporary password or one is dictated
>>> over the phone (i've experienced both)
>>
>> No sensible organisation should be able to see your passwords. That's
>> security 101.
>
> i didn't say they can see them. what i said was that in some cases, a
> temporary password is sent instead of a link to click. usually it's via
> email but it can also be dictated. it's *temporary* and will expire.

Doesn't matter. A bad actor service agent could impersonate a customer.

> the customer service agent handling the call has access to everything
> anyway.

Definitely not true.

>
>> The person in the article should sue her bank not complain about Apple.
>
> customers are not liable for fraudulent activity.
>
> her money will be restored, but that doesn't make for good headlines.
>

In article <tto3d4$qdi$2@dont-email.me>, Chris <ithinkiam@gmail.com>
wrote:

> >> No sensible organisation should be able to see your passwords. That's
> >> security 101.
> >
> > i didn't say they can see them. what i said was that in some cases, a
> > temporary password is sent instead of a link to click. usually it's via
> > email but it can also be dictated. it's *temporary* and will expire.
>
> Doesn't matter. A bad actor service agent could impersonate a customer.

that's always been an issue, which is why their actions are logged and
calls recorded.

> > the customer service agent handling the call has access to everything
> > anyway.
>
> Definitely not true.

very much true.

when the bank verifies a customer, they need to have access to the
account, including the insecurity questions, account balance, recent
transactions, etc.

nospam <nospam@nospam.invalid> wrote:
> In article <tto3d4$qdi$2@dont-email.me>, Chris <ithinkiam@gmail.com>
> wrote:
>
>>>> No sensible organisation should be able to see your passwords. That's
>>>> security 101.
>>>
>>> i didn't say they can see them. what i said was that in some cases, a
>>> temporary password is sent instead of a link to click. usually it's via
>>> email but it can also be dictated. it's *temporary* and will expire.
>>
>> Doesn't matter. A bad actor service agent could impersonate a customer.
>
> that's always been an issue, which is why their actions are logged and
> calls recorded.

And why passwords shouldn't be visible.

>>> the customer service agent handling the call has access to everything
>>> anyway.
>>
>> Definitely not true.
>
> very much true.
>
> when the bank verifies a customer, they need to have access to the
> account, including the insecurity questions, account balance, recent
> transactions, etc.

Not the password nor any PINS. So not everything.

In article <ttogv0$2d4l$1@dont-email.me>, Chris <ithinkiam@gmail.com>
wrote:

> >>>> No sensible organisation should be able to see your passwords. That's
> >>>> security 101.
> >>>
> >>> i didn't say they can see them. what i said was that in some cases, a
> >>> temporary password is sent instead of a link to click. usually it's via
> >>> email but it can also be dictated. it's *temporary* and will expire.
> >>
> >> Doesn't matter. A bad actor service agent could impersonate a customer.
> >
> > that's always been an issue, which is why their actions are logged and
> > calls recorded.
>
> And why passwords shouldn't be visible.

they're not visible. the reset password is a *temporary* password that
is *sent* to the user and expires.

one entity did dictate a password one time, but that's the exception,
not the rule, and the customer service agent already had access anyway.

it's a complete non-issue.

> >>> the customer service agent handling the call has access to everything
> >>> anyway.
> >>
> >> Definitely not true.
> >
> > very much true.
> >
> > when the bank verifies a customer, they need to have access to the
> > account, including the insecurity questions, account balance, recent
> > transactions, etc.
>
> Not the password nor any PINS. So not everything.

internal employees don't need passwords or pins to access someone's
account, for reasons that should be obvious.

VanguardLH used his or her keyboard to write :

>> Do you think this app was ever on the Google Play Store ...
>
> I was never interested in this app, so I cannot say if I've ever before
> seen it at play.google.com. My suspicion is that Google would ban this
> app when their attention got focused on it.

You didn't get it that the question was rhetorical.

>> ... or that it was always sideloaded such that it's impossible for
>> Google to yank the app.
>
> I suspect it was never at Google's Play Store, or it got yanked.

The former. Not the latter.

> It's
> not there now, probably never was there, and it had to be retrieved from
> elsewhere.

Like any app which competes with Google by using Google's public APIs.

> There are lots of apps available that cannot be hosted at
> Google's Play Store due to violating Google's rules, or the app author
> not wanting to go through the hassle and restrictions imposed by Google.

These apps are way better than the Google apps they're replacing.
Google doesn't have your best interest in mind. These apps do.

> There are payware apps not at Google's Play Store, because the author
> doesn't want to give a slice of each sale to Google.

These are open source free apps that only ask for voluntary donations.
> My point was that Google doesn't explain why they ban or yank apps. I
> didn't go into why app authors host their apps somewhere else.

You need to understand that Google doesn't have your best interest in mind.
These apps do.

You also need to understand that Google provides a legally public API.
These apps use them.

What you need to understand is that it doesn't matter if Google doesn't
like that these apps compete with Google since they do it 100% legally.

If you don't want to use these apps, it's your loss, not Google's loss.
But don't complain that Google will never give you what you want.

Because these apps do give you what you want.
That's why they were written.

Because everyone wants to be able to filter app searches the way you want.

On 2/28/2023 2:29 PM, VanguardLH wrote:

<snip>

> Of the apps that I've installed on my phone, few were retrieved using
> Google's Play Store app. Instead I would visit play.google.com to find
> the app, and select to have their site push it to my phone. I don't
> even have to be on my phone. I can visit their site using a web browser
> on my desktop PC, an iPad, or wherever as long as it can connect to
> play.google.com.

Yes, this is enormously convenient.

On Android, if you see an app that is promoted on some web site while
using your Windows, Linux, or MacOS computer, you can click on a link
and push the app to your Android devices. I do wish that it included an
option to push it to multiple Android devices at once, but it doesn't.

For the iPhone and iPad, you’ll get a message "This app is available
only on the App Store for iPhone and iPad." You have to go onto your
iPhone or iPad and search for the app in the App Store. Usually there
are a bunch of apps that show up in the search and you have to find the
one you’re looking for.

I wish that Apple would make this feature available for iPhones and
iPads. Actually, the right thing to say is "I wish that Apple would
bring back this feature for iPhones and iPads," since the capability to
search for, and install iOS and iPadOS apps used to exist in iTunes on
Windows and MacOS. It was removed in the iTunes 12.7 update, "Management
of apps, books, and tones has been removed from iTunes 12.7." see:
<https://discussions.apple.com/docs/DOC-12234>. Amusingly, the removal
of this functionality was touted as "the new App Store makes it easy to
get, update, and redownload apps—all without a Mac or PC," see
<https://web.archive.org/web/20210410115758/https://support.apple.com/en-us/HT208075>.
I'd love to know the real reason that this enormously convenient
capability was removed.

I have this in the document
<https://docs.google.com/document/d/1JznrWfGJDA8CYVfjSnPTwfVy8-gAC0kPyaApuJTcUNE/>
as 112a on page 57.

On 2023-03-02, sms <scharf.steven@geemail.com> wrote:
>> Of the apps that I've installed on my phone, few were retrieved using
>> Google's Play Store app. Instead I would visit play.google.com to find
>> the app, and select to have their site push it to my phone. I don't
>> even have to be on my phone. I can visit their site using a web browser
>> on my desktop PC, an iPad, or wherever as long as it can connect to
>> play.google.com.
>
> Yes, this is enormously convenient.

What's even more convenient is you can extract all the APKs from one phone
to a hard drive (or USB drive) and then re-install onto any Android phone.

That requires more than you think because the APKs for Android are usually
CPU-independent (one APK contains the installer for all possible CPUs).
> On Android, if you see an app that is promoted on some web site while
> using your Windows, Linux, or MacOS computer, you can click on a link
> and push the app to your Android devices. I do wish that it included an
> option to push it to multiple Android devices at once, but it doesn't.

That is a bonus but you can already "drag and drop" any APK file sitting on
a Windows computer to the Android phone (connected over USB or Wi-Fi) and
it will automatically install itself when you let go of the mouse button.

> For the iPhone and iPad, you'll get a message "This app is available
> only on the App Store for iPhone and iPad." You have to go onto your
> iPhone or iPad and search for the app in the App Store. Usually there
> are a bunch of apps that show up in the search and you have to find the
> one you're looking for.

Android, by default, always keeps the original APK on the phone for every
app that was ever installed on that phone, so you don't ever need to go to
the App Store once you have installed an app once onto any Android phone.

You only need to go to the App Store when you are installing an app that
you've never installed before on any Android phone (which isn't often).

> I wish that Apple would make this feature available for iPhones and
> iPads. Actually, the right thing to say is "I wish that Apple would
> bring back this feature for iPhones and iPads," since the capability to
> search for, and install iOS and iPadOS apps used to exist in iTunes on
> Windows and MacOS. It was removed in the iTunes 12.7 update, "Management
> of apps, books, and tones has been removed from iTunes 12.7." see:
> <https://discussions.apple.com/docs/DOC-12234>. Amusingly, the removal
> of this functionality was touted as "the new App Store makes it easy to
> get, update, and redownload apps-all without a Mac or PC," see
> <https://web.archive.org/web/20210410115758/https://support.apple.com/en-us/HT208075>.
> I'd love to know the real reason that this enormously convenient
> capability was removed.

What is nice about Android is that it keeps by default every APK that was
ever installed on the phone, even for all the carrier & Google system apps.

If you copy those APKs to your hard drive, you can re-install them onto any
phone because Android APKs can include all architectures in that installer.

> I have this in the document
> <https://docs.google.com/document/d/1JznrWfGJDA8CYVfjSnPTwfVy8-gAC0kPyaApuJTcUNE/>
> as 112a on page 57.

That seems like a comprehensive document that must have taken you years.
I just downloaded it but haven't had a chance to read it yet.

The main thing that iPhones & iPads are missing is sideloading of apps plus
extraction of the existing apps from any one phone so that you always have
the installer which will work on any other phone, plus for that installer
to contain all the architectures for all the phones, plus the ability to
tap on the installer to install it.

Powerful combination of those four things is what the iPhone is missing.

With those four things that are missing from the iPhone, Android can
install all apps from one phone on any number of other Android phones
without needing anything other than a place to store all those installers.

In article <ttr0ls$ck3r$1@dont-email.me>, sms
<scharf.steven@geemail.com> wrote:

> For the iPhone and iPad, you¹ll get a message "This app is available
> only on the App Store for iPhone and iPad." You have to go onto your
> iPhone or iPad and search for the app in the App Store. Usually there
> are a bunch of apps that show up in the search and you have to find the
> one you¹re looking for.

there is no need to search, but even if that was true, if you found it
the first time you can find it again.

> I wish that Apple would make this feature available for iPhones and
> iPads. Actually, the right thing to say is "I wish that Apple would
> bring back this feature for iPhones and iPads," since the capability to
> search for, and install iOS and iPadOS apps used to exist in iTunes on
> Windows and MacOS. It was removed in the iTunes 12.7 update, "Management
> of apps, books, and tones has been removed from iTunes 12.7."

it's still in the 12.6 fork and can be done in other ways.

I updated the section of the document that goes into this because there
was some confusion, by at least one person, about how Secure Folder
works. The web version is at
<https://docs.google.com/document/d/1JznrWfGJDA8CYVfjSnPTwfVy8-gAC0kPyaApuJTcUNE/edit#bookmark=id.8m5lho8ne3if>.

Here is the text version:

There are a number of Android apps that add the ability to lock
individual apps, i.e. "App Lock - Pin, Pattern, Fingerprint" Apps on
Google Play
<https://play.google.com/store/apps/details?id=mstoic.apps.applock>.

If you want to hand a phone to one of your children, or to a colleague,
or even a stranger (to take a photo or whatever), it makes sense to have
apps with personal information secured when the phone is unlocked.

A typical phone theft scenario in cities is for a thief to run up (or
bicycle up) and grab a phone out of someone’s hand while they’re walking
down the street. Or they may offer to take a picture of your family when
you’re on vacation then run off with your phone. In this case, the phone
is unlocked and the thief has access to all the apps on the phone,
including apps like Amazon which does not require a separate login.
Locking certain apps makes sense in terms of security. See "Woman had
$10,000 taken from bank account minutes after iPhone stolen"
<https://finance.yahoo.com/news/woman-got-locked-her-apple-163000848.html>.
For most banking apps, you usually will need a separate passcode or
biometrics to get to a screen where it uses 2FA (the 2FA is essentially
worthless of course because the SMS comes to the unlocked phone), but
you'd need to enter the passcode to even get to the point where 2FA is sent.

What's needed is the ability to individually require biometrics, or a
PIN, to open certain apps even when the phone screen is already unlocked.

For newer Samsung Galaxy phones, this feature is built in, using "Secure
Folder." For older Samsung phones you can install the Secure Folder app
from the Play Store
<https://play.google.com/store/apps/details?id=com.samsung.knox.securefolder>.
Other Android device manufacturers with this feature are Asus, Huawei,
Honor, OnePlus, Redmi, and Xiaomi; see How to lock apps on your Android
phone to prevent unauthorized access
<https://www.xda-developers.com/how-to-lock-apps-on-your-android-phone/>
Motorola, Google Pixel, Sony, and other Android devices do not have this
feature built in. Read more about Samsung’s Secure Folder at "This
Sublime Samsung Security App Has 1 Billion Downloads, Here’s Why"
<https://www.forbes.com/sites/daveywinder/2020/08/01/this-samsung-security-app-has-passed-1-billion-downloads-heres-why-secure-folder-privacy/?sh=1beab0ca3ac1>.

There are Android Apps like AppLock
<https://play.google.com/store/apps/details?id=com.domobile.applockwatcher
> which provide the same type of protection. However an easier way to
achieve this is to create a separate Android user profile that contains
apps that require additional security (bank accounts, shopping, etc.).
The ability to have multiple user accounts on an Android device is
another significant advantage of Android over iOS (see 45a, “Multiple
Users”
<https://docs.google.com/document/d/1JznrWfGJDA8CYVfjSnPTwfVy8-gAC0kPyaApuJTcUNE/edit#bookmark=id.igct6rif5df1>
on page 38 of the document). Apple does support this on some versions of
iPads, see Shared iPad overview - Apple Support.

Unfortunately, as "Learn how to passcode protect individual Android
apps"
<https://www.komando.com/smartphones-gadgets/secure-your-apps-and-protect-your-phone/695779/>
states: "Unfortunately, Apple lags behind Android in this regard. Sure,
you can lock your iPhone or iPad by setting a passcode or taking
advantage of Touch ID and Face ID. Although some apps like Whatsapp have
built-in lock mechanisms, Apple doesn’t offer any native feature that
lets you lock apps." Also, unlike Android, iOS doesn’t allow multiple
user accounts on one device so you can’t use that method either (Apple
does allow multiple accounts on iPads sold into the education market).

You can lock an iPhone to a single app, with "Guided Access"
<https://support.apple.com/en-us/HT202612> (so when you give your kid
your phone to play a game they can't switch to other apps), but you
can't lock individual apps. Hopefully a future version of iOS will add
this capability. For now, this feature may be available on jailbroken
iPhones, not sure if this Tweak is still available, see "Cydia Tweak:
Passcode Lock Individual iOS Apps With iAppLock"
<https://appadvice.com/appnn/2014/02/cydia-tweak-passcode-lock-individual-ios-apps-with-iapplock>
.. When a Tweak for jailbroken phones is available this generally means
that a feature that’s in demand by a large number of users is not
available in iOS. Also see the "BioProtect Tweak BioProtect XS"
<cydia.saurik.com/package/net.limneos.bioprotectxs/> which provides
biometric protection for individual apps. There is also a jailbreak
tweak that adds multi-user capability, "Restriction"
<https://repo.twickd.com/get/com.twickd.southerngirlwhocode.restriction>.

Note that the “Secure folder” in iOS 16 isn’t the same as what Samsung,
and other Android device makers, offer. See "iPhone gets Secure Folder
with iOS 16 in a still WEIRD way!"
<https://tech.hindustantimes.com/mobile/news/iphone-gets-secure-folder-with-ios-16-in-a-still-weird-way-71654578631042.html>
which explains what iOS is offering.

On Samsung devices you need to set up a Samsung account before using
Secure Folder. If you ever forget your credentials you can retrieve them
with the Samsung account. You would also have to connect to the account
if you change your credentials, but other than that nothing in the
Secure Folder is stored in the Samsung Cloud, everything is done on your
phone.

One person was extremely concerned that in order to use Secure Folder on
a Samsung device you must create a Samsung account. He believed that the
data and apps in the phone’s Secure Folder were somehow stored in the
cloud on Samsung’s servers. This is not how it works! What is stored in
the Samsung account is solely the ability to retrieve your login
credentials to the Secure Folder in case you forget them (you would have
to also log in if you want to change your credentials). Your data and
your apps are stored on the phone, not in the cloud! However if someone
is concerned about Samsung providing a way to retrieve their login
credentials then they can remove their Samsung account after enabling
Secure Folder (though that would be really stupid) or they can use one
of several Android app lock apps that don't have such a requirement.
This person’s objection to Secure Folder appeared to be based on the
fact that the iPhone doesn’t have this feature!

In article <ttr59m$d6rq$1@dont-email.me>, sms
<scharf.steven@geemail.com> wrote:

> I updated the section of the document that goes into this

as usual, it is not entirely correct.

> For most banking apps, you usually will need a separate passcode or
> biometrics to get to a screen where it uses 2FA (the 2FA is essentially
> worthless of course because the SMS comes to the unlocked phone),

that's a flaw with sms, not banking apps or choice of phone.

many banking apps use totp 2-factor codes, which is not reliant on sms
(and works when outside of cell coverage areas). some can be secured by
a yubikey or similar.

> What's needed is the ability to individually require biometrics, or a
> PIN, to open certain apps even when the phone screen is already unlocked.

banking apps and some email apps do exactly that.

On Thu, 2 Mar 2023 at 21:43:17, sms <scharf.steven@geemail.com> wrote: (my
responses usually follow points raised):
> There are a number of Android apps that add the ability to lock
> individual apps, i.e. "App Lock - Pin, Pattern, Fingerprint" Apps on
> Google Play
> <https://play.google.com/store/apps/details?id=mstoic.apps.applock>.

Why did you pick an app lock with a low 4.5 rating and has ads when you
could have picked one that has a 4.7 rating and doesn't have any ads?

> If you want to hand a phone to one of your children, or to a colleague,
> or even a stranger (to take a photo or whatever), it makes sense to have
> apps with personal information secured when the phone is unlocked.
> What's needed is the ability to individually require biometrics, or a
> PIN, to open certain apps even when the phone screen is already unlocked.

It also can make good sense to be able to give each app a different lock.
> There are Android Apps like AppLock
> <https://play.google.com/store/apps/details?id=com.domobile.applockwatcher

Why would you pick an app with a low 4.3 rating and which contains ads?

> One person was extremely concerned that in order to use Secure Folder on
> a Samsung device you must create a Samsung account. He believed that the
> data and apps in the phone's Secure Folder were somehow stored in the
> cloud on Samsung's servers. This is not how it works! What is stored in
> the Samsung account is solely the ability to retrieve your login
> credentials to the Secure Folder in case you forget them (you would have
> to also log in if you want to change your credentials). Your data and
> your apps are stored on the phone, not in the cloud! However if someone
> is concerned about Samsung providing a way to retrieve their login
> credentials then they can remove their Samsung account after enabling
> Secure Folder (though that would be really stupid) or they can use one
> of several Android app lock apps that don't have such a requirement.
> This person's objection to Secure Folder appeared to be based on the
> fact that the iPhone doesn't have this feature!

The problem is having to have that Samsung account in the first place.
It's no better than Apple or Google or Microsoft requiring an account.

Real security doesn't require an account.