As a Google engineer, it's really saddening to see the Welchism completely taking over Google. There are more than enough examples showing that focusing on the bottom line to increase shareholder value doesn't work in the long run, but it's obvious the current leadership doesn't care.
I’m surprised HTML5 never took off. Browsers ended up regressing on some features like offline apps. Honestly with things like web components, you can bypass a lot of the needed steps to make halfway decent multiplatform applications by relying on a browser engine.
Sure, you could use a React-based app with some of the compilers, but it’s like opening another bag of worms.
Looking at your profile, on the bright side I have heard GCP is still more of a forward-looking unit, and Google Cloud Run, for example, is a pleasure to use, especially for small side projects.
This is an interesting corporate paradox that existed forever. It boils down to this: profit centers are always more frugal than cost centers. With cost centers you can say “you gotta spend money to make money” and PHBs will nod their heads. With established profit centers the most profitable (in the short run) course of action is to cut cost.
I would say this slightly differently. Cost centres are incredibly focussed on the bottom-line costs, but they fight fiercely to defend necessary spend and are not scared of spending astronomically higher amounts to get to a better place long term. Mostly, I believe, because cost centres retain staff and have to have a long-term outlook.
Profit centres, lacking any understanding of costs, are scared to increase them and fixed on reducing them, even when short-term profit destroys long term market share. Mostly because profit centres reward on a short cycle and have high turnover as staff seek bigger profits.
Is this backwards? A cost center is something that (management believes) doesn't make money, only spends it. A profit center is something that (management believes) makes money AND spends it. The former is (in this framing) pure cost, to be cut to the bone, while the latter gets more leeway since it is an "investment". In reality, I think the causality works the other way: stuff management wants to cut is defined as a cost center (requiring cost cutting), while stuff management wants to spend money on is defined as a profit center (requiring investment).
No, not backwards. That’s how it is. I’ve observed this in several companies in the industry, starting with Microsoft. At the time the most profitable business unit was Office, and you couldn’t even get a t-shirt or other swag.
Or just make sure that we don't put too much into place that will get in the way of future disruptors, so that as they slowly fall out of favour due to chasing the bottom line and it eventually affecting their offerings to the point where a critical mass of users seriously look for alternatives¹, there are viable alternatives there waiting to be found. Google and the other entrenched big companies spend a lot of lobbying money on trying to make sure the status quo can be maintained, by raising the barrier for entry into their markets.
----
[1] this takes time: after _years_ of saying I'm going to, I've finally started experimenting with using Kagi for search instead. It also takes _good_ alternatives; a paid option won't be seen as good by many.
And Apple while we're at it. Stuff like adding hardware to their devices to implement their own version of Tile ("Airtag") so that Tile pretty much immediately dies off is just scummy, imo.
At least Google's M.O. has mostly been to make stuff and then just throw it out into the open (with no support). Apple has been the opposite, ingesting the ideas and features of whole other companies without buying them, because they control their own little ecosystem.
Yes, developers can use basic/locked down UWB functionality in their apps, but no they cannot run it in the background constantly like Apple does for their airtags, essentially making it useless.
Is Android just so good there are no major vulns anymore?
Does Apple have a comparable program?
I don't see a reference in the Apple materials about any bounty reward program for Apps vulnerabilities [1]. If this is true, then Google was going above and beyond and is now simply reverting to the mean so they can reduce any potentially excess financial spend. Maybe they don't actually care so much about their users after all? If they were shifting the limited funds to a more effective vehicle, they missed the prime opportunity to mention it (tongue in cheek, because Elgoog doesn't have real resource constraints).
They still have the bug bounty for the Pixel devices. I don't know if they ever had one for the open source Android OS (AOSP), but a bug in AOSP would be likely to affect a Pixel device. The bug bounty that is getting removed is one that Google offered for certain very popular apps in the Play Store. I also see that they have bug bounties for some of the main Google Android apps.
This was a program finding vulns in non-Google apps on Play. A cool idea, but I suspect challenging to operate without teeth making the developers actually update their apps.
Good question, I don't know, but it feels as if their bug bounty service is something that contributes to the level of trust in the apps listed in the play store for which they charge a premium.
Less trust; less money on the line on which to base that trust equates, for me, to a reduced premium for a listing.
Because you used to give a certain % to Google for their service that includes the Security Reward Program. But now that they are shutting it down you get less for the amount you pay for the service.
Wow, $30,000 relative to how much Google was paying seems incredulous. Curious where you all allocate this funding from internally. We consider such a thing soon on our site.
The program was operated through HackerOne (at least the last time I looked at this thing back in like 2018), which does the basic due diligence to address things like this.
Unfortunately it does not work that way. They are meant to be vulnerabilities exploiting Android through the app, not backdoors in the app. It is meant to secure the Android OS, not to secure the app.
There's a separate program for bugs in the Android OS; this program did pay for finding bugs in the app to secure the app. Also, the mitigation for people abusing the program is that they only pay for bugs in popular apps; it's unlikely for a major app dev to be backdooring their code just to try and scam this bounty program.
In the most basic sense - they should be concerned about malicious code because they're busy advertising and distributing those apps for a cut of the profit.
If Google were to say "No more checking for vulnerabilities in FDroid... (or insert other)" I would agree with your take - that seems like common sense. Not their store, not their problem. Same for side-loaded apps.
But that's not what's happening. They're busy selling those malicious/vulnerable apps for a cut of the profit.
Now - Google can be a responsible party here without having this program (there are plenty of valid discussions around whether this was really an effective way to combat malware on their store) - but to recap...
The store doesn't get to absolve themselves of responsibility for the things it's selling.
"It's the store's responsibility not to sell me malicious/defective products". If they can't do that... maybe they shouldn't be allowed to operate that store anymore.
The money isn’t in the apps themselves. App devs pay Google to promote their apps, and Google likely takes a cut of any microtransactions that go through their pay platform.
It's your wall socket, it's your car, it's your organs that need surgery, therefore it's your responsibility to make sure it's electrically safe, mechanically safe, that you do your own surgery correctly, that your boat, etc. Yeah, nah.
On your iPhone, recognizing and accepting the obvious risk that a stranger on the internet is telling you to enter some weird input in your computer: pull down Spotlight and type ""::
iOS is a very buggy operating system; they polish the hell out of the top of it, but its internals are hairy and scary. That first paragraph doesn't represent a security bug, but it's adjacent to many other, more serious problems iOS has had. It's about once every other year we get some wild bug where a complete stranger can text you a specially crafted string of Unicode characters and it crashes the entire OS.
It isn't fair or accurate to say that Android is less secure than iOS in 2024. They both have problems, and both will continue to have problems, but both are significantly more secure than they were 10 years ago, and it's very rare for applications downloaded from their respective official app stores to do significant damage to the user. The correct lens through which to view this policy change is: it was a program which exclusively worked with "major applications", and this kind of program is a responsibility which these major applications should take on, not Google.
Android isn’t less secure but you can definitely screw up Android way more than you can iOS, there are some massive botnets that run purely on Android.