
> Sure, the developer name "Develop App" sounds strange and should I have looked better, the developgameonline@gmail.com developer email and com.acazira.tforbusiness package name would have definitely raised some concerns.

Come on, dude.

I will say that even the most experienced techies among us sometimes become complacent and let our guard down. It's exhausting having to constantly second-guess every application you want to run.

(Not interested in starting another platform flame war, but this is the main reason I don't use Android. I deal with enough paranoia running Windows daily. Maybe I'm misinformed, but I'm also probably not unique in this respect)

I'm curious if this fake TikTok app would probably have been blocked at the outset in the Apple App Store review process because it's trying to masquerade as another business?




Not being an android user and not being familiar with the Play story I might have glanced over "Develop App" having internally misread it as "Developer App" and thinking it was a category, not the developer's name.

Exactly this, it doesn't really stand out. Obviously I wouldn't have installed the app if I would have noticed.

I wasn't trying to excoriate you for your mistake, so I apologize if that's how it comes across.

I did try to modulate the harshness of "Come on, dude" with the rest of my comment. Like I said, sometimes we let our guard down. So it's understandable if you got fooled.

In hindsight there are more red flags in just that screenshot ("More by Develop App", obviously fake reviews to point out just two), but God knows I've clicked through installs for shit apps on iOS many times.


FWIW, given the surrounding context, I interpreted "Come on, dude" as an exhortation for the author to cut themselves some slack. I agree that 100% correct 100% of the time is an exhausting bar to maintain, and one whose requirement we should be working very hard to ease.

I think it's worth pointing out that the difficulty / impossibility of achieving that bar (at least in the general case) is one of, if not the central tenet of Christianity, ostensibly the dominant religion of the West for something like 1500 years. Regardless of one's metaphysical beliefs, it's worth remembering that arguments for the necessity of grace and slack in positive interactions have a long historical precedent, and I find we ignore them at our peril.


No worries, no offense taken.

I still can't believe I fell for this; as I said, I have 2FA on all accounts and I'm normally very cautious. I guess it's a combination of all the factors here at play: Facebook allowing a fake TikTok Ads advertiser, the ad looking very legit (referring to an existing ad credit program), Google allowing a fake TikTok Ads app with fake reviews, and not getting any notifications until the amount was charged from my PayPal account.


I didn't notice it the first time I looked either :-(

Bad spelling and grammar used to be a great indicator of something being amiss, but the volume of it in legit business these days has made me so desensitized that I didn't even blink at this one.


> I might have glanced over "Develop App" having internally misread it as "Developer App"

I bet many thousands of people on HN would have done the same thing.

I think it's an issue with reading comprehension. In general, comprehension seems to have plummeted in the last five to ten years. I send people e-mails asking two questions, and only get the first one answered. People read a headline and think it means something other than what it says. Flamewars erupt online over something that nobody actually wrote, but someone thinks they saw.

It seems to be rooted in the fact that these days people skim text, rather than read what is written. I don't know if it's because of general information overload, or a lack of attention to detail, or if the mindless scrolling of phone apps has trained us that visual impressions of words are good enough.

Or, if I can put on my old man hat, maybe it's just that people aren't as good at reading as they think, and that if people looked at a book half as often as they look at their telephones, they might get some good reading practice.


It is also the case that people aren't as good at writing as they think. I've seen people write pages and pages of text to say a few simple things, fail to separate the important from the unimportant, etc., and then wonder why others don't take 15 minutes out of their busy day to read the incessant, flavorless text until they find the actual point.

A good way to write text where you're going to ask people for stuff is to write it in a top-down manner, where first of all you mention "I want X", then you quickly summarize what exactly you want and why, and then write a more detailed paragraph on the various nuances, always making sure to cut everything down to its absolute essentials.


I really like that style. It's related to the Inverted Pyramid style in journalism, meaning others have thought a lot about how to get important information up to the front of a piece of writing.

https://en.wikipedia.org/wiki/Inverted_pyramid_(journalism)


I didn't know it had a name, thanks!

I learned about this in journalism class in high school over 20 years ago and it's still one of the most valuable lessons I remember from high school. As someone with ADHD, I really appreciate when people follow this style.

Blog articles, especially on Medium, are really bad about this. I've clicked on headlines about an interesting topic only to find the article doesn't even mention the topic from the headline until 2/3 of the way into the article.


> I've seen people write pages and pages of text to say a few simple things

Heh...reminds me of a couple anecdotes from my days in school.

Sometimes as we were being handed back tests/quizzes that had some questions that required a couple sentences to answer, there'd be times where I did exactly that. I wrote only a couple sentences. Meanwhile, I'd glance at the person next to me to discover that they had written two entire paragraphs. I got marked as having a correct answer with only two sentences, so what the hell were they writing about?

Then I had a teacher who, before the final exam, said that every question is able to be answered in four sentences or less. If you write several paragraphs, you would lose points for wasting his time, even if your answer was correct.


> It seems to be rooted in the fact that these days people skim text, rather than read what is written. I don't know if it's because of general information overload, or a lack of attention to detail, or if the mindless scrolling of phone apps has trained us that visual impressions of words are good enough.

I think it is the former. I'm perfectly capable of reading a poem or code word-for-word, but as soon as I'm in my browser something "clicks" and I'm just skimming text. It is usually completely subconscious, but while reading your comment for example, I realized I was only reading half of each sentence.


> In general, comprehension seems to have plummeted in the last five to ten years. I send people e-mails asking two questions, and only get the first one answered.

OMG, this happens to me all the time, and I don't even use email as a primary communication mechanism. It's so frustrating. I think the case is that people are reading and responding to emails on the go on their phone and so don't have/take the time to write a full response.

In the "old days" it was appropriate to answer emails by leaving a partial quote in place and responding below that for each answer. Something changed (I blame Outlook) and now that never happens.


> I send people e-mails asking two questions, and only get the first one answered.

This has been bugging me for at least 10 years, and also extends to IM. If it's IM, I ask one at a time.

If it's email, I either have to ask one at a time, form the two questions into one, or turn it into a sandwich - question 1, question 2, rephrase question 1.

What I really want to do is grab them by the shoulders and shake them, shouting "You saw the second question - yes?!?!"


> It seems to be rooted in the fact that these days people skim text, rather than read what is written. I don't know if it's because of general information overload, or a lack of attention to detail, or if the mindless scrolling of phone apps has trained us that visual impressions of words are good enough.

One aspect is that it's a parasitic efficiency increase. The 80/20 rule applies here; you can answer 80% of the emails by skimming. If you just don't handle, or poorly handle, the 20% of the emails that take 80% of the time, you get a bunch of time back.

I also think that the overload comes from notifications, not general information. We get a crazy number of notifications from our personal devices (and many/most people check them), and during the work day that's compounded with all the systems at work that send notifications. I think that we've subconsciously taught people to work between the notifications. It can feel like if you don't respond to them in real time then you might end up with an insurmountable backlog of notifications to handle, so people have acclimated to handling them in real time. Each time someone responds to an IM, a mental timer starts, counting down how long it is until it thinks the next notification might come. Or, conversely, you're in a notification lull, and you start thinking this is your only time to get anything done towards the sprint, so you smash out fast responses to the notifications you do get, trying not to break your train of thought.

Others may have different experiences, but I get notifications from so many systems and people that it can be overwhelming. And the tools we are offered to manage it suck. Slack's notification settings are better than what I had before with Lync, but they're still lackluster. Email has the best filtering record so far, but it is also by far the most abused by tools.

Some things I would love to see in a chat system:

* Chat and notification filters based on whether the user is a bot or not
* A sane "handle this later" queue or some kind of integration with a task manager to let me click to create a ticket
* A way to communicate busy-ness through my status. Either a level I can manually set, or a system that can guesstimate it (i.e. "curryst has 8 active private chats right now") so we can all gauge whether what we need is that important right now
* Customizable options to batch notifications. I would love it if I could have Slack batch my notifications and just send me one notification per minute that says "3 new messages"

My holy grail is if they would let me write my own functions to determine whether to notify for an event, batch it into the next batched notification, or to not alert at all. Most of these desktop clients are in Electron anyways, just let me pass it a path to a Javascript file that exports functions to filter notifications.


Being an Android user, I looked for the developer's name, saw "Develop App" and thought it was a category and I was just mistaken about where on the page the developer's name was supposed to be. This was all instinctive, I didn't sit down to think about it, though.

It doesn't help that the developer name and category have the exact same visual style, I guess.


The big red flag I saw was that “Tik Tok” is in the wrong font in every screenshot.

> I'm curious if this fake TikTok app would probably have been blocked at the outset in the Apple App Store review process because it's trying to masquerade as another business?

I bet that it is possible to slip through the review process; however, there's also a safeguard on the developer account creation. Apple wouldn't let you create a developer account using vouchers, PayPal or prepaid cards, at least not from countries where scams are commonplace. Also you would be asked to provide documentation of company registration to have an account named “Develop App”.

It is a common theme on HN to trash Apple on its "draconian restrictions" but the reality is that Apple AppStore is a safe place to be. You don't have to study the App before downloading it, you first download then decide if you want to keep it and security is never a concern. The Apple tax is something I am happy to pay for that luxury.

I am a developer and I have no idea what com.acazira.tforbusiness means. What keeps it from being com.toktik.forbusiness?

On the AppStore this is something that you type yourself on the project configuration screen in Xcode, and I don't remember reading any restrictions about it, only a recommendation to use reverse domain name notation to prevent conflicts.


It's not necessary nor useful to create a false dichotomy. The safety of the AppStore may be a reason to have a strict review policy, but it should not become an excuse to abuse that policy. The price tag of safety is certainly some amount of freedom, but it's worrisome that people are learning to accept this without also distinguishing when this relationship is being usurped for other means.

If something simply doesn’t exist, how reasonable is it to assume that it could exist? How am I supposed to differentiate the statement that something could exist from fairytales?

> I don't remember reading any restrictions about it

You can never change it. This is how you get com.toyopagroup.picaboo (Snapchat) or com.yourcompany.TestWithCustomTabs (AccuWeather).


Thank you for sharing. This is hilarious!

Haha, this possibly explains why the accuweather app is not the best made app ever.

This is too funny. Thanks for sharing!


This doesn't preclude there being competing app-stores on the platform, though. I'm glad Apple's is the way it is (overall). And if alternatives popped up I would probably mostly stick with the first-party one. But having an alternate channel means you can circumvent Apple's review process when they're being especially unreasonable, and the competition would probably force them to improve their own offering as well. Everybody wins (except maybe Apple).

I will second this "security as a tax is well worth it" mindset, I'm a programmer, and like to think I'm security savvy, but I CANNOT babysit my non-tech-savvy wife 24/7 and having her on iphone / macbook is a weight off my shoulders as far as appstore security, as married assets are shared assets and the "weakest link" plays in the security arena...

I’m a programmer who has taken graduate classes in Security Analytics, and I have a hard time convincing myself that I’m security savvy.

It’s such a cat and mouse game that has massive jumps in acceleration when it comes to ‘novel’ ways attackers create new exploits.

Having Apple taking it seriously even for people like me is a huge win.


No matter how much you learn, you will still never know what you don’t know. A zero day is by definition something you don’t know, and therefore we recognize that there is some futility in trying to defend against everything that ever was and all that ever will be.

There's a decent case for using anomaly detection in an attempt to solve some zero day attacks. The idea of not knowing what you don't know can be used in such scenarios. I 'know' what looks right, and I won't allow for anything that doesn't look right. That doesn't solve all problems, but can certainly cut down on a large amount of them.

What I did see a lot of, though, in the case studies/readings/etc. was that seemingly any time advancements were made in one area, closing off particular patterns or styles of exploitation, the energy and resources would switch to another domain, and there would be a mad scramble to solve it.

Just my two-cents, and a bit off topic.


> I 'know' what looks right, and I won't allow for anything that doesn't look right.

The way I view it, it's sort of like when a player glitches themselves outside of the boundaries of the level in a video game and is able to bypass all the battles the game has in store for them and walk directly to the objective. Anomaly detection only works if they are playing inside the realm of the system, but if something manages to break out of the sandbox then detection can be bypassed because it was never a condition thought possible and therefore not checked for.

For example, you can have code to detect abnormal HTTP requests, but if there is a vulnerability in a webserver's memory management of reading bytes from a socket then it allows the attacker to "break out" of the system before you can detect it. Now you might be saying, well, we can detect when they breach memory, but it just creates another cat and mouse game at a different level. This all assumes there are no bugs in the anomaly detection systems themselves.
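The two comments above describe allowlist-style anomaly detection ("I know what looks right, and I won't allow anything that doesn't") and its limit: only conditions the model covers are ever checked. The following is an added example, not code from anyone in this thread, that learns a request profile from constructed known-good traffic, flags requests outside it, and reports which request attributes it never inspects, so the blind spot is visible rather than implicit. The service routes, the `Request` type and the sample traffic are all hypothetical.

```python
"""Allowlist-style HTTP request anomaly detector (added example, hypothetical service)."""
from dataclasses import dataclass, field
import re


@dataclass
class Request:
    method: str
    path: str
    body_len: int
    headers: dict = field(default_factory=dict)


# Constructed baseline of known-good traffic for a hypothetical service.
BASELINE = [
    Request("GET", "/api/v1/items", 0),
    Request("GET", "/api/v1/items/42", 0),
    Request("POST", "/api/v1/items", 180),
    Request("GET", "/static/app.js", 0),
]

# Route shapes the service is known to serve (constructed).
ROUTE_PATTERNS = [
    re.compile(r"^/api/v1/items(/\d+)?$"),
    re.compile(r"^/static/[\w.\-]+$"),
]


class AllowlistDetector:
    """Flags requests that fall outside a profile learned from the baseline."""

    # The only request attributes this model ever looks at.
    INSPECTED = ("method", "path", "body_len")

    def __init__(self, baseline, patterns, slack=2.0):
        self.methods = {r.method for r in baseline}
        self.patterns = patterns
        # Largest body seen per method; `slack` allows natural variance above it.
        self.max_body = {}
        for r in baseline:
            self.max_body[r.method] = max(self.max_body.get(r.method, 0), r.body_len)
        self.slack = slack

    def check(self, req):
        """Return the reasons a request looks wrong; an empty list means it looks right."""
        reasons = []
        if req.method not in self.methods:
            reasons.append(f"unseen method {req.method}")
        if not any(p.match(req.path) for p in self.patterns):
            reasons.append(f"path outside known routes: {req.path}")
        limit = self.max_body.get(req.method, 0) * self.slack
        if req.body_len > limit:
            reasons.append(f"body {req.body_len} bytes exceeds limit {limit:.0f}")
        return reasons

    def uninspected(self, req):
        """Attributes present on the request that the model never examines."""
        return [name for name in vars(req) if name not in self.INSPECTED]


def classify(detector, requests):
    """Label each request 'ok' or 'anomaly' in input order."""
    return [("anomaly" if detector.check(r) else "ok") for r in requests]


if __name__ == "__main__":
    det = AllowlistDetector(BASELINE, ROUTE_PATTERNS)
    samples = [
        Request("GET", "/api/v1/items/7", 0),      # inside the profile
        Request("PUT", "/api/v1/items/7", 0),      # method never seen
        Request("GET", "/admin/debug", 0),         # route never seen
        Request("POST", "/api/v1/items", 5000),    # body far above baseline
        # Inside the profile on every inspected attribute; headers are not modelled.
        Request("GET", "/api/v1/items", 0, {"X-Custom": "A" * 10000}),
    ]
    for r, label in zip(samples, classify(det, samples)):
        print(label, r.method, r.path, det.check(r))
    print("not inspected:", det.uninspected(samples[-1]))
```

The last sample is the point of the second comment: every attribute the detector models is within profile, so it is labelled `ok` even though it carries something the baseline never contained. Running `uninspected()` makes that coverage gap explicit, which is the check a defender wants before trusting "nothing looked wrong".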


Apple takes it more seriously than the Windows teams do, sure.

That's not to say Apple is perfect. Their "root"/"" login bypass zero-day was absolutely unacceptable, even compared with Microsoft's problems.

Other than that, I'd trust an Apple device over a windows device any day of the week.


False dichotomy.

Google could up its Play Store review process + not installing from outside the store would result in the exact same security advantages you're talking about, while still letting you install from third party sources if you're a power user.


Google probably could implement similar security. But the problem is as of today, 2020, they don’t.

Yes, but it's not because Android allows sideloading that the Google Play store is poor quality. Apple could allow sideloading and still have a better quality app store.

But until they do the dichotomy isn’t false

That's a key part of the security landscape that many techie users just don't seem to get. Maybe you'd like to be able to run your own code natively without jumping through a bunch of hoops, and distribute code you wrote without it having to be blessed by some megacorp that might not care too much about you. And maybe you're doing nothing but good and useful things when you use those abilities.

But there are a ton of bad actors out there who will also use those abilities to scam and steal. You can stereotype it as only clueless users falling for that, and there's even a little truth to it, but 1. Some are quite good and nobody is perfect, you can still get scammed yourself, and 2. It seems not cool to just write off everybody who isn't a tech expert, throw them to the wolves, blame them for falling for any scams.


> That's a key part of the security landscape that many techie users just don't seem to get.

I get it. And I don't think the threat justifies handing complete control of our computing environments to a single corporation.

> But there are a ton of bad actors out there who will also use those abilities to scam and steal.

Bad actors often set up fake websites. Should computers and phones have mandatory browser filters so you can only go to approved sites?


> Bad actors often set up fake websites. Should computers and phones have mandatory browser filters so you can only go to approved sites?

Well they don't, but browsers do spend an inordinate amount of effort trying to make sure that bad websites can't do anything other than show you things. I'm pretty sure that all of the browser vendors will pay 5-6 figure sums for any exploit chains that would allow a website to do things like read files without permission or execute code on the OS. And people regularly complain about the ever-tightening restrictions on what websites are allowed to do.


That's also the case for apps though, at least on iOS apps are sandboxed almost as well as web sites to my knowledge.

What a false dichotomy. I don't see a problem with the way Microsoft handles it, allowing you to run unsigned apps but only after clear warnings about the consequences and a moderately obscured install button. People ignoring these warnings without understanding them are not being thrown to the wolves, they're consciously deciding to do something they know to be dangerous. Apple's upcoming blocking of anything they don't approve of on macs is not an okay solution to this.

It's the problem of Facebook and PayPal that they have inadequate protections and blame the users for that. I think the issue is of allowing a payment to go through without triggering any security checks. Probably some basic checks should also be done on whether a company publishing an app actually exists.

I wouldn't blame PayPal as much, this is on Facebook in my opinion. Recurring payments are a good thing, we don't want constant re-authorization when the relationship has been established.

Facebook on the other hand should have handled it differently. I don't know how their permission screen for app authorization looks, but I guess it should have a huge red warning sign if it includes a permission to allow the app to spend your money.


The problem is that people are now trained to click popup windows without reading the contents, just to make them go away thanks to brilliant GDPR and cookie law. I am not sure if a huge red warning sign would have helped. People are blind to these things.

I don't know, looking at the other parts the app looks legit, however TikTok asking for Facebook login? That is where I would stop and think for a little bit.

"Sign up for TikTok", "Continue with Facebook". It's literally the first screen you see from the official app, so it's not unbelievable. Social sign in is pervasive.

I've actually stopped using Google's spam filter and started looking into the spam occasionally.

With no data, if one slips through it shouldn't be up to the spam filter if I can be scammed!

edit: that was a particularly bad typo to make. I mean scammed, not spammed :)


So.... False sense of security is OK, just because "Apple". Give me a break...

The gmail address as a red flag yes, but the package name? Nah.

Given that a lot of companies outsource app development to third-party companies that in many cases mostly reskin and extend an existing app that they sell to many clients, a package name that could be from a development shop likely wouldn't cause concern.

Sure Tik-Tok has a significant in-house development staff, but they're focused on the backend and client apps and Sales and Marketing may not have much access to them. It may be much easier for those departments to fully outsource that development to a vertical-market vendor, particularly if it's SaaS and the resulting app(s) aren't integrating with internal systems except via downloaded CSV files.


And literally nothing stops someone from creating a tiktokforbusiness domain and fixing the developer name.

I believe they are saying they didn't NOTICE the "developgameonline@gmail.com developer email and com.acazira.tforbusiness package"; if they had, that would have raised alarm bells. I don't think these are visible on the page without clicking. "the developer name 'Develop App'" is visible, although I don't know how many pay attention to it. They are retrospectively thinking they probably should have thought that wasn't right, and motivated them to look further.

> It's exhausting having to constantly second-guess every application you want to run.

Maybe try to have a sip of coffee before jumping for that $3000. Let's not pretend that this is just ToS fatigue. The only reason they installed this app is for the free money.

So yes, maybe if someone is offering you thousands of dollars, you should consider that to be the time to second-guess what's happening.


Any free app I always look at the developer name. Generic name that looks like it could be trying to mislead? Always a bad sign.

Who gets together and says, "I have the perfect name for a new dev shop: Develop Apps".


> I'm curious if this fake TikTok app would probably have been blocked at the outset in the Apple App Store review process because it's trying to masquerade as another business ?

Maybe this is too risky to do on the Apple App Store because you need to /pay/ for an account to publish on the app store, which means you more or less need to verify yourself. Doing something like this would make it too easy to lead back to you and get in trouble?


The most experienced techies use adblockers which would have completely nullified this scam - OP does not fall into this group IMO.
