Your app is available on Aptoide now (in various versions going back to 1.1.2), but AFAICS it has been uploaded by other people, not you. The latest version (1.8.4) has been there for a week, but has not acquired trusted status. In fact, of the 20 or so versions on Aptoide, only version 1.6.2 has the green trusted mark.
Information about how an app acquires trusted status is on Aptoide’s blog here: “Malware: Gotta catch 'em all!” and here: “Is Aptoide Safe?”. It does make me wonder which characteristics of the app are preventing it passing Aptoide’s tests. Maybe it might be a good idea to reach out to Aptoide about this, and even create your own official store there? It might be good for your brand image, and it would help out Google refuseniks as well.
That’s right, but this link is to a 3-month-old version. The app on Google Play is currently version 1.8.4. This link will show all versions of the app on Aptoide (which are spread across three different stores): https://mondo-uk-monzo.en.aptoide.com/versions. My point is that the situation is confusing, and would be improved if Monzo took control of things, in particular ensuring that the version of the app on Aptoide that matches the one on Google Play was either:
in an Aptoide store that was clearly controlled by Monzo, or:
Assuming I was using this service, what guarantees that this app uploaded by someone else is actually the legitimate Monzo app and not some fake one?
If there’s enough demand for an APK I guess Monzo should just host it on their main site (over HTTPS) - at least you know you’re getting the real deal and not a potentially shady one.
The advantage of using the Aptoide service over an APK download is getting notified of updates. As you say, you need to be confident that the app hasn’t been tampered with though, which is why I’m suggesting that Monzo take it in hand.
There are some people who are running their phones without Google. I think that APK over https from Monzo seems better, as it offers all people access, without distinguishing Aptoide in particular.
If the Monzo app had update notification built in (like Magisk has), then app updates would be visible to users too.
Seems worth the trouble, since some people could have phones with any OS for the Chinese market, where Google doesn’t exist.
This would be a good thing, and I would be happy with this solution too. I do think that it would be worthwhile for Monzo to take control of the Aptoide situation though. The way to do it would be to create their own Monzo store on Aptoide (which could be linked to from their website) and upload the app into it. Also, do whatever it takes to get and keep trusted status for the app on Aptoide.
A lot of the newer “Android” features that Google develop are being kept in the closed-source Google Play Services, rather than the open-source Android. I think this especially applies to a lot of the mapping/location APIs.
Coming back to this thread that I started a while back, I understand the issues to some extent, but I am uneasy about the growing reliance on Google Play Services. At the moment, I am using the Monzo App without signing in to Google on my Android phone, and so far it works fine (I first got the app through Aptoide, I may soon switch to Yalp instead).
Over the coming months I will be looking seriously at SailfishOS (it runs Android apps through the Alien Dalvik runtime). If the Monzo app becomes too hard for me to run, I would rather close my Monzo account and look for alternatives than create a Google account to keep it running. I realise that this makes me an outlier, but I have my reasons.
I wholly agree with this comment. There is absolutely no need for Aptoide support, and third party sources for the APK should be discouraged.
For people running Android without Google, there should be an APK available from https://monzo.com/, over HTTPS and secured using DNSSEC, HSTS, and ideally also HPKP. An in-app notification for updates also solves the update issue.
Some people, including myself, think Apple and iOS are horrible. But this thread is about including Monzo on a third-party service, not whose OS is the best.
Our app relies pretty heavily on Google Play Services, which is why we’ve elected to only make the app available in the Play Store.
You can have Play Services installed but not have a Google account set up. This only means no access to the Play Store.
The idea of hosting directly on the Monzo site has its merits, but has the fatal flaw of not allowing automatic updates.
This really needs a solution. Those of us without Google accounts are stuck using older versions with no guarantee of authenticity.
For some apps this isn’t much of a problem but obviously a banking app is different.
I would dearly like to see pakman’s suggestion implemented. For a bank with hundreds of thousands of customers, that is exclusively accessible via an app, it surely isn’t all that much to ask that Monzo deploy updates to somewhere other than the Play Store?!
For the tiny number of people who would use them it’s not worth Monzo risking their reputation if one of those sites got a virus-laden/fake version. There’s really no case for uploading an app outside the Play Store, where there’s very careful checking, both automated and manual.
The Amazon app store is the only one with any reputation close to that… and it’s debatable whether it’s worth spending any time uploading to that as so few people use it.
Aptoide clearly doesn’t do any checking as they allowed a third party to upload a copy of the Monzo app without permission. That’s basic. If they’re not even doing that then that’s a huge red flag to stay away. It might be unmolested this week (you have no way of verifying that)… but you’re letting this thing do automatic updates - the one tomorrow might empty your account.
On the Monzo site is possible but really why? I doubt it’s even 1% of Android users without a Play Store account.
The Google Play Store is just one app store amongst several that makes some effort to catch malicious apps. It doesn’t look to me as if Google has any special fu though:
Make sure that you read the second half of the first article for a brief round-up of this year’s Play Store malware infections. There’s plenty more discussion about all this out there. “Google Play Store malware” makes for an interesting internet search…
As for installing without a Google account, my current compromise procedure is:
Install F-Droid
From F-Droid install Yalp
Use Yalp to install apps from Google Play Store without a Google account.
Might I suggest that you take a closer look at how Aptoide works? (Including the links that I posted when I started this thread.)
Aptoide is a collection of stores: anyone can set up their own and put whatever apps they want into it. Having said that, the main Aptoide store (called “apps”) is curated by a combination of automated and manual processes: your assertion to the contrary is factually incorrect. From time to time I have requested that Aptoide upload an app from the Google Play Store, and in a couple of cases they have refused because they have identified the app as problematic in some way.
If you have any evidence that the Aptoide checks are weaker than the Google ones, please provide some references.
It is true that installing an app from an Aptoide store other than the “apps” store may be risky and should be done with caution; however, Aptoide run checks on all uploaded apps to all stores, and award “Trusted” status to the ones that pass their checks.
Play Store malware is pretty rare and anything that does get on there (you can’t prevent determined attackers really) is found and removed quickly. In the case of the first link, 3 days. And it won’t get back on either.
It’s actually hard to get things on the Play Store sometimes because the bots are really sensitive and flagging things that are otherwise innocent - the manual review process is a pain (but necessary).
Aptoide clearly didn’t do any basic checking on the Monzo app as the people who uploaded it were not Monzo, thus should not have been allowed to do so. They in fact allowed two different people to upload the same app without checking.
They are not a legitimate site - I give you exhibit A: https://en.aptoide.com/store/cracked-apps-4-you - took 3 seconds to find that… apparently all their ‘automated and manual checking’ completely missed it… hmm…