The question of how private property, intellectual property and posession/ownership should work is indeed something humanity hasn't properly figured out yet.
But if anything, regular people should have more of the cake.
We have! The only problem is a very limited amount of legal decisions accidentally paved the way for a massive dystopia. In particular, the first sale doctrine [1] solves everything immediately.
The courts assumed good faith with a licensing exception, and maybe it was. But that opened the door to essentially completely dismantle the first-sale doctrine. Get rid of that loophole and all this stupidity ends, immediately. Well that and the DMCA. Once you buy something, it's yours to do whatever you want to do with it short of replicating it for commercial benefit.
Not always. There have been car manufacturers that sold vehicles with features only enabled by a subscription. You may buy a car with heated seats, but the heated seats only work if the manufacturer enables them.
That's not what it's ever actually about. You're buying a disingenuous framing that pins blame on the bottom when all these harmful trends come from the top. This isn't to protect grandma, it's to protect Google. This is always what happens when you allow pockets of power with interests misaligned from those of most people. The pockets of power get their way, and people are worse off.
Of course it's a disingenuous framing. A certain kind of person is both attracted to power and deathly afraid of people voicing unapproved opinions "outside their kitchens".
That said, such things need a semblance of legitimacy to work. It'd be much harder to crack down on general purpose computing under the guise of safety if we had cultural antibodies agains safetyism in general.
It's just not possible to prevent mistakes while letting people color outside the lines. Most brilliant ideas look like stupidity at first. I want to live in a world that biases towards discovery over safety.
That doesn't make sense. How do meet your own needs and desires if you can't use your own property the way you want?
And isn't the point in this very situation that people simply can't buy what they want because Google and Apple are a duopoly and now Google is going to follow the path of restricting what you can do with your own property?
If I were in the 0.01%, savings wouldn't be a thing. I wouldn't even need a home. Just go around staying wherever I like for as long as I like doing whatever I want. I wouldn't really care about what google or apple does with their devices, who attacked or defeated whom and all that bs because I wouldn't be in survival mode.
At least this is probably how people in charge of enshittification think like.
If this is a thing then the solution they offer is incorrect. A big giant red screen: “warning the identity of this application developer has not been verified and this could be an application stealing your data, etc” would have worked.
What they want is to get rid of apps like YouTube Vanced that are making them lose money (and other Play Store apps)
> What they want is to get rid of apps like YouTube Vanced
I think it is also very telling where they're rolling out first. Brazil, Indonesia, Thailand, and Singapore.
It felt weird that the official press release was quoting entities from these countries, as if it should give confidence to the rest of the world. I can't imagine what these countries would want with apps that can be traced back to a government id...
Vanced and such is more of a First World/Western issue. I don't think you're wrong but I got a strong gut feeling there's other pressures in the works. Just something doesn't smell right...
In addition to the other perspectives already offered here, warning screens such as the one you propose were already shown for sideloaded apps, and these screens worked against Google in their lawsuit with Epic Games. So that's another contributing factor for the policy we're discussing.
This is something laughable that Apple does. Anytime you install something from Github it'll make you click a few extra boxes. And their tightening down of things also ends up making people look for third party software in the first place. All this really does is, like you said, teach people to ignore warnings.
The way we allow paternalistic tech companies to train the consumer to abdicate personal responsibility is going to bite us in the ass sooner or later. I'm betting on sooner.
This is really bad. I think that most people on HN will agree with that.
The problem is that most normal people (HN is not normal - mostly for the better) don't even understand what sideloading is - let alone actually care.
How can we fix this?
(aside from making people care - apathy enables so many political problems in the current age, but it's such a huge problem that this definitely isn't going to be the impetus to fix it)
This certainly won't solve the problem, but I would at least like to banish the term "side load", which is a kind of Orwellian word that takes something everyone used to do all the time and makes it sound obscure and a bit nefarious. Maybe we, the tech literate, can start calling sideloading a "free install" or something. When asked, we can clarify that the 'free' stands for both freedom, and not paying middlemen 30%.
This is a great point. Not sure if it’s possible, would be great if there was some way to reclaim the notion of installing software as a general practice, regardless of whether a computer is “mobile” or “desktop”.
Like people still download software packages from the web on Windows, MacOS, and Linux… right? Maybe hard to grasp for the kids that grew up with tablets with no notion of a file system, idk
People install games from Steam or the Epic Store on their computers without Microsoft preventing that or taking a cut all the time (not for lack of trying. I know). But somehow, in the mobile world, we went with total lockdowns and platform extortion as the rule?
Valve has managed something similar with SteamOS as well as Proton built on Wine to make Windows games run on Linux, performing as good as or often better than an actual (modern) Windows install.
I had to do some light research on Wiki, but it looks like Firefox OS was supposed to fill part of this void. Sadly, it was not successful, and the project lost funding and support from Mozilla. I think if Mozilla could not do it, it seems hard to imagine there is an open source org with more talent and money than Mozilla who can make it work.
Sailfish tried and failed. Various Linux distro also tried and failed even harder. Consumers at large just aren't interested in anything other than iOS and Android.
Users need a new feature or a new power to justify transition. Learning of new OS is not free. Someone should reuse Android UI, but upgrade the OS to full Linux.
I agree with you idealistically, but practically, creating an entirely new mobile OS with market share competitive with the existing two is an unbelievably massive challenge. It'd probably be just about as easy to get people to care about sideloading in the first place.
Remember how Android used to be an open source project and how we had Google backing AOSP? I think it's time we we maintain the latest fork and just use that instead.
Is AOSP no longer a thing? I've been using GrapheneOS for a few years and admittedly lost track of AOSP, I just assumed it was still a thing despite Google generally wanting to control more and more.
We used to have strong consumer protection advocates on both sides of the Atlantic, and those consumer protection advocates used to influence laws and regulation which forced corporations to stop doing anti-consumer stuff like this. Those days can return with enough organized labor and solidarity among the working classes.
This is also no long term solution. GrapheneOS can't diverge from Google android to much, otherwise modern apps stop working. And Google will definitely go for alternative roms next.
I agree that this is a horrible step in the wrong direction but in terms of the solution I have a different take.
I don't think that making "normal" people "care" about sideloading is the answer, because a) it's impossible and b) political change doesn't happen through "normal" people anyway, all political and regulatory change is driven via smaller and motivated groups of people.
The problem is fundamentally that there's a duopoly on mobile OSes that has tons of market power and if they want to dictate a change like "you can no longer install unapproved software," they can just do it.
The solution is to walk away from that duopoly, to suck it up and just stop using their products. We fortunately are able to do this (for now) on desktop and running Linux in 2025 is better than it's ever been, and more people are doing it.
To get Linux or some alternative on phones is a big task, and if you make the switch you're going to lose a lot. But most of what has no desktop equivalent is addictive social media garbage that you should get rid of anyway. The biggest thing I'm concerned about is the state of banking and OTP/2FA.
I think we need to fight for universal electronic access to the financial system as a right without a need for gatekeepers like Apple or Google. In some countries it's already the case that at many businesses you must use your phone to make payments, cash is gone, cards are dying, and you must therefore agree to Apple or Google's rules to use your phone. This is truly how freedom and democracy will die if we allow it. This is way bigger for "normal" people than technical concepts like sideloading. People on the left should inherently understand the importance to liberty of having the right as an individual to buy and sell without some megacorp's permission. For people on the right, well, remember the Bible's "Mark of the beast..."
Secondarily we need to fight for the enforcement of anti-trust laws, which half of HN doesn't seem to even know exist, or feels are in some way unfair, even though they are the cause of these problems. Government needs to reach in and rearrange markets that are dominated by one or two players, it needs to forcefully restructure those companies so that they lose their market power and can no longer force citizens to obey their will. We've done it before, such as ending company towns where you were forced to use the company's scrip at the company's shop to buy living essentials. It's worked, we need to do it again.
I can do banking and otp at home with a 100 Euro phone that I use only for that. FB, TikTok, Instagram, etc, neve ever installed them on my devices.
The problem is that I want to make calls, SMSes, use WhatsApp and Telegram, Maps and OSMAnd, NewPipe, VLC, Syncthing and a few others on the phone I carry with me.
And to make matters worse I don't want a huge, thick and heavy brick like every Linux phone I read about. I'm on a Samsung A40 now and it's not easy to find a replacement with similar size and weight.
Telegram's clients are open-source, and there's plenty of non-official ones, but for other proprietary messengers you're SOL.
Hard to believe at this point that these messengers used to use open standard protocols, and you could send messages from Google Talk to Facebook once.
> most normal people... don't even understand what sideloading is
Actually, they understand it just fine. The concept is very simple too.
Before this change you could install Android apps without registering your passport/driving license with Google.
After this change you will have to tell Google your real name and home address to install anything on your Android device. This is all. It can take a convoluted form of registering Google account or a more direct form of sending Google your identity documents to confirm "developer privileges". But you will no longer be able to use non-hacked Android devices to install anything without doing those steps.
P.S. I recall that some people still believe that they can create Google account without giving Google your personal details, phone etc. This is simply a self-delusion. If Google does not immediately demand you to cough up a phone numbers under pretense of "suspicious activity", that's because they already know who you are (you probably told them yourself by registering another account elsewhere).
No, "burner SIM cards" aren't real. This is just another form of self-delusion, — this time architected by US security agencies. You don't become anonymous by using those, you become watched.
Define "normal people".
Due to Chinese phones and sanctions and other geopolitical bullshit a significant part of the world is forced to use alternative app stores already. Yes, these people are very aware of "sideloading". (Due to Google's own previous moronic foot-shooting policy.)
turn people onto sideloaded apps. show them Revanced and NewPipe, show them system-wide ad blockers and bloatware removal and every other thing Google doesn't want plebs to use.
people don't care about "apk side-loading," they care about apps. hook them on forbidden apps, and they'll raise hell when they can't side-load them anymore.
Personally...we all know the Play Store is chock full of malicious garbage, so the verification requirements there don't do jack to protect users. The way I see it, this is nothing but a power grab, a way for Google to kill apps like Revanced for good. They'll just find some bullshit reason to suspend your developer account if you do something they don't like.
Every time I hear mentions of "safety" from the folks at Google, I'm reminded that there's a hidden Internet permission on Android that can neuter 95% of malicious apps. But it's hidden, apparently because keeping users from using it to block ads on apps is of greater concern to Google than keeping people safe.
> we will be confirming who the developer is, not reviewing the content of their app or where it came from
This is such an odd statement. I mean, surely they have to be willing to review the contents of apps at some point (if only to suspend the accounts of developers who are actually producing malware), or else this whole affair does nothing but introduce friction.
TFA had me believing that bypassing the restriction might've been possible by disabling Play Protect, but that doesn't seem to be the case since there aren't any mentions of it in the official info we've been given.
On the flip side, that's one less platform I care about supporting with my projects. We're down to just Linux and Windows if you're not willing to sell your soul (no, I will not be making a Google account) just for the right to develop for a certain platform.
It's never about security (at least not user's security). It's like you pointed out only about power and locking in customers. They don't care if your phone gets hacked or you bank account drained. They care about the bottom line. Android is fine. Google should have 2 layers if they're worried playstore 1 has only well vetted authors and apps. playstore 2 can be the free for all (mostly) of the current store. These could be two different apps or prominent tags. Choice is good, lock down is bad. Corporate does not like employees or customers to have freedom, that's why it's our duty to fire people like the current US regime who always side with corporations over customers.
The thing is that people sideloading good non-malware apps because they want to is also a thing, and all kinds of icky apps that abuse permissions but are still verified and installed through the Play Store are also a thing. This doesn't really change what is a thing. It just moves more stuff under Google's control.
security is the "Save the Children" of technology. It's not that there isn't a theoretical thing there, it's that in the real material sense, the actual actions taken are power grabs for control and suppression.
> Attackers convincing users to side-load malware is a thing.
Sure. It’s also not Google’s problem.
It’s not Victorinox’s problem of someone uses a Swiss Army knife to cut someone else. It’s not Toyota’s problem if someone deliberately runs over a pedestrian.
Car companies do care if their cars are easy to break into and will improve the security of newer models, even if any particular theft is not their fault.
If they don't do that then their reputation will suffer and governments might take notice. So, in practice, big companies do have to care about their users, not individually but in aggregate.
That's a bad analogy. No one is complaining about Google providing Android security updates.
This is like a car manufacturer preventing the installation of all unapproved aftermarket accessories by claiming they're protecting you from a stalker installing a tracker on your car.
I don’t actually think it’s that bad. If all of a sudden we started hearing an awful lot about Android phones having viruses, to the point where almost everyone had a friend who got a virus on their android. I think the market would actually shift. We’d probably see more people moving to iPhones.
> Car companies do care if their cars are easy to break into and will improve the security of newer models, even if any particular theft is not their fault.
Didn't Kia go over a decade without caring or improving until the Kia Boys stuff?
> Every time I hear mentions of "safety" from the folks at Google, I'm reminded that there's a hidden Internet permission on Android that can neuter 95% of malicious apps. But it's hidden, apparently because keeping users from using it to block ads on apps is of greater concern to Google than keeping people safe.
You've never needed the internet permission to exfiltrate data. Just send an intent to the browser app to load a page owned by the attacker with the data to be exfilled in the query parameters.
It'd launch the browser app. You can have your evil page redirect to a benign page so it just looks like Chrome randomly opened or whatever. It is not as powerful as full network access as you can only send so much information in query parameters, but if you are doing some phishing or stealing sms 2fa codes or whatever then it is plenty to send back whatever payload you wanted to.
And of course basically every app requires internet permissions for ordinary behavior. The world where an explicit internet permission would somehow get somebody to look askance at some malware that they were about to download is just not believable.
> had me believing that bypassing the restriction might've been possible by disabling Play Protect, but that doesn't seem to be the case since there aren't any mentions of it in the official info we've been given.
I don't think we can know for sure before the change is actually in place. Going through Play Protect would certainly be the easiest way of implementing this - it would be a simple change from "Play Protect rejects known malware" to "Play Protect rejects any app that isn't properly notarized". This would narrowly address the issue where the existing malware checks are made ineffective by pushing some new variant of the malicious app with a different package id.
It's a big change for the ecosystem nonetheless because it will require all existing developers to register for verification if they want to publish a "legit" app that won't be rejected by any common Android device - and the phrasing of the official announcements accurately reflects this. But this says nothing much as of yet about whether power users will be allowed to proactively disable these checks (just like they can turn off Play Protect today, even though very few people do so in practice).
There's a reason Google is targeting a few specific countries with this first. Malware from APKs downloaded from the internet is more prominent in some countries than in others. The governments themselves are asking for this because educating the public has turned out to be an impossible task for them.
Still an awful solution that will get bypassed easily, of course. But there's more to this than "Google decided to be a bunch of dicks today".
> This is such an odd statement. I mean, surely they have to be willing to review the contents of apps at some point (if only to suspend the accounts of developers who are actually producing malware), or else this whole affair does nothing but introduce friction.
Requiring company verification helps against some app pretending to be made by a legitimate institution, e.g. your bank.
Requiring public key registration for package name protects against package modification with malware. Typical issue - I want to download an app that's not on available "in my country" - because I'm on a holiday and want to try some local app, but my "play store country" is tied to my credit card and the developer only made it available in his own country thinking it would be useless for foreigners. I usually try to download it from APKMirror. APKMirror tries to do signature verification. But I may not find it on APKMirror but only on some sketchy site. The sketchy site may not do any signature verification so I can't be sure that I downloaded an original unmodified APK instead of the original APK injected with some malware.
Both of these can be done without actually scanning the package contents. They are essentially just equivalents of EV SSL certificates and DANE/TLSA from TLS world.
> Typical issue - I want to download an app that's not on available "in my country" - because I'm on a holiday and want to try some local app,
The solution here is just to get rid of artificial country limitations which make some users download APKs. None of those make sense in the online world anyways.
<< we will be confirming who the developer is, not reviewing the content of their app or where it came from
To be honest, it almost makes me wonder if the issue here is not related to security at all. I am not being sarcastic. What I mean is, maybe the issue revolves around some of the issue MS had with github ( sanctions and KYC checks ).
Google also used to show you which apps used Internet permission in Play Store. But they removed it, which makes it harder to notice which apps don't use it.
Google mostly doesn't let you deny permissions while running apps that require them; recently there's some permissions that you can pick at runtime. So it's not suprising that they don't let you deny this one, when they don't even show it in the store.
> Every time I hear mentions of "safety" from the folks at Google, I'm reminded that there's a hidden Internet permission on Android that can neuter 95% of malicious apps
Of that they still refuse to sandbox the play store.
It's easy to see that there's a pattern on what they are copying from GrapheneOS.
> But it's hidden, apparently because keeping users from using it to block ads on apps is of greater concern to Google than keeping people safe.
The internet permission has nothing to do with ads? It's a hidden permission because:
1) Internet connection is so ubiquitous as to just be noise if displayed
2) It's not robust, apps without Internet permission can still exfiltrate data relatively easily by bouncing off of other apps using Intents and similar
It absolutely has to do with ads. While there are various ways to exfiltrate small amounts of data, the non-collaborative ones are rarely silent and most importantly, they won't let the app get responses (e.g. ads) back.
The main thing this permission would be used for would be blocking ads. Also distinguishing shitty apps that are full of ads from those that aren't. If there is a calculator that needs Internet and one that doesn't, which one are you going to use?
> The main thing this permission would be used for would be blocking ads.
This permission has existed for longer than runtime permissions. You have never been able to revoke it, it was just something you agreed to when you installed the app or you didn't install the app.
It was "removed" in that era because if every app requests the same permission, then nobody cares about it anymore. When every app asks for the same thing, users stop paying attention to it. So no, it had fuck all to do with ads because that was never a thing in the first place. And ad blocking doesn't require this permission, either.
> Also distinguishing shitty apps that are full of ads from those that aren't. If there is a calculator that needs Internet and one that doesn't, which one are you going to use?
You can still use it for this. Apps are required to declare the permission still, it's listed on the Play Store under the "permissions" section. Similarly the OS reports the same thing. Presumably F-droid or whatever else also has a list of permissions before you install, and it'll be listed there.
Although Google's own Calculator app requires Internet permission. Take that for what's it worth.
> 1) Internet connection is so ubiquitous as to just be noise if displayed
That doesn't make it any less useful.
> 2) It's not robust, apps without Internet permission can still exfiltrate data relatively easily by bouncing off of other apps using Intents and similar
I've heard claims that the Internet permission is flawed, yes, but I've never managed to find even a single PoC bypassing it. But even if it is flawed, don't you think Google would be a bit more incentivized to make the Internet permission work as expected if people could disable it?
> I've heard claims that the Internet permission is flawed, yes, but I've never managed to find even a single PoC bypassing it.
Uri uri = Uri.parse("https://evildomain.com/upload?data=DATA_GOES_HERE);
Intent i = new Intent(Intent.ACTION_VIEW, uri);
startActivity(i);
Happily uses the browser app to do the data send for you. Requiring apps to have all the permissions of the recipient of an Intent before being allowed to send it would be a catastrophic change to the ecosystem.
The effect of this would be to make all apps request all permissions because even if you are just using some other app for a particular feature you need, you have no control over what other permissions they might add which would suddenly break any intents you send them. The only defense would be to request everything.
You could very specifically ban ACTION_VIEW intents for web URIs from apps without an internet permission I guess. But does banning apps from linking to the web (to be opened in browsers) really seem like a good idea?
Similar changes have been done before, the security sandbox behaves differently based on the app's minimum/target API level for backwards compatibility.
That's also why there's a warning before installing really old apps, they may run with extra permissions.
I mean, I just did a quick look over the installed apps on this phone and ~1/4 of them would work perfectly well without an internet connection, things like a level or GPS speedometer that use the phone sensor or apps for Bluetooth control of devices [like 0] . Why would something like a bubble level app need internet access for anything besides telemetry or ads? I realize I have way more of these types of apps than the average user, but apps like this aren't a super-niche thing that would be on 0.1% of devices.
I just tend to give Google little benefit of the doubt here, considering where their revenue comes from. Same as when they introduced manifest v3, ostensibly for security but just conveniently happening to neuter adblocking. Disabling access to the internet permission for apps aligns with their profit motive.
There's plenty of actually problematic stuff Google does (like this change in the article), there's no need to make up whack ass conspiracy theories, too.
The internet permission is the only regular manifest permission you can't toggle in the settings. It is an obvious win for an advertising/surveillance company like Google. What is wack about it?
> The internet permission is the only regular manifest permission you can't toggle in the settings.
That's not even a little bit true? There's a ton of 'normal' permissions, almost none of which are user-overrideable. Like, say, android.permission.VIBRATE. Or android.permission.GET_PACKAGE_SIZE. Android has an obscene number of permissions ( https://developer.android.com/reference/android/Manifest.per... ) and almost none of them have a UI to control them nor any ability to be rejected
> It is an obvious win for an advertising/surveillance company like Google. What is wack about it?
How, exactly? How does Google benefit from random 3p apps having Internet access? And remember, Google has play services on every device to proxy anything it needs/wants.
Huh? Not sure how this qualifies as "whack ass". There's an internet permission built in to the OS that Google chose to not expose to the user. The parent poster was claiming there is no reason anyone would want that permission, I then pointed out a whole category of apps that don't need internet to function for anything besides ads and telemetry. All of this is factual info.
So rather than just dismissing the argument via insulting language, can you provide a reasonable alternative explanation for why this setting isn't exposed to the user?
The internet permission is exposed to the user, it just can't be revoked by the user. But that's true of like 100 other permissions, too. It's the default case that permissions are not revokable.
And I did provide 2 reasons why that's the case for Internet specifically, neither of which were even attempted to be refuted in this comment chain
I would really like to deny internet access for apps like mx player. The frequency of ads on that app once Times group bought is the worst I've seen in my entire life. One of the best video players on Android, ruined.
Some chinese skins do offer the ability to revoke internet access for apps. I wonder why the western ones don't?
The worst part is the Orwellian opening sentence they start with in their blog post [0]:
> You shouldn’t have to choose between open and secure
2+2=5
Truly the end of an era. I've spent nearly two decades buying Android phones because of a single checkbox in settings that let me have the freedom I consider essential to any computing device that I own.
In a way, it's liberating, I've missed out on a lot from the Apple ecosystem because of that checkbox. Maybe finally I can let go of it now the choice is out of my hands.
Very much my exact feelings. I had the first Android phone ever and even wrote my own APKs and enjoyed the freedom of the mobile platform that let me install my own software. But it's been close to 20 years and maybe it's time to check out the other side, as much as I despise Apple's locked down ecosystem.
I'd sooner get a Chinese phone that isn't "Google-certified" than reward this behaviour by giving $1000+ to the DRM OGs at Cupertino. Neither Apple nor Google are protecting users against the alleged data-stealing evils of Tiktok, so how exactly are they providing any kind of "user safety" by throwing up fees and red tape for small independent developers?
Just a note for readers that the Jolla C2 cellular modem only supports European bands, so if you're in the US you're out of luck on that front until they release a new model.
I used it as my first phone some 10 years. I type this message on one. I like their perseverance, but the truth is it's declining in practical usability.
Edit: In EU, so (lack of) bands are not an issue for me.
Yes, I was checking this out! Sailfish with Android compat seems very compelling. The videos I saw on youtube showed a bit less polish than I'd prefer, but I'd be OK with that. But then I read up on the manufacturer they partnered with. Reeder, I believe? I ended up looking up some other devices they made and there seems to be build quality problems...I haven't seen reports like this for the Jolla C2, though, so I still might be tempted to purchase one just to see how it drives. Thanks for the recommendation!
For what conceivable reason would they make the users go on desktop, considering mobile is in the process of being fully locked down?
If anything, they'd eventually deny access from desktop, forcing everyone to login via the fully manages mobile devices without any user freedom.
Some banks are already getting there btw, as their preferred 2fa is a companion app... One small step away from making that the only option, effectively denying access to anyone without a locked down mobile device.
It's already that way in my country. The few banks that still have the web version only support it for their business clients, and it's only something like two or three banks. If you're a regular client, there's not a single bank left that you can still use without a smartphone (unless you're ready to visit a branch for every little thing — so pretty much daily).
My bank’s app doesn’t even work or even install on my phone because the bank considers my phone too old. So if they suddenly required the app to log in, I simply wouldn’t be able to bank with them. So they would lose my checking, investment, and HSA business when I move to another bank.
I think they worded that poorly, but didn't mean what you got from it: the point I'd take isn't that they will require you to have a desktop, but that even desktop will also have the same restrictions, so it isn't just a mobile problem.
What gp is saying is that to access banking form desktop will require an approved OS and attestation just like on mobile.
The current state of affairs is that an approved OS and attestation are only required on mobile but not on desktop
Actually my bank already requires me to use the phone app for any operation on the website. When I want to login from my laptop I need to use my phone with their app to approve the login, same for almost any operation.
Ah, and it can only be installed in one device at the same time :D Don't have your phone available? Bad luck for you
> can only be installed in one device at the same time
I neither like nor understand this restriction. It makes device failure / loss / theft a much more difficult experience to recover from than it would otherwise be. The device should be throwaway. I specifically keep old phones in case something happens to the new one.
WhatsApp is probably the stupidest example of only being able to be on a single device (but I'm forced to use WhatsApp for one specific purpose, so I already resent it). Signal does the same thing, so maybe it's related to the E2EE that WhatsApp licensed from Signal...
I use the Signal fork Molly to get messages on multiple phones. One remains the primary and the others linked, but I get messages even if the primary is off.
I have a huge problem with companies using their own apps for 2FA.
Google started doing this for Gmail. To use Gmail on my laptop, I need to approve it with Gmail on my phone. I never signed up for this. I’m now afraid if I delete the Gmail app from my phone that I’ll lose access to my email.
I hate the direction “security” is taking us. It’s done in the name of security, but it feels more like blackmail to get and keep the company app on your phone.
Is that a thing Google logins can be set to require? I _can_ use the Gmail app on a device for 2FA, I can also press "try another method" and use any 2FA app.
i do like how many apps are starting to play nice with 3rd party authenticators. i use ms authenticator for a bunch of things. Although knowing MS it has some massive license fee for them to support.
De facto, this is already the case - you can use your computer as a display but to actually authorize a login or transaction you need your phone with said attestation.
True for PayPal though. I just recently had to jump through seven different hoops to verify my ID (with creepy, creepy face scans) and they absolutely refused to even start the process on desktop. Eventually got the stupid thing to work on my iPad; Android+Firefox was a no go, and it's stock Pixel 5a with Google OS.
Thankfully I don't actually rely on PayPal for anything serious, but there are artists whose commission I like to pay, and being able to actually pay them would be nice. :/
For logins, at least, they support passkeys on the desktop as well, so long as the browser does it. Which basically means Win11 or macOS, either some Blink-based browser or Safari.
I'll just have to disable it and choose a banking app that works on the browser. Tonnes of my apps are sideloaded. Quite a few are on the playstore or the dev might upload their details.
I never really got into "phone" progrmaming, always waiting for the shenanigans to die down. But somehow the shanigans have gotten worse and for a significant chunk of the world population, the phone is the only computation device they have at all.
I never got into it because I was convinced developers would refuse to give up control over distribution when Apple started doing it. I wish I was right, but here we are.
Developers sometimes seem to be as in control as farmers are of the distribution of their produce. There's no absolute rule that gives the owners of large scale distribution networks power over both producer and consumer. It's just laws of convenience. It's easier for everyone to go through a few or just a single common broker.
There's no law against a more democratic way to implement the broker either but it requires interesting methods of coordination and/or decision making that doesn't seem to exist yet?
It limits choice. I don’t have any experience building mobile apps because I didn’t want to buy into an unfair ecosystem. That means fewer mobile apps even if distribution networks change tomorrow.
> I don’t have any experience building mobile apps because I didn’t want to buy into an unfair ecosystem
Seems like it wouldn't be much of a stretch to compare that statement to not starting a business because the economy is unfair. People indeed don't start businesses when the bureaucratic or tax overhead outweighs the financial benefit, but nobody loses sleep over an individual's hypothetical missed opportunity to learn a new skill but them. Doesn't matter to the platform owners unless it also stops being profitable, so it's their job to maintain the profitability for their ecosystem despite whatever barriers they put up.
> There's no law against a more democratic way to implement the broker either but it requires interesting methods of coordination and/or decision making that doesn't seem to exist yet?
It's not enough to not have a law against it, we need to have and enforce laws requiring it.
Some developers did. Others, who didn't care so much, got into the app store instead, and got rich off it. Users didn't care about such principles and mobile-first has been a viable strategy for a long time now. Not having something of an app is a problem if you want to stay in many markets.
Developers want a stable, secure platform where they can reach customers that trust the platform and are willing to transact. Everything is downstream of that, including any philosophy around control.
Developers are businesses and the economics need to work. For that, safety and security is much more important than openness.
Oh! Classic Survivorship bias. You're only looking at the devs who went into business in the phone ecosystem in the first place. I'm thinking that they're there despite the barriers to entry ('shenanigans'), and the ones you encounter happen to be those who happen to place a higher value on 'other values'. As the ecosystem gets locked down more, this effect becomes stronger.
Meanwhile, you're not looking at those who left, or those who decided to never enter a broken market dominated by players convicted of monopolistic practices.
This seems much more intuitive than a hypothesis where somehow people would prefer to enter a closed market over a fair and open market with no barriers to entry.
Remember, monopolists succeed because they are distorting the market, not because they are in fact the most efficient competitor.
You now need to have an online account to setup and login on a Windows desktop. It's obvious what the trend is and it's not allowing consumers control over their stuff.
Just look up how to skip the "OOTB (out of the box) experience" and you can still bypass having to set up a cloud account on Windows 11 and can just set up a local account like normal. :)
I have been a computer user, developer and a system administrator for longer than I care to recount. I don't like Windows and I don't use it at work or home. But I do encounter it from time to time, and the experience is worse each time. The last time it happened, I couldn't figure out the way to skip/bypass the cloud account set up. Would it have been possible if I tried harder, starting with a web search? Perhaps. But there is no way an average system user is going to have the patience or often the skill necessary to do it. I'm not challenging their intelligence. But people have other priorities than to jump through a dozen hoops just to preserve privacy. I would do the same if I had to set up a Windows system for urgent work.
These sorts of hurdles exist to push more and more users to their favorite workflow until the dissenting voice is too feeble to notice when they finally pull the plug on the straightforward method. The intent is certainly there, since they are quite evidently boiling the frog. Just wait for the fine day when you wake up in the morning to see an HN story just like this one about Windows login as well.
The Nazis were initially quite squeamish about taking the lives of innocent civilians. It was in 1939 that a Nazi supporter wrote to Hitler requesting permission to euthanize his severely disabled infant son [1], who he described as 'a monster'. Hitler send his personal physician Karl Brandt to Leipzig to assess the situation. Upon confirmation, Hitler personally authorized Brandt to arrange the euthanasia, with the promise to protect him legally. Don't forget that these were the Nazis, the original.
Once that happened, they gradually tried the idea with other disabled children, eventually progressing to deceiving the parents to get the permission. Then it got extended to teenagers and eventually adults, including disabled war veterans. Then there was a backlash and it stopped for a while. But it reappeared eventually, this time on an industrialized scale - the final solution. Disabilities were not the limit anymore. Arguably the worst genocide in human history started with the reluctant murder of a 5 month old infant, just 6 years before reaching its peak at the end of the war.
This is the classic example of a slippery slope. One hesitant misstep is the beginning. But as they realize its benefits (to them), they double down and gradually expand the scope until nothing is exempted. The consumer electronics industry and the software industry are certainly no exceptions to this. Is it too dramatic and hyperbolic to compare them to the Nazis? Admittedly, a bit. But perhaps it's not a bad idea to shame them like that, because clearly nothing else is working (with all due respects to the victims of the original). And it's not like they hesitate to shame us when it suits them.
Personally: the idea that a "slippery slope" is a logical fallacy has always seemed like bulllshit to me. The vast majority of reasoning for why the judiciary makes the decisions it does is because of "precedent". Slippery slope is how the world operates. It surfaces everywhere, and when the slope we're sliding down matters, like this one, we have to fight back with fervor. Google isn't doing this in a vacuum; they're doing this because there's precedent for it, and because all they want is to assert more power over the world.
Google's behavior is utterly and entirely disgusting, unacceptable, despicable, and dishonorable. Everyone who even glances near this decision should feel overwhelming shame. If you have a shred of political power to fight this internally, you are a failure to yourself, your customers, and the world if you choose to stay silent. They'll read comments like these and think "we're right, we're being brave", because they have convinced themselves that there is bravery in wielding overwhelming power against their users.
> Personally: the idea that a "slippery slope" is a logical fallacy has always seemed like bulllshit to me.
I don't know if I got this wrong, but the 'slippery slope' argument by itself never appeared to be a logical fallacy to me. There are numerous valid examples of it, and that's the context of its use in my previous reply. There certainly is a 'slippery slope' logical fallacy, but I thought it meant that you are misapplying/misusing the slippery slope argument where it isn't valid or doesn't apply.
> Google's behavior is utterly and entirely disgusting, unacceptable, despicable, and dishonorable.
I was going to apply the Nazi label on them everyone else who use such sleazy tactics. I hesitated because a lot of people are still emotional about the holocaust (it has been 80 years) and object to equating anything with Nazism. But I sometimes wonder if the objection is meant only to silence the critics. While their actions haven't yet reached the magnitude of atrocities committed by the Nazis, their actions certainly are consistent with the Nazi tactics. Besides, it's not as if they had any qualms labeling ordinary people 'Pirates' for sharing media. Therefore I feel it's quite appropriate to apply to them and promote the label of 'Supply Side Nazis'.
i made and released some apps in the early days. Got tired of it and got tired of the reminders from google to add banners, screenshots, submitting icons to support multiple resolutions.. notifications that apps i haven't touched in decade are no longer compatible etc.
so much extra work involved that isn't building the app.
Got tired of this with a few extensions I made too. It felt like every year or so they'd completely break some API and I'd have to go switch to the new one, then they wanted a privacy policy, then justification for permissions, etc etc. Wasn't worth the trouble eventually and I just let them die.
Even aside from the privacy implications (which aren't trivial themselves,)
Doesn't this make it prohibitively difficult to do local builds of open source projects? It's been a long time since I've done this, but my recollection was that the process to do this was essentially you would build someone else's (the project's) package/namespace up through signing, but sign it locally with your own dev keys. A glance at the docs they've shared makes it sound like the package name essentially gets bound to an identity and you then can't sign it with another key. Am a I misremembering and/or has something changed in this process? Am I missing something?
Not just difficult - it becomes impossible. You can no longer develop any android app without Google's approval, just like iOS. The official emulators might not even work.
A repo is just files in a directory, so the namespace can be changed, but the whole thing stinks. Having to setup Android signing keys and needing to provide ID is not fun.
It means you won't easily be able to run builds on Google certified Android devices that aren't from "approved" people.
That's where the "prohibitively difficult" part comes in... surely they don't expect every developer on every open source app in the world to have their own app registration/package name for the same app, do they? Feels like an N * M problem, if so.
They have the ecosystem by the balls. Phone manufacturers in recent years have been making unlocking & modifying their devices more and more difficult, google and app developers have been cracking down harder on modded devices by implementing TPM equivalents in the hardware to sign and verify that your system is a google-appproved one, and alternatives still are decades behind in terms of app ecosystem.
> and alternatives still are decades behind in terms of app ecosystem.
That's if they're available at all. In my country, only cell phones certified by the telecommunications government agency (ANATEL) can be imported, so the alternatives (Jolla, PinePhone, Fairphone) simply don't exist.
It's incredibly obnoxious when people type "in my country" as if we're all supposed to just... know where they live. It's also incredibly common. Why do people do this?
Asking where somebody's from and having them respond with the state is not unreasonable -- you can already tell they’re American from the accent. The US is huge, about half of its states have more land area than half of the countries in the world. Asking where someone is from and receiving "the US" in response is about as informative as someone from Europe replying "Europe". Like yeah, obviously, I could tell by your accent, but where in Europe?
Funny thing is that americans do that all the time, even in international settings like a coworking space full of expats. Everybody introducing themselves with a "hi, I'm from this country", except americans telling their state or city. Are they expecting us to be familiar with their geography, or just unaware of alternative geographical frames of reference?
I'd think passive recognition of a fair few states would be a pretty low bar for relatively educated, English-speaking people. It's a pretty low bar, just placing a region with its country. People also regularly just assume that level of knowledge for globally- or culturally-relevant cities.
Maybe I think too highly of people, but I'd also imagine most would be able to get say... 6/10 right, for which countries the following list is from:
Yeah, I'll just ditch Google over this. The only reason I put up with their crap is because I can actually just install software on my phone. If they take that away, there's no motivation to stay.
If I can't run F-Droid and termux and all that, I have no need for Android supposed freedom. I'll just use an iPhone (it would be the first time!), minimize my use of mobile platforms to the maximum extent I can and stick with Linux laptops.
I'm currently researching Android alternatives, including Librem and Jolla C2, and I'm skeptical that those will be compelling. It's just so sad.
If both phone OS's are going to be the exact same on user choice then you might as well compare the two on their merits and this is not a comparison Android wins.
I rely on fdroid and am not sure what I'll do with this pixel 6a. I sometimes root, sometimes don't but I may have to get on the lineageos program full time. And I'm hoping for a rumored last batch of pinephone pro phones to be available later this month although I have no illusions about it being a real daily driver.
fdroid is based in the EU and the Cyber Resilience Act was already going to force them to either make their filters more strict (absolutely prohibit anything with any sort of "monetization"), or start collecting this data.
If they have anything on the platform that is subject to the CRA, they are a distributer:
Use an iPhone, minimize my use of it. Continue to emphasize Linux on all my other devices. Move away from Google and Apple services to as much self-hosting as possible. Leverage TailScale to make my services accessible, globally, without actually exposing them on the internet. I'm just assuming that I will have to have some kind of attested device in order to run banking and payment apps and that might as well be a locked down device like an iPhone.
An unofficial build of Android, like Grapheneos. It likely won't be able to install apps from the Play Store, but at that point it might be a blessing.
I would say this is a bold choice for a company whose existing restrictions around third party apps and stores and in-app purchases has already been found illegal. While it doesn't look like they're pushing for it right now, forcing Google to sell Android was something the DOJ has considered as a penalty.
I'm not sure Google still has the ecosystem by the balls. It's very possible whatever Googlers who made this decision are the type of folks who don't comprehend they work for a monopoly that like actually can't do things like this anymore.
They're also the best equipped to tell if you've done so, and restrict access from critical functionality needed by many in their day-to-day lives if you've done so.
The intentions behind all the security hardware they introduced in pixel phones first, and is now required by play integrity to function might've been well-meaning, but that doesn't really matter in the end. Security features that the user can't control and bypass aren't security features - they're digital handcuffs.
true, and recently they deserved a lot of credit for publicly releasing their device trees and drivers. unfortunately, with the 10 series pixels they no longer will be releasing device trees, which makes it much more difficult to maintain custom ROMs
If this is enforced via Play Protect, then the whole mechanism can likely be disabled with:
adb shell settings put global package_verifier_user_consent -1
This does not require root access and prevents Android from invoking Play Protect in the first place. (This is what AOSP's own test suite does, along with other test suites in eg. Unreal Engine, etc.)
I personally won't be doing this verification for my open-source apps. I have no interest in any kind of business relationship with anyone just to publish an .apk. If that limits those who can install it to people who disable Play Protect globally, then oh well.
I really hope this ends up being possible! Play Protect seems to jump up every so often and try to scare me into turning it on. Very annoying. I've wanted to disable Play Protect permanently, but never did the query to learn how, so thank you.
There could of course be side effects in the future when this restriction is rolled out, as in your device's Play Integrity status could be affected and your banking app/phone wallet might not let you perform app-based payments from that device.
The reason I chose the Android ecosystem over the Apple ecosystem, once I found out that the Maemo/Meego ecosystem was a dead end and the Openmoko ecosystem was a non-starter, is that the Android ecosystem allowed me to develop and install my own apps on my own devices whenever I wanted to, without arbitrary limitations like having to periodically plug the phone into my computer to renew some authorization. Additionally, there was even for some devices the possibility of rebuilding the whole operating system with any changes I desired.
If I'm not allowed to develop and install my own apps on my own phone, what advantage does Android have over Apple?
> without arbitrary limitations like having to periodically plug the phone into my computer to renew some authorization
I find it easier to do a git commit once every 89 days and see my app auto refreshed through Testflight for me and anyone else I care to let use it.
If you look at the build system SaaS pricing or even IDE pricing on Show HNs here, the Xcode cloud build and distribution ecosystem is an absolute steal at $9 a month. Private Testflight (with no review) can be more convenient than that desktop cable.
Makes sense why they had to get rid of the "don't be evil" motto. They've been on a roll.
I've seen a lot of similar sentiment on this thread, but the reason I use Android is because it gives me more control than iOS by allowing full-on painless sideloading, and custom distributions like GrapheneOS. They're doing everything they can to turn themselves into a worse Apple. All of the downsides of Apple, but none of the upsides. Apple beats them in every aspect that isn't "openness".
When will the straw break the camel's back? I'm shocked we've let it get to this point with no realistic alternatives. There's no reason a competitive Linux-based smartphone can't exist (no, I'm not counting Android in that).
> There's no reason a competitive Linux-based smartphone can't exist (no, I'm not counting Android in that).
Yes there is. You all don't understand that they will use remote attestation to force everyone to use approved devices with signed apps on signed OSes only
You won't be able to bank, call a cab, write a chat message, watch a youtube video or do anything relevant on a device anymore that isn't signed, approved and controlled by google. They've made us cattle and now they are going to milk us dry.
> There's no reason a competitive Linux-based smartphone can't exist
There is; it's the "phone" part of "smartphone". Being a phone makes the device subject to a lot more requirements (for an obvious example, emergency dialing must always be available and work, and at the same time the phone must never accidentally dial the emergency number).
In my country, only cell phones certified by the government telecommunications agency (Anatel) can be imported, so I can't for instance go to the Jolla or PinePhone store and buy a Linux-based smartphone; if I tried, it would be sent back the moment the package entered the country. (See https://www.gov.br/anatel/pt-br/regulado/certificacao-de-pro... for details.)
> There is; it's the "phone" part of "smartphone". Being a phone makes the device subject to a lot more requirements (for an obvious example, emergency dialing must always be available and work, and at the same time the phone must never accidentally dial the emergency number).
Funnily, Google is one the few phone manufacturers who can’t make emergency calls to work. (e.g. search Pixel problems)
Oh, yes... Actually I remember: it was a long slow series of accepting small artificial restrictions. I remember people laughing at me at the time. They said it won't matter, they didn't care, that I was paranoid...
Unless this is used to block TikTok or ChatGPT users still won’t care and people will still laugh at us for caring, or think wanting privacy or control of your computers is suspicious or ungood.
and don't forget all the people with the dismissive remarks about how it didn't affect them on their Graphene or Calyx phones. We're all downstream of something. The real product of Android for us was always the interoperability with the normal world for the tinkerer.
We had no part in this. The blame lies squarely with Google and its employees, who trade away user freedom for profit and career gain. Many who are smart enough to know better but instead compromise their principles. It's just another symptom of late-stage capitalism.
If your businesses idea doesn't work without you being evil, you deserve to go bankrupt. I perceive a tendency to assume it is necessary for a company like Google to maintain full control over our ecosystem to further our progress and maintain order. However, we should know by know that this isn't the case. You don't have to be evil to be useful. See GNOME, GrapheneOS, Steam, KDE, Wikipedia, Linux or Mozilla (previously). Tricking us of their inevitability is their greatest success.
Thank you, all HNers at Google, for continuing to work there.
And yes, before you ask, I have personally quit a job that paid 3x what I was able to get elsewhere over ethics. And no, I'm not rich, probably bottom 5% in terms of assets among my colleagues, coming from a lower-class background.
Their own store has a dozen "AI Photo Editor Pro 2026" and "Turbo Deluxe Ultra VPN Secure Pro" apps that are "approved" and yet for sure have malware at worst and at best steals your data and serves nonstop pop up ads
Don't get me started. Every single app I search for on the play store gets a first sponsored result that is a completely different app. It is so utterly broken by design.
This is the same direction that Microsoft is taking Windows. Smart App Control is already rolling out to some regions - no .exe will run without a code signing certificate.
It requires a code signing certificate from one of the trusted central authorities, and generally as an individual you must have your legal name on the code signing certificate. It's not pseudonymous.
I really wish Microsoft made it cheaper to get a certificate. With Apple you pay $100 a year for any number of certs. Last I looked into it a cert for a single Windows app costs $400+ per year and requires a hardware token.
The setup is the most insane stupid stuff I've dealt with in a while. I am currently waiting for them to agree that my DUNS number is real, and they made me remove the WHOIS privacy from my domain name to verify that my address is associated with it. The billing receipts from my host were insufficient for reasons they couldn't explain. Had to upgrade to the $30/mo and then the $100/mo support plan just to speak to someone and it's been 4 weeks without movement. But hopefully it will be worth it in the end, the EV certs are crazy expensive and don't even remove smartscreen warnings anymore.
Ugh, sorry to hear that, yeah the whole setup process is just so insanely frustrating. I'm really dreading having to re-validate my identity documents once they expire.
For what it's worth, in my experience it was even worse with EV certs though - all the same steps including removing WHOIS privacy, plus some extra ones like voice phone number validation that had to be repeated every single year.
And then there were extra WTFs with the EV cert expiration being 365 days after an issue date which is several days before you actually receive the hardware token. Or one year they sent the hardware token fairly promptly, but forget to send the password needed to use it, and it took a week to get a response from support etc. Then again, Azure Trusted Signing has similar ridiculousness with billing being based on calendar months, with no proration for your first month even if you started at the end of the month... I mean it's just $10 but it really adds insult to injury after that signup gauntlet.
Anyway, I've heard that if your Azure Trusted Signing process gets stuck in limbo, it can be best to submit a different document, but I'm not sure if there's any alternative permitted for the DUNS step. That's especially annoying because trying to update outdated info with Dun & Bradstreet is problematic in my experience, i.e. their web forms just plain did not function properly.
I've grown increasingly hateful towards both my Android and iOS devices over the last decade. The platforms themselves are increasingly user-hostile, and their appstores are crammed full of shitty, privacy-invading, telemetry-hoovering, dopamine-triggering, ad-filled, lipstick-covered apps that are often garbage compared to the pioneering days of mobile. I miss the days of my old Palm Pilot.
Is anyone working on fixing this? We can do so much better.
Side note, I read that GrapheneOS project is having some challenges recently.. between [0]the Android kernel drivers no longer having their Git history of changes being released (only a code dump with no history) - and [1]one of Graphene's two core contributors being detained/conscripted into a war.
If an alternative, privacy-focused OS like Graphene can support contactless payments (universal, like Google Wallet does it, not having to install an app per bank or card), and can 100% reliably get around apps requiring SafetyNet (or whatever they call it now) attestation, then I'd start using it.
I'd also need an alternate, safe source for common apps like Uber, Lyft, Slack, Kindle, Doordash, my banking/credit card apps, and a host of others that I use regularly. (And, no, "just use their website" is not acceptable; their website experiences are mostly crap.)
Way long ago I used to run CyanogenMod on my Android phones, and it was trivially easy to get every single app I needed working. Now it's a huge slog to get everything working on a non-Google-blessed OS, and I expect some things I use regularly just won't work. I hate hate hate this state of affairs. It makes me feel like I don't actually own my phone. But I've gotten so used to using these apps and features that it would reduce my quality of life (I know that sounds dramatic, but I'm lacking a better way to put it) to do without.
For those watching this stuff, there are two other promising paths using ZK-proofs which might disarm the tradeoff situation we've been stuck in. Banking apps etc aren't willing to eat the liability of devices that are rooted or running alternate OSes, and Google's been banking on the exclusivity that brings from being both hardware and security provider.
Path 1: a ZK-proof attestation certificate marketplace implemented by GrapheneOS (or similar) to prove safety in a privacy-securing way enough for 3rd party liability insurance markets to buy in. Banks etc can be indifferent, and wouldn't ignore the market if it got big enough. This would mean we could root any device with aggressive hacking and then apologize for it with ZK-proof certs that prove it's still in good hands - and banking apps don't need to care. No need for hard chains of custody like the Google security model.
Path 2: Don't even worry too hard about 3rd party devices or full OSes, we just need to make the option viable enough to shame Google into adopting the same ZK certificate schemes defensively. If they're reading all user data through ZK-proof certs instead of just downloading EVERYTHING then they're significantly neutered as a Big Brother force and for once we're able to actually trust them. They'd still have app marketplace centrality, but if and when phones are being subdivided with ZK-proof security it would make 3rd party monitoring of the dynamics of how those decisions get made very public (we'd see the same things google sees), so we could similarly shame them via alternatives into adopting reasonable default behaviors. Similar to Linux/Windows - Windows woulda been a lot more evil without the alternative next door.
All of my bank apps work fine on graphene. I'd switch banks if their app stopped working, not stop using graphene. I stopped using Google wallet, I don't miss it enough to justify using stock android. For other apps, I just put them in a separate profile that has good play installed/configured. It really wasn't bad. The worst part is wiping your phone to install graphene the first time, I prefer just to get a new device for it so I can move stuff over
"Many other devices are supported by GrapheneOS at a source level, and it can be built for them without modifications to the existing GrapheneOS source tree."
How do you access banking and other sensitive apps? If the answer is, you don't, well, you can see how that's a non starter for the vast majority of people.
This is a good start! I think we need something like a ProtonDB for this sort of thing, but that covers all apps, not just banking apps.
I do see five banking apps I use listed there as working, which is great. But -- and maybe I'm being unnecessarily overly worried about this -- what about the future? What if I've been using Graphene for a year or two, and one of the ones that's critical for me changes how they operate, and Graphene no longer passes muster as a platform it will run on. I'm not afraid of this happening at all running Google's stock OS image, but once I do my own thing, I get to keep the pieces when it breaks.
I love how so many of the responses in this thread are "it works for my particular bank" or "my bank's website is good enough" or "I'd only need it to deposit checks, but I never need to do that"... as if those are actually helpful responses to this general problem.
Many many people have banking apps that will not work on non-Google-blessed devices, use banks that have mobile websites that are terrible, and need to do mobile check deposits (which is usually only available in the app, and not the mobile website, if the bank even has one). And no, we're not going to "change our bank".
The reality is that there are so many things that break, sometimes in subtle ways, when you try to use an alternative Android OS. Some people may not have any problems, and that's great! But many -- I would dare to say most -- will.
And there's also a ton of uncertainty: I don't really want to wipe my phone, install GrapheneOS, spend hours messing with it and setting it up, only to find that something critical doesn't work, and now I have to flash back to the stock OS, and hope I can restore everything the way it was.
There's bound to be tradeoffs between scrappy open source communities and trillion dollar industry behemoths. The fact that it's this close of a call is pretty amazing. And really you can blame your bank for not making a usable mobile site. A lot of businesses like to force users into apps because it helps with engagement metrics, not because there's any functional benefit.
This is quickly disappearing as an option as well. I need my bank app to authenticate even when using a web browser on desktop. Luckily my banks app still works on GrapheneOS, but I suspect it's only a matter of time before they disable that because of "security" reasons.
What bank is this? No bank I know /requires/ you to use a mobile app for anything; the web is enough. 2FA can usually be done via email, SMS, or a google-authenticator-compatible app.
They have a nice web app, but you must use their mobile app to login on the web version. The app takes a video of a QR code on the web page during login. Web login completes as soon as the mobile app notifies the server. There's no 2FA code to enter, and no alternative.
I asked them about this, by phone call, when my phone screen broke and I urgently needed to make a transaction. Surely there as an alternative? Or could I do the transaction by phone call?
They told me that indeed there is no other option. Despite having phone customer support, they had no phone or web banking service at all which could be used without a registered mobile device. The only phone service they could perform was to register a new mobile device, which I didn't have. I had a tablet, but it was too old.
So I had no good choice. The Android phone I'm using right now was bought in a hurry just so I could be allowed to make a bank transaction.
It wasn't my first choice of phone. I didn't have time to investigate alternative devices, let alone weigh up open alternatives. I ended up buying a mid-range device under pressure that seemed ok and was available in a store without waiting. (It was a brand new Samsung, and despite the IP rating it got water damaged and stopped working entirely after a few splashes a year or so later, but I was able to get it repaired.)
I should say that I'm not from the US, so that might be why you haven't heard of it.
There is also an alternative for now, but nothing as simple as SMS or authenticator app. They give you a special credit card shaped card with a card reader that you can use to authenticate with using your PIN, which is mostly considered legacy now with the bank app. It's also not realistic to be carrying this thing around everywhere either as it's bigger than my phone.
There is also a national ID app that is used everywhere that I'm worried will stop working on GrapheneOS... Because without it I won't even be able to access online government services like healthcare, taxes, etc.
I don't know the bank they are referring to, but I can cite an example for me: RBC Royal Bank of Canada requires the mobile app. There is nothing you can do on their website without first 2FA via their specific mobile app, and even then only in limited transaction sizes. If you want "full access" (e.g. up to $10k daily transfer via e-transfer) then you MUST use biometrics and the mobile app.
Unfortunately I have checks to deposit every couple months. And my bank has no physical presence, so the only way I can do it is through the mobile app. (They also accept deposits by mail, but I'm a little wary of that; a lost check would be a huge hassle.)
They don't all work, though: too many crank up the settings on google's various 'integrity' checks and will fail on anything that isn't 100% google-blessed. (Which is insane, because that's all that's required: on a previous phone of mine, it worked fine with a stock ROM with a bluetooth-based RCE, but upgrading to a custom ROM would have meant it was 'insecure')
Is that a jab at grapheneOS ? Because thats just another thing that google is borking up. And a little bit more so the banks themselves.
GrapheneOS is the way that all phone operating systems SHOULD be made. Layers and segregation between your banking apps and all the privacy breaking trash and malware you can get off the app store.
It is the banks and google making weird rootkit shit to try and lock down things that is the problem here.
My credit union app already wants 24x7 GPS tracking of my location and full access to my camera at all times and full access to my collection of photos, so the app is already dead to me anyway. Demanding that I use it on a locked down device isn't going to change anything for me, I'm already actively not using it. I use the website on a desktop, I rarely need to access my CU at all much less access it remotely.
Given the large amount of battery and bandwidth already used to track my every move, I wish there was something like "Docker for phones" where I could enable and disable 24x7 full access to my every action IRL.
How is GrapheneOS / SeedVault looking these days in terms of being able to capture reliable backups and restore them to another device (without using the cloud)?
I gather the introduction of the android:allowBackup="false" manifest flag complicated things somewhat... I thought I read since then that a Device-to-Device (D2D) impersonation mode was implemented, and would love to hear if that helped?
I tried to screenshot some app on my android the other day and got an error toast reading some bullshit like "this action has been blocked by the admin." Uh I'm the admin and this is my hardware... The sketchy app was trying to prevent screenshots.
The crazy thing is this is all under the pretense of preventing malware. And I constantly hear this argument that the app stores protect people, even from developers.
I truly don't get it. Are these people from 2009? Have they seen the apps on the current app stores? If you're lucky your highest rated flashlight app will only have a few Fullscreen ads and a subscription less than $10/mo. The recipe sites from content farms are less bloated and way less scammy.
It's certainly not about preventing scams. It's about preventing competition in the scamming business.
> According to its own survey, Google says that more than 50 times more malware came through internet-sideloaded sources compared with Google Play, where it has required developer verification since 2023.
50:1 is not preventing. It is just "well, we are better than nothing"
I'm pretty sure there can be other curated stores that can serve the customer¹
[1] customer: owner of phone, not advertisers, data merchants, etc
I regard Google highly in many domains, but this needs independent research. There is just waay too much opportunity to misuse data to paint a picture of themselves as the protectors. Especially curious about their definition of malware, because to me the app stores seem worse than browser toolbars from the 2000s.
Vollo from German is one https://volla.online/. They sell a nice set of devices that run either a custom Android or Ubuntu Touch. Their custom Android has a nice bunch of UI and privacy features.
Another one is https://murena.com/ which (IIRC) is based in France. They don't have their own hardware though, they sell partner phones with their ROM preinstalled.
For once Fairphone never updating their phones will work in our favor! If Google roll sthis out in early 2026, anyone with a Fairphone can rest easy that they won't receive that version of the operating system until mid-2028 at least.
I have Android 15 on my work phone and 10 in private. I don't really see the difference besides that they've made it more annoying to turn wifi off (requires an extra tap now, first the general internet menu and then a small slider for wifi or mobile data). Genuinely not seeing any significant changes from a user point of view (I'm sure there's lots of new SDKs for the developers, but while I've made apps before, I'm not a mobile dev keeping up with the latest things)
That Fairphone has 13 just tells me they don't waste employee time in their small business on useless upgrades just for the sake of it. Their point is fair wages and ethical mineral mining: better that they have a workable phone without even more fluff, it seems to be tricky enough already in this world :(
Fairphones are also LineageOS and postmarketOS compatible, both options are without tracking and without Google's mandated policies.
LineageOS without gapps is really usable if you set aside the "big" social media apps. WhatsApp can be sourced from their website as an APK. The social apps like facebook, instagram, snap, tiktok and others all require Google Play's tracking services (aka gapps).
For YouTube there's multiple better alternative open source apps available, and mastodon, amethyst and the fediverse apps on f-droid are far superior in terms of performance to the Google Store alternatives.
The entire developer experience was fantastic and the thing that killed it was a lack of desire from the upper leadership when it felt like they couldn't compete with the duopoly.
Did you have a wince app? Too bad, throw away all that and rebuild for wp7.
Do you want do anything useful? Actually, you better wait for wp7.5.
Oh look, we have a totally new thing with WP8. Upgrade to the newest framework so you can use the WP8 features... Oh, but you still need to build for the old framework for WP7. Hey, how about WP8.1, kind of the same deal.
My personal favorite though was WM10; you now need to build a Universal app that only runs on the very small number of WM10 phones... If you want to run on WP7 and WP8 which still have more sales, a universal app doesn't run there. Also, even though we said WP8 phones would be able to upgrade, either we changed our mind, or the experience is so bad most people won't. And the cherry on top... Users who upgrade from 8 to 10 might need to delete and reinstall the app, otherwise it will just show the loading dots.
Did we mention, we decided we didn't need engineers in Test in the run up to WM10? Couldn't possibly be why the release was terrible.
It's incredible that by the end of it, the WM rollercoaster made us actually miss WinCE. If you had have told us that initially none of us would have believed you. WM had so much potential and was just totally botched.
Start complaining to your government about every shitty thing the apps and OSes do, and tell your friends to do it too, eventually we may get some action on it.
We are all mildly annoyed and therefore mildly motivated to fix the problem. Apple and Google are extremely highly motivated to retain the status quo. I still try to vote with my wallet but it's going to be hard to counter their well-funded lobbyists.
I think before we can fix all that we need to revert the renting of software via subscriptions and go back to one-time-payment. But people are too greedy for that.
I cut my teeth on commercial b2c & b2b app dev/sales on Palm OS from the age of 14. It was sad but now I'm a full-time bootstrapped iOS dev thanks to that experience.
I'm right there with you. These platforms are cancer. There's a small but growing movement away from smart phones. It'll probably never go mainstream, though.
Heh, I've always done this. Maybe if every mobile dev made sure I could find text like I can in a browser I'd be less strident. But really, I need a very good reason to install stuff.
It's also super nice to take notes on the fly for OpenStreetMap with StreetComplete, for holding the device up to the sky and it tells you what planet is so bright in the sky, for navigation... These things don't work on a laptop. Even if you want to carry a full-sized system in place of a smartphone, or use Ubuntu Touch, I'm not aware of software to do these things in the convenient way that Android apps let you
Of course, that's a software support issue and not a constraint imposed by the OS. Someone could make Stellarium desktop work with an orientation sensor. It's just that nobody has done that particular thing, as well as a million other things that work super well on mobile
So is it second-class, or is it just a way that is optimised for output rather than input? You get the turn instructions presented to you, you can watch videos and listen to music, note-taking is optimised to work with a few taps and is reduced to the essentials you need. You can work them out later on computer if you have time at home over of course, but at least you can contribute that way with ease
> Google notes “supportive initial feedback” from government authorities and other parties:
Ah, then I guess everything is fine. I'm sure they aren't in favour because it gives governments greater control over what apps we're allowed to have on our phones. That would be absurd.
I feel like that makes the most sense. That this isn't something Google thought up but something that the EU wanted to ensure its government ID app was "safe". Google does benefit but the timing seems to line up.
It makes total sense to the average person. There has been a constant stream of “yet another Android user got scammed out of their life savings because of Android side loading; iPhone users not affected”
It’s an inconvenient fact for power users, but side loading makes users significantly more vulnerable to scams and restricting side loading is both a predictable and reasonable response to that fact.
If you don’t like this, you need a better argument than “my desire to run any app I want is more important than pensioners losing their life savings” because that is not a winning argument with the average person, with governments, or with Google/Apple.
> As I’ve mentioned here before, sideloading is a genuine security concern, not merely an excuse for Apple to exert control. There is a never-ending stream of people losing their life savings. It happens on Android and not iOS because Android allows sideloading and iOS doesn’t. There is a very real human cost to this.
> Police warn new Android malware scam can factory reset phones; over S$10 million lost in first half of 2023
> There have been more than 750 cases of victims downloading the malware into their phones in the first half of 2023, with losses of at least S$10 million (US$7.3 million).
> 74-year-old man loses $70k after downloading third-party app to buy Peking duck
> “I couldn’t believe the news. I thought: Why am I so stupid? I was so angry at myself for being cheated of my life savings. My family is frustrated and I ended up quarrelling with my wife,” said Mr Loh, who has three children.
> Singapore Android users to be blocked from installing certain unverified apps as part of anti-scam trial
> "Based on our analysis of major fraud malware families that exploit these sensitive runtime permissions, we found that over 95 per cent of installations came from internet-sideloading sources," it added.
> Android users in Singapore tried to install unverified apps nearly 900,000 times in past 6 months
> These attempts were blocked by a security feature rolled out by Google six months ago as part of a trial to better protect users against malware scams, which led to at least S$34.1 million (US$25.8 million) in losses last year with about 1,900 cases reported.
All of those links 404s for me. Can you explain how the malware works? You are aware that it's not the app store that protects you, but the sandboxing? Are these impersonation vectors, ie phishing?
I didn’t notice that Hacker News had truncated the URLs for display. You can get to the articles by following the links in the original comment.
> You are aware that it's not the app store that protects you, but the sandboxing?
Both protect you.
> Are these impersonation vectors, ie phishing?
It’s a variety of things. Some use accessibility hooks to act as key loggers. Some seem to use exploits. Some are phishing by impersonating other apps.
I know the situation in Singapore and Thailand and I was curious if there would be anyone mentioning it in this discussion. Thank you for your comment, you should be upvoted.
They saw Apple getting away with notarization under the DMA so they're doing the same.
I must admit the mass demotivation strategy is working really well. Seeing this kind of news every single day, affecting you directly and not even being able to do anything
Yep. I feel powerless, and I don't know what to do. I don't think there is anything I can do, except for watch all of technology get locked down to the point that you need a monopolist's or a government's permission before you do anything with it.
It's so fundamentally depressing, and completely at odds with how I grew up viewing tech.
I predict Windows will end up going this route before Google backtracks on it.
This is the future; partially fuelled by malware, partially fuelled by the desire for platform control, and partially fuelled by government regulation.
As an example of government regulation driving this change, see [1].
This regulation of NSW, Australia considers rooted devices with extra non-Google/non-Apple approved security features such as a duress/wipe PIN (a standard feature of GrapheneOS[2]) as a "dedicated encrypted criminal communication device". How the device is being used doesn't matter. It's how it _could_ be used.
I don't know that it's that simple. Further down that section (1920) in reference [1] reads
"(3) A dedicated encrypted criminal communication device does not include--
(a) a device if--
(i) the device has been designed, modified or equipped with software or security features, and
(ii) a reasonable person would consider the software or security features have been applied for a primary purpose other than facilitating communication between persons involved in criminal activity to defeat law enforcement detection,"
It's not automatic: depending on what a reasonable person thinks and the definition of criminal activity.
> applied for a primary purpose other than facilitating communication between persons involved in criminal activity to defeat law enforcement detection
Does the jurisdiction matter? For example, if an activist was using a device to do things in another country that would be legal in Australia but were crimes in the other country.
I mean, in my country, it's increasingly unclear to me whether things like "loudly criticizing the executive branch" are now considered criminal. Recent executive branch statements on this issue seem to indicate that they may consider some critics criminal just for being critics. But it's hard to be sure. And so far, every critic they've threatened to arrest has also been accused of committing other crimes.
So "the government only considers a duress PIN illegal if it is used to facilitate crime" seems like a potentially tricky standard to apply.
At the pace of regulations we have, one day everything will be forbidden and we will all be criminals just for protecting our own wealth or security from these... yes, from these mafias.
I could use a knife to chop meat, not people; I could use a car to commute, not as a high speed bullet; I could use a gun to eliminate pests, not to kill people. Just because I can use something to do something nefarious doesn't mean it should be banned, of we should not use Internet at all because it facilitates scammers.
It is always the human mind that dictates the action, not the tool. It is futile to try and ban the tool, and I bet 100% they knew that.
This is uncanny and worryingly specific, and I'm not a lawyer, but if you're not already under suspicion of being a criminal, then installing graphene doesn't match this definition I think
Suspect, they wrote, and that happens all the time. If you go into a store on the way home from work, and 99 days this works fine but the 100th day they want to look in your bag, but you can't show them confidential drawings of the Google Pixel 14 Max that you carry as part of your work, now they'll think you really did steal something and you went from no suspicion (spot check) to definitely a suspect and new things start to apply to you, e.g. if you leave without resolving the suspicion the police might have grounds to enter your house or search you when you walk out next time. The suspicion is based on being a suspect, not on any actual evidence (nobody saw you put anything in your bag)
I mean, you don't really have to speculate about what this is for, it's for an authority providing for lawful search, it seems pretty well-scoped, and similar to any old search warrant, which is not a new thing, really https://classic.austlii.edu.au/au/legis/nsw/consol_act/deccd...
Basically, they're not really setting up for a blanket ban on personal security features, that interpretation is obviously catastrophizing. Not that there aren't hamfisted laws somewhere like this, but NSWs implementation seems OK I guess
Microsoft mismanaged it but there was a potential parallel universe where they were successful at that plan and consumer versions of Windows would be locked to the Microsoft store.
They did a bunch of terrible inept rollouts with confusing technology for both users and developers and effectively shot themselves in the foot. But it did not have to go down that way.
Yep. They fumbled the ball on step 1 of demand aggregation and we got lucky there was nothing of value for the 99% of users that will blindly take the easy path.
> there was a potential parallel universe where they were successful at that plan and consumer versions of Windows would be locked to the Microsoft store.
Sounds like a nightmare universe.
I've got a hobby app in kotlin multiplatform with iOS/Android/Windows/WASM builds and while I have no issues with Apple's App Store or Google Play, I've had nothing but problems trying to support Windows Store.
The MSIX installer format is horrendous to deal with and the certification process for new releases on Windows Store is always far too long and in the cases they do find issues the reports of the issue that they log are entirely worthless.
I ended up just pulling the app off the Windows Store entirely and making it a downloadable *.msi installer. While the extra layer of presumed integrity of the app being on the Microsoft Store would be nice it wasn't remotely worth the effort for the tiny amount of people who were using the Windows version in the first place, especially given the app is free.
> Microsoft has way too much of legacy software people use, banning it all overnight will not go well at all.
A lot of legacy software was killed off with the move to 64-bit Windows. Consumers survived that and for businesses registering their software with MS isn't a problem. They're already handing Microsoft all of their company email, their documents, their spreadsheets, etc. and paying Microsoft for the privilege. MS doesn't care at all about consumers.
They can just require hash of legacy binaries sent to Microsoft and rubberstamped back. Eventually they'll have a near comprehensive list of legacy binaries in common use, and move to block unknown binaries in circulation as "malware".
The malware excuse is just a palatable false pretense. "We have to protect granny!" Of course, she is getting fleeced by plain scam calls, not somehow sideloading apks onto her idevice, but the truth doesn't help advance their narrative.
Imagine that metaphorical granny that in an instant catches fire and turns into ash if the governments and large corporations don't have complete control over our lives.
To put the strongest face on it, by "cracked" youtube, you mean a version that shows the cracker's ads and maybe somehow generates extra clicks (or whatever) so they can get money out of it?
Cracked spotify? In my mind that's just like YouTube, almost entirely server-side. I guess you're talking about hijacking ads here, too? I feel like a "real" crack of Spotify would let you listen to music for free, but that should be impossible (unless their SWE's are incompetent).
You are approaching as is the malicious developer was trying to add useful features for the users.
But in practice, these “apps that lookalike popular apps” are not intended to just be adware-less versions of the popular apps. They are frequently “hide the ads, inject the malware with more permissions” Trojan horses.
I think there is likely a dual motive from Google where they both want to stop malware _and_ stop people blocking youtube ads. The malware problem is real though.
Those "cracked" versions often require extra permissions.
My favorite was a local "discover which on your contacts is on the leaked Covid quarantine list[1]" scam app. It claimed that the extra permission dialogs are just fearmongering by Google, who is in cahoots with big pharma, and wants covid to spread to sell more medications.
[1] In fact, no such leak has ever taken place, its existence was just part of the setup for the scam.
Did she ever get anything side loaded like that? I have downloaded malware by mistake before. Not once were they allowed to proceed with installation. The only way I got anything side loaded was if I installed the first one (which is always Fdroid) deliberately via ADB after I enabled the developer mode.
No I'm not. I asked if anyone likes Windows. These people presumably have no opinion, it's just a means to an end. The closest thing I think you'll get is "I liked Windows 7" or something like that.
Malware is the excuse. Control is the goal. Extracting as much money from people while providing less actual value.
The saddest part is this is to the detriment of literally everyone except a couple rich owners of those companies. And everyone has the right to vote. But western democracy is so indirect the people who understand and care have no way to change the law because their signal is lost in all the noise by those who don't know or don't care.
If the vote came down to people in favor of walled gardens or in favor of forcing companies to open their platforms, with everyone else not voting, it would be a landslide. But there's no way to vote on it this way.
“western democracy is so indirect the people who understand and care have no way to change the law because their signal is lost in all the noise by those who don't know or don't care”
Wow, how fix (WITHOUT intelligence tests as voting requirement) :(
> This is the future; partially fuelled by malware, partially fuelled by the desire for platform control, and partially fuelled by government regulation.
I would say it’s really 50% platform control, 50% government regulation.
Malware is the excuse. I went, without super skill, 40 years while only contracting two viruses ever (one was Kakworm, the other was inert at the time because I was an Amiga user who kept a copy of Scorched Earth on a floppy, which never infected my Amiga).
> I predict Windows will end up going this route before Google backtracks on it.
It will not happen in the next 10 years. Right now people would just make generic launchers and then use them to manually load and execute any binary they please. Options include just writing your thingy in a scripting language and run it in node.exe, python.exe, or compile it to WASM, use native bindings of a scripting language, abuse a random verified electron app, ship with and use a random vulnerably driver, etc etc.
Even remotely getting to the point where locking Windows down to that degree would be possible is going to take MS a long time, fighting friction from users all the way. The whole ecosystem would have to change drastically for that sort of control to even be possible and make sense.
The holes aren't really there because it would be so hard to close them in a vacuum, they're there because decades of software people use rely things working the old way. People aren't going to switch to a new OS on which almost nothing works anymore.
This is a monopoly with annual gross revenues bigger than all but 42 countries behaving this way.
They have conspired to control the web, browsers, mobile computing, and soon AI. It's sickening how much bad behavior they get away with.
They were able to use YouTube to bludgeon Windows Phone to death and become the de-facto mobile duopoly. Then they were able to get their shitty search engine on all the panes of glass, didn't care one iota about search quality (just ads), but were able to leverage their browser engine control to remove adblocking capabilities.
I hope the DOJ/FTC split Google into a dozen companies.
Yeah, it is so weird to read comments based on a belief that the current government is aimed at some goal of justice. I guess they're just still drinking the Kool-aid?
Trump was a breath of fresh air talking about frustrations with the status quo that other politicians wouldn't acknowledge. But the only reason he was bringing them up was for use as a cudgel to shake down companies to enrich himself. He will very most certainly go after big tech monopolies and break them up... iff those big tech monopolies don't put bribes into his pocket. As long as his pockets get fatter, then the status quo is just peachy. It's called "making a deal".
DO NOT UPLOAD YOUR ID/INFO TO GOOGLE. I put my game on their app store some years ago, and they doxxed me right on the app store. Google posted my name and home address right on the game page. Not great when I was already receiving death threats! Later on, had a rando show up at 3AM one night and had to call the cops out. I moved after that. Google is absolutely not to be trusted to keep this data confidential. If Google demands I do anything with them, I'll just tell my fans to install lineageos or whatever instead -- no way in hell I'm having ANYTHING to do with google ever again. GFY google!
If you are having random people try to attack you while you are at your home, you need to be prepared. Strengthen your door jambs with nine inch screws to replace the screws your door is mounted to and use metal plates to strengthen the locks (there are kits available at home improvement stores), install adherent plastic frosting on your windows that will slow down break ins by making the window much more annoying to break through, and install surveillence cameras outdoors. On the offensive front, you can consider OC/CS grenades you can throw down the hallway to avoid exposing yourself and handheld pepper spray for non-lethal deterrence at moderate range. Finally, if all else fails, keep a loaded handgun in a easy to use but hard for kids to unlock gun box under your drawer next to your bed. An under barrel flash light severely blinds invaders and makes them think twice about charging you, maximizing the chances that you nobody will get hurt. The door jamb upgrade is the most important one. I have returned home to a severely beaten door with my shattered iron door knocker on the ground laying in front of the door in pieces but the house was impenetrable to the burglar(s) who weren't willing to break through the glass. It also doesn't hurt to install fake $5 security dome cameras around the property.
If your app is monetized, the contact details of your "business" are shown in the play store. For many smaller developers, this will just be their home address.
That's why you have to have a business address, and get all your business admin ducks in a row, even if it's your first real monetized app. Your future self will always thank you!
I had to do a government ID upload and a live face scan to install my banking app on a new phone even though I had other devices I could have used to authorize it. It made me want to switch banks, but where do you go?
For what it's worth, Venmo will not get access to your biometrics data, it's a black box in which you specify a desired level of authentication and the OS just returns ok/not ok.
It is, however, to make you use Venmo more easily, thus more often, thus spend more money through them.
> developers will have the same freedom to distribute their apps directly to users through sideloading or to use any app store they prefer. We believe this is how an open system should work—by preserving choice while enhancing security for everyone
I guess words don't don't have meaning anymore, how can you claim to have an open system in an announcement about closing it down?
It's also telling that the big supporters of this are apparently corporations and governments. Admittedly I don't know what "Developer's Alliance" is but they don't seem to care about developers very much, and I wouldn't surprised if they were just a "pay us to say what you're doing is good for devs" kind of thing
> developers will have the same freedom to distribute their apps directly to users
You have here Google making a statement it can't actually fulfill and one that it knows it can't fulfill. So Google is willfully lying here.
The minute Google has a technical capability to control what applications run on Android it's out of their hands. It is in the hands of courts, governments, dictators and authoritarians. That's just the nature of the world - Google has to obey the law and Google doesn't make the laws.
I guess it sounds hysterical, but in that sense, this is an absolutely massive loss of freedom for the entire planet as communication power that rested with individual choice is now transferred wholesale back to governments by this decision.
The Developer's Alliance address is a coworking space in Washington DC, if you want to rate the likelihood it's just an astroturf for public tech policy wonks.
I'm thinking it's time for a 2nd phone (in my case old one from cupboard) to become the regular daily GrapheneOS enabled driver and then keep a modern Google(tm) updated one at home for all the "official crap" whenever needed. That way I can also separate banking / paypal / etc. from my carry phone with all it's various apps that I trust to varying degrees.
This was the first thing that crossed my mind. If it’s not too much money and hassle I could buy a second device for GrapheneOS and tether to the cheapest phone I can get for the official ecosystem.
Really though, it doesn’t have enough impact for consumers. If I get unfairly banned as a developer, no one even notices because that’s nothing more than an opportunity for another developer to step in.
Those are the moments I am starting to fantasize about starting a customer protection group that is sufficiently committed to follow through on organizing boycotts. Naturally, reality hits once you see average human on the road ( on a highway, full speed ). We might be lost a species.
I wonder if you could keep your "snitch" android phone home by instrumentalizing it, enabling you to access it remotely on your main linux/degoogled android phone. It might not even be that outrageous of an idea since there are tons of botfarms that are essentially stacks and stacks of legit phones being remotely controlled... the tech might be there already, just need to adapt if for something good...
How likely is it for google to deny access to all or most of the apis that makes this possible? Then you need to point a camera to the screen, mike the speakers and so on...
Not for me at least, 3DS requires approval in an app on my phone. I'd love if the banks just used TOTP instead but no, I have to use their app, some of which don't work with an unlocked bootloader, so I have to have stock android
I just got a letter from my bank stating this. Website is going away, app only access. It's very disappointing, for security I never have any banking access on my mobile devices
I cannot resist the urge to point out that we wouldn't have had this problem if people actually sticked to free software instead of "commercial use friendly" open source licensing
Such a shame that the Free Software Foundation has been such an awful steward of the GPL. The fact that the GPLv3 didn't close the network hole is a decision made either out of myopia or abject cowardice, you shouldn't need a separate license (AGPLv3) to ensure true freedom of the codebase.
That's fair, but a more pervasive Free Software ecosystem might have possibly avoided this outcome entirely. And that failure is something we can lay directly at the feet of the FSF.
If RMS was going to piss off the entire industry with a new version of the GPL, the least he could do was close the network hole. What we got instead is a half measure that satisfies nobody.
More importantly, he completely missed the boat on App Stores. Why was there never any watered down version of copyleft that could be used as a wedge to try and pry open app stores over time? They did it for libraries with the LGPL, but apparently app stores werent worth specials casing.
In practice we see the reverse and GPL projects being rewritten as more permissive.
The busybox/toybox case looks especially relevant and interesting:
> In January 2012 the proposal of creating a BSD license alternative to the GPL licensed BusyBox project drew harsh criticism (…). Rob Landley, who had started the BusyBox-based lawsuits, responded that this was intentional, explaining that the lawsuits had not benefited the project but that they had led to corporate avoidance, expressing a desire to stop the lawsuits "in whatever way I see fit".
Free choice in the market is a lie anyhow. You are limited by what is actually been made available in the marketplace in sufficient quantity. "You can have any color you want, so long as it is black." - some old racist industrialist.
An interesting idea. But who would have to "stick" to such software? The users?
It seems to me that most of the users do not care much about what kind of software their phone runs, unfortunately. As long as it works with Instagram or whatever other big brand social media is trending these days, they are happy. Which is I think understandable.
The companies developing the apps are in my opinion driving this cultural shift. And they are doing it mostly because it brings them commercial advantages. Which is, I think, also understandable.
Everyone involved seems to to what appears to be in their best interest. And yet, collectively, we as a society get a worse outcome overall. This phenomenon perhaps has a name.
In order to break out of it, I think that the incentives on both sides need to be adjusted. It needs to be in the companies' interest to produce apps as open source. And the users need to want them.
The only way I can think of to achieve that kind of a change is when the open source apps and products become just inherently better than their proprietary alternatives. In all categories. Then, the people would want them. And then the companies will start to produce them.
It is a very tough goal. The commercial apps do not have to be better in all categories to retain their users. They can use vendor locks or other business strategies which restrict the users' ability to leave them.
Open source apps cannot do such things. The only fair ground on which they can compete is their quality.
So people from countries US has sanctioned can't even develop and use mobile apps anymore. This will change millions of innocent lives. So unfair and racist. The reason my people are in this mess in the first place is a US coup.
I don't blame Goggle. Apple escaped anti-trust by simply not allowing anyone except themselves to put software on iPhones. Seriously, Apple doesn't allow competitors so it can't be anti-competitive according to the case.
Totally brain damaged ruling, the judge must have been molested by an Android phone at some point, but here we are, and google is now moving closer to an Apple model.
A few years from now: After reviewing the usage of the approved sideloading feature, we discovered no more than 0.01% of users ever sideload an application. For security, sideloading is now disabled on all devices forever.
Time for a Steam Phone. Or FirefoxOS reloaded. The general purpose mobile computing market must be sizeable. I cannot believe everybody just puts up with these increasingly draconic restrictions.
I think a big problem is that the users have been trained to accept the status quo. I mean back in the Feature phone days we would share Java phone games at school via Bluetooth. I’d assume kids these days generally don’t anymore.
Also, due to the cost of physical media piracy was rampant even amongst boomers. People knew and had the option to buy a dvd player that could play video cd because that’s how movies were ripped.
Even during the early iPhones we were so stripped of even basic features that a jailbreak was 100% required if you wanted to even basic things like taking videos or changing the Home Screen background.
None of this is necessary anymore. The users gets the phone and it just works from their perspective at least.
So who is going to try to run a business off of nerds like us who want to have this sort of control over our devices (I’d call it freedom but the average user doesn’t feel unfree)?
> we would share Java phone games at school via Bluetooth. I’d assume kids these days generally don’t anymore.
I am both happy (from a user-friendliness point of view) and sad (from a "works offline" perspective) that F-Droid's share button now shares a link that will show them info about the app with an option to install the software, instead of the share button directly giving you an APK file with no way to link someone to the 'store' page. I'd personally still know how to send people APKs via hotspot or bluetooth (such as for peer-to-peer voice/message apps) but a lot of people won't
This move from sending each other software to sending each other links to centralized platforms has been long ongoing. Most messaging systems don't allow you to send executable (.exe, .apk, .sh, etc.) files anymore. And I believe that virtually all of them individually do it for your own good, but the combined result is a societal shift
You paid for the phone with the OS as a contributing factor (alongside the hardware) to the purchase no doubt, so the OS in itself must be compelling to you for some reason.
You didn't fund the development of the OS, contribute to it (presumably), you didn't market it or position it alongside your brand.
I'd agree with you if you said you have a right to run anything on the hardware under a different OS, but you have no god given right to run whatever you want on the OS.
Looking at what's been going on in the E.U. vs. the U.S., it seems pretty clear that one of the only things companies this big, with this much control over the markets fear is regulation.
Maybe people live in a country where adding new regulations is difficult at the moment. In that case, push at for it at the state or province level. Push for it wherever you can. Suddenly these companies have to figure out how to work around 50 different state level laws? Painful. Good. Make it hurt to be evil.
People need to come together and push for regulatory roadblocks to things like this at every level. I think that's part of how you keep control of your own property and stand up against it.
It's actually your telco's phone. They're the one that has the license to run the baseband computer and RF transceiver. The 'pad' computer device is sort of yours. But there's no legal way to have ownership of a cell phone unless you yourself bid for and get the RF spectrum and set up your network in a way that accomplishes the FCC coverage and timing requirements. Then run your own telco for your phone. Basically, impossible.
Smart phones try to limit and firewall the interface between the two but tight integration is required for energy efficiency. So a smart phone, or a cell phone, can never be yours. They aren't good choices for doing computing and this legal reality is becoming more and more obvious with time.
As a developer of android apps that get distributed outside of the Play store, a Google identity verification system sounds like a nightmare. What if I'm deemed to be politically incorrect? Will Google brand safety exclude me?
Yeah... They just want to ban NewPipe. It's sad to see Android getting locked down, also with the source closing of the development branches, etc. I can as well buy Apple then, it doesn't matter anymore.
So where do we complain? (Aside from shaming Google on social media or writing to politicians.)
If I look through Google's contact links, it's all oriented around getting help with a problem rather than letting them know I'm going to move to something else if they go through with this. (And yes, even if Apple has the same types of restrictions on app store, if a more open alternative OS didn't work out for me, I'd move to them to punish the one dropping freedom of use.)
I'm wondering the same thing in the US. Aside from writing Google and complaining, and purchasing a phone with a different OS (GrapheneOS or PureOS, for example), I'm not sure what else to do.
The issue with that 2nd solution is, "purchasing a phone with GrapheneOS" only registers from Google's perspective as "we just sold an additional Pixel, so we're doing good right now"
> The requirement will go into effect in September 2026 for users in Brazil, Indonesia, Singapore, and Thailand. Google notes how these countries have been “specifically impacted by these forms of fraudulent app scams.” Verification will then apply globally from 2027 onwards.
At least most of the world has until 2027 to install LineageOS or GrapheneOS.
Apps are increasingly failing to run on grapheneos because Google is pushing for the play integrity verification. More and more apps, some critical like banking apps, some not at all, require your device to be running an official rom signed by Google.
So I will go back to carry two devices, I guess. Like when I had a Jolla Phone and an Android phone. Or before that with a Palm PDA and a dumbphone. It is convenient to have everything combined in a single device, but guess that turned out to be just a temporary luxury.
Great for you. What about the normies ? You know the people that protest and make things change, how they are going to organize themselves when their government gets authoritarian and apple/google obeys to governments request to forbid some app. You know like what happened during Hong Kong protest with Apple App Store.
I’m not saying I have a solution but looking at yourself and pretending it’s all fine because you’re 10 times more tech savvy than the average citizen isn’t a viable answer. That kind of issue must be solved by regulation, hopefully Europe gets to bring back on earth whoever at Google agreed on that idea.
It's not "all fine", but realistically it's the best that you can hope to achieve.
The "normies" won't protest because it mostly doesn't affect them, at least not in any direct and obvious way that would trigger a pushback.
Regulation is unlikely to give you what you want. For one thing, regulators love centralization in general because it makes it much easier to regulate - when there are only a few large players, you can write the laws around them, effectively forcing them to be the enforcers. A large and diverse field where users can install whatever apps from wherever is much harder to regulate wrt things like banning porn or violent games or whatever it is that "normies" feel upset and demand that SOMEONE DO SOMETHING ABOUT IT!!!1! today.
This isn't to say that you shouldn't try to use political tools. Just be very clear that what you're trying to achieve is a minority take, and therefore you're unlikely to actually reach the goal in a democracy; at best, you will move the needle very slightly.
So, if you want to actually enjoy freedom in the meantime, learn how to be a criminal.
So I guess now is the time to decide whether Pixel is actually something I would want to purchase from Google ( and support the decision they just made with cash money ) or.. what exactly. I am not a Apple fan either.
I wasn't aware of obtainium. Thank you. I was thinking of something more like Google Chrome mobile edition but for APKs. So more focus around the search interface.
I knew this was coming thanks to the nincompoops bankers and IMDA together with horny uncles who fall for love/job scams here in Singapore. The reason I use android over iOS is that I can load apps for personal automation. I think the current scenario where bank apps refuse to run on phones with sideloaded apps is far more acceptable. Im not sure scammers will not find a way around this. I can still be able pin web apps.
FWIW I'd rather not use my phone for critical transactions its making authorities lazy. The number of times Ive had to fight thanks to "buggy" payment code that deducts money is not funny and banks are getting worse at customer support day by day.
Also what the fuck are the governments doing with tax payer money, instead of going after criminals, we go after citizens.
This is how macOS works, without a signature they will tell you they can't guarantee it doesn't have malware and you need to go to settings and choose to run anyway (and most people don't even know about it).
Microsoft would love to do that too, but it just has too much of legacy software to introduce such a major hurdle.
> This is how macOS works, without a signature they will tell you they can't guarantee it doesn't have malware
Even with a signature they can't guarantee it doesn't have malware. The fact that signed malware exists should be enough to put an end to the argument that it's for our own good.
If you had to give away your privacy to use one and could only use helmets authorized by your motorcycle dealer you might have a point. We accept impositions on our freedom all the time when what we get in return is worth the sacrifice. If signed binaries actually delivered on their promise of keeping people safe there'd be a discussion that could be had on whether or not it'd be worthwhile, but since they don't actually protect people we'd be giving up our privacy for nothing.
"the argument that it's for our own good." is their instance that we should accept this loss of our freedom to run the software we want because it protects us. It doesn't actually protect us though, so it isn't worth it and we shouldn't accept it.
My original statement had nothing to do with motorcycle helmets, but if using them required us to give up enough of our freedoms they could also become unacceptable for the level or protection they provide (or fail to provide) us.
The only silver lining I see is if it allows you to bypass this by enabling dev mode on your phone. If you can't sideload unverified apps even in dev mode, that would be insanely bad.
IF that is the case, I'm actually willing to be slightly inclined to see this as a positive? We should normalize installing apps outside of Google Play, but that means malware becomes a serious issue with people downloading and installing random APKs.
e.g., this may normalize people hosting downloadable APKs whilst also reducing malware risk for "normies", which idealistically could weaken the "monopoly" of Google Play on android.
It's starting to look like I may end up with two phones. One with Lineage and most of my apps, hopefully, and another one with Play Protect which hopefully will be just my bank app. Google has become way too powerful and is encroaching step by step on our freedom, it's terrible. Tt's been going on for a long time. It's the IT equivalant of authoritarianism!!
Yeah, I think I will do that strategy as well. I will probably put Graphene on my next phone, and if any apps don't work I will keep them on another phone.
Taking the article at face value, they'll have to register with google and have their apps be signed. Presumably this is subject to less review than the play store (eg. you don't have to justify your permissions list or whatever[1]), but there's no guarantees that developers will bother with the hassle. A lot of developers are willing to put some release up on github, but not dox themselves to google.
Time to move to a dumb phone, I guess. Android is slowly becoming worst of both worlds, none of the privacy features of iOS yet walls of the garden keeps getting higher.
If you maintain it as a hard fork, why not? New phones technical specifications improvements are diminishing last few years anyway. As long as it works, it can last for many years to come. The question is only in the project budget, I think.
This is crazy, this means 10 years from now only terrorists will distribute software. Unacceptable! How many platforms now allow one to build and distribute a binary?
Only Linux, BSD and other operating systems that are entirely Open Source.
Even Windows has scary warnings now that pop up unless you pay several hundred dollars a year plus you have to go through a completely unreasonable process (that often requires being shipped a physical USB device) just to sign your application.
If you think about it, the only thing that keeps this OS vendor in this duopolistic position is the fact that people rely on a certain proprietary apps. We need ways to do things like messaging and banking in a universal way, just like we can do with email, calls, texts and web. Banking and messaging should be fully universal so we don't rely on specific apps only available on specific app stores. That would take all power away from this satanic US companies!!!
Hmm this is weird. I've recently been considering switch back to Android because of how locked down ios is and it sounds like Google's now gonna do the same thing? Will there be a way to deactivate this?
This was probably the reason Nokia died. Symbian development, already cumbersome and app deployment required some such procedure. I remember there was an joint effort in a china based forum and many of us got a cert and a key for our phones. I was reading Nokia obituaries from its executives and the sorry state of Symbian development and app deployment was not considered as a cause. So here it, is young executives repeating a simplistic and destructive strategy. ibm, xerox, nokia and intel will be very proud.
One of the reasons I switched to Android was the freedom to make apks for my phone and not dealing with certificates, expiry dates, Google's approval, etc.
This is a depressing change if they follow through with this.
And "in the name of security" doesn't pass the smell test if there is no way to opt out.
Before quickly running to dismiss this move, please at least do your research with regards to the situation in the countries mentioned in the article, especially Singapore and Thailand.
Side-loaded malware has been an epidemic in SE Asia, and there are MILLIONS of dollars stolen (mostly from pensioners!) via side-loaded malware disguised as gambling apps - the local population is particularly suspectible to gambling, especially the older generations that are not so tech-savvy.
Private app companies should be and are doing more to protect against malware.
Banking apps in Malaysia are required to include malware detection software [0]. Companies should have better fraud and trust teams to identity and block fraud activities.
The rest of the world shouldn't suffer because a handful of banking companies refuse to offer basic fraud protections for their users.
The requirement per Google's post is rolling out globally though in a couple years. There was nothing stopping per country governments that this may disproportionately affect from requiring this for Play Protect/GMS certified Android devices sold in their region but enforcing it worldwide for such non-AOSP devices I don't find surprising to be controversial.
Brave of you to say this. Yeah, in my humble opinion, agree with you, android and ios devices target the mainstream users more than say a PC or Mac's, and should be more locked down. We can keep PC's and Mac's relative open (although they are getting more secure too, which might be good?), but for devices that truly target the masses, secure them as much as possible (why would typical users like my parent's need to install a remote access server on their phone?).
Yeah, my Dad got hacked only a month ago, through a tech-support phishing phone-call. He uses a windows PC which makes him vulnerable, and the scammers did install tons of evil crap. He really should be using an android or ios tablet, to reduce his chances of being hacked like this. I know these devices are still vulnerable, but they do seem more secure based on how much more locked down they are.
One thing that annoys me is that a lot of F-Droid apps are obviously naive ports with overbroad permissions like "can read the entirety of storage", but that's still better than the all-consuming Goo.
The are apk's floating around from the Ice Cream Sundae days where the developer went out of business and is no longer on Play Store and this is literally the only way to run the app.
I have a Concept2 rower with the old PM3 monitor which is no longer supported by their ErgData app and the only way to connect my phone to my rower is by sideloading the ancient version of the app that supports it. So that's going to break now?
Why even run Android at that point anymore? iOS devices get security updates for longer and have much less data collection than stock Android.
GrapheneOS won't survive the next generation of devices because bootloader unlocking will also go away (https://news.ycombinator.com/item?id=44765939), and without kernel security updates that OS can't continue.
Now there's also no more sideloading, so what purpose does Android even serve anymore?
>GrapheneOS won't survive the next generation of devices because bootloader unlocking will also go away (https://news.ycombinator.com/item?id=44765939), and without kernel security updates that OS can't continue.
The comment in the thread you linked directly contradicts the claim that "bootloader unlocking will also go away".
Exactly, the only reason to be a weirdo and have android in the first place was because there's so many good apps available outside the play store, if they lock it down just like Apple then what's the point?
Can you download, build, and install a basic Android system these days without touching a single piece of closed code? Absolutely. Will it be able to do much without closed binaries? No.
Android isn't GNU/Linux where there's a general ethos of making everything in userland FOSS if at all possible. Rather, it's a free OS that both Google and manufacturers can do anything they want with, including shove a ton of spy and bloatware on it, then make it to where you can't get rid of those things, at least not easily.
The optimism from 15 years ago surrounding FOSS in the mobile space is on its deathbed.
> iOS devices [..] have much less data collection than stock Android
iOS does a tremendous amount of data collection including for the usage of ads as per Apple's privacy policy. All the same types of data that stock Android collects, even.
You may believe Apple is a generally better steward of that data than Google, but using iOS does not reduce the amount of data being hoovered up in any meaningful capacity.
> Now there's also no more sideloading, so what purpose does Android even serve anymore?
I hate this change, but I still prefer Android. iOS is hardly perfect nor does it do everything better...
> Why even run Android at that point anymore? iOS devices get security updates for longer and have much less data collection than stock Android.
Because Google-free AOSP-derived Android distributions are far more versatile, offer far more freedom, impose far fewer restrictions and tend to end up being far less expensive than whatever the fruit factory decides their dedicants have to use today. If Google goes the way of the fruit folks and AOSP no longer offers these freedoms the next step is not to surrender to the Church of Apple but to find a way to evade those restrictions.
Well that sucks. So basically all the money weve had taken from us for our play store apps is now "just" going to be spent on administering the registration details of 800 million chinese developers and 6 billion bot accounts.
The desire for people to keep using their currently working devices just got much bigger, and yet another good reason to root.
The infamous Franklin quote always comes to mind when I see things like this happening. Choose freedom over security while you still can, or you'll soon not even have the freedom to choose.
It's also worth reading Stallman's "Right to Read" again, to see how scarily prescient he was.
Android is getting more closed and iOS more open, I expect more people dissatisfied from both camps. We’ll have less choice overall as they gravitate towards a common middle ground.
Never heard of DUNS. It seems to be a US company *Dun & Bradstreet) that provides business intelligence.
It seems kind of odd to me to rely on some kind of external hidden "credit agency"-style company for this? And why would DUNS want to know about some kid in their basement in Bangledesh making (non-malicious) apps, and why would the kid want Dun & Bradstreet to know about them? It makes no sense at all.
They're trying to control malware. Tying apps that may be malicious to an identity that takes some degree of cost and effort to establish seems sensible in that light.
It's not that the identity prevents malware/abuse, but publishing any malware to the store burns the identity and establishing another is harder than simply coming up with a new email address. It's not necessarily the best scheme out of there, but it makes sense given their apparent goal.
Yeah, basically this is the rise of computer-credit agencies.
Youc an see the zeitgeist forming around corporations wanting to lock out any small unlicensed company from working on phones.
The key is mostly fascism in the guise of "security". Witness stuff like the ICE tracker app. Google would love a way to freeze out both it's appearance on the app store and any developer who'd program similar.
FWIW I got a DUNS number through apple as a single developer for a corp. It was super easy. If you've already gone through the trouble of setting up a corp, getting the DUNS is trivial by comparison.
Yes. You gotta pay your 100 bucks, but I don't remember feeling like my privacy was being invaded when getting a developer account. I assume the best reason they have for this is that they can nuke the account, effectively killing the install base of an app is reported to be malicious. Unless someone tells me why I should, I don't have a huge issue with this.
For me the difference is that Android is an open-source operating system. It sold itself and differentiated itself to users, developers and phone manufacturers as an open ecosystem built on open-source foundations.
Over the years, it seems Google has been trying to have their cake and eat it too, by basically subsuming others to use Android through this appeal of a more free and open operating system ecosystem, but have tried to slowly close and close it down now that it has won the other half of the market on that promise.
This feels more sly, because it's kind of a bait and switch. Apple never made such claim and was always upfront, so while I don't like it, I never bought into it in the first place for them to have the rug pulled under me after giving them my money as Google might be doing.
Most Android apps are crapware anyways. The only respectful apps that I know are open-source, and are being kicked out the of play store progressively.
I saw this coming a mile away. Everyone said you could install whatever you wanted on Android, but you were always jumping through some crazy hoops to do so. (compared to a general propose computer)
These companies need to be destroyed by antitrust violations. I am so tired of these tech companies abusing their market position. I want the FTC to stop being toothless and useless and just absolutely crush these companies. The amount of disdain I have for these companies can't even be properly expressed.
These companies are in bed with the government, you're not going to be saved by any legislation. Many people on this site supported Google censoring the Covid anti-vax idiots, but it should have made it very clear that Google was working at the behest of the government. They're in bed together; the government gets to do an end-run around the constitution, and Google gets to rely on special government privileges and protection. Win-win.
These corpos are part of the government, more or less, and they simply implement the edict to get rid of privacy. Not only in America. Smartphones have become eyes of the govs, while the Internet - something akin to their neural system. What's more interesting is why the govs feel so paranoidal and insecure recently? What are they afraid of?
This would affect a lot apps that are not on the Play Store for multiple reasons... and if I'm going to be stuck with what Google thinks I should be allowed to use, then why not use iOS instead? At least software updates would be better and the overall experience more polished.
"A recent analysis by the company found that there are “over 50 times more malware from internet-sideloaded sources than on apps available through Google Play.”
Ok, but what's the real damage? In other words, how many installs and how much money siphoned from users and legit apps?
Apple and Google are now competing on being more closed, rather than on being more open. Perhaps because we gave Apple a free pass on curbing our freedoms, and even defended its actions as needed for 'security'
He was unable to suggest any pragmatic alternatives. He just said "I don't own a smartphone", ignoring the fact that many people become very disadvantaged without one.
The real heroes are the people that facilitate alternatives, not those who talk.
Stallman is probably in the top 10 of all time in terms of people who facilitated alternatives to this. He invented the GPL and wrote and maintained a ton of tools for people running alternative software stacks to use. What more would you ask for?
>I know quite some people who live this way, and are very willing to overcome inconvenient hurdles to avoid having to use such a spying device.
This is kind of a lazy approach, and it's a good thing Stallman did not have that attitude towards personal computers.
But it's a bummer that there's no real equivalent for mobile devices. I use an Android device and I already consider it to be more locked down than Windows. Generally more irritating than Windows as well (maybe not Windows 11)
I also use it as little as possible (unfortunately more and more things require it) and try to get the smallest functional (for me) Android devices.
There are alternatives, using them involves sacrifices though, and there the modem baseband isn't replaceable yet. Take a look at GrapheneOS, F-Droid, Replicant, Purism Librem, PinePhone, PostmarketOS, PureOS, Mobian etc.
Okay, let's say you just became an enlightened person who understands that the current state of things need to be fixed.
To actually free yourself requires both commitment on your end and work on other people's end, those people who help facilitate alternatives and guide others to having more freedom and privacy. We need more of that work.
The speakers of the world have their place, of course, but that's not the most important part of the solution.
> To actually free yourself requires both commitment on your end and work on other people's end, those people who help facilitate alternatives and guide others to having more freedom and privacy. We need more of that work.
Such people both lead by example, and try to inspire others towards following their example/lifestyle. The problem rather is that most people want a different lifestyle (in the particular example of privacy and freedom "one with less radical consequences", which I consider to be rather contradictory, but this discussion shall be off topic).
To give an analogue: many vegetarians both lead by example, and inspire others to become vegetarians. But many people nevertheless don't want to become vegetarians.
When I switched from Android to iOS, this was one of the things I missed a lot: the ability to write my own app and side load it on my phone. Even more so with the advent of LLM. Oh well, now I don't have to worry about that.
Governments are scurred the internet has made everyone realize their governments are crap, their history is gibberish, and it's all being used to screw the next generation. So 60+ year olds are falling back on old tropes
TikTok is "brain rot" even though the real economy runs on physical statistics, the semantics have to be recognizable to the elders, or it's not democratic so they will force the semantics to be regurgitated as-if they are religious catechism.
The Internet is the most powerful propaganda distributing system that humanity has ever come up with. Autocracies love the Internet, or at least the ones that see the writing on the wall. We have the sum total knowledge of the entire human race within a few clicks and we mostly use it to find videos to be mad at. We are our own jailors.
It's easy. For the average user, device integrity is more valuable (by a lot) than side loading.
People that think this is unacceptable are not remotely average users. Average users benefit greatly from their pocket appliance not being a full fledged computer.
Ultimate control over devices you own should be a basic right. Apple's wanton abuse of users and developers via the control they have over their platform, and Google's nipping at their heels, should be evidence enough of that.
Fundamentally, it is a trust issue. Why should I be forced to trust Google or Apple has my best interests in mind (they don't)? That is not ensuring 'device integrity', it's ensuring that I am at the whims of a corporation which doesn't care about me and will leverage what it can to extract as much blood as it can from me. You can ensure 'device integrity' without putting any permanent trust in Google or Apple.
That was intended to be a generic 'device manufacturer', not calling out Google and Apple specifically. It's my device. I should control it, full stop. It should simply not be legal for a device manufacturer to lock me out of a device I own, post sale. In the past it wasn't _possible_, so we didn't need to worry about it. But now the tech is at the point where manufacturers can create digital locks which simply cannot be broken, and give them full control of devices they sell (ie. which they no longer own), which are being used in anti-consumer ways.
Considering market forces are against it, I believe the only practical way to accomplish this in the long term is for this to be a right that is enforced by legislation. I don't think it is even far from precedent surrounding first sale doctrine and things like Magnuson-Moss, that the user should be the ultimate one in control post-purchase, it just takes a different shape when we're talking about computing technology.
You are forced to trust Google or Apple if you want a smartphone. They own the whole market, it's a duopoly. You already have no power to install an OS without such limitations on most smartphones.
Limitations because it's not just protection - you don't get to choose which authorities you trust. Defaulting to manufacturer/OS vendor as the default authority would be ok, but there is no option to choose. Users have no power over their own device. That's not ok even if most choose to never execute it or don't know about it, it will lead to abuse of power.
Modern life without either of these OS (or like a phone number) is pretty difficult, i.e. you can't charge your car or access e-government without an app.
why do you think you have any say over others' rights? using that same logic, you know what? i think you're going to steal my phone. so do you mind if i sacrifice your rights and install a camera right in your room? wouldn't want you to plot the theft of my phone now would i
Id argue that the average user is not a good barometer. They are okay with slowly being boiled alive. See windows 11 as a good example.
What's being sacrificed in the name of security is not worth it imo.
Enabling side loading on android is not a standard setting you can flick on. Is there any data on the number of devices who have this enabled and are falling for hacked apps?
I might partially agree, but the market already has a fantastic, secure option for those users: Apple.
Android's value was always in being the open(ish) alternative. When we lose that choice and the whole world adopts one philosophy, the ecosystem becomes brittle.
We saw this with the Bell monopoly, which held up telephone innovation for three quarters of a century.
In the short term, some users are safer. In the medium term, all users suffer from the lack of competition and innovation that a duopoly of walled gardens will create.
They're happy in their walled garden, until they don't and discover there is a wall they now can't overcome and learn whose hardware it really is
I do think it is in everyone's interest to be able to run software of your choosing on hardware you bought to own. The manufacturer needn't make it easy (my microwave sure didn't expect to install extra software packages; I don't expect them to open up an interface for this) but they also don't need to actively block the device owner from doing it
Bro, you forbade exactly the reason this is good for average users. Average users get emails that say:
> you have been infected by 3 viruses, click here in the next 5 minutes or the damage will be permanent
And they believe it. Giving them the power to run any software they want, also means giving everyone else the power to make them run any software they can be tricked into installing.
I'm deeply concerned about how this will impact users like us, especially since we're such a small minority that our desires could easily be trampled by the masses, but this is a clear win for the average user.
(And don't make the perfectionist fallacy w.r.t. Google not successfully preventing 100% of malware)
Damn we should just give up on this whole computer thing outright then, seems pretty dangerous. There are plenty of other things we could strip away that would make people much safer than just installing software, that's thinking small!
Stripping away computers entirely would have significant negative impacts. For the *average user*, preventing them from side-loading unsigned apps will have no negative impact.
For now, maybe. Like all discussions on freedoms and rights it's usually not about the day to day impact or the average person, if we optimized for the average person, we'd be in a sorry state.
Two reasons: they are not educated about devices they use, desktop operating systems are still awful at security (exe from a mail attachment can have a pdf looking thumbnail, executed with two clicks, even if accidental, immediately gets access to all user files... the whole concept of antivirus software...). It has nothing to do with side loading, especially on Android, where sideloading is a very explicit action already, and then you need to allow the application to do harm.
> Giving them the power to run any software they want, also means giving everyone else the power to make them run any software they can be tricked into installing.
You are taking away people's agency. Either you get to control your bank account risking that you get scammed, or someone will control it for you.
> very explicit action already, and then you need to allow the application to do harm.
So the email they get which tells them about the 3 viruses also contains a phone number where a "nice tech support person" will walk them through the steps of side-loading the "anti-virus app". You'd be surprised at what warnings/permission boxes people will blindly accept when they think they're talking to someone from Microsoft or Google's tech support.
> You are taking away people's agency.
Agency they don't want and never use. It's taking away agency from people like us but for the average user, Google is taking away nothing they've ever cared about.
> Either you get to control your bank account risking that you get scammed, or someone will control it for you.
I was just saying a couple of days ago that we need a service for old people where any transaction above a certain configurable threshold (for example, $500 in a day) has to be approved by an employee of this service who serves as a neutral 3rd party whose sole function is to try to prevent scams. That way the old folks would still have their agency so they can go out and buy all the hot-rods and transistor radios they want but if they're about to wire money to "Microsoft" then the anti-scam-company would step in and prevent that transaction (or at least require the old person have a discussion about why its an obvious scam first before eventually allowing the transaction through depending on the client).
Whether this change actually takes control away from us remains to be seen. For example, I don't see anything in the article that suggests we wouldn't be able to install a custom ROM with the signature check removed. Personally, I already run GrapheneOS so I expect I actually won't be impacted by this at all.
Agreed. Most people don't care that they can't run "unauthorized app XYZ", as long as their bank account / vacation pics / texts don't leak.
Now, that may happen anyway, but they'll give up a TON to avoid that.
Me, I try to avoid using my phone for anything important, use a VPN under Linux at home whenever possible, ad blockers, privacy guard, etc, etc. I can't expect my non-technical family members to do that.
Bad car analogy coming up: MOST drivers benefit more from ABS than the few really, really good race car drivers who can do threshold braking and outbrake ABS - and even then, I doubt it's true for anything but the earliest ABS systems. I'll bet the newest ABS systems are better than almost any human - because they don't have an off day, don't get distracted, etc.
And I get the anger - I'm an old school Atari 800xl / ST / DOS / Linux user who tries to ditch Windows where possible. Restricting things seems heavy-handed - and I don't trust Google in the least. But I would NEVER tell anyone in my family to sideload an app, even though they're all Android users - I don't want that support burden.
And people who are financially interested in letting users side-load apps (malicious or otherwise) are good at what they do. I mean, even Russian banks that are banned from the Apple App Store are still finding ways to distribute iPhone apps.
> Average users benefit greatly from their pocket appliance not being a full fledged computer.
Why, though?
There's certainly no technical reason that a pocket appliance can't be a full fledged computer. The primary reason it isn't is because device manufacturers benefit greatly from having a tight control over their products. This is not unique to mobile devices; we see the same trend of desktop operating systems becoming increasingly user hostile as well.
The claim that these features are in the best interest of users is an inane excuse. Operating systems can certainly give users the freedom to use their devices to their full capabilities, without sacrificing their security or privacy. There are many ways that Google could implement this that doesn't involve being the global authority over which apps users are allowed to install. But, of course, they are in the advertising business, where all data that can be collected, must be collected.
Don't pretend that average users are asked, or that their opinions would matter. Or even that you have some sort of insight into the average user that other people don't have.
People who think this is unacceptable are the people who 1) understand what it is, 2) don't stand to profit from it, and 3) don't dream about locking average users into an ecosystem that they control some day.
I rely on an open source app called xDrip to manage my diabetes. It's way way way better than any of the official apps. It's not distributed on the app stores for obvious reasons. Many others rely on this app as well. Are we cooked?
It seems that it was only about time… it just feels like the pace of enshittification with big tech being able to get away with anything is crazy!
I’m hoping that projects like Precursor can take off because we’ve buried ourselves in such mountain of complexity that seems like only a billion/trillion dollar big tech company can make an OS.
But then again, some body called BS on browsers and we might have a good option soon in Ladybug!
"Google to prevent users from installing programs on Android phones."
This might do more good than harm, since I'm willing to believe that scams involving APKs are prevalent, but come on. I need your permission to install software on my phone? Are you sure it isn't just that you want more control over everyone's phones?
Everybody complaining of this is admitting they are doing nefarious actions. Those of us playing by the rules see no issue with this - In fact I welcome it!
China will push own Android OS forks into other markets even harder, if they do it fully open-source then bonus for them, users will force devs (banking apps etc) to get more support. A good example is one EU bank which publishes to Huawei's AppGallery to support non-Google certified Android phones.
making an ADB-based debloater and browser shims to use stuff like bank apps, then sharing that with others. Then again, like cutting wires, it doesn't address the root cause.
> Starting next year, Google will begin to verify the identities of developers distributing their apps on Android devices, not just those who distribute via the Play Store.
Odd little phrase, "distributing their apps on Android devices".
I think "distributing" in this context is in the sense of product distribution, not in the sense of distributed systems.
But "distributing...on" sounds a little odd, like Google is still providing a distribution service. (Contrary to all the precedent of how we've thought of installing software, other than the proprietary, captive-user app stores.)
And so, maybe "distributing...on" makes it sound more like Google is (once again) entitled to gatekeep what you can run on your device/computer.
> However, developers who appreciated the anonymity of alternative distribution methods will no longer have that option. Google says this will help to cut down on bad actors who hide their identity to distribute malware, commit financial fraud, or steal users’ personal data.
Maybe it's not "developers who appreciated the anonymity" (which we immediately try to conflate with bad actors), but that the whole point lately has been to stop the greedy proprietary lock-in app store monopolies, and not have them gatekeeping what everyone else can do.
"Distribute on" sounds odd because it's incorrect. APKs are not distributed by putting them on phones and carrying the phones from one place to another. "Distribute to" would be more correct; better yet, "develop for".
Sorry, folks, the good times are over. The future of computing is a signed, attested chain of trust from boot firmware through application code, on all platforms people are likely to use -- and remote attestation with user identification if you wish to connect to the network. End users love it because it prevents or reduces all sorts of malicious activity, from bank fraud down to online game cheating, with little to no effort on their part; platform vendors love it because it provides a moat; service providers (banks and such) love it for the assurance that their clients are uncompromised; and governments love it because it lets them surveil users and developers.
The only ones who hate it are devs. And who really cares about a bunch of nerds?
Remember, general purpose computing really boils down in security terms to "arbitrary code execution" -- a bad thing in the infosec field.
If this goes through, would it be possible to see a consumer class-action lawsuit? I imagine there is a class of people for whom the sideloading of apps is necessary and removing it renders their phone almost useless. I'd also guess that this market is much larger than Google imagines.
Personally, if I'm not allowed to run the software that I want on my phone, it almost makes more sense for me to get some old flip phone or one of those chinese blackberry knockoffs c.a. 2012. Not out of any principled stance, mind you, it's just that's the level of functionality you'd be reducing me to. Why should I pay $500 when I can find something that gives me the same features on a literal junk pile?
This will be just another boost for de-googled phones, alternative platforms and potentially Mobile Linux.
The only reason why google phones became so popular was the fact that they were much less restrictive than iPhones. Thus the platform became the biggest phone platform in the world.
Now they are asking for a new start to arise and take their place.
> Google is explicit today about how “developers will have the same freedom to distribute their apps directly to users through sideloading or to use any app store they prefer.”
« Développer will have freedom » yet they are entitled to Google’s verification.
It’s just another stone in the grave of Android and even though I shipped off this sinking ship 6 years ago to iOS, this is still concerning because ultimately apple’s IOS is in competition solely with Android.
If Android gets so bad it has all the disadvantage of iOS, some more, for instance with the embedded spyware that manufacturer are paid to include, and none of the good side of iOS, then everyone lose. Apple doesn’t have to compete anymore, they just have to not suck.
Without an apple ID you can compile an iOS app, but can only run it in an iPhone Simulator on a Mac.
With a free apple ID (no additional registration needed) you can also install your compiled iOS app on your iPhone and have it working for 7 days before you need to re-install it.
Is it really different from what Google is doing ? Not being to compile or user not being to install have the very same consequence : your app can’t be used.
It is. Notarization like Apple does is also legal. In fact the EU commission would welcome this with open arms since they can now access the personal data of every developer and can order Google to ban every app they want. This goes hand-in-hand with their new "Digital wallet" app that will be launched next year.
This is another "beginning of the end." All eyes are on this situation and how much push back it gets. If there is little resistance, others will certainly follow suit.
This phase from the last couple of years just had to come - and while it's painful to be exposed to it - it seems highly illogical for us to complain and cry about it.
- "Free" search - yay, let's all use it for everything and even make a verb out of it
- Email - such nice guys, Google - free email forever, what could go wrong if I have my 95% of all my info there
- Maps - yeah, let's all depend on these free Google maps with our lives
- Chrome - ofc, heck yes, let's all use their browser, it's the best and free - no need for anything else
- Google account login for EVERYTHING - so convenient! Google Authenticator app, Google Wallet - yes, more!
- Free mobile operating system - nice, take that, Apple!
Google has taken over a large portion of our lives, step by step - good enough services, on global scale, for free, until they became essential.
They are not evil, like they were never good - they are a company, and in the current socio-economic structure, that means having a duty to use their position to enrich their shareholders - and absolutely have no interest in people's wellbeing or morality or opinions or reputation - unless it temporarily serves to do so more / better.
I'm in no way trying to defend them. Just, with all the futility of it, pointing out how hyper-capitalism we've built/allowed to grow, has reached the stage where it's practically impossible for the "free market" to react / provide solutions that people want. Now the big players decide what people get.
In this case, you can no longer have a high quality phone of a good manufacturer and install on it what you want. Small manufacturer catering to that demographic won't get government certification, you can't have your e.g. Samsung and install a ROM anymore, and you can't install your app freely on Android unless Google lets you. That's all just in a tiny sliver of space.
Our Tetris board barely has any room left for choice and actions.
This has the potential to be disastrous for Google, but maybe not.
Personally: I don't use Apple because I like being able to whip together little apps to side-load without having to check in with a walled-garden mothership. If Google is going to move closer to Apple in that regard... Apple's UX ecosystem is better, so I have far fewer reason to keep using Android.
I suspect this won't be disastrous for Google, because where will people care about this go? Apple, who is even more restrictive? This is just another in a long series of incidents showing why we desperately need a real alternative to the mobile duopoly. I would ditch Android over this, but there's no realistic alternative available to me.
I think the only thing hat can save us is a jailbreak. Either for iOS or Android to let you sideload apps.
Alternatively, and that’s almost bullshit, the dumb phone trend continues and we might get devices like PDAs. Get a dumb phone and a small camera and then your PDA for everything that is essentially an app. Not sure what OS they’d run but I don’t see another way.
Android also allows apps that can run arbitrary code, like emulators and various other runtimes. I think iOS still doesn't? I have not written an Android app in ages, other than at work, but I often write silly little things running in the Löve 2D Loader, or TIC-80, or DOSBox, or just command-line tools running in Termux (I hear there is an X-server as well to run GUI applications from Termux?).
As long as they still allow running stuff inside of apps like that I will probably not abandon ship yet.
They recently allowed emulators, like RetroArch, to be on the app store. They still require the emulators to be written in Swift AFAIK. Still quite a bit more restrictive than Android, but they have slowly been opening up.
Dick move. Go back to "do no evil" big G. Remember how you used to be the kool kid on the block? Now you've just become the grown up you showed contempt for in your prime time.
I doubt I'll move away from Android too soon, but that definitely makes me reconsider whether any Google services have a right to CPU time on my device.
Could someone explain why the personal privacy of software developers is more important than the cybersecurity of consumers and nations please and thank you
I don't understand, when the EU announced that Apples "actually we need to sign all of these and pay us" requirement is illegal, Google was like "hold my beer"?
This combined with the 'age verification' coming to all Google properties means it is a very small step from that new world to full Google verification of everything you visit and everything on your device, at any time, for any reason with the penalty being incontestable ban from your device, apps and data.
Get ready for facebook style 'we are interrupting you for a video selfie because we have detected you are a threat' across all google properties (Android, Chrome, Gmail, Maps...).
Google is really turning into a dystopian company, destroying any goodwill their virtuous employees created in the past. It feels like they are primed to be the main turnkey tyranny facilitators.
has anyone had to help any elderly relative with the million scams they've downloaded from google's app store? google does not give a shit about helping regular people avoid scams, it's all just bullshit.
not even to mention the h1b indian kickback stuff that's about to hit them. couldn't happen to a nicer company.
Helping elderly with scams: Yes, today, with Google Chrome. They got tricked into allowing desktop notifications and they look super legit on Microsoft Windows, styled like antivirus notifications and everything, covering the browser UI to get to the settings. I don't see how using closed software helps here
That might be one of the reasons. Get rid of competition by legal means.
In my case I keep a copy of K9 Mail 5.6 with the original UI (the reason I choose K9) and I sideload it to every device of mine. I'm afraid that I'll have to register an account and what, claim that that K9 is mine?
TL;DR
If you're not using Linux by now, do yourself a favor and start. You could do worse than starting with Linux Mint or PopOS, but whatever you do, get ahead of the curve and transition to these user-friendly open sourced OSes. The alternative is far, far worse at the moment.
aren't there braille terminals that work with linux? I don't know how you would make a rigorous blind UX other than working with a text interface first.
Anyone even remotely privacy or security conscious needs to vote with their wallet in protest and stop buying Android phones, otherwise it's only a matter of time 'til Google bans side-loading and it becomes impossible to buy a phone that can run any kind of anonymous or end-to-end encrypted communication software.
Stop buying Android and what? Buy an iPhone that's even more locked down or live like an outcast that can't access essential services? Because those are the realistic options.
For years I've been buying middle-of-the-road Android phones because they provide pretty good bang for the buck, but if I can't use a computer I paid for however the fuck I want, I'm just going to start getting the cheapest crap I can get away with and use it as little as possible. "Vote with your wallet" doesn't have to mean total abstinence.
I think getting a flagship device that's a few years old probably makes for a better experience. I check the LineageOS supported devices list, then search eBay for something from there.
Flip phones can access essential services just fine, if some business or government office is only allowing something to be done via smartphone app, that’s a problem.
Do you not have to use a 2FA app for things like banking? In Singapore, they are phasing out 2FA options other than the banking app. The banking apps only work on iPhones and Google-approved Android phones. It's pretty bad.
in all things. I would encourage you and everyone who reads this post to stare down this option with realistic consideration. In a society this broken, it is the solution to more and more things. To checkout, to accept the hard mode because to pick the path of convenience is to be exploited.
I respect at least your choice but I'm not growing tofu on the farm. Veganism is one of those protests that while i appreciate going after factory farms, you're only enabled to do so by large corporations.
In your country, maybe. Over here you're dead in the water without a smartphone — can't access banking except by going to the branch and standing in the queue for an hour or two, can't access most government services. Limit your selection of goods (like electronics, but not only that) by something like 90% (and also increase prices by 30-50%) because brick and mortar shops sell old crap at much higher cost than it was ever worth, and the only real solution is buying from a major marketplace which is only available as a mobile application.
This concept originated in China and is spreading. Beware.
@achrono (I cannot reply to the other post, I don't know why). Yes, you can use just a web browser.
> Mobile Payments
They work with a card, no smartphone required. Moreover, cash didn't cease to exist.
> Navigation
Again, physical maps are a thing. Google Maps or OpenStreetMap are accessible by browser. Having a physical map and having to follow road signs can be a beautiful experience. If one is addicted to a machine that tells them where to go, navigators are still a thing (no smartphone required)
>All manner of IoT devices
Don't put an IoT device in your house if you don't know what it does and how it works. If the only way to interface to it is via an app... then you don't know what it does and how it works. Don't put it in your house.
>Wearables
I don't even know what are wearables: if I write it on Firefox it underlines it in red. By doing a quick search, I can see images of watches. Watches can work without an app. Moreover, watches that work without an app are usually less expensive than the other kind.
>Digital versions of ID (Mobile Passport Control)
Don't. I know that some governments are pushing this crap thinking it's the future. Simply don't. Imagine you're at the airport and you accidentally drop your passport. You pick it up, nothing lost. Imagine you drop your phone and it stops working. You lost:
- Your documents
- Your money (if you rely on your phone for paying and don't have cash with you, which seems a growing trend among people I know)
- All your ways to contact people for help
Instead:
- Your wallet is stolen: you lost all your money and your cards, but you have your documents (at least the passport because it surely does not fit a wallet).
- Your phone is stolen: you lost all the ways to contact people, but you can buy another one
- Your passport is stolen: you can contact your embassy.
Smartphones are becoming a SPOF (Single Point Of Failure) for our lives.
Are you for real? I'm totally on board with using free and open alternatives, but if you're not going on a mountain trail then a physical map is going to be drastically worse than any navigation software.
Also FWIW I have a card-sized passport that I can easily get stolen with my wallet.
But, and I hesitate to point it out, because I am finding that people think it is somehow minimal entry stakes, one does not need any of those things..
You wouldn't get very far without WeChat and AliPay in China. Last time a good friend of mine was there, many merchants simply refused to accept cash. The few that did had made it known how much they were inconvenienced by doing that.
Same for basically every interaction with locals, for accessing government services, or even just using the public transportation.
It's pretty similar for locals AFAIK.
And before anyone replies that he didn't have to travel there — no, he did, unless he was willing to look for another job (which are very sparse here, you hold on to a good job for dear life).
He's talking about concert tickets and similar entertainment events, where several of the major providers no longer provide PDF tickets and instead only send them to a phone app. It is possible to make enough of a stink and collect tickets on the day, but that option is increasingly difficult to find.
Buy Apple; the point is to hurt Google. If enough people do it, Google might reconsider. Show them that the open ecosystem is the only value Android added, and if they refuse to bring back the open ecosystem then their platform will slowly die. Won't be long until Google's as locked-down as Apple at this rate, so all Android gives you is a power-hungry OS that protect your privacy even less than iOS does.
Buying closed stuff to show we want an open ecosystem?
At this point, I believe the most effective ways one can help with this is:
(1) advocacy - it's slow and difficult, but having people at least agree / be familiar with the idea that closed stuff is bad is a good first step.
Open ecosystems can't work for the general public if it's trapped in closed networks that won't work on anything else than the two big mobile operating systems, so making people start using open chat apps and such will help a lot. It'll take years, but so be it. It's worth it I think.
(2) helping improve the more open stuff.
I think Linux mobile for instance is a potentially viable alternative in the medium term for at least the basic use cases: Calls, SMS, GPS / Maps, Signal, photos. All this has no reason not to work with some polish. I daily drove Linux mobile 4 years ago for a year. The main thing I'm missing is good hardware for it, and a lot of polish but nothing impossible. Yeah, indeed, no payment with the phone (Google Pay / Apple Pay). But it's still possible to use the physical cards and not use the phone for this.
You've got to be kidding. Doesn't work, Apple is even more locked down than what this article announces. No sideloading whatsoever, signature checks ala Play Protect are mandatory and cannot be switched off, no alternative app stores, etc.
Not sure why this is downvoted. The entire value proposition of Android is the semi-open OS. For things you can’t do with Apple devices, you use the myriad of Android devices out there.
Yet most of the world runs Android. Its main value proposition was always wide selection of hardware for however much money you're willing to spend, not its relative openness.
I make relatively decent money by our standards, and I wouldn't even think about dropping $700-1000 on a phone (which isn't even officially sold or supported over here). For the vast majority of people it's their whole income over 2-4 months. I don't know or care how much you make, let's say it's $10k per month. Imagine if you had to pay $20-40k for a phone which is good for maybe 5-8 years.
I'm curious if GrapheneOS or other custom Android builds would be able to avoid these restrictions reasonably.
Obviously this is going to impact the supply of apps, since the market share of custom Android is smaller than even the market share of people willing to sideload or use an alternative store on a mainstream Android phone. Many developers might quit the game.
The problem with custom ROMs is that many government, banking, and similar apps don't run on them without workarounds. Some of those apps also consider this as a TOS violation as well.
When Microsoft first proposed a remote attestation scheme for PCs under the name Palladium, it was widely seen as a nightmare scenario. Even the mainstream press was critical[0]. There was barely a whimper when Google introduced Safetynet a decade later.
It wasn't OK in 2003. It wasn't OK in 2014. It isn't OK now. I'm just not sure what anybody can do about it.
What changed is that the vast majority of users in 2025 are retarded normies that have never even considered trying to understand how their pocket computers work. And now that they are the majority, the voice of people that have even a remote understanding of how any of this works get drowned in the noise of social media divisiveness. Divide and Conquer. Oldest play in the book.
There are many third-party money apps that login to your online banking that are a violation of ToS. That doesn't stop people using them. In fact, when they get really big, they can be legitimised by banks. For example, to get my mortgage, I had to use a third party service that logs in to my online banking account and ingests all my transactions to show that I saved for my deposit legitimately.
Then I won't run those apps. Seriously. I know not everyone has this option, but it's been my experience that a lot of processes do in fact have workarounds when you show them the cryptic error their poorly behaved app throws.
I don’t use any utility apps (identity, banking, services etc) on my phone and stick to the desktop web. And don’t use services that do require me to have a Google or apple account and phone. (Spoiler: I do)
I hope my tiny datapoint shows up in some aggregated stats somewhere.
GrapheneOS is a beautiful stop-gap, but there are real bona-fide Linux smartphones out there. To be clear, there are not many, the hardware often isn't great, the software often isn't great. PinePhone and Librem come to mind.
Cell carriers will just start requiring the attestation as well. And eventually, even an internet connection will - wifi routers will have to attest to ISP equipment, etc.
The final phase is "AI" monitoring everything you do on your devices. Eventually it won't just be passive, either, but likely active: able to change books you read and audio you listen to on-the-fly without your consent. It will be argued that this ok because the program is "objective".
At this point, I would stop using commercial cell carriers and ISP-provided equipment altogether, even if that means setting up mesh networks with an underground community. User control or bust.
I've been keeping an eye on FuriLabs (Furiphone). They maintain FuriOS - Debian with an Android kernel. Has a container for running Android apps. Price is reasonable though I don't know how it'll be affected by tariffs in the US. It's tempting.
Pretty sure Bunnie named it “precursor” because the plan is to make the actual phone (with a cellular modem) next. If I had the cash to support him and buy a Precursor I would.
Android is decades ahead of that in security, functionality, utility, devex, and design. It's a fools errand to try and modernize that, over building on top of AOSP.
The alternative is just Apple; if Google loses enough users they might reconsider. Essentially the only real advantage Android had over Apple was being a more free platform/ecosystem; if they're going to do away with that, then they should be shown that this means they'll lose a lot of users.
Banking apps, messaging apps, streaming apps, even video games all want locked down devices. They will use hardware cryptography to discriminate against us and refuse service if they can't cryprographically prove we're using a corporate owned device.
Naughty user. Looks like you've been tampering with your device, installing unauthorized software and whatnot. Only money laundering drug trafficking child molesting terrorists do that. I'm gonna have to deny your request to log you into your bank account.
Every day we stray farther from the premise that we should be allowed to install / modify software on the computers we own.
Will once again re-up the concept of a “right to root access”, to prevent big corps from pulling this bs over and over again: https://medhir.com/blog/right-to-root-access
The question really isn't whether we should be able to modify computers we own, its whether we own them at all.
The question of how private property, intellectual property and posession/ownership should work is indeed something humanity hasn't properly figured out yet.
But if anything, regular people should have more of the cake.
We have! The only problem is a very limited amount of legal decisions accidentally paved the way for a massive dystopia. In particular, the first sale doctrine [1] solves everything immediately.
The courts assumed good faith with a licensing exception, and maybe it was. But that opened the door to essentially completely dismantle the first-sale doctrine. Get rid of that loophole and all this stupidity ends, immediately. Well that and the DMCA. Once you buy something, it's yours to do whatever you want to do with it short of replicating it for commercial benefit.
[1] - https://en.wikipedia.org/wiki/First-sale_doctrine
Throwing your hat in the political ring?
regardless of what the corporations say we do own the devices we purchase.
Not always. There have been car manufacturers that sold vehicles with features only enabled by a subscription. You may buy a car with heated seats, but the heated seats only work if the manufacturer enables them.
And there should be no law against enabling the heated seats in the car you own without interacting with the manufacturer.
Too bad there is one.
https://en.wikipedia.org/wiki/Digital_Millennium_Copyright_A...
Laws can be interpreted in such a way that invites robber barons to pound sand, or repealed.
The contention point will be whether you purchased the device or not.
Root access on your phone isn't enough: there's layers below root.
I accidentally read this as "there's lawyers below root" and I'm not sure I'm wrong.
No matter what runlevel you’re on, judges are lower still.
https://en.wikipedia.org/wiki/Runlevel
It's amazing how often we hamper the majority of society by protecting the bottom quintile from the consequences of their own mistakes.
That's not what it's ever actually about. You're buying a disingenuous framing that pins blame on the bottom when all these harmful trends come from the top. This isn't to protect grandma, it's to protect Google. This is always what happens when you allow pockets of power with interests misaligned from those of most people. The pockets of power get their way, and people are worse off.
> You're buying a disingenuous framing
Of course it's a disingenuous framing. A certain kind of person is both attracted to power and deathly afraid of people voicing unapproved opinions "outside their kitchens".
That said, such things need a semblance of legitimacy to work. It'd be much harder to crack down on general purpose computing under the guise of safety if we had cultural antibodies agains safetyism in general.
s/the bottom quintile from the consequences of their own mistakes/the top centile from antitrust law/g
Everyone makes mistakes
Protecting the bottom quintile from consequences of thier mistakes also protects everyone else if they ever make those mistakes in a momentary lapse
Maybe society shouldn't be structured in such a way that people have to be constantly hyper vigilant to avoid mistakes with high consequences
It's just not possible to prevent mistakes while letting people color outside the lines. Most brilliant ideas look like stupidity at first. I want to live in a world that biases towards discovery over safety.
> Every day we stray farther from the premise that we should be allowed to install / modify software on the computers we own.
I’ve never agreed with this premise.
I buy things that mostly meet my needs and desires in every other walk of life. I’m personally OK with extending this to computers as well.
That doesn't make sense. How do meet your own needs and desires if you can't use your own property the way you want?
And isn't the point in this very situation that people simply can't buy what they want because Google and Apple are a duopoly and now Google is going to follow the path of restricting what you can do with your own property?
If I were in the 0.01%, savings wouldn't be a thing. I wouldn't even need a home. Just go around staying wherever I like for as long as I like doing whatever I want. I wouldn't really care about what google or apple does with their devices, who attacked or defeated whom and all that bs because I wouldn't be in survival mode.
At least this is probably how people in charge of enshittification think like.
Ok I'll bite. Tell me what you find appealing about losing authority? Is this some kind of emotional response for not wanting to take responsibility?
Are you intentionally defending a rent-economy or just ignorantly?
If this is a thing then the solution they offer is incorrect. A big giant red screen: “warning the identity of this application developer has not been verified and this could be an application stealing your data, etc” would have worked.
What they want is to get rid of apps like YouTube Vanced that are making them lose money (and other Play Store apps)
It felt weird that the official press release was quoting entities from these countries, as if it should give confidence to the rest of the world. I can't imagine what these countries would want with apps that can be traced back to a government id...
Vanced and such is more of a First World/Western issue. I don't think you're wrong but I got a strong gut feeling there's other pressures in the works. Just something doesn't smell right...
In addition to the other perspectives already offered here, warning screens such as the one you propose were already shown for sideloaded apps, and these screens worked against Google in their lawsuit with Epic Games. So that's another contributing factor for the policy we're discussing.
That was never the real reason. Security and "think of the children" to take away rights are the two oldest plays in the playbook.
It won't work because of too many false positives. People are already trained to ignore warnings, like how they blindly accept T&C without reading.
This is something laughable that Apple does. Anytime you install something from Github it'll make you click a few extra boxes. And their tightening down of things also ends up making people look for third party software in the first place. All this really does is, like you said, teach people to ignore warnings.
Is it possible to install stuff from GitHub on iOS? I thought it was completely impossible on apple devices.
The way we allow paternalistic tech companies to train the consumer to abdicate personal responsibility is going to bite us in the ass sooner or later. I'm betting on sooner.
I've often lamented at work that we lose freedom at the guise of "security".
Security and Intellectual Property (IP) protection could both be true. Google has a big enough reason to make it happen now.
In a perverse way it's not that protecting Google's IP is making us safer. Yet it, strangely is.
Do you like losing money?
> Do you like losing money?
what about us losing control over our own devices? do you like losing control over devices you paid for?
This is really bad. I think that most people on HN will agree with that.
The problem is that most normal people (HN is not normal - mostly for the better) don't even understand what sideloading is - let alone actually care.
How can we fix this?
(aside from making people care - apathy enables so many political problems in the current age, but it's such a huge problem that this definitely isn't going to be the impetus to fix it)
This certainly won't solve the problem, but I would at least like to banish the term "side load", which is a kind of Orwellian word that takes something everyone used to do all the time and makes it sound obscure and a bit nefarious. Maybe we, the tech literate, can start calling sideloading a "free install" or something. When asked, we can clarify that the 'free' stands for both freedom, and not paying middlemen 30%.
This is a great point. Not sure if it’s possible, would be great if there was some way to reclaim the notion of installing software as a general practice, regardless of whether a computer is “mobile” or “desktop”.
Like people still download software packages from the web on Windows, MacOS, and Linux… right? Maybe hard to grasp for the kids that grew up with tablets with no notion of a file system, idk
I call it "direct install" personally. It's how you are supposed to be able to install programs, directly from the source.
If anything, it's the playstore and appstore which are side channels.
This is a good term, as it avoids the libre/gratis confusion as well.
People install games from Steam or the Epic Store on their computers without Microsoft preventing that or taking a cut all the time (not for lack of trying. I know). But somehow, in the mobile world, we went with total lockdowns and platform extortion as the rule?
The irony of that iconic Apple 1984 add .
We need another os in the market. A duopoly just isn't competitive enough. Too bad the cost of entry is so high.
Valve has managed something similar with SteamOS as well as Proton built on Wine to make Windows games run on Linux, performing as good as or often better than an actual (modern) Windows install.
SteamOS isn’t too far from a mobile OS.
I had to do some light research on Wiki, but it looks like Firefox OS was supposed to fill part of this void. Sadly, it was not successful, and the project lost funding and support from Mozilla. I think if Mozilla could not do it, it seems hard to imagine there is an open source org with more talent and money than Mozilla who can make it work.
Sailfish tried and failed. Various Linux distro also tried and failed even harder. Consumers at large just aren't interested in anything other than iOS and Android.
Users need a new feature or a new power to justify transition. Learning of new OS is not free. Someone should reuse Android UI, but upgrade the OS to full Linux.
I agree with you idealistically, but practically, creating an entirely new mobile OS with market share competitive with the existing two is an unbelievably massive challenge. It'd probably be just about as easy to get people to care about sideloading in the first place.
Remember how Android used to be an open source project and how we had Google backing AOSP? I think it's time we we maintain the latest fork and just use that instead.
Is AOSP no longer a thing? I've been using GrapheneOS for a few years and admittedly lost track of AOSP, I just assumed it was still a thing despite Google generally wanting to control more and more.
The problem is moves like this will keep happening, since people don’t have much choice. Unless we bring up a societal trend of dumb phones.
We used to have strong consumer protection advocates on both sides of the Atlantic, and those consumer protection advocates used to influence laws and regulation which forced corporations to stop doing anti-consumer stuff like this. Those days can return with enough organized labor and solidarity among the working classes.
use a fork. GrapheneOS is amazing. I feel like I own my phone, I trust my phone, and it obeys me, for the first time in a decade.
unlock. flash. spread the word. use the fork, Luke.
This is also no long term solution. GrapheneOS can't diverge from Google android to much, otherwise modern apps stop working. And Google will definitely go for alternative roms next.
I agree that this is a horrible step in the wrong direction but in terms of the solution I have a different take.
I don't think that making "normal" people "care" about sideloading is the answer, because a) it's impossible and b) political change doesn't happen through "normal" people anyway, all political and regulatory change is driven via smaller and motivated groups of people.
The problem is fundamentally that there's a duopoly on mobile OSes that has tons of market power and if they want to dictate a change like "you can no longer install unapproved software," they can just do it.
The solution is to walk away from that duopoly, to suck it up and just stop using their products. We fortunately are able to do this (for now) on desktop and running Linux in 2025 is better than it's ever been, and more people are doing it.
To get Linux or some alternative on phones is a big task, and if you make the switch you're going to lose a lot. But most of what has no desktop equivalent is addictive social media garbage that you should get rid of anyway. The biggest thing I'm concerned about is the state of banking and OTP/2FA.
I think we need to fight for universal electronic access to the financial system as a right without a need for gatekeepers like Apple or Google. In some countries it's already the case that at many businesses you must use your phone to make payments, cash is gone, cards are dying, and you must therefore agree to Apple or Google's rules to use your phone. This is truly how freedom and democracy will die if we allow it. This is way bigger for "normal" people than technical concepts like sideloading. People on the left should inherently understand the importance to liberty of having the right as an individual to buy and sell without some megacorp's permission. For people on the right, well, remember the Bible's "Mark of the beast..."
Secondarily we need to fight for the enforcement of anti-trust laws, which half of HN doesn't seem to even know exist, or feels are in some way unfair, even though they are the cause of these problems. Government needs to reach in and rearrange markets that are dominated by one or two players, it needs to forcefully restructure those companies so that they lose their market power and can no longer force citizens to obey their will. We've done it before, such as ending company towns where you were forced to use the company's scrip at the company's shop to buy living essentials. It's worked, we need to do it again.
I can do banking and otp at home with a 100 Euro phone that I use only for that. FB, TikTok, Instagram, etc, neve ever installed them on my devices.
The problem is that I want to make calls, SMSes, use WhatsApp and Telegram, Maps and OSMAnd, NewPipe, VLC, Syncthing and a few others on the phone I carry with me.
And to make matters worse I don't want a huge, thick and heavy brick like every Linux phone I read about. I'm on a Samsung A40 now and it's not easy to find a replacement with similar size and weight.
Telegram's clients are open-source, and there's plenty of non-official ones, but for other proprietary messengers you're SOL.
Hard to believe at this point that these messengers used to use open standard protocols, and you could send messages from Google Talk to Facebook once.
> most normal people... don't even understand what sideloading is
Actually, they understand it just fine. The concept is very simple too.
Before this change you could install Android apps without registering your passport/driving license with Google.
After this change you will have to tell Google your real name and home address to install anything on your Android device. This is all. It can take a convoluted form of registering Google account or a more direct form of sending Google your identity documents to confirm "developer privileges". But you will no longer be able to use non-hacked Android devices to install anything without doing those steps.
P.S. I recall that some people still believe that they can create Google account without giving Google your personal details, phone etc. This is simply a self-delusion. If Google does not immediately demand you to cough up a phone numbers under pretense of "suspicious activity", that's because they already know who you are (you probably told them yourself by registering another account elsewhere).
No, "burner SIM cards" aren't real. This is just another form of self-delusion, — this time architected by US security agencies. You don't become anonymous by using those, you become watched.
Define "normal people". Due to Chinese phones and sanctions and other geopolitical bullshit a significant part of the world is forced to use alternative app stores already. Yes, these people are very aware of "sideloading". (Due to Google's own previous moronic foot-shooting policy.)
> How can we fix this?
turn people onto sideloaded apps. show them Revanced and NewPipe, show them system-wide ad blockers and bloatware removal and every other thing Google doesn't want plebs to use.
people don't care about "apk side-loading," they care about apps. hook them on forbidden apps, and they'll raise hell when they can't side-load them anymore.
Official announcement: https://android-developers.googleblog.com/2025/08/elevating-...
More info:
https://developer.android.com/developer-verification
https://support.google.com/googleplay/android-developer/answ...
Personally...we all know the Play Store is chock full of malicious garbage, so the verification requirements there don't do jack to protect users. The way I see it, this is nothing but a power grab, a way for Google to kill apps like Revanced for good. They'll just find some bullshit reason to suspend your developer account if you do something they don't like.
Every time I hear mentions of "safety" from the folks at Google, I'm reminded that there's a hidden Internet permission on Android that can neuter 95% of malicious apps. But it's hidden, apparently because keeping users from using it to block ads on apps is of greater concern to Google than keeping people safe.
> we will be confirming who the developer is, not reviewing the content of their app or where it came from
This is such an odd statement. I mean, surely they have to be willing to review the contents of apps at some point (if only to suspend the accounts of developers who are actually producing malware), or else this whole affair does nothing but introduce friction.
TFA had me believing that bypassing the restriction might've been possible by disabling Play Protect, but that doesn't seem to be the case since there aren't any mentions of it in the official info we've been given.
On the flip side, that's one less platform I care about supporting with my projects. We're down to just Linux and Windows if you're not willing to sell your soul (no, I will not be making a Google account) just for the right to develop for a certain platform.
It's never about security (at least not user's security). It's like you pointed out only about power and locking in customers. They don't care if your phone gets hacked or you bank account drained. They care about the bottom line. Android is fine. Google should have 2 layers if they're worried playstore 1 has only well vetted authors and apps. playstore 2 can be the free for all (mostly) of the current store. These could be two different apps or prominent tags. Choice is good, lock down is bad. Corporate does not like employees or customers to have freedom, that's why it's our duty to fire people like the current US regime who always side with corporations over customers.
This is a drastic response, but they didn't make up the security threat. Attackers convincing users to side-load malware is a thing.
https://www.bitdefender.com/en-us/blog/hotforsecurity/hacker...
The thing is that people sideloading good non-malware apps because they want to is also a thing, and all kinds of icky apps that abuse permissions but are still verified and installed through the Play Store are also a thing. This doesn't really change what is a thing. It just moves more stuff under Google's control.
security is the "Save the Children" of technology. It's not that there isn't a theoretical thing there, it's that in the real material sense, the actual actions taken are power grabs for control and suppression.
> Attackers convincing users to side-load malware is a thing.
Sure. It’s also not Google’s problem.
It’s not Victorinox’s problem of someone uses a Swiss Army knife to cut someone else. It’s not Toyota’s problem if someone deliberately runs over a pedestrian.
Car companies do care if their cars are easy to break into and will improve the security of newer models, even if any particular theft is not their fault.
If they don't do that then their reputation will suffer and governments might take notice. So, in practice, big companies do have to care about their users, not individually but in aggregate.
That's a bad analogy. No one is complaining about Google providing Android security updates.
This is like a car manufacturer preventing the installation of all unapproved aftermarket accessories by claiming they're protecting you from a stalker installing a tracker on your car.
I don’t actually think it’s that bad. If all of a sudden we started hearing an awful lot about Android phones having viruses, to the point where almost everyone had a friend who got a virus on their android. I think the market would actually shift. We’d probably see more people moving to iPhones.
> Car companies do care if their cars are easy to break into and will improve the security of newer models, even if any particular theft is not their fault.
Didn't Kia go over a decade without caring or improving until the Kia Boys stuff?
> Every time I hear mentions of "safety" from the folks at Google, I'm reminded that there's a hidden Internet permission on Android that can neuter 95% of malicious apps. But it's hidden, apparently because keeping users from using it to block ads on apps is of greater concern to Google than keeping people safe.
You've never needed the internet permission to exfiltrate data. Just send an intent to the browser app to load a page owned by the attacker with the data to be exfilled in the query parameters.
The ability to launch other apps can be put behind a permission screen too.
Wouldn't that launch the browser app and bring it to the foreground? I wouldn't compare that to having full network access.
It'd launch the browser app. You can have your evil page redirect to a benign page so it just looks like Chrome randomly opened or whatever. It is not as powerful as full network access as you can only send so much information in query parameters, but if you are doing some phishing or stealing sms 2fa codes or whatever then it is plenty to send back whatever payload you wanted to.
And of course basically every app requires internet permissions for ordinary behavior. The world where an explicit internet permission would somehow get somebody to look askance at some malware that they were about to download is just not believable.
> had me believing that bypassing the restriction might've been possible by disabling Play Protect, but that doesn't seem to be the case since there aren't any mentions of it in the official info we've been given.
I don't think we can know for sure before the change is actually in place. Going through Play Protect would certainly be the easiest way of implementing this - it would be a simple change from "Play Protect rejects known malware" to "Play Protect rejects any app that isn't properly notarized". This would narrowly address the issue where the existing malware checks are made ineffective by pushing some new variant of the malicious app with a different package id.
It's a big change for the ecosystem nonetheless because it will require all existing developers to register for verification if they want to publish a "legit" app that won't be rejected by any common Android device - and the phrasing of the official announcements accurately reflects this. But this says nothing much as of yet about whether power users will be allowed to proactively disable these checks (just like they can turn off Play Protect today, even though very few people do so in practice).
There's a reason Google is targeting a few specific countries with this first. Malware from APKs downloaded from the internet is more prominent in some countries than in others. The governments themselves are asking for this because educating the public has turned out to be an impossible task for them.
Still an awful solution that will get bypassed easily, of course. But there's more to this than "Google decided to be a bunch of dicks today".
The malware makers will use fake or stolen IDs.
> This is such an odd statement. I mean, surely they have to be willing to review the contents of apps at some point (if only to suspend the accounts of developers who are actually producing malware), or else this whole affair does nothing but introduce friction.
Requiring company verification helps against some app pretending to be made by a legitimate institution, e.g. your bank.
Requiring public key registration for package name protects against package modification with malware. Typical issue - I want to download an app that's not on available "in my country" - because I'm on a holiday and want to try some local app, but my "play store country" is tied to my credit card and the developer only made it available in his own country thinking it would be useless for foreigners. I usually try to download it from APKMirror. APKMirror tries to do signature verification. But I may not find it on APKMirror but only on some sketchy site. The sketchy site may not do any signature verification so I can't be sure that I downloaded an original unmodified APK instead of the original APK injected with some malware.
Both of these can be done without actually scanning the package contents. They are essentially just equivalents of EV SSL certificates and DANE/TLSA from TLS world.
> Typical issue - I want to download an app that's not on available "in my country" - because I'm on a holiday and want to try some local app,
The solution here is just to get rid of artificial country limitations which make some users download APKs. None of those make sense in the online world anyways.
Play Protect is just spyware to monitor app usage & exploitation. It doesn't prevent or protect anything.
<< we will be confirming who the developer is, not reviewing the content of their app or where it came from
To be honest, it almost makes me wonder if the issue here is not related to security at all. I am not being sarcastic. What I mean is, maybe the issue revolves around some of the issue MS had with github ( sanctions and KYC checks ).
So KYC but C is “competition”.
And K is "kill".
Can you elaborate a little bit about this hidden internet access control setting?
<uses-permission android:name="android.permission.INTERNET" />
It's been there since Android 1.0.
What's missing is a way for the user to deny it.
Google also used to show you which apps used Internet permission in Play Store. But they removed it, which makes it harder to notice which apps don't use it.
Google mostly doesn't let you deny permissions while running apps that require them; recently there's some permissions that you can pick at runtime. So it's not suprising that they don't let you deny this one, when they don't even show it in the store.
You can deny it on Graphene OS.
Interesting, you can't deny it on stock Android? TIL. You can on LineageOS.
Even device owner (MDM) apps can't revoke that permission.
"Hidden" isn't exactly right. It's completely inaccessible, unless you use a custom ROM like LineageOS. But it is a real permission:
https://developer.android.com/develop/connectivity/network-o...
Force enabled, more like
> Every time I hear mentions of "safety" from the folks at Google, I'm reminded that there's a hidden Internet permission on Android that can neuter 95% of malicious apps
Of that they still refuse to sandbox the play store.
It's easy to see that there's a pattern on what they are copying from GrapheneOS.
> But it's hidden, apparently because keeping users from using it to block ads on apps is of greater concern to Google than keeping people safe.
The internet permission has nothing to do with ads? It's a hidden permission because:
1) Internet connection is so ubiquitous as to just be noise if displayed
2) It's not robust, apps without Internet permission can still exfiltrate data relatively easily by bouncing off of other apps using Intents and similar
It absolutely has to do with ads. While there are various ways to exfiltrate small amounts of data, the non-collaborative ones are rarely silent and most importantly, they won't let the app get responses (e.g. ads) back.
The main thing this permission would be used for would be blocking ads. Also distinguishing shitty apps that are full of ads from those that aren't. If there is a calculator that needs Internet and one that doesn't, which one are you going to use?
> The main thing this permission would be used for would be blocking ads.
This permission has existed for longer than runtime permissions. You have never been able to revoke it, it was just something you agreed to when you installed the app or you didn't install the app.
It was "removed" in that era because if every app requests the same permission, then nobody cares about it anymore. When every app asks for the same thing, users stop paying attention to it. So no, it had fuck all to do with ads because that was never a thing in the first place. And ad blocking doesn't require this permission, either.
> Also distinguishing shitty apps that are full of ads from those that aren't. If there is a calculator that needs Internet and one that doesn't, which one are you going to use?
You can still use it for this. Apps are required to declare the permission still, it's listed on the Play Store under the "permissions" section. Similarly the OS reports the same thing. Presumably F-droid or whatever else also has a list of permissions before you install, and it'll be listed there.
Although Google's own Calculator app requires Internet permission. Take that for what's it worth.
> 1) Internet connection is so ubiquitous as to just be noise if displayed
That doesn't make it any less useful.
> 2) It's not robust, apps without Internet permission can still exfiltrate data relatively easily by bouncing off of other apps using Intents and similar
I've heard claims that the Internet permission is flawed, yes, but I've never managed to find even a single PoC bypassing it. But even if it is flawed, don't you think Google would be a bit more incentivized to make the Internet permission work as expected if people could disable it?
> I've never managed to find even a single PoC bypassing it
Because it is obvious. Just open a web browser.
More details here: https://old.reddit.com/r/androiddev/comments/ci4tdq/were_on_...
> I've heard claims that the Internet permission is flawed, yes, but I've never managed to find even a single PoC bypassing it.
Happily uses the browser app to do the data send for you. Requiring apps to have all the permissions of the recipient of an Intent before being allowed to send it would be a catastrophic change to the ecosystem.> would be a catastrophic change to the ecosystem.
Hey we were already on board with this, you don't have to convince us.
The effect of this would be to make all apps request all permissions because even if you are just using some other app for a particular feature you need, you have no control over what other permissions they might add which would suddenly break any intents you send them. The only defense would be to request everything.
You could very specifically ban ACTION_VIEW intents for web URIs from apps without an internet permission I guess. But does banning apps from linking to the web (to be opened in browsers) really seem like a good idea?
Similar changes have been done before, the security sandbox behaves differently based on the app's minimum/target API level for backwards compatibility.
That's also why there's a warning before installing really old apps, they may run with extra permissions.
so? pop up a permission prompt. have the user confirm.
and isn't it immediately apparent that the app is leaking data if your calculator is popping a webview?
I mean, I just did a quick look over the installed apps on this phone and ~1/4 of them would work perfectly well without an internet connection, things like a level or GPS speedometer that use the phone sensor or apps for Bluetooth control of devices [like 0] . Why would something like a bubble level app need internet access for anything besides telemetry or ads? I realize I have way more of these types of apps than the average user, but apps like this aren't a super-niche thing that would be on 0.1% of devices.
I just tend to give Google little benefit of the doubt here, considering where their revenue comes from. Same as when they introduced manifest v3, ostensibly for security but just conveniently happening to neuter adblocking. Disabling access to the internet permission for apps aligns with their profit motive.
There's plenty of actually problematic stuff Google does (like this change in the article), there's no need to make up whack ass conspiracy theories, too.
The internet permission is the only regular manifest permission you can't toggle in the settings. It is an obvious win for an advertising/surveillance company like Google. What is wack about it?
> The internet permission is the only regular manifest permission you can't toggle in the settings.
That's not even a little bit true? There's a ton of 'normal' permissions, almost none of which are user-overrideable. Like, say, android.permission.VIBRATE. Or android.permission.GET_PACKAGE_SIZE. Android has an obscene number of permissions ( https://developer.android.com/reference/android/Manifest.per... ) and almost none of them have a UI to control them nor any ability to be rejected
> It is an obvious win for an advertising/surveillance company like Google. What is wack about it?
How, exactly? How does Google benefit from random 3p apps having Internet access? And remember, Google has play services on every device to proxy anything it needs/wants.
Huh? Not sure how this qualifies as "whack ass". There's an internet permission built in to the OS that Google chose to not expose to the user. The parent poster was claiming there is no reason anyone would want that permission, I then pointed out a whole category of apps that don't need internet to function for anything besides ads and telemetry. All of this is factual info.
So rather than just dismissing the argument via insulting language, can you provide a reasonable alternative explanation for why this setting isn't exposed to the user?
The internet permission is exposed to the user, it just can't be revoked by the user. But that's true of like 100 other permissions, too. It's the default case that permissions are not revokable.
And I did provide 2 reasons why that's the case for Internet specifically, neither of which were even attempted to be refuted in this comment chain
I would really like to deny internet access for apps like mx player. The frequency of ads on that app once Times group bought is the worst I've seen in my entire life. One of the best video players on Android, ruined.
Some chinese skins do offer the ability to revoke internet access for apps. I wonder why the western ones don't?
The worst part is the Orwellian opening sentence they start with in their blog post [0]:
> You shouldn’t have to choose between open and secure
2+2=5
Truly the end of an era. I've spent nearly two decades buying Android phones because of a single checkbox in settings that let me have the freedom I consider essential to any computing device that I own.
In a way, it's liberating, I've missed out on a lot from the Apple ecosystem because of that checkbox. Maybe finally I can let go of it now the choice is out of my hands.
[0] https://android-developers.googleblog.com/2025/08/elevating-...
Very much my exact feelings. I had the first Android phone ever and even wrote my own APKs and enjoyed the freedom of the mobile platform that let me install my own software. But it's been close to 20 years and maybe it's time to check out the other side, as much as I despise Apple's locked down ecosystem.
I'd sooner get a Chinese phone that isn't "Google-certified" than reward this behaviour by giving $1000+ to the DRM OGs at Cupertino. Neither Apple nor Google are protecting users against the alleged data-stealing evils of Tiktok, so how exactly are they providing any kind of "user safety" by throwing up fees and red tape for small independent developers?
I'm also completely open to this. Google just made being not Google-certified a feature.
Maybe it is time to try Jolla as next phone:
https://jolla.com/
Just a note for readers that the Jolla C2 cellular modem only supports European bands, so if you're in the US you're out of luck on that front until they release a new model.
Oh... I somehow missed this reading for 15 minutes through the site. Thank you!
I used it as my first phone some 10 years. I type this message on one. I like their perseverance, but the truth is it's declining in practical usability.
Edit: In EU, so (lack of) bands are not an issue for me.
Yes, I was checking this out! Sailfish with Android compat seems very compelling. The videos I saw on youtube showed a bit less polish than I'd prefer, but I'd be OK with that. But then I read up on the manufacturer they partnered with. Reeder, I believe? I ended up looking up some other devices they made and there seems to be build quality problems...I haven't seen reports like this for the Jolla C2, though, so I still might be tempted to purchase one just to see how it drives. Thanks for the recommendation!
So that's it then.
If this actually goes through, there will be no option in the mobile OS market for an OS that both:
a) allows the installation of apps without any contractual relationship with any party, and
b) allows the use of mainstream and secure apps like banking
In time, you will only be able to access banking from your desktop using an approved OS and browser with attestation...
For what conceivable reason would they make the users go on desktop, considering mobile is in the process of being fully locked down?
If anything, they'd eventually deny access from desktop, forcing everyone to login via the fully manages mobile devices without any user freedom.
Some banks are already getting there btw, as their preferred 2fa is a companion app... One small step away from making that the only option, effectively denying access to anyone without a locked down mobile device.
A recent real life example:
You can apply for an HSBC Global Money Account if you have: […] The HSBC UK Mobile Banking app (Global Money is only available via the app)
From https://www.hsbc.co.uk/current-accounts/products/global-mone...
It's already that way in my country. The few banks that still have the web version only support it for their business clients, and it's only something like two or three banks. If you're a regular client, there's not a single bank left that you can still use without a smartphone (unless you're ready to visit a branch for every little thing — so pretty much daily).
My bank’s app doesn’t even work or even install on my phone because the bank considers my phone too old. So if they suddenly required the app to log in, I simply wouldn’t be able to bank with them. So they would lose my checking, investment, and HSA business when I move to another bank.
I think they worded that poorly, but didn't mean what you got from it: the point I'd take isn't that they will require you to have a desktop, but that even desktop will also have the same restrictions, so it isn't just a mobile problem.
What gp is saying is that to access banking form desktop will require an approved OS and attestation just like on mobile. The current state of affairs is that an approved OS and attestation are only required on mobile but not on desktop
Actually my bank already requires me to use the phone app for any operation on the website. When I want to login from my laptop I need to use my phone with their app to approve the login, same for almost any operation.
Ah, and it can only be installed in one device at the same time :D Don't have your phone available? Bad luck for you
> can only be installed in one device at the same time
I neither like nor understand this restriction. It makes device failure / loss / theft a much more difficult experience to recover from than it would otherwise be. The device should be throwaway. I specifically keep old phones in case something happens to the new one.
WhatsApp is probably the stupidest example of only being able to be on a single device (but I'm forced to use WhatsApp for one specific purpose, so I already resent it). Signal does the same thing, so maybe it's related to the E2EE that WhatsApp licensed from Signal...
I use the Signal fork Molly to get messages on multiple phones. One remains the primary and the others linked, but I get messages even if the primary is off.
I have a huge problem with companies using their own apps for 2FA.
Google started doing this for Gmail. To use Gmail on my laptop, I need to approve it with Gmail on my phone. I never signed up for this. I’m now afraid if I delete the Gmail app from my phone that I’ll lose access to my email.
I hate the direction “security” is taking us. It’s done in the name of security, but it feels more like blackmail to get and keep the company app on your phone.
Is that a thing Google logins can be set to require? I _can_ use the Gmail app on a device for 2FA, I can also press "try another method" and use any 2FA app.
i do like how many apps are starting to play nice with 3rd party authenticators. i use ms authenticator for a bunch of things. Although knowing MS it has some massive license fee for them to support.
De facto, this is already the case - you can use your computer as a display but to actually authorize a login or transaction you need your phone with said attestation.
Not true for either my AIB or Wise account.
True for PayPal though. I just recently had to jump through seven different hoops to verify my ID (with creepy, creepy face scans) and they absolutely refused to even start the process on desktop. Eventually got the stupid thing to work on my iPad; Android+Firefox was a no go, and it's stock Pixel 5a with Google OS.
Thankfully I don't actually rely on PayPal for anything serious, but there are artists whose commission I like to pay, and being able to actually pay them would be nice. :/
For logins, at least, they support passkeys on the desktop as well, so long as the browser does it. Which basically means Win11 or macOS, either some Blink-based browser or Safari.
I mean, I'm sure it's true for some banks or financial services, but that's not really the same thing.
A dedicated app on a locked down OS is vastly more controllable than something like a browser that can do virtually whatever it wants.
Controllable by whom? I don't do any banking on my phone exactly because I don't trust my phone to keep anything I do on my phone private.
I'll just have to disable it and choose a banking app that works on the browser. Tonnes of my apps are sideloaded. Quite a few are on the playstore or the dev might upload their details.
Is it confirmed that we will even be able to disable this?
I never really got into "phone" progrmaming, always waiting for the shenanigans to die down. But somehow the shanigans have gotten worse and for a significant chunk of the world population, the phone is the only computation device they have at all.
I never got into it because I was convinced developers would refuse to give up control over distribution when Apple started doing it. I wish I was right, but here we are.
Developers sometimes seem to be as in control as farmers are of the distribution of their produce. There's no absolute rule that gives the owners of large scale distribution networks power over both producer and consumer. It's just laws of convenience. It's easier for everyone to go through a few or just a single common broker.
There's no law against a more democratic way to implement the broker either but it requires interesting methods of coordination and/or decision making that doesn't seem to exist yet?
It limits choice. I don’t have any experience building mobile apps because I didn’t want to buy into an unfair ecosystem. That means fewer mobile apps even if distribution networks change tomorrow.
> I don’t have any experience building mobile apps because I didn’t want to buy into an unfair ecosystem
Seems like it wouldn't be much of a stretch to compare that statement to not starting a business because the economy is unfair. People indeed don't start businesses when the bureaucratic or tax overhead outweighs the financial benefit, but nobody loses sleep over an individual's hypothetical missed opportunity to learn a new skill but them. Doesn't matter to the platform owners unless it also stops being profitable, so it's their job to maintain the profitability for their ecosystem despite whatever barriers they put up.
> There's no law against a more democratic way to implement the broker either but it requires interesting methods of coordination and/or decision making that doesn't seem to exist yet?
It's not enough to not have a law against it, we need to have and enforce laws requiring it.
Some developers did. Others, who didn't care so much, got into the app store instead, and got rich off it. Users didn't care about such principles and mobile-first has been a viable strategy for a long time now. Not having something of an app is a problem if you want to stay in many markets.
Money is a powerful motivator. For better or worse.
Developers want a stable, secure platform where they can reach customers that trust the platform and are willing to transact. Everything is downstream of that, including any philosophy around control.
Developers are businesses and the economics need to work. For that, safety and security is much more important than openness.
Oh! Classic Survivorship bias. You're only looking at the devs who went into business in the phone ecosystem in the first place. I'm thinking that they're there despite the barriers to entry ('shenanigans'), and the ones you encounter happen to be those who happen to place a higher value on 'other values'. As the ecosystem gets locked down more, this effect becomes stronger.
Meanwhile, you're not looking at those who left, or those who decided to never enter a broken market dominated by players convicted of monopolistic practices.
This seems much more intuitive than a hypothesis where somehow people would prefer to enter a closed market over a fair and open market with no barriers to entry.
Remember, monopolists succeed because they are distorting the market, not because they are in fact the most efficient competitor.
* https://en.wikipedia.org/wiki/Survivorship_bias
You now need to have an online account to setup and login on a Windows desktop. It's obvious what the trend is and it's not allowing consumers control over their stuff.
Not related to the OP, but no you don't.
Just look up how to skip the "OOTB (out of the box) experience" and you can still bypass having to set up a cloud account on Windows 11 and can just set up a local account like normal. :)
I have been a computer user, developer and a system administrator for longer than I care to recount. I don't like Windows and I don't use it at work or home. But I do encounter it from time to time, and the experience is worse each time. The last time it happened, I couldn't figure out the way to skip/bypass the cloud account set up. Would it have been possible if I tried harder, starting with a web search? Perhaps. But there is no way an average system user is going to have the patience or often the skill necessary to do it. I'm not challenging their intelligence. But people have other priorities than to jump through a dozen hoops just to preserve privacy. I would do the same if I had to set up a Windows system for urgent work.
These sorts of hurdles exist to push more and more users to their favorite workflow until the dissenting voice is too feeble to notice when they finally pull the plug on the straightforward method. The intent is certainly there, since they are quite evidently boiling the frog. Just wait for the fine day when you wake up in the morning to see an HN story just like this one about Windows login as well.
Last I checked, Microsoft was trying to get rid of it.
https://www.tomshardware.com/software/windows/microsoft-elim...
It's still possible to set up using only a local account, but who knows for how long.
A stepping stone on a path.
Have a login. Pin features to a login. Mandate a login but w/ backdoor. Close the back door. "It's a backdoor, why not use the front door?"
For now. History has shown that workarounds for defaults tend to stop working at some point.
Software distribution control didn't start with phones, it started with game consoles.
The Nazis were initially quite squeamish about taking the lives of innocent civilians. It was in 1939 that a Nazi supporter wrote to Hitler requesting permission to euthanize his severely disabled infant son [1], who he described as 'a monster'. Hitler send his personal physician Karl Brandt to Leipzig to assess the situation. Upon confirmation, Hitler personally authorized Brandt to arrange the euthanasia, with the promise to protect him legally. Don't forget that these were the Nazis, the original.
Once that happened, they gradually tried the idea with other disabled children, eventually progressing to deceiving the parents to get the permission. Then it got extended to teenagers and eventually adults, including disabled war veterans. Then there was a backlash and it stopped for a while. But it reappeared eventually, this time on an industrialized scale - the final solution. Disabilities were not the limit anymore. Arguably the worst genocide in human history started with the reluctant murder of a 5 month old infant, just 6 years before reaching its peak at the end of the war.
This is the classic example of a slippery slope. One hesitant misstep is the beginning. But as they realize its benefits (to them), they double down and gradually expand the scope until nothing is exempted. The consumer electronics industry and the software industry are certainly no exceptions to this. Is it too dramatic and hyperbolic to compare them to the Nazis? Admittedly, a bit. But perhaps it's not a bad idea to shame them like that, because clearly nothing else is working (with all due respects to the victims of the original). And it's not like they hesitate to shame us when it suits them.
[1] Gerhard Herbert Kretschmar (20 February 1939 – 25 July 1939): https://en.wikipedia.org/wiki/Gerhard_Kretschmar
Personally: the idea that a "slippery slope" is a logical fallacy has always seemed like bulllshit to me. The vast majority of reasoning for why the judiciary makes the decisions it does is because of "precedent". Slippery slope is how the world operates. It surfaces everywhere, and when the slope we're sliding down matters, like this one, we have to fight back with fervor. Google isn't doing this in a vacuum; they're doing this because there's precedent for it, and because all they want is to assert more power over the world.
Google's behavior is utterly and entirely disgusting, unacceptable, despicable, and dishonorable. Everyone who even glances near this decision should feel overwhelming shame. If you have a shred of political power to fight this internally, you are a failure to yourself, your customers, and the world if you choose to stay silent. They'll read comments like these and think "we're right, we're being brave", because they have convinced themselves that there is bravery in wielding overwhelming power against their users.
> Personally: the idea that a "slippery slope" is a logical fallacy has always seemed like bulllshit to me.
I don't know if I got this wrong, but the 'slippery slope' argument by itself never appeared to be a logical fallacy to me. There are numerous valid examples of it, and that's the context of its use in my previous reply. There certainly is a 'slippery slope' logical fallacy, but I thought it meant that you are misapplying/misusing the slippery slope argument where it isn't valid or doesn't apply.
> Google's behavior is utterly and entirely disgusting, unacceptable, despicable, and dishonorable.
I was going to apply the Nazi label on them everyone else who use such sleazy tactics. I hesitated because a lot of people are still emotional about the holocaust (it has been 80 years) and object to equating anything with Nazism. But I sometimes wonder if the objection is meant only to silence the critics. While their actions haven't yet reached the magnitude of atrocities committed by the Nazis, their actions certainly are consistent with the Nazi tactics. Besides, it's not as if they had any qualms labeling ordinary people 'Pirates' for sharing media. Therefore I feel it's quite appropriate to apply to them and promote the label of 'Supply Side Nazis'.
I got into it then got out. Everything about the Apple ecosystem was infuriating. I don't even care about the ideology here, just the annoyance.
i made and released some apps in the early days. Got tired of it and got tired of the reminders from google to add banners, screenshots, submitting icons to support multiple resolutions.. notifications that apps i haven't touched in decade are no longer compatible etc.
so much extra work involved that isn't building the app.
I worry how this will affect fdroid etc.
Got tired of this with a few extensions I made too. It felt like every year or so they'd completely break some API and I'd have to go switch to the new one, then they wanted a privacy policy, then justification for permissions, etc etc. Wasn't worth the trouble eventually and I just let them die.
Even aside from the privacy implications (which aren't trivial themselves,)
Doesn't this make it prohibitively difficult to do local builds of open source projects? It's been a long time since I've done this, but my recollection was that the process to do this was essentially you would build someone else's (the project's) package/namespace up through signing, but sign it locally with your own dev keys. A glance at the docs they've shared makes it sound like the package name essentially gets bound to an identity and you then can't sign it with another key. Am a I misremembering and/or has something changed in this process? Am I missing something?
Not just difficult - it becomes impossible. You can no longer develop any android app without Google's approval, just like iOS. The official emulators might not even work.
A repo is just files in a directory, so the namespace can be changed, but the whole thing stinks. Having to setup Android signing keys and needing to provide ID is not fun. It means you won't easily be able to run builds on Google certified Android devices that aren't from "approved" people.
That's where the "prohibitively difficult" part comes in... surely they don't expect every developer on every open source app in the world to have their own app registration/package name for the same app, do they? Feels like an N * M problem, if so.
Get rid of those pesky open source guys, keep the merchants who want $$$ and can pay $ to Google.
They are namespacing, like it or not, and clearly they don't care about open-source that much.
They have the ecosystem by the balls. Phone manufacturers in recent years have been making unlocking & modifying their devices more and more difficult, google and app developers have been cracking down harder on modded devices by implementing TPM equivalents in the hardware to sign and verify that your system is a google-appproved one, and alternatives still are decades behind in terms of app ecosystem.
I think they might just get away with it.
> and alternatives still are decades behind in terms of app ecosystem.
That's if they're available at all. In my country, only cell phones certified by the telecommunications government agency (ANATEL) can be imported, so the alternatives (Jolla, PinePhone, Fairphone) simply don't exist.
If you don't mind sharing, which country is that?
It takes less time to search and find that Anatel is the Brazilian telecom agency than it does to type that comment.
They do marvellous things like mandate weird Brazilian Android games on the phone I bought in Brazil.
It's incredibly obnoxious when people type "in my country" as if we're all supposed to just... know where they live. It's also incredibly common. Why do people do this?
Image asking someone where they’re from only to be told a US state, and only the state.
Apart from Georgia, I don't see how this could be a problem
Asking where somebody's from and having them respond with the state is not unreasonable -- you can already tell they’re American from the accent. The US is huge, about half of its states have more land area than half of the countries in the world. Asking where someone is from and receiving "the US" in response is about as informative as someone from Europe replying "Europe". Like yeah, obviously, I could tell by your accent, but where in Europe?
Funny thing is that americans do that all the time, even in international settings like a coworking space full of expats. Everybody introducing themselves with a "hi, I'm from this country", except americans telling their state or city. Are they expecting us to be familiar with their geography, or just unaware of alternative geographical frames of reference?
Do you assume everybody is able to recognize Americans or Europeans "from their accent" ?
Americans? Honestly, yes. If not, what good is this cultural imperialism after all?
I'd think passive recognition of a fair few states would be a pretty low bar for relatively educated, English-speaking people. It's a pretty low bar, just placing a region with its country. People also regularly just assume that level of knowledge for globally- or culturally-relevant cities.
Maybe I think too highly of people, but I'd also imagine most would be able to get say... 6/10 right, for which countries the following list is from:
- Flanders
- Nova Scotia
- Brandenburg
- Guangzhou
- Tasmania
- Minas Gerais
- Catalonia
- Chechnya
- West Bengal
- Bali
> Image asking someone where they’re from only to be told a US state, and only the state.
Atlanta or Tbilisi?
> mandate weird Brazilian Android games on the phone I bought in Brazil.
Uhm, this sounds more like something from the Ministry of Culture, maybe some tax incentive for manufacturers promoting local productions.
I could be wrong though. Curious to know if Anatel has issued any ordinance in this regard, just did a quick search but could find nothing so far.
When I google ANATEL, it comes up as Brazil
Don’t worry though, the TPM requirements in everything are for your protection.
Unless they give F-Droid access, the antitrust prosecution will double.
Yeah, I'll just ditch Google over this. The only reason I put up with their crap is because I can actually just install software on my phone. If they take that away, there's no motivation to stay.
And go where? IOS is worse as far as openness and controlling your own hardware. And the Linux phones are not exactly practical for normal use.
If I can't run F-Droid and termux and all that, I have no need for Android supposed freedom. I'll just use an iPhone (it would be the first time!), minimize my use of mobile platforms to the maximum extent I can and stick with Linux laptops.
I'm currently researching Android alternatives, including Librem and Jolla C2, and I'm skeptical that those will be compelling. It's just so sad.
I suspect that many developers publishing on F-Droid, and the F-Droid itself, may obtain registration, and continue to be available, termux and all.
But not every developer, of course, would agree to register.
There are so many apps which just work and don't need updates.
All of those will disappear also on F-Droid because of that.
If both phone OS's are going to be the exact same on user choice then you might as well compare the two on their merits and this is not a comparison Android wins.
You forgot "IMO"
I rely on fdroid and am not sure what I'll do with this pixel 6a. I sometimes root, sometimes don't but I may have to get on the lineageos program full time. And I'm hoping for a rumored last batch of pinephone pro phones to be available later this month although I have no illusions about it being a real daily driver.
LineageOS currently says that it won't install over the latest update on the 6a.
You can try it, but don't cry if it bricks.
The newish one I bought got GrapheneOS instead. That worked without a hitch, but it's got more than a few problems.
What problems are you running into on Graphene OS? Maybe we have different workflows, but it works just fine for my purposes.
fdroid is based in the EU and the Cyber Resilience Act was already going to force them to either make their filters more strict (absolutely prohibit anything with any sort of "monetization"), or start collecting this data.
If they have anything on the platform that is subject to the CRA, they are a distributer:
https://www.cyberresilienceact.eu/cra-guide-for-importers-di...
Ditch Google for what?
I responded elsewhere, but to summarize:
Use an iPhone, minimize my use of it. Continue to emphasize Linux on all my other devices. Move away from Google and Apple services to as much self-hosting as possible. Leverage TailScale to make my services accessible, globally, without actually exposing them on the internet. I'm just assuming that I will have to have some kind of attested device in order to run banking and payment apps and that might as well be a locked down device like an iPhone.
An unofficial build of Android, like Grapheneos. It likely won't be able to install apps from the Play Store, but at that point it might be a blessing.
> the antitrust prosecution will double.
In Brazil? In Malaysia? In Singapore? I highly doubt it.
I would say this is a bold choice for a company whose existing restrictions around third party apps and stores and in-app purchases has already been found illegal. While it doesn't look like they're pushing for it right now, forcing Google to sell Android was something the DOJ has considered as a penalty.
I'm not sure Google still has the ecosystem by the balls. It's very possible whatever Googlers who made this decision are the type of folks who don't comprehend they work for a monopoly that like actually can't do things like this anymore.
Maybe they gave a political donation?
It may also help to push things one way to prevent them from going the other way.
I don't think Google can be blamed for this - their own phones are one of the last which can still be unlocked.
They're also the best equipped to tell if you've done so, and restrict access from critical functionality needed by many in their day-to-day lives if you've done so.
The intentions behind all the security hardware they introduced in pixel phones first, and is now required by play integrity to function might've been well-meaning, but that doesn't really matter in the end. Security features that the user can't control and bypass aren't security features - they're digital handcuffs.
true, and recently they deserved a lot of credit for publicly releasing their device trees and drivers. unfortunately, with the 10 series pixels they no longer will be releasing device trees, which makes it much more difficult to maintain custom ROMs
If this is enforced via Play Protect, then the whole mechanism can likely be disabled with:
This does not require root access and prevents Android from invoking Play Protect in the first place. (This is what AOSP's own test suite does, along with other test suites in eg. Unreal Engine, etc.)I personally won't be doing this verification for my open-source apps. I have no interest in any kind of business relationship with anyone just to publish an .apk. If that limits those who can install it to people who disable Play Protect globally, then oh well.
How long until Google decides to lock it down because "scammers" can "abuse" it?
I really hope this ends up being possible! Play Protect seems to jump up every so often and try to scare me into turning it on. Very annoying. I've wanted to disable Play Protect permanently, but never did the query to learn how, so thank you.
What does this break?
There shouldn't be any side effects other than rendering Play Protect inert. No other AOSP component relies on this setting.
There could of course be side effects in the future when this restriction is rolled out, as in your device's Play Integrity status could be affected and your banking app/phone wallet might not let you perform app-based payments from that device.
Some bank apps and payment processor already check if you have developer mode on and refuses to run.
Oh so that's why my bank app said it thought my old device was rooted when it wasn't...
The reason I chose the Android ecosystem over the Apple ecosystem, once I found out that the Maemo/Meego ecosystem was a dead end and the Openmoko ecosystem was a non-starter, is that the Android ecosystem allowed me to develop and install my own apps on my own devices whenever I wanted to, without arbitrary limitations like having to periodically plug the phone into my computer to renew some authorization. Additionally, there was even for some devices the possibility of rebuilding the whole operating system with any changes I desired.
If I'm not allowed to develop and install my own apps on my own phone, what advantage does Android have over Apple?
> without arbitrary limitations like having to periodically plug the phone into my computer to renew some authorization
I find it easier to do a git commit once every 89 days and see my app auto refreshed through Testflight for me and anyone else I care to let use it.
If you look at the build system SaaS pricing or even IDE pricing on Show HNs here, the Xcode cloud build and distribution ecosystem is an absolute steal at $9 a month. Private Testflight (with no review) can be more convenient than that desktop cable.
Makes sense why they had to get rid of the "don't be evil" motto. They've been on a roll.
I've seen a lot of similar sentiment on this thread, but the reason I use Android is because it gives me more control than iOS by allowing full-on painless sideloading, and custom distributions like GrapheneOS. They're doing everything they can to turn themselves into a worse Apple. All of the downsides of Apple, but none of the upsides. Apple beats them in every aspect that isn't "openness".
When will the straw break the camel's back? I'm shocked we've let it get to this point with no realistic alternatives. There's no reason a competitive Linux-based smartphone can't exist (no, I'm not counting Android in that).
> There's no reason a competitive Linux-based smartphone can't exist (no, I'm not counting Android in that).
Yes there is. You all don't understand that they will use remote attestation to force everyone to use approved devices with signed apps on signed OSes only
You won't be able to bank, call a cab, write a chat message, watch a youtube video or do anything relevant on a device anymore that isn't signed, approved and controlled by google. They've made us cattle and now they are going to milk us dry.
> There's no reason a competitive Linux-based smartphone can't exist
There is; it's the "phone" part of "smartphone". Being a phone makes the device subject to a lot more requirements (for an obvious example, emergency dialing must always be available and work, and at the same time the phone must never accidentally dial the emergency number).
In my country, only cell phones certified by the government telecommunications agency (Anatel) can be imported, so I can't for instance go to the Jolla or PinePhone store and buy a Linux-based smartphone; if I tried, it would be sent back the moment the package entered the country. (See https://www.gov.br/anatel/pt-br/regulado/certificacao-de-pro... for details.)
> There is; it's the "phone" part of "smartphone". Being a phone makes the device subject to a lot more requirements (for an obvious example, emergency dialing must always be available and work, and at the same time the phone must never accidentally dial the emergency number).
Funnily, Google is one the few phone manufacturers who can’t make emergency calls to work. (e.g. search Pixel problems)
How did we let this happen?
Oh, yes... Actually I remember: it was a long slow series of accepting small artificial restrictions. I remember people laughing at me at the time. They said it won't matter, they didn't care, that I was paranoid...
Now... Here we are.
Unless this is used to block TikTok or ChatGPT users still won’t care and people will still laugh at us for caring, or think wanting privacy or control of your computers is suspicious or ungood.
and don't forget all the people with the dismissive remarks about how it didn't affect them on their Graphene or Calyx phones. We're all downstream of something. The real product of Android for us was always the interoperability with the normal world for the tinkerer.
We had no part in this. The blame lies squarely with Google and its employees, who trade away user freedom for profit and career gain. Many who are smart enough to know better but instead compromise their principles. It's just another symptom of late-stage capitalism.
eternal september
If your businesses idea doesn't work without you being evil, you deserve to go bankrupt. I perceive a tendency to assume it is necessary for a company like Google to maintain full control over our ecosystem to further our progress and maintain order. However, we should know by know that this isn't the case. You don't have to be evil to be useful. See GNOME, GrapheneOS, Steam, KDE, Wikipedia, Linux or Mozilla (previously). Tricking us of their inevitability is their greatest success.
Thank you, all HNers at Google, for continuing to work there.
And yes, before you ask, I have personally quit a job that paid 3x what I was able to get elsewhere over ethics. And no, I'm not rich, probably bottom 5% in terms of assets among my colleagues, coming from a lower-class background.
We shouldn't accept "sideloading" as a term. It's meant to make "installing an app without monopolist approval" seem like a dirty/weird/niche trick.
> Google wants to combat “convincing fake apps”
Google can't even stop the scam ai companion apps on the play store that all use the same same backend full of characters...
Google also can't stop the huge wave of scam Bitcoin ads impersonating Canadian media outlets, with ai generated pictures and videos of politicians.
Get real Google.
Their own store has a dozen "AI Photo Editor Pro 2026" and "Turbo Deluxe Ultra VPN Secure Pro" apps that are "approved" and yet for sure have malware at worst and at best steals your data and serves nonstop pop up ads
Don't get me started. Every single app I search for on the play store gets a first sponsored result that is a completely different app. It is so utterly broken by design.
This is the same direction that Microsoft is taking Windows. Smart App Control is already rolling out to some regions - no .exe will run without a code signing certificate.
https://learn.microsoft.com/en-us/windows/apps/develop/smart...
Code signing by pseudonymous key is different that requirement to cede personal data to central registry
It requires a code signing certificate from one of the trusted central authorities, and generally as an individual you must have your legal name on the code signing certificate. It's not pseudonymous.
Code signing is somewhat OK as I can get code signing cert using provider in my country that I can go to physically and show their employee my ID.
If google does that then it’s not the worst.
Worst is having to get my ID and all details scanned and processed by Google.
I really wish Microsoft made it cheaper to get a certificate. With Apple you pay $100 a year for any number of certs. Last I looked into it a cert for a single Windows app costs $400+ per year and requires a hardware token.
They greatly improved the situation over the past couple years. Azure Trusted Signing is only $10/month and provides cloud-based signing.
It's a huge pain to set up initially, but it's smooth sailing after that. There's a good tutorial at https://melatonin.dev/blog/code-signing-on-windows-with-azur...
The setup is the most insane stupid stuff I've dealt with in a while. I am currently waiting for them to agree that my DUNS number is real, and they made me remove the WHOIS privacy from my domain name to verify that my address is associated with it. The billing receipts from my host were insufficient for reasons they couldn't explain. Had to upgrade to the $30/mo and then the $100/mo support plan just to speak to someone and it's been 4 weeks without movement. But hopefully it will be worth it in the end, the EV certs are crazy expensive and don't even remove smartscreen warnings anymore.
Ugh, sorry to hear that, yeah the whole setup process is just so insanely frustrating. I'm really dreading having to re-validate my identity documents once they expire.
For what it's worth, in my experience it was even worse with EV certs though - all the same steps including removing WHOIS privacy, plus some extra ones like voice phone number validation that had to be repeated every single year.
And then there were extra WTFs with the EV cert expiration being 365 days after an issue date which is several days before you actually receive the hardware token. Or one year they sent the hardware token fairly promptly, but forget to send the password needed to use it, and it took a week to get a response from support etc. Then again, Azure Trusted Signing has similar ridiculousness with billing being based on calendar months, with no proration for your first month even if you started at the end of the month... I mean it's just $10 but it really adds insult to injury after that signup gauntlet.
Anyway, I've heard that if your Azure Trusted Signing process gets stuck in limbo, it can be best to submit a different document, but I'm not sure if there's any alternative permitted for the DUNS step. That's especially annoying because trying to update outdated info with Dun & Bradstreet is problematic in my experience, i.e. their web forms just plain did not function properly.
Only available to US and Canadian businesses who have more than 3 years of tax history. Weird limitation.
Nice, thanks, I'll take another look!
I've grown increasingly hateful towards both my Android and iOS devices over the last decade. The platforms themselves are increasingly user-hostile, and their appstores are crammed full of shitty, privacy-invading, telemetry-hoovering, dopamine-triggering, ad-filled, lipstick-covered apps that are often garbage compared to the pioneering days of mobile. I miss the days of my old Palm Pilot.
Is anyone working on fixing this? We can do so much better.
GrapheneOS + F-Droid is a joy to use, for me. I'm kinda shocked when I use anyone else's phone, now.
If they start selling their own devices, I will buy one and (assuming it turns out how I hope it will) recommend it strongly.
Side note, I read that GrapheneOS project is having some challenges recently.. between [0]the Android kernel drivers no longer having their Git history of changes being released (only a code dump with no history) - and [1]one of Graphene's two core contributors being detained/conscripted into a war.
[0] https://grapheneos.social/@GrapheneOS/114665558894105287
[1] https://grapheneos.social/@GrapheneOS/114359660453627718
If an alternative, privacy-focused OS like Graphene can support contactless payments (universal, like Google Wallet does it, not having to install an app per bank or card), and can 100% reliably get around apps requiring SafetyNet (or whatever they call it now) attestation, then I'd start using it.
I'd also need an alternate, safe source for common apps like Uber, Lyft, Slack, Kindle, Doordash, my banking/credit card apps, and a host of others that I use regularly. (And, no, "just use their website" is not acceptable; their website experiences are mostly crap.)
Way long ago I used to run CyanogenMod on my Android phones, and it was trivially easy to get every single app I needed working. Now it's a huge slog to get everything working on a non-Google-blessed OS, and I expect some things I use regularly just won't work. I hate hate hate this state of affairs. It makes me feel like I don't actually own my phone. But I've gotten so used to using these apps and features that it would reduce my quality of life (I know that sounds dramatic, but I'm lacking a better way to put it) to do without.
For those watching this stuff, there are two other promising paths using ZK-proofs which might disarm the tradeoff situation we've been stuck in. Banking apps etc aren't willing to eat the liability of devices that are rooted or running alternate OSes, and Google's been banking on the exclusivity that brings from being both hardware and security provider.
Path 1: a ZK-proof attestation certificate marketplace implemented by GrapheneOS (or similar) to prove safety in a privacy-securing way enough for 3rd party liability insurance markets to buy in. Banks etc can be indifferent, and wouldn't ignore the market if it got big enough. This would mean we could root any device with aggressive hacking and then apologize for it with ZK-proof certs that prove it's still in good hands - and banking apps don't need to care. No need for hard chains of custody like the Google security model.
Path 2: Don't even worry too hard about 3rd party devices or full OSes, we just need to make the option viable enough to shame Google into adopting the same ZK certificate schemes defensively. If they're reading all user data through ZK-proof certs instead of just downloading EVERYTHING then they're significantly neutered as a Big Brother force and for once we're able to actually trust them. They'd still have app marketplace centrality, but if and when phones are being subdivided with ZK-proof security it would make 3rd party monitoring of the dynamics of how those decisions get made very public (we'd see the same things google sees), so we could similarly shame them via alternatives into adopting reasonable default behaviors. Similar to Linux/Windows - Windows woulda been a lot more evil without the alternative next door.
Longer discussion (opinion not sourced from AI though): https://chatgpt.com/share/68ad1084-eb74-8003-8f10-ca324b5ea8...
All of my bank apps work fine on graphene. I'd switch banks if their app stopped working, not stop using graphene. I stopped using Google wallet, I don't miss it enough to justify using stock android. For other apps, I just put them in a separate profile that has good play installed/configured. It really wasn't bad. The worst part is wiping your phone to install graphene the first time, I prefer just to get a new device for it so I can move stuff over
GrapheneOS can only be installed on Pixel devices, no? Hard to see Google not putting in a way to block that on their own hardware.
I've never done it but
"Many other devices are supported by GrapheneOS at a source level, and it can be built for them without modifications to the existing GrapheneOS source tree."
https://grapheneos.org/faq#supported-devices
How do you access banking and other sensitive apps? If the answer is, you don't, well, you can see how that's a non starter for the vast majority of people.
My banking app works fine on GrapheneOS. There is a crowd-sourced list here with current status for many of them: https://privsec.dev/posts/android/banking-applications-compa...
This is a good start! I think we need something like a ProtonDB for this sort of thing, but that covers all apps, not just banking apps.
I do see five banking apps I use listed there as working, which is great. But -- and maybe I'm being unnecessarily overly worried about this -- what about the future? What if I've been using Graphene for a year or two, and one of the ones that's critical for me changes how they operate, and Graphene no longer passes muster as a platform it will run on. I'm not afraid of this happening at all running Google's stock OS image, but once I do my own thing, I get to keep the pieces when it breaks.
I love how so many of the responses in this thread are "it works for my particular bank" or "my bank's website is good enough" or "I'd only need it to deposit checks, but I never need to do that"... as if those are actually helpful responses to this general problem.
Many many people have banking apps that will not work on non-Google-blessed devices, use banks that have mobile websites that are terrible, and need to do mobile check deposits (which is usually only available in the app, and not the mobile website, if the bank even has one). And no, we're not going to "change our bank".
The reality is that there are so many things that break, sometimes in subtle ways, when you try to use an alternative Android OS. Some people may not have any problems, and that's great! But many -- I would dare to say most -- will.
And there's also a ton of uncertainty: I don't really want to wipe my phone, install GrapheneOS, spend hours messing with it and setting it up, only to find that something critical doesn't work, and now I have to flash back to the stock OS, and hope I can restore everything the way it was.
There's bound to be tradeoffs between scrappy open source communities and trillion dollar industry behemoths. The fact that it's this close of a call is pretty amazing. And really you can blame your bank for not making a usable mobile site. A lot of businesses like to force users into apps because it helps with engagement metrics, not because there's any functional benefit.
Most banking app work, either directly or with a settings change to allow Google Play Service emulation. [1]
[1] https://grapheneos.org/usage#banking-apps
A web browser in the worst case scenario. The same way you'd do it on a computer.
This is quickly disappearing as an option as well. I need my bank app to authenticate even when using a web browser on desktop. Luckily my banks app still works on GrapheneOS, but I suspect it's only a matter of time before they disable that because of "security" reasons.
What bank is this? No bank I know /requires/ you to use a mobile app for anything; the web is enough. 2FA can usually be done via email, SMS, or a google-authenticator-compatible app.
For example, Starling Bank in the UK.
They have a nice web app, but you must use their mobile app to login on the web version. The app takes a video of a QR code on the web page during login. Web login completes as soon as the mobile app notifies the server. There's no 2FA code to enter, and no alternative.
I asked them about this, by phone call, when my phone screen broke and I urgently needed to make a transaction. Surely there as an alternative? Or could I do the transaction by phone call?
They told me that indeed there is no other option. Despite having phone customer support, they had no phone or web banking service at all which could be used without a registered mobile device. The only phone service they could perform was to register a new mobile device, which I didn't have. I had a tablet, but it was too old.
So I had no good choice. The Android phone I'm using right now was bought in a hurry just so I could be allowed to make a bank transaction.
It wasn't my first choice of phone. I didn't have time to investigate alternative devices, let alone weigh up open alternatives. I ended up buying a mid-range device under pressure that seemed ok and was available in a store without waiting. (It was a brand new Samsung, and despite the IP rating it got water damaged and stopped working entirely after a few splashes a year or so later, but I was able to get it repaired.)
I should say that I'm not from the US, so that might be why you haven't heard of it.
There is also an alternative for now, but nothing as simple as SMS or authenticator app. They give you a special credit card shaped card with a card reader that you can use to authenticate with using your PIN, which is mostly considered legacy now with the bank app. It's also not realistic to be carrying this thing around everywhere either as it's bigger than my phone.
There is also a national ID app that is used everywhere that I'm worried will stop working on GrapheneOS... Because without it I won't even be able to access online government services like healthcare, taxes, etc.
You still haven't answered their question.
Which bank?
I don't know the bank they are referring to, but I can cite an example for me: RBC Royal Bank of Canada requires the mobile app. There is nothing you can do on their website without first 2FA via their specific mobile app, and even then only in limited transaction sizes. If you want "full access" (e.g. up to $10k daily transfer via e-transfer) then you MUST use biometrics and the mobile app.
I don't want to reveal where I'm from so I can't say which bank specifically.
I am quite sure Starling Bank requires an app if you still wanted an example.
Android apps will be the IE6 activeX controls of the future.
What's wrong with their web apps? The only real shortcoming I can think of is depositing checks digitally but I haven't had to do that in years.
Unfortunately I have checks to deposit every couple months. And my bank has no physical presence, so the only way I can do it is through the mobile app. (They also accept deposits by mail, but I'm a little wary of that; a lost check would be a huge hassle.)
As a GrapheneOS user, the way I access my banking app is by downloading it from the Google Play store just like everyone else.
They don't all work, though: too many crank up the settings on google's various 'integrity' checks and will fail on anything that isn't 100% google-blessed. (Which is insane, because that's all that's required: on a previous phone of mine, it worked fine with a stock ROM with a bluetooth-based RCE, but upgrading to a custom ROM would have meant it was 'insecure')
Second phone for all official business apps, banking, etc. Never leaves home and it's used only for this purpose
Then use a laptop instead? Or you have one of those "modern" banks that's app only?
Is that a jab at grapheneOS ? Because thats just another thing that google is borking up. And a little bit more so the banks themselves.
GrapheneOS is the way that all phone operating systems SHOULD be made. Layers and segregation between your banking apps and all the privacy breaking trash and malware you can get off the app store.
It is the banks and google making weird rootkit shit to try and lock down things that is the problem here.
My credit union app already wants 24x7 GPS tracking of my location and full access to my camera at all times and full access to my collection of photos, so the app is already dead to me anyway. Demanding that I use it on a locked down device isn't going to change anything for me, I'm already actively not using it. I use the website on a desktop, I rarely need to access my CU at all much less access it remotely. Given the large amount of battery and bandwidth already used to track my every move, I wish there was something like "Docker for phones" where I could enable and disable 24x7 full access to my every action IRL.
This is absolutely insane. If you block access, does the app stop working?
Uh, my bank has a pretty good mobile website, personally.
How is GrapheneOS / SeedVault looking these days in terms of being able to capture reliable backups and restore them to another device (without using the cloud)?
I gather the introduction of the android:allowBackup="false" manifest flag complicated things somewhat... I thought I read since then that a Device-to-Device (D2D) impersonation mode was implemented, and would love to hear if that helped?
(I posted a couple years ago about this topic, admittedly it was a bit ranty: https://news.ycombinator.com/item?id=37774254)
I tried to screenshot some app on my android the other day and got an error toast reading some bullshit like "this action has been blocked by the admin." Uh I'm the admin and this is my hardware... The sketchy app was trying to prevent screenshots.
The crazy thing is this is all under the pretense of preventing malware. And I constantly hear this argument that the app stores protect people, even from developers.
I truly don't get it. Are these people from 2009? Have they seen the apps on the current app stores? If you're lucky your highest rated flashlight app will only have a few Fullscreen ads and a subscription less than $10/mo. The recipe sites from content farms are less bloated and way less scammy.
It's certainly not about preventing scams. It's about preventing competition in the scamming business.
I happen to know the situation in some of the countries mentioned in the article.
There are millions of $ stolen via side-loaded malware.
It's good they decided to do something about it.
from the techcrunch article:
> According to its own survey, Google says that more than 50 times more malware came through internet-sideloaded sources compared with Google Play, where it has required developer verification since 2023.
50:1 is not preventing. It is just "well, we are better than nothing"
I'm pretty sure there can be other curated stores that can serve the customer¹
[1] customer: owner of phone, not advertisers, data merchants, etc
I regard Google highly in many domains, but this needs independent research. There is just waay too much opportunity to misuse data to paint a picture of themselves as the protectors. Especially curious about their definition of malware, because to me the app stores seem worse than browser toolbars from the 2000s.
Vollo from German is one https://volla.online/. They sell a nice set of devices that run either a custom Android or Ubuntu Touch. Their custom Android has a nice bunch of UI and privacy features.
Fairphone from the Netherlands is another https://www.fairphone.com/
Another one is https://murena.com/ which (IIRC) is based in France. They don't have their own hardware though, they sell partner phones with their ROM preinstalled.
For once Fairphone never updating their phones will work in our favor! If Google roll sthis out in early 2026, anyone with a Fairphone can rest easy that they won't receive that version of the operating system until mid-2028 at least.
> Fairphone never updating their phones
I have a Fairphone and i get updates pretty frequently so not sure what you mean?
What major version of Android are you on? Last I checked (a few months ago) all Fairphones were still on Android 13.
Ah, you mean that. Yeah it's still 13.
I have Android 15 on my work phone and 10 in private. I don't really see the difference besides that they've made it more annoying to turn wifi off (requires an extra tap now, first the general internet menu and then a small slider for wifi or mobile data). Genuinely not seeing any significant changes from a user point of view (I'm sure there's lots of new SDKs for the developers, but while I've made apps before, I'm not a mobile dev keeping up with the latest things)
That Fairphone has 13 just tells me they don't waste employee time in their small business on useless upgrades just for the sake of it. Their point is fair wages and ethical mineral mining: better that they have a workable phone without even more fluff, it seems to be tricky enough already in this world :(
Android 15 has things like native satellite communications. It's not just UI changes, the backend OS is more capable.
Fairphones are also LineageOS and postmarketOS compatible, both options are without tracking and without Google's mandated policies.
LineageOS without gapps is really usable if you set aside the "big" social media apps. WhatsApp can be sourced from their website as an APK. The social apps like facebook, instagram, snap, tiktok and others all require Google Play's tracking services (aka gapps).
For YouTube there's multiple better alternative open source apps available, and mastodon, amethyst and the fediverse apps on f-droid are far superior in terms of performance to the Google Store alternatives.
The Linux Experiment podcast has a nice review of the Vollo phone https://www.youtube.com/watch?v=Dh-rIxrGXFU
Windows 10 Mobile was good.
The entire developer experience was fantastic and the thing that killed it was a lack of desire from the upper leadership when it felt like they couldn't compete with the duopoly.
The developer experience was trash.
Did you have a wince app? Too bad, throw away all that and rebuild for wp7.
Do you want do anything useful? Actually, you better wait for wp7.5.
Oh look, we have a totally new thing with WP8. Upgrade to the newest framework so you can use the WP8 features... Oh, but you still need to build for the old framework for WP7. Hey, how about WP8.1, kind of the same deal.
My personal favorite though was WM10; you now need to build a Universal app that only runs on the very small number of WM10 phones... If you want to run on WP7 and WP8 which still have more sales, a universal app doesn't run there. Also, even though we said WP8 phones would be able to upgrade, either we changed our mind, or the experience is so bad most people won't. And the cherry on top... Users who upgrade from 8 to 10 might need to delete and reinstall the app, otherwise it will just show the loading dots.
Did we mention, we decided we didn't need engineers in Test in the run up to WM10? Couldn't possibly be why the release was terrible.
It's incredible that by the end of it, the WM rollercoaster made us actually miss WinCE. If you had have told us that initially none of us would have believed you. WM had so much potential and was just totally botched.
Start complaining to your government about every shitty thing the apps and OSes do, and tell your friends to do it too, eventually we may get some action on it.
We are all mildly annoyed and therefore mildly motivated to fix the problem. Apple and Google are extremely highly motivated to retain the status quo. I still try to vote with my wallet but it's going to be hard to counter their well-funded lobbyists.
You can enjoy “good old days” from what you remember of iOS and android. I also say enjoy the LLM good new days while they last.
I think before we can fix all that we need to revert the renting of software via subscriptions and go back to one-time-payment. But people are too greedy for that.
I too miss Palm. I had a Pilot, then a Treo, and finally a Pixie. When HP bought Palm, I switched to iPhone. It was a sad day.
I cut my teeth on commercial b2c & b2b app dev/sales on Palm OS from the age of 14. It was sad but now I'm a full-time bootstrapped iOS dev thanks to that experience.
I'm right there with you. These platforms are cancer. There's a small but growing movement away from smart phones. It'll probably never go mainstream, though.
I make a point of never installing an app when there's a usable mobile site. Even if they prompt me to install every ten seconds.
Every time Reddit asks me if I want to open it up in their app, I want to do that even less.
please don't take it out on us mobile devs
Heh, I've always done this. Maybe if every mobile dev made sure I could find text like I can in a browser I'd be less strident. But really, I need a very good reason to install stuff.
Mobile in general is a second class ecosystem. You're paying to ride in a bus that most ride for free, and when you sit down it's squishy.
It's also super nice to take notes on the fly for OpenStreetMap with StreetComplete, for holding the device up to the sky and it tells you what planet is so bright in the sky, for navigation... These things don't work on a laptop. Even if you want to carry a full-sized system in place of a smartphone, or use Ubuntu Touch, I'm not aware of software to do these things in the convenient way that Android apps let you
Of course, that's a software support issue and not a constraint imposed by the OS. Someone could make Stellarium desktop work with an orientation sensor. It's just that nobody has done that particular thing, as well as a million other things that work super well on mobile
So is it second-class, or is it just a way that is optimised for output rather than input? You get the turn instructions presented to you, you can watch videos and listen to music, note-taking is optimised to work with a few taps and is reduced to the essentials you need. You can work them out later on computer if you have time at home over of course, but at least you can contribute that way with ease
Some Linux phones exist. And there is sailfishOS too.
I mean, just get a rootable phone and roll your own RoM. If you can type stuff in a terminal, its not that hard to do.
You can pretty much disable all google services. Just a fair warning though, the experience is quite degraded.
> Google notes “supportive initial feedback” from government authorities and other parties:
Ah, then I guess everything is fine. I'm sure they aren't in favour because it gives governments greater control over what apps we're allowed to have on our phones. That would be absurd.
I feel like that makes the most sense. That this isn't something Google thought up but something that the EU wanted to ensure its government ID app was "safe". Google does benefit but the timing seems to line up.
They trialled this in Singapore and I’ve been telling people on Hacker News that it’s been going to happen for a while:
> Singapore Android users to be blocked from installing certain unverified apps as part of anti-scam trial (07 Feb 2024)
— https://www.channelnewsasia.com/singapore/google-android-dev...
It makes total sense to the average person. There has been a constant stream of “yet another Android user got scammed out of their life savings because of Android side loading; iPhone users not affected”
It’s an inconvenient fact for power users, but side loading makes users significantly more vulnerable to scams and restricting side loading is both a predictable and reasonable response to that fact.
If you don’t like this, you need a better argument than “my desire to run any app I want is more important than pensioners losing their life savings” because that is not a winning argument with the average person, with governments, or with Google/Apple.
— https://news.ycombinator.com/item?id=44194034
> As I’ve mentioned here before, sideloading is a genuine security concern, not merely an excuse for Apple to exert control. There is a never-ending stream of people losing their life savings. It happens on Android and not iOS because Android allows sideloading and iOS doesn’t. There is a very real human cost to this.
> Police warn new Android malware scam can factory reset phones; over S$10 million lost in first half of 2023
> There have been more than 750 cases of victims downloading the malware into their phones in the first half of 2023, with losses of at least S$10 million (US$7.3 million).
— https://www.channelnewsasia.com/singapore/android-malware-sc...
> DBS, UOB become latest banks to restrict access if unverified apps are found on customers' phones
> They are the latest banks in Singapore to do so – after OCBC and Citibank – amid a spate of malware scams targeting users of Android devices.
— https://www.channelnewsasia.com/singapore/dbs-uob-anti-scam-...
> 74-year-old man loses $70k after downloading third-party app to buy Peking duck
> “I couldn’t believe the news. I thought: Why am I so stupid? I was so angry at myself for being cheated of my life savings. My family is frustrated and I ended up quarrelling with my wife,” said Mr Loh, who has three children.
— https://www.straitstimes.com/singapore/74-year-old-man-loses...
> Singapore Android users to be blocked from installing certain unverified apps as part of anti-scam trial
> "Based on our analysis of major fraud malware families that exploit these sensitive runtime permissions, we found that over 95 per cent of installations came from internet-sideloading sources," it added.
— https://www.channelnewsasia.com/business/anduril-secures-305...
> CNA Explains: Are Android devices more prone to malware and how do you protect yourself from scams?
> Why are scammers more likely to target Android users? How do you spot a fake app and what should you do if your device is infected by malware?
— https://www.channelnewsasia.com/singapore/android-malware-sc...
> Nearly 2,000 victims fell for Android malware scams, at least S$34.1 million lost in 2023
> In 2023, about 1,899 cases of Android malware scams were reported in Singapore. The average amount lost was about S$17,960.
— https://www.channelnewsasia.com/singapore/android-malware-sc...
> Android users in Singapore tried to install unverified apps nearly 900,000 times in past 6 months
> These attempts were blocked by a security feature rolled out by Google six months ago as part of a trial to better protect users against malware scams, which led to at least S$34.1 million (US$25.8 million) in losses last year with about 1,900 cases reported.
— https://www.channelnewsasia.com/singapore/android-users-inst...
All of those links 404s for me. Can you explain how the malware works? You are aware that it's not the app store that protects you, but the sandboxing? Are these impersonation vectors, ie phishing?
Oh, thanks for pointing that out. I copied and pasted from my previous comment here:
https://news.ycombinator.com/item?id=44194034
I didn’t notice that Hacker News had truncated the URLs for display. You can get to the articles by following the links in the original comment.
> You are aware that it's not the app store that protects you, but the sandboxing?
Both protect you.
> Are these impersonation vectors, ie phishing?
It’s a variety of things. Some use accessibility hooks to act as key loggers. Some seem to use exploits. Some are phishing by impersonating other apps.
I know the situation in Singapore and Thailand and I was curious if there would be anyone mentioning it in this discussion. Thank you for your comment, you should be upvoted.
I'd wager there will be a buried setting to manually enable specific apps along with a warning. Like how macOS does it now by blocking unsigned apps.
When people say just use Linux I can only think of what was known as far back as 2014.
> NSA: Linux Journal is an "extremist forum" and its readers get flagged for extra surveillance [0]
Looks like this is a part of the move toward Chat Control and ending E2E encryption.
[0] https://www.linuxjournal.com/content/nsa-linux-journal-extre...
They saw Apple getting away with notarization under the DMA so they're doing the same. I must admit the mass demotivation strategy is working really well. Seeing this kind of news every single day, affecting you directly and not even being able to do anything
Yep. I feel powerless, and I don't know what to do. I don't think there is anything I can do, except for watch all of technology get locked down to the point that you need a monopolist's or a government's permission before you do anything with it.
It's so fundamentally depressing, and completely at odds with how I grew up viewing tech.
I predict Windows will end up going this route before Google backtracks on it.
This is the future; partially fuelled by malware, partially fuelled by the desire for platform control, and partially fuelled by government regulation.
As an example of government regulation driving this change, see [1].
This regulation of NSW, Australia considers rooted devices with extra non-Google/non-Apple approved security features such as a duress/wipe PIN (a standard feature of GrapheneOS[2]) as a "dedicated encrypted criminal communication device". How the device is being used doesn't matter. It's how it _could_ be used.
[1] https://classic.austlii.edu.au/au/legis/nsw/consol_act/ca190...
[2] https://grapheneos.org/features#duress
I don't know that it's that simple. Further down that section (1920) in reference [1] reads
"(3) A dedicated encrypted criminal communication device does not include-- (a) a device if-- (i) the device has been designed, modified or equipped with software or security features, and (ii) a reasonable person would consider the software or security features have been applied for a primary purpose other than facilitating communication between persons involved in criminal activity to defeat law enforcement detection,"
It's not automatic: depending on what a reasonable person thinks and the definition of criminal activity.
> applied for a primary purpose other than facilitating communication between persons involved in criminal activity to defeat law enforcement detection
Does the jurisdiction matter? For example, if an activist was using a device to do things in another country that would be legal in Australia but were crimes in the other country.
I doubt a judge would interpret the law that way.
> depending on what a reasonable person thinks
But this is just legal fiction, so not a barrier to "automatic"
I mean, in my country, it's increasingly unclear to me whether things like "loudly criticizing the executive branch" are now considered criminal. Recent executive branch statements on this issue seem to indicate that they may consider some critics criminal just for being critics. But it's hard to be sure. And so far, every critic they've threatened to arrest has also been accused of committing other crimes.
So "the government only considers a duress PIN illegal if it is used to facilitate crime" seems like a potentially tricky standard to apply.
I love how this statement could apply to so many different countries right now!
At the pace of regulations we have, one day everything will be forbidden and we will all be criminals just for protecting our own wealth or security from these... yes, from these mafias.
And we will all rationalise it and believe it's normal and has always been like that.
Sad but true for so many people.
I could use a knife to chop meat, not people; I could use a car to commute, not as a high speed bullet; I could use a gun to eliminate pests, not to kill people. Just because I can use something to do something nefarious doesn't mean it should be banned, of we should not use Internet at all because it facilitates scammers.
It is always the human mind that dictates the action, not the tool. It is futile to try and ban the tool, and I bet 100% they knew that.
This is uncanny and worryingly specific, and I'm not a lawyer, but if you're not already under suspicion of being a criminal, then installing graphene doesn't match this definition I think
"This regulation will only apply to people who are already criminals" is a line that has never held
Suspect, they wrote, and that happens all the time. If you go into a store on the way home from work, and 99 days this works fine but the 100th day they want to look in your bag, but you can't show them confidential drawings of the Google Pixel 14 Max that you carry as part of your work, now they'll think you really did steal something and you went from no suspicion (spot check) to definitely a suspect and new things start to apply to you, e.g. if you leave without resolving the suspicion the police might have grounds to enter your house or search you when you walk out next time. The suspicion is based on being a suspect, not on any actual evidence (nobody saw you put anything in your bag)
I mean, you don't really have to speculate about what this is for, it's for an authority providing for lawful search, it seems pretty well-scoped, and similar to any old search warrant, which is not a new thing, really https://classic.austlii.edu.au/au/legis/nsw/consol_act/deccd...
Basically, they're not really setting up for a blanket ban on personal security features, that interpretation is obviously catastrophizing. Not that there aren't hamfisted laws somewhere like this, but NSWs implementation seems OK I guess
We have mass surveillance already in all 5 eyes countries that assumes that anyone can be a criminal at all times.
Microsoft has way too much of legacy software people use, banning it all overnight will not go well at all. They understand that as well.
They tried to pull a similar move with WinRT/UWP, but nobody wanted it, so now you can continue with Win32.
They would love to do so, but legacy compatibility is a major business advantage.
Microsoft mismanaged it but there was a potential parallel universe where they were successful at that plan and consumer versions of Windows would be locked to the Microsoft store.
They did a bunch of terrible inept rollouts with confusing technology for both users and developers and effectively shot themselves in the foot. But it did not have to go down that way.
Yep. They fumbled the ball on step 1 of demand aggregation and we got lucky there was nothing of value for the 99% of users that will blindly take the easy path.
> there was a potential parallel universe where they were successful at that plan and consumer versions of Windows would be locked to the Microsoft store.
Sounds like a nightmare universe.
I've got a hobby app in kotlin multiplatform with iOS/Android/Windows/WASM builds and while I have no issues with Apple's App Store or Google Play, I've had nothing but problems trying to support Windows Store.
The MSIX installer format is horrendous to deal with and the certification process for new releases on Windows Store is always far too long and in the cases they do find issues the reports of the issue that they log are entirely worthless.
I ended up just pulling the app off the Windows Store entirely and making it a downloadable *.msi installer. While the extra layer of presumed integrity of the app being on the Microsoft Store would be nice it wasn't remotely worth the effort for the tiny amount of people who were using the Windows version in the first place, especially given the app is free.
That's funny because I don't presume anything on the Windows store has integrity and feel safer downloading the MSI from the official source.
this is literally just an xbox lol
> Microsoft has way too much of legacy software people use, banning it all overnight will not go well at all.
A lot of legacy software was killed off with the move to 64-bit Windows. Consumers survived that and for businesses registering their software with MS isn't a problem. They're already handing Microsoft all of their company email, their documents, their spreadsheets, etc. and paying Microsoft for the privilege. MS doesn't care at all about consumers.
Was it? WOW64 runs 32-bit software fine enough. Or are you talking about 16-bit applications?
MS is now competing against businesses that see their users as profit centers. (Google, Meta, Apple)
Windows was never going to go another way than this.
Users who care about hardware and/or software freedom should be on linux.
They can just require hash of legacy binaries sent to Microsoft and rubberstamped back. Eventually they'll have a near comprehensive list of legacy binaries in common use, and move to block unknown binaries in circulation as "malware".
Microsoft basically already has this (and has for the last ~20 years) as SmartScreen.
When was the last time you opened your start menu?
The malware excuse is just a palatable false pretense. "We have to protect granny!" Of course, she is getting fleeced by plain scam calls, not somehow sideloading apks onto her idevice, but the truth doesn't help advance their narrative.
Granny can get scammed using Anydesk, available on Google Play.
Imagine that metaphorical granny that in an instant catches fire and turns into ash if the governments and large corporations don't have complete control over our lives.
What a lovely granny that totally exists.
I suspect it's not grandma getting scammed by APKs, but people installing cracked versions of spotify/youtube/paid games.
> cracked versions of spotify/youtube/paid games
This doesn't make much sense to me.
To put the strongest face on it, by "cracked" youtube, you mean a version that shows the cracker's ads and maybe somehow generates extra clicks (or whatever) so they can get money out of it?
Cracked spotify? In my mind that's just like YouTube, almost entirely server-side. I guess you're talking about hijacking ads here, too? I feel like a "real" crack of Spotify would let you listen to music for free, but that should be impossible (unless their SWE's are incompetent).
They mean apps like SmartTube, Vanced, Instander, Spotify Premium Mod which block ads or grant other premium features for free.
You are approaching as is the malicious developer was trying to add useful features for the users.
But in practice, these “apps that lookalike popular apps” are not intended to just be adware-less versions of the popular apps. They are frequently “hide the ads, inject the malware with more permissions” Trojan horses.
I think there is likely a dual motive from Google where they both want to stop malware _and_ stop people blocking youtube ads. The malware problem is real though.
no, cracked as in the ad-free premium versions, without paying for them
Those "cracked" versions often require extra permissions.
My favorite was a local "discover which on your contacts is on the leaked Covid quarantine list[1]" scam app. It claimed that the extra permission dialogs are just fearmongering by Google, who is in cahoots with big pharma, and wants covid to spread to sell more medications.
[1] In fact, no such leak has ever taken place, its existence was just part of the setup for the scam.
My mother in law is constantly worried by some Google Ads in random apps that her phone is hacked...
Did she ever get anything side loaded like that? I have downloaded malware by mistake before. Not once were they allowed to proceed with installation. The only way I got anything side loaded was if I installed the first one (which is always Fdroid) deliberately via ADB after I enabled the developer mode.
This is the year of Linux on the Desktop!
I think the first thing Windows loses dominance in is Gaming, and that will be the beginning of the end.
Are there still people who like using Windows?
> Are there still people who like using Windows?
You are assuming that everyone knows about or ever experienced the alternatives. Windows way is the only way for many.
No I'm not. I asked if anyone likes Windows. These people presumably have no opinion, it's just a means to an end. The closest thing I think you'll get is "I liked Windows 7" or something like that.
Linux is at 5% desktop market share this year, and I gave up on running windows games without steam a decade ago.
On average my game library works much better under Linux than Windows (Mac is a distant third — probably worse than FreeBSD).
Anyway, at 1 in 20, most people probably know someone that runs Linux.
Malware is the excuse. Control is the goal. Extracting as much money from people while providing less actual value.
The saddest part is this is to the detriment of literally everyone except a couple rich owners of those companies. And everyone has the right to vote. But western democracy is so indirect the people who understand and care have no way to change the law because their signal is lost in all the noise by those who don't know or don't care.
If the vote came down to people in favor of walled gardens or in favor of forcing companies to open their platforms, with everyone else not voting, it would be a landslide. But there's no way to vote on it this way.
“western democracy is so indirect the people who understand and care have no way to change the law because their signal is lost in all the noise by those who don't know or don't care”
Wow, how fix (WITHOUT intelligence tests as voting requirement) :(
> This is the future; partially fuelled by malware, partially fuelled by the desire for platform control, and partially fuelled by government regulation. I would say it’s really 50% platform control, 50% government regulation.
Malware is the excuse. I went, without super skill, 40 years while only contracting two viruses ever (one was Kakworm, the other was inert at the time because I was an Amiga user who kept a copy of Scorched Earth on a floppy, which never infected my Amiga).
This would also mean eliminating WSL2.
> I predict Windows will end up going this route before Google backtracks on it.
It will not happen in the next 10 years. Right now people would just make generic launchers and then use them to manually load and execute any binary they please. Options include just writing your thingy in a scripting language and run it in node.exe, python.exe, or compile it to WASM, use native bindings of a scripting language, abuse a random verified electron app, ship with and use a random vulnerably driver, etc etc.
Even remotely getting to the point where locking Windows down to that degree would be possible is going to take MS a long time, fighting friction from users all the way. The whole ecosystem would have to change drastically for that sort of control to even be possible and make sense.
The holes aren't really there because it would be so hard to close them in a vacuum, they're there because decades of software people use rely things working the old way. People aren't going to switch to a new OS on which almost nothing works anymore.
I just want to say:
I am so sick of Google.
This is a monopoly with annual gross revenues bigger than all but 42 countries behaving this way.
They have conspired to control the web, browsers, mobile computing, and soon AI. It's sickening how much bad behavior they get away with.
They were able to use YouTube to bludgeon Windows Phone to death and become the de-facto mobile duopoly. Then they were able to get their shitty search engine on all the panes of glass, didn't care one iota about search quality (just ads), but were able to leverage their browser engine control to remove adblocking capabilities.
I hope the DOJ/FTC split Google into a dozen companies.
Sincerely.
> I hope the DOJ/FTC split Google into a dozen companies.
There's no chance of that under the current regime. It loves bribery and Google has the money to get whatever they want.
Yeah, it is so weird to read comments based on a belief that the current government is aimed at some goal of justice. I guess they're just still drinking the Kool-aid?
Trump was a breath of fresh air talking about frustrations with the status quo that other politicians wouldn't acknowledge. But the only reason he was bringing them up was for use as a cudgel to shake down companies to enrich himself. He will very most certainly go after big tech monopolies and break them up... iff those big tech monopolies don't put bribes into his pocket. As long as his pockets get fatter, then the status quo is just peachy. It's called "making a deal".
control=surveillance
control is the entire point of the surveillance
This whole thing is getting totally out of surveillance!
Someone should hit surveillance-alt-delete!
government unregulation
It's still government regulation. It's just that they have changed the target or regulation from commercial entities to regular individuals like you.
DO NOT UPLOAD YOUR ID/INFO TO GOOGLE. I put my game on their app store some years ago, and they doxxed me right on the app store. Google posted my name and home address right on the game page. Not great when I was already receiving death threats! Later on, had a rando show up at 3AM one night and had to call the cops out. I moved after that. Google is absolutely not to be trusted to keep this data confidential. If Google demands I do anything with them, I'll just tell my fans to install lineageos or whatever instead -- no way in hell I'm having ANYTHING to do with google ever again. GFY google!
If you are having random people try to attack you while you are at your home, you need to be prepared. Strengthen your door jambs with nine inch screws to replace the screws your door is mounted to and use metal plates to strengthen the locks (there are kits available at home improvement stores), install adherent plastic frosting on your windows that will slow down break ins by making the window much more annoying to break through, and install surveillence cameras outdoors. On the offensive front, you can consider OC/CS grenades you can throw down the hallway to avoid exposing yourself and handheld pepper spray for non-lethal deterrence at moderate range. Finally, if all else fails, keep a loaded handgun in a easy to use but hard for kids to unlock gun box under your drawer next to your bed. An under barrel flash light severely blinds invaders and makes them think twice about charging you, maximizing the chances that you nobody will get hurt. The door jamb upgrade is the most important one. I have returned home to a severely beaten door with my shattered iron door knocker on the ground laying in front of the door in pieces but the house was impenetrable to the burglar(s) who weren't willing to break through the glass. It also doesn't hurt to install fake $5 security dome cameras around the property.
Or just don't give your home address to Google.
What do you mean by "Google posted my name and address"? How? Why?
If your app is monetized, the contact details of your "business" are shown in the play store. For many smaller developers, this will just be their home address.
https://support.google.com/googleplay/android-developer/thre...
That's absolutely correct.
That's why you have to have a business address, and get all your business admin ducks in a row, even if it's your first real monetized app. Your future self will always thank you!
What was the last time there were some actually good news in big tech? For those that don't hold stocks I mean.
> What was the last time there were some actually good news in big tech?
The issue is that the good news are often incremental, while the bad news come in large steps, which makes them much more noticeable.
We're in the era of less control, more surveillance, more "security", more being treated like a child and lied to.
Just yesterday I got a venmo prompt to add biometrics for "security". F off.
"Just yesterday, an app that directly impacts my money, asked me to make it more secure" - how did you survive?
Vemno doesn't get your bio data, it just gets a true or false from the OS.
I had to do a government ID upload and a live face scan to install my banking app on a new phone even though I had other devices I could have used to authorize it. It made me want to switch banks, but where do you go?
For what it's worth, Venmo will not get access to your biometrics data, it's a black box in which you specify a desired level of authentication and the OS just returns ok/not ok.
It is, however, to make you use Venmo more easily, thus more often, thus spend more money through them.
Last week. The bags I’m holding for Intel got a little lighter. Lmao.
Nana is still not happy
> developers will have the same freedom to distribute their apps directly to users through sideloading or to use any app store they prefer. We believe this is how an open system should work—by preserving choice while enhancing security for everyone
I guess words don't don't have meaning anymore, how can you claim to have an open system in an announcement about closing it down?
It's also telling that the big supporters of this are apparently corporations and governments. Admittedly I don't know what "Developer's Alliance" is but they don't seem to care about developers very much, and I wouldn't surprised if they were just a "pay us to say what you're doing is good for devs" kind of thing
> developers will have the same freedom to distribute their apps directly to users
You have here Google making a statement it can't actually fulfill and one that it knows it can't fulfill. So Google is willfully lying here.
The minute Google has a technical capability to control what applications run on Android it's out of their hands. It is in the hands of courts, governments, dictators and authoritarians. That's just the nature of the world - Google has to obey the law and Google doesn't make the laws.
I guess it sounds hysterical, but in that sense, this is an absolutely massive loss of freedom for the entire planet as communication power that rested with individual choice is now transferred wholesale back to governments by this decision.
The Developer's Alliance address is a coworking space in Washington DC, if you want to rate the likelihood it's just an astroturf for public tech policy wonks.
This is crazy. I can't install my own apps on my own phone anymore.
I am gonna start carrying around a laptop with a 5G modem instead.
I'm thinking it's time for a 2nd phone (in my case old one from cupboard) to become the regular daily GrapheneOS enabled driver and then keep a modern Google(tm) updated one at home for all the "official crap" whenever needed. That way I can also separate banking / paypal / etc. from my carry phone with all it's various apps that I trust to varying degrees.
This was the first thing that crossed my mind. If it’s not too much money and hassle I could buy a second device for GrapheneOS and tether to the cheapest phone I can get for the official ecosystem.
Really though, it doesn’t have enough impact for consumers. If I get unfairly banned as a developer, no one even notices because that’s nothing more than an opportunity for another developer to step in.
Individually we have no power :-(
Those are the moments I am starting to fantasize about starting a customer protection group that is sufficiently committed to follow through on organizing boycotts. Naturally, reality hits once you see average human on the road ( on a highway, full speed ). We might be lost a species.
I wonder if you could keep your "snitch" android phone home by instrumentalizing it, enabling you to access it remotely on your main linux/degoogled android phone. It might not even be that outrageous of an idea since there are tons of botfarms that are essentially stacks and stacks of legit phones being remotely controlled... the tech might be there already, just need to adapt if for something good...
https://github.com/Genymobile/scrcpy
How likely is it for google to deny access to all or most of the apis that makes this possible? Then you need to point a camera to the screen, mike the speakers and so on...
If you asked me yesterday if Google would ever block sideloading, I would have said no.
All bets are off at this point.
I'm curious why you need a phone for banking at all, at home as you say. Wouldn't a laptop suffice? Granted, not all banks have a web app these days
Not for me at least, 3DS requires approval in an app on my phone. I'd love if the banks just used TOTP instead but no, I have to use their app, some of which don't work with an unlocked bootloader, so I have to have stock android
ding ding ding a second phone is the correct answer
Don't worry, they'll stop letting you access your bank without an app soon enough. Gotta protect the children and what-not.
I just got a letter from my bank stating this. Website is going away, app only access. It's very disappointing, for security I never have any banking access on my mobile devices
Time to switch banks.
That's indeed what I'm planning to do but I'll buy a Steam Deck
I have been looking into this as well. There are a few devices from GPD Win that are smaller than the Steam Deck but also have a physical keyboard.
I cannot resist the urge to point out that we wouldn't have had this problem if people actually sticked to free software instead of "commercial use friendly" open source licensing
You are 100% correct.
Such a shame that the Free Software Foundation has been such an awful steward of the GPL. The fact that the GPLv3 didn't close the network hole is a decision made either out of myopia or abject cowardice, you shouldn't need a separate license (AGPLv3) to ensure true freedom of the codebase.
Sure, but just the regular GPLv3 would have been good enough to prevent this particular abuse.
That's fair, but a more pervasive Free Software ecosystem might have possibly avoided this outcome entirely. And that failure is something we can lay directly at the feet of the FSF.
If RMS was going to piss off the entire industry with a new version of the GPL, the least he could do was close the network hole. What we got instead is a half measure that satisfies nobody.
More importantly, he completely missed the boat on App Stores. Why was there never any watered down version of copyleft that could be used as a wedge to try and pry open app stores over time? They did it for libraries with the LGPL, but apparently app stores werent worth specials casing.
In practice we see the reverse and GPL projects being rewritten as more permissive.
The busybox/toybox case looks especially relevant and interesting:
> In January 2012 the proposal of creating a BSD license alternative to the GPL licensed BusyBox project drew harsh criticism (…). Rob Landley, who had started the BusyBox-based lawsuits, responded that this was intentional, explaining that the lawsuits had not benefited the project but that they had led to corporate avoidance, expressing a desire to stop the lawsuits "in whatever way I see fit".
source: https://en.m.wikipedia.org/wiki/Toybox
Free choice in the market is a lie anyhow. You are limited by what is actually been made available in the marketplace in sufficient quantity. "You can have any color you want, so long as it is black." - some old racist industrialist.
An interesting idea. But who would have to "stick" to such software? The users?
It seems to me that most of the users do not care much about what kind of software their phone runs, unfortunately. As long as it works with Instagram or whatever other big brand social media is trending these days, they are happy. Which is I think understandable.
The companies developing the apps are in my opinion driving this cultural shift. And they are doing it mostly because it brings them commercial advantages. Which is, I think, also understandable.
Everyone involved seems to to what appears to be in their best interest. And yet, collectively, we as a society get a worse outcome overall. This phenomenon perhaps has a name.
In order to break out of it, I think that the incentives on both sides need to be adjusted. It needs to be in the companies' interest to produce apps as open source. And the users need to want them.
The only way I can think of to achieve that kind of a change is when the open source apps and products become just inherently better than their proprietary alternatives. In all categories. Then, the people would want them. And then the companies will start to produce them.
It is a very tough goal. The commercial apps do not have to be better in all categories to retain their users. They can use vendor locks or other business strategies which restrict the users' ability to leave them.
Open source apps cannot do such things. The only fair ground on which they can compete is their quality.
Except Android is based on Linux.
So people from countries US has sanctioned can't even develop and use mobile apps anymore. This will change millions of innocent lives. So unfair and racist. The reason my people are in this mess in the first place is a US coup.
Agreed!
I don't blame Goggle. Apple escaped anti-trust by simply not allowing anyone except themselves to put software on iPhones. Seriously, Apple doesn't allow competitors so it can't be anti-competitive according to the case.
Totally brain damaged ruling, the judge must have been molested by an Android phone at some point, but here we are, and google is now moving closer to an Apple model.
A few years from now: After reviewing the usage of the approved sideloading feature, we discovered no more than 0.01% of users ever sideload an application. For security, sideloading is now disabled on all devices forever.
Time for a Steam Phone. Or FirefoxOS reloaded. The general purpose mobile computing market must be sizeable. I cannot believe everybody just puts up with these increasingly draconic restrictions.
I think a big problem is that the users have been trained to accept the status quo. I mean back in the Feature phone days we would share Java phone games at school via Bluetooth. I’d assume kids these days generally don’t anymore.
Also, due to the cost of physical media piracy was rampant even amongst boomers. People knew and had the option to buy a dvd player that could play video cd because that’s how movies were ripped.
Even during the early iPhones we were so stripped of even basic features that a jailbreak was 100% required if you wanted to even basic things like taking videos or changing the Home Screen background.
None of this is necessary anymore. The users gets the phone and it just works from their perspective at least.
So who is going to try to run a business off of nerds like us who want to have this sort of control over our devices (I’d call it freedom but the average user doesn’t feel unfree)?
> we would share Java phone games at school via Bluetooth. I’d assume kids these days generally don’t anymore.
I am both happy (from a user-friendliness point of view) and sad (from a "works offline" perspective) that F-Droid's share button now shares a link that will show them info about the app with an option to install the software, instead of the share button directly giving you an APK file with no way to link someone to the 'store' page. I'd personally still know how to send people APKs via hotspot or bluetooth (such as for peer-to-peer voice/message apps) but a lot of people won't
This move from sending each other software to sending each other links to centralized platforms has been long ongoing. Most messaging systems don't allow you to send executable (.exe, .apk, .sh, etc.) files anymore. And I believe that virtually all of them individually do it for your own good, but the combined result is a societal shift
There has to be a threshold where enshittification has been pushed so far that nerd software becomes the thing cool kids boast about running.
Where a less restricted device can do cool things nobody else can do.
A linux-based phone... with an 18650 battery slot... with a keyboard... and a meshtastic radio... drool.
Phones are hard because of certification requirements.
PDAs, now... have a look at https://www.clockworkpi.com/home-uconsole
It's only a question of time till DMCA takedowns will be abused to being down every app which remotely competes with any business model.
This invalidates so many reasons to still use android.
This is completely, absolutely and totally unacceptable.
My phone is my phone, not Google’s. They have absolutely no right to prevent me from running whatever software I wish on that phone.
This must not be allowed to stand.
You paid for the phone with the OS as a contributing factor (alongside the hardware) to the purchase no doubt, so the OS in itself must be compelling to you for some reason.
You didn't fund the development of the OS, contribute to it (presumably), you didn't market it or position it alongside your brand.
I'd agree with you if you said you have a right to run anything on the hardware under a different OS, but you have no god given right to run whatever you want on the OS.
Looking at what's been going on in the E.U. vs. the U.S., it seems pretty clear that one of the only things companies this big, with this much control over the markets fear is regulation.
Maybe people live in a country where adding new regulations is difficult at the moment. In that case, push at for it at the state or province level. Push for it wherever you can. Suddenly these companies have to figure out how to work around 50 different state level laws? Painful. Good. Make it hurt to be evil.
People need to come together and push for regulatory roadblocks to things like this at every level. I think that's part of how you keep control of your own property and stand up against it.
It's actually your telco's phone. They're the one that has the license to run the baseband computer and RF transceiver. The 'pad' computer device is sort of yours. But there's no legal way to have ownership of a cell phone unless you yourself bid for and get the RF spectrum and set up your network in a way that accomplishes the FCC coverage and timing requirements. Then run your own telco for your phone. Basically, impossible.
Smart phones try to limit and firewall the interface between the two but tight integration is required for energy efficiency. So a smart phone, or a cell phone, can never be yours. They aren't good choices for doing computing and this legal reality is becoming more and more obvious with time.
As a developer of android apps that get distributed outside of the Play store, a Google identity verification system sounds like a nightmare. What if I'm deemed to be politically incorrect? Will Google brand safety exclude me?
That's exactly the goal
Yeah... They just want to ban NewPipe. It's sad to see Android getting locked down, also with the source closing of the development branches, etc. I can as well buy Apple then, it doesn't matter anymore.
So where do we complain? (Aside from shaming Google on social media or writing to politicians.)
If I look through Google's contact links, it's all oriented around getting help with a problem rather than letting them know I'm going to move to something else if they go through with this. (And yes, even if Apple has the same types of restrictions on app store, if a more open alternative OS didn't work out for me, I'd move to them to punish the one dropping freedom of use.)
Looks like Google will also be limiting each developer's number of apps and installations unless you pay them $25. https://developer.android.com/developer-verification/guides/...
That's how it's always costed
Yes, it's the same price as a Google Play Console developer account, but this is for access to the new Android Developer Console.
So what are our options (eg for EU citizens) for lobbying in terms of legislation or directly to Google to show disagreement with this?
It looks like many in this thread are against, but I don't see suggestions for action?
We need to lobby for choice at every stage. You must be able to choose which network, which phone, which OS, which app stores, which apps.
I'm wondering the same thing in the US. Aside from writing Google and complaining, and purchasing a phone with a different OS (GrapheneOS or PureOS, for example), I'm not sure what else to do.
The issue with that 2nd solution is, "purchasing a phone with GrapheneOS" only registers from Google's perspective as "we just sold an additional Pixel, so we're doing good right now"
> The requirement will go into effect in September 2026 for users in Brazil, Indonesia, Singapore, and Thailand. Google notes how these countries have been “specifically impacted by these forms of fraudulent app scams.” Verification will then apply globally from 2027 onwards.
At least most of the world has until 2027 to install LineageOS or GrapheneOS.
Apps are increasingly failing to run on grapheneos because Google is pushing for the play integrity verification. More and more apps, some critical like banking apps, some not at all, require your device to be running an official rom signed by Google.
So I will go back to carry two devices, I guess. Like when I had a Jolla Phone and an Android phone. Or before that with a Palm PDA and a dumbphone. It is convenient to have everything combined in a single device, but guess that turned out to be just a temporary luxury.
Great for you. What about the normies ? You know the people that protest and make things change, how they are going to organize themselves when their government gets authoritarian and apple/google obeys to governments request to forbid some app. You know like what happened during Hong Kong protest with Apple App Store.
I’m not saying I have a solution but looking at yourself and pretending it’s all fine because you’re 10 times more tech savvy than the average citizen isn’t a viable answer. That kind of issue must be solved by regulation, hopefully Europe gets to bring back on earth whoever at Google agreed on that idea.
It's not "all fine", but realistically it's the best that you can hope to achieve.
The "normies" won't protest because it mostly doesn't affect them, at least not in any direct and obvious way that would trigger a pushback.
Regulation is unlikely to give you what you want. For one thing, regulators love centralization in general because it makes it much easier to regulate - when there are only a few large players, you can write the laws around them, effectively forcing them to be the enforcers. A large and diverse field where users can install whatever apps from wherever is much harder to regulate wrt things like banning porn or violent games or whatever it is that "normies" feel upset and demand that SOMEONE DO SOMETHING ABOUT IT!!!1! today.
This isn't to say that you shouldn't try to use political tools. Just be very clear that what you're trying to achieve is a minority take, and therefore you're unlikely to actually reach the goal in a democracy; at best, you will move the needle very slightly.
So, if you want to actually enjoy freedom in the meantime, learn how to be a criminal.
> require your device to be running an official rom signed by Google
How exactly does the app detect this?
>At least most of the world has until 2027 to install LineageOS or GrapheneOS.
Which only work on a tiny, almost insignificant sub-set of phones. If you don't have one of those, you're screwed.
Not to mention the bootloader is getting locked down so you can't even install one of these in the first place.
Next time you buy a phone, buy a supported model. Right?
So I guess now is the time to decide whether Pixel is actually something I would want to purchase from Google ( and support the decision they just made with cash money ) or.. what exactly. I am not a Apple fan either.
This must be because of Epic's win in antitrust court.
What someone needs to do is create a "Store" browser that loads apps from random websites like https://site.tld/app.apk
You could manually parse AndroidManifest.xml and allow only apps that expose <uses-permission android:name="android.permission.INTERNET" />
I'm somewhat interested in doing this myself actually. What do people think?
How does this differ from Obtainium?
I wasn't aware of obtainium. Thank you. I was thinking of something more like Google Chrome mobile edition but for APKs. So more focus around the search interface.
Sideloading is the only reason I'm on Android. When it goes away, I will be better with an Apple device.
I knew this was coming thanks to the nincompoops bankers and IMDA together with horny uncles who fall for love/job scams here in Singapore. The reason I use android over iOS is that I can load apps for personal automation. I think the current scenario where bank apps refuse to run on phones with sideloaded apps is far more acceptable. Im not sure scammers will not find a way around this. I can still be able pin web apps.
FWIW I'd rather not use my phone for critical transactions its making authorities lazy. The number of times Ive had to fight thanks to "buggy" payment code that deducts money is not funny and banks are getting worse at customer support day by day.
Also what the fuck are the governments doing with tax payer money, instead of going after criminals, we go after citizens.
This is dangerous, they are trying to prevent people from creating apps that don't support their narrative.
This is how macOS works, without a signature they will tell you they can't guarantee it doesn't have malware and you need to go to settings and choose to run anyway (and most people don't even know about it).
Microsoft would love to do that too, but it just has too much of legacy software to introduce such a major hurdle.
> This is how macOS works, without a signature they will tell you they can't guarantee it doesn't have malware
Even with a signature they can't guarantee it doesn't have malware. The fact that signed malware exists should be enough to put an end to the argument that it's for our own good.
The fact that people die with helmets on motorcycles should put an end to the argument that it's for our own good.
If you had to give away your privacy to use one and could only use helmets authorized by your motorcycle dealer you might have a point. We accept impositions on our freedom all the time when what we get in return is worth the sacrifice. If signed binaries actually delivered on their promise of keeping people safe there'd be a discussion that could be had on whether or not it'd be worthwhile, but since they don't actually protect people we'd be giving up our privacy for nothing.
What you said had absolutely nothing to do with your original illogical statement.
"the argument that it's for our own good." is their instance that we should accept this loss of our freedom to run the software we want because it protects us. It doesn't actually protect us though, so it isn't worth it and we shouldn't accept it.
My original statement had nothing to do with motorcycle helmets, but if using them required us to give up enough of our freedoms they could also become unacceptable for the level or protection they provide (or fail to provide) us.
Is the right-click -> Open workaround not a thing any more on macOS?
Open -> Click away the error message -> Settings -> Privacy & Security -> Open Anyways -> Open Anyways -> Authenticate -> app actually opens
There's a ctrl+open shortcut, if I remember correctly, which may be what the parent comment is referring to.
Nope, they've been making it steadily more difficult with each release. The control open shortcut no longer works.
Nope, it has been removed. Also God help you if want to run something that needs system extensions..
You will need to boot to recovery mode, go through utility and enable it: https://support.apple.com/en-ca/guide/mac-help/mchl768f7291/...
Basically average users will never be able to pull this off.
As of macOS 15 (I think?), that shortcut stopped working, it will just show the same unverified software warning.
It requires a trip to a submenu in the Settings app now. You can’t do it simply or easily.
Microsoft does the same exact thing with SmartScreen, except that it has a whitelist for popular binaries.
Our only choice are 2 american companies, Google or Apple
Why did we let that happen?
The only silver lining I see is if it allows you to bypass this by enabling dev mode on your phone. If you can't sideload unverified apps even in dev mode, that would be insanely bad.
IF that is the case, I'm actually willing to be slightly inclined to see this as a positive? We should normalize installing apps outside of Google Play, but that means malware becomes a serious issue with people downloading and installing random APKs.
e.g., this may normalize people hosting downloadable APKs whilst also reducing malware risk for "normies", which idealistically could weaken the "monopoly" of Google Play on android.
The problem is that Google is the gatekeeper.
It's starting to look like I may end up with two phones. One with Lineage and most of my apps, hopefully, and another one with Play Protect which hopefully will be just my bank app. Google has become way too powerful and is encroaching step by step on our freedom, it's terrible. Tt's been going on for a long time. It's the IT equivalant of authoritarianism!!
Yeah, I think I will do that strategy as well. I will probably put Graphene on my next phone, and if any apps don't work I will keep them on another phone.
What would happen to projects like F-Droid, Termux, etc.?
Taking the article at face value, they'll have to register with google and have their apps be signed. Presumably this is subject to less review than the play store (eg. you don't have to justify your permissions list or whatever[1]), but there's no guarantees that developers will bother with the hassle. A lot of developers are willing to put some release up on github, but not dox themselves to google.
[1] https://news.ycombinator.com/item?id=41895718
Guess whether the makers of alternative YouTube clients will want to tell Google, "Hey, this is a copy of our ID card our address"...
Time to move to a dumb phone, I guess. Android is slowly becoming worst of both worlds, none of the privacy features of iOS yet walls of the garden keeps getting higher.
My son uses an android phone as a medical device with apps that are either downloaded or compiled. Hopefully this won't touch lineageOs
Gotta love when the megacorp steps in to "help".
Hopefully this increases the communal pressure to find a real alternative to android.
I think they got emboldened by EU's impotent response to Apple's Digital Markets Act (DMA) violations.
Regardless, this is extremely bad news.
Time to donate to GrapheneOS[1] and alternatives[2]. Or contribute [3].
[1] https://grapheneos.org/donate
[2] https://members.calyxinstitute.org/donate
[3] https://grapheneos.org/hiring
Will GrapheneOS even survive the fact that Google will stop publishing Pixel code and such?
If you maintain it as a hard fork, why not? New phones technical specifications improvements are diminishing last few years anyway. As long as it works, it can last for many years to come. The question is only in the project budget, I think.
This is crazy, this means 10 years from now only terrorists will distribute software. Unacceptable! How many platforms now allow one to build and distribute a binary?
Only Linux, BSD and other operating systems that are entirely Open Source.
Even Windows has scary warnings now that pop up unless you pay several hundred dollars a year plus you have to go through a completely unreasonable process (that often requires being shipped a physical USB device) just to sign your application.
This seems equivalent to Notarization on macOS. https://developer.apple.com/documentation/security/notarizin...
If you think about it, the only thing that keeps this OS vendor in this duopolistic position is the fact that people rely on a certain proprietary apps. We need ways to do things like messaging and banking in a universal way, just like we can do with email, calls, texts and web. Banking and messaging should be fully universal so we don't rely on specific apps only available on specific app stores. That would take all power away from this satanic US companies!!!
Hmm this is weird. I've recently been considering switch back to Android because of how locked down ios is and it sounds like Google's now gonna do the same thing? Will there be a way to deactivate this?
This was probably the reason Nokia died. Symbian development, already cumbersome and app deployment required some such procedure. I remember there was an joint effort in a china based forum and many of us got a cert and a key for our phones. I was reading Nokia obituaries from its executives and the sorry state of Symbian development and app deployment was not considered as a cause. So here it, is young executives repeating a simplistic and destructive strategy. ibm, xerox, nokia and intel will be very proud.
No so young, but just as short-term and thoughtless.
Welp, I was euphemistically already not a fan of the developer experience for Android, now it's straight dead to me.
No reason to ever touch another day of Kotlin.
Come to think of it, why am I even on Android now as a user?
What's the alternative?
One of the reasons I switched to Android was the freedom to make apks for my phone and not dealing with certificates, expiry dates, Google's approval, etc.
This is a depressing change if they follow through with this.
And "in the name of security" doesn't pass the smell test if there is no way to opt out.
Remind me why we keep using smart phones? They feel like a noose around our collective necks.
Before quickly running to dismiss this move, please at least do your research with regards to the situation in the countries mentioned in the article, especially Singapore and Thailand.
Side-loaded malware has been an epidemic in SE Asia, and there are MILLIONS of dollars stolen (mostly from pensioners!) via side-loaded malware disguised as gambling apps - the local population is particularly suspectible to gambling, especially the older generations that are not so tech-savvy.
It's good they decided to do something about it.
Private app companies should be and are doing more to protect against malware.
Banking apps in Malaysia are required to include malware detection software [0]. Companies should have better fraud and trust teams to identity and block fraud activities.
The rest of the world shouldn't suffer because a handful of banking companies refuse to offer basic fraud protections for their users.
[0] - https://www.abm.org.my/press-releases/banks-to-enable-malwar...
The requirement per Google's post is rolling out globally though in a couple years. There was nothing stopping per country governments that this may disproportionately affect from requiring this for Play Protect/GMS certified Android devices sold in their region but enforcing it worldwide for such non-AOSP devices I don't find surprising to be controversial.
Brave of you to say this. Yeah, in my humble opinion, agree with you, android and ios devices target the mainstream users more than say a PC or Mac's, and should be more locked down. We can keep PC's and Mac's relative open (although they are getting more secure too, which might be good?), but for devices that truly target the masses, secure them as much as possible (why would typical users like my parent's need to install a remote access server on their phone?).
Yeah, my Dad got hacked only a month ago, through a tech-support phishing phone-call. He uses a windows PC which makes him vulnerable, and the scammers did install tons of evil crap. He really should be using an android or ios tablet, to reduce his chances of being hacked like this. I know these devices are still vulnerable, but they do seem more secure based on how much more locked down they are.
Does this break F-Droid?
Would be a tragedy if it did. So many interesting and useful apps there without the obnoxious ads or nagging to upgrade.
I'm entirely on F-Droid, with no Google account and no Play Store. Losing F-Droid would force me off Android.
I'm the same. No Google account since 2012. F-Droid is an amazing community effort and has enabled me to find so many great open source applications.
Same.
One thing that annoys me is that a lot of F-Droid apps are obviously naive ports with overbroad permissions like "can read the entirety of storage", but that's still better than the all-consuming Goo.
Maybe F-Droid can sign all packages themselves? Would google let them do that?
The risk is Google could ban all F-Droid apps in one step, which will happen for sure.
"Can?" Sure.
"Would?" Google has zero incentive to do that.
The are apk's floating around from the Ice Cream Sundae days where the developer went out of business and is no longer on Play Store and this is literally the only way to run the app.
I have a Concept2 rower with the old PM3 monitor which is no longer supported by their ErgData app and the only way to connect my phone to my rower is by sideloading the ancient version of the app that supports it. So that's going to break now?
This eliminates the appeal of andoid over ios.
Why even run Android at that point anymore? iOS devices get security updates for longer and have much less data collection than stock Android.
GrapheneOS won't survive the next generation of devices because bootloader unlocking will also go away (https://news.ycombinator.com/item?id=44765939), and without kernel security updates that OS can't continue.
Now there's also no more sideloading, so what purpose does Android even serve anymore?
>GrapheneOS won't survive the next generation of devices because bootloader unlocking will also go away (https://news.ycombinator.com/item?id=44765939), and without kernel security updates that OS can't continue.
The comment in the thread you linked directly contradicts the claim that "bootloader unlocking will also go away".
Exactly, the only reason to be a weirdo and have android in the first place was because there's so many good apps available outside the play store, if they lock it down just like Apple then what's the point?
> what purpose does an open source OS have against a proprietary one
FOSS means a lot less than it used to in Android.
Can you download, build, and install a basic Android system these days without touching a single piece of closed code? Absolutely. Will it be able to do much without closed binaries? No.
Android isn't GNU/Linux where there's a general ethos of making everything in userland FOSS if at all possible. Rather, it's a free OS that both Google and manufacturers can do anything they want with, including shove a ton of spy and bloatware on it, then make it to where you can't get rid of those things, at least not easily.
The optimism from 15 years ago surrounding FOSS in the mobile space is on its deathbed.
I would argue any amount we can get is still lightyears better than not being able to replace or inspect anything at all on the system.
A phone running just the FOSS parts of Android is not super viable for the average person.
> iOS devices [..] have much less data collection than stock Android
iOS does a tremendous amount of data collection including for the usage of ads as per Apple's privacy policy. All the same types of data that stock Android collects, even.
You may believe Apple is a generally better steward of that data than Google, but using iOS does not reduce the amount of data being hoovered up in any meaningful capacity.
> Now there's also no more sideloading, so what purpose does Android even serve anymore?
I hate this change, but I still prefer Android. iOS is hardly perfect nor does it do everything better...
> Why even run Android at that point anymore? iOS devices get security updates for longer and have much less data collection than stock Android.
Because Google-free AOSP-derived Android distributions are far more versatile, offer far more freedom, impose far fewer restrictions and tend to end up being far less expensive than whatever the fruit factory decides their dedicants have to use today. If Google goes the way of the fruit folks and AOSP no longer offers these freedoms the next step is not to surrender to the Church of Apple but to find a way to evade those restrictions.
Well that sucks. So basically all the money weve had taken from us for our play store apps is now "just" going to be spent on administering the registration details of 800 million chinese developers and 6 billion bot accounts.
Whose smart idea was that.
Well, when that happens it is finally goodbye to Android from me. I am switching to iOS that day.
The desire for people to keep using their currently working devices just got much bigger, and yet another good reason to root.
The infamous Franklin quote always comes to mind when I see things like this happening. Choose freedom over security while you still can, or you'll soon not even have the freedom to choose.
It's also worth reading Stallman's "Right to Read" again, to see how scarily prescient he was.
terrible news. i dont like it a bit. wth are they doing? i know all they care about is money but this is bad for everyone.
Android is getting more closed and iOS more open, I expect more people dissatisfied from both camps. We’ll have less choice overall as they gravitate towards a common middle ground.
We really need a third alternative when it comes to mobile
This is what Apple already does, isn't it? Why wouldn't it work for Google too?
Apple requires you to get a developer account with them.
Nowhere does that require you to go and get a DUNS number, which is onerous for a single developer to do without the infrastructure of a company.
Never heard of DUNS. It seems to be a US company *Dun & Bradstreet) that provides business intelligence.
It seems kind of odd to me to rely on some kind of external hidden "credit agency"-style company for this? And why would DUNS want to know about some kid in their basement in Bangledesh making (non-malicious) apps, and why would the kid want Dun & Bradstreet to know about them? It makes no sense at all.
They're trying to control malware. Tying apps that may be malicious to an identity that takes some degree of cost and effort to establish seems sensible in that light.
It's not that the identity prevents malware/abuse, but publishing any malware to the store burns the identity and establishing another is harder than simply coming up with a new email address. It's not necessarily the best scheme out of there, but it makes sense given their apparent goal.
I've had a business get listed on DUNS; once you're on it, they resell your data forever.
It’s not just Apple, lots of federal programs in US require a DUNS number.
To be clear, Apple does not require a DUNS number for developer registration.
It does if you have an org account: https://developer.apple.com/programs/enroll/
Yeah, basically this is the rise of computer-credit agencies.
Youc an see the zeitgeist forming around corporations wanting to lock out any small unlicensed company from working on phones.
The key is mostly fascism in the guise of "security". Witness stuff like the ICE tracker app. Google would love a way to freeze out both it's appearance on the app store and any developer who'd program similar.
FWIW I got a DUNS number through apple as a single developer for a corp. It was super easy. If you've already gone through the trouble of setting up a corp, getting the DUNS is trivial by comparison.
Yes. You gotta pay your 100 bucks, but I don't remember feeling like my privacy was being invaded when getting a developer account. I assume the best reason they have for this is that they can nuke the account, effectively killing the install base of an app is reported to be malicious. Unless someone tells me why I should, I don't have a huge issue with this.
While the linked article notes that organizations require a DUNS number seemingly as an aside, personal accounts do not.
Which is exactly the same policy as Apple.
For me the difference is that Android is an open-source operating system. It sold itself and differentiated itself to users, developers and phone manufacturers as an open ecosystem built on open-source foundations.
Over the years, it seems Google has been trying to have their cake and eat it too, by basically subsuming others to use Android through this appeal of a more free and open operating system ecosystem, but have tried to slowly close and close it down now that it has won the other half of the market on that promise.
This feels more sly, because it's kind of a bait and switch. Apple never made such claim and was always upfront, so while I don't like it, I never bought into it in the first place for them to have the rug pulled under me after giving them my money as Google might be doing.
> For me the difference is that Android is an open-source operating system
Google Play is not open source. You're still free to sideload on phone that use vanilla open-source android like the Fairphone.
Most Android apps are crapware anyways. The only respectful apps that I know are open-source, and are being kicked out the of play store progressively.
I'm cancelling my Pixel 10 preorder.
I saw this coming a mile away. Everyone said you could install whatever you wanted on Android, but you were always jumping through some crazy hoops to do so. (compared to a general propose computer)
These companies need to be destroyed by antitrust violations. I am so tired of these tech companies abusing their market position. I want the FTC to stop being toothless and useless and just absolutely crush these companies. The amount of disdain I have for these companies can't even be properly expressed.
These companies are in bed with the government, you're not going to be saved by any legislation. Many people on this site supported Google censoring the Covid anti-vax idiots, but it should have made it very clear that Google was working at the behest of the government. They're in bed together; the government gets to do an end-run around the constitution, and Google gets to rely on special government privileges and protection. Win-win.
These corpos are part of the government, more or less, and they simply implement the edict to get rid of privacy. Not only in America. Smartphones have become eyes of the govs, while the Internet - something akin to their neural system. What's more interesting is why the govs feel so paranoidal and insecure recently? What are they afraid of?
I see how this is developing. First going more or less close source and then reeling in the freedom - they are not going so much Microsoft but Apple.
Maybe we need phone sized open source computers.
The only saving grace is you can always import a Chinese phone without the play store at all, and then you can install what you want.
One step closer to The Right to Read: https://www.gnu.org/philosophy/right-to-read.html
This would affect a lot apps that are not on the Play Store for multiple reasons... and if I'm going to be stuck with what Google thinks I should be allowed to use, then why not use iOS instead? At least software updates would be better and the overall experience more polished.
Will this be what finally leads to the success of a fully open-source Android fork such as CalyxOS or GrapheneOS?
CalyxOS is already dead. GrapheneOS is the only hope.
https://calyxos.org/news/2025/08/01/a-letter-to-our-communit...
Guess I'm getting an iPhone. If both are locked down, I may as well have the one that has a decent watch.
Are there any competing phone OS'es still around? Maybe there is something in China I dont have a view on?
https://en.wikipedia.org/wiki/HarmonyOS
It does have an Android subsystem stuck on, but it's not necessary.
https://puri.sm/products/
Can Google do something like this for entities wishing to advertise on their platform?
It feels as if that would provide far more of a public service than this... whatever this is.
Are there stats on whether more malware and financial scams come from installed apps or from advertising?
"A recent analysis by the company found that there are “over 50 times more malware from internet-sideloaded sources than on apps available through Google Play.”
Ok, but what's the real damage? In other words, how many installs and how much money siphoned from users and legit apps?
Apple and Google are now competing on being more closed, rather than on being more open. Perhaps because we gave Apple a free pass on curbing our freedoms, and even defended its actions as needed for 'security'
Remind me again why we can't use HTTPS certificates to sign code that is linked with a domain?
"Monopolies" gonna monopolize, all for our safety, of course
Stallman warned us.
https://www.gnu.org/philosophy/right-to-read.en.html
He was unable to suggest any pragmatic alternatives. He just said "I don't own a smartphone", ignoring the fact that many people become very disadvantaged without one.
The real heroes are the people that facilitate alternatives, not those who talk.
Stallman is probably in the top 10 of all time in terms of people who facilitated alternatives to this. He invented the GPL and wrote and maintained a ton of tools for people running alternative software stacks to use. What more would you ask for?
No, you're right. He deserves more credits than that. But still, the idea that you can just expect people to not use a smartphone is wrong.
I've edited my post to not claim that all Stallman did was talk, which would've been wrong.
> He just said "I don't own a smartphone", ignoring the fact that many people become very disadvantaged without one.
I know quite some people who live this way, and are very willing to overcome inconvenient hurdles to avoid having to use such a spying device.
>I know quite some people who live this way, and are very willing to overcome inconvenient hurdles to avoid having to use such a spying device.
This is kind of a lazy approach, and it's a good thing Stallman did not have that attitude towards personal computers.
But it's a bummer that there's no real equivalent for mobile devices. I use an Android device and I already consider it to be more locked down than Windows. Generally more irritating than Windows as well (maybe not Windows 11)
I also use it as little as possible (unfortunately more and more things require it) and try to get the smallest functional (for me) Android devices.
There are alternatives, using them involves sacrifices though, and there the modem baseband isn't replaceable yet. Take a look at GrapheneOS, F-Droid, Replicant, Purism Librem, PinePhone, PostmarketOS, PureOS, Mobian etc.
https://wiki.debian.org/Mobile
Okay, let's say you just became an enlightened person who understands that the current state of things need to be fixed.
To actually free yourself requires both commitment on your end and work on other people's end, those people who help facilitate alternatives and guide others to having more freedom and privacy. We need more of that work.
The speakers of the world have their place, of course, but that's not the most important part of the solution.
> To actually free yourself requires both commitment on your end and work on other people's end, those people who help facilitate alternatives and guide others to having more freedom and privacy. We need more of that work.
Such people both lead by example, and try to inspire others towards following their example/lifestyle. The problem rather is that most people want a different lifestyle (in the particular example of privacy and freedom "one with less radical consequences", which I consider to be rather contradictory, but this discussion shall be off topic).
To give an analogue: many vegetarians both lead by example, and inspire others to become vegetarians. But many people nevertheless don't want to become vegetarians.
> The real heroes are the people that facilitate alternatives, not those who talk, and Stallman was of the talking variety.
Like GNU?
When I switched from Android to iOS, this was one of the things I missed a lot: the ability to write my own app and side load it on my phone. Even more so with the advent of LLM. Oh well, now I don't have to worry about that.
The problem here is that the EU, which would normally be the only hope to put a stop to bullshit like this, seems to like this.
Governments are scurred the internet has made everyone realize their governments are crap, their history is gibberish, and it's all being used to screw the next generation. So 60+ year olds are falling back on old tropes
https://www.bbc.com/news/magazine-26328105
https://en.wikipedia.org/wiki/Parents_Music_Resource_Center
https://en.wikipedia.org/wiki/Seduction_of_the_Innocent
https://www.nytimes.com/1997/02/27/business/job-insecurity-o...
Yanking the leash of the proletariat
TikTok is "brain rot" even though the real economy runs on physical statistics, the semantics have to be recognizable to the elders, or it's not democratic so they will force the semantics to be regurgitated as-if they are religious catechism.
The Internet is the most powerful propaganda distributing system that humanity has ever come up with. Autocracies love the Internet, or at least the ones that see the writing on the wall. We have the sum total knowledge of the entire human race within a few clicks and we mostly use it to find videos to be mad at. We are our own jailors.
It's easy. For the average user, device integrity is more valuable (by a lot) than side loading.
People that think this is unacceptable are not remotely average users. Average users benefit greatly from their pocket appliance not being a full fledged computer.
Ultimate control over devices you own should be a basic right. Apple's wanton abuse of users and developers via the control they have over their platform, and Google's nipping at their heels, should be evidence enough of that.
Fundamentally, it is a trust issue. Why should I be forced to trust Google or Apple has my best interests in mind (they don't)? That is not ensuring 'device integrity', it's ensuring that I am at the whims of a corporation which doesn't care about me and will leverage what it can to extract as much blood as it can from me. You can ensure 'device integrity' without putting any permanent trust in Google or Apple.
Why should I be forced to trust Google or Apple.
You are not.
It's certainly convenient in this modern world to pay for and use one of their devices though.
That was intended to be a generic 'device manufacturer', not calling out Google and Apple specifically. It's my device. I should control it, full stop. It should simply not be legal for a device manufacturer to lock me out of a device I own, post sale. In the past it wasn't _possible_, so we didn't need to worry about it. But now the tech is at the point where manufacturers can create digital locks which simply cannot be broken, and give them full control of devices they sell (ie. which they no longer own), which are being used in anti-consumer ways.
Considering market forces are against it, I believe the only practical way to accomplish this in the long term is for this to be a right that is enforced by legislation. I don't think it is even far from precedent surrounding first sale doctrine and things like Magnuson-Moss, that the user should be the ultimate one in control post-purchase, it just takes a different shape when we're talking about computing technology.
It's my device. I should control it, full stop.
No one is forcing you to buy a particular device.
You are forced to trust Google or Apple if you want a smartphone. They own the whole market, it's a duopoly. You already have no power to install an OS without such limitations on most smartphones.
Limitations because it's not just protection - you don't get to choose which authorities you trust. Defaulting to manufacturer/OS vendor as the default authority would be ok, but there is no option to choose. Users have no power over their own device. That's not ok even if most choose to never execute it or don't know about it, it will lead to abuse of power.
Modern life without either of these OS (or like a phone number) is pretty difficult, i.e. you can't charge your car or access e-government without an app.
Time to support open source mobile OS's then.
I’m willing to sacrifice your rights if it means that there’s less incentive to steal my phone
why do you think you have any say over others' rights? using that same logic, you know what? i think you're going to steal my phone. so do you mind if i sacrifice your rights and install a camera right in your room? wouldn't want you to plot the theft of my phone now would i
Id argue that the average user is not a good barometer. They are okay with slowly being boiled alive. See windows 11 as a good example.
What's being sacrificed in the name of security is not worth it imo.
Enabling side loading on android is not a standard setting you can flick on. Is there any data on the number of devices who have this enabled and are falling for hacked apps?
I might partially agree, but the market already has a fantastic, secure option for those users: Apple.
Android's value was always in being the open(ish) alternative. When we lose that choice and the whole world adopts one philosophy, the ecosystem becomes brittle.
We saw this with the Bell monopoly, which held up telephone innovation for three quarters of a century.
In the short term, some users are safer. In the medium term, all users suffer from the lack of competition and innovation that a duopoly of walled gardens will create.
They're happy in their walled garden, until they don't and discover there is a wall they now can't overcome and learn whose hardware it really is
I do think it is in everyone's interest to be able to run software of your choosing on hardware you bought to own. The manufacturer needn't make it easy (my microwave sure didn't expect to install extra software packages; I don't expect them to open up an interface for this) but they also don't need to actively block the device owner from doing it
> Average users benefit greatly from their pocket appliance not being a full fledged computer.
In what way? Seriously, what benefit is there? (And don't say security...)
Not having social media?
The world would be a much better place if we only had calls and direct messages.
Bro, you forbade exactly the reason this is good for average users. Average users get emails that say:
> you have been infected by 3 viruses, click here in the next 5 minutes or the damage will be permanent
And they believe it. Giving them the power to run any software they want, also means giving everyone else the power to make them run any software they can be tricked into installing.
I'm deeply concerned about how this will impact users like us, especially since we're such a small minority that our desires could easily be trampled by the masses, but this is a clear win for the average user.
(And don't make the perfectionist fallacy w.r.t. Google not successfully preventing 100% of malware)
Damn we should just give up on this whole computer thing outright then, seems pretty dangerous. There are plenty of other things we could strip away that would make people much safer than just installing software, that's thinking small!
Stripping away computers entirely would have significant negative impacts. For the *average user*, preventing them from side-loading unsigned apps will have no negative impact.
For now, maybe. Like all discussions on freedoms and rights it's usually not about the day to day impact or the average person, if we optimized for the average person, we'd be in a sorry state.
> And they believe it.
Two reasons: they are not educated about devices they use, desktop operating systems are still awful at security (exe from a mail attachment can have a pdf looking thumbnail, executed with two clicks, even if accidental, immediately gets access to all user files... the whole concept of antivirus software...). It has nothing to do with side loading, especially on Android, where sideloading is a very explicit action already, and then you need to allow the application to do harm.
> Giving them the power to run any software they want, also means giving everyone else the power to make them run any software they can be tricked into installing.
You are taking away people's agency. Either you get to control your bank account risking that you get scammed, or someone will control it for you.
> very explicit action already, and then you need to allow the application to do harm.
So the email they get which tells them about the 3 viruses also contains a phone number where a "nice tech support person" will walk them through the steps of side-loading the "anti-virus app". You'd be surprised at what warnings/permission boxes people will blindly accept when they think they're talking to someone from Microsoft or Google's tech support.
> You are taking away people's agency.
Agency they don't want and never use. It's taking away agency from people like us but for the average user, Google is taking away nothing they've ever cared about.
> Either you get to control your bank account risking that you get scammed, or someone will control it for you.
I was just saying a couple of days ago that we need a service for old people where any transaction above a certain configurable threshold (for example, $500 in a day) has to be approved by an employee of this service who serves as a neutral 3rd party whose sole function is to try to prevent scams. That way the old folks would still have their agency so they can go out and buy all the hot-rods and transistor radios they want but if they're about to wire money to "Microsoft" then the anti-scam-company would step in and prevent that transaction (or at least require the old person have a discussion about why its an obvious scam first before eventually allowing the transaction through depending on the client).
Whether this change actually takes control away from us remains to be seen. For example, I don't see anything in the article that suggests we wouldn't be able to install a custom ROM with the signature check removed. Personally, I already run GrapheneOS so I expect I actually won't be impacted by this at all.
> For the average user, device integrity is more valuable (by a lot) than side loading.
Right until their devices start to act against their will.
The device integrity is are talking about it integral only to Google and Apple. Not to you.
But this is not about device integrity.
I'm all for code signing and integrity verification. We need both technologies on pretty much all devices.
You are just conflating two different issues - side loading has nothing to do with device integrity.
Agreed. Most people don't care that they can't run "unauthorized app XYZ", as long as their bank account / vacation pics / texts don't leak.
Now, that may happen anyway, but they'll give up a TON to avoid that.
Me, I try to avoid using my phone for anything important, use a VPN under Linux at home whenever possible, ad blockers, privacy guard, etc, etc. I can't expect my non-technical family members to do that.
Bad car analogy coming up: MOST drivers benefit more from ABS than the few really, really good race car drivers who can do threshold braking and outbrake ABS - and even then, I doubt it's true for anything but the earliest ABS systems. I'll bet the newest ABS systems are better than almost any human - because they don't have an off day, don't get distracted, etc.
And I get the anger - I'm an old school Atari 800xl / ST / DOS / Linux user who tries to ditch Windows where possible. Restricting things seems heavy-handed - and I don't trust Google in the least. But I would NEVER tell anyone in my family to sideload an app, even though they're all Android users - I don't want that support burden.
Then they should go buy a boomerphone that can make calls and text and nothing else and stop screwing things up for the rest of us.
Average users also benefit from restricting their ability to purchase alcohol or tobacco, but I don’t see anyone suggesting that…
And people who are financially interested in letting users side-load apps (malicious or otherwise) are good at what they do. I mean, even Russian banks that are banned from the Apple App Store are still finding ways to distribute iPhone apps.
Most users are oblivious around those issues, how can they possibly make an informed choice here?
> Average users benefit greatly from their pocket appliance not being a full fledged computer.
Why, though?
There's certainly no technical reason that a pocket appliance can't be a full fledged computer. The primary reason it isn't is because device manufacturers benefit greatly from having a tight control over their products. This is not unique to mobile devices; we see the same trend of desktop operating systems becoming increasingly user hostile as well.
The claim that these features are in the best interest of users is an inane excuse. Operating systems can certainly give users the freedom to use their devices to their full capabilities, without sacrificing their security or privacy. There are many ways that Google could implement this that doesn't involve being the global authority over which apps users are allowed to install. But, of course, they are in the advertising business, where all data that can be collected, must be collected.
Don't pretend that average users are asked, or that their opinions would matter. Or even that you have some sort of insight into the average user that other people don't have.
People who think this is unacceptable are the people who 1) understand what it is, 2) don't stand to profit from it, and 3) don't dream about locking average users into an ecosystem that they control some day.
You say this as if the widespread embrace of Apple/locked down Android phones is meaningless, fully a bamboozle with no user choice reflected at all.
The EU is some kind of Jekyll and Hyde entity, you can never be sure which way it will go next.
EU loves regulation. And it's much easier to regulate things when there are a few large providers that can be mandated to enforce your laws.
How does this affect installing an APK to an offline device?
Will there be a local override?
>However, developers who appreciated the anonymity of alternative distribution methods will no longer have that option.
Don't be evil Google!
I rely on an open source app called xDrip to manage my diabetes. It's way way way better than any of the official apps. It's not distributed on the app stores for obvious reasons. Many others rely on this app as well. Are we cooked?
It seems that it was only about time… it just feels like the pace of enshittification with big tech being able to get away with anything is crazy!
I’m hoping that projects like Precursor can take off because we’ve buried ourselves in such mountain of complexity that seems like only a billion/trillion dollar big tech company can make an OS.
But then again, some body called BS on browsers and we might have a good option soon in Ladybug!
https://www.crowdsupply.com/sutajio-kosagi/precursor
So that's how they kill newpipe.
They want to stop adblocking YouTube apps
The day this happens is the day I stop using "certified Android devices."
So Google won't even offer a system toggle to let users install an app they've made or copied?
Google don't even expose a per-app toggle for app Internet access, why am I surprised?
This is disgusting.
Freedom died a little bit more today.
Why is end-user choice and consent not considered?
It's really disturbing that the EU and Google would do this.
I can't recommend Android or iPhone because of this nonsense.
> Why is end-user choice and consent not considered?
The elimination of user choice was very much considered. In fact, it's the primary goal.
"Google to prevent users from installing programs on Android phones."
This might do more good than harm, since I'm willing to believe that scams involving APKs are prevalent, but come on. I need your permission to install software on my phone? Are you sure it isn't just that you want more control over everyone's phones?
Maybe its time to stop using an OS developed by an advertising company.
wow that rather fast [https://ibb.co.com/8LF8qdxm]
I already got popup in dashboard this morning
GrapheneOS.
Anyone else remembers “don’t be evil”?
Will this affect GrapheneOS users who have Play Protect / Services disabled? Wondering how they intend to do the verification.
With more and more things like this, we need to back to making native apps on desktops and laptops where we as the users are in control.
I'm waiting for this with chromium too. Microsoft Edge most removed uBlock Origin on me today.
https://www.gnu.org/philosophy/right-to-read.en.html
It is funny how true this becomes with passing day.
This aligns with their AOSP recent changes.
Everybody complaining of this is admitting they are doing nefarious actions. Those of us playing by the rules see no issue with this - In fact I welcome it!
I'm curious what is going to happen to all those Chinese ROMs and third-party Chinese app stores.
China will push own Android OS forks into other markets even harder, if they do it fully open-source then bonus for them, users will force devs (banking apps etc) to get more support. A good example is one EU bank which publishes to Huawei's AppGallery to support non-Google certified Android phones.
This means that for example I will not be able to side load Popcorn Time for Android [1] anymore?
[1] https://github.com/popcorn-official/popcorn-android
You know how folks in the UK are cutting the surveillance cameras, what is the equivalent here?
making an ADB-based debloater and browser shims to use stuff like bank apps, then sharing that with others. Then again, like cutting wires, it doesn't address the root cause.
Not updating Android I guess
Great. I suspect this will push more developers to publish web apps.
Time for Linux phones with Android emulation
Yeah if this goes ahead I'm going back to my feature phone
Tech like f-droid will be important for the future of free Android
Imagine you develop a VPN app that specifically helps people evade government censorship.
Everyone can figure out what's going to happen next.
I see... I guess it's just... web apps then?
This is actually good if it hopefully paves way for breaking them up
Well I guess that's good bye Pixel and Android for me then.
This is the final nail in the coffin for personal computing
It's a blow, but this is over dramatic.
(Responding to https://techcrunch.com/2025/08/25/google-will-require-develo... )
> Starting next year, Google will begin to verify the identities of developers distributing their apps on Android devices, not just those who distribute via the Play Store.
Odd little phrase, "distributing their apps on Android devices".
I think "distributing" in this context is in the sense of product distribution, not in the sense of distributed systems.
But "distributing...on" sounds a little odd, like Google is still providing a distribution service. (Contrary to all the precedent of how we've thought of installing software, other than the proprietary, captive-user app stores.)
And so, maybe "distributing...on" makes it sound more like Google is (once again) entitled to gatekeep what you can run on your device/computer.
> However, developers who appreciated the anonymity of alternative distribution methods will no longer have that option. Google says this will help to cut down on bad actors who hide their identity to distribute malware, commit financial fraud, or steal users’ personal data.
Maybe it's not "developers who appreciated the anonymity" (which we immediately try to conflate with bad actors), but that the whole point lately has been to stop the greedy proprietary lock-in app store monopolies, and not have them gatekeeping what everyone else can do.
"Distribute on" sounds odd because it's incorrect. APKs are not distributed by putting them on phones and carrying the phones from one place to another. "Distribute to" would be more correct; better yet, "develop for".
Google welcome to Apple 10 years ago
Sorry, folks, the good times are over. The future of computing is a signed, attested chain of trust from boot firmware through application code, on all platforms people are likely to use -- and remote attestation with user identification if you wish to connect to the network. End users love it because it prevents or reduces all sorts of malicious activity, from bank fraud down to online game cheating, with little to no effort on their part; platform vendors love it because it provides a moat; service providers (banks and such) love it for the assurance that their clients are uncompromised; and governments love it because it lets them surveil users and developers.
The only ones who hate it are devs. And who really cares about a bunch of nerds?
Remember, general purpose computing really boils down in security terms to "arbitrary code execution" -- a bad thing in the infosec field.
What the hell is a verified developer lol
This doesn't seem to be going over well.
Only developers care. The users don't even know what sideloading is. This will successfully kill off the single remaining freedom users have.
If this goes through, would it be possible to see a consumer class-action lawsuit? I imagine there is a class of people for whom the sideloading of apps is necessary and removing it renders their phone almost useless. I'd also guess that this market is much larger than Google imagines.
Personally, if I'm not allowed to run the software that I want on my phone, it almost makes more sense for me to get some old flip phone or one of those chinese blackberry knockoffs c.a. 2012. Not out of any principled stance, mind you, it's just that's the level of functionality you'd be reducing me to. Why should I pay $500 when I can find something that gives me the same features on a literal junk pile?
This will be just another boost for de-googled phones, alternative platforms and potentially Mobile Linux.
The only reason why google phones became so popular was the fact that they were much less restrictive than iPhones. Thus the platform became the biggest phone platform in the world.
Now they are asking for a new start to arise and take their place.
> Google is explicit today about how “developers will have the same freedom to distribute their apps directly to users through sideloading or to use any app store they prefer.”
« Développer will have freedom » yet they are entitled to Google’s verification.
It’s just another stone in the grave of Android and even though I shipped off this sinking ship 6 years ago to iOS, this is still concerning because ultimately apple’s IOS is in competition solely with Android.
If Android gets so bad it has all the disadvantage of iOS, some more, for instance with the embedded spyware that manufacturer are paid to include, and none of the good side of iOS, then everyone lose. Apple doesn’t have to compete anymore, they just have to not suck.
Can you even compile an iOS app without registering with apple?
Without an apple ID you can compile an iOS app, but can only run it in an iPhone Simulator on a Mac.
With a free apple ID (no additional registration needed) you can also install your compiled iOS app on your iPhone and have it working for 7 days before you need to re-install it.
Is it really different from what Google is doing ? Not being to compile or user not being to install have the very same consequence : your app can’t be used.
From the announcement
> our recent analysis found over 50 times more malware from internet-sideloaded sources than on apps available through Google Play.
I will believe this when we stop seeing brazen malware in marquee app store apps, e.g. https://www.tracesecurity.com/blog/articles/meta-pixel-and-t...
This isn't legal in the EU is it?
It is. Notarization like Apple does is also legal. In fact the EU commission would welcome this with open arms since they can now access the personal data of every developer and can order Google to ban every app they want. This goes hand-in-hand with their new "Digital wallet" app that will be launched next year.
Of course they will. It started with Play Integrity and hardware remote attestation. Soon Android will be nothing but a shittier version of iOS.
Oh how I wish I could buy a Nokia N900 16 Pro Max and use Maemo 13
The N900. The best mobile device I've ever owned.
This is another "beginning of the end." All eyes are on this situation and how much push back it gets. If there is little resistance, others will certainly follow suit.
Squeeze, Raban. Squeeze hard.
How will this affect GrapheneOS?
This phase from the last couple of years just had to come - and while it's painful to be exposed to it - it seems highly illogical for us to complain and cry about it.
- "Free" search - yay, let's all use it for everything and even make a verb out of it
- Email - such nice guys, Google - free email forever, what could go wrong if I have my 95% of all my info there
- Maps - yeah, let's all depend on these free Google maps with our lives
- Chrome - ofc, heck yes, let's all use their browser, it's the best and free - no need for anything else
- Google account login for EVERYTHING - so convenient! Google Authenticator app, Google Wallet - yes, more!
- Free mobile operating system - nice, take that, Apple!
Google has taken over a large portion of our lives, step by step - good enough services, on global scale, for free, until they became essential.
They are not evil, like they were never good - they are a company, and in the current socio-economic structure, that means having a duty to use their position to enrich their shareholders - and absolutely have no interest in people's wellbeing or morality or opinions or reputation - unless it temporarily serves to do so more / better.
I'm in no way trying to defend them. Just, with all the futility of it, pointing out how hyper-capitalism we've built/allowed to grow, has reached the stage where it's practically impossible for the "free market" to react / provide solutions that people want. Now the big players decide what people get.
In this case, you can no longer have a high quality phone of a good manufacturer and install on it what you want. Small manufacturer catering to that demographic won't get government certification, you can't have your e.g. Samsung and install a ROM anymore, and you can't install your app freely on Android unless Google lets you. That's all just in a tiny sliver of space.
Our Tetris board barely has any room left for choice and actions.
This has the potential to be disastrous for Google, but maybe not.
Personally: I don't use Apple because I like being able to whip together little apps to side-load without having to check in with a walled-garden mothership. If Google is going to move closer to Apple in that regard... Apple's UX ecosystem is better, so I have far fewer reason to keep using Android.
I suspect this won't be disastrous for Google, because where will people care about this go? Apple, who is even more restrictive? This is just another in a long series of incidents showing why we desperately need a real alternative to the mobile duopoly. I would ditch Android over this, but there's no realistic alternative available to me.
Damn the future sucks ass.
I think the only thing hat can save us is a jailbreak. Either for iOS or Android to let you sideload apps.
Alternatively, and that’s almost bullshit, the dumb phone trend continues and we might get devices like PDAs. Get a dumb phone and a small camera and then your PDA for everything that is essentially an app. Not sure what OS they’d run but I don’t see another way.
Android also allows apps that can run arbitrary code, like emulators and various other runtimes. I think iOS still doesn't? I have not written an Android app in ages, other than at work, but I often write silly little things running in the Löve 2D Loader, or TIC-80, or DOSBox, or just command-line tools running in Termux (I hear there is an X-server as well to run GUI applications from Termux?).
As long as they still allow running stuff inside of apps like that I will probably not abandon ship yet.
They recently allowed emulators, like RetroArch, to be on the app store. They still require the emulators to be written in Swift AFAIK. Still quite a bit more restrictive than Android, but they have slowly been opening up.
No, fuck you. Absolutely not.
Relevant as always: https://youtu.be/ntICHMV-WMA?t=38
shameful
was a reason I bought Android. will they be sending me a refund?
I wonder, how hard is it to build an app on the phone from source?
Dick move. Go back to "do no evil" big G. Remember how you used to be the kool kid on the block? Now you've just become the grown up you showed contempt for in your prime time.
I doubt I'll move away from Android too soon, but that definitely makes me reconsider whether any Google services have a right to CPU time on my device.
Absolutely disgusting. No reason to keep using Android then.
iOS is a closed jail even worse. The real solution is to buy uncertified Chinese devices then.
China offering more freedom than the supposed free world
Source: https://android-developers.googleblog.com/2025/08/elevating-... (https://news.ycombinator.com/item?id=45016602)
I can’t say I’m surprised; but I am disappointed.
Could someone explain why the personal privacy of software developers is more important than the cybersecurity of consumers and nations please and thank you
I don't understand, when the EU announced that Apples "actually we need to sign all of these and pay us" requirement is illegal, Google was like "hold my beer"?
Break them up already, it's getting old.
So, now there will be a single kill switch where a malicious government can legally compel Google to annihilate apps not of their liking.
I find it hard to state how contemptible this is. How stupid. Everyone who worked on this has blood on their hands.
Fuck google.
This combined with the 'age verification' coming to all Google properties means it is a very small step from that new world to full Google verification of everything you visit and everything on your device, at any time, for any reason with the penalty being incontestable ban from your device, apps and data.
Get ready for facebook style 'we are interrupting you for a video selfie because we have detected you are a threat' across all google properties (Android, Chrome, Gmail, Maps...).
Move to linux phones, now.
Google is really turning into a dystopian company, destroying any goodwill their virtuous employees created in the past. It feels like they are primed to be the main turnkey tyranny facilitators.
Google was always dystopian and evil. They just wore good mask for some time in the beginning.
Keep your phone. All you have to do is say no to digital for:
- money - tickets - identification
They cannot force everyone to own and buy a phone.
Gives me another reason to use Custom ROM
has anyone had to help any elderly relative with the million scams they've downloaded from google's app store? google does not give a shit about helping regular people avoid scams, it's all just bullshit.
not even to mention the h1b indian kickback stuff that's about to hit them. couldn't happen to a nicer company.
Helping elderly with scams: Yes, today, with Google Chrome. They got tricked into allowing desktop notifications and they look super legit on Microsoft Windows, styled like antivirus notifications and everything, covering the browser UI to get to the settings. I don't see how using closed software helps here
Sorry, we're getting rid of Revanced, Newpipe, Xmanager, etc. for your own good. Just like how Manifest v3 was for security. /s
That might be one of the reasons. Get rid of competition by legal means.
In my case I keep a copy of K9 Mail 5.6 with the original UI (the reason I choose K9) and I sideload it to every device of mine. I'm afraid that I'll have to register an account and what, claim that that K9 is mine?
TL;DR If you're not using Linux by now, do yourself a favor and start. You could do worse than starting with Linux Mint or PopOS, but whatever you do, get ahead of the curve and transition to these user-friendly open sourced OSes. The alternative is far, far worse at the moment.
Well time to make sure mobile Linux is accessible so the blind users aren't the only ones left when all the world switches to Linux /s
aren't there braille terminals that work with linux? I don't know how you would make a rigorous blind UX other than working with a text interface first.
Year of mobile Linux OS? /s
Maybe Elon Musk can save us /s
He won’t.
But China does, and not tomorrow, not in the future, but today already, by selling unrestricted devices
Anyone even remotely privacy or security conscious needs to vote with their wallet in protest and stop buying Android phones, otherwise it's only a matter of time 'til Google bans side-loading and it becomes impossible to buy a phone that can run any kind of anonymous or end-to-end encrypted communication software.
Stop buying Android and what? Buy an iPhone that's even more locked down or live like an outcast that can't access essential services? Because those are the realistic options.
For years I've been buying middle-of-the-road Android phones because they provide pretty good bang for the buck, but if I can't use a computer I paid for however the fuck I want, I'm just going to start getting the cheapest crap I can get away with and use it as little as possible. "Vote with your wallet" doesn't have to mean total abstinence.
I think getting a flagship device that's a few years old probably makes for a better experience. I check the LineageOS supported devices list, then search eBay for something from there.
Flip phones can access essential services just fine, if some business or government office is only allowing something to be done via smartphone app, that’s a problem.
A problem for who? Go ahead and raise it, I’m sure the government office will get right on fixing it.
>live like an outcast that can't access essential services?
I don't own a smartphone and I am happy as ever. I used to own one a while back, but it wasn't worth the effort and the rage when it was slow.
If a service can be accessed only with a smartphone, I complain (which is of little use).
Do you not have to use a 2FA app for things like banking? In Singapore, they are phasing out 2FA options other than the banking app. The banking apps only work on iPhones and Google-approved Android phones. It's pretty bad.
It's kind of stupid when you consider the number of people who don't have screen locks (or else have easily guessable ones) on their phones.
It really isn't that bad. I've never owned a smartphone, and can do everything I need through websites and the occasional phone call.
> live like an outcast
in all things. I would encourage you and everyone who reads this post to stare down this option with realistic consideration. In a society this broken, it is the solution to more and more things. To checkout, to accept the hard mode because to pick the path of convenience is to be exploited.
Again, and again, and again.
I've been doing it. That's why I'm vegan.
I'm sorry, this is such a funny follow up comment, I literally lol-ed when I got to it.
Eating on hard-mode is what we do.
I respect at least your choice but I'm not growing tofu on the farm. Veganism is one of those protests that while i appreciate going after factory farms, you're only enabled to do so by large corporations.
You've never tried growing tofu? It pops out of the ground in little cubes. Super easy, barely an inconvenience.
> _I'm not growing tofu on the farm_
What else are you growing?
What if people stopped buying brand new Android phones and instead bought used ones and then installed alternative Android versions and app stores.
Can't access banks, ticket systems etc. unfortunately we are in the era of tightened screws, the freedom is running out :(
Lol all these things work via the web. You just log on via the browswer. Not everything needs an app.
In your country, maybe. Over here you're dead in the water without a smartphone — can't access banking except by going to the branch and standing in the queue for an hour or two, can't access most government services. Limit your selection of goods (like electronics, but not only that) by something like 90% (and also increase prices by 30-50%) because brick and mortar shops sell old crap at much higher cost than it was ever worth, and the only real solution is buying from a major marketplace which is only available as a mobile application.
This concept originated in China and is spreading. Beware.
Can I ask which country? You said originated in China but is it China or another east Asia country?
@achrono (I cannot reply to the other post, I don't know why). Yes, you can use just a web browser.
> Mobile Payments They work with a card, no smartphone required. Moreover, cash didn't cease to exist.
> Navigation Again, physical maps are a thing. Google Maps or OpenStreetMap are accessible by browser. Having a physical map and having to follow road signs can be a beautiful experience. If one is addicted to a machine that tells them where to go, navigators are still a thing (no smartphone required)
>All manner of IoT devices
Don't put an IoT device in your house if you don't know what it does and how it works. If the only way to interface to it is via an app... then you don't know what it does and how it works. Don't put it in your house.
>Wearables
I don't even know what are wearables: if I write it on Firefox it underlines it in red. By doing a quick search, I can see images of watches. Watches can work without an app. Moreover, watches that work without an app are usually less expensive than the other kind.
>Digital versions of ID (Mobile Passport Control)
Don't. I know that some governments are pushing this crap thinking it's the future. Simply don't. Imagine you're at the airport and you accidentally drop your passport. You pick it up, nothing lost. Imagine you drop your phone and it stops working. You lost:
- Your documents - Your money (if you rely on your phone for paying and don't have cash with you, which seems a growing trend among people I know) - All your ways to contact people for help
Instead:
- Your wallet is stolen: you lost all your money and your cards, but you have your documents (at least the passport because it surely does not fit a wallet). - Your phone is stolen: you lost all the ways to contact people, but you can buy another one - Your passport is stolen: you can contact your embassy.
Smartphones are becoming a SPOF (Single Point Of Failure) for our lives.
> physical maps
Are you for real? I'm totally on board with using free and open alternatives, but if you're not going on a mountain trail then a physical map is going to be drastically worse than any navigation software.
Also FWIW I have a card-sized passport that I can easily get stolen with my wallet.
Aren't there attestation frameworks under development that they could start using too?
Other than banks & ticketing, there is a whole host of things that do in fact need an app.
* Mobile payments
* Navigation
* All manner of IoT devices
* Wearables!
* Digital versions of ID (Mobile Passport Control)
etc.
So no, you can't just use the web.
But, and I hesitate to point it out, because I am finding that people think it is somehow minimal entry stakes, one does not need any of those things..
You wouldn't get very far without WeChat and AliPay in China. Last time a good friend of mine was there, many merchants simply refused to accept cash. The few that did had made it known how much they were inconvenienced by doing that.
Same for basically every interaction with locals, for accessing government services, or even just using the public transportation.
It's pretty similar for locals AFAIK.
And before anyone replies that he didn't have to travel there — no, he did, unless he was willing to look for another job (which are very sparse here, you hold on to a good job for dear life).
The 2FAs require their mobile app sometimes.
What types of tickets are you referring to here? I’m not familiar with that restriction.
He's talking about concert tickets and similar entertainment events, where several of the major providers no longer provide PDF tickets and instead only send them to a phone app. It is possible to make enough of a stink and collect tickets on the day, but that option is increasingly difficult to find.
you can usually just use the web-interfaces for those services. less convenient, sure, but the options are there.
Buy Apple; the point is to hurt Google. If enough people do it, Google might reconsider. Show them that the open ecosystem is the only value Android added, and if they refuse to bring back the open ecosystem then their platform will slowly die. Won't be long until Google's as locked-down as Apple at this rate, so all Android gives you is a power-hungry OS that protect your privacy even less than iOS does.
Buying closed stuff to show we want an open ecosystem?
At this point, I believe the most effective ways one can help with this is:
(1) advocacy - it's slow and difficult, but having people at least agree / be familiar with the idea that closed stuff is bad is a good first step.
Open ecosystems can't work for the general public if it's trapped in closed networks that won't work on anything else than the two big mobile operating systems, so making people start using open chat apps and such will help a lot. It'll take years, but so be it. It's worth it I think.
(2) helping improve the more open stuff.
I think Linux mobile for instance is a potentially viable alternative in the medium term for at least the basic use cases: Calls, SMS, GPS / Maps, Signal, photos. All this has no reason not to work with some polish. I daily drove Linux mobile 4 years ago for a year. The main thing I'm missing is good hardware for it, and a lot of polish but nothing impossible. Yeah, indeed, no payment with the phone (Google Pay / Apple Pay). But it's still possible to use the physical cards and not use the phone for this.
You've got to be kidding. Doesn't work, Apple is even more locked down than what this article announces. No sideloading whatsoever, signature checks ala Play Protect are mandatory and cannot be switched off, no alternative app stores, etc.
You can side load three apps at a time outside the EU and unlimited inside the EU.
Not sure why this is downvoted. The entire value proposition of Android is the semi-open OS. For things you can’t do with Apple devices, you use the myriad of Android devices out there.
A locked-down Android is pointless.
Yet most of the world runs Android. Its main value proposition was always wide selection of hardware for however much money you're willing to spend, not its relative openness.
I make relatively decent money by our standards, and I wouldn't even think about dropping $700-1000 on a phone (which isn't even officially sold or supported over here). For the vast majority of people it's their whole income over 2-4 months. I don't know or care how much you make, let's say it's $10k per month. Imagine if you had to pay $20-40k for a phone which is good for maybe 5-8 years.
And most of the world is like that.
I'm curious what you think the alternative is, because Apple is definitely a lot worse, and we all know they're very much a duopoly.
BTW, all the GrapheneOS, etc. are still Android phones.
I'm curious if GrapheneOS or other custom Android builds would be able to avoid these restrictions reasonably.
Obviously this is going to impact the supply of apps, since the market share of custom Android is smaller than even the market share of people willing to sideload or use an alternative store on a mainstream Android phone. Many developers might quit the game.
The problem with custom ROMs is that many government, banking, and similar apps don't run on them without workarounds. Some of those apps also consider this as a TOS violation as well.
When Microsoft first proposed a remote attestation scheme for PCs under the name Palladium, it was widely seen as a nightmare scenario. Even the mainstream press was critical[0]. There was barely a whimper when Google introduced Safetynet a decade later.
It wasn't OK in 2003. It wasn't OK in 2014. It isn't OK now. I'm just not sure what anybody can do about it.
[0] https://www.nytimes.com/2003/06/30/business/technology-a-saf...
What changed is that the vast majority of users in 2025 are retarded normies that have never even considered trying to understand how their pocket computers work. And now that they are the majority, the voice of people that have even a remote understanding of how any of this works get drowned in the noise of social media divisiveness. Divide and Conquer. Oldest play in the book.
There are many third-party money apps that login to your online banking that are a violation of ToS. That doesn't stop people using them. In fact, when they get really big, they can be legitimised by banks. For example, to get my mortgage, I had to use a third party service that logs in to my online banking account and ingests all my transactions to show that I saved for my deposit legitimately.
Then I won't run those apps. Seriously. I know not everyone has this option, but it's been my experience that a lot of processes do in fact have workarounds when you show them the cryptic error their poorly behaved app throws.
I have been a GrapheneOS user since the Pixel 3 and have yet to encounter an app that doesn't work on GOS.
I don’t use any utility apps (identity, banking, services etc) on my phone and stick to the desktop web. And don’t use services that do require me to have a Google or apple account and phone. (Spoiler: I do)
I hope my tiny datapoint shows up in some aggregated stats somewhere.
It’s use-it-or-lose-it.
Looks like they can avoid these restrictions:
https://grapheneos.social/@GrapheneOS/115090818389369737
> "GrapheneOS doesn't include Google Mobile Services and the requirements for certification aren't relevant to us."
GrapheneOS uses a sandboxed version of Google Play Services, not the GMS certified devices they mentioned in the article.
I had a Jolla phone on my hands the other day and I must admit this…
SailfishOS is pretty nice
I might get one next
Buy Xperia 10 III while you still can. It's the best SailfishOS phone at the moment.
I have an Xperia 10 III, but it's running AOSP I built myself.
https://developer.sony.com/open-source/aosp-on-xperia-open-d...
Basically none of this new restriction will bother me, since I don't run anything but stock AOSP and get all my apps from f-droid repos.
Eventually you will need a new phone and by then probably all phones will be locked down.
It's really nice when you first use it but if you have to use it as a daily driver it's pure pain. Rather go for graphene.
GrapheneOS is a beautiful stop-gap, but there are real bona-fide Linux smartphones out there. To be clear, there are not many, the hardware often isn't great, the software often isn't great. PinePhone and Librem come to mind.
Cell carriers will just start requiring the attestation as well. And eventually, even an internet connection will - wifi routers will have to attest to ISP equipment, etc.
The final phase is "AI" monitoring everything you do on your devices. Eventually it won't just be passive, either, but likely active: able to change books you read and audio you listen to on-the-fly without your consent. It will be argued that this ok because the program is "objective".
At this point, I would stop using commercial cell carriers and ISP-provided equipment altogether, even if that means setting up mesh networks with an underground community. User control or bust.
I've been keeping an eye on FuriLabs (Furiphone). They maintain FuriOS - Debian with an Android kernel. Has a container for running Android apps. Price is reasonable though I don't know how it'll be affected by tariffs in the US. It's tempting.
https://furilabs.com/shop/flx1/
I really wanted to like Librem and almost bought a phone until I saw this video by Louis Rossmann: https://youtu.be/wKegmu0V75s?si=NzevsJgHD188bRkT
https://www.bunniestudios.com/blog/2020/introducing-precurso... This is the most secure phone that has been made recently.
Per their spec sheet it doesn't have cellular connectivity, so it's not actually a phone.
And if what you want is a PDA that runs Linux, there are many options, e.g. https://www.clockworkpi.com/home-uconsole.
Precursor is neat, but it isn't a phone.
Pretty sure Bunnie named it “precursor” because the plan is to make the actual phone (with a cellular modem) next. If I had the cash to support him and buy a Precursor I would.
Neat concept.
For anyone else failing to resolve DNS for that domain: https://archive.is/q7w0x
In addition to the PinePhone and Librem 5, you can also put postmarketOS on some faster Android phones like the OnePlus 6T.
>real bona-fide Linux
Android is decades ahead of that in security, functionality, utility, devex, and design. It's a fools errand to try and modernize that, over building on top of AOSP.
The alternative is just Apple; if Google loses enough users they might reconsider. Essentially the only real advantage Android had over Apple was being a more free platform/ecosystem; if they're going to do away with that, then they should be shown that this means they'll lose a lot of users.
Even with this change, Android is still more free than iOS by far.
Utterly pointless.
Banking apps, messaging apps, streaming apps, even video games all want locked down devices. They will use hardware cryptography to discriminate against us and refuse service if they can't cryprographically prove we're using a corporate owned device.
Naughty user. Looks like you've been tampering with your device, installing unauthorized software and whatnot. Only money laundering drug trafficking child molesting terrorists do that. I'm gonna have to deny your request to log you into your bank account.
Seems reasonable