Google will allow only apps from verified developers to be installed on Android

Banks seem to actually "want" Play Integrity. At least they act like it. I bet they would like for normal online banking on user-controlled devices to completely go away.

If play integrity went away, all mainstream Android users would suddenly experience a huge increase in captchas and other security measures.

It’s funny to see the volume of comments on HN from folks who are outraged at how AI companies ferociously scrape websites, and the comments disliking device attestation, and few comments recognizing those are two sides of the same coin.

Play integrity (and Apple’s PAT) are what allow mobile users to have less headaches than desktops. Not saying it’s a morally good thing (tech is rarely moral one way or the rather) just that it’s a capability with both upsides and downsides for both typical and power users.

This is only allowed to exist because the justice system and politicians are mostly tech illiterate.

Play Integrity is not compliant with any antitrust legislation, that's painfully obvious. The sole and only purpose of this system is to remove non-Google Android forks.

Id be more convinced that this was about malware and your security if you could turn it off.

I think this is mainly just an attempt to kill things like newpipe.

Add blocked bootloaders, remember when Huawei let you just do it if you wanted?

Most devices are just blocked and won't let you unblock. It is stuck it OS.

You can't even try alternatives.

HarmonyOS is open source (according to Wikipedia) but some of the tooling does not appear to be. I.e. can only get the simulator from mainland China.

The thing is making a smart phone is hard. You need experienced and knowledgable embedded engineers to design every aspect of the phone. You need people who are knowledgable about RF and know how to go about regulations in various countries. You need software engineers to build up a whole operating system from scratch and probably do that multiple times as the available technology changes. Not to mention create an entire production line to fabricate the parts and assemble them.

And while efforts like Pinephone are good, they don't have the VC or talent to really make that a reality anytime soon on a massive scale. Most efforts in this space are open source which is great but doesn't really pay anything. People with these skills can easily work at any phone OEM and make good money. So I think it will take a massive company to do it. Maybe Microsoft wants to give it another go haha. Amazon has tried multiple times to make this a reality but it's just cost so much money and time that they keep shutting it down.

I don't have any answers, for something to become viable is has to appeal to the average consumer and getting to that point is like crossing a mountain.

There was Firefox OS, but they ended it too soon. Now, they’re just trying to make money from ads

> easier said than done

This is true for both the engineering and business sides. Cyanogen’s failure showed that it ultimately doesn’t matter how good your software product is if your business side of things is poorly run. Same with the Pebble smartwatch - amazing product, terrible back office.

> The closest we've currently got are the various phone-targeted Linux distros out there. But they're not quite ready for serious usage for me; at least not on the Pinephone.

This isn't the closest, since we have Purism Librem 5 phone, which many people (including me) are using as a daily driver.

Is Pinephone still going? I was excited for it a few years ago, but I checked in recently and a lot of people are calling it dead. They discontinued to "pro" model and it doesn't sound like the software has much active development going on.

This is already happening. It would be nice to have a purpose-built "clean"/”lame" device that not only did networking for you, but let you run whatever super special shit that garbage banking app needs attestation for while serving it over vnc or similar to your "dirty"/"cool" device. Then the lame device could be quite small, maybe even stuck on to the cool device as a dongle something.

The end point is going to be you will only be able to connect to the Internet with a device that passes hardware attestation so people won't be able to tinker

This is really smart. It’s low friction. It’s a drag to need two devices, but it is a low compromise bridge to building up something like a pinephone/pinebook’s ecosystem without needing to keep swapping your sim card.

You make it sound like a bad thing! That's pretty much already where I'm at, and is in fact exactly what I want. My smartphone is for messaging and a handful of apps from major vendors (Google Maps, Youtube, 1Password, etc.) It shouldn't ever crash, have nagging software updates, require tinkering, etc., just like my microwave and washing machine. And for tinkering, I've got my Mac, my little Linux NAS, a variety of Linux handheld devices, etc.

Your heart is where your money. The device with the money would be the practical device for anybody except few RMS' followers.

I am already taking 4 devices with embedded batteries with me and it's pain during airport scans. I am not looking for taking 5th. :/

Microsoft pushed itself out of the sector by having a lousy mobile platform.

GNU/Linux phones already exist, although they're indeed being harmed by the duopoly.

That was before AI coding assistants.

Amazon was hopeless even with the apps, because they had their hooks into things even worse than google. They are shameless. Most other tech companies large enough to even try would be as bad or worse.

All that type of money went to llms, who is going to spend that on a phone os now? Not who should, but who actually would? They gave up on browsers, they gave up on mobile oses. There is a real risk that the next step is the US gov takes X% of google instead of enforcing antitrust in a year or two.

Linux phones will never take off because banking and media/drm apps, and by extension social media apps, will just boycott them and kill it off. The tone has been set, this comment applies to any major player trying to break into the mobile market moving forward.

This is honestly very bleak news.

I don’t even think Microsoft could. Google bullied them out last time with windows phone and the YouTube app debacle.

Until we have serious antitrust legislation against Google and Apple wielding their market power against any new entrants we are stuck with a duopoly.

At the very least, Google needs to lose Android, and probably YouTube as well.

Given the state of the Kindle and Fire TV interfaces, I hope Amazon keeps far away.

Not sure porting the apps would be such a big problem.

You could probably get away with porting only a tiny fraction of all apps.

I only use ~10-20 apps. If I was sure those work reliably I'd not hesitate to move.

Here's a list for anyone who's interested:

* Firefox * Money / bank * Identity * Maps * Email / calendar * Public transport * Chat (Whatsapp, signal, telegram, Facebook messenger, hangout, slack, discord..) * Camera * Music * Podcasts * YouTube * Taxi * Renting bikes * Parking * Digital "postbox" (not email) * Gym * 2FA * Calculator * Phone/SMS * Google Drive

Open source is a relative thing. Compared to iOS, Android is "incredibly open source!"

A GNU/Linux phone is dead on arrival unless it provides features that the masses consider a benefit. It's been attempted countless times, and every time it fails to gain adoption because the benefits rarely outweigh the downsides (yes, I know I will get at least one free software maximalist disagree, but in general, adoption rates support my point: these phones are used by such a small minority they're effectively a measurement error in the data).

If anyone wants to give it a shot again, don't start with a GNU/Linux phone, start with something the masses actually will care about. Reverse-engineered, adversarially-interoperable social media apps for all the mainstream networks with no ads/dark patterns? Cool. Adblocking by default? Sure thing. Built-in support for a wide range of cloud providers (including standard protocols such as SFTP/S3/etc). And so on.

Address actual pain points that people have. "GNU/Linux" by itself does not address anything. The non-technical majority don't even know what that is or means, and even for technical people it isn't a perk by itself - sure, you can run whatever software you want... but you (or someone else) still need to write said software to begin with... or you could just trade a bit of money and "freedom" and buy an iPhone which doesn't have any of those problems.

There were crowdfunding efforts like: Purism Librem, Liberux NEXX, /e/ foundation, eelo, Ubuntu Edge, Jolla phone. But none were really successful. The closest was probably Mozilla with Firefox OS, now Kai OS. I still own an Alcatel OT Fire phone, it's HTML5 all the way!

But I think Sailfish OS has a mature ecosystem, they are well recognized in the EU and based on GNU/Linux. I use it daily, after moving from UBports, and it serves me well. Hopefully SfOS gains more popularity.

> [...] someone with serious name recognition like Linus Torvalds starts to lead that kind of effort [...]

Linus is a kernel hacker, and already busy tending to his own project.

"GNU/Linux" is effectively a committee of communities, with sometimes conflicting goals. It took Canonical and Valve to put things into shape on the desktop, and that's mostly because desktop was becoming less relevant.

I see two ways for things to change here:

- A massive, for-profit corporation, someone willing and able to challenge Google and Apple on an even ground, is hell-bent on making a Linux-based phone (Microsoft failed even after acquiring Nokia);

- Another platform shift happens, making smartphones irrelevant in comparison (think: when smartphones displaced desktops).

It only matters if you treat phones as a development environment.

It's tempting to have full control over everything OSS style, but the reality is you can only tenably have that for very specific parts of life.

"Years ago I loved tinkering with the devices but then I wasn't able to use my bank and it was getting more and more annoying so at one point I just stopped..."

Until now I've steadfastly refused to use banking on my smartphones because of these problems (and I usually use rooted phones).

The trouble is it's becoming more and more difficult to avoid phone payments/banking. My solution is to get a small phone specifically dedicated for the purpose and use it for no other purpose (it's a pain but the best compromise). That way I don't have to worry about my main smartphone.

Of course, the best solution would be for governments to regulate for banks to accept multiple access/payment system of which there are a number. Standardized and regulated protocols would solve many of these problems but that's a too bigger subject to address here.

Ah yes, sailfish is actually pretty usable. (Unlike Ubuntu Touch, tbh). I've used it in the past on my Nexus5 for some years. However, they are still not 100% open source and they're too much into the AI-Hype as of recently (Mind2). Also, I'd like to have more official ports. It's such a hassle to be dependent on that one guy who maintains that port for your device...

Ok, how do I as a developer from Croatia get in touch with a legal representative from Google? And I don't mean 5 layers of indirection through AI chatbots and chatbots, forms and canned responses?

...that makes it worse though. It's just intrusion from more legacy states.

The whole point here is that this requirement is a vector by which states and state-like corporations can exert control over the internet. And the "inter" in internet is weakened by this.

Only if you want to use the age verification app.

The EU has different parts. This probably violates a constraint imposed by a different part, which the part pushing this hasn't noticed yet.

Graphene can run the Play Store, can't it?

"Alas, no distinction is made between (a) a computer owner that wants to write software to run on their computer versus (b) an "app developer" who wants to write "mobile apps" and distribute then to others for financial gain."

I could be wrong:

https://developer.android.com/developer-verification

"For student and hobbyist developers

We're committed to keeping Android an open platform for you to learn, experiment, and build for fun. We recognize that your needs are different from commercial developers, so we're working on a separate type of Android Developer Console account for you. We'll share more information in the coming months."

Will "verification" also be required for "hobbyists", otherwise known as computer owners, or "ad targets" in Google's framing of the www. Who knows

Putting restrictions on distributing bad software ("malware") to others is one thing. It makes sense, But putting restrictions on computer owners ("hobbyists") who write, compile and run software on their own computers is another thing entirely

It's not about consumer trust, it's the chicken-and-egg problems of users and app devs.

App devs only care about platforms with enough users, users only care about platform with enough 3rd party devs support.

Because it's the only bank that doesn't require a mailing address and I don't have a mailing address.

> While I used Graphene myself for a solid 6 months, the features you have to give up on using or find some obtuse workaround for aren't appealing to the "normies" who just want their phone to do what they want

Did you use GrapheneOS with the Play Services? Sounds like you didn't. Of course if you don't use the Play Services, you lose... the Play Services. But GrapheneOS allows you to run them in the sandbox.

> Throw in how Google starting with Android 16 is not releasing updated drivers with AOSP and Graphene probably doesn't have much life left in it, either.

This sounds incorrect. Google decided to stop sending the device tree of the Pixel devices in AOSP. And GrapheneOS is still fine, though it will take more effort because they won't get the device tree from Google.

That's not really going to fix anything here.

The reason a big company can do this is because they can absorb big liability risk and insure it appropriately.

A standard can't do that.

Yes. The 2FA via either biometrics or some other means requires us to have the bank's own app - even in small local branches - where said app is only available through one of the app stores.

In my case, the website is equal or superior to the app in every aspect except one: you cannot deposit scanned paper checks via the website, only via the app.

Web channel traffic is typically a tiny fraction of mobile traffic for banks. In some banks its like single digit share.

> in the end I can access my bank from a web browser.

If your bank allows you to access all features from a browser, consider yourself lucky. Mine requires the app to authorize any online transaction.

> access my bank from a web browser

Unless you get SMS or some normal TOTP app as 2FA, using the web page usually requires the bank's proprietary app to authorize. So you circle back to the the same issue.

My bank doesn't allow me to deposit checks digitally without the stupid app. Almost everything else is available on the website.

> They’ll try again, with big business and governments cheering on them.

No doubt. They only have to win once. We have to keep defending our own freedoms against non-stop assault until the end of time.

I'm so tired and disillusioned.

Government in EU will want it once they introduce the Chat Control legislation and observe that it is trivial to circumvent by either modifying clients to not scan or using free open source alternatives. Logical next step is to lock down all devices and thereby also ensure total and utter surrender of all our digital infrastructure to the current duopoly in the mobile device market (Apple and Google).

The question of how private property, intellectual property and posession/ownership should work is indeed something humanity hasn't properly figured out yet.

But if anything, regular people should have more of the cake.

And the answer is we don't. If we can't run our own software, then we do not own the computer. To run software of our choosing we need the cryptographic keys to the machine and we sure as hell don't own those keys.

regardless of what the corporations say we do own the devices we purchase.

The thing is most people do not want to mess with computers. They are terrified they are going to break them. Frankly they are not wrong. I spent yesterday just trying to get a div tag to flow correctly with all the objects around it, a whole day down the drain. I have a pretty good idea what I am doing. However, for others these things we call computers are inscrutable devices that just 'decide' to do something wrong. We have built this https://xkcd.com/2347/ and expect everyone to be cool with it. Most people most certainly are not, and are willing to give away whatever just to make it easier to use, and not randomly screw up. Apple and Google can take whatever they gave away now because well most people really do not care. The rest of us can pound sand for all they care. We effectively have a duopoly and they are acting exactly in the manor of that.

Computing devices hardware and operating systems should be treated as a consumer's choice.

If a company offers some benefit at the cost of some restriction, then users should decide if that benefit is worth the cost. For most Android users, it will be - my grandma isn't interested in the freedom of indie devs to develop for her phone, she's interested in not accidentally installing malware.

I don't like that as much as you don't - for my own devices. But like anyone else who cares about that, I can root it and get past the digital nanny state.

I accidentally read this as "there's lawyers below root" and I'm not sure I'm wrong.

Yep. I don't need/want root access, as it is too much of a security risk IMO. But of course the possibility to install a `su` binary should be there.

I primarily want to be able to unlock the bootloader to install a custom de-googled Android Version (such as GrapheneOS) and then lock the bootloader again (using a custom_avb_key). This is currently possible with Google's Pixel devices, but most Android devices don't even offer this...

This. But being able to get root is a very good starting point.

I think there is also still room to legally require a common SW-layer with respective documentation to utilize features of underlying hardware (optional without the shipped OS on top, disconnecting the device from the shipped ecosystem).

This would also make sense in order to prevent e-waste and put this old hardware to better use.

It's crazy to think how much computing power is just added to a drawer or landfill every day, just because there is no reason for the vendor to allow you to repurpose it.

I would e.g. LOVE a "Browser on everything" OS which just provides a Browser OS for outdated hardware, but the only way this could work on scale would be if the device-vendor would be mandated to provide and document the lower layer...

I can buy a computer, disable secure boot, install linux and then do w/e I want.

Same can be true for phones?

This is something the folks in the Permacomputing space have been discussing on and off for years.

Maybe we can make chips at the level of a 386 but they would be freedom respecting.

Starting to sound like Stallman again.

We live in a world where the top chip makers are being shaken down by the US government to keep access to markets because embargoes and tariffs. And where software developers have to have a live feed of what every user is doing to Brussels or be arrested.

Too much capitalism isn't our problem.

>The only way to really fix it is to break up the wealth and power of individuals and corporations based on their total effective power

That simply transfers the power to the one doing the breakup, which in most cases, are the Governments, which are notoriously known to invade user's privacy under the guise of protection of children or whatever.

This is not related to malware or scams, and using that is nothing but a PR smoke screen.

While Android is vulnerable, especially to user stupidity, people mostly get scammed by fake credit card charges or by giving access to their notifications and contacts allowing for spam.

And yes, while there are "infected" APK's for popular apps , this again isn't the case here.

The real case here is money.

Apple earns $27B from commision on apps, while Google earns about $3B. Why?

Because Android users are "less willing to pay", which includes pirated APK's and "unlocked" app versions. Eliminating the possibility of using these for 99% of the people will be enough to force them to pay for that app/service in the end, raising the Play store revenues.

Do not trust Google when it comes to "doing it for the user" - their mission is to establish as strong of a monopoly on the platforms and extract as much value as possible. They spent more money on lawyers & policy lobbyists in the last 10 years trying to keep Android closed than some S&P500 companies are worth.

> Tell that to all those assholes that are making malware and scamming society on billions.

So like Google?

Software that acts against the wishes of the user is malware, let's not forget that.

Exactly this; the vast majority of people cannot be trusted with root access. And for those that can, the majority won't need or want it.

While I do believe root access should be possible, it shouldn't be easy. Because I'm confident my dad who wants to pirate F1 instead of pay for whichever overpriced premium streaming platform bought the rights this year would root his ipad and install a dodgy stream player if it was easy.

> Tell that to all those assholes that are making malware and scamming society on billions.

And then? I don't know how many times I've downloaded APKs, including obviously malicious ones by accident. But not once has it ever been installed - not even when it was deliberate. The only way I ever 'sideloaded' anything is using 3rd party stores (just fdroid and aurora in my case), which themselves had to be installed via ADB after enabling developer mode. If you have that much skill, you're almost surely skilled enough to understand the security implications of sideloading and choose wisely.

And there are far worse malware available on play store than anything on fdroid repositories, if anything at all - anonymous or not. I hope you remember the SimpleMobileApps fiasco. People who installed it from fdroid were safe from the malicious update, but those who did it from play store were not, when the entire suite was turned into a spyware overnight. Not to mention the tea and boxscore apps scandal. Neither would have made it into fdroid. Google cares the least bit about security, if that isn't clear from the spyware tht each new android phone comes bundled with.

In all, Google's claim of security here is deceptive and farcical. The actual target is going to be the patched apps like revanced, root access software and anything else similar that allows the savvy user to escape the unfair and arbitrary limitations imposed by Google. The ultimate target is the users' pockets. This entire discussion is full of people reaffirming that conclusion. But scapegoats will be found and sacrificed regardless. Let's just not for once. Google deserves the atmost and undiluted contempt and condemnation for their greed and their willingness to erode consumer rights that underlie such dishonestly worded hostile and unilateral decisions.

To install 3rd party APKs on Android involves deliberately removing some guard rails. You need to allow it in settings, you need to enable developer mode, you need to agree to each individual source as a trusted source. If people are still blaming malware on this, when malware exists in the actual Play store, then they're delusional.

Right now, the average Joe can't click a link and install a 3rd party app. Meanwhile, you can install malware from the actual authorised sources, or even just come across a vulnerablity in chrome.

Keeping your devices up to date with security patches will save orders of magnitude more people from malicious software than stopping 3rd party app installation.

I occasionally develop Android apps for myself (mostly out of curiosity and experimentation, but sometimes out of a need for some particular functionality). I'm not going to apply for some developer permit and verification just to do this. I may as well buy a damn iPhone.

I think we should actively make the web more hostile again.

Google themselves promotes malware - take a look at the play store. Adware, adware, adware, name meant to confuse people, more adware, probably has a keyloggers, adware adware, probably steals your data, adware adware.

For fucks sake, Meta is at the point they're pulling malware tactics to sell ads.

Circumventing permissions for app to browser talking? Really? FOR ADS? Thats where we're at?

I'm over it. Anyone who thinks this has even the faintest thing to do with malware is legitimately delusional. Not misinformed, delusional.

Malware is not a huge problem that requires restructuring the entire ecosystem to be closed and authoritarian. Nobody I know has ever had problems with malware or scams on Android.

This has nothing to do with malware, and has everything to do with locking down the Android ecosystem to keep out competitors to Google's services.

Take away all these freedoms and users will still get scammed. It doesn't help and it's not the real point.

I know literally 0, 0 people who have installed malwares or had their smartphones hacked in their life times.

The very few I know that have had this happen where all computer users, and virtually all victims of social hacking such as "hey, I'm from IT department, sending you an email, could you please...". A friend of mine exposed sensible data of thousands of customers of her bank like this.

You don't have to prevent root access. You just have to inform user of the risks, void warranties if you want but let users do whatever they want with the hardware that they own.

That's not what it's ever actually about. You're buying a disingenuous framing that pins blame on the bottom when all these harmful trends come from the top. This isn't to protect grandma, it's to protect Google. This is always what happens when you allow pockets of power with interests misaligned from those of most people. The pockets of power get their way, and people are worse off.

I have a friend from college who once clicked on a link to download more RAM for his PC. He has a PhD now and deserves it - the PhD just isn’t in anything tech-adjacent. Bottom quintile is a floating signifier.

Everyone makes mistakes

Protecting the bottom quintile from consequences of thier mistakes also protects everyone else if they ever make those mistakes in a momentary lapse

Maybe society shouldn't be structured in such a way that people have to be constantly hyper vigilant to avoid mistakes with high consequences

s/the bottom quintile from the consequences of their own mistakes/the top centile from antitrust law/g

The "bottom quintile"? By what metric?

100% in alignment with this! Direct quote from the end of the post I linked:

“In the broader conversation of right to repair regulations, we also need to be thinking about a "right to root access" for computing devices.” :)

Why do we need app stores in the first place?!? No app stores => no vetting, let users download whatever apps they choose, and deal with the consequences.

Yeah on the play store, nothing wrong with enforcing standards there, but enforcing a monopoly on it changes that.

It's a tricky balance-act to secure their ecosystem.

The more measures they take to secure it while allowing the user to decide whether to participate, the more drastic this opt-out user-decision becomes.

In order to now preserve that "open ecosystem", they would have to provide the user an option to disable Google Services entirely, which would turns the device almost into a separate product

All this is unlikely to happen just for the sake of "pleasing the community", I believe we need a general legally binding definition of what functions the user owns if (and when) a device is stripped of any services on top.

If my car loses functions once it loses connection to the manufacturer, this bare set should be communicated as the purchased value ("in exchange for your money"), separately from any on-top "in exchange for your data" business-model

> they got so much

And get judged for their reactions, as is proper procedure.

Why am I reading today articles that present an apocalypse without clearly specifying if there is a "way out OS flag" (allow installation of unverified APK)?

> we will be confirming who the developer is, not reviewing the content of their app or where it came from.

What is the point of that? Then app content is the problem.

Ideally if they setup manual review then it would resolve some issues.

That doesn't make sense. How do meet your own needs and desires if you can't use your own property the way you want?

And isn't the point in this very situation that people simply can't buy what they want because Google and Apple are a duopoly and now Google is going to follow the path of restricting what you can do with your own property?

This is based on the false assumption that the free market solves every problem.

But the reality (which was correctly identified by Adam Smith himself) is that the effort required to enter a market can sometimes be so high, that we practically end up with oligopolies, see mobile OSs. They require a network effect to make sense, so the entry cost is not just developing the product, but also to somehow convince basically every other player to consider you a target platform - which is a cyclical problem that you can't just bootstrap yourself into. Even Microsoft failed at it, even though they were paying hefty sums to companies for apps working on their OS.

Ok I'll bite. Tell me what you find appealing about losing authority? Is this some kind of emotional response for not wanting to take responsibility?

My needs and desires are to have control over my tech stack.

Are you intentionally defending a rent-economy or just ignorantly?

This is a drastic response, but they didn't make up the security threat. Attackers convincing users to side-load malware is a thing.

https://www.bitdefender.com/en-us/blog/hotforsecurity/hacker...

It's the security of having happier shareholders, making more money.

That's still security, albeit an entirely different threat model.

Wouldn't that launch the browser app and bring it to the foreground? I wouldn't compare that to having full network access.

The ability to launch other apps can be put behind a permission screen too.

> Typical issue - I want to download an app that's not on available "in my country" - because I'm on a holiday and want to try some local app,

The solution here is just to get rid of artificial country limitations which make some users download APKs. None of those make sense in the online world anyways.

> Of that they still refuse to sandbox the play store.

It's absolutely essential that Google Play Services have "root" permissions and circumvent the permissions system normal apps have. How else would Google have access to all of your data? :)

<uses-permission android:name="android.permission.INTERNET" />

It's been there since Android 1.0.

What's missing is a way for the user to deny it.

"Hidden" isn't exactly right. It's completely inaccessible, unless you use a custom ROM like LineageOS. But it is a real permission:

https://developer.android.com/develop/connectivity/network-o...

You can deny internet to any specific app.

And K is "kill".

You can install unsigned apps on Windows just fine, maybe with one extra nag screen. Plenty of large open source projects don't sign their installers - VLC being one big example that many normal people use.

It absolutely has to do with ads. While there are various ways to exfiltrate small amounts of data, the non-collaborative ones are rarely silent and most importantly, they won't let the app get responses (e.g. ads) back.

The main thing this permission would be used for would be blocking ads. Also distinguishing shitty apps that are full of ads from those that aren't. If there is a calculator that needs Internet and one that doesn't, which one are you going to use?

> 1) Internet connection is so ubiquitous as to just be noise if displayed

That doesn't make it any less useful.

> 2) It's not robust, apps without Internet permission can still exfiltrate data relatively easily by bouncing off of other apps using Intents and similar

I've heard claims that the Internet permission is flawed, yes, but I've never managed to find even a single PoC bypassing it. But even if it is flawed, don't you think Google would be a bit more incentivized to make the Internet permission work as expected if people could disable it?

I mean, I just did a quick look over the installed apps on this phone and ~1/4 of them would work perfectly well without an internet connection, things like a level or GPS speedometer that use the phone sensor or apps for Bluetooth control of devices [like 0] . Why would something like a bubble level app need internet access for anything besides telemetry or ads? I realize I have way more of these types of apps than the average user, but apps like this aren't a super-niche thing that would be on 0.1% of devices.

I just tend to give Google little benefit of the doubt here, considering where their revenue comes from. Same as when they introduced manifest v3, ostensibly for security but just conveniently happening to neuter adblocking. Disabling access to the internet permission for apps aligns with their profit motive.

No you can’t enable it, nowadays developer just declare if they want internet permission. Before, user could say « no, I don’t want you to have internet access ».

It’s something possible only on grapheneos as far as I know.

The malware makers will use fake or stolen IDs.

I used to 100% feel the same, but at some point I realized the problem was me, not him, in not viscerally understanding his goals. His stated goals are very clear, but the audience usually has somewhat overlapping, but nevertheless distinct goals. This is indeed at the very core of Open Source-Free Software feud. The base is almost entirely the same people, yet the ideologies are not the same, and in a very interesting way: the differences are critical to RMS's ideology, but minute to the other side. Thus, the other side thinks of a crazy guy ruining the whole thing for nothing or very little, and evaluates him as net negative for "the cause." Well, it is absolutely true, for their cause, not his.

I think his take on what compromises are valid and what aren't makes this clear: https://www.gnu.org/philosophy/compromise.en.html

In fact, this particular incident, re Android, a seemingly "open" system, is a perfect example of the importance of his PoV in particular, as it illustrates that Open Source ideology would not have been enough to ensure the user is in control.

It's inconvenient to have to recognise that we are being f**ed in the ass by corporations like Amazon, but that doesn't make it any the less true unfortunately.

It's also a damn shame that the majority of the people who are skilled at communicating messages effectively are working for these corporations; because without them, the unfiltered message of people like Stallman is all we've got.

Stallman's mannerisms are one of the only reason FOSS is still standing.

First of all, from a public image point of view, it really doesn't matter at all whether he ate something off his foot or whether he says "Amazon swindle", because Stallman isn't the gateway into free softward anymore.

To an order of magnitude, no one in the last 15 years has heard of Stallman then free software.

The real role of Stallman is to avoid the movement being co-opted by soulless and/or corporate interests. As long as Stallman is here, you can't make free software corporate and well-mannered, which essentially means you can't absorb it into a marketing strategy for your next brand of phones unless you actually plan to deliver.

I was always somewhat put off by his extreme vigilance over the word free. Stallmans usage of free software is exactly the same as the rest of the worlds open source. We also have “source available” for software that is license encumbered but distributes the source.

So much time and effort wasted on a fruitless effort to redefine words that already have well established meanings.

Yeah, let's be nice and polished. No blood, no foot eating, just nice people talking in nice settings (castles, maybe?) around a warm cup of tea.

That's how revolutions succeed, historically.

> Stallman actively hurts the cause with his behaviour.

People arguing this should realize that actors fighting oh the other side of the war might act kind and use politically correct wording, but they're still eroding our freedom little by little.

Arguments like this ("his behaviour") really mean that people care about policing other people's behaviour more than they care about the actual topic being discussed.

Downvote me if you want, I don't care:

- Stallman, singlehandedly, did more than anybody else for freedom in the computing industry.

- People pushing those arguments a huge part of the problem.

- People like Stallman are a huge part of the solution.

To put my thoughts into one sentence: You can't fight the system within the system.

Calling the kindle the "swindle" hurt open software?

Listen to yourself.

I will forever call it the Amazon Swindle now, that's hilarious

Frankly I find it refreshing in a world where everyone is obedient to the corporate overlords to have someone who just doesn't give a shit and calls it out exactly the way he sees it.

We don't need more polished people.

Why would someone use Kindle?

Well if they are too stupid and ignorant to consider the meaningful content of what someone says and get so fixated on how they are disgusting (although it is obvious that he is doing that to attract attention and make what he says memorable), perhaps it is fitting that they lose all their freedoms.

Language matters. I actually really like what Stallman does. You need this kind of thing to counteract repeated exposure to marketing material. It's similar to the Dave Ramsey situation IMO. Dave Ramsey's advice is objectively bad but you need something to be repeated as an alternative to the credit ads people hear multiple times a day.

These simple repeated ideas slowly absorb into people's subconscious.

[flagged]

It is possible, sure, but I have a feeling it goes unrecognized how prophetic and precise his concerns were, and that this is very similar to his original issue with the closed-source printer software he was not allowed to fix, and he does not get credit for his predictions, as people simply pass by, and not connect it to the Free Software issue, when issues like this happen; meanwhile he takes all the downsides of being brash and anti-corporate, which is taken advantage of by the Corporate Open Source crowd.

It's easy to piss on the individual.

Ask yourself how come free software is everywhere, with licenses for various stuff neatly tucked away out of sight unless you're trying to find it, not to mention all the giant clusters of Linux machines in data centers running Samba, PostgreSQL, and all sorts of free software, and at the same time the FSF still has just a small appartment on the 5th floor of a building in Boston?

Here, take a look: https://www.fsf.org/about/contact/tour-2010

Having spoken to Stallman over the years many times. One of the most difficult people to talk to, but completely spot on with his ideas.

Who is doing a better job?

Because I see A LOT of “open source” advocates these days, and more and more “source available”.

But the old school Free Software hippies(that started with BSD, NOT GNU, IMNHO) are slowly dying out and being replaced with?

Millennial here. I took up educating masses in my country about all this. I quickly realized that people just do not care.

Millenials here. We did. A lot of a lot. And nobody cared.

Even today on HN most use chrome instead of firefox and mac instead of linux and. If you can't even convince the biggest nerds that supporting alternatives is important, what chances do you have?

Plenty of Gen Z caring about freedom, but unfortunately lot of them being deported from the U.S. for defending Palestinians.

I mean - Western world is a bit tougher place for protesting than it used to be, due to capital accumulation. Free SW is admirable but a pretty first world problem, unfortunately, low on the list of priorities.

> but Stallman is an extremest

No, he isn't, https://news.ycombinator.com/item?id=45025116

I don't think I can come up with a worse reason to build an opinion on someone than not following the orthodoxy in the extremely stupid context of culture wars.

I think his proposal to use "per" instead of "they" actually makes a lot of sense, because "they" is very confusing in a lot of contexts, because it's a word already used for another function. I don't see how you perceive that as something negative.

The quote about pedophilia is concerning indeed, but I think that rather stems from ignorance about the issues than promoting pedophelia. It's easy to shit on such things and wokely dismiss someone's entire opinion, which I find a bit weak.

Stallman was smeared for being uncompromisingly rigorous and objective: https://stallmansupport.org/explaining-events-that-led-to-st...

It was all witch hunt from there.

I can understand Defending bad people. He is railing against freedom of injustice. I understand being abusive. He is feeling hopeless. I haven’t seen Harassment so I don’t know what to make of it.

He seems to walk the path of purity of ideas. And may come off as aggressive. As a by product, he may also be aloof from the career ladder. His trust in being nice to people is broken (autism?).

He has some good civil rights stuff https://www.stallman.org/

is it really worse than losing your freedoms?

Hm, not sure about that. I know from browser add-ons that markets like Brazil do suffer from increased scams, especially banking scams. I could see that this is also an issue for scam apps.

Firefox for instance does not allow you to install unsigned extensions. You don't need to list them on their storefront, but they want to perform automated tests and have the ability to block extensions through this signing requirement.

So in principle I can see them wanting to address a legitimate issue, but the way they are going about this is way to centralized. IMO they should do something like we have for web certificates, where vendors can add more root authorities than just the one from Google, and users should be able to add their own root certificates if they want to side load apps.

Vance is just as big if not bigger problem there.

>Vanced and such is more of a First World/Western issue

What? I'm from Brazil and Vanced is as big, if not bigger here. In fact, most of my 'first world' friends just pay for YouTube Premium (or whatever it is called), and these kinds of workarounds are mostly used in countries with less purchasing power.

If a giant red warning saying 'THIS APP MAY BE MALWARE' doesn't stop someone, then they've either made an informed choice to proceed or it's willful negligence. In other words, users aren't 'trained' to ignore warnings; they're simply being willfully negligent.

There aren't too many false positives, it's just that most modern android software is malware.

Saying "this will steal your data" is probably correct.

So what were actually asking users is to install some malware, if it's provided by a big enough tech company, but not other malware. Of course users get confused.

Just stop downloading apps altogether and run the web views in the original web view - the web browser.

Will Google, Meta et al. do that and abandon their apps? Of course not, they need to install malware.

The way we allow paternalistic tech companies to train the consumer to abdicate personal responsibility is going to bite us in the ass sooner or later. I'm betting on sooner.

Then make the false positives lower. The problem is they aren't incentivized to improve such features because, where's the money in that?

How about requiring the user to type into a text box "App Foo might be malware. I want to install it anyways."? And disable copy and paste for that box.

Maybe they shouldn't offer a "OK" button that the stupid user can blindly click. They could tell you, "this app is dangerous, go to system settings to enabled" and a "Dismiss" button.

This is something laughable that Apple does. Anytime you install something from Github it'll make you click a few extra boxes. And their tightening down of things also ends up making people look for third party software in the first place. All this really does is, like you said, teach people to ignore warnings.

So what's wrong with that? You get warned, you ignore the warning and get hacked, that's on you for being dumb enough to download stuff from some shady website. Plus, Android is supposed to have decent isolation and permission controls, unlike desktop OSs like Windows or Linux (not counting Snap/Flatpak) where software can read your entire disk or any arbitrary file and send it via the internet.

Plus, you are not required to do that, you can just stick to Google Play and trust what Google approves there. But no need to lock down others because of your recklessness.

You just have a flawed definition of success.

By allowing people to shoot themselves in the foot after ignoring a unmistakable warning, you are helping teach the foolish to be more careful in the future. Making mistakes is the best way to learn something.

Fuck em. If you ignore a warning, let nature take its course. We don't need to child-proof everyone's home.

[dead]

> Do you like losing money?

what about us losing control over our own devices? do you like losing control over devices you paid for?

Of course i care that i lose money.

I dont care that google loses money.

Let's see for how long this remains true. Every step they get closer to making you watch what they want, instead of what you want, it becomes more likely they will try to even prevent you from viewing videos when you use uBlock Origin.

I'd sooner get a Chinese phone that isn't "Google-certified" than reward this behaviour by giving $1000+ to the DRM OGs at Cupertino. Neither Apple nor Google are protecting users against the alleged data-stealing evils of Tiktok, so how exactly are they providing any kind of "user safety" by throwing up fees and red tape for small independent developers?

Maybe it is time to try Jolla as next phone:

https://jolla.com/

GrapheneOS are living on the mercy of Google by the way.

"Which devices are supported?"

follows: list of Google devices - great, but I don't have Stockholm syndrome

I really don't understand this war on language that is so prevalent in tech circles. There's a bunch of these like switching git branches from "master" to "main" or "blacklist"/"whitelist" to "allowlist"/"denylist" and I have yet to see a single problem that all of this term shuffling has actually solved.

This is a great point. Not sure if it’s possible, would be great if there was some way to reclaim the notion of installing software as a general practice, regardless of whether a computer is “mobile” or “desktop”.

Like people still download software packages from the web on Windows, MacOS, and Linux… right? Maybe hard to grasp for the kids that grew up with tablets with no notion of a file system, idk

I call it "direct install" personally. It's how you are supposed to be able to install programs, directly from the source.

If anything, it's the playstore and appstore which are side channels.

> When asked, we can clarify that the 'free' stands for both freedom, and not paying middlemen 30%.

Every time you have to clarify, it’s another opportunity to lose the asker. It’s not a good strategy to use a term we have to keep defining or that people may misunderstand. Stallman and the FSF continue to make that mistake and we have had decades to understand that’s a bad approach.

Call it something else, like a “direct install” or something better. You can still have a deeper meaning to it (“direct because it bypasses the App Store middleman”) but make it something people can understand fast. You can’t fight marketing with ideology alone, you have to beat them at their own game.

I propose "load" or "install".

And while we are at it, "Application"

I'm so used to installing via F-Droid or straight APKs, installing something using the Play store feels weird and hack-y. If anyone's doing the "side loading" I think it's Google :P

> People install games from Steam or the Epic Store on their computers without Microsoft preventing that

microsoft wishes they could have the level of platform control that google/apple on mobiles have.

It's pure luck that the IBM-compatible PC was not locked down and restricted, because at the time IBM had not thought of it as being important. When it became clear that it was a lost profit opportunity, the cat was already out of the bag and so IBM had no choice.

Microsoft repeated the same "mistake". But apple learnt, and google also from apple.

That's also because Microsoft has their own game / app store and video game monetization scheme in the form of xbox live, which is integrated into Windows installations.

I don't know if it's actually used much much on windows, but iirc xbox live is pretty popular.

Wrong analogy, as you need to register at Steam to sell a product. To share an executable for Windows, you don't. It's also not about taking a cut.

Do you know that Proton is developed as a countermeasure against Microsoft's possibility of vendor locking? It is already anticipated that little or more Microsoft will want that cut.

We're at late stage capitalism, where enshittification occurs at alarming rate.

I can do banking and otp at home with a 100 Euro phone that I use only for that. FB, TikTok, Instagram, etc, neve ever installed them on my devices.

The problem is that I want to make calls, SMSes, use WhatsApp and Telegram, Maps and OSMAnd, NewPipe, VLC, Syncthing and a few others on the phone I carry with me.

And to make matters worse I don't want a huge, thick and heavy brick like every Linux phone I read about. I'm on a Samsung A40 now and it's not easy to find a replacement with similar size and weight.

I agree with this take. Desktop Linux is better than ever and I can do just about 100% of what I need on my Linux PC. I still use macOS regularly and even Windows sometimes, but I’m not too worried about Apple or Microsoft locking things down. The more they do, the more I’ll just use Fedora where the same apps I need are available.

The most critical apps for me on mobile are banking, payments, transportation, and messaging. Banking I can’t do much about. Payments I can still handle with physical cards. Messaging is getting better thanks to people adapting proprietary services to Matrix, so with some effort you can use one open source client to reach them all.

Transportation is the area I’ve been working on. I’ve been getting MapLibre (an open source map rendering library) running on Compose Multiplatform, including Compose Desktop (so map apps built in Jetpack Compose could extend to Linux based phones like Librem) and also on Huawei’s HarmonyOS. If I can cover my everyday needs with open tools, then walking away from the Google/Apple duopoly stops being a thought experiment and starts being a real option for me.

I agree with you idealistically, but practically, creating an entirely new mobile OS with market share competitive with the existing two is an unbelievably massive challenge. It'd probably be just about as easy to get people to care about sideloading in the first place.

I had to do some light research on Wiki, but it looks like Firefox OS was supposed to fill part of this void. Sadly, it was not successful, and the project lost funding and support from Mozilla. I think if Mozilla could not do it, it seems hard to imagine there is an open source org with more talent and money than Mozilla who can make it work.

Sailfish tried and failed. Various Linux distro also tried and failed even harder. Consumers at large just aren't interested in anything other than iOS and Android.

Valve has managed something similar with SteamOS as well as Proton built on Wine to make Windows games run on Linux, performing as good as or often better than an actual (modern) Windows install.

SteamOS isn’t too far from a mobile OS.

  A duopoly just isn't competitive enough. Too bad the cost of entry is so high.

I've heard this one before.. given the apt political analogy , I wouldn't hold out hope.

There's already open source OSes that run on phones that aren't based on Android.

Off the top of my head there's a Debian based one, a Fedora based one, webOS, PostmarketOS, probably others. Wouldn't be that difficult but yeah, the cost of entry is still probably tens of millions.

It’s like uber, doordash or carvana, you can’t fund a huge project like this without free money. ZIRP is the moat.

use a fork. GrapheneOS is amazing. I feel like I own my phone, I trust my phone, and it obeys me, for the first time in a decade.

unlock. flash. spread the word. use the fork, Luke.

I don't see anywhere in the official announcement that you will be required to "tell Google your real name and home address to install anything on your Android device". The announcement is about developer verification, not user verification.

4. The majority of users don't know or care what sideloading is, so this has a marginal effect on userbase

This is the solution.

It's like napster and torrenting. People dont care about the tech behind it - they care about the outcome.

It's just that the majority of normies dont even know it is possible (and didnt think an alternative exists to sideload).

For what conceivable reason would they make the users go on desktop, considering mobile is in the process of being fully locked down?

If anything, they'd eventually deny access from desktop, forcing everyone to login via the fully manages mobile devices without any user freedom.

Some banks are already getting there btw, as their preferred 2fa is a companion app... One small step away from making that the only option, effectively denying access to anyone without a locked down mobile device.

Actually my bank already requires me to use the phone app for any operation on the website. When I want to login from my laptop I need to use my phone with their app to approve the login, same for almost any operation.

Ah, and it can only be installed in one device at the same time :D Don't have your phone available? Bad luck for you

De facto, this is already the case - you can use your computer as a display but to actually authorize a login or transaction you need your phone with said attestation.

A dedicated app on a locked down OS is vastly more controllable than something like a browser that can do virtually whatever it wants.

How it generally works iso low risk operations have no restrictions, but if you want to send a large amount of money to a new contact, the banks make you approve the transaction on the phone app.

Phone apps are generally significantly more trusted because of the fact you can’t install malware that steals the session token, and they can do a Face ID check before any risky operations.

Is it confirmed that we will even be able to disable this?

How will you login to the banking app in the browser without a locked down phone? In Germany, MFA is enforced and with many banks the only allowed second factor is an app on a phone.

That's where the "prohibitively difficult" part comes in... surely they don't expect every developer on every open source app in the world to have their own app registration/package name for the same app, do they? Feels like an N * M problem, if so.

And thus accelerates Google's push away from APKs, preferring instead for all developers to embrace their proprietary App Bundle format. Complete with ad hoc signing performed by the Google Play store at time of download. The bundle is also customized to the device, meaning an .aab file ripped off a device won't necessarily be loadable on another device since it could have different configurations/hardware that happen to limit it.

I think anyone who works as a dev knew this was Google's endgame the moment they started circling the wagons with the app bundle stuff. It was already getting weird before that, but it was uncharacteristically out of step with historic Android.

Nope, you could, given that no Google libraries is used.

You could always run the APK on a stock AOSP build, or any fork of it in the internet.

That's the blackpilled take. The whitepill is that sticking up for yourself hasn't ever been easy, but it's always been an option.

> There is; it's the "phone" part of "smartphone". Being a phone makes the device subject to a lot more requirements (for an obvious example, emergency dialing must always be available and work, and at the same time the phone must never accidentally dial the emergency number).

Funnily, Google is one the few phone manufacturers who can’t make emergency calls to work. (e.g. search Pixel problems)

> for an obvious example, emergency dialing must always be available and work, and at the same time the phone must never accidentally dial the emergency number

Why are Pixel phones allowed to be sold then? Google broke emergency calling on a least three different models, and at least once across models.

> They stated their reasons they think this change is good.

Right, because someone doing something evil would say outright what they're doing is evil.

> It's straight up false, it's still in their code of conduct

This is news to me. I think it's interesting that they removed it from the opening and put it at the end though.

There shouldn't be any side effects other than rendering Play Protect inert. No other AOSP component relies on this setting.

Ironic that Google's supposed concern for avoiding malware will cause people to turn off their malware scanner.

> the Xcode cloud build and distribution ecosystem is an absolute steal at $9 a month. Private Testflight (with no review) can be more convenient than that desktop cable.

I genuinely can't tell whether this is sarcasm or not. Are you seriously comparing a 9$ per month plan Vs simply plugging your phone or syncing an app file wirelessly?

Are you being intentionally obtuse?

Developers sometimes seem to be as in control as farmers are of the distribution of their produce. There's no absolute rule that gives the owners of large scale distribution networks power over both producer and consumer. It's just laws of convenience. It's easier for everyone to go through a few or just a single common broker.

There's no law against a more democratic way to implement the broker either but it requires interesting methods of coordination and/or decision making that doesn't seem to exist yet?

Some developers did. Others, who didn't care so much, got into the app store instead, and got rich off it. Users didn't care about such principles and mobile-first has been a viable strategy for a long time now. Not having something of an app is a problem if you want to stay in many markets.

Developers want a stable, secure platform where they can reach customers that trust the platform and are willing to transact. Everything is downstream of that, including any philosophy around control.

Developers are businesses and the economics need to work. For that, safety and security is much more important than openness.

Money is a powerful motivator. For better or worse.

Not related to the OP, but no you don't.

Just look up how to skip the "OOTB (out of the box) experience" and you can still bypass having to set up a cloud account on Windows 11 and can just set up a local account like normal. :)

Not quite yet - install Windows 11 IoT LTSC with Rufus and you get a perfect version of Windows with no ads, account requirements, etc.

But I agree about the trend. Microsoft will probably block this workaround eventually.

[flagged]

Got tired of this with a few extensions I made too. It felt like every year or so they'd completely break some API and I'd have to go switch to the new one, then they wanted a privacy policy, then justification for permissions, etc etc. Wasn't worth the trouble eventually and I just let them die.

>But they're gradually working their way there just like Google and Apple.

imagine microsoft having the moral high ground for once

Aside from the prospect of bad press and user protest - There are still non Play Protect certified Android phones being released, including a few rare phones that skip the Play Store altogether (including the Fire phones). So they could lose at least a little bit of ground in this area. In a sense, they are in competition with their open source offering, even though they have a lot of control over it these days.

It could also make jailbreaking more commonplace, which on the Android side has died down in recent years because sideloading is enough for most users.

Android forks. AOSP, GrapheneOS, LineageOS, CalyxOS.

we need more OEM unlockable phones, though. GOS is looking at getting one made, I'm planning to throw money at them to make it happen.

I'm going to be buying Apple from now on. If I have no choice and I have to be in a walled garden, I'm going with the best dammed walled garden on the market.

This isn't even going to be some sort of an ideological decision. It's simply the intelligent choice.

China has a whole slew of more advaced phones than we have here. They just can't export them to us because 'IP' and other 'security' restrictions.

> Isn't it basically the same requirement as Apple enforces for iOS?

Yes, which is why it's bad.

It's not illegal to not release your software on a platform. But the mobile market is so top-heavy on both the apps and the games side, that without a few key developers - Meta, ByteDance, Tencent, etc your union is dead in the water - and the top 1% of developers would very much like to more friction for new developers, not less.

Why would they do something to hurt the customers that stick with them, just to spite the ones that don't?

Android has like 70-80% global market share.

I think google has incentive to get that data for themselves so they won’t give that up.

One of those would be in corrupt countries you don’t have the „trusted 3rd party”

While this did funnel countless FOSS and commercial developers to pay MS for certificates, it didn't close even 50% of loopholes. You can still execute third party software from your own (e.g. Steam launching games you install with it). You can also use interpreters, JVM and other ways to disregard the requirement.

If fact, the reason why MS can charge for "nearly mandatory" executable signing is because it is not mandatory at all. If they really were forced to close loopholes, they would have made it free for everyone, — just like Let's Encrypt was made free of charge to establish mandatory encryption across the Web.

Yeah, it's like we've given up. Between third-party doctrine, border enforcement being excluded from 4th amendment protections, and 100-mile zones around international airports being considered "the border", it's like there's no place left where the constitution applies. How did we forget why we made these rules in the first place? It's not like the risks are smaller today than they were 250 years ago...

  The US considers airports “constitution free zones”

And the rest of the country as well now. The highest authority is threatening municipalities with military takeover.

Corporations are reading the room and pulling out any hostile tactic they've kept in their back pocket waiting for an occasion like this.

This is only the beginning with digital IDs. It's absolutely going to get worse and all of human history is available as evidence to what occurs with unchecked power.

I mean if you want to avoid smartscreen BS you already need to sign your Windows executables with EV code signing cert that is not cheap and issued only to registered businesses sooo...

Microsoft is trillionaire company and still failed to do that

lets that sink it on how hard to make ecosystem

> Come on. Go back to a flip phone, or make your own smartphone ecosystem. The entitlement is outrageous.

This response is unreasonable. If I'm purchasing a piece of hardware, it's not outrageous that I want to be able to compile and run software on it without asking for permission. Suggesting that I instead create my own smartphone ecosystem is absurd.

Just build your own smartphone empire lol

The wild west is on the play store and the app store right now, Google and Apple get most of their money from casino game apps stealing from users.

And both companies don't do anything about it because they are loaded with money from those scams.

Give me a break, it's never been about security.

>Come on. Go back to a flip phone, or make your own smartphone ecosystem. The entitlement is outrageous.

No it isn't. It's perfectly reasonable. It's my device, bought with my money, earned on my time. I didn't agree to a social contract. I bought a tool. And you're a fool if you think

>but it's the current year!

is an argument. This isn't happening because the technological cosmos demands it. It's happening because google is winding up for a monopolistic hold of the market. They seek to manipulate it for their private benefit at the expense of everyone else. If they actually push through with this, they will be broken up.

Sounds like you haven't used an Android. What Windows does is the exact same as what Android currently does, showing lots of warning screens. Which is very different from banning them altogether.

Can you explain in what way Windows already does this?

It's always so rich to see comment sections on here when there's an article about a place like Palantir when the likes of Google and Meta play an even so much bigger role in enabling mass surveillance. I'm sure they'll tell themselves "well but I for one am working on something good like Waymo, or as innocuous as Google Sheets! And we don't kill people!! (please don't look at who provides the underlying services that defense runs on)". While the exact same is said by most employees at those companies they criticize so hard.

Sure, no one's perfect, and you have to draw a line somewhere. But if you're at somewhere like Google or Meta, or have been in the last decade and left for other reasons than these, you really don't have a leg to stand on in these discussions.

Nothing apparently. We've stopped caring. If it's not about getting rich right now in this lifetime then it's not worth doing. I'm also convinced governments have realised monopolies are good for them. You don't need a big government if you control the few massive corporations everyone has to use.

But my Grandma might install the wrong extensions. Please think of her.

>Google is - imho obviously - in contact with governments. anonymous data isnt worth anything near as much as personalised data.

Maybe they gave a political donation?

If you don't mind sharing, which country is that?

Yeah, I'll just ditch Google over this. The only reason I put up with their crap is because I can actually just install software on my phone. If they take that away, there's no motivation to stay.

> the antitrust prosecution will double.

In Brazil? In Malaysia? In Singapore? I highly doubt it.

They're also the best equipped to tell if you've done so, and restrict access from critical functionality needed by many in their day-to-day lives if you've done so.

The intentions behind all the security hardware they introduced in pixel phones first, and is now required by play integrity to function might've been well-meaning, but that doesn't really matter in the end. Security features that the user can't control and bypass aren't security features - they're digital handcuffs.

true, and recently they deserved a lot of credit for publicly releasing their device trees and drivers. unfortunately, with the 10 series pixels they no longer will be releasing device trees, which makes it much more difficult to maintain custom ROMs

>their Graphene or Calyx phones

An important reminder: if your escape hatch is an economic irrelevancy, it might as well not exist.

See: Google search with '-ai'.

They trialled this in Singapore and I’ve been telling people on Hacker News that it’s been going to happen for a while:

> Singapore Android users to be blocked from installing certain unverified apps as part of anti-scam trial (07 Feb 2024)

— > As I’ve mentioned here before, sideloading is a genuine security concern, not merely an excuse for Apple to exert control. There is a never-ending stream of people losing their life savings. It happens on Android and not iOS because Android allows sideloading and iOS doesn’t. There is a very real human cost to this.

> Police warn new Android malware scam can factory reset phones; over S$10 million lost in first half of 2023

> There have been more than 750 cases of victims downloading the malware into their phones in the first half of 2023, with losses of at least S$10 million (US$7.3 million).

— https://www.channelnewsasia.com/singapore/android-malware-sc...

> DBS, UOB become latest banks to restrict access if unverified apps are found on customers' phones

> They are the latest banks in Singapore to do so – after OCBC and Citibank – amid a spate of malware scams targeting users of Android devices.

— https://www.channelnewsasia.com/singapore/dbs-uob-anti-scam-...

> 74-year-old man loses $70k after downloading third-party app to buy Peking duck

> “I couldn’t believe the news. I thought: Why am I so stupid? I was so angry at myself for being cheated of my life savings. My family is frustrated and I ended up quarrelling with my wife,” said Mr Loh, who has three children.

— https://www.straitstimes.com/singapore/74-year-old-man-loses...

> Singapore Android users to be blocked from installing certain unverified apps as part of anti-scam trial

> "Based on our analysis of major fraud malware families that exploit these sensitive runtime permissions, we found that over 95 per cent of installations came from internet-sideloading sources," it added.

— https://www.channelnewsasia.com/business/anduril-secures-305...

> CNA Explains: Are Android devices more prone to malware and how do you protect yourself from scams?

> Why are scammers more likely to target Android users? How do you spot a fake app and what should you do if your device is infected by malware?

— https://www.channelnewsasia.com/singapore/android-malware-sc...

> Nearly 2,000 victims fell for Android malware scams, at least S$34.1 million lost in 2023

> In 2023, about 1,899 cases of Android malware scams were reported in Singapore. The average amount lost was about S$17,960.

— https://www.channelnewsasia.com/singapore/android-malware-sc...

> Android users in Singapore tried to install unverified apps nearly 900,000 times in past 6 months

> These attempts were blocked by a security feature rolled out by Google six months ago as part of a trial to better protect users against malware scams, which led to at least S$34.1 million (US$25.8 million) in losses last year with about 1,900 cases reported.

— 7 replies →

Google to F-Droid: "no signature for you"

Unless I misunderstood the question, this is covered in TFA

> The tech giant stresses that this does not mean developers can’t distribute outside of the Play Store through other app stores or via sideloading — Android will remain open in that regard.

Or just don't give your home address to Google.

If your app is monetized, the contact details of your "business" are shown in the play store. For many smaller developers, this will just be their home address.

https://support.google.com/googleplay/android-developer/thre...

This is a lot more complicated than that. I'm not sure how I feel about the demand for government ID. The demand for money that comes with the app stores I find to be a problem and so does the EU, that was a big point of the DMA. It remains to be seen how those regulations play out. Maybe the DMA won't do what I want. But the DMA seems to be aimed at this sort of thing, even if it actually has the same sort of requirements around government ID, it does require openness.

In this instance, quantity isn’t as important. The people it upsets are a loud bunch of a great deal of influence.

Recent precedent suggests it only takes one really angry person to get a company to reconsider its course of action. The problem is software devs are far too comfortable for such action.

[flagged]

Agree and disagree: the pressure on unity worked, and Sonos and, IIRC on Google's "federated cohorts" idea.

But often people try to project their opinions onto "the people" and predict they will rise up, and there's probably 100 predictions in comment sections that are completely spurious to every one that actually happens

So I'm not sure, but if I had to guess this one is a rare case where there may be real prospect of backlash.

If enough people internal at Google get pissed off and raise this up enough it can legitimately get rolled back.

Attestation & Play Integrity is having a good go at blocking this: lots of critical software (e.g. the app required to use your bank account) requires certified attested devices, and Google are pushing hard to get as many apps as possible to activate that for "security", making non-Google Android un fixably 2nd tier in functionality.

Most vendors, including the big ones, don't play well with that. Google just revoked open sourcing the Pixel as the reference design which was the strongest option for that. Things like newer Samsungs are black boxes and everyone is actively making it harder to do anything with devices you bought and paid for.

Soon you won't be able to do this either because most manufacturers are locking down the bootloader.

It's increasingly difficult to get current hardware for which an alternative OS is available, and which is not locked.

Right now, it seems to be fairphone or pixel, or old phones which are not easy to obtain. Samsung have announced they will lock their phones, and how long before google locks pixels?

The number of people able to do that is fewer than those willing to send in copies of overnment IDs. Phones compatible with AOSP builds are rare outside small bubbles of Pixel users as well.

My estimate is less optimistic: 99% of users won't ever be bothered with this news nor notice that anything changed, and of those who will, 90% will like it, because 'less malware' is the only thing they can work with.

The weirdest thing to me is that those people who actually care about this are most likely the ones capable of implementing this shit: developers. Us. Who else but developers (OK, and maybe their enlightened spouses) cares about this? We are digging our own graves, basically.

So, Google devels: refuse this. And tell your willing colleague that they are not welcome at your birthday party if they do it.

No, it's not similar.

There are two OS platforms for desktop/laptop usage: MacOS Windows

These both contain ways to run arbitrary compiled code from an arbitrary source -- like a computer should. Losing this feature of our smartphones should have everyone concerned.

Well it seems like the UK gave up their ridiculous "backdoor" fight with Apple, so maybe there's hope.

More people should've supported Mangione.

that's a good point. As a developer, this particular case obviously I understand much better and see the where it leads - the opposite direction of the openess that made PCs and computing so revolutionary in the last few decades.

It's also worrying that in this case it's a private corporation the one calling the shots. Naively, in the other cases you mention it's at least government dictated which means there's some sense of accountability and transparency to the process (not saying that it's perfect of course).

Yeah, I guess so. That must lead to a lot of cognitive dissonance as I am sure these are not "evil" people, they just find a way to rationalise it away.

Google engineers are among the best paid in the US.

> You think that Google's best and brightest are working on the Google Play store?

No idea, whoever they are they're still well compensated and can afford some resistance

> What makes you so sure that such a hypothetical code of ethics would promote user freedom? I think it far more likely that protecting the user from harm (i.e., not allowing the user to install malware) would appear in that code.

Maybe? Maybe not? I never said I'm sure of it, but computing is built on a history of openness and interoperability. We at somepoint agreed having open hardware and protocols was the way to go, and we were right. A lot of the world runs on open source software, we managed to built the internet, we have PCs where you can swap components and it just works. None of that is obvious if you were to re-invent it in 2025. Malware is an excuse, you can battle that without losing any of the above.

There are tons of things you can do, from spreading the word, organize politically or work on building an alternative ecosystem. Also donate to organizations like EFF.

We're being pushed a message that we're all impotent but the reality is that collectively we can change things, and apathy is exactly what these people try to push onto us.

Things get worse but there are also good laws being pushed: see for example digital markets act and GDPR. 2008 when I started using Linux, gaming on Linux was horrible. Now it's day and night, and linux, while still small, is more popular and usable than ever. Recently alternative social medias like Bluesky, and Mastodon enable more open ecosystems and they've gained a lot of traction.

Android has alternative ecosystems like F-Droid and GrapheneOS that can be built upon and hopefully we can get it to a point where we can ditch Google. We need to keep up the fight.

Sure, but just the regular GPLv3 would have been good enough to prevent this particular abuse.

"The fact that the GPLv3 didn't close the network hole is a decision made either out of myopia or abject cowardice, you shouldn't need a separate license (AGPLv3) to ensure true freedom of the codebase."

Google was successful in lobbying the FSF to have 2 licences (GPLv3 and AGPLv3) instead of 1 (GPLv3 covering web services).