
Comment by plst

21 days ago

> Saying "the users need to be educated" doesn't solve anything. Google could start an education campaign tomorrow (...)

Of course just saying it doesn't fix anything.

I don't want Google or Apple or any other vendor to do any education campaigns (and they clearly don't even want to try); part of my point is that the issue is too deep to be solved by such technological measures. For example, not skipping such warnings (this includes invalid/expired certificates in HTTPS) and basic cyber hygiene should be taught in schools. There should be more public campaigns about these issues.

So I'm not even sure if Google should be fixing that particular problem (although I can guess why they are really eager to "solve" it this particular way). I would rather they focused even more on a stronger sandbox, making sure system software on licensed phones has no vulnerabilities and making sure the users understand what power they give to an application, than pretend that this fixes much. Sideloading restrictions only barely (because it's not like they are actually going to verify the applications, nothing about that in the post) plug one way to scam people remotely, over many, many other more severe ways. The banks in many countries don't even properly verify the identity of people they give loans to, why not focus on that instead? (Yes, Google won't fix this, I'm not asking them to, they shouldn't try.)

We lose more than we gain.

> Then install a custom rom. All the power you want is already available

On most phones it's not, but that's beside my point.

> Seems silly to demand Google screw over the majority of their customers because you don't want to install a custom rom.

I'm not demanding that Google screw over anyone, and the current "sideloading" situation does not screw over anyone. I just believe that the vendors should not have the sole power to decide what applications can be installed on devices they don't own. Maybe let's have multiple certification authorities besides Google, like with TLS, as a start/compromise? I see the point of actually having an expert verify if an application is legitimate, and this isn't even it.

> On the contrary, you choose when you purchase your phone.

That choice should not be made when the phone is purchased.

And also I'm not talking about what I want to do with my phone, I'm talking about what I believe people should be able to do with their phones - for example they should be able to opt out of such protections if they don't want them (and leave them on if they want them), or choose who verifies their applications. Only possible if they know what the protections do and what the risks are, going back to what I wrote about education.