F-Droid and Google’s developer registration decree

15 days ago (f-droid.org)

> F-Droid is different. It distributes apps that have been validated to work for the user’s interests, rather than for the interests of the app’s distributors.

F-Droid's curation saved me at least once when I wanted to upgrade my Simple™ apps and couldn't find them in F-Droid anymore, which led me to learn that SimpleMobileTools was sold to a company that closed sourced the apps[1] and that there's a free fork called Fossify[2].

Had I installed these through Google Play, they wouldn't have cared about this particular change and I would've gotten whatever random upgrades the new owners pushed.

Each app store's policies have their pros and cons, but that's why it's so important to have a diversity of marketplaces.

[1] https://github.com/SimpleMobileTools/General-Discussion/issu...

[2] https://github.com/FossifyOrg

  • This weekend I needed to send a few PNGs by email. They were huge, so I figured I’d just grab an image compressor from the Play Store.

    I checked out five different apps, each with millions of downloads. Every single one was riddled with data collection prompts and stuffed with ads.

    Fine, I thought, I’ll pay to remove the ads. But the options were:

    - “Free trial” that defaults into a $5/month subscription

    - Or a $19 “lifetime” purchase

    It’s so clearly designed to trick people into a recurring subscription for what’s essentially nothing. These apps are just wrappers around existing Android libraries. And if you check the reviews, they’re obviously bought.

    This was literally the first time in a year I tried to download something from the Play Store, and the experience was so bad I just gave up and solved it faster in the browser instead.

  • The SimpleMobileTools fiasco and the way FDroid stayed resilient against it is the perfect example case of how their 'security' argument behind the side loading ban and developer registration mandate is hollow, misleading and harmful.

  • I used Simple apps in the past but lost track of them. Now I know why. Thanks for bringing it to my attention.

    Indeed we need diversity of the ecosystems.

    • Yes, and it is crazy that Apple/Google want us to think that AppStore, OS and ContentFilter are not mutually orthogonal concepts.

  • I had no idea Fossify was a fork. Until this moment I had apps from both of them, some orange, some green, but the calendar started bugging out by opening a different date to what I clicked on. I see my phone hasn't updated it since last year. Now finally I've deleted them all in favour of the Fossify ones. Thanks.

  • Google has a track record of turning a blind eye to malware and fraud delivered through their own channels. I like how F-Droid tackles them both - they've been my default app store for years at this point.

  • Thank you for this info. I had no idea why a couple weeks ago the calendar app was suddenly needing to connect to the net on startup and then doing a splash ad. Will be installing the Fossify version shortly!

  • Is Simple Gallery known to do anything shady now, behind the scenes? I had no idea it was sold either, and it's been my go to gallery app on all my devices for a long time. Just curious.

    • Simple Gallery Pro hasn't been updated since the takeover and doesn't even have the Internet Permission, so it is still perfectly safe to use. It is still superior to Fossify Gallery because of its proprietary photo/video editor (IMG.LY). Fossify's photo editor is extremely limited, and there's no video editor at all.

      If you don't use the editors (or if you're using the non-Pro Simple Gallery) then you should probably switch to Fossify now.

      If you do use the editors then you should probably disable automatic updates in Google Play, so you get a heads up if they ever push a shady update.

    • This is how I found out my preferred gallery app is crap. I've switched to Fossify Gallery. Also, it's stupid that Simple Gallery just calls itself "Gallery" when it's installed. I almost didn't check.

    • Uh, I was still using it up until today... I did block its Internet access though.

  • HA! I use the "Simple" apps as the poster child for my rants about apps kneecapping themselves on purpose.

    It's funny how the more one gets burned the more one becomes the kooky old fart the cliche requires us to be...

  • I did the exact same research and came to the same conclusion. I wouldn't have been prompted to do it without F-Droid

  • This sort of application acquisition game happens on ios as well and is part of the reason I am experimenting with a graphene OS phone sans any Google. I guess daddy Google is trying to come fuck me too.

  • > F-Droid's curation saved me at least once when I wanted to upgrade my Simple™ apps and couldn't find them in F-Droid anymore, which led me to learn that SimpleMobileTools was sold to a company that closed sourced the apps[1] and that there's a free fork called Fossify[2].

    > Had I installed these through Google Play, they wouldn't have cared about this particular change and I would've gotten whatever random upgrades the new owners pushed.

    sheesh. I've spent my whole mobile device life on iOS and am just now learning an Android device. While I feel I have more control over the finer details of my personal privacy and security, this ecosystem is a total minefield if you care about avoiding spyware and malware.

    I'm glad I trusted my instincts and only installed F-Droid first before any apps from the Play Store. Just now found the Isolation app so I can create a Work Profile and separate personal life from the life that the relentless data vacuums are constantly trying to pull from the simplest apps these days.

    Neither mobile OS is perfect, but I feel like I was correct about Apple having the user's personal privacy still much more of a priority than Google. There was never any question if those were the two options, IMO. But it does seem like now, finally, Android might be ready to deploy as a mobile operating system for the public. I'm fairly certain that this Android ecosystem that's used its users for so long as guinea pigs (not just Android, but the full unrefined and frankly unsophisticated media sphere as a whole that's been figuring out how to effectively work on us) has harmed the last generation or two beyond repair.

    This became all too clear when the first thing I did on my first Android device a few weeks ago was install an offline keyboard from devs with my privacy interests in mind. Spent a few minutes thinking about what it would have been like living with this shitty keyboard system on iOS and realized that honestly, I am lucky that I stuck with iOS through all of this and feel like my mental health is much better than it would have been had I been fighting a malware-riddled Android device this whole time.

    edit: I'm not saying you shouldn't use Android or that it's a bad idea, I do think that it is solid enough now (and maybe has been for a while, I don't know) that I can safely protect myself after learning. But ask yourself if all Android users would take the time to properly learn? What about kids?

    • We use Nara to track our baby's food intake and sleep.

      A couple of months ago I noticed Little Snitch complaining about the app making new connections to malware domains. Thankfully I can run the app on macOS and noticed it.

      When confronted with how this violated their Privacy Policy, they gave a condescending reply. When I contacted Apple about this new update to the app, they ignored my report.

      So… no, we're not safer on iOS. Perhaps the barrier to entry is a bit higher to discourage some low-hanging fruit, but Apple does very little for the 30% commission it takes.

    • Would you even find out if an app has been sold to another company on iOS app store? It's confusing to see all of that diatribe when it doesn't even do much (if anything it almost lulls you into a false sense of security), and you just have less options to choose from to get around being locked out of using your device for apps you want.

    • "What about kids?"

      They usually have someone more mature watching over them as there are also other dangers in life except malware on their phones.

      (Also, when I was a kid there was no one to explain the internet to me, so I learned on my own and understood it better than those responsible for me.

      But it was a different internet back then.)

    • The topic of kids is a whole other debate - whether or not it is wise to give them an Internet-connected device - because the same general concerns regarding the Internet exist on iOS as well.

      Regardless, if I had to give them a device, it'll definitely be a Linux-based one.

I contacted the European Commission DMA team on this gross abuse of power (Google just followed Apple in this regard, who reacted to the DMA by coming out with this notarization of developers), here is their flaky answer:

"Dear citizen,

Thank you for contacting us and sharing your concerns regarding the impact of Google’s plans to introduce a developer verification process on Android. We appreciate that you have chosen to contact us, as we welcome feedback from interested parties.

As you may be aware, the Digital Markets Act (‘DMA’) obliges gatekeepers like Google to effectively allow the distribution of apps on their operating system through third party app stores or the web. At the same time, the DMA also permits Google to introduce strictly necessary and proportionate measures to ensure that third-party software apps or app stores do not endanger the integrity of the hardware or operating system or to enable end users to effectively protect security.

We have taken note of your concerns and, while we cannot comment on ongoing dialogue with gatekeepers, these considerations will form part of our assessment going forward.

Kind regards, The DMA Team"

The DMA is in fact cementing their duopoly power, the opposite of the objective of the law.

  • Post author here. I've also been in various DMA enforcement workshops and consulted with EU regulators on the topic of app distribution. The "strictly necessary and proportionate measures to … not endanger the integrity of the hardware or operating system" defense comes up time and time again, and is clearly a primary talking point for those lobbying against effective enforcement.

    From a developer's perspective, this stipulation is obviously intended to ensure that the existing on-device protections (sandboxing, entitlement enforcement, signature checks, etc) are not permitted to be circumvented by third-party app stores. But the anti-DMA brigades have twisted their interpretation to imply that gatekeepers are permitted to ... keep on gatekeeping.

    Apple still requires that all software be funneled through its app review (they call it "notarization", but it is the exact same thing as review: developer fees and T's&C's, arbitrary review delays, blocking apps based on policy, etc.) before it is signed, encrypted, and re-distributed to third party marketplaces like AltStore. And now Google is going to introduce its own new gatekeeping for all software on Android-certified devices, which covers 95%+ of all Android devices outside of China.

    The lack of alarm has been, for me, quite alarming. Every piece of software installed on billions of mobile devices around the world is going to be gate-kept by two US companies headquartered 10 miles away from each other and with increasingly authoritarian-friendly leadership.

    If you have an Android device, install F-Droid today and make it be known that you won't give up your right to free software without a fight.

    • Telling users that your platform will allow them to run any software they like so you can quickly gain market share, only to break your word after driving competing platforms out of the market is fraud.

      I'm pretty sure fraudulent marketing is still illegal.

    • What are your thoughts as obviously someone with deep knowledge of the ecosystems at play on the various parental control laws that are going into effect in the US?

      The one in Utah that was already signed and the one in California plus the looming federal bill? The ones that make app stores verify kids' ages and request permission from parents?

      How is F-Droid planning on tackling this?

  • I think your take is a bit unbalanced

    1. You cannot expect a public body to take a legal conclusion with significant financial impact on the basis of a single citizen report or in reply to that report. This takes analysis, technical and legal work, etc. So your expectation that they respond to your message with something akin to "of course, you provide evidence of a breach. I, the single case officer responding, confirm the facts are true. Thanks for telling us we will now fine them 5 billion" is a bit unreasonable.

    2. I don't see how even inadequate application and a non-committal response leads to the conclusion that this is intended to (or even just allows) to entrench the Android/IOS duopoly.

    • > You cannot expect a public body to take a legal conclusion with significant financial impact on the basis of a single citizen report or in reply to that report. This takes analysis, technical and legal work, etc. So your expectation that they respond to your message with something akin to "of course, you provide evidence of a breach. I, the single case officer responding, confirm the facts are true. Thanks for telling us we will now fine them 5 billion" is a bit unreasonable.

      Both judging or supporting are conclusions. The message is more supporting than necessarily required and that also can have a significant financial impact. If there is even some unclarity, they should just state that they are investigating it, while noting that DMA may allow this. Otherwise this creates foothold for Google, which is not fair either.

    • Regarding (1): I don't see why you cannot expect it. If the matter at hand is significant enough, all it should take is a single person spreading the awareness of something going terribly wrong, like in this case.

      I find it rather infuriating, to get treated like a low rightless peasant, as if to say: "How dare you speak to us above?"

      It is the difference between people doing their job and being transparent about it. An answer like: "Thank you for reporting, we currently are already looking into this and are taking your report seriously. Please note, that drawing legal conclusions takes time, but that we will keep you updated, when we reach a conclusion." would already be great. To know, that one didn't just waste one's time, but that actually people there hear and look into things.

      That is, assuming, that there actually is something significant at hand. If it's rubbish, then no need to get processes started.

  • That's not actually what the reply said, it was extremely noncommittal as you'd expect. If you contacted one of your MEPs they might have a stronger opinion they'd want to promote, but the DMA team are just not going to render judgement based on one email.

    But my initial reading of F-Droid's explanation was "hang on, Google are going to get slammed for the same thing Apple got slammed for" so I hope they do come to the same conclusion and do it quickly, before F-Droid is entirely dead.

    Maybe that's Google's intention - that the time lag on enforcement is going to be long enough that they achieve half the goal anyway.

    • > that the time lag on enforcement is going to be long enough that they achieve half the goal anyway.

      This is the primary legal strategy of (1) tobacco companies, (2) investment bank pushing risky products to unknowing customers, and (3) big oil&gas' environmental policy. Regarding EU DMA laws, I feel that Apple and Google are pursuing the same strategy.

  • Not a lawyer, but seems to me the term "strictly necessary and proportionate" is doing a lot of work here.

    I could imagine lobbyists have been trying to do a classic motte-and-bailey there, painting the picture of some poor granny whose phone is instantly taken over by a malicious third party app, because without Google's loving oversight, every dodgy candy crush clone would of course immediately get root and bootloader access.

    So they managed to get in a "common sense" exception, which they're now trying to use for things that are entirely not common sense.

    At least I would find it hard to argue that a measure is "strictly necessary" to ensure the "integrity of the hardware or operating system" if everything has been working without problems for decades without this measure.

  • > The DMA is in fact cementing their duopoly power, the opposite of the objective of the law.

    Power centralization is a key component of control and we live in times of unprecedented control being exerted on citizens.

    • I saw some new announcements about new Linux phones (other than Librem and Pine). Unfortunately I don't remember what they're called. Hopefully this is starting a new wave of Linux phones.

    • it's also the EU's[1] raison d'être

      it was created, and exists entirely to centralise power

      [1]: the organisation itself, not the countries in it

  • Of course they want them: if not one could install a modified Signal client from F-Droid and bypass the mass surveillance they want to introduce with Chat Control.

    I'm considering that the UK did not take a bad decision of leaving the EU. The EU is demonstrating itself as a more and more corrupt institution that is not democratic (in the sense of doing what the people want it to do) at all.

    They are also shooting themselves in the foot: the USA imposes tariffs on us, we make laws from which 2 big American companies benefit, instead of pushing for developing alternatives to these companies.

    • > The EU is demonstrating itself as a more and more corrupt institution that is not democratic (in the sense of doing what the people want it to do) at all.

      While I agree that democracy could be strengthened at the EU level, representative democracy for better or for worse doesn't imply the representatives' decisions have to match the public's opinion at all times.

      > I'm considering that the UK did not take a bad decision of leaving the EU.

      That's ironic, given that the UK has always seemed way ahead of the EU when it comes to mass surveillance.[0]

      [0]: See https://www.eff.org/deeplinks/2023/09/uk-government-knows-ho... for a recent example.

  • Have to say that someone played this really well if this was preparation for Chat Control in reality.

  • A single email can't be expected to shake Google but it has done its job and from the response, it seems they have included that into their discourse and it can't be ruled out that this concern comes up in not so distant future allowing free side loading of apps.

  • > Google just followed Apple in this regard, who reacted to the DMA by coming out with this notarization of developers

    Apple has required developer "notarization" since the very first App Store in iOS 2.0, no?

  • They have answered you that they have no answer to give.

    Everything hinges on what "strictly necessary and proportionate measures" effectively are and the EU has yet to state if notarisation is ok. I personally doubt it will be considering the spirit of the law but the currently German dominated and mostly focused on German interests commission is spineless so who knows.

    If you want actual change, pressure your MEP to fire Von Der Leyen and stop voting for the PPE.

  • When I wrote to the Commission regarding the Chrome Web Store monopoly and that Google can remove any addon that they don't like (which already happened) they told me that the Web Store isn't a gatekeeper (...of course it is, there is no other way to install Chrome Add-Ons and Chrome is designated as a gatekeeper):

    >Thank you for your email in which you raise concerns that some browser extensions are not allowed by Alphabet in its Chrome Web Store or are removed as unwelcomed extensions after they have previously been available. As you may know, the European Commission has designated Alphabet as a gatekeeper for a number of its core platform services on 5 September 2023 under the Digital Markets Act (DMA), including its browser Chrome. As a result, Alphabet must comply with a set of obligations as from 7 March 2024. The Commission has not designated its online intermediation service Chrome Web Store, since it does not meet the criteria under Article 3 DMA, to be designated as a gatekeeper. We would like to thank you for the information brought to our attention and assure you that the Commission will monitor compliance of gatekeepers with the applicable obligations as well as monitor any other core platform service that may meet the criteria to be designated as a gatekeeper under Article 3 of the DMA.

    So this doesn't surprise me in the slightest. DMA, DSA and GDPR only strengthen the big American companies because they have infinite money in complying with this bullshit while smaller players get shafted. You will never be able to "just install an IPA" on an iPhone, mark my words.

    • The term "gatekeeper" is strictly defined in the DMA and currently doesn't cover the Chrome Web Store. Perhaps in the future it will. The DMA and DSA don't strengthen the big American companies; it rather specifically targets them. Smaller players can do whatever they want.

  • Those kind of concessions were likely necessary to get them to pass the law at all.

F-droid has been stellar in steering the alternative app store environment over the past 15 years or so, and I'd heed their call on this.

A small call to any googler on the thread - put your support towards this internally. I understand the internal dynamics, and it may seem current option is best amongst imperfect choices, but in this case F-droid is right in that closing out anonymous (but good) software is a line crossed with peril for any open ecosystem. Today it's play store, tomorrow it will be the web, and that will have a significant negative impact on Google.

  • > A small call to any googler on the thread - put your support towards this internally.

    Post author here. This.

    Google toyed with a scheme like this a few years ago and reached out to F-Droid, and they were told the chaos it would cause. They backed off. This time, no one has deigned to contact us.

    Anyone who wants to talk can reach out to us (board@f-droid.org) or me directly (Signal contact in my profile).

  • "A small call to any Googler"

    Do you think any single one remained who cares over their payment, stock options, office perks? They care about not getting laid off with the next wave.

    • The context is I've worked at Google, and internally was surrounded by many who do care. I also saw other sides of controversial calls - business and other considerations which are not apparent publicly. But one thing Google does well internally way more than others is listen to its engineers' opinion.

    • They still exist, I know a few. Most of them are busy protesting Google taking over Microsoft's contract to provide surveillance and targeting information in Gaza, but I can ask about this issue.

    • Like any other large corporation, Google has selected for compliant employees over all else. It's more akin to a bureaucracy than a startup now.

  • "Best among the imperfect choices"?

    What's wrong about the current situation? Why imperfect?

    I have had Android phones starting from G1, and never had any problems with them, that I could install any APK that I wished on my own hardware. There's nothing imperfect for me, as a user. What's "imperfect" is that there are apps like ReVanced and PipePipe that deprive Google of the advertising revenue. But that's imperfect for Google, and perfect for the user. Just charge me 30 bucks for Android OS instead.

    • Spreadsheets are a fundamentally important tool—the original "killer app" for personal computers such as cellphones, and the best way that has been found so far to put computational power in the hands of end-users. Last I checked, there was no spreadsheet in F-Droid, largely because it's a relatively small ecosystem, and most Android users still aren't using F-Droid. Instead they are subjected to the outrageously abusive apps that fill the Play Store, as described for example in https://news.ycombinator.com/item?id=45411897. And many Android phones ship with non-uninstallable malware and shovelware. Backing up an Android phone without a Google account—indeed, even activating an Android phone without a Google account—is challenging. From my point of view, these are imperfections.

    • Oh, you opened a can of worms... In terms of user experience Android is garbage. It forces on you features you cannot remove unless you break into the system (which is kinda illegal or, at a minimum, voids your warranty).

      Stuff like "do not disturb" that turns on accidentally and makes me miss calls, and is impossible to remove. It's impossible to remove a bunch of trash from the lock screen, and with some workarounds sometimes only the picture is removed, but it stays interactive or affects other widgets, like the audio player, for instance. Lockscreen randomly trying to dial random numbers, especially if I don't answer an incoming call. Also, taking screenshots randomly, so after almost every run I have to spend some time deleting these screenshots.

      Now, when it comes to the subject in OP, it's not really about Android, it's about Google's policies around developers and app store. The whole idea behind Android is very similar to MS Windows: oppress the user because the system provider "knows better". Make choices on user's behalf, prevent users from doing useful things just to blanket "secure" them from some imaginary threat. Manipulate users into doing a thing that's harmful for them, but beneficial for the system provider.

      So, the app store managed by Google is one example of such policies. Google doesn't have the best interest of the user in mind. They are maliciously complying with regulations that want them not to abuse their users. They check the applications submitted to the app store, but they check them for the wrong things. Just to say they did.

      I ended up using an FTP server app from F-Droid and a file manager from F-Droid because the stuff that was available for the same functionality found in app store is some atrocious predatory trash. It doesn't matter if I can afford to buy an app. Whatever I tried was just garbage. Once you get used to freedom and the approach of free software after you've spent some time with eg. Linux, using Android will make your blood boil because of how hostile both the system and the programs written for it are.

  • > closing out anonymous (but good) software

    I don’t think we should be framing their new rules like this. They are closing out F-Droid, which is not anonymous, due to a technicality of their implementation. At best, they are collateral damage. At worst, it is malicious compliance in response to a directive that was supposed to ensure their continued existence.

    • It's F-Droid that's clearly calling this out. From the post:

      > The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications

      F-droid does not want to take responsibility for the app.

I've built a couple of tools for myself over the years, some of which include android apps. They were never released to the public.

If we go down this path, I will stop all development on android (and at work too, as it is up to me how we deliver, coincidentally). I implore all other developers to resist this. This will completely lock down the platform forever, there will be no going back. The entire reason why android is so attractive is because we have linux in our palms and all the amazing benefits of that. If google wanted to do the right thing, they would go in the opposite direction and make it easier to gain root access on mainstream devices instead of locking it down further.

It seems the only last bastion left is Firefox, so I will be focusing on making all my tools work well on Firefox (mobile & desktop) instead of app ecosystems.

  • Developing for Android and iOS is already a huge pain, browser based experiences can be even better than native apps in some cases. I will also not invest any more time in developing/following these closed platforms, and try to push web based solutions as much as reasonably possible.

    • Seriously, HUGE pain in the psu. Javascript is a pain on web but mobile development significantly more painful, even though we have nicer languages & compilers - all the ceremony around it is just too much.

      I freaking hate gradle with a passion, as every other week I have to reconfigure my ide, again. As it cannot seem to just chill out and do its work, it demands blood every week or two.

    • I recently explored wrapping my somewhat-popular website as an app, only to discover that Google wants apps to offer some unique functionalities that the website doesn't support, otherwise they'll reject it as spam listing.

      The examples they list of such features are offline support (PWA already allows that), push notifications (browsers already support that), integration with hardware (not applicable), mobile-optimised UI (really?)... all nonsense.

      I know they're not strict about this policy as I can name many local apps that are just wrappers of the web version, but I abandoned my idea immediately as it's not beneficial to me in any way to prioritise one particular platform over the others.

    • > browser based experiences can be even better than native apps in some cases

      Not in some cases, in most cases. Clicking shared Google maps link easily opens correct spot on Web, but redirects me to the App Store for God knows reason why on iOS. If I ever need to interact with a new resource, I go check if there's a web site first. If there's no website but there's an app and I don't really need the resource I just drop it altogether without checking the app.

      The only apps, besides built-in ones, that I use are chat, bank clients and some home app automation tools that would be problematic to operate as a web app.

  • Quite honestly, developing for Android and iOS is no longer worth it. I was planning a set of cross-platform native products using Flutter and other tools, but after a careful analysis came to the conclusion that it makes no sense. You have to distribute 5 different apps (Linux, macOS, Windows, iOS, Android) with 5 different packaging, signing, and distribution requirements and have to fight with all kinds of garbage, from Gatekeeper over expensive certificates for Windows to avoid being flagged by antivirus, to anti-competitive app store requirements by Apple and Google.

    Web apps have become unavoidable. Native is beating a dead horse.

    • Let me unpack something: I've been building a commercial product with flutter for the past 2 years. I think after this project is "done" I will never touch cross-platform frameworks ever again - only native. Cross-platform frameworks (like xamarin, flutter, react-native) - it's all lies all the way down. The benefit of having the "one" codebase is so tiny you might as well skip it. The moment you build something more complex than a todo app, when you need reliable background services etc.. guess what, the only reliable way is to revert to kotlin/swift and call it from the framework anyway, as the community packages are truly half-baked messes, abandoned messes, anonymous messes (who is the maintainer?). So never again. Huge waste of time and effort. Then during the release build, you need multiple signing keys, multiple build servers, often multiple pipelines, so what exactly is the point?


  • I've stopped developing for android as I did not want my address to be public for everyone thanks to google's decisions on how to interpret the EU regulation laws. I'm definitely not surprised by their current behaviour

  • Would you be willing to outline this in more detail? I feel like I am in the same boat but arrived at a different point. Are you building your tools as PWAs that you run in Firefox? I've landed at porting my things to pure Emacs Lisp, but this limits me on UX to, well, an Emacs frame.

  • Firefox - you mean Mozilla with its dozens of scandals, money squandering, that is entirely dependent on Google financing (and now endorses its AI tool within the browser). There are some good Chromium and Firefox forks. There is nothing else much left.

    https://arstechnica.com/tech-policy/2025/02/firefox-deletes-...

    • I wonder how long they would last if they had to do browser engine development themselves.

      Until Ladybird is ready (which may take years), for all of Mozilla's scandals there is not a lot better around.

While Google are capable of being evil all on their own I wonder if the regulatory environment companies are facing around the world is contributing. It is going to lead to increasingly restricted systems with less choice for consumers.

I recently tried to install Thunderbird email on my 17 year old's phone so he could access our self-hosted email for education, jobs, government things that young adults require. After jumping through hoops with age verification it turned out not to be allowed for his age for some unfathomable reason. Increasingly content providers, app stores, os providers etc are coming under chilling industry codes here requiring age verification and age restriction. So I used f-droid so my young adult could start making applications.

What I see as freedom might look a lot like circumvention to regulators.

As all the big commercial services step into line with government codes and turn restrictions to their commercial advantage I am not sure where that leaves those of us who use FOSS software. My apps come from Flathub, arch, debian, f-droid not Apple, Google, or Microsoft stores. My devices come OS free when possible. The volunteers involved haven't participated in the development of industry codes and aren't in a position to do all the compliance stuff that governments increasingly demand from tech companies. How much longer will free and open source be tolerated?

  • My impression is that the order of causality is the opposite. Google and similar companies are lobbying heavily for these industry codes so that app developers have no choice but to introduce the restrictions which only allow you to operate via them.

    • I think it is probably a bit of both.

      There are some compelling reasons to regulate tech companies for the benefit of society and I often have no issue with the intention. The problem is governments invite the industry to design the regulations and it quickly turns into regulatory capture.

      If vendors were to start locking out competition or further invade privacy it would upset government regulators but now they can point at another regulatory authority and claim they are forced to do these things to protect the kiddies.

    • > developers have no choice but to introduce the restrictions which only allow you to operate via them

      ok, but what does that mean? Identification, and a fee for that service? Is this unreasonable?


  • It reminds me of the Calvin and Hobbes strip where the dad jokes that throwing out junk mail makes him a terrorist. Running your own software on your own device? That's hacker talk.

  • In F-Droid's case this is absolutely a regulatory reaction -- this is directly related to the DMA (and to some extent, the Epic lawsuits.) Google does not want third parties bypassing Google in any way -- which probably ties in to the whole AOSP thing.

    > How much longer will free and open source be tolerated?

    I don't think they have a choice. Imagine what would happen to Google if half their software stack was Oracle and the EU had backdoors into all of the management and CEO's devices and private communication. Why not use Chat Control to verify that they are complying with the spirit of EU law? Turn on the remote microphones while they are at it too.

    On one hand we can lament the death of open source. Yet, open source has never been healthier. There has never been more open source software available to use and in development. Even when it comes to AI, the best open source models are actually really damn good, better than anything that existed roughly 12 months ago. As much as Google, Apple, and Microsoft want to force you into their closed ecosystems they fear being locked into their competitor's closed ecosystems even more!

    This could be a 10 page comment, but yes, the regulatory environment is a real threat to open source and the open internet in general. Most of those threats have been coming from the EU, with things like Chat Control and PLD. Which is unfortunate, because the future of the free world will rest entirely with the United States (Also possible that the EU will be dissolved, the monetary union will have a very difficult time during the next financial crisis.)

    On the other hand, software developers and users have become too reliant on Android, which is functionally a fake open source project now. I can't think of a stronger incentive to stop Android development than telling them you can't develop here without paying us.

I still haven't seen anyone discuss the issues with distributing applications containing GPLv3 components under these new rules given the clause (from the GPLv3):

> “Installation Information” for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.

At the moment, the workaround here is that keys can technically just be generated on the fly (with some caveats). With Google's new requirements, that's not possible.

  • In my interpretation, this clause is for when someone ships a user product that contains GPLv3 software. That means it would apply to the phone vendor if the phone contained GPLv3 (or anything using LGPLv3) software.

    But if you're just a developer who ships GPLv3 software for Android, you are good because any developer that wants to modify your software on their phone can, as long as they register to Google to get these keys. It should therefore be respecting the licenses.

    But that's just my interpretation.

    • Sure, but that means that either Google or the application author would be required to give me working keys with no restrictions, which would make the entire system rather pointless.

      However, now that I think about it, the fact that "unauthorized" apps can still be installed via ADB exception may cover this?

    • > as long as they register to Google to get these keys

      As soon as e.g. an Iranian user gets access to your GPLv3 app, you've got a problem. They cannot register with Google (due to sanctions), but you are responsible for ensuring they can install and distribute their modified app just as you have.


    • > any developer that wants to modify your software on their phone can, as long as they register to Google to get these keys

      Pretty sure the GPLv3 requires you not have any such barrier.


  • I do think that this very much puts Google in the same boat as Apple in terms of how the GPL is deemed compatible or not for distribution to their platforms and proprietary stores.

    Personally, I think that the GPL is still compatible with both platforms, as I've written about before[1]. There's plenty of GPL software on both the Play Store and App Store (Signal, Element, Wordpress, SimpleNote, Bitwarden, Mastodon, Telegram, and Proton Mail, just to name a few), but people tend to feel that iOS is a more hostile environment. The mandatory developer registration requirement may bring a more even-handed assessment of how the GPL and these app stores can live together.

    [1] https://appfair.org/blog/gpl-and-the-app-stores

We need to start treating phones differently. We're entering a world where we can't choose what we run on them. Their primary purpose is to gather data on us and serve us advertising, they're engineered for addiction, yet engaging in the world is immensely difficult without one.

Phones are as much a burden as benefit in 2025, and our behaviour towards them should reflect that. Mine is currently off and in the drawer of my desk. I'll turn it on again when I need 2FA, some service provider's app, or when I'm likely to be out of the house for an extended period. I'll turn it off again when I don't need it.

  • I think this is the right take. Other commenters are mourning the death of general-purpose computing, but general-purpose computing is very much alive and kicking in laptops, desktops, and servers. It's just smartphones and tablets that are being turned into limited-use appliances. The overwhelming majority of users just want a smartphone or tablet that's a limited-use appliance, and those of us on HN who want general-purpose computers are a tiny minority, and our insistence that we be allowed to make our own decisions is drowned out by those who need their hands held in this dangerous world.

    My smartphone is used for interacting with systems that I expect to surveil me anyway - my bank, my navigation app, and so on. Serious work is done using serious machines.

    • > but general-purpose computing is very much alive and kicking in laptops, desktops, and servers.

      Two words: Secure Boot.

      The only reason we still can run operating systems without Microsoft's approval on these devices, is that alternative operating systems like Linux were already popular enough when Secure Boot was introduced, so to prevent the risk of antitrust enforcement Microsoft allowed (and AFAIK required) that firmware has an option to disable Secure Boot or enroll your own keys, and Microsoft also signs the bootloader of several Linux distributions (as long as they meet some stringent requirements).

      But this can change, since all of that is part of Microsoft's hardware requirements for running Microsoft Windows (which hardware makers must follow if they want their devices to run Windows). And it already has, at least twice: some ARM-based laptops were shipped without that option (the hardware requirements back then were that you must be able to disable Secure Boot or enroll your own keys on x86-based hardware), and a class of devices (the so-called "Secured Core" devices) comes with the "third-party" key, which Microsoft uses to sign Linux distributions, disabled by default. Nothing prevents it from being locked down even further in newer versions of Microsoft's hardware requirements, in the name of "security".


    • People mourn general-purpose computing, because the writing is on the wall for future generations. The living room computer is dead, your average "normie" only has a phone, and maybe a tablet these days. What really opened my eyes to this is how kids I was teaching 3D printing design to were constantly asking if they can use a 3D printer with their phone. Laptops, desktops and servers are becoming more and more niche, and if we don't do anything it dies with our generation (or maybe a generation after that).


    • >but general-purpose computing is very much alive and kicking in laptops, desktops, and servers

      Not for long, remote attestation will put an end to it.

    • Laptops and desktops are nearly as bad.

      You can't share an app you develop without first paying Apple and Microsoft a recurring fee and also get their explicit permission for every update to it.

      At any point, for any reason, they can decide they don't like you and Gatekeeper and/or Defender will block your app from running on nearly every computer.

      Open source operating systems are closer, but there are still PCs that have locked bootloaders.

      All the pieces are in place, all vendors have to do is flip a bit and you'll never run anything without permission again. And it will happen because think of the children/national security/hackers/scammers/trillion dollar companies' bottom lines.

  • I only tolerate the piece of shit phone because of F-Droid. Most of google's apps are banned from connecting to the network (like their fucking keyboard, I don't need or want any internet-requiring options) via Rethink VPN through which all network traffic is routed.

    If this goes through, I'm taking my sim card out and putting it into the cheapest dumbphone I can find, using the smartphone strictly offline for OSMAnd navigation and media, uploaded over USB cable.

  • So what would I do when daycare needs to reach me about my child? Get a 3310 as my actual phone?

    • I use a Nokia N95. It works well as a phone, and does have some smartphone features. I can listen to podcasts on it, and Google Maps somehow still works fine.

The "vote with your feet" argument was always specious in a duopoly. If consumer rights depend on the whims of giant corporations like Google and Apple, then consumers never had rights. "Just switch to Android if you don't like iOS lockdown" is now becoming a joke.

Consumers desperately need specific legal rights to do what we want with the electronic devices that we've purchased, rights that cannot be overridden by the decisions of any vendor.

Apologists have always said, "Apple has a right to do what it wants with its platform." Well guess what, by that principle, so does Google. Don't worry, though, because you have a "choice" between two collaborating duopolists.

  • what about an android fork? just take images of android for given phones and remove the app store requirements? I wonder how will they do it? on kernel level?

    Of course they can block root access I guess...

    • I'm not an expert here so please take what I say with a grain of salt.

      It's my understanding that what's included in open source Android (AOSP) is FAR from a complete product and there is quite a bit of Google closed source/proprietary software that goes into the mix before it's shipped as Android (think Google Services.)

      So, while you could fork AOSP and try to use that as a basis for an alternative mobile OS, it would require quite a bit of work on top of the AOSP code. This is what's done by custom ROMs like GrapheneOS (ironically Pixel devices only) or LineageOS for example.


    • Those are called custom ROMs and they are unaffected by this new restriction because it's a Google service which custom ROMs don't ship with. Same for older versions of HarmonyOS that run AOSP. Bigger issue there is that many major OEMs either block bootloader unlocking or make it extremely difficult. Samsung's OneUI 8 update for example turns off bootloader unlocking for all devices. There have been reports of people getting around that though. But still restricted to Exynos devices.

      Other companies like Motorola require you to phone home to unlock the bootloader, and we saw how well that worked out for LG, where once they shut that down it effectively prevented devices from running custom ROMs and having root access. The biggest hurdle is that the overwhelming majority of users don't sideload software. So they aren't concerned about this at all. So all Google has to do is hold against some power users and hope there isn't a mass exodus to LineageOS or GrapheneOS. Which is highly unlikely.


    • Without having in-depth knowledge of what would be required as far as baseband drivers, the corresponding network requirements, etc. I think a mobile Linux distro is a better bet. It's been done by Fairphone, PinePhone, etc. and there's no reason _why_ it can't work -- the demand just hasn't been great enough.

What a disaster this will be. The end of any really open phones. By the time I cannot sideload apps or torrent onto my device, I might as well move to an iPhone and at least get less data tracking and better security.

  • Consider trying Ubuntu Touch, very active community and fun if you're interested to be a developer.

    Jumping from a shark to another is maybe not the solution we should aim for.

    I released an app on the Ubuntu Touch store: took a minute to fill in the form and then you get people giving you feedback/help if anything doesn't work (since you can link your source code too).

    • Nice, that's still moving forward!

      What's the current state of hardware? Is there a phone that's decent at being a phone, with an OK camera and a battery that lasts through the day running Ubuntu?

      What's the current state of Waydroid? Any chance to get my banking apps running, or at least standard fare like public transit apps?


    • I don't understand, what's the point of reinventing UI and apps from scratch when there is Android Open Source, with GUI and millions of apps? Wouldn't it be better to cut away all the telemetry from AOSP, add a custom wallpaper and call it a day?


    • I guess it would be 'trying' indeed, as per usual it would mean that I'd need multiple devices. 2FA, e-Banking, messaging, instant payment apps and more would probably be missing, right?


  • I'll never reward Apple with another dime. They started and normalized this. Plus whatever rights Apple takes away next, Android will likely continue to lag behind in implementing for years.

    • I don't believe for one second that Google is doing this because Apple does so too. They would have done so long ago. I would rather bet this has to do with recent political shifts that are also pushing for mandatory digital IDs and spying on encrypted messages (see UK and EU). This and Windows 11 depending on certain hardware are all pointing in one direction: a war on general computing.


  • > The end of any really open phones.

    One could argue whether Phones with the Google android were ever really open.

    As for the really really open phone with alternative OS or Linux based OS, they will continue to exist as before. Perhaps even become more popular after this?

    • > One could argue whether Phones with the Google android were ever really open.

      In recent years, you can argue that android has no longer been open. In the early years of Android that argument would be much harder to make. To be clear, I am not talking hardcore FOSS libre open. But meaningfully open for the end user to do what they want on their device without much restriction. Early android didn't have sandboxing, had no permission system, was easy to root, etc.

      Certainly with Nexus devices you had pretty much the freedom to do what you wanted.

      Could it have been more open? Sure, but I feel like it is almost disingenuous to say it was never if we are comparing it to the real world situation we find ourselves in today.


    • Doubling the number of people on a custom ROM does not nearly balance the loss of options for those that remain on a stock ROM. I do not want my less technical family to have to give away all the genuine (though imperfect) safety the Play Store currently provides.


  • But then you will have to deal with lots of shit from Apple, because they do everything they can to prevent their ecosystem from interacting with open source solutions and to make it difficult for normies to get data off their phone, so that after a couple of years the phones are always full and a new one "needs to be bought".

  • iPhones are terrible with their link to an icloud account and their terrible repair situation with hardware component pairing.

    I had an iPhone 7 for testing I bought on eBay. I had my icloud account logged into it. One day, I couldn't log in to the account despite having a correct password - "account is locked and cannot be used". It won't let me log off from the account on the device. So now I have an icloud-locked e-waste paperweight. It was an old device so I don't care much but purely on this experience I am not buying an apple device ever again.

    I hope there will be more truly open devices in the future eventually... otherwise I will just start considering smartphones being 2FA/banking bullshit proprietary tracking/spying devices and avoid use them sporadically..

I was waiting for fdroid's voice about this. Google's move is as bad as I initially thought. This makes me a bit sad honestly, android development is getting worse every year. I wonder if the same will happen to web as well.

  • The EU age verification system for the web is currently planned to rely on the Android/iOS anti-tampering device controls: https://github.com/eu-digital-identity-wallet/av-doc-technic.... None of the plans to achieve China's level of internal control over communication can work without banning all user-administrated devices from the web, so I guess that's what you can expect next.

    • Even China doesn't rely on controlling information from the user-side, they know any devices can be hacked lol. They rely more on controlling the server-side (WeChat, Douyin, Weibo, Bilibili, etc) and infrastructure (GFW).

      Well mostly, aside from some exceptions like (allegedly) Apple's AirDrop limitations.

      Many Chinese brands still support unlockable bootloader: https://github.com/melontini/bootloader-unlock-wall-of-shame...

      Although going forward, there's a strong incentive for manufacturers to follow Google and lock their devices.


    • > None of the plans to achieve China's level of internal control over communication can work without banning all user-administrated devices from the web

      Not that I want that future, but it's not like China has banned all user-administrated devices from the web. Seems odd to say this is necessary when, axiomatically, China has China's level of internal control over communication.

      There's a part of me that really wishes that we could have policies around things like age verification that implicitly understand the existence of workarounds and accept them. If we're going to have these policies, anyways.

    • Australia's phase 2 industry codes build on phase 1, which was blocking CSAM and terrorist stuff, and are into the child protection phase with age assurance and content restrictions.

      There are draft documents across a range of services including search, social media and internet carriage.

      The most relevant ones for Android are:

      - app distribution services https://onlinesafety.org.au/wp-content/uploads/2025/07/CLEAN...

      - manufacture supply of devices (including operating systems) https://onlinesafety.org.au/wp-content/uploads/2025/07/CLEAN...

      The future is looking bleak for open computing and open hardware. They have gone from being a place of education, freedom and empowerment to a loophole in regulation.

    • This is a reference implementation, national governments are expected to make their own versions. Last I checked the longest discussion thread on there had a comment from a developer who stated it's included in the Digital Identity Wallet app (of which the AV wallet reference is a fork) simply because it's a checkmark item on OWASP Mobile.


  • Of course it will, given how many every day help Google take over the Web, using features that are effectively ChromeOS Platform, complaining when Firefox and Safari refuse to adopt such features (they are holding Web back!), and shipping Electron crap.

Sadly, our current age of computing is getting locked in devices. Not only is most computing today SoC with closed drivers, but it's actively locking the user.

Ironically it all started with Cydia and "hacking" the iPhone until executives understood they can make a cut.

The EU did help to some extent by requesting Apple to enable non-appstore apps. But sadly, instead of doing the right thing of simply having a user switch that allows me to decide if I want to put my device at risk, they went with provisioning that seems to be agreed.

So now, we're getting the same slap from Google/Android which I must say very strangely gets blessing from very specific governments:

> The requirement goes into effect in Brazil, Indonesia, Singapore, and Thailand. At this point, any app installed on a certified device in these regions must be registered by a verified developer.

  • Wait, I live in Singapore. This sucks, I loved using F-Droid and didn't want to take the risk of rooting + flashing a custom ROM. I felt the impact of the 'security' the moment I switched from my OnePlus Nord CE to 13R: I lost access to most android/data folders even with Shizuku. This is just so annoying in general for me, I might have to go the custom ROM route then.

  • > any app installed on a certified device in these regions must be registered by a verified developer.

    I can imagine crooks paying some random junkie / drunk 100 dollars to become a "verified developer"

  • There are so many scams going around many nations they are resorting to whatever they can do to stem the flow of scams.

    You can still install via cable or adb but less tricking people's grandparents to download malware.

    Now they need to trick developers to release malware or scam apps which is a little more difficult.

I trust F-Droid more than the Google Play Store. I have F-Droid installed, but not the Google Play Store.

  • I agree with the first point! On the second: how do you access apps tied to services like banking, utilities, transport, etc?

    This is one of the main things keeping me tied to the Google ecosystem, a lot of services require me to have an app that's only available on the play store.

    • I install MicroG (on my LineageOS on Pixel) which allows me to install my UK banking apps and Google Maps, etc. MicroG just reimplemented the Google APIs:

      > microG GmsCore is a free software reimplementation of Google's Play Services. It allows applications calling proprietary Google APIs to run on AOSP-based ROMs like LineageOS, acting as a free replacement for the non-free, proprietary Google Play Services (sometimes referred to as the more generic term "GApps"). It is a powerful tool to reclaim your privacy and freedom while enjoying Android core features (although apps you use that take advantage of it may still be using proprietary libraries to communicate with microG, just as they do when communicating with the actual Google Play Services).

      Source: https://github.com/microg/GmsCore/wiki

      I add the official MicroG repo to my F-Droid using this QR code: https://microg.org/fdroid/repo/

      Also, I download apps (like my UK banks) from official Play store using Aurora Store, which connects to Google servers directly to download the APKs, keep them updated, etc. No need to use those dodgy APK websites. Aurora Store is itself also available on F-Droid too.

      I guess in time Google will target these apps :(


    • Web sites. Uber works from its web site. I mostly do things from desktops, not phones.

      I don't have any financial stuff on my phone. More secure.


    • Bank through a web browser, works for me. Every new phone gets de-guggled right out of the box. Turning off the notifications requires loading alternate phone apps, which for some reason de-grayouts the notification/harassments from guggle on everything else. Currently gathering all of the alternate OS phone info I can find, and will start a thread when things get hotter.

    • (GrapheneOS user, no Google services)

      My bank provides the APK of their app directly on their website, and it supports updating itself after that. Actually a surprising amount of apps do this!

      Other proprietary stuff I either get from RuStore (Russia-specific), or occasionally from APK mirrors / Aurora. At the moment I have no such apps (they're usually for some specific thing, e.g. an airline app that I need for a day or two).

    • I do banking, bill paying, etc from a laptop. I have the minimum number of apps on phone, mostly from Fdroid, plus Uber (my location turned off except the rare occasions when I need to call uber).

I turned on "Advanced Protection" a couple weeks ago, and promptly turned it off the other day when it blocked f-droid updates. What a scam android has become.

  • Samsung [^1] has an autoblocker. I have no idea what it does exactly. I always need to turn it off while installing or updating anything from F-droid. Then I enable it again in the naive hope it might prevent some drive-by attack.

    [^1]: My employer paid for it. I never would pay for the crapware full of uninstallable stuff I don't want. Is Pure Android still a thing if you don't want to pay The Evil Company?

    • Interestingly, I read in a recent article that one of the upcoming features for OneUI 8.5 (based on a leaked build) is the "Ability to temporarily disable Auto Blocker" [1]. This is specifically to allow the sideloading of apps. That really makes me wonder why Samsung would have such an option in an upcoming version if they were aware that Google is planning to block all unverified sideloading in the very near future.

      [1] https://www.androidauthority.com/samsung-galaxy-phones-new-u...


    • Motorola is quite close to the 'pure' Android, ie with all that Google... stuff.

      But most of the time it is easy to disable most of the Google apps through the built-in settings without using any 3rd-party tools.

Better totally leave Android.

It will be a long tough uphill battle, but digital freedom is possible.

Purism is for example providing the Librem 5 phone with PureOS. Closing the app gap is a big challenge, but I use the Librem 5 as my daily phone. Yes, I may have some inconvenience, but I have freedom, and the software is getting better and better.

For more info see also:

* https://puri.sm/posts/googles-new-sideloading-restrictions-w...

* https://puri.sm/posts/closing-the-app-gap-momentum-and-time/

  • > Better totally leave Android.

    To where? Everything else is either worse or not even remotely close to matching Android's features and accessibility.

    • You got to take a small toll on comfort if you want anything not backed by a huge evil corporation to have a chance.

      Before it was Linux and now it's Ubuntu Touch, sure it's not perfect but it's a very much usable system which needs more people to try it out as their daily driver. I made the shift a month or so ago because I don't want to have to choose between two evils.


  • > 800$ for 720p screen and 3GBs of RAM

    > Can't even use a bank app with it

    I'm sorry, but this will never see adoption wide enough to be useful. I can't imagine paying 800 and still having to carry a "backup" phone for payments, public transit and such.

    • At that cost I'd think more about seeking out a second hand phone that's survived and has good parts availability/repairability to keep it going. It would seem with both you're in the situation where google doesn't about you but at least the phone would be semi-smart enough to do some tasks and less drain on the wallet.

  • I read the exact same comments about the Librem 5 on HN back in about 2017/18. Hope they'll continue with progress but it is giving, "This year is the year of the Linux [phone, desktop]!"

  • Purism is a shit company. It took 6 years to get a refund for my Librem 5 order (it was ready to ship after 3 years). I had to file a complaint with my credit card company.

    Other people who paid over $1,000 got their shit out of date phones before me! Fuck Purism. They can go die in a fucking cesspit.

This whole situation sucks. I enjoy F-Droid exactly. Because I can use stores like F-Droid or just download a package from github and be able to run it on my phone. That going away for corporation and governmental greed is just... Sigh.

Reminds me of Nokia/Symbian. To install a `.sis(x)` with any useful capabilities (permissions in Android) one needed to sign it with Nokia's keys; which they normally couldn't, at least with non-business email addresses. Until someone found a way to hack the roms and it became a Tom&Jerry struggle between hackers & Nokia who wanted to suffocate them by patching those loopholes.

Then came Android. The freedom to sideload any `.apk` on any device was magical. And now we've come full circle.

Except that Symbian wasn't source-available, so there was a bigger hope for a successful rebellion.

  • > so there was a bigger hope for a successful rebellion.

    Not if you want to run banking apps on that device.

    • At the time, the banks weren't app first. It was USSD, SMS and web, so they didn't care.

      But yes, the banking and streaming apps too (regardless of their existence being good or bad or even justified) are yet another nail on that coffin.

    • Why do you need a banking app, do you want to share your contact list and geolocation with the bank so badly? Do you need a bank app's antivirus to scan your phone and flag you as a suspicious user? Are you missing notifications offering a credit card with 45% yearly rate? Do you want to make investments while riding on a train while several suspiciously looking beggars carefully look at the numbers? Do you want to allow anyone who has a Linux kernel exploit to access your bank account?

      I don't understand. It's unsafe and inconvenient.


F-Droid is great. It's a stark and sad outlook that the only path forward suggested by F-droid is to contact your representative. Effectively, this means there's nothing we can do. Expecting our representatives to go to war with Google on this somehow doesn't seem too plausible. I think it's more likely there will always be a way to sideload apps, or if not, maybe the degoogled OS alternatives will find their moment to shine.

F-Droid apps have enabled me to more-or-less DeGoogle my tablet and populate the device with some truly exceptional software, much of which just isn't available on Google's Play Store. I've also made sure to pay/donate where possible: we can't afford to lose this resource!

"You may also need to upload official government ID."

That would be illegal in Germany, and probably also in other EU countries. Only the government and banks are allowed to make copies of IDs. All others aren't. Can get you in serious legal trouble. Not that a data hog like Google would care.

  • Forget the legality altogether. The fact that they need real world validation of any form should be alarming in itself. Never forget how hard it is to get any issue - even falsely flagged ones - resolved with Google's support. Do you really need such a gatekeeper?

    • Exactly. When the laws become antihuman and lawmakers absolutely corrupt, it is obeying those laws that is the true crime.

  • This is no longer true. Copies of IDs are legal in Germany as long as certain conditions are met, which aren't particularly onerous.

  • Like Google cares. There will be a 5-10 year long court case, and Google will be forced to pay a few billion. That will be it.

The article has corrupted paragraphs towards the end? Only for me? Read it with niche browser, did not verify with any mainstream browser.

  • Yes. It's sad because this is an otherwise well-written and important article that needs to be widely distributed and taken seriously. But people will be put off by the formatting errors.

  • Looks like the markdown source had some misformatted footnotes which were not properly processed.

    Whoever uploaded/published this didn’t seem to review it first.

  • It has corrupted formatting throughout for me.

    • It looks like 8 out of 17 footnotes didn't become footnotes properly. Every second footnote is displayed in the middle of the text, with a name tag like [^regappid] instead of getting a number.

I think we have reached the point when AppStore / Google Play must be spun off from Apple / Google and made to work as separate companies, and have access to Android / iOS platforms on equal terms with other vendors.

We have a great example of such approach on desktop: while some people decry Steam for being a monopoly, it is totally different. Users aren't forced to use it, but choose to use it, and nobody prevents them from installing epic store or whatever. This will stop monopolistic anti-user abuse in their tracks and greatly improve conditions for everybody (except Google and Apple, but after all these years, they kinda deserve it).

Anyone else thinking this looks like precursor to banning Signal and similar?

1) Put google in control of what you can install.

2) Get google to block it.

Noting that making it harder to install does most of the job as you need your contacts to use signal before you can.

My Pixel 6 just broke, and after 15 years of using Android (I still miss that Nexus One trackball!), I’ve finally been convinced to move to iOS.

If I have no options left and must live in a walled garden, I suppose I’ll choose the one with nicer flowers.

  • I highly recommend GrapheneOS - it really is Android as it should be. More secure, more open, no ads or tracking.

  • never thought that I (lifelong gnu/linux user) would ever seriously consider getting an iPhone, but here we are.

The time to fight is now!! We are careening toward a bleak future of mobile computing.

  • Unfortunately the fight seems to be enormous. It's not just this little slice of computing freedom, it's all the random bullshit that various world governments get up to that I keep seeing in EFF newsletters: big tech enforcing government censorship or ratting you out to your government that's having a play at fascism, or making you verify your identity to access services, or trying to get access to your encrypted communications, but on top of that it's also: weaponizing copyright law to get you in trouble for repairing things you bought, choking out small businesses that might compete with regulatory capture or copyright shenanigans, shadowbanning your content if it doesn't look nice next to coca-cola ads (everyone putting little stars on sui*ide or whatever other nonsense), adding fees on all your payments or completely un-humaning you if you don't pay to play (credit card companies; UK allowing "CC only" shops).

    Not to be the strings on the pegboard guy, but, it's all looking to be connected, and it's all looking to be the natural outcome of organizing our societal value systems around profit motive and letting gigantic inhuman profit-seeking algorithms (corporations) run rampant and allowing capital to be transferable to political power.

    Walkaway by Cory Doctorow seems the most feasible path forward for people that are tired of this sort of society. Modern society seems too prepared to be able to overcome with widespread revolution, and in any case such an overthrow seems too vulnerable to co-opting by bad, authoritarian actors.

    • It is connected, but not in the "man behind the mirror" sense. It just happens to be the result of important governments across the world shifting politically right simultaneously and pushing/tolerating agendas that value government-enforced security over personal freedom.


    • > Unfortunately the fight seems to be enormous.

      It is, but the longer the general public plays ostrich in the sand and prefers losing their tail feathers one by one to unburying their eyes and admitting where all this has been going, the more enormous it will be.


  • The time to fight back was when Microsoft got a slap on the wrist 25 years ago from the Justice Department.

Syncthing-fork is only distributed by f-droid and direct download from github.

F-droid is essential for many apps.

I managed to get around with apps only from F-Droid. No ads, no popups, no notifications, work without Internet access, better than Google Play apps in every aspect. The only thing left is to make a ROM without preinstalled garbage apps from the vendor.

So for Australia, what can someone do?

I don't believe that regulation these days can stand against corporate interests. I have seen this happen many times already. So what can I as a consumer do? The two practical options seem to be either Apple or Google.

I see a lot of comments here talking about "end of free computing" and similar stuff. However, I'm trying to find ways to be somewhat optimistic. There are already companies that attempt to make smartphones that actually try to preserve our freedoms (Fairphone and PinePhone come to mind, I'm sure there are more). So even if mass-market smartphones become locked-down completely, we will still have alternatives. Sure, in some ways these alternatives might be less convenient, and they might be expensive - but if you can put a price tag on your freedom then you might not need it too much in the end.

  • > So even if mass-market smartphones become locked-down completely, we will still have alternatives. [...] (Fairphone and PinePhone come to mind, I'm sure there are more)

    You're not looking far ahead enough. Use of these alternatives will be banned.

    I already cannot use any of these alternatives: all cell phones must be certified to be imported into Brazil, and so far I could find none of these alternatives certified by ANATEL. My only options are Android, Apple, or non-smartphone "feature phones" (they still exist). Yes, Brazil is one of the first countries on the list for this change from Google, and Apple already does something similar.

    • That sounds quite dystopian. I did consider this possibility, but thought that it was sufficiently far in the future. Sad that this future already arrived :(

      But can you elaborate on how this is enforced? Probably by requiring IMEI registration? (supposedly with a carve-out for tourists, something like "a new IMEI can be used for two weeks without registration, after that it stops working")

      If it's IMEI-based, then probably you can still have an alternative phone that will use WiFi hotspot from the "certified" one. Speaking from experience here - we had a problem in Indonesia where we were unable to register a phone due to bureaucratic shortcomings, and so we bought a cheap phone to serve as a hotspot. Inconvenient, true, but still workable.

      Also, I don't know how IMEIs are implemented at hardware/software level. Maybe there are ways to spoof them somehow?


  • You're missing the part where government-mandated apps will rely on remote attestation which will only work on "certified" phones.

    • I've got this covered :) I use a separate phone for these apps. So I have a "normal" phone that I use regularly and can do whatever I want with it, and a "certified" phone that has these pesky apps - and nothing else.

  • ... Shift Phones! They even have an installer so you can install a phone OS of your liking (e/OS, Lineage, Ubuntu, etc...).

    • I was looking at Shiftphone but haven't been able to identify a single advantage over Fairphone. More vendors isn't bad, but it's so niche, I think more people actively use F-Droid (and that's already niche) than know the name Shiftphone! They'd stand stronger and be a more realistic option if they collaborated on some level

      I'm curious if you know of any reason to buy Shift besides specifically supporting German economy instead of the Dutch one

      And would you know why they don't work together? At least on the software side that's easy to do remotely. I know Fairphone has been struggling to catch up with the machine learning and other services other vendors are adding on top of e.g. the camera sensor to get good photos. They seem to be doing better now but Shift seems to still have a lot of software bugs, eyeing their forums


    • Thanks for the info! They do look nice and the prices are very affordable.

      I'm a bit worried by their lack of focus, though - looks like they are spreading themselves a bit thin, they are trying to build a lot of different gadgets all at once (keyboards, speakers, laptops, headphones, etc). Building a phone is hard enough, trying to build all other things might dilute the valuable development resources.

F-Droid is the best. I have around 20 apps from them on my phone, more than half of them cannot be found on the Google Play Store.

I'm glad fdroid is voicing its concerns and asking people to act.

This is not just another technical challenge. If your country is ever in the crosshairs of "American interests" and bears the brunt of its sanctions, it is possible that you cannot install apps from your fellow citizens i.e. your own local government, bank and store apps.

Countries that are likely to face sanctions are also likely to be predominantly Android users, so it affects them disproportionately. Good luck teaching your fellow citizens to root their phones (which is getting hard and outright impossible on certain phones) if that happens.

This is a real challenge that countries need to think and plan for.

  • LineageOS has probably the most compatibility among the android-compatible opensource and open (not vendor-locked) phone OSes. However the list of compatible phones is too small. There's almost no devices one can go and buy (except Pixels, but I would not use Google's Pixels just to avoid feeding the wolves).

If Google really goes through with this I might seriously consider GrapheneOS. At least Pixel hardware ought to still support unlocking the bootloader. But for how long...

  • I have installed Graphene and Lineage in the last couple months and had good experiences. Easy as ever. Not on my daily driver though

  • I already use 2 Android phones. One for main usage without the evil company. Another one with 2 apps from Playstore installed; it would cost me significant money not to use one of the duopolists there. I really hate having to pay the Google/Apple tax. The only choice I have is to decide which bad actor receives it.

    (Typing this on my 3rd phone, Sailfish OS. Unfortunately the software lacks sufficient maintenance efforts and the hardware does not suit me for primary phone use)

This isn't just a competition between app stores; it's a struggle for choice and dignity. Your phone shouldn't be a cage carefully constructed by others, but an extension of your own will. Allowing apps like F-Droid to exist preserves an enclave of freedom, transparency, and trust in the digital world. It protects not a particular platform, but our fundamental dignity as digital citizens: my device, my choice.

I wonder what would happen if F droid signed all software under their keys even though they aren't the developer? Make Google ban them instead of just giving up?

  • This is addressed in the article as well, and while there's no technical reason they couldn't do this, it would break the licensing of the apps as well as the dangers of centralizations mentioned by a sibling reply.

    > The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications.

    • Oh... this makes things much clearer to me actually. The issue is that you don't want apps that impersonate other apps showing up. For example, if someone put an app in another market that could sideload to impersonate Facebook's intents and do evil-maid type things. In the new system it would become very difficult to install a fake Facebook that is able to convince other apps that it is in fact Facebook's own app. Google's announcement can be seen as them operating essentially like DNS for app ids and intents and making things safer for a multi-app-store universe.

      For example, there is an annoyance that happens sometimes with apps that are distributed in both F-Droid and Play Store related to updates. F-Droid and Play Store will think they both can update the app (they have the same tld.what.ever identifier) but the signing keys only match the store they were installed from. I think F-Droid is now a bit more careful about this and only tries ones it has specifically installed. This is different... but somewhat related.

      F-Droid in general is a model good actor as far as third-party app stores go, but from the perspective that malicious app stores might exist you would want to try and isolate apps from each other (and prevent unauthorized re-distribution of tampered versions etc). I think what Google is doing forces apps in each store to be cleanly namespaced from each other and prevent collisions (accidental or otherwise). This lets each app store tend and be responsible for its own walled garden.


  • Any centralisation like this is bad: it's too easy for Google to delete all f-droid apps with their play protect one day.

  • FDroid owns the keys for any app submitted without reproducible builds. But I believe they would prefer 100% reproducible builds and to own no keys

  • maybe they can distribute the apps with a different identifier? just add a suffix? like fdroid.__original_identifier__ ?

  • Maybe users could provide their own keys into the F-Droid app and the F-Droid installer swaps keys as part of the download and install. At the end of the day we're just talking about a signature.

- there is no escape from digital techno feudalism

- you will have to obey corporations

- sooner or later everything will work using digital ID, or some other IDs

- sooner or later phones, PCs, browsers, will be locked in

- majority of populations will have no problems about that, aka golden cage

- I do not such a future exists when it will not look like this

- I am uncertain what is the future of open source. I think it also will be regulated by accounts, digital IDs. You will not be able to participate in open source without verification

  • Open source on a large scale is a double edged sword because it is at odds with an economic reasoning that it prevents the realization of monetary value provided by this software as profit. A crackdown on OSS would be devastating, but also not totally surprising to me in the current political landscape.

  • > I do not [believe] such a future exists when it will not look like this

    This is the deepest root of the problem. Decades of psychological conditioning took effect.

    No future is 100% predefined, my friend. Please do believe.

I still don't understand a lot of the specifics of the signing. So they're going to force through this change with a Google Play Services update? This will affect even old devices - like ones running some kiosk app?

How does this work with Chinese ROMs - that don't come with Google Play Services? How does it affect secondary app stores? A developer releases their app on Vivo's app store - and he has to register with Google's ID procedure?

If you're running some old Android version and you block Google Play Services from updating, will the Play Services stop working entirely and brick the kiosk phone/tablet?

If this was a change required in the next version of Android, then I could kind of understand. You buy a new phone and this is the Faustian bargain you choose to accept. Google's search ad cash cow is dying. Time to milk all their assets. Google obviously doesn't want people making money off of their Android work - to me this was inevitable. But the fact they're forcing this down the throats of existing users.. this seems messed up and maybe illegal?

  • This likely won’t affect Chinese or open source Android distribution. It will affect Android as distributed by Google’s partners.

    People using LineageOS, Calyx or alike will be unaffected. The other 90% of western android users will be affected.

    • LineageOS and company aren't Certified Android Devices. However, I think for instance a Vivo OriginOS device is. They will have a separate Play Service for Chinese-bound devices?

      Where are you getting your information btw?

It irks me to no end that for proper GrapheneOS support one has to buy a Pixel.

  • I wonder if Google actually makes a profit on Pixels, or if the idea is to sell at / below cost and make up for it through advertising the sale of user tracking data from the device.

    If it's the latter, buying a pixel to run Graphene might be a particularly solid counter.

Doesn't this issue get solved by reproducible builds?

Using reproducible builds allows developers to publish apps on F-Droid using their own signing keys [1]. Those signing keys can then be verified by Google.

In 2023 already, 2 out of 3 new apps used this approach [2].

With this in mind, F-Droid should be able to continue functioning after this change by mandating reproducible builds.

[1] https://f-droid.org/docs/Reproducible_Builds/

[2] https://f-droid.org/2023/09/03/reproducible-builds-signing-k...
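The check that the reproducible-builds comment above relies on can be sketched as follows. This is an added example, not part of the thread and not F-Droid's own code: it is a simplified model that only handles v1 (JAR) signature entries under `META-INF/` and ignores the v2/v3 APK Signing Block, and every function name and sample file in it is hypothetical and constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# Assumption: only v1 (JAR) signature entries are modelled. These entries are
# treated as "signature", everything else in the archive as "payload".
SIGNATURE_ENTRY = re.compile(r"^META-INF/[0-9A-Za-z_\-]+\.(SF|RSA|DSA|EC|MF)$")


def build_apk(files):
    """Build a constructed, APK-like ZIP in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in sorted(files):
            # Fixed timestamp so the sample archives are deterministic.
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            archive.writestr(info, files[name])
    return buf.getvalue()


def payload_digests(apk_bytes):
    """Return {entry name: sha256 hex} for every non-signature entry."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as archive:
        return {
            info.filename: hashlib.sha256(archive.read(info)).hexdigest()
            for info in archive.infolist()
            if not SIGNATURE_ENTRY.match(info.filename)
        }


def payload_mismatches(developer_apk, rebuilt_apk):
    """List entries that are missing on one side or differ in content."""
    dev = payload_digests(developer_apk)
    ours = payload_digests(rebuilt_apk)
    return sorted(n for n in dev.keys() | ours.keys() if dev.get(n) != ours.get(n))


def can_reuse_developer_signature(developer_apk, rebuilt_apk):
    """A store may ship the developer-signed APK only if its own rebuild from
    source has exactly the same payload as the developer's binary."""
    return not payload_mismatches(developer_apk, rebuilt_apk)


# Constructed sample data: not real APK contents or real signatures.
PAYLOAD = {
    "AndroidManifest.xml": b"<manifest package='org.example.app'/>",
    "classes.dex": b"dex\n035\x00constructed bytecode",
    "resources.arsc": b"constructed resources",
    "META-INF/services/org.example.Plugin": b"org.example.PluginImpl\n",
}
DEVELOPER_APK = build_apk({
    **PAYLOAD,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"constructed signature block",
})
REBUILT_APK = build_apk(PAYLOAD)  # unsigned rebuild from source, same payload
TAMPERED_APK = build_apk({**PAYLOAD, "classes.dex": b"dex\n035\x00other code"})

if __name__ == "__main__":
    print("clean rebuild mismatches:", payload_mismatches(DEVELOPER_APK, REBUILT_APK))
    print("tampered mismatches:", payload_mismatches(DEVELOPER_APK, TAMPERED_APK))
```

A non-empty mismatch list means the developer's binary does not correspond to the published source, so the store cannot vouch for it by reusing the developer's signature.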

  • Google will require you to authenticate with your real name and/or government ID which is something a lot of FLOSS developers don't want to do.

    • I expected one person to step up, do the verification, and F-Droid can use that signing key to distribute apps to phones with fascism mode enabled. They just need to pick an app ID that isn't already in use, could even be sequential under org.fdroid.*

      It's quite scary that there's no such idea being floated in the post. Apparently they're ready for F-Droid to be relegated to the realms of Google-free devices that nobody, outside of a few hardcore privacy activists, is currently willing to use. Maybe that'll change, but I doubt significantly enough for governments to reconsider which OSes and third-party stores they need to support

Are there any Google people that have commented anonymously about what is going on internally?

It's sad, that android is the only system that can be used to code on the device thanks to termux and now google wants to end this.

I want to take something from this article which deeply fascinated me.

The Right to Run

If you own a computer, you should have the right to run whatever programs you want on it.

I always thought that this was something natural yet Google is doing the developer registration and spotify is dmca'ing/suing? revanced team just for skipping some lines of code.

it is my computer and if I want to run an open source software from f-droid, I should be able to without one of the largest companies in the world meddling in the way.

If I want to run spotify in revanced, the developers shouldn't be sued for just skipping some lines of code. Theoretically it breaches on my rights to run software.

It's my computer, my phone, my devices and I want to run whatever I want with it. I paid for it completely and I want to use it completely.

Yet more and more, it's becoming as if your device is becoming something similar to license, like they are making us think that we haven't bought a phone, we have licensed it and there is a big difference.

They might want to slowly extract into even more of our rights to somehow sell a phone as a subscription even after buying it and what not, god.

Imagine google packages up a developer service where for 5 bucks we could side load the apps, that WE ONCE COULD DIRECTLY.

This isn't far off. But we have made almost our hardware like a service and that saddens me/violates my rights and I want to fight against them. Fuck big corpos. Fuck google.

It's my damn computer and none of your damn business saying what I have to do with my own computer. I paid for it completely and I am gonna use it completely.

  • I'd say the difficulty now is how online services are integrated as part of being able to function in many tasks we're now asking phones (or mobile computers) to do. If you're only doing local stuff then you can probably get by, but so much of the world prioritizes online and having secure payments if your phone doesn't respond correctly to those services then there's a risk of exclusion or a time/money cost to use them in a less convenient way.

  • >I always thought that this was something natural yet Google is doing the developer registration and spotify is dmca'ing/suing? revanced team just for skipping some lines of code.

    And how does Google enforce this? With the very same copyright laws they ignore to train their AI.

    • don't you know that it's official that laws only apply to us small guys and not the big guys, this has been an open secret for so long.(maybe? satirical) /s

      They are just gonna be given a fine and does crime just suddenly become legal of sorts as it maybe bucket change for these companies.

  • You still have the right to run whatever you want. You just have to use adb to install it, instead of letting it happen automatically.

    It sucks, but it's not the end of everything...

    • That is a very very weird spot that I would be limited to.

      I can have my phone right now which has f-droid and download apps directly without requiring any other device anywhere as long as I have internet access to download the apk or I have the apk

      With adb, I would need to have another specific device with me which can get real uncomfortable/ be a real breaker for a lot of times.

      On top of my mind, I see myself being in the metro downloading games on f-droid to see the state of open source games, I couldn't imagine myself having a laptop in that time, and neither did I have a laptop. I just had a pc back then.

      Also a huge % of people who are using f-droid right now would just not do things like adb etc. which are a huge breaker I suppose and in the end it is a huge net negative for the community/ecosystem/still goes against the right to run as I had mentioned.

      But I also didn't know that adb was still enabled, I had actually thought that you genuinely couldn't run any app except google's developer registration AT ALL.

      but this is also a slippery slope and what prevents them from blocking that too. unless we fight against this, it sets a really really bad precedent for them to follow/essentially dictate my hardware in the future.

I live for the day when regulators say Android (and iOS) should not ship with a default store, and should allow users the choice. Break the platform monopoly.

In the meantime, I guess it is time to return to degoogled Android, for me at least.

Another good example of Google's worst instincts, though: backups. The backup API can only be implemented by things which are included at build time, so apart from e/OS/ I've never seen an option except Drive. (e/OS/ supports nextcloud as a target)

The thing that bothers me the most is government apps. How can a government require me to use a certain os or browser to use something.

What are some ways that we can be active about this and have support for these apps everywhere. I'm in Europe. For banking apps, sure ok, I can still go to the bank but what if that becomes unavailable for me to do. Our countries can't build software based on evil companies like Google.

I see this degradation of the developer and customer experience on mobile as an opportunity for better PWA/web application development. Many things done as an app today could be a PWA, including banking apps. WASM ensures the performance and the browsers have most of the capabilities to do this. I'm sure both Google and Apple will change course when they discover no one does apps anymore.

I don't think Google will enforce this verification as an option that cannot be disabled. Not because they care about open-source, but because there are contexts where Android is used where the device doesn't have an internet connection to contact Google services to verify apps that are installed by whatever deployment method is used. I talk about all the industrial contexts where the devices (terminals that operators use) don't connect to the internet but to a local network that is only used to communicate internally with the server the application is using.

By the way, if that is truly implemented and not bypassable using some methods such as some developer option, I think that I will return to running a custom ROM (hoping that they would not start restricting also the possibility to unlock the bootloader, fortunately that is up to the manufacturer and you would still find phones with unlockable bootloader, or just get an older phone).

  • It probably doesn't require a network connection for basic checking, as the signed key can be cryptographically checked even when offline as long as Google preloads their public keys to the phones

  • This is for "certified" Android devices, I'd imagine the industrial systems Android is flashed to aren't certified.

Here is a sample email template you can use to send to your congressperson if that is helpful:

Dear <Congressperson>,

I am writing to you out of deep concern regarding Google’s recent decision to require all Android developers worldwide to register directly with Google by providing personal government identification and other sensitive details as a condition for distributing their applications. While this policy may appear to be framed as a security measure, its consequences would be far-reaching and detrimental to digital freedom, competition, and privacy.

For over a decade, the F-Droid project has demonstrated that safe, secure, and privacy-respecting app distribution is possible without central corporate gatekeeping. F-Droid and similar open-source platforms provide verifiable builds, transparent review processes, and applications free of hidden trackers or predatory monetization schemes. By contrast, Google Play has repeatedly hosted malicious apps, showing that centralization is not the same as security.

The new registration decree effectively forces independent developers to surrender their personal identities to Google, erecting unnecessary barriers to participation in the software ecosystem. Worse, it would prevent alternative app stores like F-Droid from continuing to operate, depriving millions of users of trusted open-source applications and their ability to freely choose how they use their own devices.

This is not only a matter of consumer choice, but of civil liberties. Forcing creators to register their identities with a single corporate gatekeeper in order to distribute software is analogous to requiring authors or artists to register with a private company in order to publish their works. It strikes at the heart of free expression and innovation.

I respectfully urge you to take action to prevent this consolidation of control. Whether through competition oversight, digital rights protections, or support for open-source distribution, Congress has a role to play in ensuring that security justifications are not abused to restrict user freedom and entrench monopolistic power.

Please help preserve a healthy, competitive ecosystem where developers can create freely and users can choose openly — without unnecessary corporate barriers.

Thank you for your attention to this urgent matter, and for your continued service to our district and the nation.

Respectfully,

-<Your name>

Maybe a sufficient number of hackers are offended enough now and contribute to really free platforms, like PostmarketOS or Mobian. There has been great work there in the last years. I think we are not very far away from a really usable free phone, we need device drivers and android emulation / f-droid as long as native apps did not catch up.

I demand some degree of freedom as an end-user. If all of the possible alternatives strip that basic freedom from me, I will simply fall back to the option which has the most features, which means moving to Apple.

(Also, losing to competition seems to be the only way companies nowadays can perceive loss of users' trust)

  • Wait. Is the same freedom available on iOS at all? Don't you need a developer license there as well? Forget the fact that side loading and alternate stores are not possible at all.

Can anyone using GrapheneOS report if Firebase notifications come in consistently and reliably via sandboxed Play Services?

I'm in the market for a new phone, and I'm going to buy a Pixel 9a this week for GrapheneOS if I can reliably get notifications on it. (I already have an A05 for banking apps)

  • I'd be happy to check for you, but will need concrete steps. Signal working reliably is pretty much all I can confirm, since I don't use any other apps on that device that would give me notifications. Signal afaik uses this Google Cloud Messaging thing or whatever their TCP connection marketed as push service is called. Maybe that's now called Firebase?

    But Signal can also fall back to websockets, which I use on my personal phone and that's working great without any battery loss so I don't know how to tell the difference

  • Yes, all notifications work fine with sandboxed Play Services installed. All my banking apps also work fine. I haven't really had any problems with app support or any other problems for the many years I've run GrapheneOS as my daily driver.

Isn't it an editor, an app store or the FSF that would start an antitrust litigation against Google? I would easily do a donation to a fund to do that.

In my opinion, Google is doing that to keep control as there is now the European regulation that said that they can't force manufacturers to install exclusively what Google asks them to "to be certified". So, in theory there could have been big brand smartphones with only the vendor or alternative app store by default anytime soon without this change.

  • This confuses me. Google uses their closed source apps as leverage in the certification process. If they are no longer able to enforce bundling, then what?

  • Thinking that you can litigate every matter of user freedom against two ultra-wealthy co-monopolies of mobile OSes is frankly short sighted, if not misguided. They throw around lots of money to lawyers, lobbyists and politicians on every case. They may not win every case. But they don't need to. Each case they win is a step forward for their ambitions of total device control and indefinite money grab. On the other hand, we need to win every case with meager resources to keep our freedoms. At best, this will slightly delay our inevitable surrender to corporate greed.

    We really need to get off these abusive rent-seeking spyware platforms and go for something similar to how Linux distros or various BSDs work. The main hurdles are the hardware, drivers and essential applications like banking and transportation. The hardware is an even bigger problem than the OS platform itself. But this is getting desperate. We really have to start moving in that direction before we're left with nothing else.

Stupid question but does this mess up using alternative OSes? I have a rooted 7" nexus from 2013 that I put Lineage on and use for carplay when rentals don't have it installed and have been thinking about upgrading. Will this mess up doing that in the future, and should I just upgrade now? Also open to tablet recs to put carplay on, no familiarity with android tablets aside from the one I own

> every app is free and open source, the code can be audited by anyone, the build process and logs are public, and reproducible builds ensure that what is published matches the source code exactly. This transparency and accountability..

That might be transparent, but where is the "accountability"? There's no identification of who is involved, how are they held to account?

Meanwhile, the Web is still there, good enough for most use cases.

Last week I discovered the Geolocation API's coordinates.speed param.

Tested it with a few bike rides, it just works to display the current speed.

How many apps are there on stores to display the device's speed?

How many people in 2025 will search for a Web app (hidden in bullshit articles) instead of downloading apps full of trackers on the Play Store?

Trust has to exist somewhere, and these days everyone seems to be a target. If you have a bitcoin wallet on your phone, well you're a target, and have been for some time now. You might trust F-Droid today, but the reality is if leverage has been manufactured against them, there's no canary to tell you to uninstall F-Droid.

The days of two phones are here. Use the more "secure" no nonsense low spec device (e.g. the cheapest iPhone) for banking/govt stuff and a main phone (e.g. grapheneOS or lineageOS) for daily driver. Definitely inconvenient but maybe a blessing in disguise considering the malware/phishing risks.

Easy sideloading using ADB is one of the things that keeps me from using an iPhone.

  • Yeah I think ADB based solutions will be the way to bypass Google's Play store app developer registration and app ID registration crap that will kill F-Droid. Even now I grab a bunch of APKs and then have a script that wirelessly updates my devices... F-Droid ADB mode!

I have a way to get app distribution totally out of the hands of the app stores AND the browser but with any native OS UI you want ON any OS you want to any user within the TOS. Will share soon.

Seems Google is trying to make the price the only benefit on Android.

I wonder, excluding the freedom/device control and the price, what makes someone choose Android over iOS?

After developing an app for Android and iOS, it has become clear how wonderful it is to just publish a website in the internet.

All of this because some asshole wanted to prey on kids' credit cards for an extra couple of cents per V-Buck.

Thanks, Timmy Tencent.

Google should lose control of the app store and it should be managed by a group rather than any single company.

Yes and our company is planning to stop distributing to google App Store in near future.

"When contrasted with the commercial app stores - of which the Google Play store is the most prominent - the differences are stark: they are hotbeds of spyware and scams, blatantly promoting apps that prey on their users through attempts to monetize their attention and mine their intimate information through any means necessary, including trickery and dark patterns."

Silicon Valley's so-called "tech" companies, e.g., Alphabet's Google LLC, also "prey on users through attempts to monetize their attention and mine their intimate information through any means necessary, including trickery and dark patterns."

There is ample evidence of this behavior from a long litany of litigation where Google unsuccessfully attempted, or did not attempt at all, to rebut the evidence

It seems that app developers producing "malware"^1 would be in direct competition with these Silicon Valley companies such as Google

1. What is "malware". It could be defined as software that works against the user's interests. If so defined, the definition could vary from user to user, depending on each user's particular interests. Certainly "malware" can vary in terms of possible criminality and severity. Not all "malware" is criminal in nature, nor does all "malware" pose the same level of threat

"Do you want a weather app that doesn't transmit your every movement to a shadowy data broker? Or a scheduling assistant that doesn't siphon your intimate details into an advertisement network?"

If using "Google Apps" that come pre-installed into Android, then one can be assured that Google is using them in its round-the-clock efforts to collect such information

Google, too, is an "app developer". For some users, Google's surveillance and data collection may be in competition with other "malware"^2

2. Using the definition of "malware" above, i.e., "software acting against the interests of the user" as F-Droid puts it, we are assuming there are users who are interested in avoiding surveillance and data collection

"While directly installing - or "sideloading"[^sideloading] - software can be construed as carrying some inherent risk, it is false to claim that centralized app stores are the only safe option for software distribution."

When evaluating Google's strategy to allegedly "protect users from malware", one could ask, "Is there another way to do it?" The answer of course is yes

"We do not believe that developer registration is motivated by security. We believe it is about consolidating power and tightening control over a formerly open ecosystem."

By identifying app developers and forcing them to pay fees (consideration), these developers are entering into legally enforceable contracts with Google. Consider that the app developer, as stated above, may be in competition with Google for user attention and data collection. With few exceptions, the relative bargaining power of the parties, app developer versus Google, is overwhelmingly one-sided

Like "YouTube creators", the app developer becomes essentially an unpaid independent contractor. Payment, if any, is not in return for the contractor's work (the software). And any payment comes from advertisers. Google is only an intermediary (middleman) that takes a cut

From a user perspective, where the user is interested in avoiding targeted surveillance, data collection and advertising, is the threat of "malware" from non-Google app developers greater than the threat of malware from app developer Google. Avoiding Google's surveillance and data collection is considerably more difficult than avoiding surveillance and data collection by non-Google app developers^3

By using open source apps from F-Droid a user can easily avoid surveillance and data collection by non-Google apps. Using an app from F-Droid such as NetGuard it is trivial to avoid unwanted remote connections, surveillance and data collection initiated by non-Google apps.

Arguably app developer Google poses the greatest threat in terms of surveillance and data collection. This is in part because app developer Google also controls the operating system, the DNS settings, endpoints used by apps, major websites that most users visit, in some cases the user's hardware, and so on

[flagged]

  • AIUI, the law puts restrictions on "traders", ie businesses, people making a revenue, integrating ads etc.

    A free FLOSS app would be exempt from these requirements under the DSA. Apple and Google don't make a difference between commercial and non-commercial publishers, so in this sense they both do malicious compliance.

Fdroid owning the signing keys for the apps of other developers was always a security mistake. This announcement should make them realize this instead of doubling down on it.

  • Fdroid need to build the apps themselves to ensure they match the upstream source. They've moved away from owning the keys by recommending reproducible builds, however reproducible builds are hard and many app authors don't do it

  • They have a reason mentioned by others, however what was news to me that the Google Android application registration also requires them! https://developer.android.com/developer-verification#registe... says

    Register your apps: You'll need to prove you own your apps by providing your app package name and app signing keys.

    Couldn't this also be verified with a challenge-response signing, using the key? Why should Google have the ability to sign apps of the developer, instead of it being an end-to-end deal? Perhaps they need to have the ability to slip in some additional code if the government so wishes?

    Or perhaps there is actually a legit reason for Google to have those keys or I have a misunderstanding of the requirement?

    Maybe F-Droid could relax that requirement if it were feasible to do reproducible builds. Then the developer could just deliver the package to F-Droid, F-Droid would check that it matches what they have, and then publish it. But that's probably not going to happen. Alternatively some deeper proof-based certificate could be devised, but that's even less likely to happen.

    • To be clear it sounds like the upcoming "Android Developer Console" (distributing APK outside Play Store, https://developer.android.com/developer-verification/guides/...) does *not* require you to disclose your private key, only prove ownership:

      > Select your key: Choose your public SHA-256 fingerprint certificate from a list of eligible keys.

      > Complete a cryptographic challenge: You must sign a dummy APK with the corresponding private key and upload it to Android Developer Console. This formally verifies your ownership of the key used to sign your existing Android app.

      Play Store on the other hand does require you to share keys, so they can optimize your APK for each device. And maybe inject some state malware if you want to be snarky.
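The reproducible-build check discussed in this subthread (a store rebuilds from source and confirms the developer's signed package matches) can be sketched as follows. This is an added example, not F-Droid's own tooling and not part of any comment above; the package name, file contents and helper names are constructed, and it compares entry contents only.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signature files live in META-INF. v2/v3 signatures sit in the APK
# Signing Block, which is not a ZIP entry and so never appears in infolist().
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def is_signature_entry(name):
    if not name.startswith("META-INF/"):
        return False
    base = name[len("META-INF/"):]
    return "/" not in base and (base == "MANIFEST.MF" or base.upper().endswith(SIG_SUFFIXES))

def content_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its uncompressed data."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not is_signature_entry(info.filename)}

def compare_builds(developer_apk, rebuilt_apk):
    """Return sorted (entry, reason) differences; an empty list means the builds match."""
    dev, ours = content_digests(developer_apk), content_digests(rebuilt_apk)
    diffs = [(n, "only in developer APK") for n in dev.keys() - ours.keys()]
    diffs += [(n, "only in rebuilt APK") for n in ours.keys() - dev.keys()]
    diffs += [(n, "content differs") for n in dev.keys() & ours.keys() if dev[n] != ours[n]]
    return sorted(diffs)

def make_apk(entries):
    """Build a constructed, APK-shaped ZIP in memory (sample input, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: the store's unsigned rebuild, the developer's signed
# upload of the same code, and a signed upload carrying extra code.
BASE = {"AndroidManifest.xml": b"<manifest package='org.example.app'/>",
        "classes.dex": b"dex\n035\x00constructed-bytecode",
        "res/raw/notes.txt": b"hello"}
SIGNED = {**BASE, "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
          "META-INF/CERT.SF": b"constructed", "META-INF/CERT.RSA": b"constructed"}
TAMPERED = {**SIGNED, "classes.dex": b"dex\n035\x00extra-tracker",
            "lib/arm64-v8a/libads.so": b"\x7fELF"}

if __name__ == "__main__":
    print(compare_builds(make_apk(SIGNED), make_apk(BASE)))
    print(compare_builds(make_apk(TAMPERED), make_apk(BASE)))
```

A content-level diff like this is a first diagnostic. APK Signature Scheme v2/v3 covers the ZIP sections byte for byte, so the developer's signature only carries over to a rebuild that is identical outside the signing block.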

Can someone explain the issue with developer registration and how it results in the terrible outcomes described in the article. A lot of things have changed for the worse since the beginning of the century but even back in the good old days developers were not anonymous. Every free software I have seen has the name of the developer alongside the copyright. Often it lists multiple contributors as each copyright has to be retained according to the license. I understand sending your ID to Google is more invasive but the anonymity aspect of it is moot. Is Google going to charge developers for this service and hence hinder free software development? Is the issue that younger devs will be unable to complete the verification? And why can’t F-Droid just distribute the binary signed by the developer who has confirmed their identity? Other than that, all concerns expressed in the article are quickly becoming major issues. The web is still open for now but many banks and other institutions have broken websites, forcing you to use their apps or become “unbanked”. Once you download their apps you find out they run only on “certified” OS, forcing you to have Apple or Google owned and controlled software on the hardware you paid for.

  • The issue with this is that taking many small steps towards an edge of a cliff without any reconsideration of the direction results in falling from it.