Installing any app I want outside the Play Store was the primary reason I decided to go with Android, despite most of the people I know using iPhones. If I can't do this anymore, I may as well switch and be able to use iMessage and FaceTime with them.
I glanced at Ubuntu Touch, but its device compatibility looked severely lacking (https://devices.ubuntu-touch.io/).... I have old Pixel phones I could potentially try it out on, but the last Pixel phone that is officially supported is the 3a. So that is a bummer.
It’s utterly bizarre how BBM could have been the iMessage and WhatsApp and who knows what else. But rich out-of-touch people thinking exclusivity is a perk in a commodities market just shows how business savvy and wealth are in reality disconnected from eachother.
Maybe it’s because I’m European but I’ve never understood what iMessage even is or what it offers above either sms or WhatsApp/signal. And I’ve used an iPhone for the past 15 years.
You can still install apps outside the play store, but the developer does need to verify their signing information. Effectively this means that any app you install must have a paper trail to the originating developer, even if its not on the app store. On one hand, I can see the need for this to track down virus creators, but on the other, it provides Google transparency and control over side loaded app. It IS a concerning move, but currently this is far from 'killing' non-appstore apps for most of the market.
So let's pick a random example app that might be popular on F-Droid today. Oh, I dunno...newpipe.
Given that Google both owns Android/Google Play Store and YouTube: what do you think they would do with the developer information of someone who makes an app that skirts their ad-model for YouTube?
Google is following the same game plan we saw when they decided that the full version of uBlock Origin (the version that is still effective on YouTube) should no longer be allowed within their browser monopoly.
The fact that there was a temporary workaround didn't change the endgame.
It's just there to boil the frog more slowly and keep you from hopping out of the pot.
It's the same game plan Microsoft used to force users to use an online Microsoft account to log onto their local computer.
Temporary workarounds are not the same thing as publicly abandoning the policy.
From a quick glance at /r/GooglePlayDeveloper/ it looks like Google is just as interested in killing playstore apps! It seems that they only want to support the existing larger apps now. I think they are giving a clear message to developers that its not really worth developing for that platform anymore. I think we will all agree that the playstore needed a purge but they seem to be making it impossible for any new solo devs at this point.
It also makes it easy for google to blacklist a developer, if for example the trump administration don’t like them (the same way apple removing apps documenting ICE).
Pretty sure virus creators could just pick a real ID leaked by the "adult only logins" shenanigans, whereas legit app developers probably wouldn't want to commit identity fraud.
Yeah... no. This is normal with desktop computers. Let's stop handholding people. If I trust the source, I trust the domain... I want to be able to install app from its source.
Googles/Apples argument would have been much stronger if their stores managed to not allow scams/malware/bad apps to their store but this is not the case. They want to have the full control without having the full responsibility. It's just powergrab.
I think they’re just going to track down a random person in a random country who put their name down in exchange for a modest sum of money. That’s if there’s even a real person at the other end. Do you really think that malware creators will stumble on this?
This has to be about controlling apps that are inconvenient to Google. Those that are used to bypass Google’s control and hits their ad revenue or data collection efforts.
Then you'd be rewarding the company that pioneered and normalized taking away these rights. The next rights you'll lose will probably originate on Apple again years before Google takes them away too.
You can still side-load signed apps. It's a similar limitation to macOS which won't let you run apps that Apple hasn't signed without command line or control panel shenanigans. Compared to iOS, Android still has the advantage of installing your own full browser (like Firefox) with full-fat ad blocking (uBlock Origin, not Lite). iOS is Safari-only right now though, in theory, some alternative engines may be available in Europe later.
With macOS you run "sudo spctl --master disable", and then you can run whatever you want without sending PII to Apple. Is that the case with the new Android stuff?
You can install full uBlock Origin in the Orion browser, on iOS. It also has decent built-in ad blocking (though uBlock Origin is still better).
I had been thinking for a long time to switch to Android (GrapheneOS, probably) when my current iPhone 13 dies, but this whole thing with "sideloading" on Android is making me reconsider. If I can't have the freedom I want either way, might as well get longer support, polished animation and better default privacy (though I still need to opt-out of a bunch of stuff).
Antitrust action is badly needed in this area. It is ridiculous that I need permission from my device manufacturer to install software on hardware I own. There is no viable alternative than to live in Apple and Google’s ecosystems. This duopoly cannot be allowed to keep this much control of the mobile platforms.
There needs to be a mandatory override for any lock down put in place by a manufacturer. I understand the need for security, but it should be illegal to prevent me from bypassing security if I decide to on my own device. Make it take multiple clicks and show me scary warnings, that's fine.
Technically Android still allows installation of anything if you use the debugging tool. Maybe that is where we have to draw the line, I'm not sure.
We need to stop calling it "sideloading", we should call it freely installing software. The term "sideloading" makes it sound shady and hacky when in reality it is what we have been able to do on our computers since forever. These are not phones, they are computers shaped like phones, computer which we fully bought with our money, and I we shall install what we want on our own computers.
How badly screwed are we that the term "installing" doesn't work because it doesn't exclude the now default assumption that someone else controls everything you are allowed to install.
>The term "sideloading" makes it sound shady and hacky
"side" refers to the fact that it's not going through the first party app store, and doesn't have any negative connotations beyond that. Maybe if it was called "backloading" you'd have a point, but this whole language thing feels like a kerfuffle over nothing.
I get where you are coming from. However, language like this matters when it comes to legislation. People outside there space will be guided by the sideload language to think it's just "something extra on the side so why should I care?"
Language strongly influences how people perceive things. For example, people shown videos of a car crash estimated higher speeds and falsely remembered seeing broken glass if the crash was described as "smashed" or "collided" rather than "hit" or "contacted"[0].
"Direct installation" sounds neutral to me, but "sideloading" sounds advanced or maybe even sneaky.
If Google provides a permanent mechanism to disable this in developer settings, then this devolves to an inconvenience.
The setting to allow unsigned apps could be per appstore tracked by an on-device sqlite database, so a badly-behaving app will be known by its installer.
indeed, but they're not talking about your phone, they're talking about android, which is something you don't buy nor own, you buy a license to use it on the provider's terms.
linux phones can't come soon enough ...
your point about the termn "sideloading" is spot on, though. perverting the language is the first step of manipulation: installing software is "sideloading", sharing files is "piracy", legitimate resistance is "terrorism", genocide is "right to defend oneself" ...
> which is something you don't buy nor own, you buy a license to use it on the provider's terms
The distinction between "own" and "license" is purely a legal one. If I buy a kitchen table I own it, I can chop it up and use the pieces to make my own furniture and sell it. When I buy a copy of a Super Mario game I cannot rip the sprites and make my own Super Mario game because I don't own the copyright nor trademark of Super Mario. But I do own the copy, and Nintendo does not get to march into my home and smash my games because they want me to buy the new one instead of playing my old ones.
> linux phones can't come soon enough
GNU/Linux. I used to think Stallman was being petty for insisting on the "GNU" part, but nowadays I understand why he insists on calling it GNU/Linux. There is nothing less "Linux" about Android than Debian, Arch or any other GNU/Linux distro, but GNU/Linux is fundamentally different in terms of user freedom from Android.
That would require a lot tighter and broader (but not corp-controlled) organization than what open source is accustomed to - making cheap and capable phones that aren't tied to a big corp is big challenge.
> when in reality it is what we have been able to do on our computers since forever
You do realise that's been changing right? Slowly of course, there's no single villain that James Bond could take down, or that a charistmatic leader could get elected could change. The oil tanker has been moving in that direction for decades. There are legions defending the right to run your own software, but it's a continual war of attrition.
The vast majority of people on this site (especially those who entered the industry post dot-com crash) ridicule Stallman.
"Dan would eventually find out about the free kernels, even entire free operating systems, that had existed around the turn of the century. But not only were they illegal, like debuggers—you could not install one if you had one, without knowing your computer's root password. And neither the FBI nor Microsoft Support would tell you that."
Unfortunately it also means giving the key to the Kingdom to a company like Microsoft or Google which are definitely adversaries in my book. Keeping them in check was still possible with full system access.
Even Apple I don't trust. They're always shouting about privacy but they define it purely as privacy from third parties, not themselves.
And they were the first to come up with a plan where your phone would spy on you 24/7.
If you want a real blackpill (I think this is the right word), consider the famous Cathedral and the Bazaar.
I recently had a realization: I can name Cathedrals, that are 800 years old, and still standing. I can't name a single Bazaar stall more than 50 years old around any Cathedral that's still standing. The Cathedral's builders no doubt bought countless stone and food from the Bazaar, making the Bazaar very useful for building Cathedrals with, but the Bazaar was historically ephemeral.
The very title of the essay predicts failure. The very metaphor for the philosophy was broken from the start. Or, in a twisted accidentally correct way, it was the perfect metaphor for how open-source ends up as Cathedral supplies.
> The vast majority of people on this site (especially those who entered the industry post dot-com crash) ridicule Stallman.
I've been in tech and startup culture for over a thousand programmer-years (25-30 normal years). It wasn't dot-com or the crash. It was mobile. The mobile ecosystem has always been user-hostile and built around the exploitation of the customer rather than serving the customer. When the huge mobile wave hit (remember "mobile is the future" being repeated the way political pundits repeat talking points?) the entire industry was bent in that direction.
I'm not sure why this is. It could have been designed and planned, or it could have evolved out of the fact that mobile devices were initially forced to be locked down by cell carriers. I remember how hard it was for Blackberry and Apple to get cell carriers to allow any kind of custom software on a user device. They were desperately terrified of being commoditized the way the Internet has commoditized telcos and cable companies. Maybe the ecosystem, by being forced to start out in a locked-down way, evolved to embrace it. This is known as path-dependence in evolution.
Edit: another factor, I think, is that the Internet had no built in payment system. As a result there was a real scramble to find a way to make it work as a business. I've come to believe that if a business doesn't bake in a viable and honest business model from day zero, it will eventually be forced to adopt a sketchy one. All the companies that have most aggressively followed the "build a giant user base, then monetize" formula have turned to total shit.
I always found this term utterly bizarre. It first showed up in the early days of the mobile "revolution" and felt astroturfed, since no developer would think we need a fundamentally new term for downloading software. It felt like something some dark patterns team came up with to discourage free installation of software on your own device.
Of course maybe I'm overthinking it. It's common for people deep in the bowels of an industry to invent pointless jargon, like "deplane" for getting off an airplane. Anyone know where the term "sideload" was coined or by whom?
If you focus on the fact that Google fraudulently marketed an operating system that allows users to run any software they like (until they successfully drove other open options out of the marketplace) you have all the legal justification you need to force Google to back down.
In the US, there's no requirement for a company to honor the claims of prior advertisements for things that they might do in the future for a different product. And even if a company does lie about the features of their product, advertising law does not require a company to change the features of their product to meet those claims. What could be required is a change in the advertising, or a refund for people who bought the devices under the false terms.
But if you advertise a certain side of feature features in a phone three years ago, and sell something completely different next year, that's entirely legal.
(This is before Apple lobbying efforts result in either the death of the bill or a bunch of exceptions allowing companies to do "notarization" or "developer verification".)
I know this is side topic but if buying the Android or iPhone hardware gives us hardware we don't control, then what alternatives we realistically have? I do own pinephone (and I was recently reading that they kinda staled with development of new phones hardware), I know about librem.. is there anything else on the market?
This is a weak argument. If things have slipped through the cracks with someone actively reviewing it, the alternative cant be 'lets not do any checking whatsoever'.
There are better arguments against this that other commenters here have provided (including "my device, my rule") but this isnt a strong argument.
That's the thing, they don't review their apps, and they actively ignore people flagging apps that are scams or otherwise malicious. Much like their ad empire, its all bots and people making money for pretending to care.
It's not "let's not do any checking whatsoever", it's just "let individual users choose between Google's ineffective checking and alternative app sources that users can trust or not trust with zero involvement from Google".
However, I don't think they haven't measured the number of users installing apps outside of the Play store. May be they just don't care about the small % of total users who are a large % here on HN.
And this will creep out to the major desktop systems too, Apple is doing it with their stupid "non-verified app" and Windows looks more likely to do so with their "need Microsoft account to login" to windows.
It's unfriendly to developers and power users, but very friendly to the other 99.999% of users.
I used to work for Google, on Android security, and it's an ongoing philosophical debate: How much risk do you expose typical users to in the name of preserving the rights and capabilities of the tiny base of power users? Both are important but at some point the typical users have to win because there are far, far more of them.
The article implies that this move is security theater. It's not. I wasn't involved in this decision at all, but the security benefit is clear: Rate limiting.
As the article points out, Google already scans all the devices for harmful apps. The problem is knowing what apps to look for. Static analysis can catch them, dynamic analysis with apps running in virtual environments can catch them, researchers can catch them, users can report them... all of these channels are taken advantage of to identify bad apps and Google Play Protect (or whatever it's called these days) can then identify them on user devices and warn the users, but if bad actors can iterate fast enough they can get apps deployed to devices before Google catches on.
So, the intention here is to slow down that iteration. If attackers use the same developer account to produce multiple bad apps, the dev account will get shut down, requiring the attackers to create a new account, registered with a different user identity and confirmed with different government identification documents.
Note that in the short term this will just create an additional arms race. In order to iterate their malware rapidly, attackers will also need to fake government IDs rapidly. This means Google will have to get better at verifying the IDs, including, I expect, getting set up to be able to verify the IDs using government databases. Attackers will probably respond by finding countries where Google can't do that for whatever reason. Google will have to find some mitigation for that, and so on.
So it won't be a perfect solution, but in the real world, especially at Google scale, there are no perfect solutions. It's all about raising the bar, introducing additional barriers to abuse and making the attackers have to work harder and move slower, which will make the existing mechanisms more effective.
The Android Developer Blog called it "an ID check at the airport which confirms a traveler's identity but is separate from the security screening of their bags."
From the mouths of rubes, I guess. The ID check at the airport has zero to do with safety or security and everything to do with the airlines' business model (no secondary market for tickets), enforced by government.
>The ID check at the airport has zero to do with safety or security and everything to do with the airlines' business model (no secondary market for tickets), enforced by government.
If it's really about protecting "airlines' business model", why did TSA recently start requiring REAL ID to board flights? Were airlines really losing substantial amounts of money through forged drivers licenses that they felt they needed to crack down?
This is nonsensical. The minute the government doesn’t check ID to get on a plane that coincides with your ticket, the airline will start doing ID checks before getting on domestic flights just like they do for international flights.
And some airports are now allowing non fliers inside the terminal.
Even hotels force you to verify your ID to check in even though the reservation I’d transferable - just add a guest to your room when you make the reservation.
If that ever does happen I really hope they just focus on making a proper phone, not trying to make it a hybrid phone and workstation. When they were working on Ubuntu touch (or whatever their phone version was called), they would show off how cool it was that you could just plug your monitor and input devices into it and boom you’ve got an all in one device.
But who wants that? It’s cool. But I’d rather just have a fully functional phone that happens to be Linux.
Yeah, all you need to add is a desktop environment and some kernel drivers that are specific for phone hardware.... except that's what AOSP already is.
I have this profound disgusting feeling when I think I'm going to have to ask Google to validate which app I am allowed to install on the phone I paid freaking money to get !
This is not about open source, the government being able to ban apps, or anything else but a principle.
I'm not a child and Google is definitely not an authority respectable enough to tell me what I can't install. They have lied, been sued countless times, had to pay billions of fines,..
At this point, there are 2 alternatives : iphone, grapheneos (don't even start with Linux phone).
Iphone suck just as bad on that matter but at least the software is more suited to professionals, it's not as half ass done as Google software.
Grapheneos, it runs just fine 99% of the time but these last 1% can be so annoying. Like how they disable face unlock, or how some apps refuse to work because of play integrity.
My last hope is that the eu will come once again to the rescue and bring the mfcker at Google who came up with this idea back to earth.
That or ban Google Android version and make an European Android alternative funded and developed by a consortium of tech companies that want to sell phone in Europe.
After all, Europe is even a more interesting market than the usa.
Can anyone say exactly what this would mean for F-Droid? For instance, not that I want this to happen but if F-Droid really wanted, they could conceivably get verified developer status.
And then they could offer apps, which (again I don't want this, just asking), could also be distributed if verified. F-Droid would have to be verified and would only be able to distribute apps from developers that are also verified.
And so conceivably you could still install apps from outside the Play store if they're verified. Unless the Play store is administering verification.
I'm not saying that would work, in fact, I think in practice it wouldn't. I'm just trying to play out what that would look like to understand the specifics of how F-Droid is being effectively dismantled. But I'm all ears if someone has a different interpretation about how F-Droid lives through this. It would seem that it would only survive on degoogled phones.
> we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications.
Since these are open source apps, couldn't f-droid maintain their own fork of each app with a different application identifier?
It would give Google the ability to shutdown F-Droid at will by baning their account and thus far more power to control what F-Droid publishes and how it operates. However, it seems like anyone could fork an open source app and use their own account and setup their own unique identifier for their fork.
No question this increases Google's power but it doesn't seem like it technically makes it impossible to operate a store like F-Droid.
This change would make Google's policies in line with the policies Apple has recently implemented to comply with those court orders you're talking about.
There's an overarching lesson that FLOSS needs to learn from the last fifteen years:
If it's not copyleft, it's not free. Also, it's more than just a legal classification of IP law, it's an ethos. I don't care how "free" your underlying OS is, if most of the userland is proprietary and the only way to really effectively use the software on consumer hardware is to use a megacorp's implementation of it and to bow to their whims, it might as well be Microsoft Windows.
This is why I always thought Android never really was Linux. Sure, it has a Linux kernel, but that kernel just exists to run a bunch of software in a way that you have no real control over.
I really would love to get rid of everything related to Google, Microsoft and Apple. Too bad I am completely depending on them. Business wise and privately. I wish I would wake up tomorrow with a Linux phone with no crippleware, no notifications, no crappy animations, no limits, no nothing.
If that actually were the case, the iPhone would've died in 2007.
In reality, most people don't even know what sideloading is. Those are the people who are buying phones and supporting the market for their existence.
The 0.001% of people who want to side load applications onto their phone, can clamor for a new OS all they want, but unless they put the resources in place to make that happen, it won't.
I just wish BlackBerry went in a different direction. If during the early-mid 2010s they decided to dedicate to open-source and privacy-first, as well as keeping their flagship QWERTY format with the optimized BlackBerryOS, they could still be around serving a particularly large niche in the smartphone market: Those who use their phone for communication and utility over entertainment.
Maybe they can make a comeback. If anyone at BlackBerry is reading this, just do it, please and thank you.
They all died. There were Linux phones until Android and there were some non-Android phones until Android 8 or so, such as Qt Extended, RIM BlackBerry OS, Palm webOS, Mozilla Firefox OS, and Microsoft Windows Phone, to name a few. They all died from numerous footgun wounds as well as pressures from competition.
VoLTE was one of major contributors to the situation, by the way. Only iOS and Android supported voice call on 4G LTE for first 3-5 years, due to it being a huge pile of TBDs and transitional hacks. There were political fights in whether the LTE is to be 4G or it was to be 3.9999G and superseded quickly by a completely separate 4G standard. This meant that companies and consortium that maintained alternative OS could spend unrealistic amount of lobbying and engineering effort trying to get into it, risking investments needed for it, or give up and start procurement process for a white flag. All chose the latter, and we ended up with an iOS/Android duopoly with unprecedented totality.
I've been using Sailfish OS for quite some time, but I don't do all of my computing on the phone. There's quite a high friction for using any of the mainstream Android apps, so usually you have to find an alternative if possible.
I also use Sailfish OS - its not perfect, but useable. :) And the way Android and iOS goes to shit, its current state might already be better than them soon. ;-)
(Sailfish OS is improving over time, if a bit slowly. :) )
It's kind of ironic that you have to actually give Google money in order to not use Android. I'm still amazed that there's no Graphene support for any other device.
> if you compile from source and deploy via adb nothing changes
That's not how I understand it. Do you have a source?
"Starting in September 2026, Android will require all apps to be registered by verified developers in order to be installed on certified Android devices."
> Android Studio is unaffected because deployments performed with adb, which Android Studio uses behind the scenes to push builds to devices, is unaffected.
Yes, like the software for my ebike conversion kit for which I only have the APK. I have vetted the software and would like to install it. If Google blocks that, then fuck them.
it's always hilarious (and there's a lot of this going on right now) when major players eliminate themselves from the competition, while deluding themselves that they've eliminated the competition.
As with manifest v3, Google is once again misusing their position as a source of open standards to benefit their adware business. Hopefully the EU fines them once again.
A weird hill to choose to die on given that in practice it's not really a meaningful percentage of people that are using adblockers and the negative PR they get from these oversteps is massive.
I believed the EU specifically ruled that Apple's rules which include this are NOT ok. And they're currently fighting Apple about it. Unless I missed something.
Meh, I can still install what I want via adb. It's probably a good thing most people won't be able to click a link and have a new program installed by an anonymous person. Especially in an ecosystem where .apks are passed around manually
If you want to install software on your Microsoft Windows computer, it has to be signed by a verified developer, otherwise you get an overridable warning that the developer cannot be verified, the software may contain malware etc.
If you want to install software on you MacOS machine, the same thing applies. It must come from a verified developer with an apple account, otherwise you get a warning and must jump through hoops to override. As of macos15.1 this is considerably more difficult to override.
If you want to install iOS apps, the apps have to be signed by a verified developer. Theres no exceptions.
I just dont see a future where being able to create and publish an app anonymously is going to be supported.
Becoming a verified developer is a PITA, and can take a while or be impossible (i.e. getting a DUNS number if you're in a sanctioned country might be not at all possible) but at the same time, eliminating the ability of our devices from running any old code it downloads and runs is a huge safety win.
I'm okay with overridable warnings, having to open system settings to override the verification, etc. It's a "huge safety win" for the 80% of users who don't really know what they're doing, security wise. But not for me.
I won't be using any OS that doesn't allow me to step outside its walled garden, if I have any alternatives at all. With macOS it's quite simple - the second they won't allow apps from unverified/unsigned developers, I'm switching to Linux. On mobile, I might as well switch to iOS, since I'm not really sure what else Android offers anymore that's so compelling, other than being able to install apps directly. And then I'll just wait for a Linux phone or something.
But Apple will change those "warnings" into straight-up lies, and fail to mention the user can override them, and hide those overrides in non-discoverable places:
Whenever I try to open an unverified app, this popup comes up saying "[AppName] Not Opened" "Apple could not verify [AppName] is free of malware that may harm your Mac or compromise your privacy." Then there's only two options to either press "Done" or "Move to Trash." - https://old.reddit.com/r/mac/comments/1ekv55h/cant_right_cli...
> I just dont see a future where being able to create and publish an app anonymously is going to be supported.
This is strongly needed if surveillance laws like Chat Control are not to be trivially bypassed. This way applications that don't offer governments the required surveillance features can be banned and the developpers can be sued. Not looking forward to that.
I dunno man, it doesn't feel like a "huge safety win" that my computer has to check with a singular US tech company before it will let me use any software on it.
That's only sorta how it usually works. The developer has to check with a singular US tech company before they can sign the software they've given you.
Except yeah, the way this android stuff works is closer to that way. Instead of Google giving out a key for signing, they instead ask for one and tie a developer to a namespace, so yeah, I guess your Android phone has to check whether or not that namespace is "in the clear"
> eliminating the ability of our devices from running any old code it downloads and runs is a huge safety win
No, this is just false. There's numerous, well-documented instances of malware making it past gatekeepers security checks. This move is exclusively about Google asserting control over users and developers and has nothing to do with security or safety.
The only "huge safety win" comes from designing more secure execution models (capabilities, sandboxing, virtual machines) that are a property of the operating system, not manual inspection by some megacorp (or other human organization).
Thats a false equivalency. I didnt say that software was safe because its been checked. Just that at the least, one can somewhat figure out where the software came from.
Getting a DUNS number obviously doesn't make it so that you cant publish malware. It just provides a level of traceability/obstacle that slows down the process of distributing malware.
Dare I say it, I think we're being too harsh on Google here.
When you own a massively successful consumer product like Android, which is foundational to users' lives, you have an obligation to your users to keep them safe*. Sometimes you will have to choose between protecting users who don't know what they are doing at the expense of limiting users who know what they are doing. In this case, they have chosen to err on the side of the former.
I get it. It's OK to not like this development, especially if you use a lot of sideloaded apps. However, if you call this "anti-consumer", then perhaps you and Google have different notions of who the consumers are.
All said and done, Android/Pixel is still the most open mobile platform. Users are still free to install other AOSP-based OSes such as Graphene OS, which have no such restrictions on sideloading.
PS: I'm a former Google employee. I don't think I am a Google shill. I worked on mobile security, but I was not involved on this matter.
* I am using "safety" as a catch all for privacy and security as well.
> Android/Pixel is still the most open mobile platform
There are 2 options in this space (practically). Being better than Apple, who is explicit about the fact that they own every iPhone on the planet, is not a flex.
Do you think Apple is being reckless not doing the same thing on MacOS, Microsoft on Windows? Is the population too stupid to be permitted general purpose computers?
AOSP is starting to be locked down. Google's idea of promoting safety is charging developers for recognition. When there's a profit incentive involved, no, we are not being "too harsh"
> …perhaps you and Google have different notions of who the consumers are.
A relatively small percentage of HN users have empathy for people who haven't the faintest idea how their gadgets work and no curiosity about learning that. It can seem inconceivable.
I agree with you that normal people deserve safety when using their most intimate device, and that backdoors that can give technical people unfettered access will ultimately be abused by bad actors. I wish the world didn't work this way, but it's the one we live in.
If I buy a Google Pixel device then I AM a consumer. You don't have to choose, you could release a separate device for those who know what they're doing, just like Mozilla releases a separate edition of Firefox that doesn't require signatures.
And yes, I while I can still install some alternative OS on my older Pixel (now Google has stopped providing device trees for the newer ones which I therefore won't buy), Google constantly tries to make this as insufferable as possible with their "Play Integrity" crap.
Installing any app I want outside the Play Store was the primary reason I decided to go with Android, despite most of the people I know using iPhones. If I can't do this anymore, I may as well switch and be able to use iMessage and FaceTime with them.
Check UbuntuTouch, it's really a nice third option. The OS is refreshing and the dev community active.
We do not have to choose the lesser of two evils this time.
I glanced at Ubuntu Touch, but its device compatibility looked severely lacking (https://devices.ubuntu-touch.io/).... I have old Pixel phones I could potentially try it out on, but the last Pixel phone that is officially supported is the 3a. So that is a bummer.
I wonder if banking and messaging apps will work on it in the future
Yeah... Does it support WhatsApp? If not that's a deal-breaker in most of the world.
1 reply →
>I may as well switch and be able to use iMessage and FaceTime with them
I, too, love vendor lockin.
Another road that leads to BBM it seems.
It’s utterly bizarre how BBM could have been the iMessage and WhatsApp and who knows what else. But rich out-of-touch people thinking exclusivity is a perk in a commodities market just shows how business savvy and wealth are in reality disconnected from eachother.
3 replies →
I mean, we have mandatory Play Store services, so the experience on android is not significantly less locked-in.
1 reply →
You could also use a thirdparty ROM.
Maybe it’s because I’m European but I’ve never understood what iMessage even is or what it offers above either sms or WhatsApp/signal. And I’ve used an iPhone for the past 15 years.
For me, mainly: no international cost, no metered cost (other than data), no extra app like WhatsApp to install (but other party needs iOS).
Edit: that said, nowadays, maybe because I'm back in the EU, I use WhatsApp way more often than iMessage.
You can still install apps outside the play store, but the developer does need to verify their signing information. Effectively this means that any app you install must have a paper trail to the originating developer, even if its not on the app store. On one hand, I can see the need for this to track down virus creators, but on the other, it provides Google transparency and control over side loaded app. It IS a concerning move, but currently this is far from 'killing' non-appstore apps for most of the market.
So let's pick a random example app that might be popular on F-Droid today. Oh, I dunno...newpipe.
Given that Google both owns Android/Google Play Store and YouTube: what do you think they would do with the developer information of someone who makes an app that skirts their ad-model for YouTube?
2 replies →
Google is following the same game plan we saw when they decided that the full version of uBlock Origin (the version that is still effective on YouTube) should no longer be allowed within their browser monopoly.
The fact that there was a temporary workaround didn't change the endgame.
It's just there to boil the frog more slowly and keep you from hopping out of the pot.
It's the same game plan Microsoft used to force users to use an online Microsoft account to log onto their local computer.
Temporary workarounds are not the same thing as publicly abandoning the policy.
From a quick glance at /r/GooglePlayDeveloper/ it looks like Google is just as interested in killing playstore apps! It seems that they only want to support the existing larger apps now. I think they are giving a clear message to developers that its not really worth developing for that platform anymore. I think we will all agree that the playstore needed a purge but they seem to be making it impossible for any new solo devs at this point.
5 replies →
> currently this is far from 'killing' non-appstore apps for most of the market.
It means that Android is no longer suitable for my own private dev projects.
6 replies →
It also makes it easy for google to blacklist a developer, if for example the trump administration don’t like them (the same way apple removing apps documenting ICE).
1 reply →
Pretty sure virus creators could just pick a real ID leaked by the "adult only logins" shenanigans, whereas legit app developers probably wouldn't want to commit identity fraud.
4 replies →
Yeah... no. This is normal with desktop computers. Let's stop handholding people. If I trust the source, I trust the domain... I want to be able to install app from its source.
Googles/Apples argument would have been much stronger if their stores managed to not allow scams/malware/bad apps to their store but this is not the case. They want to have the full control without having the full responsibility. It's just powergrab.
17 replies →
> need for this to track down virus creators
I think they’re just going to track down a random person in a random country who put their name down in exchange for a modest sum of money. That’s if there’s even a real person at the other end. Do you really think that malware creators will stumble on this?
This has to be about controlling apps that are inconvenient to Google. Those that are used to bypass Google’s control and hits their ad revenue or data collection efforts.
Then you'd be rewarding the company that pioneered and normalized taking away these rights. The next rights you'll lose will probably originate on Apple again years before Google takes them away too.
It doesn't make any difference anyway, does it?
Then I might as well treat myself with better hardware & ecosystem.
1 reply →
I think this isn’t true at all, before the iPhone existed cellular carriers controlled software on consumer phones.
Remember when GPS navigation was a $5/month app that was a cellular plan addon?
1 reply →
And in the EU you can install apps outside of the AppStore on your iPhone!
But not outside of Apple's control, they have a very similar mechanism to this verification process with 3rd party app stores.
Thats a recent addition; hope consumer protection laws around the world become better.
Same, I'm tempted to call android just a shittier iPhone now
What part of cheaper, better, and open source is shittier exactly?
20 replies →
> Installing any app I want outside the Play Store was the primary reason I decided to go with Android
You still can do that with PWAs in Android. Let's see for how long.
There is a big difference between Websites and Applications. Websites are a smaller subset of capabilities.
> PWAs
And I wonder when can we stop lying to ourselves pretending "web"-apps are real (native) apps?
5 replies →
Do you have a single friend who isn't a programmer who has installed a PWA in the last two years?
You can still side-load signed apps. It's a similar limitation to macOS which won't let you run apps that Apple hasn't signed without command line or control panel shenanigans. Compared to iOS, Android still has the advantage of installing your own full browser (like Firefox) with full-fat ad blocking (uBlock Origin, not Lite). iOS is Safari-only right now though, in theory, some alternative engines may be available in Europe later.
If they need to be signed by Google, that's not side loading by definition; it's using an alternate Google channel.
What your describing isn't "side-loading". Doing that means the apps go through Google's chain of control. Please don't let them redefine the word.
With macOS you run "sudo spctl --master disable", and then you can run whatever you want without sending PII to Apple. Is that the case with the new Android stuff?
You can install full uBlock Origin in the Orion browser, on iOS. It also has decent built-in ad blocking (though uBlock Origin is still better).
I had been thinking for a long time to switch to Android (GrapheneOS, probably) when my current iPhone 13 dies, but this whole thing with "sideloading" on Android is making me reconsider. If I can't have the freedom I want either way, might as well get longer support, polished animation and better default privacy (though I still need to opt-out of a bunch of stuff).
3 replies →
> It's a similar limitation to macOS which won't let you run apps that Apple hasn't signed without command line or control panel shenanigans
Can you do something similar to load unsigned apps on Android?
Agreed. While I do not like this move, ti is weird to me how far people are going in their criticism.
The perfect should not be the enemy of the good.
2 replies →
Antitrust action is badly needed in this area. It is ridiculous that I need permission from my device manufacturer to install software on hardware I own. There is no viable alternative than to live in Apple and Google’s ecosystems. This duopoly cannot be allowed to keep this much control of the mobile platforms.
There needs to be a mandatory override for any lock down put in place by a manufacturer. I understand the need for security, but it should be illegal to prevent me from bypassing security if I decide to on my own device. Make it take multiple clicks and show me scary warnings, that's fine.
Technically Android still allows installation of anything if you use the debugging tool. Maybe that is where we have to draw the line, I'm not sure.
Especially when partaking in the duopoly is literally mandatory for life: banking, government services, basic communication, etc.
you don't need permission for the hardware... you can install your own OS.
Not if you don't have permission to install your own OS...
Didn't Google recently kill AOSP and stop providing board support packages for their phones?
Can you, with SecureBoot?
We need to stop calling it "sideloading", we should call it freely installing software. The term "sideloading" makes it sound shady and hacky when in reality it is what we have been able to do on our computers since forever. These are not phones, they are computers shaped like phones, computer which we fully bought with our money, and I we shall install what we want on our own computers.
I like the term "direct install" which someone suggested in one of the previous threads.
Or just "install". This word was sufficient my entire life until the Apple App Store came along and hijacked it.
"Why should I change my name? He's the one who sucks"
https://youtube.com/watch?v=ADgS_vMGgzY&t=3s
2 replies →
I wonder where the term started?
Android itself calls it "install" when you open an APK file, there's not mention of "sideload" in Android at all as far as I can tell.
There is, actually, but in a different context. The `adb sideload` command allows you to boot a device from an image without flashing it.
1 reply →
How badly screwed are we that the term "installing" doesn't work because it doesn't exclude the now default assumption that someone else controls everything you are allowed to install.
if anything, installing the app spoon fed to you by your phone OS provider should get the pejorative.
Let's calling, "Lameloading" or something to really nail it home.
>The term "sideloading" makes it sound shady and hacky
"side" refers to the fact that it's not going through the first party app store, and doesn't have any negative connotations beyond that. Maybe if it was called "backloading" you'd have a point, but this whole language thing feels like a kerfuffle over nothing.
I get where you are coming from. However, language like this matters when it comes to legislation. People outside there space will be guided by the sideload language to think it's just "something extra on the side so why should I care?"
1 reply →
Sounds like "sidestepping" i.e. doing something illegitimately or at least outside the normal path.
Language strongly influences how people perceive things. For example, people shown videos of a car crash estimated higher speeds and falsely remembered seeing broken glass if the crash was described as "smashed" or "collided" rather than "hit" or "contacted"[0].
"Direct installation" sounds neutral to me, but "sideloading" sounds advanced or maybe even sneaky.
[0] https://www.simplypsychology.org/loftus-palmer.html
Mandatory googleloading.
How about "unlocked install"?
Consumers are already familiar with what a "locked phone" is.
Unfortunately not. They are calling it "phone" and ("rooted phone" or "unlocked phone").
Sounds too much like illegal jailbreaking. Direct install better IMO
I like your point. Never thought of it that way. Totally agree
If Google provides a permanent mechanism to disable this in developer settings, then this devolves to an inconvenience.
The setting to allow unsigned apps could be per appstore tracked by an on-device sqlite database, so a badly-behaving app will be known by its installer.
Have you read anything about this? What you are proposing is exactly what is being disabled.
9 replies →
indeed, but they're not talking about your phone, they're talking about android, which is something you don't buy nor own, you buy a license to use it on the provider's terms.
linux phones can't come soon enough ...
your point about the termn "sideloading" is spot on, though. perverting the language is the first step of manipulation: installing software is "sideloading", sharing files is "piracy", legitimate resistance is "terrorism", genocide is "right to defend oneself" ...
> which is something you don't buy nor own, you buy a license to use it on the provider's terms
The distinction between "own" and "license" is purely a legal one. If I buy a kitchen table I own it, I can chop it up and use the pieces to make my own furniture and sell it. When I buy a copy of a Super Mario game I cannot rip the sprites and make my own Super Mario game because I don't own the copyright nor trademark of Super Mario. But I do own the copy, and Nintendo does not get to march into my home and smash my games because they want me to buy the new one instead of playing my old ones.
> linux phones can't come soon enough GNU/Linux. I used to think Stallman was being petty for insisting on the "GNU" part, but nowadays I understand why he insists on calling it GNU/Linux. There is nothing less "Linux" about Android than Debian, Arch or any other GNU/Linux distro, but GNU/Linux is fundamentally different in terms of user freedom from Android.
> linux phones can't come soon enough ...
That would require a lot tighter and broader (but not corp-controlled) organization than what open source is accustomed to - making cheap and capable phones that aren't tied to a big corp is big challenge.
> "your point about the termn "sideloading" is spot on, though. perverting the language is the first step of manipulation [...]."
Precisely.
> when in reality it is what we have been able to do on our computers since forever
You do realise that's been changing right? Slowly of course, there's no single villain that James Bond could take down, or that a charistmatic leader could get elected could change. The oil tanker has been moving in that direction for decades. There are legions defending the right to run your own software, but it's a continual war of attrition.
The vast majority of people on this site (especially those who entered the industry post dot-com crash) ridicule Stallman.
"Dan would eventually find out about the free kernels, even entire free operating systems, that had existed around the turn of the century. But not only were they illegal, like debuggers—you could not install one if you had one, without knowing your computer's root password. And neither the FBI nor Microsoft Support would tell you that."
https://www.gnu.org/philosophy/right-to-read.en.html
Yeah in the name of "security".
Unfortunately it also means giving the key to the Kingdom to a company like Microsoft or Google which are definitely adversaries in my book. Keeping them in check was still possible with full system access.
Even Apple I don't trust. They're always shouting about privacy but they define it purely as privacy from third parties, not themselves.
And they were the first to come up with a plan where your phone would spy on you 24/7.
If you want a real blackpill (I think this is the right word), consider the famous Cathedral and the Bazaar.
I recently had a realization: I can name Cathedrals, that are 800 years old, and still standing. I can't name a single Bazaar stall more than 50 years old around any Cathedral that's still standing. The Cathedral's builders no doubt bought countless stone and food from the Bazaar, making the Bazaar very useful for building Cathedrals with, but the Bazaar was historically ephemeral.
The very title of the essay predicts failure. The very metaphor for the philosophy was broken from the start. Or, in a twisted accidentally correct way, it was the perfect metaphor for how open-source ends up as Cathedral supplies.
17 replies →
> The vast majority of people on this site (especially those who entered the industry post dot-com crash) ridicule Stallman.
I've been in tech and startup culture for over a thousand programmer-years (25-30 normal years). It wasn't dot-com or the crash. It was mobile. The mobile ecosystem has always been user-hostile and built around the exploitation of the customer rather than serving the customer. When the huge mobile wave hit (remember "mobile is the future" being repeated the way political pundits repeat talking points?) the entire industry was bent in that direction.
I'm not sure why this is. It could have been designed and planned, or it could have evolved out of the fact that mobile devices were initially forced to be locked down by cell carriers. I remember how hard it was for Blackberry and Apple to get cell carriers to allow any kind of custom software on a user device. They were desperately terrified of being commoditized the way the Internet has commoditized telcos and cable companies. Maybe the ecosystem, by being forced to start out in a locked-down way, evolved to embrace it. This is known as path-dependence in evolution.
Edit: another factor, I think, is that the Internet had no built in payment system. As a result there was a real scramble to find a way to make it work as a business. I've come to believe that if a business doesn't bake in a viable and honest business model from day zero, it will eventually be forced to adopt a sketchy one. All the companies that have most aggressively followed the "build a giant user base, then monetize" formula have turned to total shit.
3 replies →
I always found this term utterly bizarre. It first showed up in the early days of the mobile "revolution" and felt astroturfed, since no developer would think we need a fundamentally new term for downloading software. It felt like something some dark patterns team came up with to discourage free installation of software on your own device.
Of course maybe I'm overthinking it. It's common for people deep in the bowels of an industry to invent pointless jargon, like "deplane" for getting off an airplane. Anyone know where the term "sideload" was coined or by whom?
No I don't know.
But: "side talking" Is a worthwhile distraction to Google and look at Nokia N-gage memes.
I prefer the term "unlocked install". Consumers are already familiar with the terms: locked phones and unlocked phones.
I call "running unsigned binaries"
They are signed, though. Just not by Google.
4 replies →
If you focus on the fact that Google fraudulently marketed an operating system that allows users to run any software they like (until they successfully drove other open options out of the marketplace) you have all the legal justification you need to force Google to back down.
What country requires that?
In the US, there's no requirement for a company to honor the claims of prior advertisements for things that they might do in the future for a different product. And even if a company does lie about the features of their product, advertising law does not require a company to change the features of their product to meet those claims. What could be required is a change in the advertising, or a refund for people who bought the devices under the false terms.
But if you advertise a certain side of feature features in a phone three years ago, and sell something completely different next year, that's entirely legal.
You keep repeating this argument verbatim, but it doesn't hold up upon critical examination.
I already replied here: https://www.congress.gov/bill/119th-congress/house-bill/3209...
(This is before Apple lobbying efforts result in either the death of the bill or a bunch of exceptions allowing companies to do "notarization" or "developer verification".)
This is a massive stretch. What marketing campaign said that?
And even if it did, it’s not like marketing campaigns make claims that last forever.
Red Lobster doesn’t owe you anything because endless crab legs isn’t a thing anymore.
embrace, extend, extinguish
The EU doesn't need a legal justification. They can stop Google but they actually love this because it helps their total surveillance state ideas.
I hope that F-Droid, the FSF or anything like that will initiate a complaint in US or EU. I would happily give a fund for that purpose.
I know this is side topic but if buying the Android or iPhone hardware gives us hardware we don't control, then what alternatives we realistically have? I do own pinephone (and I was recently reading that they kinda staled with development of new phones hardware), I know about librem.. is there anything else on the market?
Probably Linux phones, they are not there yet, but maybe by the time Android becomes an iOS it will be there.
Problem will be with banking apps and such, well you can get an used iphone and in lockdown mode it should be fine even if it reaches EoL.
> This logic is flawed: historically, we've seen malware slip through the Play Store—signed and “verified”—several times.
Yeah, check for all the fake sora apps in the play store.
This is a weak argument. If things have slipped through the cracks with someone actively reviewing it, the alternative cant be 'lets not do any checking whatsoever'.
There are better arguments against this that other commenters here have provided (including "my device, my rule") but this isnt a strong argument.
That would make sense except they aren't doing any app reviews lol. They're just scanning your government ID. It is a farce.
That's the thing, they don't review their apps, and they actively ignore people flagging apps that are scams or otherwise malicious. Much like their ad empire, its all bots and people making money for pretending to care.
1 reply →
It's not "let's not do any checking whatsoever", it's just "let individual users choose between Google's ineffective checking and alternative app sources that users can trust or not trust with zero involvement from Google".
Yes, it's a very unfriendly decision by Google.
However, I don't think they haven't measured the number of users installing apps outside of the Play store. May be they just don't care about the small % of total users who are a large % here on HN.
This is a part of a bigger trend, Cory Doctorow spoke about 13 years ago in his "The coming war on general computing": https://www.youtube.com/watch?v=HUEvRyemKSg
And this will creep out to the major desktop systems too, Apple is doing it with their stupid "non-verified app" and Windows looks more likely to do so with their "need Microsoft account to login" to windows.
It's unfriendly to developers and power users, but very friendly to the other 99.999% of users.
I used to work for Google, on Android security, and it's an ongoing philosophical debate: How much risk do you expose typical users to in the name of preserving the rights and capabilities of the tiny base of power users? Both are important but at some point the typical users have to win because there are far, far more of them.
The article implies that this move is security theater. It's not. I wasn't involved in this decision at all, but the security benefit is clear: Rate limiting.
As the article points out, Google already scans all the devices for harmful apps. The problem is knowing what apps to look for. Static analysis can catch them, dynamic analysis with apps running in virtual environments can catch them, researchers can catch them, users can report them... all of these channels are taken advantage of to identify bad apps and Google Play Protect (or whatever it's called these days) can then identify them on user devices and warn the users, but if bad actors can iterate fast enough they can get apps deployed to devices before Google catches on.
So, the intention here is to slow down that iteration. If attackers use the same developer account to produce multiple bad apps, the dev account will get shut down, requiring the attackers to create a new account, registered with a different user identity and confirmed with different government identification documents.
Note that in the short term this will just create an additional arms race. In order to iterate their malware rapidly, attackers will also need to fake government IDs rapidly. This means Google will have to get better at verifying the IDs, including, I expect, getting set up to be able to verify the IDs using government databases. Attackers will probably respond by finding countries where Google can't do that for whatever reason. Google will have to find some mitigation for that, and so on.
So it won't be a perfect solution, but in the real world, especially at Google scale, there are no perfect solutions. It's all about raising the bar, introducing additional barriers to abuse and making the attackers have to work harder and move slower, which will make the existing mechanisms more effective.
But those 99.999% of users won't be using F-droid or direct-installs to begin with.
Check Stallman's The Right to Read short story.
Link: https://www.gnu.org/philosophy/right-to-read.en.html
Meta: https://en.wikipedia.org/wiki/The_Right_to_Read
The Android Developer Blog called it "an ID check at the airport which confirms a traveler's identity but is separate from the security screening of their bags."
From the mouths of rubes, I guess. The ID check at the airport has zero to do with safety or security and everything to do with the airlines' business model (no secondary market for tickets), enforced by government.
>The ID check at the airport has zero to do with safety or security and everything to do with the airlines' business model (no secondary market for tickets), enforced by government.
If it's really about protecting "airlines' business model", why did TSA recently start requiring REAL ID to board flights? Were airlines really losing substantial amounts of money through forged drivers licenses that they felt they needed to crack down?
This is nonsensical. The minute the government doesn’t check ID to get on a plane that coincides with your ticket, the airline will start doing ID checks before getting on domestic flights just like they do for international flights.
And some airports are now allowing non fliers inside the terminal.
Even hotels force you to verify your ID to check in even though the reservation I’d transferable - just add a guest to your room when you make the reservation.
Nope. Most of the world does the ID check, and it's recommended by the UN guidelines for security reasons.
My hope is that this lets some more people wake up and finally make Linux on the smartphone a reality.
If that ever does happen I really hope they just focus on making a proper phone, not trying to make it a hybrid phone and workstation. When they were working on Ubuntu touch (or whatever their phone version was called), they would show off how cool it was that you could just plug your monitor and input devices into it and boom you’ve got an all in one device.
But who wants that? It’s cool. But I’d rather just have a fully functional phone that happens to be Linux.
You've been able to do this on android since the Motorola Atrix.
I certainly want that. I use DeX all the time. It's amazing.
Yeah, all you need to add is a desktop environment and some kernel drivers that are specific for phone hardware.... except that's what AOSP already is.
I secretly wish Framework will do this one day.
I have this profound disgusting feeling when I think I'm going to have to ask Google to validate which app I am allowed to install on the phone I paid freaking money to get !
This is not about open source, the government being able to ban apps, or anything else but a principle.
I'm not a child and Google is definitely not an authority respectable enough to tell me what I can't install. They have lied, been sued countless times, had to pay billions of fines,..
At this point, there are 2 alternatives : iphone, grapheneos (don't even start with Linux phone).
Iphone suck just as bad on that matter but at least the software is more suited to professionals, it's not as half ass done as Google software.
Grapheneos, it runs just fine 99% of the time but these last 1% can be so annoying. Like how they disable face unlock, or how some apps refuse to work because of play integrity.
My last hope is that the eu will come once again to the rescue and bring the mfcker at Google who came up with this idea back to earth.
That or ban Google Android version and make an European Android alternative funded and developed by a consortium of tech companies that want to sell phone in Europe.
After all, Europe is even a more interesting market than the usa.
Can anyone say exactly what this would mean for F-Droid? For instance, not that I want this to happen but if F-Droid really wanted, they could conceivably get verified developer status.
And then they could offer apps, which (again I don't want this, just asking), could also be distributed if verified. F-Droid would have to be verified and would only be able to distribute apps from developers that are also verified.
And so conceivably you could still install apps from outside the Play store if they're verified. Unless the Play store is administering verification.
I'm not saying that would work, in fact, I think in practice it wouldn't. I'm just trying to play out what that would look like to understand the specifics of how F-Droid is being effectively dismantled. But I'm all ears if someone has a different interpretation about how F-Droid lives through this. It would seem that it would only survive on degoogled phones.
We wrote about what it means for F-Droid at:
https://news.ycombinator.com/item?id=45507173
Thanks! Macroexpanded:
Google's requirement for developers to be verified threatens app store F-Droid - https://news.ycombinator.com/item?id=45409794 - Sept 2025 (564 comments)
> we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications.
Since these are open source apps, couldn't f-droid maintain their own fork of each app with a different application identifier?
It would give Google the ability to shutdown F-Droid at will by baning their account and thus far more power to control what F-Droid publishes and how it operates. However, it seems like anyone could fork an open source app and use their own account and setup their own unique identifier for their fork.
No question this increases Google's power but it doesn't seem like it technically makes it impossible to operate a store like F-Droid.
Android limits on "installing" software of your choice on your own consumer hardware are the most anti-consumer move yet.
Let's call it what it is. Attack on what ownership of our stuff means.
It's a puzzle to me how Google moves to restrain app install out of its store, while Apple loses in court for similar practices.
This change would make Google's policies in line with the policies Apple has recently implemented to comply with those court orders you're talking about.
They saw apple getting away with it under the DMA so they're just doing the same. You can't do anything about it.
Sounds like we need either a viable alternative or a next thing.
The next thing will probably be AR glasses and we could use some alternatives to Meta and Google and Apple.
There's an overarching lesson that FLOSS needs to learn from the last fifteen years:
If it's not copyleft, it's not free. Also, it's more than just a legal classification of IP law, it's an ethos. I don't care how "free" your underlying OS is, if most of the userland is proprietary and the only way to really effectively use the software on consumer hardware is to use a megacorp's implementation of it and to bow to their whims, it might as well be Microsoft Windows.
This is why I always thought Android never really was Linux. Sure, it has a Linux kernel, but that kernel just exists to run a bunch of software in a way that you have no real control over.
I really would love to get rid of everything related to Google, Microsoft and Apple. Too bad I am completely depending on them. Business wise and privately. I wish I would wake up tomorrow with a Linux phone with no crippleware, no notifications, no crappy animations, no limits, no nothing.
And I was willing to give BlissOS a try as a summer project. Guess Android just became less interesting for hackers in gener.
This is the beginning of the end of Android.
Google have over-reached.
It is unacceptable to software developers to be unable to install software on their own phones, and this will lead to a successor to Android.
It will take time, but it will now happen.
If that actually were the case, the iPhone would've died in 2007.
In reality, most people don't even know what sideloading is. Those are the people who are buying phones and supporting the market for their existence.
The 0.001% of people who want to side load applications onto their phone, can clamor for a new OS all they want, but unless they put the resources in place to make that happen, it won't.
> beginning of the end of Android.
You underestimate how much money & effort it takes to make an operating system.
Wouldn't people just fork AOSP? Seems like GrapheneOS has a running start?
1 reply →
Man that seems like a long time ago, eh?
I just wish BlackBerry went in a different direction. If during the early-mid 2010s they decided to dedicate to open-source and privacy-first, as well as keeping their flagship QWERTY format with the optimized BlackBerryOS, they could still be around serving a particularly large niche in the smartphone market: Those who use their phone for communication and utility over entertainment.
Maybe they can make a comeback. If anyone at BlackBerry is reading this, just do it, please and thank you.
Let's make life harder for the only mobile app store (F-Droid) that hasn't had any malware on it since it's inception - someone at Google probably.
As someone who doesn't really care about apps, if I wanted to move away from Android what phones and OSs are worth considering?
Don't know how the Google's actions with affect AOSP. There are few options depending on location / country with base band frequencies.
Murena with e/OS/ [0], Purism with PureOS [1], Volla with Volla OS or Ubuntu Touch [2], and Furei Labs with FuriOS [3].
Those are the companies actually trying to sell a phone versus Pin64 selling a device to tinker with.
Alternative is checking personally managed OSes like postmarketOS [4] and Ubuntu Touch [5].
[0] https://murena.com/ [1] https://puri.sm/ [2] https://volla.online/en/ [3] https://furilabs.com/ [4] https://postmarketos.org/ [5] https://www.ubuntu-touch.io/
They all died. There were Linux phones until Android and there were some non-Android phones until Android 8 or so, such as Qt Extended, RIM BlackBerry OS, Palm webOS, Mozilla Firefox OS, and Microsoft Windows Phone, to name a few. They all died from numerous footgun wounds as well as pressures from competition.
VoLTE was one of major contributors to the situation, by the way. Only iOS and Android supported voice call on 4G LTE for first 3-5 years, due to it being a huge pile of TBDs and transitional hacks. There were political fights in whether the LTE is to be 4G or it was to be 3.9999G and superseded quickly by a completely separate 4G standard. This meant that companies and consortium that maintained alternative OS could spend unrealistic amount of lobbying and engineering effort trying to get into it, risking investments needed for it, or give up and start procurement process for a white flag. All chose the latter, and we ended up with an iOS/Android duopoly with unprecedented totality.
I've been using Sailfish OS for quite some time, but I don't do all of my computing on the phone. There's quite a high friction for using any of the mainstream Android apps, so usually you have to find an alternative if possible.
I also use Sailfish OS - its not perfect, but useable. :) And the way Android and iOS goes to shit, its current state might already be better than them soon. ;-)
(Sailfish OS is improving over time, if a bit slowly. :) )
You don't really have a choice: it's either Android or Apple iOS.
PostmarketOS, Mobian, and GrapheneOS all seem to be good choices. Or simply not carrying a phone as I often do.
GrapheneOS on a Pixel
Let's see what will the future of Graphene be, since Google is not publishing the device tree anymore for Pixel devices...
3 replies →
Does anyone have a rough estimate for how many installation of GrapheneOS there are?
It's kind of ironic that you have to actually give Google money in order to not use Android. I'm still amazed that there's no Graphene support for any other device.
3 replies →
from what i understand:
- if you compile from source and deploy via adb nothing changes
- if you use a closed source binary, the identity of the owner becomes mandatory
so the issue is anonymously published closed source software?
> if you compile from source and deploy via adb nothing changes
That's not how I understand it. Do you have a source?
"Starting in September 2026, Android will require all apps to be registered by verified developers in order to be installed on certified Android devices."
https://developer.android.com/developer-verification
https://android-developers.googleblog.com/2025/09/lets-talk-...
> Android Studio is unaffected because deployments performed with adb, which Android Studio uses behind the scenes to push builds to devices, is unaffected.
> anonymously published closed source software
Yes, like the software for my ebike conversion kit for which I only have the APK. I have vetted the software and would like to install it. If Google blocks that, then fuck them.
> - if you use a closed source binary, the identity of the owner becomes mandatory
So I can't just build an apk and distribute to others? What's the process for providing identity?
it's always hilarious (and there's a lot of this going on right now) when major players eliminate themselves from the competition, while deluding themselves that they've eliminated the competition.
I imagine custom ROMs would be able to work around this restriction, but I wonder if simply rooting the phone would also allow you to switch it off?
Yes, this verification will be implemented in the OS but not in the TEE, so rooting does give you the ability to affect it.
But Google is working hard to make sure important apps won't work anymore due to their "Play Integrity" crap.
Why having your own website is essential
does anyone know if this affects lineage os or are they able to work around the madness?
The way Google is going, you might as well just have Apple and fully embrace consumer hostility.
As with manifest v3, Google is once again misusing their position as a source of open standards to benefit their adware business. Hopefully the EU fines them once again.
A weird hill to choose to die on given that in practice it's not really a meaningful percentage of people that are using adblockers and the negative PR they get from these oversteps is massive.
Didnt EU rule that it was OK for Apple to do, and Google is just just mirroring that?
I believed the EU specifically ruled that Apple's rules which include this are NOT ok. And they're currently fighting Apple about it. Unless I missed something.
1 reply →
Meh, I can still install what I want via adb. It's probably a good thing most people won't be able to click a link and have a new program installed by an anonymous person. Especially in an ecosystem where .apks are passed around manually
If you want to install software on your Microsoft Windows computer, it has to be signed by a verified developer, otherwise you get an overridable warning that the developer cannot be verified, the software may contain malware etc.
If you want to install software on you MacOS machine, the same thing applies. It must come from a verified developer with an apple account, otherwise you get a warning and must jump through hoops to override. As of macos15.1 this is considerably more difficult to override.
If you want to install iOS apps, the apps have to be signed by a verified developer. Theres no exceptions.
I just dont see a future where being able to create and publish an app anonymously is going to be supported.
Becoming a verified developer is a PITA, and can take a while or be impossible (i.e. getting a DUNS number if you're in a sanctioned country might be not at all possible) but at the same time, eliminating the ability of our devices from running any old code it downloads and runs is a huge safety win.
I'm okay with overridable warnings, having to open system settings to override the verification, etc. It's a "huge safety win" for the 80% of users who don't really know what they're doing, security wise. But not for me.
I won't be using any OS that doesn't allow me to step outside its walled garden, if I have any alternatives at all. With macOS it's quite simple - the second they won't allow apps from unverified/unsigned developers, I'm switching to Linux. On mobile, I might as well switch to iOS, since I'm not really sure what else Android offers anymore that's so compelling, other than being able to install apps directly. And then I'll just wait for a Linux phone or something.
Or you can try not updating Android or continue using a device already EOL. Can't have your cake and eat it too on releases and security patches.
There is a world of difference between "the OS throws up a bunch of warnings" and "the OS won't let you run unsigned software"
But Apple will change those "warnings" into straight-up lies, and fail to mention the user can override them, and hide those overrides in non-discoverable places:
Whenever I try to open an unverified app, this popup comes up saying "[AppName] Not Opened" "Apple could not verify [AppName] is free of malware that may harm your Mac or compromise your privacy." Then there's only two options to either press "Done" or "Move to Trash." - https://old.reddit.com/r/mac/comments/1ekv55h/cant_right_cli...
Your only option is to click on OK button, which won’t open the app. So how do you do it? - http://www.peter-cohen.com/2016/12/how-to-open-a-mac-app-fro...
Apple knowingly falsely claiming unsigned apps are "damaged": https://appletoolbox.com/app-is-damaged-cannot-be-opened-mac...
3 replies →
> I just dont see a future where being able to create and publish an app anonymously is going to be supported.
This is strongly needed if surveillance laws like Chat Control are not to be trivially bypassed. This way applications that don't offer governments the required surveillance features can be banned and the developpers can be sued. Not looking forward to that.
I'd be fine if it was just any old code "it" downloads. The problem is that it's any old code "I" download too.
I dunno man, it doesn't feel like a "huge safety win" that my computer has to check with a singular US tech company before it will let me use any software on it.
That's only sorta how it usually works. The developer has to check with a singular US tech company before they can sign the software they've given you.
Except yeah, the way this android stuff works is closer to that way. Instead of Google giving out a key for signing, they instead ask for one and tie a developer to a namespace, so yeah, I guess your Android phone has to check whether or not that namespace is "in the clear"
1 reply →
> eliminating the ability of our devices from running any old code it downloads and runs is a huge safety win
No, this is just false. There's numerous, well-documented instances of malware making it past gatekeepers security checks. This move is exclusively about Google asserting control over users and developers and has nothing to do with security or safety.
The only "huge safety win" comes from designing more secure execution models (capabilities, sandboxing, virtual machines) that are a property of the operating system, not manual inspection by some megacorp (or other human organization).
Thats a false equivalency. I didnt say that software was safe because its been checked. Just that at the least, one can somewhat figure out where the software came from.
Getting a DUNS number obviously doesn't make it so that you cant publish malware. It just provides a level of traceability/obstacle that slows down the process of distributing malware.
Dare I say it, I think we're being too harsh on Google here.
When you own a massively successful consumer product like Android, which is foundational to users' lives, you have an obligation to your users to keep them safe*. Sometimes you will have to choose between protecting users who don't know what they are doing at the expense of limiting users who know what they are doing. In this case, they have chosen to err on the side of the former.
I get it. It's OK to not like this development, especially if you use a lot of sideloaded apps. However, if you call this "anti-consumer", then perhaps you and Google have different notions of who the consumers are.
All said and done, Android/Pixel is still the most open mobile platform. Users are still free to install other AOSP-based OSes such as Graphene OS, which have no such restrictions on sideloading.
PS: I'm a former Google employee. I don't think I am a Google shill. I worked on mobile security, but I was not involved on this matter.
* I am using "safety" as a catch all for privacy and security as well.
> Android/Pixel is still the most open mobile platform
There are 2 options in this space (practically). Being better than Apple, who is explicit about the fact that they own every iPhone on the planet, is not a flex.
Do you think Apple is being reckless not doing the same thing on MacOS, Microsoft on Windows? Is the population too stupid to be permitted general purpose computers?
No, I am not flexing. I am just stating a fact.
FWIW, I am also pissed that there are only two mainstream options.
AOSP is starting to be locked down. Google's idea of promoting safety is charging developers for recognition. When there's a profit incentive involved, no, we are not being "too harsh"
Almost all of the pushback I have seen is on the notion of "developer registration", not the cost. That's what I was responding to.
I don't know how much it costs. But if there's any pushback that it costs too much, my comment is not about that.
> …perhaps you and Google have different notions of who the consumers are.
A relatively small percentage of HN users have empathy for people who haven't the faintest idea how their gadgets work and no curiosity about learning that. It can seem inconceivable.
I agree with you that normal people deserve safety when using their most intimate device, and that backdoors that can give technical people unfettered access will ultimately be abused by bad actors. I wish the world didn't work this way, but it's the one we live in.
I have empathy for them, that's precisely why I made them much more secure by recommending mobile Firefox with uBlock :)
If I buy a Google Pixel device then I AM a consumer. You don't have to choose, you could release a separate device for those who know what they're doing, just like Mozilla releases a separate edition of Firefox that doesn't require signatures.
And yes, I while I can still install some alternative OS on my older Pixel (now Google has stopped providing device trees for the newer ones which I therefore won't buy), Google constantly tries to make this as insufferable as possible with their "Play Integrity" crap.