Comment by yjftsjthsd-h

7 days ago

> We heard from developers who were concerned about the barrier to entry when building apps intended only for a small group, like family or friends. We are using your input to shape a dedicated account type for students and hobbyists. This will allow you to distribute your creations to a limited number of devices without going through the full verification requirements.

In classic Google fashion, they hear the complaint, pretend that it's about something else, and give a half-baked solution to that different problem that was not the actual issue. Any solution that disadvantages F-Droid compared to the less trustworthy Google Play is a problem.

Even restricting the mitigation to "students and hobbyists" is bad.

I should have the right to have parents, friends or anyone use a "free" store that is not under control of Google if the user and app developer wish so. But also, somehow there should be something done to avoid the monopoly forcing the use of Google services. Like major institutions like banks, gov and co being forced to provide alternatives like a webapp when they provide an app tied to the Google Play store.

  • > I should have the right to […] use a "free" store that is not under control of Google

    Yes, but we also need to stop thinking like we’re trying to please the ghost of Steve Jobs. There is no ”store”. There are installers. You distribute them how you see fit, probably through the web.

    This ”alternative stores” angle is a controlled dissent corporate plan B, much like how recycling was propped up by the fossil fuel industry.

  • We deserve web installs without deep settings menu configurations, scare walls, or onerous processes.

    The EU and every other nation with digital sovereignty concerns need to make this happen to both Apple and Google.

    These are our devices. The giants are camping.

  • But unfortunately, it turns out that some people you interact with aren't actually your friend. That guy that seems totally legit and just wants your sister to install his fun little game/app that he wrote is actually trying to get her to install an app that's going to track your location and read all your messages and copy all your photos. To keep her safe from the "actually" bad people, of course.

    • By default their app cannot though because Android uses proper sandboxing and gated API access. So you actually have to give the app location access, access to your messages and access to your photos.

      Well, unless you use one of the many crappy Android devices that never get security updates, are running old kernels, old vendor security patch levels, miss all Android security patches, except applying the backported security bulletins every three months (1-2 months late). Yet, Google is happy to certify them as Android devices.

      It was never about security, it is about control. If it was about security, they would have revoked the GMS licenses of pretty much every vendor outside Google themselves and maaaaybe Samsung, until vendors actually started caring about security. If it was about security, there would not be as many scam apps in the Play Store itself.

      Back to your sister, the proper solution is to educate her (and everyone else) not to give apps unfettered access when they ask you to, plus let Google implement more security measures that systems like GrapheneOS already have (contact scopes, sensor permissions, network access permissions, etc.).


    • > going to track your location and read all your messages and copy all your photos. To keep her safe from the "actually" bad people, of course.

      The guy's name? Google. ;-)


    • As opposed to the Play Store where you search for "ChatGPT" and end up on a scam app which reads all your messages and copies all your photos?

      And that example isn't random, I just tried and the first result for me is a counterfeit app with the logo of chatgpt copied.

    • > That guy that seems totally legit and just wants your sister to install his fun little game/app that he wrote is actually trying to get her to install an app that's going to track your location and read all your messages and copy all your photos.

      Is "that guy" in the room with us right now?


  • I'm far from a Google apologist, but at the end of the day don't they have the right to write software however they want it? You have the right to build things the way you want to, fork Android, etc etc. If you're trying to say you have the right to tell Google what the code their employees write can do, well, I don't really agree with that. Sounds coercive, honestly. I wouldn't want them to do that to you and I don't want you to do that to them.

    • Does a business have the right to produce whatever it wishes even if it affects the environment?

      Does a business have the right to pay literal pennies per hour if it manages to find people willing to work at that pay?

      Does a business have the right to lace food products with addictive substances for repeat customers and profit?

      All these cases are already happening today at some level depending on who you ask. But they don’t tilt to extremes because we have laws in place to maintain balance between business needs and collective good.

      This move by Google will tilt that balance forever towards absolute duopoly in mobile computing space. It is time for legislation to avoid that.

    • Yes they do, unless it limits my right to do whatever I want with software I bought.

      And also monopoly.

      This is exactly the thing for which Apple gets bashing. Closed garden.

    • No they don't. They couldn't legally write software to hack into the Pentagon and launch nukes at North Korea. They couldn't legally write software that live streams your camera to them without your actual consent.

    • No, Google does not have the right. If you're building roads, you don't have a right to build them unsafely. Doesn't matter if they're privatized or not; they're important infrastructure for which we don't have meaningful alternatives.

    • > I'm far from a Google apologist, but at the end of the day don't they have the right to write software however they want it?

      Not after creating de facto duopoly.

    • It is a little surprising a lot of smart people somehow miss this simple logic.

      Android is massive and extremely popular and I know several people who have been scammed already. It is important that Google makes this harder for scammers.

      Google is not doing this to harm developers but to protect their users.


I think you've omitted the next section, which seems more relevant. It seems like they will still allow installs, just hide it behind some scare text. Seems reasonable?

  • > It seems like they will still allow installs, just hide it behind some scare text.

    This was already the case for enabling sideloading at system level: it warned you. Nobody really says having this toggle is a bad thing, basically the user shouldn't get an ad network installing APKs just browsing around the web without their informed consent (and Android has been found to be vulnerable to popunder style confirmations in the past).

    They also already had the PlayProtect scanning thing that scans sideloaded APKs for known malware and removes it. People already found this problematic since what's to stop them pulling off apps they just don't like, and no idea what if any telemetry it sends back about what you have installed. There have been a handful of cases where it proved beneficial pulling off botnet stuff.

    Finally, they also have an additional permission per-application that needs to be enabled to install APKs. This stops a sketchy app from installing an APK again without user consent to install APKs.

    The question is: How many other hurdles are going to be put in place? Are you going to have to do a KYC with Google and ping them for every single thing you want to install? Do you see how this gets to be a problem?

  • The whole point of TFA, if you read it, is that they SAID they would do that, but there has since been ZERO evidence that they actually will. This feature is not present in anything they have released since that statement.

  • Why is it reasonable that installing software is behind an "advanced flow" whatever that means? I find it not very reasonable at all that the only way to install software on my phone is by jumping through hoops. I don't think it reasonable that the Play Store is the only portal. I don't even find it reasonable to call installing software "sideloading". Downloading and installing software from a vendor's page has been the norm for decades before smart phones came along but all of a sudden when it is on a small screen the user cannot be trusted? That's ridiculous and not at all reasonable.

    • It's not the screen size, it's the demographic shift. By 2000, only half of U.S. households had a shared living room PC, mostly for work and/or games. Everybody having a phone in their pocket later was a change that we did very much have to account for. Non-technical people can be scammed very easily into life-ruining mistakes with a little social engineering and a little bit of access to powerful tools already on their devices.

      I remember when big sites started having to put big banners in your browser console warning you that if you weren't a dev and someone told you to paste something there, you had been scammed, and not to do it. They had to do that because the average Facebook user could be tricked very easily by promises of free FarmVille items or the opportunity to hack someone else's account, and those are fairly low stakes bait. Now people bank with real money on their phones.


  • No, because it isn't something that should be up to google's control.

    • Why not? It's their operating system, and they're trying to balance quite a few competing priorities. Scammers are not a threat to dismiss out of hand (I've had family who were victims).

      For it to be truly considered open source, you should be able to fork it and create your own edits to change the defaults however you wish. Whether that is still a possibility or not, is a completely separate issue from how they proceed with their own fork.


  • > We are designing this flow specifically to resist coercion, ensuring that users aren't tricked into bypassing these safety checks while under pressure from a scammer. It will also include clear warnings to ensure users fully understand the risks involved, but ultimately, it puts the choice in their hands.

    I've lived through them locking down a11y settings "to resist coercion, ensuring that users aren't tricked into bypassing these safety checks while under pressure from a scammer", and it's a nightmare. It's not just some scare text, it's a convoluted process that explicitly prevents you from just opening the settings and allowing access. I'm not giving them the benefit of the doubt; after they actually show what their supposed solution is we can discuss it, but precedent is against them.

    > Seems reasonable?

    No. As I said before, any solution that disadvantages F-Droid compared to the less trustworthy Google Play is a problem.

  • > It seems like they will still allow installs, just hide it behind some scare text.

    That describes the current (and long-established) behavior. App installation is only from Google's store by default and the user has to manually enable each additional source on a screen with scare text.

  • It's deliberately written to be vague and not say anything, and given the original intention, it's hard to believe that means it should be interpreted generously.