Comment by greatgib
6 days ago
Even restricting the mitigation to "students and hobbyists" is bad.
I should have the right to have parents, friends or anyone use a "free" store that is not under control of Google if the user and app developer wish so. But also, somehow there should be something done to avoid the monopoly forcing to use the Google services. Like major institutions like banks, gov and co being forced to provide alternatives like a webapp when they provide an app tied to the Google Play Store.
> I should have the right to […] use a "free" store that is not under control of Google
Yes, but we also need to stop thinking like we’re trying to please the ghost of Steve Jobs. There is no "store". There are installers. You distribute them how you see fit, probably through the web.
This "alternative stores" angle is a controlled dissent corporate plan B, much like how recycling was propped up by the fossil fuel industry.
We deserve web installs without deep settings menu configurations, scare walls, or onerous processes.
The EU and every other nation with digital sovereignty concerns need to make this happen to both Apple and Google.
These are our devices. The giants are camping.
But unfortunately, it turns out that some people you interact with aren't actually your friend. That guy that seems totally legit and just wants your sister to install his fun little game/app that he wrote is actually trying to get her to install an app that's going to track your location and read all your messages and copy all your photos. To keep her safe from the "actually" bad people, of course.
By default their app cannot though because Android uses proper sandboxing and gated API access. So you actually have to give the app location access, access to your messages and access to your photos.
Well, unless you use one of the many crappy Android devices that never get security updates, are running old kernels, old vendor security patch levels, miss all Android security patches, except applying the backported security bulletins every three months (1-2 months late). Yet, Google is happy to certify them as Android devices.
It was never about security, it is about control. If it was about security, they would have revoked the GMS licenses of pretty much every vendor outside Google themselves and maaaaybe Samsung, until vendors actually started caring about security. If it was about security, there would not be as many scam apps in the Play Store itself.
Back to your sister, the proper solution is to educate her (and everyone else) not to give apps unfettered access when they ask you to, plus let Google implement more security measures that systems like GrapheneOS already have (contact scopes, sensor permissions, network access permissions, etc.).
The tricky bit with that is it would get a monopoly lawsuit from manufacturers with a lot more money to throw around quickly. The biggest problem in improving Android security posture is getting manufacturers to have robust security and release updates without getting monopoly lawsuits.
It also doesn't help that mobile carriers can delay updates for months. Thanks T-Mobile.
You mean those crappy devices that let me record my phone calls and let the voice recorder continue recording the lecture even when the screen is locked?
> going to track your location and read all your messages and copy all your photos. To keep her safe from the "actually" bad people, of course.
The guy's name? Google. ;-)
Actually, what Google does is totally legit because they pester you constantly about "sharing your location/photos/installing Gemini" until you accidentally press yes, and they can say they have your consent. So they are actually the good guys.
As opposed to the Play Store where you search for "ChatGPT" and end up on a scam app which reads all your messages and copies all your photos?
And that example isn't random, I just tried and the first result for me is a counterfeit app with the logo of ChatGPT copied.
> That guy that seems totally legit and just wants your sister to install his fun little game/app that he wrote is actually trying to get her to install an app that's going to track your location and read all your messages and copy all your photos.
Is "that guy" in the room with us right now?
No. Thankfully the FBI caught them and they're in prison now.
So, what you're saying is that Google should work on better privacy controls. Right? Right???
Let's ban passwords because you could give me your password
Hilarious example to use, because that literally is an effort that’s underway.
Thousands of people get scammed and have their lives ruined every year, so deprecating passwords is absolutely the right move
That's why passkeys were introduced. Cannot phish them
Forced "Log in with a magic link!" wants to say hello
I'm far from a Google apologist, but at the end of the day don't they have the right to write software however they want it? You have the right to build things the way you want to, fork Android, etc etc. If you're trying to say you have the right to tell Google what the code their employees write can do, well, I don't really agree with that. Sounds coercive, honestly. I wouldn't want them to do that to you and I don't want you to do that to them.
Does a business have right to produce whatever it wishes even if it affects the environment?
Does a business have right to pay literal pennies per hour if it manages to find people willing to work at that pay?
Does a business have right to lace food products with addictive substances for repeat customers and profit?
All these cases are already happening today at some level depending on who you ask. But they don’t tilt to extremes because we have laws in place to maintain balance between business needs and collective good.
This move by Google will tilt that balance forever towards absolute duopoly in mobile computing space. It is time for legislation to avoid that.
Yes they do, unless it limits my right to do whatever I want with software I bought.
And also monopoly.
This is exactly the thing for which Apple gets bashed. Closed garden.
No they don't. They couldn't legally write software to hack into the Pentagon and launch nukes at North Korea. They couldn't legally write software that live streams your camera to them without your actual consent.
No, Google does not have the right. If you're building roads, you don't have a right to build them unsafely. Doesn't matter if they're privatized or not; they're important infrastructure for which we don't have meaningful alternatives.
> I'm far from a Google apologist, but at the end of the day don't they have the right to write software however they want it?
Not after creating de facto duopoly.
It is little surprising a lot of smart people somehow miss this simple logic.
Android is massive and extremely popular and I know several people who have been scammed already. It is important that Google makes this harder for scammers.
Google is not doing this to harm developers but to protect their users.
You already get a pretty scary warning when you try to install an app that was downloaded outside the Play Store. If people still install malware, that's the responsibility that comes with freedom. Your line of reasoning can be applied everywhere in life - people should not be able to do their own bank transfers or use a credit card, I know several people who have been scammed already.
Moreover, there are better ways to protect against malware: 1. educate people; 2. rather than using whitelisting, use blacklisting (similar to XProtect on macOS).
Finally, the argument is not very strong on Google's side, since the Play Store itself has had its history of scams. Which, again is easier to protect against by educating people. No, don't put your banking information in a random app you downloaded from the Play Store (use the app that your bank tells you to). Do not install random keyboards from the Play Store. Etc.
> It is little surprising a lot of smart people somehow miss this simple logic.
Is it that people "somehow miss this simple logic", or is it that they weigh security and freedom differently than you?
This is "think of the children/grandma" logic. There is a difference between maintaining a company store where everything is verified, and forcing everyone to use it.
Google shouldn't be able to hold a vertical monopoly, on what apps can run, what os's are allowed and what hardware can be used on devices that run Android, rest solely on this weak excuse that someone might harm grandma.
Oh, and of course, if grandma gets scammed by an app in the Google store, Google isn't in any way held responsible. Such garbage, two-faced bs.
That argument falls apart when you consider that:
1. The ownership of security can be entrusted with the user. For example, if the user wants to install a 3rd party app store that doesn't use developer registration, they should be able to do so. The consequences of that decision should be on the owner. F-Droid is one such app store. But I trust it over Play Store any day.
2. Careless users can be prevented from making such decisions, and capable users can be prevented from making mistakes, by careful UI designs that provide copious warnings and require deliberate actions. We have plenty of examples for both. An example for a system that prevents mistakes with warnings is the certificate trust override in browsers. They allow you to override rejection of untrustworthy certificates, but not before you read a lengthy warning message and click a couple of buttons. Similarly, an example of a deliberate action is when you want a repo to be deleted on GitHub or GitLab. They force you to type in the repo name as confirmation. Not only does it take multiple keystrokes, it forces you to review what you're actually deleting.
> Google is not doing this to harm developers but to protect their users.
No. Google is doing this to satisfy their insatiable appetite for profit growth by squeezing their current revenue streams. This protects no one, but their shareholders and top executives. I'm a bit ashamed to have to explain this on HN.