Like the other poster said, you can get root on GOS. However it's highly ill advised and severely breaks the security model of devices. 99% of the time nobody, especially the average person, needs root on their phone (imo). Allowing that easily just opens up the average person to getting duped into getting their phone rocked with exploits and possibly persistent malware.
There is no reason that a lack of root access should be viewed as a negative within the context of GrapheneOS. In that case why even mention or choose GOS? Just choose an Android fork with poor security or a Linux phone with zero security instead.
> 99% of the time nobody [...] needs root on their phone
Do you also not have root on your laptops or desktops? I don't get why it's so different. I don't just want to open TikTok and Instagram, I want to use my phone computer as a computer. I assumed HN folks would get it.
I would choose something as locked down as GrapheneOS for its security if I was going to use it to install random apps left and right and give them root or run JavaScript from random sites on a browser I gave root to.
Anyway, not having root seems like a very weird way to harden security. What about compartmentalization?
And what's wrong with my terminal app having root sometimes? How is shadycryptonews.xyz/exploit.js going to leverage it? How would even the Official Authoritarian Police State app leverage it?
I probably don't get it, but it's like people see 2 extremes - run nothing ever in root or run everything in root all the time.
I want to run like 5-6 apps I trust.
Maybe if I wanted to secure a billion dollars worth of Bitcoin, I would be OK with a separate phone without root, but then again I would likely use a hardware wallet. What's the threat model for someone who doesn't blindly give apps root or do anything stupid, really?
I had the first two iPhone models, but then moved to Android. So I've been an Android user for ~15 years. This will probably be the drop that makes me go back and try an iPhone again. If all phone OSes are going to be walled gardens, might as well go for the best one.
Android has always been lagging on usability/performance/polish, but I stuck with it for the openness and because it generally was first to try new things. I remember how people at work laughed at me when I got a Samsung Galaxy Note ("It's so big it looks like you have an iPad in your pocket"), yet a few years later every phone was that size. And now Android is leading with foldables. I love my OnePlus Open, but OnePlus seems to be pulling out from the Western market so further support is looking "iffy", so might as well get an iPhone.
GrapheneOS - does allow you to root/ADB. It's just not official, just like LineageOS. You can even sign your own images and relock the bootloader and have root if you put in the effort.
So I misunderstood about LineageOS - I haven't read anything about it for a while. Everyone on GrapheneOS's forum is really anti-root, they even mention it's not GrapheneOS anymore. From what I saw you can't get any support whatsoever if you have an issue with root or adb, which seems like a core component to any OS to me. Would've been nice if there was a community that gave each other support for rooted LOS or GOS. There could be one, though - I haven't researched it.
I think a problem is that phones, as a concept, are communication first, rather than general computing first.
If you want to partake in social networks, messaging, work communication, banking, etc you're at the mercy of the service's owner and their moat. You can't access Instagram in any other way than their app, and at that point an open OS doesn't help a lot.
I'm sure FOSS can make a feature equivalent Instagram (or Whatsapp, or whatever) but the people aren't in there.
> I think a problem is that phones, as a concept, are communication first, rather than general computing first.
I use all kinds of computers for communication. I'm communicating with you on my desktop. I had a call earlier on my laptop. And a phone IS a computer, so why pretend it's not?
> If you want to partake in social networks, messaging, work communication, banking, etc you're at the mercy of the service's owner and their moat. You can't access Instagram in any other way than their app, and at that point an open OS doesn't help a lot.
I wouldn't use proprietary work tools on a personal device. It's not good hygiene.
I don't care if Instagram requires an app on a non-rooted phone with verified Google attestations because I don't use it and it's not essential.
Banking apps ARE a problem because a lot of banks don't let you use their site without their app at all. That should be solved with regulations - give people a FOSS banking app or, better yet, an API, so they can bank however they want to. Let us create FOSS interfaces for the different banks. Right now we need to revert the regulations that more or less force us to rely on Google or Apple's attestation. Internet banking is important both because there's a trend, even in countries where cash is still widely used, to have places that don't take cash, and because it's a highly regulated system paid for by my taxes - I should be able to participate in a modern way with bullshit restrictions allegedly made to prevent someone's grandpa from getting hacked or phished.
But if I can't access my bank online, I'm not going to bow my head and buy a bank-approved phone with a bank-approved OS and a bank-approved $tech_company account. Who banks that often that they really need to do that, outside of places like Sweden where cash is almost dead?
> If you choose to root, then I believe its not considered to be "GrapheneOS" any longer and assistance will not be provided for issues you face
Getting no support would suck. Obviously it's a FOSS OS, so it would be community support for the most part, but it's still invaluable when you run into issues.
It was a long time ago, so I don't remember. Phosh or Plasma. I tried to like Sxmo, but it was really unintuitive, unlike tiling WMs on Linux.
Fairphones seems OK, although for €549 I'll probably stick to a dumb phone and invest in a better laptop for now. I'm not saying it's too expensive for what it is, though - it's still a tiny computer with all kinds of periphery.
I just wish there was a version with a shitty camera for €50 less or with no Bluetooth for €10 less - you get the idea.
Because my new phone would be my new phone. And a phone is a computer. That should be enough of a reason.
I'm quite surprised people who post here don't get that. I've been lurking for years even though my account is new and even though general hackerishness here has gotten a bit reduced over the years, but it's still HackerNews, not ConsumerNews. No offense implied - I just hoped I'd see more people willing to claim their right to own and modify their OS like a true hacker.
this is awesome! because i get a new phone every week, this will save me so much time.
WAT? how is that even better than the ability to skip the wait time?
you are right, i am not seriously bothered by the wait time, i'd just activate it on a new phone, wait a day and be done with it. i have had to wait two weeks to unlock a xiaomi phone, so this is not that of a big deal. (besides i am not going to be affected anyways because i use a custom rom, but that's besides the point. let's assume i will be affected)
who changes their phone so often that being able to carry over the setting to skip the wait is a win?
i am embarrassed that i fell for this article, believing that there would actually be a genuine improvement to sideloading.
I thought that even after the 24h wait, you will have to go through some annoying dialog to install (or maybe even update) anything not from the play store. So installing from F-droid will become an obnoxious process. Even worse if updates also become obnoxious. F-droid often wants to update several apps at once, so I click "update all". If that becomes multiple dialogs, that sucks.
The first thing I do with any new phone is to enable developer mode. If it is weekend, I will use adb to sideload, if not, I will do it in next weekend as I don't have much time at workdays. In any case the sideloading will be done on the same day as now. Problem solved.
> ADB would be unaffected, and any power users who needed to install an app straight away could always connect their Android device to a computer and use ADB commands to manually install - no delay at all.
So in practice this won't be an issue for anyone tech-savvy who uses their Android device with apps outside of the Play Store, as they can simply install through the ADB mechanism via a separate device. It can even be done using WebUSB.
However, the many, many people worldwide who lack such technical knowledge, and are more susceptible to being scammed via malicious app installs because of it, are still protected by this new process Google are introducing.
How will the transfer occur? I'm assuming via Google account?
So this is vendor lock-in to an online account being sold as a way to "win" against a problem _created_ by said vendor? I would prefer a per-device wait time and I sincerely hope a Google account will not be a hard requirement. I didn't consider this initially.
Google is in the process of stealing the shirts from our backs and selling them back to us. Whoever wrote this article is drinking the kool-aid. This should NOT be presented as a positive thing. Some of us use Android without a Google account and would still like to sideload.
I despise how this incredibly user-hostile move is spun in the title: "Google just gave Android power users a huge sideloading win", as if it was a good thing that Google did for some portion of its users. That's such a blatant, incredibly damaging lie, on all levels, that it's probably called journalism at this point.
AFAIK, all current versions of Android have Google Play Services. It's an essential part of the "official" Android.
If you run GrapheneOS, LineageOS or whatever, then it's not real Android, and the entire problem of your OS restricting you from installing apps does not exist.
If you don't have the framework, you don't have to worry about any of this (you also don't get the benefits, bank apps that require validated OS, tap to pay etc, without the framework).
What is this steaming pile of shit? Android and Google are bending their customers over a table and ramming it into their asses.
If a device doesn't allow the user full control, then it isn't your device.
You are renting it from a duopoly that will bend over backwards to give all your data to the government! Also selling it to other corporations.
It is no excuse that an extremely small amount of ancient people over 85 who have never used technology in their life got scammed by some foreigner who worked them over for a full day or two.
That will happen regardless of whatever immoral restrictions are placed on our devices.
If you aren't smart enough to use the tech, don't use it.
Maybe I'm a conspiracist but it seems there is a recent concerted effort to lock OS platforms down.
Just last week Apple added an age verification system to UK iPhones. No legal req. as far as I can tell
Google is going to keep tweaking this because they have two conflicting goals. They want to cut off alternative app stores where they don't get their 30% cut, and they absolutely do not want to push people to other operating systems like graphene etc. They need it to be very high friction to accomplish the former, but if they make it too high-friction they'll trigger the latter. It's a catch-22, and they're going to dither in an infinite loop.
Guggle et al. are starting to panic, as the whole adversurveillance scam is unraveling, there is NO conceivable end game.
The surviving frogs, having been cooked en masse, are getting ready to spontaneously evolve, AI is destroying vulnerable people's ability to make decisions and the knock on effects as basic infrastructure erodes while costs spiral and actual knowledge is lost, but AI will be cheering them on by telling them walking and chewing gum are separate activities that should be scheduled sequentially after rest periods.
How long before there is a "we've detected your account has been used multiple times to re-setup a phone.. we've re-enabled the Google Nanny Safety mode.. also we've locked your google account just in case.. "
I mean other than hackers, who has needed to factory reset their phone more than once in a year you must be doing something shady... right right?
There's not really a way to bypass Google if they don't want there to be, and that's what they're moving towards. The only long-term solution is to cut Google out entirely.
Motorola with GrapheneOS is an interesting prospect. The space is ready for disruption and the tools to do it are more available than ever. Maybe it will come from the EU. Who knows, but Google overplayed their hand, IMO.
Also, let's be clear about the mobile landscape right now. Many apps aren't written in Java or Swift, but instead are being transpiled from other languages like TypeScript and using UI libraries that aren't locked to the mobile platform itself.
When a new mobile platform enters the space it will require some react-native and capacitor glue code and we are in business.
You still seem to need a Google account to be able to use the hardware you just paid for. I don't have one, don't want one either. I've been using Android without Google for about 15 years now but will hold off on getting a new device until I'm sure I can continue using it without getting a Google account.
I'm using stock Android with a bunch of F-droid apps and no Google account. I've never installed anything from Play and don't feel like I'm missing anything.
On some devices I run custom distributions (mostly LineageOS), others I just root and de-fang by removing all objectionable content including the Google bits. In all cases I put on F-Droid with a few configured repos to get the applications I want. On a few devices I also add some proprietary apps which are more or less mandatory - electronic ID (BankID) being the main one - either by manually installing it or through Aurora Store, an alternative play store front-end which does not require a Google account. No Google, no problem and no real hassle. My current main phone - a Xiaomi Redmi Note 5 Pro - is 8 years old, I already have a replacement in a drawer but have not configured it yet because I first want to make a cover for it. Even though it is 8 years old it works fine, the battery holds for 2 days and all applications I need still run on it. The oldest device in use is 15 years old and also works fine but it can no longer be used as a phone since 3G was switched off where I live.
WTF win? Sounds like I will need a tracking google account because it can "carry over" when I "upgrade my phone"
"Google giving a concession" is no win.
WTF Concession? Why are we asking google for permission to use the devices we bought as they see fit?
Ok, google is doing what is best for them, abusing users. But the manufacturers are really to blame here because the devices are by default locked to what google and them decide. There is no Market Choice here.
Yeah, but then banks need to be pushed to support it. And while we're at it it would be good if people responsible for European eID also stopped recommending Google device attestation.
Graphene's policy is to work on one phone at a time. If other vendors want to support it they'll have to pay for the work to be done to Graphene standards, themselves.
Play store is the largest distributor of spyware and viruses for Android.
Not even a small fraction of a percentage of scams come from installing software normally, but only from Google Play store.
Yeah. I had to remove malware from family phones because they installed the wrong "QR Code Scanner" out of the trillions of copies on the play store, which contained malware that somehow replaced the launcher on a Samsung phone and then showed ads all over the place. The Play store is fucking malware, Google services are malware, and the family member now uses a Pixel 9a with GrapheneOS which makes normie phone usage riskless and clean again. Fuck Google for Gaslighting us all with this Sideload change.
Oh man, my grandpa also had an app replace the launcher on his phone! I forget what exactly it was pushing but needless to say it's been removed.
I really like f-droid in this case because I can be so much more sure about using an app there than from play-store
> Play store is the largest distributor of spyware and viruses for Android.
I think all companies are taking part in somewhat of a double-speak. Meta is lobbying for child safety and so many other things.
I feel like they really can't come up loud and say what exact reasons they are doing this (for locking down Android) and thus have to use this as an excuse.
It's all smokescreens and mirror to a certain degree.
It's a very small concession. The high initial friction still means when someone comes to me with a problem and I tell them the solution is in F-Droid, they have to wait a day. Most give up and pick a different, less trustworthy solution from Google Play.
Incredibly small concession that doesn’t warrant this article’s absolutely insane framing: “Even less of a problem than we thought,” “very, very good news,” “already sounded perfectly manageable.”
The author is so giddy to defend this monopolistic restriction on Google’s part. Hackers can use F-Droid without annoyance, but this really does kill any chance at normies using it. They absolutely will use the worst spyware on Google Play instead, and the author seemingly loves it.
I've given up on getting normies to care. So long as we can use these things on our own terms, it's fine.
Given the Epic settlement means Google is allowing alternate app stores, and also the delay only applies for unregistered developers, I'm not certain it won't actually get easier to get folk set up on F-Droid.
It still remains to be seen what the actual requirements are, and even if F-Droid could become "approved" that doesn't mean they want to. Time will tell.
"only applies for unregistered developers" but remember the whole point is to allow Google to pull your "registered developer" status on a whim. Something they've shown over and over again they cannot be trusted with
Why the hell should we "mother may I" with Google for running apps on our own phones if it isn't sourced from the Play Store?
The "security" rationale is horseshit given just how much malware is readily downloadable on the Play Store. Google never cleans its own house before going after others.
The rationale behind this move makes no sense either - most of the scams happen via some instruction to install Anydesk or some such remote-support software, not some shady apkg downloaded from some third party website.
Seems like a move to get around the Epic Games ruling (and assorted rumbles from countries like India).
Do you have to wait a day, or do you have to set your clock forward a day?
Cell phones know what time it really is.
You can bypass the wait time with adb install at least.
I'm biased, but I don't think less trustworthy is a fair assessment. I think you can suggest that open source software provides a different trust model than closed source and distributed by Play, but to conclude it's less trustworthy is a real stretch.
The vast majority of software on Google Play is absolute spyware-laden slop. There are trustworthy apps, sure, but they are drops in an ocean. F-Droid’s trustworthy-to-ad-ridden-slop ratio is pretty much definitionally lower than Google’s, by virtue of it being actually curated. That everything on it is libre and they are working hard on reproducible builds just makes it all the better.
> have to wait a day
The horrors!
We hereby grant you a conditional right to install software on the device you "own", subject to conditions, and terms, but only under certain circumstances and only so long as it pleases us.
Modern handheld computing is such a shitshow...
Yeah, to me android is another Linux machine. I can change the date and for the device it's tomorrow. At least should be. What then? Will it accept the apk I just installed because it's tomorrow? Or reject because of no lease token from the one-almighty-Google? Or maybe it won't work at all when offline even with offline apk?
If I was a hostile phone OS designer, I would make it use the time reference given by nearby cell networks, GPS, or an RTC in the motherboard rather than the local clock. That’s closer to ‘true’ time if you want to make sure a day has actually passed.
So Google proved that Android is not Linux. Time to switch to actual (GNU/)Linux phones?
Sent from my Librem 5.
"hand held computing" indeed.
Come on, this is a totally reasonable approach that should help a bit with high pressure scam tactics but doesn't really hurt side-loading.
As long as they keep it like this. The existence of the "only allow side-loading for 7 days" option is definitely worrying.
I find it unacceptable, and they will not keep it like this. They will boil the frog slowly, as usual.
None of the comments here seem to discuss or even mention how this situation looks from Google's perspective? I feel like HN readers are not aware of the scale of the problem they face or their motivation behind these changes.
If you look at the rate of growth of the call/text scam industry I think it's entirely possible that android owners are getting scammed out of more money than google themselves makes on the android platform as a whole. It's at least not that far off. Which doesn't even account for the humanitarian issues which they probably feel partially responsible for.
Google’s perspective is that they don’t want people to install NewPipe so that the CEO can buy more yachts.
I would bet the amount of people getting scammed is probably higher than those installing NewPipe.
Why does nobody ever think of the poor megacorporation?
I mean maybe you're even right and they care a little bit about people being scammed. But if you believe that the scamming thing is any more than a pretense for further establishing Google's absolute control over the Android ecosystem, that is just very naive.
Their goal is to make money. Apps installed outside of Google mean less money for them. Ergo, consumer's right to install what they want on their devices must go.
I understand usually the megacorporation is simply being anti-consumer with these kinds of changes, and who knows maybe this is the same. But I think this might be an actual exception. They seem to be actually implementing a lot of high effort scam protection features recently in android so unless they did all of that just as an excuse to make side loading harder then they've fooled me.
https://security.googleblog.com/2026/02/strengthening-androi... https://blog.google/innovation-and-ai/technology/safety-secu...
For more context, the "reason" they're increasing the friction in sideloading is to prevent one extremely specific scam where someone instructs you over the phone to download a malicious android app, which then steals your bank's 2 factor verification code from your notifications and sends it to the scammers. The 24 hour limitation does seem specifically designed to prevent that so I'm inclined to believe them.
Google's perspective is that they want full control on Android.
If they really care about scams, the first result when I search for chatgpt is a fake app with a fake logo. Maybe they should start by tackling the scams on the play store as the play store is the far west.
Their solution to every problem is to take away more control of the smartphones each time from the users who own them. Meanwhile, I have much less problems with scam and security issues and more freedom with software off FDroid. Makes you wonder if the actual problem is perhaps the one coming up with these solutions and their malevolent intentions behind a thin veil of laughable PR. Besides, I don't get people's habit of justifying trillion dollar corporations that can't seem to come up with any non-dystopian solutions.
That may be, but I think you are missing the point of the outrage: this solution is not good.
So let's discuss a good solution instead of this boring repetitive outrage.
Two steps forwards and one step backwards in the never-ending march to dystopia and you celebrate it as a show of your generosity and benevolence! I don't know who you're trying to fool. But I'm certainly interested in finding out, because that person must be both naïve and incredibly powerful if you think that it's worthwhile to pull off a public charade like this.
What's the phone OS landscape now? What can someone who values their agency and wants FOSS choose?
* iOS - walled garden, so no
* Android:
* * with a Google account and Play Services - a bit less of a walled garden, but still no
* * Android without Google:
* * * GrapheneOS - root or adb not supported, so no
* * * LineageOS - (edit: root or adb not supported, so no - just learned) seems like a viable option although it seems like it depends on Google's development of Android and keeping it FOSS. How's the situation with security updates? Which phones would you recommend? I don't count Samsung or whatever crap as they're generally quite user-hostile.
* Linux - IIRC only PMOS supported FDE. Is that still the case? Are there any good Linux phones? I tried PinePhone a few years ago, but it was crappy. The OS also lacked basic features like new windows showing up inside the screen.
* anything else?
> GrapheneOS - root or adb not supported, so no
Like the other poster said, you can get root on GOS. However it's highly ill advised and severely breaks the security model of devices. 99% of the time nobody, especially the average person, needs root on their phone (imo). Allowing that easily just opens up the average person to getting duped into getting their phone rocked with exploits and possibly persistent malware.
There is no reason that a lack of root access should be viewed as a negative within the context of GrapheneOS. In that case why even mention or choose GOS? Just choose an Android fork with poor security or a Linux phone with zero security instead.
> 99% of the time nobody [...] needs root on their phone
Do you also not have root on your laptops or desktops? I don't get why it's so different. I don't just want to open TikTok and Instagram, I want to use my phone computer as a computer. I assumed HN folks would get it.
I would choose something as locked down as GrapheneOS for its security if I was going to use it to install random apps left and right and give them root or run JavaScript from random sites on a browser I gave root to.
Anyway, not having root seems like a very weird way to harden security. What about compartmentalization?
And what's wrong with my terminal app having root sometimes? How is shadycryptonews.xyz/exploit.js going to leverage it? How would even the Official Authoritarian Police State app leverage it?
I probably don't get it, but it's like people see 2 extremes - run nothing ever in root or run everything in root all the time.
I want to run like 5-6 apps I trust.
Maybe if I wanted to secure a billion dollars worth of Bitcoin, I would be OK with a separate phone without root, but then again I would likely use a hardware wallet. What's the threat model for someone who doesn't blindly give apps root or do anything stupid, really?
I had the first two iPhone models, but then moved to Android. So I've been an Android user for ~15 years. This will probably be the drop that makes me go back and try an iPhone again. If all phone OSes are going to be walled gardens, might as well go for the best one.
Android has always been lagging on usability/performance/polish, but I stuck with it for the openness and because it generally was first to try new things. I remember how people at work laughed at me when I got a Samsung Galaxy Note ("It's so big it looks like you have an iPad in your pocket"), yet a few years later every phone was that size. And now Android is leading with foldables. I love my OnePlus Open, but OnePlus seems to be pulling out from the Western market so further support is looking "iffy", so might as well get an iPhone.
GrapheneOS - does allow you to root/ADB. It's just not official, just like LineageOS. You can even sign your own images and relock the bootloader and have root if you put in the effort.
So I misunderstood about LineageOS - I haven't read anything about it for a while. Everyone on GrapheneOS's forum is really anti-root, they even mention it's not GrapheneOS anymore. From what I saw you can't get any support whatsoever if you have an issue with root or adb, which seems like a core component to any OS to me. Would've been nice if there was a community that gave each other support for rooted LOS or GOS. There could be one, though - I haven't researched it.
I think a problem is that phones, as a concept, are communication first, rather than general computing first.
If you want to partake in social networks, messaging, work communication, banking, etc you're at the mercy of the service's owner and their moat. You can't access Instagram in any other way than their app, and at that point an open OS doesn't help a lot.
I'm sure FOSS can make a feature equivalent Instagram (or Whatsapp, or whatever) but the people aren't in there.
> I think a problem is that phones, as a concept, are communication first, rather than general computing first.
I use all kinds of computers for communication. I'm communicating with you on my desktop. I had a call earlier on my laptop. And a phone IS a computer, so why pretend it's not?
> If you want to partake in social networks, messaging, work communication, banking, etc you're at the mercy of the service's owner and their moat. You can't access Instagram in any other way than their app, and at that point an open OS doesn't help a lot.
I wouldn't use proprietary work tools on a personal device. It's not good hygiene.
I don't care if Instagram requires an app on a non-rooted phone with verified Google attestations because I don't use it and it's not essential.
Banking apps ARE a problem because a lot of banks don't let you use their site without their app at all. That should be solved with regulations - give people a FOSS banking app or, better yet, an API, so they can bank however they want to. Let us create FOSS interfaces for the different banks. Right now we need to revert the regulations that more or less force us to rely on Google or Apple's attestation. Internet banking is important both because there's a trend, even in countries where cash is still widely used, to have places that don't take cash, and because it's a highly regulated system paid for by my taxes - I should be able to participate in a modern way with bullshit restrictions allegedly made to prevent someone's grandpa from getting hacked or phished.
But if I can't access my bank online, I'm not going to bow my head and buy a bank-approved phone with a bank-approved OS and a bank-approved $tech_company account. Who banks that often that they really need to do that, outside of places like Sweden where cash is almost dead?
Obligatory mention of Sailfish OS.
Website: https://news.ycombinator.com/item?id=41749296
You can root GrapheneOS, they just don't recommend you doing so.
In their forum they repeatedly say stuff like:
> If you choose to root, then I believe its not considered to be "GrapheneOS" any longer and assistance will not be provided for issues you face
Getting no support would suck. Obviously it's a FOSS OS, so it would be community support for the most part, but it's still invaluable when you run into issues.
fairphone support for pmOS is improving. What DE were you using? It was probably just slow on the pinephone.
librem 5 is also an option. It is sorta expensive and weak but is the most capable.
https://wiki.postmarketos.org/wiki/Devices
right now im on calyxos but development has been paused for like a year
It was a long time ago, so I don't remember. Phosh or Plasma. I tried to like Sxmo, but it was really unintuitive, unlike tiling WMs on Linux.
Fairphones seem OK, although for €549 I'll probably stick to a dumb phone and invest in a better laptop for now. I'm not saying it's too expensive for what it is, though - it's still a tiny computer with all kinds of periphery.
I just wish there was a version with a shitty camera for €50 less or with no Bluetooth for €10 less - you get the idea.
Interestingly, when I went to
https://www.fairphone.com/shop-home
the prices for the headphones were lower for a few seconds and got higher afterwards.
€186.75 -> €249
€74.25 -> €99
while the phone price remained the same. Both are increases of 33.(3)%. Probably a script that determined my location and added a VAT.
Why do you want to root? I didn't really feel the need for the past few years.
Backing up all app data.
An alternative if you are using Graphene would be to build your own image with the changes that you want, with or without root.
Because my new phone would be my new phone. And a phone is a computer. That should be enough of a reason.
I'm quite surprised people who post here don't get that. I've been lurking for years even though my account is new and even though general hackerishness here has gotten a bit reduced over the years, but it's still HackerNews, not ConsumerNews. No offense implied - I just hoped I'd see more people willing to claim their right to own and modify their OS like a true hacker.
When typos are inadvertently funny:
> Google’s been working hard to relive everyone’s fears...
this is awesome! because i get a new phone every week, this will save me so much time.
WAT? how is that even better than the ability to skip the wait time?
you are right, i am not seriously bothered by the wait time, i'd just activate it on a new phone, wait a day and be done with it. i have had to wait two weeks to unlock a xiaomi phone, so this is not that big of a deal. (besides i am not going to be affected anyways because i use a custom rom, but that's beside the point. let's assume i will be affected)
who changes their phone so often that being able to carry over the setting to skip the wait is a win?
i am embarrassed that i fell for this article, believing that there would actually be a genuine improvement to sideloading.
I thought that even after the 24h wait, you will have to go through some annoying dialog to install (or maybe even update) anything not from the play store. So installing from F-droid will become an obnoxious process. Even worse if updates also become obnoxious. F-droid often wants to update several apps at once, so I click "update all". If that becomes multiple dialogs, that sucks.
The first thing I do with any new phone is to enable developer mode. If it is weekend, I will use adb to sideload, if not, I will do it in next weekend as I don't have much time at workdays. In any case the sideloading will be done on the same day as now. Problem solved.
they will make you wait 1 week to enable developer mode
Key point from the article:
> ADB would be unaffected, and any power users who needed to install an app straight away could always connect their Android device to a computer and use ADB commands to manually install - no delay at all.
So in practice this won't be an issue for anyone tech-savvy who uses their Android device with apps outside of the Play Store, as they can simply install through the ADB mechanism via a separate device. It can even be done using WebUSB.
However, the many, many people worldwide who lack such technical knowledge, and are more susceptible to being scammed via malicious app installs because of it, are still protected by this new process Google are introducing.
> Google's latest concession makes the sideloading controversy a big nothingburger.
It's really not. Try to realise that it's not meant to be Google's phone and they shouldn't be "letting" me do things
How will the transfer occur? I'm assuming via Google account?
So this is vendor lock-in to an online account being sold as a way to "win" against a problem _created_ by said vendor? I would prefer a per-device wait time and I sincerely hope a Google account will not be a hard requirement. I didn't consider this initially.
Google is in the process of stealing the shirts from our backs and selling them back to us. Whoever wrote this article is drinking the kool-aid. This should NOT be presented as a positive thing. Some of us use Android without a Google account and would still like to sideload.
I despise how this incredibly user-hostile move is spun in the title: "Google just gave Android power users a huge sideloading win", as if it was a good thing that Google did for some portion of its users. That's such a blatant, incredibly damaging lie, on all levels, that it's probably called journalism at this point.
Google clarifies that this status can carry over to new devices, so you only ever have to go through it once.
Which makes no sense, if the property is in Android itself.
For example, lots of people use phones without any google play framework installed. Without that framework, how does it "carry over"?
This just raises more questions about how this whole process works.
Is it only the play api doing so? If so, then if you de-google, this entire problem goes away?
If not, then how can you 'carry over' to a phone unless you also install the play framework? Seems like that's unhelpful.
AFAIK, all current versions of Android have Google Play Services. It's an essential part of the "official" Android.
If you run GrapheneOS, LineageOS or whatever, then it's not real Android, and the entire problem of your OS restricting you from installing apps does not exist.
If you don't have the framework, you don't have to worry about any of this (you also don't get the benefits, bank apps that require validated OS, tap to pay etc, without the framework).
This change was never relevant for devices without Play Services.
Thanks for stating in one sentence what this slop article danced around for 10 or so paragraphs.
What is this steaming pile of shit? Android and Google are bending their customers over a table and ramming it into their asses.
If a device doesn't allow the user full control, then it isn't your device.
You are renting it from a duopoly that will bend over backwards to give all your data to the government! Also selling it to other corporations.
It is no excuse that an extremely small amount of ancient people over 85 who have never used technology in their life got scammed by some foreigner who worked them over for a full day or two.
That will happen regardless of whatever immoral restrictions are placed on our devices.
If you aren't smart enough to use the tech, don't use it.
Maybe I'm a conspiracist but it seems there is a recent concerted effort to lock OS platforms down. Just last week Apple added an age verification system to UK iPhones. No legal req. as far as I can tell
Google is going to keep tweaking this because they have two conflicting goals. They want to cut off alternative app stores where they don't get their 30% cut, and they absolutely do not want to push people to other operating systems like graphene etc. They need it to be very high friction to accomplish the former, but if they make it too high-friction they'll trigger the latter. It's a catch-22, and they're going to dither in an infinite loop.
Guggle et al. are starting to panic, as the whole adversurveillance scam is unraveling, there is NO conceivable end game. The surviving frogs, having been cooked en masse are getting ready to spontaneously evolve, AI is destroying vulnerable people's ability to make decisions and the knock on effects as basic infrastructure erodes while costs spiral and actual knowledge is lost, but AI will be cheering them on by telling them walking and chewing gum are separate activities that should be scheduled sequentially after rest periods.
Bring back keypad based phones with J2ME, they were way too fun.
There is no win. They are winning 50-0 and they just scored an own-goal; so what?!
Can't agree with you enough.
They're still moving the Overton window on making Android a walled garden. They're playing a longer game.
They didn't score an own goal, they just killed a guy and then put sunglasses on him so that the people around do not notice he's dead and complain
step 1: make situation very bad
step 2: make situation tiiiny amount better
step 3: proclaim this as "a win"
...really?
Big companies have gotten scarily good at manipulating the media and general public to avoid many people getting too angry at the same time.
How long before there is a "we've detected your account has been used multiple times to re-setup a phone.. we've re-enabled the Google Nanny Safety mode.. also we've locked your google account just in case.. " I mean other than hackers, who has needed to factory reset their phone more than once in a year you must be doing something shady... right right?
"Government gives citizens a win by allowing them to breathe air."
[flagged]
Please don't fulminate on HN. The guidelines make it clear we're trying for something better here. https://news.ycombinator.com/newsguidelines.html
[flagged]
can't wait until this is just completely bypassed and we can ignore Google again.
There's not really a way to bypass Google if they don't want there to be, and that's what they're moving towards. The only long-term solution is to cut Google out entirely.
Motorola with GrapheneOS is an interesting prospect. The space is ready for disruption and the tools to do it are more available than ever. Maybe it will come from the EU. Who knows, but Google overplayed their hand, IMO.
Also, let's be clear about the mobile landscape right now. Many apps aren't written in Java or Swift, but instead are being transpiled from other languages like TypeScript and using UI libraries that aren't locked to the mobile platform itself.
When a new mobile platform enters the space it will require some react-native and capacitor glue code and we are in business.
You still seem to need a Google account to be able to use the hardware you just paid for. I don't have one, don't want one either. I've been using Android without Google for about 15 years now but will hold off on getting a new device until I'm sure I can continue using it without getting a Google account.
Do you run a custom ROM? I can't imagine bothering with the hassle of running a vendor OS without signing into Play.
I'm using stock Android with a bunch of F-droid apps and no Google account. I've never installed anything from Play and don't feel like I'm missing anything.
Aurora Store makes it pretty seamless. Used to run my Samsung without any account, no Google nor Samsung and things worked perfectly.
On some devices I run custom distributions (mostly LineageOS), others I just root and de-fang by removing all objectionable content including the Google bits. In all cases I put on F-Droid with a few configured repos to get the applications I want. On a few devices I also add some proprietary apps which are more or less mandatory - electronic ID (BankID) being the main one - either by manually installing it or through Aurora Store, an alternative play store front-end which does not require a Google account. No Google, no problem and no real hassle. My current main phone - a Xiaomi Redmi Note 5 Pro - is 8 years old, I already have a replacement in a drawer but have not configured it yet because I first want to make a cover for it. Even though it is 8 years old it works fine, the battery holds for 2 days and all applications I need still run on it. The oldest device in use is 15 years old and also works fine but it can no longer be used as a phone since 3G was switched off where I live.
Very, very good news everyone! Google has agreed to only gently fuck us in the ass! They were even kind enough to offer to use lube!
WTF win? Sounds like I will need a tracking Google account because it can "carry over" when I "upgrade my phone". "Google giving a concession" is no win.
WTF Concession? Why are we asking google for permission to use the devices we bought as they see fit?
Ok, google is doing what is best for them, abusing users. But the manufacturers are really to blame here because the devices are by default locked to what google and them decide. There is no Market Choice here.
Hopefully other vendors will adopt GrapheneOS like Motorola is prepared to.
Yeah, but then banks need to be pushed to support it. And while we're at it it would be good if people responsible for European eID also stopped recommending Google device attestation.
Graphene's policy is to work on one phone at a time. If other vendors want to support it they'll have to pay for the work to be done to Graphene standards, themselves.