Android Developer Verification: Threat masquerading as protection

15 hours ago (f-droid.org)

It doesn't solve the current issue, but in case we don't manage to push back on this, some people might not know that there are various actual Linux OSes for mobile:

- SailfishOS: still Linux-based and seems fairly community-inclusive, but the UI part of the stack is closed source. It is the only one officially allowed to run Android apps, via emulation. It has existed for a very long time; it's lightweight, and I think it is the most stable/bug-free in this list.

- Ubuntu Touch: fully open source and community driven; it uses snap packages for security, and you might be able to run Android apps. Last time I ran it, it also seemed fairly stable/bug-free.

- PureOS: fully open source and privacy focused. I think it's the only one that, released with the Librem 5, can avoid using proprietary blobs for interfacing with the hardware. Seems less stable than SailfishOS and Ubuntu Touch. You would need to buy a fairly expensive but old phone (Librem 5) to run it.

- PostmarketOS: fully open source, focused on being lightweight and reviving old phones, has a huge number of phones it has been tested on, and is based on Alpine.

- Mobian: mobile version of Debian, it's fairly new on this list.

There are many more Linux mobile OSes, but as far as I know these are the main ones. There might also be some inaccuracies in this post; I tested some of these a long time ago, and I never actually ran the last 2.

  • I'm using a Librem 5 as my daily phone. PureOS is actively developed and based on Debian. Monthly development updates are published here: https://puri.sm/posts/tag/advanced-readers/

    Personally, I do not use Android apps on the Librem 5, but Waydroid is available in the PureOS repository. Waydroid is a container-based approach to boot a full Android system on regular GNU/Linux systems running Wayland based desktop environments (like PureOS).

    PureOS also provides convergence via Phosh. Convergence means here that the same app can be used on a phone and on a big screen, the GUI adjusts to the available screen size.

    Phosh aims to provide a daily-usable, robust and easy to use graphical user environment for mobile devices running mainline Linux. Phosh was originally initiated by developers from Purism for the Librem 5 phone but is nowadays used on many different devices covering smartphones, tablets and convertibles. It has even been seen on laptops.

  • Usability-wise, they are no match for Android and iOS—or even versions of them from five years ago.

    UI/UX is costly, and most FOSS projects cannot get it right without massive investments from enterprises (e.g., Red Hat's UX designers heavily contributed to GNOME) or startups (e.g., Zed, Element, Bluesky).

    Projects without that backing are mostly unusable, at least from a Gen Z perspective.

    • I agree that the usability is behind, as we would expect. For me it is mainly about missing apps and some hardware support. But in terms of UX, for example, I liked using SailfishOS, although I'll admit the UI needs some getting used to.

      But I prefer this to the feeling that I'm being limited in what I can do on Android/Apple, and the worry of being in a duopoly that allows the companies to worsen their products without ever fearing competition (as long as they do it in small chunks).

  • And all are useless because you can't use your mandatory bank or gov id app.

    • Not useless. It is like the missing printer driver for Linux Desktop. It makes the experience ugly, but this is not the fault of the Linux OSes.

      Also, the bank should not require apps (instead they can offer hardware key support or desktop apps), and in fact some - at least in Germany - offer a different authentication possibility. Also, the app for the German ID is published on F-Droid and does not rely on Google services.

      7 replies →

    • We're moving to a world where it makes sense to have one cheap locked down phone with the society mandated garbage apps on it, and another device that you use for real computing.

      6 replies →

    • In my country, partially due to sanctions, you can access the bank via browser and receive 2FA codes on a $15 dumb phone. Also, why do you need a bank app on your phone? Do you like to give money to random strangers on the street? Only scammers need money urgently. Also, it is not secure to use the phone as a single factor to access the bank.

      I do not have any bank apps on my phone (it is not even connected to the Internet) and I have no problem.

      13 replies →

    • Online banking is a thing. A heck of a lot more secure than an app on a certified android device passing play integrity but having last received security updates years ago and with a ton of privilege escalation exploits. Gov id? Just say no.

    • This bogus "justification" for not considering any alternative, non-corporate mobile OS on any phone makes no sense

      HN commenters will not let it go

      Most HN readers have multiple computers, including multiple phones

      There is no requirement that one has to run a closed-source banking or government ID app on the same phone as open-source apps, e.g., apps from F-Droid

      And it ignores countless people who do not and will never use banking or government ID apps

      I tested a banking app for depositing a paper cheque and it was incredibly convenient. I can understand the appeal

      At the same time, the app tried to make a plain, unencrypted HTTP connection to www.google.com

      I blocked these connection attempts and the app still worked, with plenty of phoney error warnings

      Every user is different but it makes no sense to argue on HN of all places that these closed-source banking apps are essential for everyone. Many HN users are never going to use these apps, and rightfully so

    • Might be worth trying to get your gov to pin down the number of users or process to get gov id supported on any new platform.

      They likely won't specify 100k people or 10% of the population or whatever in an email/petition, but it at least records the requirement that other OSes exist and requires a process to support them.

    • I mean the gov ID app really doesn't matter (for now); you can just use your ID card, which is credit-card sized. (For now, as things might change wrt. age verification.)

      But banking apps are a problem.

      It's not even about the main online banking (you can use a web portal) or storing an EC card digitally in your phone (convenient but really unneeded).

      The problem is dumb, misguided 2FA apps. E.g. credit card 2FA, which already mostly requires Android/iOS to work, or even online banking login 2FA, transaction 2FA etc. with the same requirement.

      Currently for the latter I can still use other methods, but for a huge number of banks where I live you can't use a credit card (reliably) without Android or iOS as the "carrier" for a 2FA app.

    • I switched banks and made sure it doesn't require Android/iOS. Many banks offer FIDO2 + SMS; even Bank of America does.

    • I don't use bank or gov id apps, why are these mandatory? Country-specific?

  • I really wish SailfishOS supported more hardware. I love Sony phones, but the Sony phone I love the most isn't supported despite being nearly identical to a supported one.

  • There's also FuriOS with the FuriPhone.

    That's Debian-based with GNOME and seems to be built by capable people. Also, it can run Android apps.

  • Which phones are supported by which of these operating systems? And can you provide some relevant links?

Google won't ever take a break until we all pay for YouTube Premium. I think this trojan horse is mostly because of apps like NewPipe, Vanced, SmartTube and ad blockers in general.

Android users need to switch to Graphene.

Someone needs to create a Linux based mobile OS foundation - Google's domination is contrary to many large companies interests, and if Meta and many other such companies were approached, they may well donate large sums of money in their own strategic interests.

  • GrapheneOS is currently the blessed child, like CyanogenMod previously. They are "permitted" to access Google Play Services because their work hardening Android currently benefits Google.

    Once Google feels like there is sufficient stability and compatibility with the hardened memory allocator and tagged memory (and when they can get Qualcomm to support it across their range), they will make it harder, until impossible, for Graphene.

    An old article [1] but:

    > Google’s Android—and [Open Handset Alliance] members are contractually prohibited from building non-Google approved devices

    So to compete you'd have to create a compatible Google Play Services as well as find a supporting manufacturer. Samsung managed their own competing apps and store [2] for a while along with Tizen, likely for leverage or theoretical pivot. But has since dropped that effort.

    [1] https://arstechnica.com/gadgets/2018/07/googles-iron-grip-on...

    [2] https://arstechnica.com/tech-policy/2021/07/google-bought-of...

    • Your claims about this don't make sense. Google does not provide compatibility with GrapheneOS for Google Play services. They do not provide support for using it or fix the issues introduced in new releases.

      GrapheneOS doesn't license Google Mobile Services (GMS), doesn't include it in the OS and doesn't have Google certification. It isn't permitted by the Google Play Integrity API device and strong integrity levels because it doesn't have a GMS license. Google doesn't offer any way for GrapheneOS to license it.

      We're legally allowed to provide compatibility with Google Play via our sandboxed Google Play compatibility layer. Similar to APK mirror sites, we're also allowed to mirror the freely available APKs.

      We've put enormous time into developing the sandboxed Google Play compatibility layer, and there's ongoing work to continue resolving edge cases we haven't covered. If Google wanted Google Play to be used outside of stock operating systems licensing it, they could make it work as a set of regular sandboxed apps without us needing a compatibility layer. Our baseline compatibility layer isn't doing anything they couldn't do themselves by making the apps handle being portable to operating systems that don't deeply integrate it into the OS with highly privileged access.

    • >> Google’s Android—and [Open Handset Alliance] members are contractually prohibited from building non-Google approved devices

      >So to compete you'd have to create a compatible Google Play Services as well as find a supporting manufacturer. Samsung managed their own competing apps and store [2] for a while along with Tizen, likely for leverage or theoretical pivot. But has since dropped that effort.

      What's wrong with the upcoming partnership with Motorola, where they work with GrapheneOS to get it supported, but it's not preloaded?

      1 reply →

    • > They are "permitted" to access to Google Play Services because their work hardening Android currently benefits Google.

      Very little in GrapheneOS has gone back upstream post-Copperhead.

      > Once Google feels like there is sufficient stability and compatibility with hardened memory allocator and tagged memory (and when they can get Qualcomm to support it across their range), they will make harder, until impossible, for Graphene.

      What are you talking about? Google doesn't use hardened_malloc, and they literally invented MTE.

      1 reply →

  • > Android users need to switch to Graphene.

    Doesn't GrapheneOS support only Google Pixel smartphones now? For most users, that would mean changing their phones beforehand. And if we're talking about common people (especially outside the US), not everyone can afford that. Moreover, in my opinion, by buying Google phones you're feeding Google, and I, personally, would like to avoid that.

    • The vast majority of smartphones don't allow installing another OS. Multiple Android OEMs have been restricting or fully phasing out supporting it. Among devices which do permit it, none have provided the hardware-based security features or driver/firmware update support needed by GrapheneOS beyond Pixels. Our hardware requirements are listed here:

      https://grapheneos.org/faq#future-devices

      GrapheneOS has an official OEM partnership with Motorola Mobility and a subset of their next generation devices will be provided official support for GrapheneOS. They'll be providing us with a more minimal form of hardware support code close to the standard Qualcomm and other vendor code, so it will be cleaner than Pixels. Our partnership with Motorola is non-exclusive so we're free to support other devices with the help of other OEMs interested in meeting our requirements, but no other OEM is working with us yet.

      We can't use devices with an end-of-life Linux kernel, no firmware updates, no driver/HAL updates and no support for important hardware-based security features we use. Several devices go a lot of the way towards providing what we need, and several next generation Motorola devices will provide it. Other OEMs can do the same.

      2 replies →

    • > Doesn't GrapheneOS support only Google Pixel smartphones now?

      For good reasons. Most other devices aren't secure enough to guarantee privacy, especially not if loaded with a custom operating system (most devices don't allow verifying the boot chain with a custom OS).

      > And if we're talking about common people (especially outside the US), not everyone can afford that.

      You can get a new Pixel 9a here in Europe for around 350€, and it will be supported at least until April 2032.

      > Moreover, in my opinion, by buying Google phones you're feeding Google, and I, personally, would like to avoid that.

      Google phones are surprisingly open and work well. Google takes a pro-user stance here that is extremely rare in the ecosystem, so why not support this product?

      13 replies →

  • I tried. But then I didn't get access to essential services like banking and national resources.

    • Correction: I did get bank access. I just couldn't log into the bank without a Google- or Apple-controlled device.

    • lol, this problem stopped me from installing GrapheneOS early. But now... I removed the banking apps myself because my state requires them to collect the phone fingerprint and access to location EACH time they are opened. So... looks like now nothing stops me.

  • I keep hoping for something more radical like Jolla and SailfishOS taking off or postmarketOS becoming a truly viable alternative, but as things are looking now there's a better chance we'll ditch phones altogether in 10 years when smart glasses replace them instead.

    • > we'll ditch phones altogether in 10 years when smart glasses will replace them instead.

      Billions are being spent right now to make sure the glasses also run Android or iOS. So far, Google, Samsung, Magic Leap, RealWear and Vuzix are working with/on Android XR, and obviously Apple is working on AR/VR iOS.

      Meta and a couple of smaller startups are doing something in-house, but I don't give them much chance of getting an ecosystem going.

    • Honestly don't think that would be so terrible, with how bad and locked down the mobile ecosystem has gotten.

      Rolling the dice on a new technology could wind up being much more favorable.

      1 reply →

  • I know Graphene has innovative security measures, do you happen to know whether that includes anything wrt. phishing or social engineering?

    (For those who haven't been following along: this whole affair started with phishing. People were social-engineered into installing an app and a little later their bank accounts were empty. A big issue in various poor countries.)

    • That's one of its primary arguments: besides the hardening against exploits, it's considered such a safe OS because you cannot access your data either or give the wrong app root access. Everything lives in a sandbox. Whether not being able to grant full access to e.g. adb shell, Termux, or Restic is what you want is a personal choice, but it adds a layer of security against any malware that tries to get you to grant it root access.

      This is also the argument they use to try to convince app vendors to add their keys to the allowlist, because the app makers can trust that their DRM will be active (if Netflix sets a "no screen recording" flag, you the user cannot circumvent it by e.g. reading /dev/fb0). It should have broader compatibility than other FOSS Android builds (when running the officially signed version of course, you can't compile it yourself and expect such apps to run there)

      8 replies →

    • It is not an OS with bubblewrap, you can still mess up your privacy / security if you want to, that includes phishing and social engineering.

      2 replies →

    • > do you happen to know whether that includes anything wrt. phishing or social engineering?

      Yes. For example if you install an apk from an unknown source (like a random website via browser or messenger) it will warn you what you are about to do and what effects that has.

      You don't need to block stupid behavior. Just make sure users are well aware of their actions as long as they actually read warnings.

    • my brother in Christ, people who root their phones don't fall for "Hello sir, I'm sir John from Microsoft, you have virus sir, please do the needful install antivirus and send gift card sir."

      4 replies →

  • The only reason I have not switched Graphene is because for reasons I do not understand, Graphene OS is very closely tied with Google hardware.

    I bought a /e/os Fairphone instead.

    • Pixels are consistently "third party Android builds friendly", plus GrapheneOS has a list of required security features (beyond their control): https://grapheneos.org/faq#future-devices

      e.g. first one in the list:

      > Support for using alternate operating systems including full hardware security functionality

      GrapheneOS wants users to lock the bootloader (≈enable Secure Boot) after install by providing user signing keys (avb_custom_key) -- that already seems to leave only Pixel, Nothing and Fairphone.

      https://github.com/chenxiaolong/avbroot/issues/299

      2 replies →

    • I bought a second hand pixel when I had to buy a new phone. Still better for the planet than buying a new fairphone anyway.

    • Sigh, /e/OS.

      Your phone is running proprietary Google DroidGuard blobs in a privileged process every time an app initiates a Play Integrity request.

      If you install some Google apps like Google Maps, they are run with more privileges than other apps (their microG fork gives apps elevated privileges when they match certain Google signing key fingerprints).

      Also, your device is running a firmware bundle provided by Fairphone's Chinese ODM, including TCL image processing blobs. Your phone will soon run an ancient kernel and firmware tree with many known critical CVEs.

      But this all doesn't matter anyway, because security hardening is only for spies and pedophiles according to the CEO of Murena (the company that makes /e/OS).

  • > Android users need to switch to Graphene.

    Which supports only Pixel devices.

    • The reason is that only Google bothers to put in enough hardware security features to build software on top that allows making a really secure device that blocks tampering.

      2 replies →

  • I get it, but it really sucks that Graphene only works on Pixel hardware. I switched to Samsung with my last phone.

    • Korean manufacturers are even worse when it comes to privacy violations.

      I use a Samsung too. The bloat, dark patterns and enshittification with every update are even worse.

  • I wonder if it makes sense to create an independent hard-fork of AOSP in the future. But probably the only option to keep this somehow maintainable is to replace many Android-specific components with other userspace Linux components that are already well maintained (systemd, NetworkManager, Wayland).

I use Android because it lets me install whatever I want on my phone, which does not seem to me controversial. The phone is either mine or it is not. I don't want Google's protection, particularly if I can't refuse it.

  • That's a nice digital content you have there. It would be a shame if something happened to it...

  • Well… you can run android without google? The problem is that essential security services require apple or google devices and you as a member of society need the security services.

    • > Well… you can run android without google?

      You can only run LineageOS on smartphones that allow unlocking the bootloader (which is more and more rare), and properly release the kernel source-code (many still don't, especially low-end MTK-based phones...)

    • Yet on LineageOS you're not affected. It seems you can build Android that isn't affected by Google, at least if you're willing to personally adjust the code to do what you want. You'd have to get exceptionally busy before it's not recognisable as an Android distribution anymore

      1 reply →

I understand the frustration (I'm an avid F-Droid user across many, many devices). But this article comes off as childish with the virus/trojan/"malware vendor" language.

With such an article, many (including perhaps Google) get the ammo to disregard what F-Droid says, by branding them as childish/not to be taken seriously. E.g., no reputable news org is going to post this.

PS: https://keepandroidopen.org/ is better done.

  • I thought the same thing but he apparently has a point. The stated purpose covers only a tiny sliver of the capabilities. The agreement points to the TOS where it (last time I looked) says service may be terminated at any time without stating a reason. Nothing guarantees it won't be used for things other than security. And finally he has a point where it also doesn't really do much for security.

    If we ask their fine search engine, the AI helpfully explains malware to be software designed to gain unauthorized access to disrupt, extort payments and/or hijack devices.

    If you still think the shoe doesn't fit, imagine what would happen if one managed to create an app with the same capabilities. Google would remove it immediately for being malware. Obvious malware.

    • I'd usually say it'd be far fetched

      but I can totally see Google banning developers and removing their apps for political reasons, where some lobbying group bombs them with emails

      because with this they're explicitly saying they're now choosing who gets to be in or out, there's no way for them to say we can't do anything about it

      I do think this would improve security, but I also think it's sort of a Trojan horse to lock down the ecosystem

      2 replies →

    • Nothing guarantees that Microsoft/Apple/Ubuntu/Red Hat will not push an update through their infrastructure to delete some software from your computer.

      All OSes have malware-level capabilities. It's literally the definition of an OS.

      1 reply →

  • I think the point they are trying to make is that in the terms of service Google says they get to define what is malware (halfway through article) so the author is trying to point out that exact danger: what happens when Google gets to randomly call things malware.

  • The article provides enough evidence for that label. Unlike Google, who can arbitrarily call anything "malware". This is the contrast the article attempts to point out.

  • I have the opposite opinion. Google is doing a lot of garbage in the name of "security"; time to play their game and report their control of Android as a security vulnerability.

> In computing, a trojan horse or trojan is a kind of malware that misleads users as to its true intent by disguising itself as a normal program. [1]

Google is Trojans all the way down. What is the true intent of almost every Google product? Data harvesting.

Every single product is spyware of some kind. They've even managed to trojanize TVs by subsidising manufacturers to ship their spyware.

[1] https://en.wikipedia.org/wiki/Trojan_horse_(computing)

While attribution is a strong weapon in fighting malicious software, preserving the ability to install and run anonymous software is essential to fight authoritarian regimes and corrupt systems. If we accept that only signed, permitted software can be installed and run on users' phones, democracy and our freedom are doomed. Regardless of whether it is in the West or the East, or it's against an AI overlord.

We can't make arbitrary changes to much of the hardware and software we rely on. We can't inspect their designs, we can't reproduce them, sometimes we can't repair them. Sometimes we can't even tell that they're designed to act against our interests, and, if we do, sometimes we can't do anything about it. We are forced to choose between price and privacy, between interoperability with proprietary (or official) systems and liberty.

Android making another step in this direction is bad. But, let's not kid ourselves: we are neck deep in this cyberpunk serfdom, and have been for decades. If we were to get this Android win, it would be only a small win. I'm saying this not to be defeatist, but to remind us of the bigger fight.

How does this feudal goliath meet its end? When is enough enough?

Emotional talk aside, there are not many good solutions to this problem, unless of course F-Droid starts to make their own phones.

But then, the Librem 5 phone just failed a few years ago, telling the story that people who care about their rights are still sensitive to how much they would pay (which is a form of right too).

But also, there is the thing: making a phone is not easy. If you reach deep enough, you'll eventually reach the layer where you realize how solid the monopolization has become. The global telecom standards, if you read them, are in the hands of a few companies, Broadcom, Motorola, Huawei, Nokia and such. They'll control whether or not your phone can access the network. Then there are the telecom companies who run the network, and they might have to approve your device/modem as well, since they got their channel allocation from the government.

It's not easy, and it's not just the software problem.

Oh and yes, we also have the software problem. Linux, if you want to go that route, cannot be used as a mobile OS, at least not for the public, because average people don't know how to properly secure their system, and Linux is not a restrictive-by-default system. It will be a malware nightmare if you ship Linux on a phone as is.

The best hope for now, I think, is for geek vendors to make more mobile/4G/5G-enabled Fairphone- or uConsole-like products for the enthusiast market, and then you can load whatever OS you want on it.

  • The Librem phones do exist and people use them.

    Did it take the world by storm? No.

    But it exists, has users & is building the case (together with Sailfish OS and others) that having an abusive mobile OS duopoly is not the desirable state of matters.

  • I was surprised to hear Librem failed, but a quick search shows this is not true. Quite alive and hopefully well.

  • There is a good solution. A big disclaimer and the user accepting the risk of running the software they want. The same solution they've been doing for years that did not need change. The new developer program is only here because it is more convenient to Google and governments.

    • We've known for literally decades that that doesn't actually work, for several reasons:

      1. People are conditioned to ignore warnings. There are way too many benign warnings in the world; you can't read them all.

      2. Even when people wouldn't ignore them, in cases where they are being tricked by scammers it's easy for the scammer to talk people into accepting them.

      3. Those sorts of warnings aren't actionable. You're installing a new app. It appears legit. You want to use it. You get a warning like "this app hasn't been verified; it might be malware!". What can you do with the information? Absolutely nothing. 99.9999% of users have zero way of doing any deeper check to see whether it actually is malware. Their only options are to give up and go home, or just hope that the warning is wrong. Even I - a highly technical user - get zero value from things like Windows' SmartScreen. "The app you're running hasn't been signed! It might be malware!". Err, yeah, sure. I'm not going to reverse engineer it to check, am I?

      I think their solution of allowing you to disable the restriction with a one-time one-day delay is actually a really reasonable solution. As long as they don't go further than that - the risk is that it is just a temporary placation and they'll ditch that option in a few years.

      4 replies →

  • > because average people don't know how to properly secure their system, and Linux is not a restrictive-by-default system. It will be a malware nightmare if you ship Linux on a phone as is.

    Linux is a kernel. A Linux-based distribution decides what the defaults would be. Why, in your opinion, would a Linux distro targeting phone-ish ARM64 hardware be problematic? Why would it be a "malware nightmare"?

We finally live in an age when I can tell a clanker that I want an app that does something that I need, connect the phone with adb and in half an hour have a working solution for my tiny problem while knowing little about android development. This is something google should embrace, not kneecap.

  • Then tell the courts to stop fining them and start fining all the closed platforms.

    There is a clear legal asymmetry where allowing competitors on your platform makes you liable if they complain, but blocking out everyone except for yourself is a totally ok and legally rosy way to do business.

I'm still a little bit confused why the EU does not take action on this. This is definitely a monopolist overreach which has to be shut down from the beginning.

  • But they did. EU formally allows all these measures by Google in the name of "security" as described in Digital Markets Act Art. 6 (4) fourth paragraph.

    https://www.eu-digital-markets-act.com/Digital_Markets_Act_A...

    • They're allowed to do it "to the extent that they are strictly necessary and proportionate ... provided that such measures are duly justified".

      It remains to be seen whether the EU decides that this measure is strictly necessary, proportionate and duly justified. They sometimes do the right thing but I'm not getting my hopes up.

      1 reply →

  • Indeed. I wonder if it falls foul of labour law. Blacklisting is illegal and whitelisting (certification) is normally done with multiple competing third party certifiers.

  • They'd have had to start with Apple, which is more locked down and has comparable market power. Apple fans (iirc like 30% of the voter population) already scream bloody murder when compatibility increases due to legislation and Apple pushes some marketing about how terrible this is.

    We've accepted that OS vendors can do this for decades. I think that was our mistake: relying on Google as the only available vendor. We can't make a law that punishes Google for having been open all these years. Yes, of course I (like any 'HN' hacker, I'd think) would be in favor of forcing Apple to be open as well, but then it seems that the powers that currently run the EU (and a lot of voters) kind of like their remote DRM attestation for this digital identification project that you'll soon need for anything not suitable for toddlers and not reachable via a darkweb.

  • this is something the EU would love, it's part of the whole Transparency thing where you dox yourself to everyone

    HNers (especially Americans) are super naive and think the EU is some bastion of freedom. no. it just wants to be a huge nanny state but in a wholesome way, where you can do whatever you want as long as it's approved

I just launched an app in the Google Play Store. I did find it a bit weird that I had to provide my physical home address to get my app listed. Not sure what I would do if someone turned up to complain. Make them a cup of tea?

  • Well, they can swat you, order pizza, send you packages (who knows with what inside), spread false info about you if you've given out more info, etc.

    All it takes is one guy who gets too mad for some reason.

    And it's gonna be a lot more costly for you to do anything about it vs. that guy who gets to be completely anonymous about it.

    • Not sure how well swatting works in the UK, and pizza deliveries are all pre-paid.

      But yeah, you could have a loony turn up.

    • How? I don't see the address published.

      They can sue you and Google will give your address to the court, clearly. But swat? Send packages? How?

      5 replies →

  • It's because of a law in California. Don't remember the reason behind it, but Google decided to apply it everywhere. It's also why I let my app die years ago instead of publishing the updated version.

  • You should not distribute apps via the Google Play Store. Use alternative means, including F-Droid where relevant. And it was a mistake for you to register, because you're helping Alphabet exert more pressure and control on others.

This would be the line for me. If at some point I'm unable to build an .apk and install it on my phone without Google letting me, I'm moving to Huawei.

I wanted to use an alternative mobile OS, but they only support expensive devices like Pixels or outdated models. So I am planning to port some open Android variant. Obviously, all Google Services will be removed and most proprietary apps too. I also want to be able to manually edit permissions and remove Internet access from most of the apps, even open source. It is inconvenient that Android actually has "Internet" permission but doesn't allow the user to revoke it.

I do not need Google Play (a collection of spyware, covertly collecting Wifi points and cell towers location in my country and sending them abroad), I do not need bank apps (I have a laptop for that) so I guess I will be fine. Obviously there will be no developer verification on my device as well, and I mostly use apps from F-Droid anyway.

Good thing about F-Droid is that they build apps themselves and you can always get the sources, unlike Google Play and the Apple Store, which provide no sources, and unlike PyPI/NPM, which allow sources to not match the binary distribution.

  • You do need Google Play, or a suitable replacement, because most android apps won't work without it.

    • F-Droid apps do not need Google Play Services. OSMand (offline maps) and other apps work without it. Telegram probably should work too, but I did not test.

      AI also says that it is possible to have push notifications without Google.

I've just stopped using smart phones. If they aren't going to give me more freedom than a dumb phone, I have no reason not to use one

  • It's nice that you have that luxury, but that makes you an anecdote in a world where folks need a smartphone just to access banking or government services.

> looming requirement that all Android developers register themselves centrally

Does this somehow also apply to developers in China? Are Chinese OSs (Vivo/Honor/Oppo/etc.) entirely forked off of Google's Android?

Is the solution to just get a Chinese phone without the Play Store?

Does this mean that apks that i've built and installed through adb will stop working? That would be a real damn shame.

Would this also be a strategy to get all Android users to have a Google account? Once you are locked in to using Google's Play Store they can then require login to even install apps. I don't have a Google account. I never will. If I am required to get one to use my phone (Fairphone 4, eOS) then I will cease using the phone. There is nothing in my life that requires me to have an Android phone.

  • Banking has slowly been transitioning in this direction as they close brick and mortar places. I'd have to drive 20 minutes to cash a check (which is still sadly common in the US in certain industries).

Btw. This whole debacle made me stop installing any Android updates. I've done my best to avoid installing even the security updates, so my diabetes apps continue working in the future.

I really need to take the time and go with Graphene OS in this device. My bank N26 kind of still allows it, but they made it harder and harder to use with certain custom checks. Looks like in the future I need a separate banking phone and my daily driver.

The device works right now how I want it. I don't want anything to change.

  • Google Play Services is independent of Android releases and will update itself automatically, though I believe you can disable this by uninstalling a specific system app with adb.

  • I have an old $70 test device with stock Android/Google that hasn't seen security updates in half a decade yet all banking apps, electric car charging, Google services, you name it, work absolutely fine.

    Meanwhile the daily driver phones of my privacy-aware family members running up-to-date Lineage or Graphene OS with recent kernels and frequent updates constantly run into apps refusing to work for "security" reasons. It's a complete joke.

    • To pass MEETS_STRONG_INTEGRITY a device needs to have a security patch within the last year. Most apps don't check for strong integrity, though.
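What the reply above amounts to, from the app backend's side, is a policy choice: which Play Integrity tier to gate on. The following is an added example and not code from the article or from any commenter. It assumes the verdict token has already been decrypted and signature-checked (the JWE/JWS step is out of scope here), it uses the field names of the public Play Integrity API response, and the sample verdict, nonce, package name and timestamp are constructed. It accepts MEETS_DEVICE_INTEGRITY and makes MEETS_STRONG_INTEGRITY opt-in, so a device that is otherwise healthy but has no recent security patch is not locked out by default.

```python
"""Server-side policy for a decoded Play Integrity verdict.

Added example, not code from the article or the commenters. Assumes the
token has already been decrypted and signature-verified; field names follow
the public Play Integrity API response. The sample verdict is constructed.
"""
import time
from typing import Dict, Optional, Tuple

DEVICE_TIERS_ACCEPTED = {"MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"}
MAX_TOKEN_AGE_MS = 10 * 60 * 1000  # reject verdicts older than ten minutes

# Constructed sample: a device that passes BASIC and DEVICE but not STRONG
SAMPLE_NOW_MS = 1_700_000_000_000
SAMPLE_VERDICT: Dict = {
    "requestDetails": {
        "requestPackageName": "org.example.bank",   # assumed package name
        "nonce": "c2FtcGxlLW5vbmNl",                 # constructed nonce
        "timestampMillis": str(SAMPLE_NOW_MS - 5_000),
    },
    "appIntegrity": {
        "appRecognitionVerdict": "PLAY_RECOGNIZED",
        "packageName": "org.example.bank",
        "versionCode": "42",
    },
    "deviceIntegrity": {
        "deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"],
    },
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}


def evaluate_verdict(verdict: Dict, expected_nonce: str, expected_package: str,
                     require_strong: bool = False, require_play_app: bool = False,
                     now_ms: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Binding and replay checks come first, then
    the policy decision about which device tier is good enough."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    req = verdict.get("requestDetails", {})
    # The nonce ties the verdict to this server-issued challenge; without it a
    # genuine token from any device could be replayed against this backend.
    if req.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    if req.get("requestPackageName") != expected_package:
        return False, "token issued for another package"
    issued = int(req.get("timestampMillis", "0"))
    if issued > now_ms or now_ms - issued > MAX_TOKEN_AGE_MS:
        return False, "stale or future-dated token"

    app = verdict.get("appIntegrity", {}).get("appRecognitionVerdict")
    # PLAY_RECOGNIZED fails for any build not installed from Play, including an
    # F-Droid build of the same source, so only enforce it deliberately.
    if require_play_app and app != "PLAY_RECOGNIZED":
        return False, f"app verdict {app}"

    tiers = set(verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if not tiers & DEVICE_TIERS_ACCEPTED:  # an empty list means every tier failed
        return False, "device integrity not met"
    if require_strong and "MEETS_STRONG_INTEGRITY" not in tiers:
        return False, "strong integrity required but not met"
    return True, "ok"


if __name__ == "__main__":
    print(evaluate_verdict(SAMPLE_VERDICT, "c2FtcGxlLW5vbmNl", "org.example.bank",
                           now_ms=SAMPLE_NOW_MS))
    print(evaluate_verdict(SAMPLE_VERDICT, "c2FtcGxlLW5vbmNl", "org.example.bank",
                           require_strong=True, now_ms=SAMPLE_NOW_MS))
```

The two printed results show the same device accepted under the default policy and rejected only when `require_strong=True` is set; which of those a banking app chooses is exactly the decision the thread is complaining about.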

The Android developer verification program, together with the recent reCAPTCHA push [1] and the forced Manifest v2 deprecation in Chrome [2], makes one thing crystal clear. When companies like GOOGLE talk about things in the name of "your security", it's a sign that they want you to sacrifice your own things, e.g., privacy, freedom, etc., for their own security. And if you trust them and show your consent by doing nothing, you pay the price.

[1] https://news.ycombinator.com/item?id=48555244

  • Google has been attempting to license the right to write.

    There are a lot of poor people, mostly brown people, who do not have the ability to get one of these licenses.

    Some of them are feeding themselves with their ability to write, and Google is literally stealing that food from their mouths.

    • I think this argument isn't likely to go far, considering its use of a type of condemned speech (DEI). Part of the purpose of having ID verification for developers is to ensure that Google can provide information to the authorities so that developers can be held accountable for promoting such anti-government and terroristic ideology.

    • Can I ask what you mean when you say "write"? Are you talking about literature / articles, or software?

      This is new to me, want to stay on top of it.

      1 reply →

    • Careful about demanding that dystopia not discriminate against anyone. Because you just might get it, and it'll still be a dystopia.

  • Article got developer verification completely wrong. The point of developer verification is to be able to install apps outside the app store without warning, which brings Google Android builds in compliance with the antitrust ruling. Third party Android builds can choose other trust roots or disable ADV completely and require warnings for everything because they are not subject to the judgment.

    Separately, the process of installing apps that are outside a system app store and aren't verified has also changed, but this is not required by the developer verification feature, and the result seems like a wash to me. The first time you enable installing apps from other sources is harder, but this setting then persists across device upgrades, so the subsequent times go away completely. This now requires developer mode, but apps that check developer mode (I haven't found any in the US) can be mollified with a Tasker task to disable developer mode when launching those apps and enable it again after.

    • That's only the consumer side of it though. As the post states:

      > Should a developer[...] elect to register themself with Google as a “verified” developer, they should expect to sign up for an account and pay a fee, surrender detailed personal information and upload government-issued identification, and then proceed to register the identifiers and signing keys for all the apps they intend to distribute (now or ever).

      Those are big impediments to open development. The agreement developers sign states:

      > 6.5 If You violate any of the Terms or if You distribute malware or other harmful applications, Google may terminate Your access to the ADC…

      But they don't actually define "malware" anywhere in the document. Search HN if you want to hear horror stories about how google handles loose definitions and peoples' accounts.

      2 replies →

After many years of Android freedom and choice, this'll likely be the reason I switch back to iOS/Apple. If I'm forced into a walled garden, it may as well be the best one.

My Android 15 handset doesn't have a com.google.android.verifier process. It could be a Ulefone thing. They're especially pro-user (ex: root friendly).

  • Checked my Pixel 7 XL Pro and the app is installed and running (Version 1.0.866414232 com.google.android.verifier). I was able to force stop it, and disable it. Will check later to see if reenables itself.
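The two comments above check for the package by hand. Below is an added example, not code from the article or from either commenter, that does the same inspection over adb and builds the disable command the second commenter used. It assumes `adb` is on PATH with one device attached and that the package name is com.google.android.verifier as quoted above; the parsing helpers are pure functions so they can be exercised on constructed `pm` and `dumpsys` output without a device.

```python
"""Look for the Android Developer Verifier package over adb, report its
version, and build the command that disables it for the current user.

Added example, not code from the article or the commenters. Assumes `adb`
is on PATH and one device is attached; the package name is the one quoted
in the thread. Parsing helpers are pure so they work on constructed output.
"""
import subprocess
from typing import Dict, List, Optional

ADV_PACKAGE = "com.google.android.verifier"


def parse_pm_list(output: str) -> Dict[str, Optional[str]]:
    """Map package name -> APK path from `pm list packages -f` output.
    Lines look like `package:/product/app/Foo/Foo.apk=com.foo`; plain
    `pm list packages` lines (`package:com.foo`) are accepted too."""
    packages: Dict[str, Optional[str]] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        if "=" in body:
            path, name = body.rsplit("=", 1)
        else:
            path, name = None, body
        packages[name] = path
    return packages


def parse_version_name(dumpsys_output: str) -> Optional[str]:
    """Pull the first versionName= line out of `dumpsys package <pkg>`."""
    for line in dumpsys_output.splitlines():
        line = line.strip()
        if line.startswith("versionName="):
            return line.split("=", 1)[1]
    return None


def adb_commands(package: str, user: int = 0) -> Dict[str, List[str]]:
    """adb invocations for inspecting and disabling one package.
    `pm disable-user` is the same call the Settings app's Disable button
    makes: no root needed, but the platform (or `pm enable`) can undo it,
    which is why re-checking with `pm list packages -d` later is useful."""
    return {
        "list": ["adb", "shell", "pm", "list", "packages", "-f", package],
        "dump": ["adb", "shell", "dumpsys", "package", package],
        "disabled": ["adb", "shell", "pm", "list", "packages", "-d", package],
        "disable": ["adb", "shell", "pm", "disable-user", "--user", str(user), package],
    }


def run(cmd: List[str]) -> str:
    """Run one adb command and return its stdout (empty if adb fails)."""
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    cmds = adb_commands(ADV_PACKAGE)
    found = parse_pm_list(run(cmds["list"]))
    if ADV_PACKAGE not in found:
        print(f"{ADV_PACKAGE}: not installed")
    else:
        version = parse_version_name(run(cmds["dump"]))
        print(f"{ADV_PACKAGE}: {found[ADV_PACKAGE]} version={version}")
        print("currently disabled for user 0:", ADV_PACKAGE in parse_pm_list(run(cmds["disabled"])))
        print("to disable:", " ".join(cmds["disable"]))
```

Run it once to record whether the package is present and at which version, run the printed `pm disable-user` command, then run the script again later: the "currently disabled" line answers the re-enablement question the second commenter left open.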

  • Ex means "example" here right? Or do you mean ex as in the dictionary meaning of ex, as in, "formerly"?

If they go through with this, I will make it my life's mission for the coming months to de-google my personal life and break any dependencies on google at work. Done with this nonsense. Shouldn't take more than a month to remove the tumor.

On my android phone:

- My own launcher
- My own keyboard
- My own sync tool for local net
- My own net tools to WoL some devices on my lan.
- My own tool to control 3 proxmox servers
- My own tool that parses groceries slips
- My own tool that keeps track of my vehicles' events/lifecycle/purchases etc.

If they break my launcher/keyboard and my ability to use my phone in my customized way, they will NEVER see me as a client again. None of these apps are in the Play Store; they are signed with my own signing keys, which have never been uploaded to Google, in fact, no Google account is linked to these apps. These apps are also privacy-oriented (even the keyboard: I ship a 1 MB dictionary with it and it learns my own words, never transmits anything).

I will not give Google my ID, nor Persona or anyone else. I'm very happy to go back to using bank card + chip + PIN rather than use Google Wallet. Trust me, I will walk away. I already moved 4 family members off of Windows in the last 2 years; I will get them off Google too.

  • I started de-googling a few weeks ago. I don't really know what I'm doing but it's kind of enjoyable to learn. Graphene OS with F-Droid and I'm most of the way there.

    I still use the play store for some apps unfortunately. Also google maps, gmail, google messages (for rcs) and google fi. I'm not sure if there's anything close to the quality of traffic reporting as google maps, so it's hard to give up. The rest I will eventually move away from... Hopefully.

    I have a home server with a reverse wireguard proxy for self hosting photos, calendars, etc.

    I also have firefox with noscript blocking everything by default, but that's a big pain for an average person. Also it doesn't seem like firefox does a good job of anti-fingerprinting, but I haven't looked too deeply into that.

    I even bought a tv that has adb access, and I removed a bunch of bloat, but it doesn't seem possible to remove the google launcher without causing huge system instability. I might just firewall it off.

    There are a ton of open source alternatives to google products now, way more than the last time I tried moving away. It's time to leave.

I have already migrated my government and banking stuff off Gmail. I'm fine losing my access to HN but Google can't be trusted with serious shit.

This kind of speech will only go with fellow technical users, most folks buying phones at the usual phone operators won't care less.

All talk, no solutions from F-droid. What are they actually doing to solve it? Why not stand up their own vetting system? I'd love some technical solutions, instead this is just childish.

  • By analogy, would complaining about any organization ridiculously more powerful than you (e.g. a government) without having a complete alternative ready to go also be "childish"?

  • Because as designed they have to live under whatever google puts into Android because they have inordinate control over the whole ecosystem? I'm not sure why or how you would possibly describe that as "childish".

  • Solutions from F-Droid? There are none. Like they said, it's an unremovable system service.

    • They could register as a corporate developer, but they decline to do so because _"that would effectively seize exclusive distribution rights to those applications."_ But it wouldn't: the source code is still available for anyone who wants to build and distribute the apps themselves.

It would seem to me that the best use of resources here would be ensuring LineageOS ports to more devices than Pixels ASAP. Yet no one works on that angle.

This is just getting us ready for the coming police state in the US. Choose your ankle monitor: apple or google.

How does this affect the Fairphone? If I buy a Fairphone now (which I've been considering for months now) will I continue to be able to run F-Droid and load arbitrary apps, or does it come with “official” Android that will contain the restrictions?

  • I would in general recommend against getting a Fairphone. They traditionally have a lot of hardware issues. Some of the early issues on the FP6 (fried logic board while charging and broken volume button) are not user replaceable. Many people have had to wait a month before they get a reply from customer support and even longer to get their hardware fixed. They also completely fail to communicate about issues.

    They also have a bad reputation when it comes to updating their software. E.g. their initial Android 15 builds for FP4 had bad memory management issues, with the result that many people could only have one app in memory at a time, which made it impossible to switch between e.g. an app/browser and a password manager/payment app. Some of their updates would cause boot loops when there were fingerprint reader issues, etc. Currently a lot of users are dealing with an issue where apps hang when used over WiFi because IPv6 gets misconfigured when a router sends an IPv6 router advertisement with lifetime 0 (which e.g. Fritz!Boxes that are popular in Europe do). The issue has been there for over three months without any acknowledgement or fix from Fairphone.

    Also, even though they do Android Security Bulletins and major releases (though very late), their phones often run ancient kernels and firmware with many known vulnerabilities. This is also the case if you run an alternative OS, because pretty much all of them use upstream trees. Also their firmware has Chinese TCL image processing blobs (might be a security/privacy issue for some people).

    I think many of these issues stem from the fact that the development of both the hardware and the software is largely outsourced to a Chinese ODM (T2Mobile), who maintain everything, so there is a lot of delay in everything. My guess is that Fairphone as a company is mostly a PR/support/supply chain auditing (as in minerals/labor, not software supply chain) company, with all the development outsourced.
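The IPv6 detail in the comment above is worth pinning down, because "router advertisement with lifetime 0" has a precise meaning in RFC 4861 section 4.2: the Router Lifetime field covers only the sender's usefulness as a default router, and a value of 0 means "do not put me on the default router list" while any Prefix Information options in the same message are still to be processed for address configuration. The following parser is an added example, not code from the thread or from Fairphone; it decodes an RA, classifies what a conforming host should do with it, and comes with a constructed sample packet (the ICMPv6 checksum is not verified here, since that needs the IPv6 pseudo-header, which sits outside the ICMPv6 message). Capturing a real RA from a Fritz!Box with tcpdump and feeding the ICMPv6 bytes to `parse_router_advertisement` is the practical use.

```python
"""Parse an ICMPv6 Router Advertisement (RFC 4861 section 4.2) and classify
the "router lifetime 0" case: such an RA withdraws the sender as a default
router but its Prefix Information options still apply.

Added example, not code from the thread or from Fairphone. The sample packet
is constructed; the ICMPv6 checksum is not verified (it needs the IPv6
pseudo-header, which is outside the ICMPv6 message).
"""
import ipaddress
import struct
from typing import Dict, List

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFORMATION = 3


def parse_nd_options(data: bytes) -> List[Dict]:
    """Walk the TLV options after the RA header. Length is in units of
    8 octets; RFC 4861 section 4.6 says a zero-length option makes the
    whole packet invalid, so that is a hard error rather than a skip."""
    options: List[Dict] = []
    offset = 0
    while offset + 2 <= len(data):
        opt_type, opt_len = data[offset], data[offset + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")
        end = offset + opt_len * 8
        if end > len(data):
            raise ValueError("truncated ND option")
        body = data[offset + 2:end]
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            plen, flags, valid, preferred, _reserved, prefix = struct.unpack("!BBIII16s", body)
            network = ipaddress.IPv6Network(f"{ipaddress.IPv6Address(prefix)}/{plen}", strict=False)
            options.append({
                "type": "prefix",
                "prefix": str(network),
                "on_link": bool(flags & 0x80),     # L flag
                "autonomous": bool(flags & 0x40),  # A flag: usable for SLAAC
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        else:
            options.append({"type": opt_type, "raw": body})
        offset = end
    return options


def parse_router_advertisement(icmp: bytes) -> Dict:
    """Decode the fixed 16-byte RA header plus its options."""
    if len(icmp) < 16:
        raise ValueError("too short for a Router Advertisement")
    (msg_type, code, _checksum, hop_limit, flags,
     router_lifetime, reachable_ms, retrans_ms) = struct.unpack("!BBHBBHII", icmp[:16])
    if msg_type != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    return {
        "cur_hop_limit": hop_limit,
        "managed": bool(flags & 0x80),        # M: addresses via DHCPv6
        "other": bool(flags & 0x40),          # O: other config via DHCPv6
        "router_lifetime": router_lifetime,   # seconds; 0 = not a default router
        "reachable_time_ms": reachable_ms,
        "retrans_timer_ms": retrans_ms,
        "options": parse_nd_options(icmp[16:]),
    }


def classify(ra: Dict) -> str:
    """What a conforming host does with this RA."""
    slaac = [o for o in ra["options"] if o.get("type") == "prefix" and o["autonomous"]]
    if ra["router_lifetime"] == 0:
        return "configure-prefixes-only" if slaac else "ignore-as-router"
    return "add-default-router"


def build_sample_ra(router_lifetime: int) -> bytes:
    """Constructed RA: hop limit 64, no M/O, one on-link autonomous prefix
    2001:db8::/64 (valid 86400 s, preferred 14400 s). Checksum left as 0."""
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0)
    prefix = ipaddress.IPv6Address("2001:db8::").packed
    pio = struct.pack("!BB", OPT_PREFIX_INFORMATION, 4) + \
        struct.pack("!BBIII16s", 64, 0xC0, 86400, 14400, 0, prefix)
    return header + pio


if __name__ == "__main__":
    for lifetime in (0, 1800):
        ra = parse_router_advertisement(build_sample_ra(lifetime))
        print(lifetime, classify(ra), ra["options"][0]["prefix"])
```

The lifetime-0 sample classifies as "configure-prefixes-only": addresses from 2001:db8::/64 should still be configured and the sender simply should not be a default route. A stack that reacts to that RA by tearing down its IPv6 configuration produces the kind of hang the comment describes.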

  • It depends on the operating system you install. Fairphone by default comes with a pretty standard Android version with Google Play services, so it will be impacted.

    If you either buy a Fairphone from Murena (with /e/ OS) or from Iode (with Iode OS) or if you buy a standard one and install a version of Android without Google Play Services (like /e/ os or Iode), then you can still use FDroid.

Why not replace F-Droid with a catalogue of links to open-source apps hosted in play store?

  • Most F-Droid apps are built from source. A link to Google Play may point to a newer version that has changed and could contain undesirable behavior.

I don't understand how this is legal in the EU under the DMA, does anyone know?

As a user, wouldn't you like knowing there is a non-verified app? Is it restricting, and still providing a way to override if you choose?

  • Is that not already the case today? Everything on the play store is verified. Anything outside of that is not by google and you are shown something.

    The whole point of this outrage is that alternative stores (like F-Droid) can wholly and entirely be shut down on a whim without recourse.

The frustrating part is that security features often look like malware from a technical perspective. The intent is different, but the capabilities can overlap.

What Google is doing is shameful. One of the promises of Android was being more open than the restrictive Apple ecosystem.

Now that they reached penetration they do the switch - under the guise of security.

Just let me do with my hardware what I want to do with it. Let it be my responsibility to install whatever I want (and stop calling it "side-loading", as if I am doing something shady from the "side").

We need to resist this! Alas, from the broader response it seems that most people just do not care.

  • Epic games sued both Apple and Google for anti-competitive behavior.

    Apple was found not guilty.

    Google was found anti-competitive.

    In the appeal, Google asked the judge why Apple wasn't anti-competitive and the judge told them that Apple wasn't anti-competitive because there were no competitors on their platform to compete with.

    Google lost the appeal, an inflection point in tech was created, and Google wondered why the hell they tried being open when xbox, playstation, nintendo, apple, all get to do whatever they want on their closed platform.

    It's incredible how little coverage that ruling gets despite how damning and detrimental to tech its implications are.

  • It's not just shameful, it's stupid. Freedom was the whole point of tolerating the shittiness of Android. If they get rid of that, then there is no point, and I'll just buy an iPhone instead. If I must be in a walled garden, I'll choose the better kept garden, and it sure as hell isn't Google's.

    • Pragmatically speaking, I doubt that the percentage of users currently choosing Android over iOS for this reason would add up to even 1%. Android dominates worldwide by and large because of cost, and unless Apple pulls another Neo this shall remain regardless of how locked down they make it.

      2 replies →

    • you think it's shitty, but it's a personal opinion that you're phrasing as some kind of widely accepted view

      be sure that it's not, lots of people actually PREFER Android

  • This is worse than Apple. With Apple you knew where you stood day 1.

    • If you go back far enough, the original iPhone didn’t even promise to give you the ability to install apps.

    • It's worse in a different way.

      I mean when people complained about Apple, the standard reply was "if you don't like Apple use Android, it's open!".

      Now when people complain about Android doing the same, the answer is how is it wrong if Google does it, when Apple has been doing this forever.

    • lol my god the Apple shills are out in full force. This is implementing a tiny fraction of control over probably less than 1% of Android users (hint for the HN crowd: you don't represent real people and you need to remember that) in an effort to stop a very real problem that far far far more than the people affected by this face. Yet they are worse than Apple who has been doing this since day one to 100% of users. You're an unserious person.

  • AFAIK you can still install any random APK but the process will require enabling developer mode and one time 24 hour wait period. But the problem is many stupid Apps check that developer mode is on and refuse to work.

    • > many stupid Apps check that developer mode is on and refuse to work

      Do you have some examples? I have developer mode enabled and have never seen any apps complaining (and I have used a lot of different banking apps).

      1 reply →

    • An FDroid desktop client that adb installs APKs would actually be lovely. I pretty much exclusively use FDroid, but I gotta say I unfortunately find all their frontends to be rather buggy and with very little user feedback when things break (repo updates are hard to observe, downloads hang, updates mysteriously fail)

      1 reply →

  • > We need to resist this!

    I agree. What do you suggest? How can we contribute to the resistance?

    • Raise it at whatever level we can.

      I've seen more outrage on HN posts about license changes than those related to this. I mean we are in the midst of one of the biggest rug pulls of our lifetime and the response was not even remotely proportional. I wish it was at least a fraction of what it was during the SOPA act.

      Not even businesses that could be hurt by entrenching Google more in the mobile space are acknowledging the issue.

      That makes me think maybe all the outrage at the SOPA time was probably "promoted" because it aligned with their commercial interests, or maybe Google is all too powerful and too deeply entrenched that nobody wants to upset them.

    • If you are in the EU, send a message to the DMA Team. Be polite, explain how Google is using its oligopoly power to shut out competing app stores and applications that can be installed outside the Play Store. Explain how it affects you.

      An app becoming unavailable through remote attestation? New recaptcha? Document every case and send an e-mail to the DMA team.

    • I'm sure there's plenty of Google employees on here, some quite high up.

      Push back against these types of decisions internally. Rally your coworkers against them.

      And if you're brave enough, talk to a journalist, or pull a mini-Snowden. Lord knows the company has secrets. I bet there's at least one email chain from some exec bragging about how this policy will squash Revanced, ad-blockers, etc.

      1 reply →

    • This started with phishing, poor people being tricked to install apps that then drained their bank accounts. So to resist, maybe focus on that evil? Better international cooperation, better prosecution?

      12 replies →

A threat being masqueraded as protection is a deception. I now think this has been Google's modus operandi the entire time.

So, what's a good Linux tablet? I was thinking of trying an old Surface Pro.

I think it's funny that they look at the phrase "malware or other harmful applications" and then only have an issue with the definition of "malware" rather than "harmful". Like, wouldn't "harmful" be FAR easier to apply in literally any case you feel like? "malware" sounds like it'd need some proof of malicious intent but "harmful" needs no such thing and is much looser.

isn't this like the ps3's otheros thingie? Where the advertised functionality of the device was crippled after the customers bought them?

  • In the PS3 case the feature was removed fully, whereas in this case you just have to go through a new flow with warnings to re-enable sideloading of unverified developers' apps.

Maybe I've too much faith in Google, but a part of me wonders if Google doesn't want to get sued for this change. After all, their competitors have similar systems. While Microsoft's is circumventable with a few click-throughs, it's particularly nasty in that their code-signing certs are comparatively brutally expensive, too much so for hobbyist projects generally.

If Google is looking at a world where all of their competitors are using first-party-controlled signing, it makes sense for them to wonder "why not us". And if they get sued for this, that would set the precedent for all of their competitors too.

At that point the playing field would be level and platforms would be properly open.

While I hate how user-hostile stock Android is (and it's getting worse, all because of Google's ad business model), these reactions are so blown out of proportion they might only teach Google to do it the subtle way, or use such changes as a smokescreen..

24 hour waiting time? Big outcry.. Anticompetitive permission system where apps can do not that much more than websites? Nah, it's fine..

Unless you unlocked the bootloader, you were NEVER able to install apps you want, as Google had the final say what those apps could do (the anticompetitive permission system where user is the third class citizen, vendors are second-class citizen and there's only one first class citizen - Google). We need to fight for the right to unlock the bootloader and then not be restricted by the actual malware that is Play Integrity.

This is more than enshittification, it feels like purposeful brand destruction.

Are governments going to institute more lockdowns? Is this some topdown control thing?

I will root this POS android phone I have and forego any Google Play services and just use it as web browser and a phone. Fuck these guys!

As a user how do I opt out? Can I root my phone and excise this crap with some tool?

If this is disseminated through Play Protect, does disabling Play Protect prevent triggering this?

The temerity of Alphabet to claim to protect users from malware/spyware, when they are known to share all of your personal information and communications with the US government (Snowden revelations), is the epitome of hubris. And, also, in the world we live in, just another Thursday.

But even ignoring this - it is not for Alphabet/Google to decide whether, and how, I want protections. I want to be able to pick a sequence of bytes and install that as an application on my phone, without Alphabet having any say in whether that happens or not, and in fact without them knowing about it. It's my phone, not theirs, and the software should help me do what I need/want, not help them provide me their often-questionable services.

  • It's even worse when Google believes they have a legally defensible justification that your data has been "anonymized". E.g. "anonymized" location data directly from your phone that just so happens to be accurate to the meter. Such data just cannot be anonymized.

> Disguising itself as the innocuously-titled “Android Developer Verifier” (ADV) process, this trojan horse runs surreptitiously in the background as a system service with full root privileges, quietly awaiting an activation signal. The service cannot be blocked, disabled, or removed. Unlike a commonplace bit of malware, this extraordinary strain won’t be detected and neutralized by Play Protect (the malware scanning and remediation service that is installed on all Android Certified devices). In fact, Play Protect is itself the vector through which this virus is transmitted and installed.

> That is because it is Google themselves who is propagating ADV. And once activated, this malevolent process has exactly one goal: to block you from running software by developers who haven’t been approved centrally by Google.

The rest of the article is a claim that Google's new terms of service amount to "malware is any software we [Google] don't like."

It seems like Google is aiming for its own walled garden.

I've already disabled Play Protect ages ago because it kept removing apps I had installed through F-Droid. Actually, I almost only install apps via F-Droid. I wonder if the ADV will install with Play Protect disabled?

My iOS using friend told me that he can't even use the iOS software that he has written on his own phone. He can run the software but it expires in a week so he'd have to redeploy every few days to keep it running.

Is that right? Is that the future of Android as well?

It is time to dismantle - and subsequently forbid - Google. Too much Evil is now concentrated in this greedy adCompany. Mass-infecting so many devices on purpose is beyond compare now.

how is graphene these days, or is there a better alternative that can run map apps that depend on google play services (like waze)?

we need to create a new os

  • We already have the OS, what we need is a company that is willing to take a bet on it, support it and convince hardware vendors to provide upstreamed drivers for their stuff.

    PostmarketOS may not be perfect as of now, but it would advance and progress so much if people were hired to work on it and if people could buy a smartphone with it preinstalled. Bug reports and corrections would come much quicker as well as supported apps. Right now it is just a confidential toy OS because of the lack of hardware support really; only a small number of smartphones are supported, only 2 of them are still sold and available as new (pinephone and pinephone pro), their specs are nowhere close to what you would expect for the price and they are only sold through a rather confidential online store.

>Should a developer — contrary to our recommendation — elect to register themself with Google as a “verified” developer, they should expect to sign up for an account and pay a fee, surrender detailed personal information and upload government-issued identification

Again, there is a tradeoff between protecting consumers and protecting vendors. If you protect the privacy of vendors, you do so at the expense of increasing risk to the consumers.

I don't want to be polarizing, but narcissistic is the best word to describe the position of this article. I'm assuming that when they are consumers, they would find it reasonable that their vendors provide due diligence and be held to higher standards. When they go to the pharmacy, and they buy aspirins, would they choose a tablet of aspirins from a pharmacy that doesn't ask where the aspirins came from or who the distributor or producer is? If such privacy of the producer were respected then the market would open up to actors that provide low quality, counterfeit, or malicious product.

You can't have it both ways. If you are a vendor, you are no longer an anonymous consumer. Installing a VPN, paying with cryptocurrency, using firefox and duckduckgo to avoid tracking, that's not on the table for you once you decide to be on the other side of the production market.

If you want to make software and distribute it anonymously, go ahead and submit it to one of the many malware riddled distributors that don't do any due diligence like npm, github, AUR, why must you insist on being let in a club that doesn't want you? Is it perhaps because the reputation of such club is higher because it doesn't have malware because it performs such due diligence?

At least if you are going to complain about this, do it with standard language don't co-opt cybersecurity terms, adding noise to whoever cares about actual security. If this is really a problem you wouldn't need to exaggerate or plain lie about it.

  • > If you want to make software and distribute it anonymously, go ahead and submit it to one of the many malware riddled distributors that don't do any due diligence

    Like F-Droid, one of the most famous malware dens in the Android ecosystem.

I think the most fun part with Google is that if some wayward algorithm decides it doesn’t like you, along with nuking your app and developer account it will probably nuke your 20 year old gmail, your kids Google Drive accounts, your wife’s YouTube premium, the Adsense account of some company you worked for in 2008, and disable your Nest cameras.

And you’ll never reach a human to sort it out.

  • To avoid this, I tried to close my Google Play Developer account. A decade ago I published a free app on it, which was online for half a year.

    It was to no avail. They will not close the account.

    I received only automated responses about bringing my old app into compliance with current policy, to then transfer it to another developer account.

    Only then would Google graciously allow me to close my Developer account.

    Meanwhile, private Google services charge me the wrong prices, because I have a Payments profile in another country. It is associated with a Merchant account, which is linked to the Google Play Developer account.

    The support concluded that this can also not be closed, and that I should close my Developer account first.

    It's hell.

    • It's not just Google. Try removing an unpublished but uploaded iOS app. Wasn't possible for decades and I guess it still isn't. You eventually could hide them. The only way to remove it was to publish it, but that requires app validation, which a failed app is not suited for.

    • I tried to close my account, and got the response. But they closed it when I failed to verify it.

    • Really? I have to keep making useless updates (just a version number bump) on one of the accounts I manage, because I keep receiving threat emails every 6 months that the developer account sees no activity and if I don't do anything they will remove and close it.

      That app is a done project and needs only to be updated when the target SDK becomes too old for the Play Store.

  • What happens if you "accidentally" become persona non grata with both Google and Apple?

    If you want to participate in society, you will forever have to resort to shady tactics. Shady can be defined as something as arbitrary as using GrapheneOS.

    A temporary workaround like using alternatives such as GrapheneOS for those affected will only delay the inevitable, but it doesn't stop it at all.

    • If you've accidentally become a persona non grata, then obviously it's because you've not exercised sufficient self-censorship.

      This is real already. Recently saw a petition for the EU to rein in big tech (there are several initiatives advocating this). Had this nagging voice at the back of my head ... what if signing that gets your Google Account terminated?

      I'll leave it open to you whether I signed it.

      For developers relying on any type of Google services, you'd be in for lots of pain.

    • It's terrifying, yeah.

      To some degree, the closest we have to these situations besides getting flagged with TOS violations (whether real or false-flagged) in these companies are residents of countries that are either trade or economically sanctioned by the USA.

      Thankfully we haven't seen something like an account ban and deletion incident for such cases, but the severe ones I can remember usually prohibit access entirely and that'd be scary if it extended to primary services that others rely on for auth.

      You will be effectively locked out of services if it's all that's linked and that identity provider just decided you'd be persona non grata.

    • iOS can be used without an account. iPhones can be acquired outside of Apple. The EU has the alternative App Store option that doesn’t require an Apple account.

    • GrapheneOS is not shady at all, since when is wanting to use an actually secure OS that doesn't sell your data to palantir or some other ACTUALLY shady shit like that shady?

    • "If you had learned to wash lettuce, you wouldn't have had to pay court to Dionysius" - Diogenes.

    • > What happens if you "accidentally" become persona non grata with both Google and Apple?

      https://www.theguardian.com/law/2026/feb/18/international-cr...

      The US made a Canadian judge a persona non grata for any firm domiciled in the US. All because she works for the ICC, and the ICC declared Netanyahu a war criminal (which is indisputable). Why is the US destroying worldwide trust in US businesses on behalf of a reviled nuclear-armed hermit nation on the other side of the planet? Good question, but it is what it is.

      This example that the US will spuriously use sanctions like this is why many nations are investigating ways to purge American financial systems and tech.

    • You are right - now greedy corporations decide who is an "acceptable" human and who is perma-banned.

      Governments need to wake up to this insane level of Evil. And other governments also need to hold the US government responsible here, since they allow this to happen.

      In objective terms this can be called a fascist system.

      > A temporary workaround like using alternatives like GrapheneOS

      The issue still is that so many services and functionalities are tied into private companies. States simply need to wake up now.

  • One of my best friends has a Jolla phone.

    He never had WhatsApp. He refuses to use Google. Only recently did he start using Signal. He had been using an old Nokia phone till he was forced to upgrade by his operator. He is European and here in Europe WhatsApp dominates. Despite all that and having a very social life, driven by work, he manages.

    I recently ordered a Jolla phone. I don’t want to know about Android. I might tolerate iOS. But shelling out thousands of $ for a phone that is controlled by an external company…

    I am looking out for messaging alternatives. I am at a point where I think linking your identity to a phone number is not right either.

    Let’s say we should all wake the fuck up. This is not right. Having a phone with such spyware is a potential attack vector I don’t want to have on the most important device I own.

  • The blast radius is far worse than any "malware" Google could protect you from.

    TFA is playing it up, but it is arguable that this is a real virus, except the shady hackers are Google.

    • I don't think 'virus' is the right term, since it should self-replicate. 'Malware' or 'spyware' are probably better terms.

    • Malware on Android causes more harm, both to individuals and collectively to all Android users, than Google locking people out of their accounts. These aren't even in the same order of magnitude. There are countless examples of people who have lost their life savings, all their data, etc. Losing access to your Google account sucks too, and I don't necessarily agree with what Google is doing here, but you're completely off base here.

  • > And you’ll never reach a human to sort it out.

    Unless you blog about it angrily enough that you somehow make it to the HN front page and some insider sees it and solves the problem for you.

    Getting my own domain and setting up email on it is one of the best things I've ever done.

  • All service providers above some scale should be obliged to create transparent processes or be taken to external judges.

    Even better: all providers of services with more than 100K users or 10% of a country's internet users should be forced to provide an API to export/import data in an open format.

    • Maybe service providers above some scale just shouldn't exist, period?

      It would be a lot harder to erect walled gardens if you're only serving a small subset of users - they would balk and leave at any attempt to prevent them from interacting with others outside of the ecosystem, and it would be a lot easier to do so.

  • That happened to me: lost a 16-year-old Gmail account, which is my main account for my digital life. It happened after I disabled some tracking, and Google was no longer able to recognize me; even though I had my phone number registered, it was not enough.

    • Same. Lost my 2004 Gmail because they silently enabled 2FA and the phone number on the account is a long lost one. I have the username/password and the recovery email is set to me. The account also forwards all emails to me, so I still get the mail, but I can't log into the account.

      Not yet found someone to do a SIM swap for me and get the 2FA code...

    • I suspect this will happen to me soon, though all I do with it is occasionally sign in just to keep it registered. It now refuses to log me in unless I am on a specific IP address, no matter how many MFA steps it requests and I pass.

  • This has been known for quite a while; when I published an Android app ~10 years ago I saw lots of people advising you to create a separate Google account to publish apps under, because a robot can just terminate your entire online identity for the crime of trying to contribute to Google's app ecosystem.

    I left behind Android and as many Google services as I could in 2020 and so far I've only been more vindicated with that decision over time.

  • This almost happened to me 4-5 years ago. I don’t recall every detail but right around the time I was deep into a new job interview process, Google Pay decided it needed to verify my identity. It may have been triggered by one of my cards expiring but I don’t think I had ever used the service to actually pay for anything at that point and just had a card saved. Anyhow, I was almost immediately locked out of my primary email account as well and got delayed in sending documents to the potential employer and had to explain that I got locked out of gmail. Unfortunately, I didn’t learn my lesson and still use that gmail account as my primary email but I did at least open alternative accounts on other cloud providers.

  • Have a friend lawyer that will send them a proper letter. They will take you seriously that way. And if you live in EU, use GPT... Actually, use Gemini (!) to craft another great response invoking a number of articles etc that they are in violation of.

  • I tried recently to create a dev account. I have not yet been successful. It is a painstaking process.

    I had to submit my ID, my phone number, email.

    Then to verify I had to give my address. They rejected my ID twice, so I had to submit driving licence.

    I am several weeks in, and could not even produce a single app.

    Their algorithm already rejected me, for no obvious reason.

  • I've seen multiple stories of people buying phones from Fi, the phones never arriving, google refusing a refund, and on a chargeback, their entire google account gets shut down.

    • Holy crap that is scummy.

      I still use 2 Google services, of which neither would crumble me if lost (YouTube, and my old email which now acts as my spam inbox). I have lost access before, when I was still partially dependent, and had to give up my privacy to get access again, long enough to get off. It sucks but I do consider myself lucky that I was able to prevent the life-crushing consequences that some people have had. Such a terrible company.

  • Leadership at Google should face prison time for this sort of practice. We wouldn't accept it in the physical space, so why do we accept it in cyberspace?

  • This is why I don't mess with any of Google's AI offerings right now. Losing access to my Gmail (technically a Google Apps for our domain) account would be devastating. I think the risk that some Google AI decides I'm abusing their AI and bans me is too high.

  • We experienced this with Anthropic, not the same blast radius obviously, but out of nowhere the account was terminated. No support available. It was via someone’s 30+ year old classmate via LinkedIn that the account got reinstated.

    As a counterpoint to the right to repair there should be a right to recover.

    • There was a more direct case where someone’s child had been interacting with Gemini inappropriately, resulting in Google nuking the entire family's Google accounts.

  • I would strongly advise using your personal account to access the developer-side of the Play Store.

    No, these services shouldn’t all be bundled under a single account…

  • You go self-hosted and try to stick to real small alternatives, subset of technical standards, etc.

    I am not a US citizen, but an EU one (well, since we have seriously rogue and toxic EU states, I dunno how long it will last).

    And guess what, the handling of the issue of technical interop for administration online services is done... at the top of the top of the political power: in my EU country, only the president and prime minister define it. Yep, you read that right, it is THAT important: parliament has no power over it, 'technical authorities' have actually no real power over anything, etc. It requires the same level of power as deciding to make more nukes.

    Basically, in 2015/2016 our president/prime minister at that time literally gave all the administration (and dependencies) online services to big tech (a technical document which is basically 'law' with content 'opening the gate' for big tech). Well, I say 'they gave it', but they could have 'sold it'... we have a department in our DOJ to monitor past politicians who could have set up some public money channels in order to benefit from it, often indirectly, afterwards. The following president and prime ministers changed nothing... how deep does the rabbit hole go? Brainwashing via hardcore lobbying? Corruption?

    IRL, you had country administration related web sites, working more than fine with "any browsers", small and big, citizen made, small company made; now it is over, they were all broken for web apps which do work only with WHATWG cartel web engines with their abomination of a "computer language" requiring an even worse SDK. Same with file formats.

    There is light though: if this document of technical 'law' is properly modified, the whole administration and dependencies have 3 years to restore simple web sites and support a minimal subset of file formats.

While I sympathize with the general negative outrage towards this change, I truly believe that people here fail to empathize with the mainstream users of Android phones.

I personally have seen every single older relative and non-tech friend end up installing bloatware, spyware, and malware inadvertently, because they have no idea how anything in the tech domain works. And given the widespread popularity of Android (globally 70% vs iOS at 30% market share) and even more so in lower income demographics, it also leads to rampant piracy of obviously non-essential apps like games and streaming (e.g. Spotify). In fact, even here on HN, almost everyone who has given their parents an iPhone has extolled the virtues of a secured App Store/device and the peace of mind it brings.

While there may someday be a way to support both the average user and the HN power user, we are not there yet. It’s hard for me to outright reject Google/Android attempts to secure people’s devices.

  • They can lock down the Play store completely, that's what 99% of people and the people most vulnerable to malware are using. The problem is extending that to F-Droid and other alternative services.

  • The only time I've actually seen Android malware in the wild, it was because my mother installed a homescreen flashlight toggle widget from the Play Store that also displayed ads on the lockscreen. That was forbidden under Play Store rules, but there it was. I replaced it with something from F-Droid.

    The Play Store still has a problem with shady apps years later. If Google wants to be more like Apple, they should start with better curation in their own store.

  • I’ve seen a fair bit of bloatware, spyware and what I’d count as malware on people’s Android phones. Every last piece of it has come with the OS or from the Play Store.

This is exactly why I use Android over iOS, for software freedom. If Google forces ADV and locks out F-Droid, they remove the single biggest differentiator between the two platforms. Making Play Protect into a forced gatekeeper instead of an opt-in security scanner is a massive bait-and-switch for users who care about digital sovereignty.

> How long before they designate all ad-blocking software as malware, block installation on all Android certified devices worldwide, and permanently designate all developers of this class of software as malware creators?

Classic slippery slope fallacy.

https://en.wikipedia.org/wiki/Slippery_slope

History shows that when a "slope" appears... regulation steps in, technology evolves to solve the problem, or the culture shifts to reinterpret the thing.

In almost every case, the feared "bottom" of the slope was never reached because humans constantly built ramps or bridges along the way.

  • > In almost every case, the feared "bottom" of the slope was never reached because humans constantly built ramps or bridges along the way.

    Perhaps it happens because the slope is called out...

    • Plus, it is not the bottom I fear, it's the precedent from letting companies slide down the slope.

      Regulation may try to stop it but history has shown some have slid to the point of no return or past a point where people can care enough to build out of.

      Prevention is better than retroactively fixing stuff.

    • Much like the fallacy behind: "The Y2K bug was a total hoax, you can tell because nothing much happened on 2000-01-01."

  • I alternate my thoughts frequently (which I believe is healthy), and sometimes I think we should let things take their course a bit more before reacting. It's certainly tiresome and can be pointless (some people claim 'hysterical') to fight lots of changes, not necessarily this one but some like it.

    But I've come to realize there are serious downsides to letting things run their course too. Some changes are very hard to roll back (famous 'cat's out of the bag'), just taking a lot of time to reverse if ever. For example, once there is a long term contractual agreement, if one party decides to roll back they may just not be able to until the contract expires (like renting land; or worse, selling). A change in software systems, for example, that needs backward compatibility can be quite difficult in technical and nontechnical ways.

    I think people need to also keep some sympathy for the protests and let people protest more. I'm leaning more toward: if in doubt, provide visibility to a cause (even if not full support). It's okay to save yourself some energy (in particular for the most important causes). Some things might have to run their course for people to understand they were valuable, and we will probably have to eat some frogs as a consequence. Don't lose your sanity ;) (As the saying goes, "Don't you dare go hollow.")

  • "or the culture shifts to reinterpret the thing"

    Yes. You see it already.

    "Actually it is good that I can't run programs that haven't been approved by Google on my own device."

  • There is precedent of Google making changes in light of "security" that break ad blocking Chrome extensions. See Chrome extension Manifest V3.

    So this concern cannot be dismissed with just "slippery slope fallacy"; it's a new vector of the same power grab strategy.

  • This is a useless argument since there is no way to measure which case is this and which is not.

    You can say "Classic slippery slope fallacy." to whatever seems like that to you.

    This is an antipattern to scientific thinking as you can frame something x and then say all x are like this, look I created this framework to think about x. But in reality there is no empirical basis for this thought. And it serves no purpose other than doing more argument or winning arguments.

    In the end what you wrote equates to "I don't think all of this will happen".

    Chaining many possibilities makes the outcome less and less likely obviously.

    Also the same principle applies to most religions I know of, for example:

    - Assume there is God

    - Assume it did create the universe.

    - Assume x

    ...

    Then this also fits the same pattern and could be called the "x fallacy", but it is useless to create an argument like this. This is useless mainly because this thinking pattern is ubiquitous in any world view.

    More productive discussion might be to pick some steps in the theory they chained together and argue on that imo.

  • I don't know which timeline you live in, but in mine I've stopped counting how many slippery slopes ended up exactly where the critics said they would.

  • Just look at the world around you, the slippery slope "fallacy" stopped being a fallacy long ago.

  • Is it a fallacy if you've said before that Google is aiming to create a walled garden, Google itself has already started saying it wants a walled garden and they've already implemented several such steps?

This is not malware. It's an official part of Google Play Services.

  • It all depends on how you define malware. If malware is software doing something that is contrary to the user's interests, then for many users it is indeed malware.

    • Too much hedging in this comment.

      Malware is something that maliciously breaks your computer.

      This maliciously breaks my computer so it's malware. There's no difference between this and the ILOVEYOU virus, except the delivery mechanism.

    • >this malevolent process has exactly one goal: to block you from running software by developers who haven’t been approved centrally by Google.

      This claim is made by F-Droid with no evidence. They make this scary claim which goes against everything Google has claimed so far. They are a biased party, and I can't trust their opinion. I would appreciate it if they shared a more in-depth investigation or a way to verify their big claim.

I understand not being happy about what Google is doing, but it seems like F-droid can’t be trusted not to heavily spin things.

  • If the companies would keep their own word and never overreach maybe nobody would overreact. How many times did we hear in the past "It's just for..."

    • If companies play nice, people will stop making stuff up about them? I don’t believe that for a second, and it’s a poor excuse for making stuff up.

  • There is no spin here. Google is pulling up the ladder.

    There won't be an open web, there won't be user installs, there won't be anonymity.

    Everything will be identified, attested, and allowed only when Google permits it.

    Never mind them choking startups and small biz out of the oxygen they need to survive.