The Android verification is such a broken experience. Recently I decided to purchase a dev account for my company, so far:
1) Provided my company DUNS number etc. once to create the payment profile. I did this some times ago, don’t remember the details but it was an involved verification process and it is marked as verified business payment profile.
2) Later on the payment step verified myself with a passport and bank statement to be able to actually pay with a proper HSBC bank card. Not shady pre-paid card or something, those are not accepted anyway.
3) After I paid I was told that now I need to verify my identity once more but this time with the passport and the incorporation certificate or some other company document.
fingers crossed that in few days it will be verified. While waiting, it tells me that there are still website and email verification to do once the previous step is done. I already verified my e-mail a few times before paying.
It’s painful, slow and annoying because if you fail at a step(i.e. needs verification that takes days and you are told about it at the payment step) you have to start again with the forms.
I just remembered why I never use Android. It seems like no one owns the process and as a result you get unpolished shitty experience that fulfills the requirements of god knows how many people who work in the same company but don’t talk to each other.
That sounds a lot like my experience as an Apple Developer too, with the added bonus (unclear from your description if you experienced this too) that they took my money before the verification process was finished and wouldn't refund it once their AI couldn't connect my face to my ID and wouldn't let me connect with a real person (the first dozen times were on them, but after that it was maybe my fault for including a middle finger in the photographs).
Going through hell with Apple Developer too. I didn't have to do much in terms of verification (probably because I created an account as an individual) but app submission is another story:
- first time I got rejected for mentioning a name of a third party in my app description. The app description said: DISCLAIMER: not affiliated with xxx
- after fixing the app description I got rejected for using my app name(?!), multiple back and forths with the reviewer got me nowhere, they just copy pasted the same response not addressing my messages at all
- filled the app store review board appeal, it's been 5 days and I've got no response.
At this point I'm seriously considering rewriting the app for MacOS and distributing myself. I can't imagine going through all of this with every app update, it's beyond ridiculous.
Develop only Web applications, that are mobile friendly, notice I said mobile friendly, not PWA.
However, thanks to many of us that only favour Chrome like IE of yore, and ship it alongside their "native" applications, the Web is nowadays ChromeOS Application Platform, so we are only a couple of years away of Google owning that as well.
You might not have a way to actually file a complaint against them but quite often, their legal department will just have a quick look at your case and just give you what you want without bothering to tell you anything. Worth a shot.
I am doing leatherworking as well as woodworking. No idea if it is possible to actually make money with this¹, but damned if I'm not giving it a go just to have skills in an area where AI is not a threat for the coming decade. At the very least these crafts allow me to make things which do not exist and cannot be purchased off the shelf.
1: I mean, it is, certainly. I'm just not sure if I can make money by making leather gear.
1) Re-submit an app after it was rejected and labelled a gambling app (it wasn't even close - a 15 second look by a real human would have seen that. This one was even appealed and the support was utterly useless. I ended up changing one word and re-submitting the app, approved no problem.
2) An existing app, in the Play store for years but a nice app - only about 500 installs. I had to submit a new version for no reason whatsoever... Except to keep the customers developer account active.
Those are just issues I've dealt with in the last month or two.
Every single time, Google Support is completely useless - including the appeals process, which is an absolute joke.
Not to mention if you made one app in college and then didn't keep up with the SDK updates, Google perma-closes the entire Play account such that the only way to publish a new app is by creating a brand new gmail account
Forcing people to keep up with SDK updates is a bad thing in itself. Let people target the earliest possible feature set and make the app run on as many phones as possible rather than showing scary messages to people due to targeting an older API.
I think the problem is that older SDK versions allowed you to do things like scan local WiFi names to get location data, without requiring the location permission.
So bad actors would just target lower SDK versions and ignore the privacy improvements
The newer Android version could simply give empty data (for example, location is 0,0 latitude longitude, there are no visible WiFi networks), when the permission is missing and an app on the old SDK version requests it.
Of course, they don't like this because then apps can't easily refuse to work if not allowed to spy.
Phone companies are required to make sure 911 works on their phones. Random people on the internet aren't required to make sure 911 works on random apps, even if they look like phones.
If this is a business account why do they want your passport? And why are you paying with a personal bank card rather than a business one? Or do I misunderstand?
They may want proof that you, the human filling out this form, are authorized to publish apps, communications, etc. as the company you say you represent.
How does a passport solve that? Most small private companies are entirely opaque. A government ID doesn't help you determine authorization. It won't even help you determine ownership since anyone doing things sensibly will be using a registered agent to hold the company on his behalf.
The correct approach here (AFAIK) is to punt the trust decision to the bank by requiring payment with a method that you can confidently trace to the company.
Yeah I would imagine that the value the get out of a passport is not anything to do with validating a company (they’re cheap and easy to make anyway) but validating the person (which is not a throwaway entity)
However that invites those bad scenarios where someone gets blacklisted by BigTech in some manner, later gets hired by a small business, the new employer adds an association to the blacklisted account, and suddenly the company app is banned from the app store seemingly without reason. At least a few such stories have appeared on HN over the years.
I feel like pay to play ought to be sufficient because in addition to being a barrier to entry it also provides funds for moderation efforts.
>suddenly the company app is banned from the app store seemingly without reason. At least a few such stories have appeared on HN over the years.
Which is not that unreasonable even. If a person is flagged for making scam apps, them having publishing rights in a reputable place makes taints the reputation of such place.
You should be able to appeal of course and the oauth should not be towards google in the first place, but being associated with known fraudsters and scammers is not what you want.
There are better ways to do it but Google has long demonstrated they’re not primarily concerned with accuracy or user experience, but instead, whichever solution can be automated and effective.
My government ID card expired and I was too lazy to renew it but I had my passport at hand so why not?
BTW both the id card and the passport have cryptographic authentication and you are able to open a bank account or use govt services completely online by scanning it with the phone Rfid . They could have make me scan that, scan my face and be done with the identity verification. My identity is already verified and tied to my company the same way and also
listed in the companies registry which means they could have had skipped all the other company verification stuff too.
That all makes perfect sense but consider that if they simply punted to the bank as I described they would still get the same benefits only with even less complexity. The bank fundamentally has to do robust identity verification. Any party that needs to handle payments while also lacking a reason to be good at performing in house identify verification really ought to make use of the bank because you are highly unlikely to be better at it than they are.
The entire cumbersome process you describe can be viewed as Google doing a significantly worse job of verifying your identity than the bank would have.
As an aside, I suspect that leaving it to the bank would also provide additional legal protection. Specifically anyone attempting deception will most likely be forced to commit fraud against the bank which will probably be taken much more seriously than otherwise.
The bank has to perform the authorization and identity checks, but the bank will not make them for you, they do them for themselves based on their own risk analysis. The scope of authorization could also be different based on who it's presented to.
The authorization is not transitive so to say.
>As an aside, I suspect that leaving it to the bank would also provide additional legal protection
If it would, they will have to pay the bank for it and the bank should also be willing to accept the liability (spoiler alert -- the will not be willing to accept the liability)
That's all fine, they can want their wants, but then, once the bad cop writes them strongly worded letter and they start throwing tantrums over "regulation".
I agree, in Europe(EU, UK, Turkey and other countries) banks are considered perfect for proof of ID. In UK a bank statement is as good as an ID, in Turkey for example, you can sign in into the government portal through your online banking and it is considered higher level secure authentication and you can take high risk actions(like signing legally binding contracts) that you can't do by signing in just with password and 2FA.
I believe you can’t. BTW Apple allows you to pay for a developer account with in app purchase from the developer app on your iPhone. Still has limitations and you may be rejected depending on your payment method and some other factors but even the fact that it’s possible makes it 1000 better than Google’s way of handling it.
What you're describing is not "broken", it's the process and it appears it hasn't even failed for you.
My experience with getting a verified "business" developer account from Google mirrors the experience as getting one from Apple, except it's a one-time fee and much less than Apple.
Yes there are hoops to jump through, identification usually requires some hoops, but pretty it's straightforward. I am not commenting on the requirements of these hoops, yes, it's BS that they exist but it's their platform so it's their rules.
What type of "experience" are you expecting to have anyway?
With Apple I filled the forms, accepted the agreements, entered the DUNS and paid with a card on my name and that was it.
How does that mirror uploading my passport many times, entering company details many times, typing my e-mail and phone numbers many times both because I had to start over and because I was asked many times even if I provided these some steps back? Now I paid and waiting, hopefully I will later be verifying my e-mail address or something that I verified a few times prior.
> What type of "experience" are you expecting to have anyway?
The Apple experience. An experience that is well thought and streamlined, that doesn’t keep me entering the same information over and over again. I don’t mind paying a little more for well designed products. The $75 difference is nothing to justify this charade, I don’t think that that Google was short of $75 and designed this low quality experience, I think it’s engraver in their DNA.
> However, our recent analysis found over 90 times more malware from sideloaded sources than on Google Play
Google has seemingly never seen an elderly person's phone, where it is completely infected with crap including literal popup ads (that somehow overlay other apps), yet all of it was downloaded from GPlay.
100.00% this take. Google is redefining "malware" to fit their corporate narrative so ads-with-ads-with-tracking is labeled as fine wine. It simply cannot be malware because that truth would decimate their shareholders. Malware by any other definition remains software that disrupts the user's ability to operate the device:
Both things might be true. Sideloaded apps are probably way more likely to be malicious, but also most installed malware/crapware is quite likely coming from Google Play.
To be honest the limited popularity of F-Droid also helps it be less targetted by bad actors. If it was more popular I would bet the situation would surely be different
This argument can be refuted by considering Debian repositories. No malware exists there despite it being a good target. It's the FLOSS that solves the malware problem, with a bit of moderation.
F-Droid still works the same as it did before. This just means that McDonald's can distribute its apps on its website without showing a scary warning on install on Google's Android builds.
What % of Android users actually want this? Do they know or care?
I've been using Android since 2010 because it was open in ways that the Apple ecosystem wasn't. I do not want this and imagine hardly any other power users (for lack of a better term) do. I'm already using a mostly deGoogled device but this really seals the deal. I have been longing for a true Linux phone for years and now seems like a good time to get serious about the search and migration plan.
When you jay walk you take the risk of being hit by a car, causing injuries to you, to the driver, and to other nearby people.
So I don't understand your analogy? Are you suggesting that pedestrians own the streets and should do what they please, as users own their phone and should have the right to do as they please? Or something else?
The term jaywalking was invented (or possibly hijacked) by automotive lobbyists as part of a campaign in 1910s and 1920s to convince the public and the lawmakers that crossing streets outside designated points is bad and should be made illegal. Before then, it was generally considered basic human right to walk anywhere on a street. Whether you agree that jaywalking is bad or not, that's the history of the term.
Grandparent is saying that the term sideloading was invented in a similar fashion to delegitimize a previously completely normal way to use an electronic device.
"Jaywalking" is one of those things that's uniquely American. Most other countries have realized that the risk of being hit by a car is its own deterrent. Or restrict the legal ban on crossing to highways, not all streets.
The UK Highway Code has a RFC-like use of MUST/SHOULD; MUST parts are legally binding, the parts relating to pedestrians are SHOULD.
Yeah, I'm willing to use my brain and look at incoming cars and just walk when it's empty and safe to do so? Where's the problem in that? I have eyes and can judge distance and speed?
Yeah. Computing freedom to have a root shell and do as I please is the entire reason I put up with Android. Google is positioning Android to just be nothing more than a worse iOS. There's pretty much no point to it anymore.
Same. If Google does this, my next phone will be an iPhone. Freedom is the only reason to put up with Android's shittiness. If they turn it into a walled garden, then we'll choose the better kept garden and it sure as hell isn't Google's.
I switched from iOS to Android about three years ago. I saved all the APKs for everything I installed (or updated) on that first phone. When I got a new phone last fall it was pleasantly like getting a new PC. I imported my SMS and contacts from my last backup (taken with an open source took I'd installed from an APK), then installed all the apps I use and imported or manually set any settings I wanted to customize.
Every non-stock app on my phone was installed from an APK directly downloaded from the manufacturer or open source developer's site / Github releases. I've never had a Google Play account and have never used any Android "app store".
The biggest pain was having to manually logon the couple of sites I allow to keep persistent cookies since device owners aren't allowed to just import/export cookies from mobile Chrome.
It has been a very nice experience. I appreciate the feeling of sovereignty and ownership of my device (even though it does have a locked bootloader and I don't actually have root).
I did something similar. Wanted a Pixel with Graphene OS but the screen hurt my eyes. Went with a Motorola with an IPS screen. Uninstalled or disabled all the crap. Never logged into Google. Went with Obtanium and F-Droid for most software. Aurora for a couple of apps that were only on the Play Store. Used NetGuard with a whitelist to lock it all down.
After all that was done, the phone felt like mine in a way that my iPhone doesn't. Was a good feeling. With luck, the Motorola + Graphene partnership will produce phones with screens better than the Pixel and I can keep doing this.
I ended up with a Motorola phone, too (albeit with an AMOLED screen so not the model you have). I got hooked on Motorola phones because of the "chop/chop" flashlight gesture. I don't think I can use a phone without that gesture ever again! >smile<
I'm hopeful, too, re: Motorola + Graphene. I wanted to use Graphene last fall wehn I got the new phone but I was committed to not giving Google any money.
That is true but they are also some of the most vocal advocates of certain systems. It is a king of trust errotion that doesnt show up for a very long time but by the time it does it is too late to reverse.
Tge flipside of that is that Google and Apple have no viable alternatives. It would take years to build what they have.
It took Huawei about 5 years with Harmony OS to do it but odds if that making it far out side of China is limited.
A large portion of which are using it in a feature phone capacity. Many only use smartphones because it’s what their carrier gave them after their old candybar dumbphone either broke or became unable to connect to cell towers.
The other groups are those who use it identically to how they would iOS (and don’t root or sideload), those that use it as computer replacement, and those who just like to tinker. Those last two groups are a tiny, tiny sliver relative to the others.
Especially once you start counting car entertainment systems, POTS terminals, digital signage, and hundreds of other classes of devices that are not genera-purpose toys.
The share of power users on iOS might be larger than expected because a lot of people working in tech fight computers for a living and prefer their phones to be simple appliances assigned to a relatively focused set of tasks.
You are talking not about Apple's walled garden. Don't confuse a skilled power user with a pesky celebrity who always prefers one button over two buttons because of complexity issue.
> What % of Android users actually want this? Do they know or care?
If Apple announced that they were going to allow installing apps like how you can install APKs you will have a whole group of people on here arguing against it because they want Apple to have control over everything. You could have seen those people in action on the Epic v. Apple and Digital Markets Act discussions.
Not sure why your observation was received poorly. It's true. If they actually wanted to fight bad actors they could (for example) introduce a voluntary verification program where an app cost $$$ per year to list, is permitted only a fixed number of updates per year, and the uploads are manually audited by an actual person. This would add a second tier to the app store.
Just to drive the point home. Not that you would do this but you _could_ even implement such a system fully anonymously - with uploads via tor and payments via XMR - and it should still work just as well.
Add in a third even more expensive tier for those providing source code to the auditor where google verifies a signed deterministic build the same way fdroid does. Now clearly mark the three different tiers in the app store.
And if they went this route the next logical step for highly sensitive stuff like banking and password management would be a fourth licensed and bonded tier where a verified individual located in a friendly country took on liability for any fraud or other malpractice. That tier would be the equivalent to the situation for civil engineers.
Instead we're stuck in a reality where I don't trust sourcing password managers (among other things) from the play store. Those only ever come from fdroid for me - you know, an actually secure model for how to do app distribution and verify builds.
Financial incentives aside, a higher assurance tier on the app store would enable me to tell my relatives "all apps that handle money or government details will always have this mark next to them" among other things. Whereas the current situation has me actively investigating moving them over to graphene.
Google/Android don't want AI bots spamming marketplaces with dodgy apps.
Tie in the app to a verified identity/individual and it makes the audit process easier as well as engagement with authorities from the user's country if required (e.g. app facilitating child abuse).
I'm going to go on a limb and say that the amount of apps dedicated to facilitating child abuse is close to 0, and the popular apps from verified developers being used for child abuse is close to 100%.
Do we think that maybe the 3,732 people who responded to a poll on Mastodon by an account centered around one side of this disagreement might potentially not be a representative sample of all Android users?
It's a bit hard to poll 4 billion devices, but out of all 4 billion devices I think it's safe to assume that the percentage of users who do care can be rounded up to maybe 1% at most.
Developers and enthusiasts are an extreme minority that's incredibly vocal. I think most people here disagree with Google's approach but too many people are pretending like their interests and use cases are significant on a "half the planet" scale.
Perhaps. And yet … 98% opposition from 4K respondents? I'd be very surprised to see any other poll that tilts the other way, regardless of sampling bias.
This change on its own doesn't make Google Android builds less open. It does the opposite. Now people can download apps directly from the websites of the publishers without getting a scary warning on Google Android builds. That's all this does.
Separately, they're going to increase friction the first time you allow installing apps outside of the Play Store or via this mechanism and also decrease friction on subsequent times, also on Google Android builds.
But but but it is for your security! You need to be protected!
Android isn't open source for a while. They started by pushing device certification which crippled any abilities of OEMs to make a better framework. Then they took many of the opensource packages out of android and redistributed as applications that they controlled via play services.
Then they made it harder to publish packages and created tons of rules that they can arbitrarily decide to cut ties with you or remove your remuneration.
What they are effectively doing now is to remove any ability of individual developers to push applications. Some will say the costs ain't that high, but (1) maybe not in USD dollars for Americans and (2) both Google and Apple will push those numbers way up high soon.
Even if that is not the case, if you don't agree with anything and you decide to have your own version of your family wiki, messenger or anything, they will be able to tell the authorities about it.
Android is becoming more Apple-ized everyday; it's horrible and more and more APIs get neutered or disappear, further limiting functionality available to developers.
Significantly larger than the number of users wanting to sideload.
There are millions of people affected by targeted scams every year, significantly outnumbering the non-developer sideload community. Especially when you take into account that the sideload community doesn't all use Google Android and isn't affected by this.
> What % of Android users actually want this? Do they know or care?
Bold of you assuming they're doing for users. It's fear-mongering at its finest - using the threat of security to install more control that has little to no protection against the said threats.
Now you might say it's going to raise the bar for the scammers, but nobody is going to be spending time on writing scam or malware for a few bucks. When the reward is high, they can just pay out already verified developers to distribute their builds under their accounts, or just find a workaround (fake ids?) which could be still way cheaper than the potential revenue potential of a successful attack. It's just an inconvenience that didn't existed before.
This is just a policy directly targeting the legit developers distributing apps to work around some of the platform's limitations (ie. uncrappifying youtube). They were previously free to share the workarounds they've developed for themselves since it was just as easy as sharing your APK. Now with added threat of losing your developer account and probably being perma-banned from google, those devs are less likely to continue distributing their workarounds.
It's not about users, it's about a single judges idiotic ruling that Google play store is a monopoly, and the Apple app store is not.
Different judge you say? You're right. But when Google in their appeal asked the judge why the app store isn't a monopoly, the judge told Google with a straight face
"You can't be anti-competitive if you have no competitors."
People will erroneously complain about all sorts of things. Doesn't mean you should act.
Anyway in this case it's nothing more than a thinly veiled excuse to justify making ecosystem changes that are in their favor. They aren't acting in good faith.
Do people complain about being scammed with Windows or macOS? Apparently not. So they probably also don't complain about Android. The security seems more an excuse to become more closed. Like iOS.
> Do people complain about being scammed with Windows
They do. They absolutely do. Where have you been in the last 20 years? Windows has had a reputation as an unsafe ecosystem for decades. Even amongst non-tech people. And even with the various exploits the biggest source of viruses on windows was always that, lacking a proper channel to distribute applications, they had trained their users to double click any .exe on the internet and the next>next>next in whatever installer. I don't agree with the tightening of developer account requirements, but this argument doesn't hold at all.
> They do. They absolutely do. Where have you been in the last 20 years?
The last time I heard these complaints were before Windows XP Service Pack 2, which added automatic Windows updates and ended the flood of viruses like Sasser or MyDoom.A. That was more than 20 years ago. On top of that, Windows Vista later added an integrated virus scanner and UAC dialogues, which gave you a big warning whenever you wanted to open an executable file. I haven't heard of any widespread viruses since. Nowadays most people don't even need to install software because most things are SAAS/cloud and run via the browser now.
Now the biggest "security issue" seems to stem from not-so-bright users being convinced by phone scammers to transfer them money or something like that. I don't think this is a problem with Windows.
Saying that computer/OS manufacturers should prevent malware is effectively equivalent to saying that they should not sell general purpose computers to the public. A general purpose computer is one that can run any program the users tells it to, which necessarily includes one that's malicious.
That doesn't necessarily preclude helping the user to notice when they're doing something dangerous, but a waiting period before the computer becomes general-purpose seems pretty extreme.
> Saying that computer/OS manufacturers should prevent malware is effectively equivalent to saying that they should not sell general purpose computers to the public.
(in Gilbert Huph (Wallace Shawn) voice) Yes, precisely!
The general consumer does not care about the distinction of if a product is technically a "general purpose computer" or not. They care about if the device is able to do what they want from it, providing them value.
>Companies shouldn't wait to solve issues like this
Unless you built your house yourself, you should expect the construction company to be responsible for verifying the identities of anyone entering your house. Asking for a passport and a one time payment, just in case the person who rings the bell may not be a friend.
That should be proactively helping you in case you're a vulnerable homeowner. Not checking in on every visitor would be evil, no?
I lived in an apartment building, and one of the upsides was that the building had a security system and a front desk that helped control who could be wandering down my hall.
But we, owners, collectively choose that. We choose the security company, we pay then, we can vote them out. Most importantly: the construction company has zero say in this.
Also, no one actually check the IDs of my friends, and they don't have to pay the construction company when they first come.
I give the codes, they ring, I open. I hire a company to monitor the building but I can kick then out any day.
> Companies shouldn't wait to solve issues like this - they should be proactively helping their most vulnerable users.
I think they should help their median users and empower their power users, and they should absolutely throw a few "most vulnerable" users under the bus if that's necessary. Otherwise you think about banning kitchen knives to protect the "most vulnerable users" who are too stupid to handle a knife. No, we shouldn't do that. Their stupidity should be their problem, not our problem.
Some degree of collateral damage must be accepted to maximize the expected value of a product or service. Minimizing risks can't be the top priority. Don't ban kitchen knives. What you are effectively arguing for is transforming both Windows and macOS into a closed iOS. Don't do that.
Pretty much everyone would hate it if a relative lost their life savings to a scammer, though they may not know it yet.
The idea isn't to protect the power users or average users. It's to protect the most vulnerable. Android is for everyone. Us power users will have a minor speed bump, but we can deal.
Android is for everyone, provided they submit to Google exclusively. It's not about power users, and that isn't a speed bump. You can protect vulnerable users without centralizing power like they did, but that's not their motivation so here we are.
> Android is for everyone. It’s built on a commitment to an open and safe platform. Users should feel confident installing apps, no matter where they get them from.
This intro immediately tells me that whatever comes after will be horrible for users and developers. Surprise surprise, I was right. Software to "verify" side loaded apps is a bad, anti user idea.
I pay for YouTube Premium and I have an alt app on my phone because the user experience is just better. You're supposed to have background play in the regular YouTube app, but videos regularly pause until you return to the yt app to reload.
It all worked perfectly fine back on my iPod touch, pre-premium bs. Tech is regressing.
I'm on a family plan (cheap) and I use it for the music player for the inevitable question of why I'm doing this.
If they're taking on verification, are they also taking on liability? Do we get to sue them if grandma gets scammed through an app they allow onto their phone?
> Starting in April, Android Developer Verifier will be installed on devices.
so they're rolling out a system app that will call home to check whether any sideloaded apps have been "verified" with the developer's government ID? and this process will happen regardless of whether the user has enabled the "advanced flow" in Developer settings?
Good of a reason as any to go google-less on my Graphene pixel, I guess. But man it sucks, mostly for all the people who can't. I can manage my financials and 2FA from my laptop, that was my last real reason to have google play installed, but it's just a convenience. (I know it's mandatory for others.)
I wonder how that sys app will be handled in GrapheneOS's google play sandbox?
That essay about being licensed to use a debugger was supposed to be an absurdist over-extrapolation for the sake of making a deeper point about software freedoms ... right? Seems more like they're using it as an instruction manual.
> It’s only when a user tries to install an unregistered app that they’ll require ADB or advanced flow, helping us keep the broader community safe while preserving the flexibility for our power users.
So, we have a sideloaded app now. Which has been increasingly tricky for our users to install. The warning they get is hard to understand. Does this mean essentially the end of sideloading?
If you get 'verified' by Google and sign your app, sideloading shouldn't change. That means money and ID checks, or a free 'hobbyist' carve out if you have <20 users.
If you don't want to play their game, sideloading will get substantially harder.
That's seriously horrible. There are 5+ open source android apps that I use and want to continue using that are not available on Play Store, but rather through alternative stores (like Zapstore, Obtainium).
If I get a phone with preinstalled Graphene OS (like the upcoming Motorola phone), then does it avoid this stupidity? Or even with Graphene it prevents me from installing apks?
F-Droid is in fact what an app store concerned about user safety looks like. Nobody gets hoodwinked into installing apps that track them or sell their data or otherwise abuse them on F-Droid.
That article's premise is that the Android security model is something that I want. It really isn't.
The F-Droid model of having multiple repositories in one app is absolutely perfect because it gives me control (rather than the operating system) over what repositories I decide to add. There is no scenario in which I wish Android to question me on whether I want to install an app from a particular F-Droid repository.
The section you linked in particular is a load of editorialized bullshit IMO. As far as I can tell the only legitimate complaint is that there is (or was?) some sort of issue with the signing methodology for both APKs and repository metadata. Specifically they were apparently very slow to replace deprecated methods that had known issues. However it's worth noting that they appear to have been following what were at one point standard practices.
The certificate pinning nonsense is particularly egregious. APT famously doesn't need TLS unless you're concerned about confidentiality. It's the same for any package manager that securely signs everything, and if there's ever a signing vulnerability then relying on TLS certainly might save you but seems extremely risky. On top of that the Android TOFU model means none of this matters in the slightest for already installed apps which is expected to be the case the vast majority of the time.
As far as I'm concerned F-Droid is the best currently available option. That said of course there are places it could improve.
Can you describe the threat model / specific attack under which... any of the supposed flaws on that page matter? (Most of the particular section you've linked appears to be about extra defenses that could be added, but which are unlikely to make a difference in the face of Android's TOFU signature verification on installed APKs.)
F-Droid is so irrelevant that it doesn't even begin being targeted by supply chain and scam attacks. Being obscure always help with this, but pretending that it's the same threat model is absolutely false.
I am part of the team running keepandroidopen.org and corralling the signatures for the open letter opposing this program. We've been trying to get Google to reverse course on this program ever since it was announced.
As it stands, Android Developer Verification (ADV) is a death sentence for F-Droid, Obtainium, and other competitors to the Google Play Store, both commercial and non-commercial. We are disappointed that they are still trying to steamroll this through in the face of overwhelming public opposition.
There are numerous reasons to object to the program, but a few of the top ones are:
1. You own your computer, and you should be the sole decision-maker for what software you can install on it.
2. "Malware" means whatever Google says it means, and their terms and conditions change daily; today malware is banking scams, tomorrow it is … ad-blocking? VPNs? Their decisions are un-reviewable and opaque, and they have obvious commercial incentives to block certain kinds of (otherwise-legal) software.
3. Centralizing global developer registrations through a US corporation makes it subject to the rules (and whims) of the current regime. Citizens of sanctioned countries or members of sanctioned entities (like the International Criminal Court) will be legally barred from registering, blocking them from creating and distributing software _anywhere_ in the world (not just the US).
4. Scenarios that Google claims ADV will protect against — such as high-pressure phone calls manipulating vulnerable users into installing scam apps — have _already_ been addressed by incremental improvements to Android security over the years, such as "Enhanced Fraud Protection" introduced in Android 13 (and expanded in Android 15). Android has incrementally improved its security features over its near 20 years of existence. There is no evidence that anything has suddenly changed to justify such a disproportionate and extreme lockdown.
5. Being required to pay Google for the privilege of uploading your government identification so that you might be permitted to contribute to the Android software ecosystem is such an abominable insult to the developers that helped build the platform. It deserves all the utter contempt that has been heaped upon it thus far, and begs regulatory scrutiny from those few countries that still have the courage to stand up to these bullies.
We emphatically recommend against developers signing up for this program or endorsing it in any way.
Is there any information about how the "advanced flow" will be implemented? According to keepandroidopen.org, this is going to be handled by Google Play Services. Does it mean it will be automatically installed via the silent, always-on GMS update mechanism and I should root my devices and remove GMS altogether if I don't want this?
tl;dr how to install an app from unverified developer ("advanced flow")
1. enable developer mode
2. confirm you aren't being coached
3. restart your phone and reauthenticate
4. come back after 24 hours and unlock device
5. install app from unverified developer, option of enabling for 7 days or indefinitely
This is apparently a one-time process. Advanced flow for users launches globally August 2026. Verification requirement kicks in September 2026.
Personally I am hopeful that people work toward a completely new, non-Android OS. 15 GB of space on my phone, and 1.5 GB of RAM, is dedicated to Android OS alone. This design, and the control this company (and the mobile providers, and device manufacturers) have over the mobile world, is ridiculous. Let's start over.
>15 GB of space on my phone, and 1.5 GB of RAM, is dedicated to Android OS alone
The original Droid phone I used had only 256mb of memory, and could still multitask and run multiple apps at once with that limited memory. Its crazy how bloated things have become over the years.
I mean, I’m sure “Fortnite with infinite vbucks.apk” has a much worse malware rate than the play store, but I’m almost certain that fdroid has a lower malware rate than the play store and I honestly suspect even “random apks off github” might have a similar rate to the play store
Older Androids which are fully rootable and unbrickable are cheap (maybe even monetarily free) and will let you continue to have freedom despite what Google wants.
"Those who give up freedom for security deserve neither."
Good job google. You just convinced our entire business to abandon our app (utilities company) and only target web. We are done with this shit. All our resources the next two weeks will be to fill in the gaps in our web clientzone so our thousands of customers can still buy electricity and pay water bill and have a similar experience than the app (it's 90% the same anyway).
Oh and my three personal apps that I installed via adb (not released on playstore) - the moment they stop working on my phone or hassle me about verification, I will get in my car and go buy an iPhone.
Next will be to degoogle the rest of my life, which is luckily only gmail. Guess how long it will take me to port out? Less than two days.
I only let companies violate me once. Then I'm out.
Play store is the biggest piece of trash malware system that exists today, but us normal businesses have to pull teeth and spend days jumping through hoops to get an app out, but the playstore is filled with infinite garbage that rot childrens brains.
At this point, I think I would prefer to carry a dumb flip phone for SMS and phone calls, and a smartphone-shaped generic touchscreen linux computer for everything else. It's becoming disturbingly impossible to find the former, and practically impossible (IME) to find the former.
Does anyone here have experience using Ubuntu Touch? That's the closest thing I've seen to "generic touchscreen linux" for mobile phone hardware. I'd love a device that works for multimedia, navigation, web browsing, and a handful of APKs like various chat apps (and really anything can can arbitrarily use the hardware), but it seems like tying a cellular modem to this ends up fucking up the whole dream because of carrier and manufacturer motivations/compensations.
>What Android versions will the developer verification requirements be enforced on? It will apply to all certified Android devices running Android 7 or higher. These updates are delivered through Google Play services to help maintain consistent security across the ecosystem. Last updated: March 23, 2026
I would genuinely like to know more about these supposed users who are side loading things and getting hoodwinked. It seems high enough friction that you have to have something of an idea of what you're doing to begin with. Everyone I've known who is side loaded anything has been reasonably technical.
My dad on the other hand, who worked for Control Data in the 1980s regularly installs some of the scummiest apps imaginable, and they're all from the Play Store proper.
Launchers that don't actually launch things and serve ads. Apps that launch full screen ads while you're doing things saying your device is infected. Absolute trash.
Like maybe just maybe put some energy into going after the stuff in the Play Store first. As the Play Store exists now, it is unsafe.
Have you seen those YouTube videos of people punking scammers? Scammers will convince people to drive to Target, buy gift cards, and read the credentials out over the phone. Those same people can surely talk you through tapping out a dialog flow.
That's presumably why there's a lockout period - it keeps a scammer from reasonably holding the line until they can pressure you to finish it.
> Have you seen those YouTube videos of people punking scammers? Scammers will convince people to drive to Target, buy gift cards, and read the credentials out over the phone. Those same people can surely talk you through tapping out a dialog flow.
...if the scammer can get the victim to physically drive to Target a buy a bunch of gift cards, what makes you think they need to install anything on your phone? Having RCE on a human is more useful than RCE on a device.
Their deception often relies on remote-controlling a PC, modifying a bank balance to show a fake number using basic "inspect element", and convincing the victim that they "accidentally" received a refund that's too high (often by having the victim type out the "refund" amount in their notepad-looking "refund system" and adding a couple of zeroes).
By making the victim believe that they're to blame for this innocent worker losing his job, they convince these people that they need to go outside normal financial systems to get the money back before anyone notices. Alternative scam scripts also have scammers pretend to be government officials threatening with fines and lawsuits, but the end goal is often to get into the victim's bank account in a way that the victim will tell the bank that everything is fine when fraud detection systems catch wire transfers or suspicious behaviour.
If the victim at any point opens up their official banking app, which scammers cannot control, they'll see that they never received the supposed "refund". With banks moving more and more functionality to apps, scammers can't pull the same tricks if they don't have access to your phone.
Scambaiting Youtubers have shown to be able to throw scammers of their guard by doing the most basic things. Disabling "inspect element" and cmd.exe will stop a scammer right in their tracks, because suddenly their phone script doesn't work any more.
If the victim needs to wait a full day, they'll be more likely to talk to someone. There are plenty of interviews with victims where they will say they realized their mistake hours or even minutes after it's too late. Stress and constant pressure is one of the primary means scammers employ to prevent people from thinking rationally so their obvious and ridiculous lies don't get spotted.
While I think developer verification is monumentally stupid and won't stop any serious scams, I do believe that the timeout measure Google makes people jump through does help.
So, anyway, how do we make sure that our phones don't turn into a pumpkin on a set date? I suppose it's all shit long term, but at the very least I don't want to be forced to look for a solution before I need a new phone. So, what do you do? Can you just disable android updates somehow and it will solve the issue? Or it is already a ticking bomb that will be activated on the set date no matter what?
> our recent analysis found over 90 times more malware from sideloaded sources than on Google Play
So what's the solution then? At the same time, I'm curious how this ends up happening to end users. Enabling unknown sources is trivial in a way (it's just one check box and if you try to install an APK from, say, Firefox, it'll take you right there), but how are people even getting to that point??
I'd say Hackernews knows enough people at Google to raise a stink about this, but it's not going to do any good. Sometime at the last WEF or Bilderberg meeting it was decided that KYC level identity verification should be required to use a computer or the internet, with more stringent requirements to program one. This, and much worse, is going to happen whether we like it or not.
If I do software for Windows, Linux or FreeBSD I don't need verification. And potential users aren't required to get software only from a certain app store.
This is a case of companies forcing things on us "for our own good" and them knowing better than us what is good for us or not.
I really want to like the concept of Jolla / a European mobile alternative but I see no reason why they're closed source SW in 2026. Open source everything, let the community help develop, and sell your hardware (and support/deals for B2B).
A single for-profit company owning the full HW and SW stack? My trust in companies lately is at a lifetime low. It just leaves a bad taste in my mouth.
I don't see a way out of this except government regulation. The EU has the most motivation to do it, as a huge economic bloc with a lot of motivation right now to become as independent from the US as possible.
I guess I can sort of manage to keep my head above water and keep buying secondhand phones which I unlock and install a supported version of LineageOS. But it's cumbersome, it gets more difficult and more restrictive every time. And I literally have a doctorate in computers for crying out loud! Is there any hope for Granny? For a kid? For >99% of people? Of course not.
This is so clearly a matter for government oversight: prevent abuse, monopolies, protect the citizen's safety, rights, welfare, etc. It's not reasonable to expect consumers to figure out if the meat they buy is tainted, just as it's not to figure out if their phone spies on them, manipulates information, or sells their data (especially when there's a duopoly). That's why we have laws and food inspectors, paid for by the public, working for the public. Same thing with digital rights.
> I don't see a way out of this except government regulation.
IMHO governments are partially behind those initiatives so they are unlikely to regulate themself- reason in last few years they intensified work on Digital ID, Age Verification, Chat control, KYC, etc.
EU is schizophrenic enough that it often produces very conflicting directions, opinions and policies.
One thing EU loves is regulation though, so I expect they will introduce preemptive regulations to enforce strict ID verification as well as regulations to fine big companies for breaching user privacy with strict ID verification policies.
"Next up in the ongoing trilogue, lawmakers will negotiate whether messenger and chat services, as well as app stores, will be legally obliged to implement age verification."
For the limits on side-loading in particular, there are a few southeast asian nations (I can't recall, Vietnam? Thailand?) where almost all internet access is via Android, including banking. And social engineering fraud, where they call someone up, pretend to be the bank, and get them to side-load malware, has become a major financial, and political problem.
AIUI, they have told Google to find a fix, or else.
> pretend to be the bank, and get them to side-load malware, has become a major financial, and political problem.
I been living in SE Asia for few years each in Thailand, Malaysia, Indonesia, Vietnam and really didn't notice that this is supposed to be like major political problem.
'Fraud' is the same smoke screen and excuse as 'protect the children from social media or pedophiles'.
I can't find it now, but the article I read seemed to say that the gov was specifically upset about the banking issue, and might tell the banks they can't allow apps anymore.
There are different governments and different subdivisions within any given government. The only thing you need to get a government that had been pushing Chat Control to do some trust busting is to get more votes.
"This is so clearly a matter for government oversight: prevent abuse, protect the citizen's safety, rights, welfare, etc. It's not reasonable to expect consumers to figure out if the meat they buy is tainted, just as it's not to figure out if the APPS THEY INSTALL spies on them, manipulates information, or sells their data"
Do you see how quickly that argument can be flipped to support what google is doing here? Honestly I wouldn't be surprised if half the reason to to lock down phones is because governments keep pressuring them to do so.
But what motivation has the EU to promulgate these regulations?
* Chat control is toothless if users can simply side-load an app without snooping.
* The EU companies who successfully lobbied for regulations against Apple now see that the 15% tax is worth it when they can A/B test the counterfactual. So those companies no longer care if Google will do the same thing.
* The EU is now in an awkward position that it is ok for a newspaper to sell your personal info via pay-or-consent, but not for a social network to do it. Some will keep yammering on about "gatekeepers", but it's sort of an emperor has no clothes moment.
* Declaring that iPadOs is a gatekeeper (after it failed to meet the quantitative criteria for such) was another such emperor has not clothes moment. The whole "gatekeeper" narrative has turned into a farce.
* The people commenting on this forum are not even a rounding error in the EU electorate.
> It's not reasonable to expect consumers to figure out if the meat they buy is tainted, just as it's not to figure out if their phone spies on them, manipulates information, or sells their data (especially when there's a duopoly).
Indeed! Neither would it be reasonable for the sellers of meat to demand anonymity! If one sells tainted meat, he should be held accountable! We should identify him!
Yet, the creators and sellers of software for a General Purpose Computer (remember, that is the argument why phones should be regulated) demand that they should be above the law, anonymous and unaccountable!
Schrodinger's computing device: The one which is so vital to everyday life that we must not prohibit the user to run whatever software he likes, yet so unimportant that we have not a care in the world to identify any fraudster who might wish to distribute software.
I'm wondering if the EU is complicit in this somehow, despite claiming that they want to fight back against tech companies.
The EU Commission is currently pushing the shitty EU Identity Wallet for mandatory age verification, and it requires GooglePlay Services to be installed for "anti-tampering". That also means a ban on non official versions of Android like LineageOS and GrapheneOS.
On the DMA, I have said that it does not go far enough, the Operating System (OS) market should be opened up, with a regulation in place so that alternative mobile and non-mobile OSes can be installed by the end user, notably by the mandatory registration and publication of technical hardware specifications, unlocking of bootloaders, etc...
30 years ago, the Linux community fought the pre-installed Windows tax and mostly lost that fight.
The "anti-tampering" excuse lands flat when sideloaded apps on stock Android can still touch the same sensitive data through Play Integrity, and the only people it shuts out are the ones technical enough to care about their own OS. That is vendor lock-in. For a bloc that spends half its time scolding Big Tech, the Comission looks weirdly happy to route age checks and state ID through Google Play Services.
The thing is, the EU needs to be able to not only sell that the regulation they propose is good to the public, but also not piss off the US administration.
Most people are too non-technical to understand why this is a bad thing even when it's explained to them. Plus, whatever administration is in power in the US has a lot of influence.
Trump has already said that he wouldn't tolerate regulation that affects American companies [1], painting regulation that happens in another country as something that will affect US citizens. (I mean if you use the GDPR as an example, it's not wrong. Think of cookie pop ups while browsing the web in the US)
I would like the the EU would go harder with their regulations, because it usually results in other countries or states following their lead, but I dont see that happening. Regulation has been painted as "bad", and we have at least 3 more years until that changes.
> rump has already said that he wouldn't tolerate regulation that affects American companies
This lays bare the stupidity of applying the pay-or-consent law to only Facebook and not everyone. Every important newspaper in Europe has pay-or-consent. It does not matter that each one individually is smaller, the effect is the same.
The law was carefully crafted to ensure European businesses (newspapers) are not "gatekeepers" while ensuring American businesses (social networks) are. That fact did not go unnoticed in the rest of the world.
So? There is a fundamental difference. The app stores have effectively become utility companies through the Android-iOS duopoly and it is neigh-impossible to make a new competitive ecosystem. Utility companies are regulated because they can distort the market with their power otherwise. E.g. if the power lines are owned my a single company (which is the case in many countries), if they were not regulated, they could pretty much ask any price. What are you going to do to compete? Roll out a completely new power grid? The Android/iOS duopoly is the same, the fact that they could ask for an insane 30% (!) of every transaction before the regulatory squeeze started should tell you enough.
The newspaper market is very different, because there are many players and you can always go to a competitor. There are even newspapers that make all content available and ask an optional donation (e.g. Taz in Germany or to some extend The Guardian, who do not seem actively block ad blockers).
Google freaked out that Apple had a better reputation and went all in on fucking their Android store up. Everything about it is worse now than it was before. So tiring.
Don't love it but (1) it's addressing a serious problem and I'm not sure what the alternative is and (2) if you all remember the starting place, it was staggeringly, dramatically worse, practically a death sentence for F-Droid and seemingly testing the waters for if they could simply power through and do it despite objection.
This is a major course correction that doesn't kill F-Droid. A one time 24 hour hoop to jump through and then never again is monumentally better than losing F-Droid forever.
Is it a serious problem that you can run whatever software you want on your computer? Should we make it so that no one can do that without permission to protect them?
I recommend Cory Doctorow's talk on why this is a serious problem for society:
Not enough people give a shit about "general purpose computing" to matter. They use computers for a few things and as long as they can do those things they're fine with it. My wife loves all her Apple gear. It provides her with a wonderful, curated experience. Okay, maybe it hasn't been so good with recent iOS releases but it still beats Android or Microslop. Being able to hack, modify, or install arbitrary stuff on your device is something only a minority of a minority care about, statistical noise in the quarterly sales figures. When you compare that to the harm done by malware, illegal or indecent material, and the negative blowback to YOUR OS's reputation—or worse, the "felony contempt of business model" enabled by a general-purpose OS (piracy, ad blocking, etc.)—it's a no-brainer to implement restrictions.
Yes, lots of vulnerable users get harmed by modern tech. E.g. people have lost their minds using AI, their livelihoods using smartphones, their life savings using the Internet. In general, I prefer a solution where any mental health issue (age-related infirmity, ADHD, etc.) result in protection from modern exploitative tech like this.
Every application use for such people should be supervised by a government official trained to ensure you are not hurting yourself.
This way people who want to use AI, smartphones, or the Internet can do so if they’re healthy and the mentally disabled can be protected. We know that this need exists because even on this “Hacker” News forum everyone gets very upset when a mentally disabled person gets injured after AI use.
It's pretending to address a serious issue while giving Google significant power to limit distribution of apps Google doesn't like, which could sometimes include legal apps that certain governments don't like such as the recently famous ICEBlock.
Google says they don't intend to do that, but even if I believe that's their current intention, they have a strong incentive to do otherwise in the future. Incentives predict outcomes more reliably than intentions.
I say it's pretending because scammers are good at shifting tactics. If convincing users to install malware ceases to be the path of least resistance, they'll convince users to install legitimate remote access utilities, hand over credentials directly, or some other scheme I haven't thought up because I'm not a scammer.
> they have a strong incentive to do otherwise in the future.
The reality is far worse than that. Remember FBI vs Apple? That defense came down to Apple not having software in place that could facilitate the demand being made of them. If they'd had such a system they would presumably have been required to comply.
The government can presumably get an illegal app forcibly removed from an app store but at present you could still install it yourself. With this system they could compel Google to block it entirely.
F-Droid has spent many years trying to step out of the "only for technical/power users" into the "This is a tool that normal phone users should have and use". A one time 24hr wait moves back to the "F-Droid is only for technical users" big time.
Bought a new phone? Moved from iPhone to Android? Want help from your friend/family member/librarian/other to setup your new phone for getting apps? Sorry, you need to come back a day later before you can actually use it.
Guess what the normal/non-tech user does in this 24hr period? Go to Play Store, install a bunch of apps, forget that you had the desire to use an alternative.
This indeed does make F-Droid no longer a tool for normal people, but only a tool for those willing to do a bunch of "Advanced" things on their phone. By definition, not regular users.
It really seems like they are doing a lot to appease the tiny minority of us power users, adb load unaffected, one time toggle in settings to opt out, no change to alternative app stores as long as the apk was built by a verified developer. Crazy how harsh the sentiment is here, there are real people being harmed by scam apps intercepting sms one time codes and this will reduce the rate of that happening. It's not like we can't sideload anymore, though a lot of comments here seem to be implying otherwise.
Because this is a glide path to what they really want, look at Apple and running unsigned apps on your Mac, how it started, simple right click, how is it going, near impossible.
Crazy idea, maybe they shouldn't be using those then. Maybe they should use email? Or god forbid a TOTP app. Or perhaps webauthn via the platform provided authenticator.
They very clearly aren't behaving in good faith. That's why the harsh sentiment.
But that "tiny minority" are the people developing apps, which all their other users use... if you drive away devs from wanting to develop on your platform that's not going to go well for you (of course, they may still be forced to develop for Android if they want a wide audience, but you're driving away hobbyists with new ideas)
I still don't get how they are driving away devs. It's super easy for us to click the setting. If I urgently need to test my app during the 24 hour waiting period, I can just adb it on my device.
Based on the reaction here, it's obvious I'm missing something here, but I just don't see any real reason devs are feeling like they are being driven away. It's hardly more of an inconvenience than enabling developer mode, and I feel like we all get why they hide the developer settings menu behind that.
Really, there are apps that will intercept and exfiltrate your bank one time code sms that are just sitting on the play store? First I'm hearing of this, what's the name of one?
1) Provided my company DUNS number etc. once to create the payment profile. I did this some times ago, don’t remember the details but it was an involved verification process and it is marked as verified business payment profile.
2) Later on the payment step verified myself with a passport and bank statement to be able to actually pay with a proper HSBC bank card. Not shady pre-paid card or something, those are not accepted anyway.
3) After I paid I was told that now I need to verify my identity once more but this time with the passport and the incorporation certificate or some other company document.
fingers crossed that in few days it will be verified. While waiting, it tells me that there are still website and email verification to do once the previous step is done. I already verified my e-mail a few times before paying.
It’s painful, slow and annoying because if you fail at a step(i.e. needs verification that takes days and you are told about it at the payment step) you have to start again with the forms.
I just remembered why I never use Android. It seems like no one owns the process and as a result you get unpolished shitty experience that fulfills the requirements of god knows how many people who work in the same company but don’t talk to each other.
Is there a way around this shitocracy?
- after fixing the app description I got rejected for using my app name(?!), multiple back and forths with the reviewer got me nowhere, they just copy pasted the same response not addressing my messages at all
- filled the app store review board appeal, it's been 5 days and I've got no response.
At this point I'm seriously considering rewriting the app for MacOS and distributing myself. I can't imagine going through all of this with every app update, it's beyond ridiculous.
However, thanks to many of us that only favour Chrome like IE of yore, and ship it alongside their "native" applications, the Web is nowadays ChromeOS Application Platform, so we are only a couple of years away of Google owning that as well.
Companies operating in Europe must provide a clear way to appeal automated decisions: https://www.edps.europa.eu/data-protection/our-work/publicat...
You might not have a way to actually file a complaint against them but quite often, their legal department will just have a quick look at your case and just give you what you want without bothering to tell you anything. Worth a shot.
Refuse to play. Switch to technologoy that the shitocracy has not gotten around to yet, or, eventually, pick up woodworking.
1: I mean, it is, certainly. I'm just not sure if I can make money by making leather gear.
Recent things I've had to do:
1) Re-submit an app after it was rejected and labelled a gambling app (it wasn't even close - a 15 second look by a real human would have seen that. This one was even appealed and the support was utterly useless. I ended up changing one word and re-submitting the app, approved no problem.
2) An existing app, in the Play store for years but a nice app - only about 500 installs. I had to submit a new version for no reason whatsoever... Except to keep the customers developer account active.
Those are just issues I've dealt with in the last month or two.
Every single time, Google Support is completely useless - including the appeals process, which is an absolute joke.
So bad actors would just target lower SDK versions and ignore the privacy improvements
Of course, they don't like this because then apps can't easily refuse to work if not allowed to spy.
Consider - it's a voip dialing client which has a requirement to provide location for E911 support.
If the OS vendor starts providing invalid data, it's the OS vendor which ends up being liable for the person's death.
e.g. https://www.cnet.com/home/internet/texas-sues-vonage-over-91...
which is from 2005, but gives you an idea of the liability involved.
And you can manually force only the voip dialing apps instead of everyone
The correct approach here (AFAIK) is to punt the trust decision to the bank by requiring payment with a method that you can confidently trace to the company.
However that invites those bad scenarios where someone gets blacklisted by BigTech in some manner, later gets hired by a small business, the new employer adds an association to the blacklisted account, and suddenly the company app is banned from the app store seemingly without reason. At least a few such stories have appeared on HN over the years.
I feel like pay to play ought to be sufficient because in addition to being a barrier to entry it also provides funds for moderation efforts.
Which is not that unreasonable even. If a person is flagged for making scam apps, them having publishing rights in a reputable place makes taints the reputation of such place.
You should be able to appeal of course and the oauth should not be towards google in the first place, but being associated with known fraudsters and scammers is not what you want.
BTW both the id card and the passport have cryptographic authentication and you are able to open a bank account or use govt services completely online by scanning it with the phone Rfid . They could have make me scan that, scan my face and be done with the identity verification. My identity is already verified and tied to my company the same way and also listed in the companies registry which means they could have had skipped all the other company verification stuff too.
The entire cumbersome process you describe can be viewed as Google doing a significantly worse job of verifying your identity than the bank would have.
As an aside, I suspect that leaving it to the bank would also provide additional legal protection. Specifically anyone attempting deception will most likely be forced to commit fraud against the bank which will probably be taken much more seriously than otherwise.
The authorization is not transitive so to say.
>As an aside, I suspect that leaving it to the bank would also provide additional legal protection
If it would, they will have to pay the bank for it and the bank should also be willing to accept the liability (spoiler alert -- the will not be willing to accept the liability)
That is you, for tax and legal purposes in the jurisdictions within which you reside, an individual, operating a business by yourself as yourself.
My experience with getting a verified "business" developer account from Google mirrors the experience as getting one from Apple, except it's a one-time fee and much less than Apple.
Yes there are hoops to jump through, identification usually requires some hoops, but pretty it's straightforward. I am not commenting on the requirements of these hoops, yes, it's BS that they exist but it's their platform so it's their rules.
What type of "experience" are you expecting to have anyway?
How does that mirror uploading my passport many times, entering company details many times, typing my e-mail and phone numbers many times both because I had to start over and because I was asked many times even if I provided these some steps back? Now I paid and waiting, hopefully I will later be verifying my e-mail address or something that I verified a few times prior.
> What type of "experience" are you expecting to have anyway?
The Apple experience. An experience that is well thought and streamlined, that doesn’t keep me entering the same information over and over again. I don’t mind paying a little more for well designed products. The $75 difference is nothing to justify this charade, I don’t think that that Google was short of $75 and designed this low quality experience, I think it’s engraver in their DNA.
Being told upfront what is required to complete the process so you don't have to start over again multiple times?
What would you consider broken?
Google has seemingly never seen an elderly person's phone, where it is completely infected with crap including literal popup ads (that somehow overlay other apps), yet all of it was downloaded from GPlay.
https://en.wikipedia.org/wiki/Malware
https://www.ibm.com/think/topics/malware
https://www.cloudflare.com/learning/ddos/glossary/malware/
https://www.cisco.com/site/us/en/products/security/what-is-m...
https://www.britannica.com/technology/malware
https://www.fortinet.com/resources/cyberglossary/malware
https://www.kaspersky.com/resource-center/threats/what-is-ma...
https://www.mcafee.com/learn/malware/
https://www.trendmicro.com/en_us/what-is/malware.html
https://www.t-mobile.com/home-internet/the-signal/internet-h...
https://www.merriam-webster.com/dictionary/malware
Google doesn't care about F-Droid one way or the other. It's a niche project that barely registers on the scale of all Android users.
I've been using Android since 2010 because it was open in ways that the Apple ecosystem wasn't. I do not want this and imagine hardly any other power users (for lack of a better term) do. I'm already using a mostly deGoogled device but this really seals the deal. I have been longing for a true Linux phone for years and now seems like a good time to get serious about the search and migration plan.
So I don't understand your analogy? Are you suggesting that pedestrians own the streets and should do what they please, as users own their phone and should have the right to do as they please? Or something else?
Grandparent is saying that the term sideloading was invented in a similar fashion to delegitimize a previously completely normal way to use an electronic device.
The UK Highway Code has a RFC-like use of MUST/SHOULD; MUST parts are legally binding, the parts relating to pedestrians are SHOULD.
In the cities? Yes, absolutely.
Every non-stock app on my phone was installed from an APK directly downloaded from the manufacturer or open source developer's site / Github releases. I've never had a Google Play account and have never used any Android "app store".
The biggest pain was having to manually logon the couple of sites I allow to keep persistent cookies since device owners aren't allowed to just import/export cookies from mobile Chrome.
It has been a very nice experience. I appreciate the feeling of sovereignty and ownership of my device (even though it does have a locked bootloader and I don't actually have root).
Of course Google would take this away. >sigh<
After all that was done, the phone felt like mine in a way that my iPhone doesn't. Was a good feeling. With luck, the Motorola + Graphene partnership will produce phones with screens better than the Pixel and I can keep doing this.
I'm hopeful, too, re: Motorola + Graphene. I wanted to use Graphene last fall wehn I got the new phone but I was committed to not giving Google any money.
Tge flipside of that is that Google and Apple have no viable alternatives. It would take years to build what they have.
It took Huawei about 5 years with Harmony OS to do it but odds if that making it far out side of China is limited.
The other groups are those who use it identically to how they would iOS (and don’t root or sideload), those that use it as computer replacement, and those who just like to tinker. Those last two groups are a tiny, tiny sliver relative to the others.
If Apple announced that they were going to allow installing apps like how you can install APKs you will have a whole group of people on here arguing against it because they want Apple to have control over everything. You could have seen those people in action on the Epic v. Apple and Digital Markets Act discussions.
Just to drive the point home. Not that you would do this but you _could_ even implement such a system fully anonymously - with uploads via tor and payments via XMR - and it should still work just as well.
Add in a third even more expensive tier for those providing source code to the auditor where google verifies a signed deterministic build the same way fdroid does. Now clearly mark the three different tiers in the app store.
And if they went this route the next logical step for highly sensitive stuff like banking and password management would be a fourth licensed and bonded tier where a verified individual located in a friendly country took on liability for any fraud or other malpractice. That tier would be the equivalent to the situation for civil engineers.
Instead we're stuck in a reality where I don't trust sourcing password managers (among other things) from the play store. Those only ever come from fdroid for me - you know, an actually secure model for how to do app distribution and verify builds.
And Google benefits financially from the problem.
Tie in the app to a verified identity/individual and it makes the audit process easier as well as engagement with authorities from the user's country if required (e.g. app facilitating child abuse).
I'm going to go on a limb and say that the amount of apps dedicated to facilitating child abuse is close to 0, and the popular apps from verified developers being used for child abuse is close to 100%.
2%, according to the keepandroidopen.org poll[^1]
[^1] https://techhub.social/@keepandroidopen/116251892296272830
Developers and enthusiasts are an extreme minority that's incredibly vocal. I think most people here disagree with Google's approach but too many people are pretending like their interests and use cases are significant on a "half the planet" scale.
Separately, they're going to increase friction the first time you allow installing apps outside of the Play Store or via this mechanism and also decrease friction on subsequent times, also on Google Android builds.
Android isn't open source for a while. They started by pushing device certification which crippled any abilities of OEMs to make a better framework. Then they took many of the opensource packages out of android and redistributed as applications that they controlled via play services.
Then they made it harder to publish packages and created tons of rules that they can arbitrarily decide to cut ties with you or remove your remuneration.
What they are effectively doing now is to remove any ability of individual developers to push applications. Some will say the costs ain't that high, but (1) maybe not in USD dollars for Americans and (2) both Google and Apple will push those numbers way up high soon.
Even if that is not the case, if you don't agree with anything and you decide to have your own version of your family wiki, messenger or anything, they will be able to tell the authorities about it.
This is insane....
There are millions of people affected by targeted scams every year, significantly outnumbering the non-developer sideload community. Especially when you take into account that the sideload community doesn't all use Google Android and isn't affected by this.
Bold of you assuming they're doing for users. It's fear-mongering at its finest - using the threat of security to install more control that has little to no protection against the said threats.
Now you might say it's going to raise the bar for the scammers, but nobody is going to be spending time on writing scam or malware for a few bucks. When the reward is high, they can just pay out already verified developers to distribute their builds under their accounts, or just find a workaround (fake ids?) which could be still way cheaper than the potential revenue potential of a successful attack. It's just an inconvenience that didn't existed before.
This is just a policy directly targeting the legit developers distributing apps to work around some of the platform's limitations (ie. uncrappifying youtube). They were previously free to share the workarounds they've developed for themselves since it was just as easy as sharing your APK. Now with added threat of losing your developer account and probably being perma-banned from google, those devs are less likely to continue distributing their workarounds.
Different judge you say? You're right. But when Google in their appeal asked the judge why the app store isn't a monopoly, the judge told Google with a straight face
"You can't be anti-competitive if you have no competitors."
Google took note.
Anyway in this case it's nothing more than a thinly veiled excuse to justify making ecosystem changes that are in their favor. They aren't acting in good faith.
They do. They absolutely do. Where have you been in the last 20 years? Windows has had a reputation as an unsafe ecosystem for decades. Even amongst non-tech people. And even with the various exploits the biggest source of viruses on windows was always that, lacking a proper channel to distribute applications, they had trained their users to double click any .exe on the internet and the next>next>next in whatever installer. I don't agree with the tightening of developer account requirements, but this argument doesn't hold at all.
The last time I heard these complaints were before Windows XP Service Pack 2, which added automatic Windows updates and ended the flood of viruses like Sasser or MyDoom.A. That was more than 20 years ago. On top of that, Windows Vista later added an integrated virus scanner and UAC dialogues, which gave you a big warning whenever you wanted to open an executable file. I haven't heard of any widespread viruses since. Nowadays most people don't even need to install software because most things are SAAS/cloud and run via the browser now.
Now the biggest "security issue" seems to stem from not-so-bright users being convinced by phone scammers to transfer them money or something like that. I don't think this is a problem with Windows.
Companies shouldn't wait to solve issues like this - they should be proactively helping their most vulnerable users. That is the "do no evil" motto.
I don't know enough to say whether this method is the right approach however.
That doesn't necessarily preclude helping the user to notice when they're doing something dangerous, but a waiting period before the computer becomes general-purpose seems pretty extreme.
(in Gilbert Huph (Wallace Shawn) voice) Yes, precisely!
Unless you built your house yourself, you should expect the construction company to be responsible for verifying the identities of anyone entering your house. Asking for a passport and a one time payment, just in case the person who rings the bell may not be a friend.
That should be proactively helping you in case you're a vulnerable homeowner. Not checking in on every visitor would be evil, no?
I can't think of a better approach.
But we, owners, collectively choose that. We choose the security company, we pay then, we can vote them out. Most importantly: the construction company has zero say in this.
Also, no one actually check the IDs of my friends, and they don't have to pay the construction company when they first come.
I give the codes, they ring, I open. I hire a company to monitor the building but I can kick then out any day.
I own the place, you see?
I think they should help their median users and empower their power users, and they should absolutely throw a few "most vulnerable" users under the bus if that's necessary. Otherwise you think about banning kitchen knives to protect the "most vulnerable users" who are too stupid to handle a knife. No, we shouldn't do that. Their stupidity should be their problem, not our problem.
Some degree of collateral damage must be accepted to maximize the expected value of a product or service. Minimizing risks can't be the top priority. Don't ban kitchen knives. What you are effectively arguing for is transforming both Windows and macOS into a closed iOS. Don't do that.
The idea isn't to protect the power users or average users. It's to protect the most vulnerable. Android is for everyone. Us power users will have a minor speed bump, but we can deal.
This intro immediately tells me that whatever comes after will be horrible for users and developers. Surprise surprise, I was right. Software to "verify" side loaded apps is a bad, anti user idea.
And that launch country list is most likely the countries where cracked YouTube Premium is most common.
App piracy is huge by copying around modded APK's, and everyone's grandma is doing it.
It all worked perfectly fine back on my iPod touch, pre-premium bs. Tech is regressing.
I'm on a family plan (cheap) and I use it for the music player for the inevitable question of why I'm doing this.
> Starting in April, Android Developer Verifier will be installed on devices.
so they're rolling out a system app that will call home to check whether any sideloaded apps have been "verified" with the developer's government ID? and this process will happen regardless of whether the user has enabled the "advanced flow" in Developer settings?
I wonder how that sys app will be handled in GrapheneOS's google play sandbox?
GOS have already said users won't be impacted by this clampdown.
So, we have a sideloaded app now. Which has been increasingly tricky for our users to install. The warning they get is hard to understand. Does this mean essentially the end of sideloading?
If you don't want to play their game, sideloading will get substantially harder.
If I get a phone with preinstalled Graphene OS (like the upcoming Motorola phone), then does it avoid this stupidity? Or even with Graphene it prevents me from installing apks?
F-Droid has not meaningfully improved since that piece was written, either. No one should use F-Droid.
The F-Droid model of having multiple repositories in one app is absolutely perfect because it gives me control (rather than the operating system) over what repositories I decide to add. There is no scenario in which I wish Android to question me on whether I want to install an app from a particular F-Droid repository.
The section you linked in particular is a load of editorialized bullshit IMO. As far as I can tell the only legitimate complaint is that there is (or was?) some sort of issue with the signing methodology for both APKs and repository metadata. Specifically they were apparently very slow to replace deprecated methods that had known issues. However it's worth noting that they appear to have been following what were at one point standard practices.
The certificate pinning nonsense is particularly egregious. APT famously doesn't need TLS unless you're concerned about confidentiality. It's the same for any package manager that securely signs everything, and if there's ever a signing vulnerability then relying on TLS certainly might save you but seems extremely risky. On top of that the Android TOFU model means none of this matters in the slightest for already installed apps which is expected to be the case the vast majority of the time.
As far as I'm concerned F-Droid is the best currently available option. That said of course there are places it could improve.
https://news.ycombinator.com/item?id=47354917
As it stands, Android Developer Verification (ADV) is a death sentence for F-Droid, Obtainium, and other competitors to the Google Play Store, both commercial and non-commercial. We are disappointed that they are still trying to steamroll this through in the face of overwhelming public opposition.
There are numerous reasons to object to the program, but a few of the top ones are:
1. You own your computer, and you should be the sole decision-maker for what software you can install on it.
2. "Malware" means whatever Google says it means, and their terms and conditions change daily; today malware is banking scams, tomorrow it is … ad-blocking? VPNs? Their decisions are un-reviewable and opaque, and they have obvious commercial incentives to block certain kinds of (otherwise-legal) software.
3. Centralizing global developer registrations through a US corporation makes it subject to the rules (and whims) of the current regime. Citizens of sanctioned countries or members of sanctioned entities (like the International Criminal Court) will be legally barred from registering, blocking them from creating and distributing software _anywhere_ in the world (not just the US).
4. Scenarios that Google claims ADV will protect against — such as high-pressure phone calls manipulating vulnerable users into installing scam apps — have _already_ been addressed by incremental improvements to Android security over the years, such as "Enhanced Fraud Protection" introduced in Android 13 (and expanded in Android 15). Android has incrementally improved its security features over its near 20 years of existence. There is no evidence that anything has suddenly changed to justify such a disproportionate and extreme lockdown.
5. Being required to pay Google for the privilege of uploading your government identification so that you might be permitted to contribute to the Android software ecosystem is such an abominable insult to the developers that helped build the platform. It deserves all the utter contempt that has been heaped upon it thus far, and begs regulatory scrutiny from those few countries that still have the courage to stand up to these bullies.
We emphatically recommend against developers signing up for this program or endorsing it in any way.
Perhaps your team should promote GNU/Linux phones instead, which do not depend on a megacorp.
Sent from my Librem 5.
Personally I am hopeful that people work toward a completely new, non-Android OS. 15 GB of space on my phone, and 1.5 GB of RAM, is dedicated to Android OS alone. This design, and the control this company (and the mobile providers, and device manufacturers) have over the mobile world, is ridiculous. Let's start over.
The original Droid phone I used had only 256mb of memory, and could still multitask and run multiple apps at once with that limited memory. Its crazy how bloated things have become over the years.
Mobian, PureOS, postmarketOS already exist. Sent from my Librem 5.
Has anyone seen the report for that analysis. I bet most people here would love to read it too.
"Those who give up freedom for security deserve neither."
Oh and my three personal apps that I installed via adb (not released on playstore) - the moment they stop working on my phone or hassle me about verification, I will get in my car and go buy an iPhone.
Next will be to degoogle the rest of my life, which is luckily only gmail. Guess how long it will take me to port out? Less than two days.
I only let companies violate me once. Then I'm out.
Play store is the biggest piece of trash malware system that exists today, but us normal businesses have to pull teeth and spend days jumping through hoops to get an app out, but the playstore is filled with infinite garbage that rot childrens brains.
Wake up.
Does anyone here have experience using Ubuntu Touch? That's the closest thing I've seen to "generic touchscreen linux" for mobile phone hardware. I'd love a device that works for multimedia, navigation, web browsing, and a handful of APKs like various chat apps (and really anything can can arbitrarily use the hardware), but it seems like tying a cellular modem to this ends up fucking up the whole dream because of carrier and manufacturer motivations/compensations.
Will bypassing this bureaucracy be just a matter of buying a Chinese Android phone?
>What Android versions will the developer verification requirements be enforced on? It will apply to all certified Android devices running Android 7 or higher. These updates are delivered through Google Play services to help maintain consistent security across the ecosystem. Last updated: March 23, 2026
My dad on the other hand, who worked for Control Data in the 1980s regularly installs some of the scummiest apps imaginable, and they're all from the Play Store proper.
Launchers that don't actually launch things and serve ads. Apps that launch full screen ads while you're doing things saying your device is infected. Absolute trash.
Like maybe just maybe put some energy into going after the stuff in the Play Store first. As the Play Store exists now, it is unsafe.
That's presumably why there's a lockout period - it keeps a scammer from reasonably holding the line until they can pressure you to finish it.
...if the scammer can get the victim to physically drive to Target a buy a bunch of gift cards, what makes you think they need to install anything on your phone? Having RCE on a human is more useful than RCE on a device.
By making the victim believe that they're to blame for this innocent worker losing his job, they convince these people that they need to go outside normal financial systems to get the money back before anyone notices. Alternative scam scripts also have scammers pretend to be government officials threatening with fines and lawsuits, but the end goal is often to get into the victim's bank account in a way that the victim will tell the bank that everything is fine when fraud detection systems catch wire transfers or suspicious behaviour.
If the victim at any point opens up their official banking app, which scammers cannot control, they'll see that they never received the supposed "refund". With banks moving more and more functionality to apps, scammers can't pull the same tricks if they don't have access to your phone.
Scambaiting Youtubers have shown to be able to throw scammers of their guard by doing the most basic things. Disabling "inspect element" and cmd.exe will stop a scammer right in their tracks, because suddenly their phone script doesn't work any more.
If the victim needs to wait a full day, they'll be more likely to talk to someone. There are plenty of interviews with victims where they will say they realized their mistake hours or even minutes after it's too late. Stress and constant pressure is one of the primary means scammers employ to prevent people from thinking rationally so their obvious and ridiculous lies don't get spotted.
While I think developer verification is monumentally stupid and won't stop any serious scams, I do believe that the timeout measure Google makes people jump through does help.
So what's the solution then? At the same time, I'm curious how this ends up happening to end users. Enabling unknown sources is trivial in a way (it's just one check box and if you try to install an APK from, say, Firefox, it'll take you right there), but how are people even getting to that point??
This is a case of companies forcing things on us "for our own good" and them knowing better than us what is good for us or not.
I stuck with Android for years as a dev as I once did Android apps and occasionally do tinker.
This is my last Android phone and Jolla is my next phone.
A single for-profit company owning the full HW and SW stack? My trust in companies lately is at a lifetime low. It just leaves a bad taste in my mouth.
I stopped because Pixel AOSP phones were actually decent.
Now I guess i'll be buying phones based on which I can flash with custom roms again.
I guess I can sort of manage to keep my head above water and keep buying secondhand phones which I unlock and install a supported version of LineageOS. But it's cumbersome, it gets more difficult and more restrictive every time. And I literally have a doctorate in computers for crying out loud! Is there any hope for Granny? For a kid? For >99% of people? Of course not.
This is so clearly a matter for government oversight: prevent abuse, monopolies, protect the citizen's safety, rights, welfare, etc. It's not reasonable to expect consumers to figure out if the meat they buy is tainted, just as it's not to figure out if their phone spies on them, manipulates information, or sells their data (especially when there's a duopoly). That's why we have laws and food inspectors, paid for by the public, working for the public. Same thing with digital rights.
IMHO governments are partially behind those initiatives so they are unlikely to regulate themself- reason in last few years they intensified work on Digital ID, Age Verification, Chat control, KYC, etc.
One thing EU loves is regulation though, so I expect they will introduce preemptive regulations to enforce strict ID verification as well as regulations to fine big companies for breaching user privacy with strict ID verification policies.
https://www.patrick-breyer.de/en/end-of-chat-control-eu-parl...
"Next up in the ongoing trilogue, lawmakers will negotiate whether messenger and chat services, as well as app stores, will be legally obliged to implement age verification."
AIUI, they have told Google to find a fix, or else.
I been living in SE Asia for few years each in Thailand, Malaysia, Indonesia, Vietnam and really didn't notice that this is supposed to be like major political problem.
'Fraud' is the same smoke screen and excuse as 'protect the children from social media or pedophiles'.
Do you see how quickly that argument can be flipped to support what google is doing here? Honestly I wouldn't be surprised if half the reason to to lock down phones is because governments keep pressuring them to do so.
* Chat control is toothless if users can simply side-load an app without snooping.
* The EU companies who successfully lobbied for regulations against Apple now see that the 15% tax is worth it when they can A/B test the counterfactual. So those companies no longer care if Google will do the same thing.
* The EU is now in an awkward position that it is ok for a newspaper to sell your personal info via pay-or-consent, but not for a social network to do it. Some will keep yammering on about "gatekeepers", but it's sort of an emperor has no clothes moment.
* Declaring that iPadOs is a gatekeeper (after it failed to meet the quantitative criteria for such) was another such emperor has not clothes moment. The whole "gatekeeper" narrative has turned into a farce.
* The people commenting on this forum are not even a rounding error in the EU electorate.
> It's not reasonable to expect consumers to figure out if the meat they buy is tainted, just as it's not to figure out if their phone spies on them, manipulates information, or sells their data (especially when there's a duopoly).
Indeed! Neither would it be reasonable for the sellers of meat to demand anonymity! If one sells tainted meat, he should be held accountable! We should identify him!
Yet, the creators and sellers of software for a General Purpose Computer (remember, that is the argument why phones should be regulated) demand that they should be above the law, anonymous and unaccountable!
Schrodinger's computing device: The one which is so vital to everyday life that we must not prohibit the user to run whatever software he likes, yet so unimportant that we have not a care in the world to identify any fraudster who might wish to distribute software.
The EU Commission is currently pushing the shitty EU Identity Wallet for mandatory age verification, and it requires GooglePlay Services to be installed for "anti-tampering". That also means a ban on non official versions of Android like LineageOS and GrapheneOS.
We need an urgent upgrade of the DMA v2.O, in the fast paced Omnibus package.
Feel free to post proposals here.
30 years ago, the Linux community fought the pre-installed Windows tax and mostly lost that fight.
And Google thinks it can pull this ridiculous stunt.
Most people are too non-technical to understand why this is a bad thing even when it's explained to them. Plus, whatever administration is in power in the US has a lot of influence.
Trump has already said that he wouldn't tolerate regulation that affects American companies [1], painting regulation that happens in another country as something that will affect US citizens. (I mean if you use the GDPR as an example, it's not wrong. Think of cookie pop ups while browsing the web in the US)
I would like the the EU would go harder with their regulations, because it usually results in other countries or states following their lead, but I dont see that happening. Regulation has been painted as "bad", and we have at least 3 more years until that changes.
[1] https://www.cnn.com/2026/01/12/tech/us-eu-tech-regulation-fi...
This lays bare the stupidity of applying the pay-or-consent law to only Facebook and not everyone. Every important newspaper in Europe has pay-or-consent. It does not matter that each one individually is smaller, the effect is the same.
The law was carefully crafted to ensure European businesses (newspapers) are not "gatekeepers" while ensuring American businesses (social networks) are. That fact did not go unnoticed in the rest of the world.
The newspaper market is very different, because there are many players and you can always go to a competitor. There are even newspapers that make all content available and ask an optional donation (e.g. Taz in Germany or to some extend The Guardian, who do not seem actively block ad blockers).
This is a major course correction that doesn't kill F-Droid. A one time 24 hour hoop to jump through and then never again is monumentally better than losing F-Droid forever.
I recommend Cory Doctorow's talk on why this is a serious problem for society:
https://en.wikisource.org/wiki/The_Coming_War_on_General_Com...
https://www.youtube.com/watch?v=HUEvRyemKSg
Unfortunately. I talked about this a bit on LWN: https://lwn.net/Articles/1063741/
The problem is very, very real. I don't doubt that Google also has ulterior motives, but in this case they _are_ justified at least partially.
Every application use for such people should be supervised by a government official trained to ensure you are not hurting yourself.
This way people who want to use AI, smartphones, or the Internet can do so if they’re healthy and the mentally disabled can be protected. We know that this need exists because even on this “Hacker” News forum everyone gets very upset when a mentally disabled person gets injured after AI use.
Google says they don't intend to do that, but even if I believe that's their current intention, they have a strong incentive to do otherwise in the future. Incentives predict outcomes more reliably than intentions.
I say it's pretending because scammers are good at shifting tactics. If convincing users to install malware ceases to be the path of least resistance, they'll convince users to install legitimate remote access utilities, hand over credentials directly, or some other scheme I haven't thought up because I'm not a scammer.
The reality is far worse than that. Remember FBI vs Apple? That defense came down to Apple not having software in place that could facilitate the demand being made of them. If they'd had such a system they would presumably have been required to comply.
The government can presumably get an illegal app forcibly removed from an app store but at present you could still install it yourself. With this system they could compel Google to block it entirely.
You take a step forward.
He takes a step back.
"Meet me in the middle" says the unjust man.
Bought a new phone? Moved from iPhone to Android? Want help from your friend/family member/librarian/other to setup your new phone for getting apps? Sorry, you need to come back a day later before you can actually use it.
Guess what the normal/non-tech user does in this 24hr period? Go to Play Store, install a bunch of apps, forget that you had the desire to use an alternative.
This indeed does make F-Droid no longer a tool for normal people, but only a tool for those willing to do a bunch of "Advanced" things on their phone. By definition, not regular users.
Newspapers should only report news at a minimum 7 days after the fact to ensure accurate reporting.
Toasters should lock everything in until it's completely room temperature to avoid accidental burns.
These are serious problems.
How it's going: almost everything is signed, even pirated apps.
????
Crazy idea, maybe they shouldn't be using those then. Maybe they should use email? Or god forbid a TOTP app. Or perhaps webauthn via the platform provided authenticator.
They very clearly aren't behaving in good faith. That's why the harsh sentiment.
Based on the reaction here, it's obvious I'm missing something here, but I just don't see any real reason devs are feeling like they are being driven away. It's hardly more of an inconvenience than enabling developer mode, and I feel like we all get why they hide the developer settings menu behind that.