Google will allow users to sideload Android apps without verification

Posted by erohead 3 hours ago

Google will allow users to sideload Android apps without verification(android-developers.googleblog.com)

345 points | 127 comments

svat 2 hours ago|

From the very first announcement of this, Google has hinted that they were doing this under pressure from the governments in a few countries. (I don't remember the URL of the first announcement, but https://android-developers.googleblog.com/2025/08/elevating-... is from 2025-August-25 and mentions “These requirements go into effect in Brazil, Indonesia, Singapore, and Thailand”.) The “Why verification is important” section of this blog post goes into a bit more detail (see also the We are designing this flow specifically to resist coercion, ensuring that users aren't tricked into bypassing these safety checks while under pressure from a scammer), but ultimately the point is:

there cannot exist an easy way for a typical non-technical user to install “unverified apps” (whatever that means), because the governments of countries where such scams are widespread will hold Google responsible.

Meanwhile this very fact seems fundamentally unacceptable to many, so there will be no end to this discourse IMO.

thisislife2 58 minutes ago||

I don't buy this argument at all that this specific implementation is under pressure from the government - if the problem is indeed malware getting access to personal data, then the very obvious solution is to ensure that such personal data is not accessible by apps in the first place! Why should apps have access to a user's SMS / RCS? (Yeah, I know it makes onboarding / verification easy and all, if an app can access your OTP. But that's a minor convenience that can be sacrificed if it's also being used for scams by malware apps).

But that kind of privacy based security model is anathema to Google because its whole business model is based on violating its users' privacy. And that's why they have come with such convoluted implementation that further give them control over a user's device. Obviously some government's too may favour such an approach as they too can then use Google or Apple to exert control over their citizens (through censorship or denial of services).

Note also that while they are not completely removing sideloading (for now) they are introducing further restrictions on it, including gate-keeping by them. This is just the "boil the frog slowly" approach. Once this is normalised, they will make a move to prevent sideloading completely, again, in the future.

cesarb 27 minutes ago|||

> Why should apps have access to a user's SMS / RCS?

It could be an alternative SMS app like TextSecure. One of the best features of Android is that even built-in default applications like the keyboard, browser, launcher, etc can be replaced by alternative implementations.

It could also be a SMS backup application (which can also be used to transfer the whole SMS history to a new phone).

Or it could be something like KDE Connect making SMS notifications show up on the user's computer.

thisislife2 11 minutes ago||

That's all indeed valid.

> One of the best features of Android is that even built-in default applications like the keyboard, browser, launcher, etc can be replaced by alternative implementations.

When sideloading is barred all that can easily change. If you are forced to install everything from the Google Play Store, Google can easily bar such things, again in the name of "security" - alternate keyboards can steal your password, alternate browsers can have adware / malware, alternate launcher can do many naughty things etc. etc.

And note that if indeed giving apps access to SMS / RCS data is really such a desirable feature, Google could have introduced gate-keeping on that to make it more secure, rather than gate-keeping sideloading. For example, their current proposal says that they will allow sideloading with special Google Accounts. Instead of that, why not make it so that an app can access SMS / RCS only when that option is allowed when you have a special Google Account?

The point is that they want to avoid adding any barriers where a user's private data can't be easily accessed.

Lammy 2 hours ago|||

Google have their own reasons too. They would love to kill off YouTube ReVanced and other haxx0red clients that give features for free which Google would rather sell you on subscription.

Just look at everything they've done to break yt-dlp over and over again. In fact their newest countermeasure is a frontpage story right beside this one: https://news.ycombinator.com/item?id=45898407

svat 1 hour ago|||

I can easily believe that Google's YouTube team would love to kill off such apps, if they can make a significant (say ≥1%) impact on revenue. (After all, being able to make money from views is an actual part of the YouTube product features that they promise to “creators”, which would be undermined if they made it too easy to circumvent.)

But having seen how things work at large companies including Google, I find it less likely for Google's Android team to be allocating resources or making major policy decisions by considering the YouTube team. :-) (Of course if Android happened to make a change that negatively affected YouTube revenue, things may get escalated and the change may get rolled back as in the infamous Chrome-vs-Ads case, but those situations are very rare.) Taking their explanation at face value (their anti-malware team couldn't keep up: bad actors can spin up new harmful apps instantly. It becomes an endless game of whack-a-mole. Verification changes the math by forcing them to use a real identity) seems justified in this case.

My point though was that whatever the ultimate stable equilibrium becomes, it will be one in which the set of apps that the average person can easily install is limited in some way — I think Google's proposed solution here (hobbyists can make apps having not many users, and “experienced users” can opt out of the security measures) is actually a “least bad” compromise, but still not a happy outcome for those who would like a world where anyone can write apps that anyone can install.

Zak 41 minutes ago||

I would like a world where buying something means you get final say over how it operates even if you might do something dangerous/harmful/illegal.

ashleyn 14 minutes ago||||

yt-dlp's days are fairly numbered as Google has a trump card they can eventually deploy: all content is gated behind DRM. IIRC the only reason YouTube content is not yet served exclusively through DRM is to maintain compatibility with older hardware like smart TVs.

Aurornis 1 hour ago||||

You’re still proving the point above, which is ignoring the fact that the restriction is specifically targeted at a small number of countries. Google is also rolling out processes for advanced users to install apps. It’s all in the linked post (which apparently isn’t being read by the people injecting their own assumptions)

Google is not rolling this out to protect against YouTube ReVanced but only in a small number of countries. That’s an illogical conclusion to draw from the facts.

unsungNovelty 1 hour ago||

Its my device. Not google's. Imagine telling you which NPM/PIP packages you can install from your terminal.

Also, its not SIDE loading. Its installing an app.

freefaler 1 hour ago|||

Well... it would be good if this was true, but read the ToS and it looks more like a licence to use than "ownership" sadly :(

da_chicken 1 hour ago||||

Yeah, let's ask the Debian team about installing packages from third party repos.

I'm not on the side of locking people out, but this is a poor argument.

cookiengineer 1 hour ago||

> Yeah, let's ask the Debian team about installing packages from third party repos.

Debian already is sideloaded on the graciousness of Microsoft's UEFI bootloader keys. Without that key, you could not install anything else than MS Windows.

Hence you don't realize how good of an argument it is, because you even bamboozled yourself without realizing it.

It gets a worse argument if we want to discuss Qubes and other distributions that are actually focused on security, e.g. via firejail, hardened kernels or user namespaces to sandbox apps.

xnx 1 hour ago|||

I agree, but I don't see why Google gets more critical attention than the iPhone or Xbox.

charcircuit 2 hours ago|||

You would still be able to adb installs them. They wouldn't die.

gblargg 1 hour ago|||

Somehow I think having to use ADB instead of something like F-Droid with automatic updates would put a damper on things.

gdulli 1 hour ago||||

Developers of these apps would have little motivation if the maximum audience size was cut down to the very few who would use adb. The ecosystem would die.

userbinator 52 minutes ago||

Or someone comes up with an easy adb wrapper and now it becomes the go-to way to install apps.

xyzzy_plugh 4 minutes ago||

Shizuku[0][1] already exists, it would certainly suck but it wouldn't be the end of the world.

Of course I would be much happier if I didn't need to use Shizuku in the first place.

[0]: https://play.google.com/store/apps/details?id=moe.shizuku.pr...

[1]: https://shizuku.rikka.app/

AuthError 2 hours ago||||

how many people ll do this though? i would expect sub 1% conversion from existing users if they had to do that

tomrod 1 hour ago|||

I bought the hardware, therefore I have the right to modify and repair. Natural right, full stop. That right ends are your nose, as the saying goes.

kccqzy 1 hour ago|||

Consider whether your natural right argument might not stand in several other countries’ legal systems.

The era of United States companies using common sense United States principles for the whole world is coming to an end.

orbital-decay 1 hour ago||

Okay, but currently it's the opposite: an US company is forcing the principles of these few legal systems for the whole world.

ashikns 1 hour ago||||

Yeah then you have the choice to not buy the locked down hardware, you don't have a right to get open hardware FROM Google.

Of course there are no good options for open hardware, but that is a related but separate problem.

orbital-decay 55 minutes ago||

It's not a separate problem, Google are actively suppressing any possibility of open mobile hardware. They force HW manufacturers to keep their specs secret and make them choose between their ecosystem and any other, not both. There's a humongous conflict of interests and they're abusing their dominating position.

colordrops 15 minutes ago||||

I don't think it's illegal to do whatever you want with your phone. That doesn't mean google legally is required to make it easy or even possible. That being said I ethically they should allow it, and considering their near monopoly status they should be forced to keep things open. In fact there should be right to repair laws too.

Aurornis 1 hour ago|||

> Natural right, full stop.

You’re still missing the point the comment is making: In countries where governments are dead set on holding Google accountable for what users do on their phones, it doesn’t matter what you believe to be your natural right. The governments of these countries have made declarations about who is accountable and Google has no intention of leaving the door open for that accountability.

You can do whatever you want with the hardware you buy, but don’t confuse that with forcing another company to give you all of the tools to do anything you want easily.

brazukadev 1 hour ago||

That's deflection, there's Google blocking users from installing apps and there's OP insinuating that it might be because of governments coercion but there's no evidence to support this. Scammers pay Google to show ads to install apps, that's what the governments are holding Google responsible and it won't change with blocking installing apps.

xg15 53 minutes ago|||

> there cannot exist an easy way for a typical non-technical user to install “unverified apps” (whatever that means), because the governments of countries where such scams are widespread will hold Google responsible.

You can also view this as a "tragedy of the commons" situation. Unverified apps and sideloading is actively abused by scammers right now.

> Meanwhile this very fact seems fundamentally unacceptable to many, so there will be no end to this discourse IMO.

I get that viewpoint and I'm also very glad an opt-out now exists (and the risk that the verification would be abused is also very real), but yeah, more information what to do against scammers then would also be needed.

LoganDark 1 hour ago|||

It's not possible to provide a path for advanced users that a stupid person can't be coerced to use.

Moreover, it's not possible to provide a path for advanced users that a stupid person won't use by accident, either.

These are what drive many instances of completely missing paths for advanced users. It's not possible to stop coercion or accidents. It is literally impossible. Any company that doesn't want to take the risk can only leave advanced users completely out of the picture. There's nothing else they can do.

Google will fail to prevent misuse of this feature, and advanced users will eventually be left in the dust completely as Google learns there's no way to safely provide for them. This is inevitable.

edent 31 minutes ago||

Android could have, for example, a 24 hour "cooling off" period for sideloading approval. Much like some bootloader unlocking - make it subject to a delay.

That immediately takes the pressure off people who are being told that their bank details are at immediate risk.

hattmall 10 minutes ago|||

The people gullible enough to fall for a scam like that are also gullible enough to follow more instructions 24 hours later. I think if you could force a call to the phone and have an agent or even AI that talks to user and makes sure no scam is involved then gives an unlock code based on deviceID or something. But that would cost money and scammers would work around it anyway.

cesarb 20 minutes ago|||

> Android could have, for example, a 24 hour "cooling off" period for sideloading approval.

And, to prevent the scammer from simply calling back once the 24 hours are gone, make it show a couple of warnings (at random times so they can't be predicted by the scammer) explaining the issue, with rejecting these warnings making the cooling off timer reset (so a new attempt to enable would need another full 24 hours).

m463 49 minutes ago|||

this is an unresolvable issue

  security = 1/convenience

or in this case:

  security = 1/freedom  or agency

Aurornis 1 hour ago|||

> because the governments of countries where such scams are widespread will hold Google responsible.

This is the unsurprising consequence of trying to hold big companies accountable for the things people do with their devices: The only reasonable response is to reduce freedoms with those devices, or pull out of those countries entirely.

This happened a lot in the early days of the GDPR regulations when the exact laws were unclear and many companies realized it was safer to block those countries entirely. Despite this playing out over and over again, there are still constant calls on HN to hold companies accountable for user-submitted content, require ID verification, and so on.

raincole 1 hour ago|||

Yes. The same goes with payment processing. I hate visa/mastercard as much as the next person. But if the court says they're accountable for people who buy drug/firearm/child porn, then it seems to be a quite reasonable reaction for them to preemptively limit what the users can buy or sell.

The government(s) have to treat the middlemen as middlemen. Otherwise they are forced to act as gatekeepers.

jacquesm 1 hour ago|||

These two things are not the same. The GDPR afforded rights to common people. Those companies that would pull out are the ones that were abusing data that was never theirs and could no longer do so.

jacquesm 1 hour ago|||

That's a disingenuous argument though: they are in that position because they chose to make themselves the only way that a 'normal' user is able to install software on these devices. If not for that these governments wouldn't have a point to apply pressure on in the first place.

wmf 1 hour ago||

Or maybe Google just has empathy for people losing millions to scams?

jacquesm 1 hour ago|||

No, then the results of many google web searches would not put scam sites at the top over the official sites. Google is fine with people being scammed. As long as they get their cut. Large corporations don't have empathy.

spaqin 1 hour ago||||

From what I've seen, millions lost to scams are with social engineering; through cold calls masquerading as the authorities, phishing, pig butchering; plenty of scam apps on the Play store harvesting data as well, but not a single real life instance of malware installed outside the officially sanctioned platform.

tjpnz 50 minutes ago|||

The same scams Google's ad network facilitates and Google in turn profits from?

xyzzy_plugh 7 minutes ago||

> we are building a new advanced flow that allows experienced users to accept the risks of installing software that isn't verified. We are designing this flow specifically to resist coercion, ensuring that users aren't tricked into bypassing these safety checks while under pressure from a scammer. It will also include clear warnings to ensure users fully understand the risks involved, but ultimately, it puts the choice in their hands.

As long as this is a one-time flow: Good, great, yes, I'll gladly scroll through as many prompts as you want to enable sideloading. I understand the risks!

But I fear this will be no better than Apple's flow for installing unsigned binaries in macOS.

Please do better.

Aachen 2 hours ago||

Edit: be sure to read geoffschmidt's reply below /edit

The buried lede:

> a dedicated account type for students and hobbyists. This will allow you to distribute your creations to a limited number of devices without going through the full verification

So a natural limit on how big a hobby project can get. The example they give, where verification would require scammers to burn an identity to build another app instead of just being able to do a new build whenever an app gets detected as malware, shows that apps with few installs are where the danger is. This measure just doesn't add up

jacquesm 1 hour ago||

And of course: you need an account, rather than simply allowing you to tell your OS that yes, you know what you're doing.

geoffschmidt 2 hours ago||

But see also the next section ("empowering experienced users"):

> We are building a new advanced flow that allows experienced users to accept the risks of installing software that isn't verified

Aachen 2 hours ago|||

Oh! I thought I had found the crucial piece finally after ~500 words, but there's indeed better news in the section after that! Thanks, I can go sleep with a more optimistic feeling now :)

Also this will kill any impetus that was growing on the Linux phone development side, for better or worse. We get to live in this ecosystem a while longer, let's see if people keep damocles' sword in mind and we might see more efforts towards cross-platform builds for example

ryandrake 2 hours ago||

Let's take the "W". This is pretty good news!

catlikesshrimp 1 hour ago|||

I am not english native. Is "The W" a synonym for "A Win", described as a positive outcome after a contest? Is there more nuance or context than that?

thristian 1 hour ago||

I think it's from people reporting sports statistics for a player or team as "W:5 L:7" meaning "five wins and seven losses".

https://knowyourmeme.com/memes/l-and-w-slang

benatkin 1 hour ago|||

This isn't a "W", but I am finding my own "W" from this by seeing others distrust Google, and remembering to continue supporting and looking for open alternatives to Google.

rrix2 1 hour ago||||

it's probably just gonna be under the Developer Options "secret" menu

metadat 1 hour ago||||

So.. all this drama over an alert(yes/no) box?

Wow, this really pulls back the veil. This Vendor (google) is only looking out for numero uno.

cesarb 53 minutes ago|||

> So.. all this drama over an alert(yes/no) box?

A simple yes/no alert box is not "[...] specifically to resist coercion, ensuring that users aren't tricked into bypassing these safety checks while under pressure from a scammer". In fact, AFAIK we already have exactly that alert box.

No, what they want is something so complicated that no muggle could possibly enable it, either by accident or by being guided on the phone.

Zak 26 minutes ago||

I imagine what they're going to do involves a time delay so a scammer cannot wait on the phone with a victim while they do it.

Aurornis 1 hour ago|||

> So.. all this drama over an alert(yes/no) box?

The angry social media narratives have been running wild from people who insert their own assumptions into what’s happening.

It’s been fairly clear from the start that this wasn’t the end of sideloading, period. However that doesn’t get as many clicks and shares as writing a headline claiming that Google is taking away your rights.

devsda 28 minutes ago|||

> The angry social media narratives have been running wild from people who insert their own assumptions

There may have been exaggerations in some cases but these hand wavy responses like "you can still do X but you just can't do Y and Z is now mandatory" or "you can always use Y" is how we got to this situation in the first place.

This is just the next evolution of SafetyNet & play integrity API. Remember how many said use alternatives. Not saying safetynet is bad but I don't believe their intentions were to stop at just that.

gumby271 1 hour ago||||

Sorry what? Their original plan absolutely was the end of sideloading on-device outside of Google's say so. That's what the angry social media narratives were that you seem upset about. Anyone being pedantic and pointing out that adb install is still an option therefore sideloading still exists can fuck off at this point.

kcb 1 hour ago||||

What are you talking about? This change for "experienced users" was only just announced and not part of any previous announcement. It has not been clear from the start at all.

Superblazer 56 minutes ago|||

Have you missed the plot entirely? This is absurd

gblargg 1 hour ago|||

Let me guess, a warning box that requires me to give permission to the app to install from third-party sources? Is that not clear enough confirmation that I know what I'm doing? /s

themafia 2 hours ago||

> Keeping users safe on Android is our top priority.

I highly doubt this is your "top" priority. Or if it is then you're gotten there by completely ignoring Google account security.

> intercepts the victim's notifications

And who controls these notifications and forces application developers to use a specific service?

> bad actors can spin up new harmful apps instantly.

Like banking applications that use push or SMS for two factor authentication. You seem to approve those without hesitation. I guess their "top" priority is dependent on the situation.

klabb3 38 minutes ago||

> > intercepts the victim's notifications

> And who controls these notifications and forces application developers to use a specific service?

Am I alone in being alarmed by this? Are they admitting that their app sandboxing is so weak that a malicious app can exfil data from other unaffiliated apps? And they must instead rely on centralized control to disable those apps after the crime? So.. what’s the point of the sandboxing - if this is just desktop level lack of isolation?

Glossing over this ”detail” is not confidence inspiring. Either it’s a social engineering attack, in which case an app should have no meaningful advantage over traditional comms like web/email/social media impersonation. Or, it’s an issue of exploits not being patched properly, in which case it’s Google and/or vendor responsibility to push fixes quickly before mass malware distribution.

The only legit point for Google, to me, is apps that require very sensitive privileges, like packet inspection or OS control. You could make an argument that some special apps probably could benefit from verification or special approvals. But every random app?

Zak 22 minutes ago||

> Are they admitting that their app sandboxing is so weak that a malicious app can exfil data from other unaffiliated apps?

An app can read the content of notifications if the appropriate permissions are granted, which includes 2FA codes sent by SMS or email. That those are bad ways to provide 2FA codes is its own issue.

I want that permission to exist. I use KDE Connect to display notifications on my laptop, for example. Despite the name, it's not just for KDE or Linux - there are Windows and Mac versions too.

BrenBarn 2 hours ago|||

Their top priority is making money.

hekkle 30 minutes ago|||

BINGO! Google doesn't care at all about user security.

- Just yesterday there was a story on here about how Google found esoteric bugs in FFMPEG, and told volunteers to fix it.

- Another classic example, about how Google doesn't give a stuff about their user's security is the scam ads they allow on youtube. Google knows these are scams, but don't care because they there isn't regulation requiring oversight.

gpm 11 minutes ago||

> Just yesterday there was a story on here about how Google found [a security vulnerability that anyone running `ffmpeg -i <untrusted file> ...` was vulnerable to] in FFMPEG, and told [the world about it so that everyone could take appropriate action before hackers found the same thing and exploited it, having first told the ffmpeg developers about it in case they wanted to fix it before it was announced publicly]

Fixed that for you. Google's public service was both entirely appropriate and highly appreciated.

shirro 1 hour ago|||

Making money and complying with the law. They are obligated to do both. In many countries laws are still enforced.

Protecting their app store revenues from competition exposes them to scrutiny from competition regulators and might be counter productive.

Many governments are moving towards requiring tech companies to enforce verification of users and limit access to some types of software and services or impose conditions requiring software to limit certain features such as end to end encryption. Some prominent people in big tech believe very strongly in a surveillance state and we are seeing a lot of buy in across the political spectrum, possibly due to industry lobbying efforts. Allowing people to install unapproved software limits the effectiveness of surveillance technologies and the revenues of those selling them. If legal compliance risks are pushing this then it is a job for voters, not Google to fix.

boxedemp 2 hours ago|||

Only a few things in life are for sure. Death, taxes, and corpospeak.

_factor 2 hours ago||

Hey, sometimes the dumbest people it works on are also the ones with the decision making ability. What a world to live in.

ajkjk 1 hour ago||

this is an absurd rant. they invest, like, billions into security. It's not as perfect as you want it to be but "completely ignoring" is a joke. if you've got actual grievances you should say what they are so that we can actually get on your side instead of rolling our eyes

asadotzler 1 hour ago|||

They absolutely eo completely ignore many security and privacy things because they're very selective in what they focus on, particularly around how those things might impact their ad revenue.

How much they spend is no indicator of how and where they spend it, so is hardly a compelling argument.

wmf 1 hour ago|||

I'm not the OP but we know that SMS is not secure. Google should try banning that first.

Ms-J 6 minutes ago||

Google still hasn't changed anything but took the opportunity to again insult their customers within the first headline, titled "Why verification is important".

Google goes on to say how taking away one of your last remaining rights is good for you, if you like it or not.

It is clear to everyone why Google is partnering with governments around the world to remove our rights to installing apps. Laws are not on your side and must be reevaluated on an individual level to move forward. You decide your own terms, you have the power.

Only we can stop this together.

sipofwater 1 hour ago||

* "Android Developer Verification Discourse" by agnostic-apollo (https://github.com/agnostic-apollo), Termux app (https://github.com/termux/termux-app) developer: https://gist.github.com/agnostic-apollo/b8d8daa24cbdd216687a... (gist.github.com/agnostic-apollo/b8d8daa24cbdd216687a6bef53d417a6) and https://old.reddit.com/r/termux/comments/1ourtxj/android_dev... (old.reddit.com/r/termux/comments/1ourtxj/android_developer_verification_discourse/)

* "Android Developer Verification Proposed Changes" by agnostic-apollo (https://github.com/agnostic-apollo), Termux app (https://github.com/termux/termux-app) developer: https://issuetracker.google.com/issues/459832198 via https://old.reddit.com/r/termux/comments/1ourtxj/android_dev... (old.reddit.com/r/termux/comments/1ourtxj/android_developer_verification_discourse/)

sipofwater 1 hour ago|

Android Debug Bridge (https://developer.android.com/tools/adb) using two Android smartphones and Termux (https://github.com/termux/termux-app):

* Search for "Smartphone-1 to Smartphone-2" "adb tcpip 5555" in "Motorola moto g play 2024 smartphone, Termux, termux-usb, usbredirect, QEMU running under Termux, and Alpine Linux: Disks with Globally Unique Identifier (GUID) Partition Table (GPT) partitioning": https://old.reddit.com/r/MotoG/comments/1j2g5gz/motorola_mot... (old.reddit.com/r/MotoG/comments/1j2g5gz/motorola_moto_g_play_2024_smartphone_termux/)

* Search for "termux-adb" in "Motorola moto g play 2024 Smartphone, Android 14 Operating System, Termux, And cryptsetup: Linux Unified Key Setup (LUKS) Encryption/Decryption And The ext4 Filesystem Without Using root Access, Without Using proot-distro, And Without Using QEMU": https://old.reddit.com/r/MotoG/comments/1jkl0f8/motorola_mot... (old.reddit.com/r/MotoG/comments/1jkl0f8/motorola_moto_g_play_2024_smartphone_android_14/)

BrenBarn 2 hours ago||

The key question for me is whether this "advanced flow" will allow the practical use of entirely separate app stores (like F-Droid) or if they're going to throw up tons of barriers for every individual app install.

sowbug 15 minutes ago||

If I were designing the advanced flow, I'd require the decision to be made at phone setup time. Changing your mind later requires a factory reset.

Real sideloaders (F-Droid users, etc.) know at setup time that that's how they'll be using their phone, so it works for them. But ordinary users who are targets for sideloading malware will become a lot less attractive if attackers must convince them to wipe their phone to complete the coercive instructions.

Aliexpress has a similar approach to protect their accounts from takeovers. If you change or forget your password, all your saved payment methods are erased. This makes the account less valuable to an attacker, at the cost of a little pain to authentic account holders.

201984 1 minute ago||

No, that's ridiculous. If I want to send an app to someone, now they have to wipe their phone to install it? That would kill installing non-Play apps far more than Google's original proposal.

tadfisher 1 hour ago|||

There's a second path, whereby F-Droid registers as an "alternative app store", which is a new category of app created in the fallout of Epic Games v. Google [0]. This is interesting because it applies to all regions and will necessarily need more elevated permissions than the typical REQUEST_INSTALL_PACKAGES permission used today. No idea what requirements Google will impose on such apps.

[0]: https://en.wikipedia.org/wiki/Epic_Games_v._Google

NewJazz 2 hours ago|||

If F-Droid is no longer part of the android community, then neither will I.

I'm not too worried. My employer should be, though.

AndrewDavis 1 hour ago|||

It all depends on how the flow is implemented.

If it's a one time unlock, eg like developer mode then hopefully it'll just work.

If it's a big long flow per install... Yikes, that's not much better than adb install

andrepd 1 hour ago||

Correct me if I'm wrong but doesn't the EU digital markets act mandate this?

gumby271 1 hour ago||

Isn't Apple technically complying with this even while forcing notarization? Seems like Google could get away with the same scheme.

gpm 50 minutes ago||

Apple says they are. The EU says they aren't. They're fighting over it.

uneven9434 8 minutes ago||

There are many real-world sideloading abuse cases in China. Attackers often trick victims with plausible stories—e.g., claiming a flight is delayed—and ask them to sideload an app (a remote‑meeting or remote‑control tool) to share their screen. Once installed, the attacker can view the victim’s screen and intercept SMS 2FA codes for online banking or other sensitive accounts.

Other schemes include impersonating sex workers to lure victims into nude video chats, then persuading them to install an app that harvests private content and contacts for blackmail.

Spivak 2 minutes ago|

Yes, this is called malware and isn't the fault of being able to install software on your device.

bilsbie 2 hours ago||

I don’t like to see the word “allow” in the same sentence with a device I own.

edoceo 1 hour ago|

It's a device you own, sure. But you've licensed the software.

EMIRELADERO 1 hour ago|||

This is misleading though. There is simply no other choice if you want to use mainstream apps. It could be argued (successfully in my view) that any agreement is null and void due to its acceptance under duress.

Users have an inherent legal right to unconditionally access the full advertised functionality of devices they purchase. Any agreement after that is inherently suspect and I wouldn't be surprised to find out it was ruled unconscionable by some court if it came to that.

devsda 50 minutes ago||||

If there is an alternative software that can run on the device without going through extraordinary hoops, I may agree that it is licensed.

If there is no other alternative, buying hardware and licensing software are not two different steps. Its just buying a device.

flagos10 1 hour ago|||

We need a free-as-in-freedom version of Android.

wmf 1 hour ago||

GrapheneOS

pabs3 7 minutes ago|

> When the user logs into their real banking app, the malware captures their two-factor authentication codes

That seems like a severe security bug in Android APIs or sandboxing or something else.

> bad actors can spin up new harmful apps instantly

Why are harmful apps possible at all?

More comments...