Posted by erohead 5 hours ago

Google will allow users to sideload Android apps without verification (android-developers.googleblog.com)
345 points | 127 comments | page 2

xg15 2 hours ago
So there was the very concrete problem that F-Droid could not continue to function with the verification requirements, because they rebuild every app and so would have to know every key.

Do the changes here do anything for F-Droid?

gpm 4 hours ago
8 days ago Google and Epic announced a proposed settlement and modification of a permanent injunction that Epic won. I believe this proposed settlement would likely have prohibited Google's plan to forbid installation of third party apps (excluding app stores from the definition of apps) unless those app developers had paid Google a registration fee. The proposed settlement is here [1]; the relevant portion is:

> 13. For a period beginning on the Effective Date through June 30, 2032, Google will [...] and will continue to permit the direct downloading of apps from developer websites and third-party stores without any fees being imposed for those downloads unless the downloads originate from linkouts from apps installed/updated by Google Play (excluding web browsers).

6 days ago the court expressed skepticism as to the proposal and announced that they'd have a hearing, with testimony from expert witnesses, as to whether it would prevent the market harms that the original injunction was trying to cure [2].

Today Google announces this, effectively confirming that they're backing down from their requirement that third party app developers pay Google prior to distributing their apps.

Nothing (yet) is explicitly tying these together, but I can't help but suspect that this move is in large part being made to convince the court that they're actually intending to honour this portion of the proposed injunction even though Epic would have little reason to enforce it.

[1] https://storage.courtlistener.com/recap/gov.uscourts.cand.36...

[2] https://storage.courtlistener.com/recap/gov.uscourts.cand.36...

dgoldstein0 2 hours ago
Did we read the same thing? I think Google here said there would be a $25 fee per developer (for those who can't fit in their limited distribution category). I suppose it's much better than a fee per paid install but it's not nothing.
gpm 2 hours ago
See the "Empowering experienced users" section.

They announced the $25 "verification" plan a while ago. The new part in this article is that they're going to have it remain possible to install software that didn't do that "verification".

> Based on this feedback and our ongoing conversations with the community, we are building a new advanced flow that allows experienced users to accept the risks of installing software that isn't verified.

nunez 2 hours ago
Glad to see Google come to their senses on this. Disabling it entirely would have basically guaranteed an exodus of power users over to iOS. If your only choices are walled gardens, you might as well pick the easiest, prettiest one.
gowthamgts12 1 hour ago
it's not

> "Google come to their senses on this"

it's

> "Google was forced to their senses on this"

Sytten 4 hours ago
In the end when supporting the non-tech people in the family, what I would really like is to set up their device so they can install anything on F-Droid but nothing from the Play Store (unless approved by me) nor direct from an APK.
rpdillon 2 hours ago
This is exactly what I do. Works pretty well. I've never needed to restrict the Play Store. I just tell them not to use it.
wmf 3 hours ago
I wonder if MDM can do that.
erohead 5 hours ago
Sounds like they're rolling back the mandatory verification flow:

> Based on this feedback and our ongoing conversations with the community, we are building a new advanced flow that allows experienced users to accept the risks of installing software that isn't verified. We are designing this flow specifically to resist coercion, ensuring that users aren't tricked into bypassing these safety checks while under pressure from a scammer. It will also include clear warnings to ensure users fully understand the risks involved, but ultimately, it puts the choice in their hands. We are gathering early feedback on the design of this feature now and will share more details in the coming months.

gowthamgts12 1 hour ago
> Sounds like they're rolling back the mandatory verification flow

absolutely no. this is for the user side. but if you're a developer who is planning to publish the app in alternative play store/from your website, you have to do verification flow. please read the full text.

Ajedi32 33 minutes ago
That's only if you don't want your users to have to jump through whatever hoops are needed to bypass the verification requirement.
Ajedi32 25 minutes ago
I'm a little nervous about what this advanced flow is going to look like, given that sideloading already requires jumping through a bunch of hoops to enable and even that apparently wasn't enough to satisfy Google.

I'm cautiously optimistic though. I'm generally okay with nanny features as long as there's a way to turn them off and it sounds like that's what this "advanced flow" does.

silisili 4 hours ago
I feel like if safety was really their top priority, they would have done this long ago and not bothered with this mandatory signing nonsense to begin with...

Still, it seems like good news, so I'll take it.

zzo38computer 3 hours ago
If adb is unrestricted and can work with the Linux command shell (something I seem to remember I had read about before; you will need to enable the developer mode to use it), which is apparently a separate system but runs on the same device, although if it has the ability to communicate with the main Android system using adb (which it might be reasonable to require that to be explicitly enabled with another setting, for additional security in case you do not use adb), then this would help since you do not require another computer that would be compatible with adb in order to do it.

However, I think there are other things they should do as well (in addition to the other things) if they want to improve the safety, such as looking at the apps in Google Play to check that they are not malware (since apparently some are; however, it says they do have some safeguards, so hopefully that would help), and to make the permission system work better (e.g. to make it clear that it can intercept notifications; there are legitimate reasons to do this but it should require an explicit permission setting to make this clear).

sprior 3 hours ago
This brings back memories of "sure you can root your phone, but if you do secure apps like payment won't run anymore"
spaqin 3 hours ago
I can only imagine that allowing "unverified" apps to run would also disable payment/banking apps. Just in case, you know. For your own good.
lern_too_spel 6 minutes ago
That should be up to the bank to decide, and it already is. https://developer.android.com/privacy-and-security/safetynet...

None of my banks have complained to me because I'm running a patched YouTube app.

seandoe 2 hours ago
This is great news to me. I'm going to celebrate it. As evil as everyone thinks they are, they did the right thing here. Thanks Google.
gowthamgts12 2 hours ago
so still distributing with f-droid is messed up? i now have to pay a fee to develop an open-source app via f-droid to everyone?

this is a misleading title. they only allow side-loading unverified apps only on fewer devices.
