Posted by drewfax 16 hours ago

Android Developer Verification: Threat masquerading as protection (f-droid.org)
1406 points | 581 comments
StingyJelly 11 hours ago|
We finally live in an age when I can tell a clanker that I want an app that does something that I need, connect the phone with adb and in half an hour have a working solution for my tiny problem while knowing little about android development. This is something google should embrace, not kneecap.
WarmWash 3 hours ago||
Then tell the courts to stop fining them and start fining all the closed platforms.

There is a clear legal asymmetry where allowing competitors on your platform makes you liable if they complain, but blocking out everyone except for yourself is a totally ok and legally rosy way to do business.

cryptonym 10 hours ago|||
What's their interest in you building side-loaded apps instead of using their data hungry services?
thewebguyd 3 hours ago|||
Their interests shouldn't matter. If they matter that much to restrict, then they are abusing monopoly power and need broken up.
titzer 8 hours ago||||
Or buying some crappy app off the app store, from which they take a cut.
zeumo 10 hours ago|||
They do also sell the data-hungry side-loaded app builder.
int_19h 7 hours ago||
Sure, but the real profits to be had there, if any, are package deals with other megacorps, not hobbyists.
hurfdurf 8 hours ago||
Installing via adb is not affected.
StingyJelly 8 hours ago||
That's great, but I want to be able to share such an app with my family members and colleagues.
gruez 5 hours ago|||
Are they such new/fleeting friends that they can't wait 24 hours? Otherwise, it might be a good thing that people can't be persuaded to install an app because a "friend" told them to, and it's somehow so urgent that they can't wait 24 hours.
__MatrixMan__ 5 hours ago|||
So install it via adb?
wolfi1 12 hours ago||
I'm still a little bit confused why the EU does not take action on this. This is definitely a monopolist overreach which has to be shut down from the beginning.
hurfdurf 12 hours ago||
But they did. EU formally allows all these measures by Google in the name of "security" as described in Digital Markets Act Art. 6 (4) fourth paragraph.

https://www.eu-digital-markets-act.com/Digital_Markets_Act_A...

IshKebab 10 hours ago||
They're allowed to do it "to the extent that they are strictly necessary and proportionate ... provided that such measures are duly justified".

It remains to be seen whether the EU decides that this measure is strictly necessary, proportionate and duly justified. They sometimes do the right thing but I'm not getting my hopes up.

int_19h 7 hours ago||
EU will likely want something like this for ChatControl (or whatever it's called in its current draft iteration) enforcement anyway. And Google will no doubt be happy to have its highly paid lobbyists testify on how it will help catch child predators and terrorists.
ajb 12 hours ago|||
Indeed. I wonder if it falls foul of labour law. Blacklisting is illegal and whitelisting (certification) is normally done with multiple competing third party certifiers.
Aachen 11 hours ago|||
They'd have had to start with Apple, which is more locked down and has comparable market power. Apple fans (iirc like 30% of the voter population) already scream bloody murder when compatibility increases due to legislation and Apple pushes some marketing about how terrible this is.

We've accepted that OS vendors can do this for decades. I think that was our mistake: relying on Google as the only available vendor. We can't make a law that punishes Google for having been open all these years. Yes, of course I (like any 'HN' hacker, I'd think) would be in favor of forcing Apple to be open as well, but then it seems that the powers that currently run the EU (and a lot of voters) kinda like their remote DRM attestation for this digital identification project that you'll soon need for anything not suitable for toddlers and not reachable via a darkweb.

FabCH 10 hours ago||
They did? There is the whole "alternative app stores" kerfuffle going on right now between Apple and the EU.
Aachen 6 hours ago||
Marginally. Apple still approves every app that runs there and can block whatever they don't like for whomever they don't like (or are told to block by a US court, for example). And if you go on holiday abroad and want to take your phone, Apple refuses to tell you what the grace period is during which you're allowed to use the apps on the device.

It's as hostile as they can make it because people apparently keep buying that, even when there's no semblance of the freedoms we have on Android, Windows, Linux, BSD, etc. Google saw that this suffices for the EU and does half a step towards it and people are, unsurprisingly, appalled because the whole FOSS community is here now. I still think it started with Apple demonstrating how successfully hostile you can be in a duopoly where the cards have been dealt.

Few commercial entities will happily re-implement their apps for a third, new, upcoming platform. Google and Apple will never get outcompeted so long as their software ships on the hardware that people want. Even Microsoft (Windows Mobile predated both OSs) threw in the towel, I wouldn't know who else stands a chance. Regulating these entities seems the only path when Google has evidently decided there's no point trying to compete on openness (also demonstrated by the widespread acceptance of GrapheneOS in the FOSS community: people would rather be kept safe than be free - https://news.ycombinator.com/item?id=48758146)

r_lee 12 hours ago||
this is something the EU would love, it's part of the whole Transparency thing where you dox yourself to everyone

HNers (especially Americans) are super naive and think the EU is some bastion of freedom. no. it just wants to be a huge nanny state but in a wholesome way, where you can do whatever you want as long as it's approved

nirui 10 hours ago||
Emotional talk aside, there aren't many good solutions to this problem, unless of course F-Droid starts to make their own phones.

But then, the Librem 5 phone just failed a few years ago, telling the story that people who care about their rights are still sensitive to how much they would pay (which is a form of rights too).

Also, there is the thing: making a phone is not easy. If you reach deep enough, you'll eventually reach the layer where you realize how solid the monopolization has become. The global telecom standards, if you read them, are in the hands of a few companies, Broadcom, Motorola, Huawei, Nokia and such. They'll control whether or not your phone can access the network. Then there are the telecom companies who run the network, and they might have to approve your device/modem as well since they got their channel allocation from the government.

It's not easy, and it's not just the software problem.

Oh and yes, we also have the software problem. Linux, if you want to go that route, cannot be used as a mobile OS, at least not for the public, because the average people don't know how to properly secure their system, and Linux is not a restrictive-by-default system. It will be a malware nightmare if you ship Linux on a phone as is.

The best hope for now, I think, is for geek vendors to make more mobile/4G/5G-enabled Fairphone- or uConsole-like products for the enthusiast market, and then you can load whatever OS on it that you want.

KJs6ZxELzQM37O 9 hours ago||
There is a good solution. A big disclaimer and the user accepting the risk of running the software they want. The same solution they've been doing for years that did not need change. The new developer program is only here because it is more convenient to Google and governments.
IshKebab 9 hours ago||
We've known for literally decades that that doesn't actually work, for several reasons:

1. People are conditioned to ignore warnings. There are way too many benign warnings in the world; you can't read them all.

2. Even when people wouldn't ignore them, in cases where they are being tricked by scammers it's easy for the scammer to talk people into accepting them.

3. Those sorts of warnings aren't actionable. You're installing a new app. It appears legit. You want to use it. You get a warning like "this app hasn't been verified; it might be malware!". What can you do with the information? Absolutely nothing. 99.9999% of users have zero way of doing any deeper check to see whether it actually is malware. Their only options are to give up and go home, or just hope that the warning is wrong. Even I - a highly technical user - get zero value from things like Windows' smart screen. "The app you're running hasn't been signed! It might be malware!". Err yeah sure. I'm not going to reverse engineer it to check am I?

I think their solution of allowing you to disable the restriction with a one-time one-day delay is actually a really reasonable solution. As long as they don't go further than that - the risk is that it is just a temporary placation and they'll ditch that option in a few years.

thewebguyd 4 hours ago|||
It's 2026. This technology has been out for how long?

We can't keep catering to the lowest common denominator of user. We have lost many computing freedoms over the decades as a result of this. Sorry, but it's unacceptable.

If they really want such locked down experience to be the default, they could also just as easily put out a ROM everyone else can flash that has no restrictions. You still get to cater to the lowest common denominator but without taking freedoms away from anyone else that wants to keep them, with official support. No scammer is going to convince someone to plug their phone into their laptop and flash a new ROM in order to scam them. If they can, there's no protections that would have helped in the first place.

jonathanstrange 8 hours ago|||
The problem is easy to solve by making 99% of all apps normal apps that don't get any special privileges and don't require any developer certification, and having a certified developer program with heavily locked down run mode for the 1% of high security apps like banking and payment apps. It's not hard to attest unambiguously to the user in some way whether they are running one of these rare secure apps or a normal one, a restricted API suffices but you could also just add an LED for it.

You can't possibly convince me that Google couldn't develop something like that if they wanted to.

gruez 5 hours ago|||
>and having a certified developer program with heavily locked down run mode for the 1% of high security apps like banking and payment apps.

How do you determine/enforce whether an app is a "payment app" without a centralized developer program? They don't require any special privileges. After all, most banking apps have web equivalents.

IshKebab 5 hours ago|||
How does Android know if an apk that nobody has ever seen before is a payment or banking app?

You could probably restrict "risky" APIs like draw-over-other-apps, but tbh I think that would be a worse solution than just making people wait 24 hours once.

m4rtink 9 hours ago|||
The Librem phones do exist and people use them.

Did it take the world by storm? No.

But it exists, has users & is building the case (together with Sailfish OS and others) that having an abusive mobile OS duopoly is not the desirable state of matters.

grosswait 8 hours ago|||
I was surprised to hear Librem failed, but a quick search shows this is not true. Quite alive and hopefully well.
einpoklum 8 hours ago||
> because the average people don't know how to properly secure their system, and Linux is not a restrictive-by-default system. It will be a malware nightmare if you ship Linux on a phone as is.

Linux is a kernel. A Linux-based distribution decides what the defaults would be. Why, in your opinion, would a Linux distro targeting phone-ish ARM64 hardware be problematic? Why would it be a "malware nightmare"?

gadders 12 hours ago||
I just launched an app in the Google Play Store. I did find it a bit weird that I had to provide my physical home address to get my app listed. Not sure what I would do if someone turned up to complain. Make them a cup of tea?
r_lee 12 hours ago||
well they can swat you, order pizza, send you packages (who knows with what inside), spread false info about you if you've given out more info etc...

all it takes is one guy who gets too mad for some reason

and it's gonna be a lot more costly for you to do anything about it vs. that guy who gets to be completely anonymous about it

gadders 10 hours ago|||
Not sure how well swatting works in the UK, and pizza deliveries are all pre-paid.

But yeah, you could have a loony turn up.

Arnt 11 hours ago|||
How? I don't see the address published.

They can sue you and Google will give your address to the court, clearly. But swat? Send packages? How?

wiseowise 11 hours ago|||
Don’t know about US, but in EU you legally have to publish your address and it will be shown on the store page if your app has ads or in-app purchases.
Arnt 7 hours ago||
I see. I looked at https://play.google.com/store/apps/details?id=eu.faircode.em... and saw nothing.

I can see why your address is shown if you offer something for sale. Ads, that puzzles me.

nicce 3 hours ago||
> I see. I looked at https://play.google.com/store/apps/details?id=eu.faircode.em... and saw nothing.

I can see?

FairCode B.V. marcel+play@faircode.eu <redacted>

Anyway, ads are just a side channel for purchase. There is a product advertised, someone buys it and the developer gets a cut from the seller of the product. This is how ads work.

Izkata 2 hours ago||
Just in case they're looking in the wrong place (looks like they moved where this information was since I last looked), you have to expand it in the sidebar on the right.
gadders 11 hours ago|||
You need to put a literal physical address and not even a PO Box is allowed.
Izkata 11 hours ago|||
It's because of a law in California. Don't remember the reason behind it, but Google decided to apply it everywhere. It's also why I let my app die years ago instead of publishing the updated version.
someonebaggy 12 hours ago|||
This is so that you can be sued or prosecuted if the app is malicious.
Imustaskforhelp 10 hours ago|||
This is a somewhat good reason to make a US LLC with a mailbox rather than sharing your actual address. It can be much more privacy oriented.
realusername 12 hours ago|||
There's no such requirement for publishing a website
someonebaggy 11 hours ago||
There is - every server host does KYC and so does every domain registrar (by law). If you're found to have provided incorrect details, it allows them to immediately remove your server or domain without notice.
realusername 11 hours ago|||
No there isn't, Google's requirement is to put that information publicly for everybody to see. That's not nearly the same thing as being available on court request.

With that policy, Google encourages stalkers and puts developers in danger.

Izkata 2 hours ago||
A California law around a decade ago started it (a consumer protection law I think, something like requiring customers to have an address they can contact any seller at), and Google lazily applied it to everyone.

I would have been fine just preventing Californians from downloading my app, but that wasn't an option so I just let my app die.

Natfan 9 hours ago|||
does GitHub require KYC for .github.io pages? does neocities? does 111freewebhosting?
einpoklum 8 hours ago||
You should not distribute apps via the Google Play Store. Use alternative means, including F-Droid where relevant. And it was a mistake for you to register, because you're helping Alphabet exert more pressure and control on others.
foxrider 13 hours ago||
This would be the line for me. If at some point I'm unable to build an .apk and install it on my phone without Google letting me, I'm moving to Huawei.
aerzen 12 hours ago|
Does Huawei not use android or Google play services?
animuchan 12 hours ago|||
It's Android but without Google's services, there's an alternative app store.

The irony of Chinese vendors providing a breath of fresh low-DRM air.

pjmlp 11 hours ago|||
Partially true, HarmonyOS NEXT is its own thing, with a Typescript based language ArkTS.

https://developer.huawei.com/consumer/en/arkts/

And now they are adding yet another one, AOT compiled, Cangjie

https://cangjie-lang.cn/en

Using an Android fork has been a transition step.

animuchan 11 hours ago||
Neat, thanks for this correction! Interesting, an entire new programming language.
pjmlp 10 hours ago||
And a microkernel based OS with capabilities.

Another example that microkernels actually do have market share.

aerzen 11 hours ago||||
It seems like China is becoming the "freedom superpower" while USA is getting "corporate superpower" vibes. Huh
surajrmal 5 hours ago||
I'm curious why you think China is actually more open in this regard. The CCP has direct influence over the apps that are allowed to be installed on these phones. There is nothing more free about them.
Aachen 11 hours ago|||
Low DRM? I looked at Huawei devices because I figured they'd have to sell them here super cheap because of this downside, which most European people will even see as a showstopper ("how will I install my precious WhatsApp??"), but

- they're among the most expensive (I could afford that if needed though)

- they don't allow hardware unlock (ehh.. what's the point, then, if I get a locked-down device with Chinese surprises!)

animuchan 11 hours ago||
OK yeah, I didn't know they stopped allowing rooting. Normal levels of DRM then, my mistake, you're right.
tsimionescu 12 hours ago||||
No, Google is barred from providing any services to them by the US government.
koolala 12 hours ago||||
Not like that, no. Some US carriers don't allow them though; AT&T, for example, restricts you to Google or Apple phones. For them only Pixel supports a way out, with GrapheneOS.
foxrider 12 hours ago|||
No, they use AppGallery and HMS.
codedokode 5 hours ago||
I wanted to use an alternative mobile OS, but they only support expensive devices like Pixels or outdated models. So I am planning to port some open Android variant. Obviously, all Google Services will be removed and most proprietary apps too. I also want to be able to manually edit permissions and remove Internet access from most of the apps, even open source. It is inconvenient that Android actually has "Internet" permission but doesn't allow the user to revoke it.

I do not need Google Play (a collection of spyware, covertly collecting Wifi points and cell towers location in my country and sending them abroad), I do not need bank apps (I have a laptop for that) so I guess I will be fine. Obviously there will be no developer verification on my device as well, and I mostly use apps from F-Droid anyway.

The good thing about F-Droid is that they build apps themselves and you can always get the sources, unlike Google Play and the Apple App Store, which provide no sources, and unlike PyPI/NPM, which allow sources to not match the binary distribution.

sneak 4 hours ago|
You do need Google Play, or a suitable replacement, because most android apps won't work without it.
codedokode 4 hours ago||
F-Droid apps do not need Google Play Services. OsmAnd (offline maps) and other apps work without it. Telegram probably should work too, but I did not test.

AI also says that it is possible to have push notifications without Google.

geokon 10 hours ago||
> looming requirement that all Android developers register themselves centrally

Does this somehow also apply to developers in China? Are Chinese OSs (Vivo/Honor/Oppo/etc.) entirely forked off of Google's Android?

Is the solution to just use a Chinese phone without the Play Store?

bouncycastle 12 hours ago||
Does this mean that apks that I've built and installed through adb will stop working? That would be a real damn shame.
3r7j6qzi9jvnve 15 hours ago||
related: https://keepandroidopen.org/ previously on hn

- https://news.ycombinator.com/item?id=47935853 (2 months ago, 889 comments)

- https://news.ycombinator.com/item?id=47139765 (4 months ago, 378 comments)

- https://news.ycombinator.com/item?id=47778274 (3 months ago, 68 comments)

krunck 7 hours ago|
Would this also be a strategy to get all Android users to have a Google account? Once you are locked in to using Google's Play Store, they can then require login to even install apps. I don't have a Google account. I never will. If I am required to get one to use my phone (Fairphone 4, eOS) then I will cease using the phone. There is nothing in my life that requires me to have an Android phone.
renegat0x0 7 hours ago||
Governments plan to use Google Play for government services. It is just a matter of time before it is required for you to use it.

https://news.ycombinator.com/item?id=48730729

More and more sites require you to use it, be it GitHub, or even F-Droid (via GitLab).

terminalbraid 7 hours ago||
Banking has slowly been transitioning in this direction as they close brick and mortar places. I'd have to drive 20 minutes to cash a check (which is still sadly common in the US in certain industries).