Posted by drewfax 18 hours ago

Android Developer Verification: Threat masquerading as protection (f-droid.org)
1472 points | 606 comments | page 3
pimeys 11 hours ago|
Btw. This whole debacle made me stop installing any Android updates. I've done my best to avoid installing even the security updates, so my diabetes apps continue working in the future.

I really need to take the time and go with Graphene OS in this device. My bank N26 kind of still allows it, but they made it harder and harder to use with certain custom checks. Looks like in the future I need a separate banking phone and my daily driver.

The device works right now how I want it. I don't want anything to change.

0x000xca0xfe 10 hours ago||
I have an old $70 test device with stock Android/Google that hasn't seen security updates in half a decade yet all banking apps, electric car charging, Google services, you name it, work absolutely fine.

Meanwhile the daily driver phones of my privacy-aware family members running up-to-date Lineage or Graphene OS with recent kernels and frequent updates constantly run into apps refusing to work for "security" reasons. It's a complete joke.

Gander5739 4 hours ago||
To pass MEETS_STRONG_INTEGRITY a device needs to have a security patch within the last year. Most apps don't check for strong integrity, though.
Gander5739 4 hours ago|||
Google Play Services is independent of Android releases and will update itself automatically, though I believe you can disable this by uninstalling a specific system app with adb.
patcat007 9 hours ago||
[dead]
RandyOrion 11 hours ago||
Android developer verification program, together with recent reCAPTCHA push [1], and Manifest v2 force deprecation on Chrome [2], make one thing crystal clear. When companies like GOOGLE talk about things in the name of "your security", it's a sign that they want you to sacrifice your own things, e.g., privacy, freedom, etc., for their own security. And if you trust them and show your consent by doing nothing, you pay the price.

[1] https://news.ycombinator.com/item?id=48067119

[2] https://news.ycombinator.com/item?id=48555244

geocar 10 hours ago||
Google has been attempting to license the right to write.

There are a lot of poor people, mostly brown people, who do not have the ability to get one of these licenses.

Some of them are feeding themselves with their ability to write, and Google is literally stealing that food from their mouths.

duskdozer 8 hours ago|||
I think this argument isn't likely to go far, considering its use of a type of condemned speech (DEI). Part of the purpose of having ID verification for developers is to ensure that Google can provide information to the authorities so that developers can be held accountable for promoting such anti-government and terroristic ideology.
birdsongs 10 hours ago||||
Can I ask what you mean when you say "write"? Are you talking about literature / articles, or software?

This is new to me, want to stay on top of it.

MSFT_Edging 9 hours ago||
I think the commenter is alluding to writing software, as software is considered speech in some places.
like_any_other 9 hours ago||||
Careful about demanding that dystopia not discriminate against anyone. Because you just might get it, and it'll still be a dystopia.
noosphr 8 hours ago|||
[flagged]
Forgeties79 8 hours ago||
This is a textbook “bad faith” argument.

Just because someone is part of a particular demographic doesn’t mean they are suddenly incapable of harming them.

noosphr 8 hours ago||
You were so close to realizing class is the only thing that matters. But thankfully a good western education makes that thought impossible.
lern_too_spel 6 hours ago||
Article got developer verification completely wrong. The point of developer verification is to be able to install apps outside the app store without warning, which brings Google Android builds in compliance with the antitrust ruling. Third party Android builds can choose other trust roots or disable ADV completely and require warnings for everything because they are not subject to the judgment.

Separately, the process of installing apps that are outside a system app store and aren't verified has also changed, but this is not required by the developer verification feature, and the result seems like a wash to me. The first time you enable installing apps from other sources is harder, but this setting then persists across device upgrades, so the subsequent times go away completely. This now requires developer mode, but apps that check developer mode (I haven't found any in the US) can be mollified with a Tasker task to disable developer mode when launching those apps and enable it again after.

troyvit 6 hours ago||
That's only the consumer side of it though. As the post states:

> Should a developer[...] elect to register themself with Google as a “verified” developer, they should expect to sign up for an account and pay a fee, surrender detailed personal information and upload government-issued identification, and then proceed to register the identifiers and signing keys for all the apps they intend to distribute (now or ever).

Those are big impediments to open development. The agreement developers sign states:

> 6.5 If You violate any of the Terms or if You distribute malware or other harmful applications, Google may terminate Your access to the ADC…

But they don't actually define "malware" anywhere in the document. Search HN if you want to hear horror stories about how google handles loose definitions and people's accounts.

lern_too_spel 6 hours ago||
This is no different from before. If you want consumers to be able to install your app without a warning on Google builds, you have to jump through verification hoops. The only thing that ADV changes for developers is that now they can distribute their apps outside the system app stores without a warning as well, which is a new benefit, not a new restriction.

The correct thing to complain about is requiring developer mode for unverified installs, which doesn't seem necessary, not ADV. If you complain about ADV, of course the legislators are going to ignore you. ADV makes Google builds strictly more open and resolves the complaints of the state.

troyvit 5 hours ago||
Oh man thank you for the clarification <3
WarOnPrivacy 16 hours ago||
My Android 15 handset doesn't have com.google.android.verifier process. It could be a Ulefone thing. They're especially pro-user (ex:root friendly).
EspadaV9 16 hours ago||
Checked my Pixel 7 XL Pro and the app is installed and running (Version 1.0.866414232 com.google.android.verifier). I was able to force stop it, and disable it. Will check later to see if it reenables itself.
Aachen 12 hours ago||
Ex means "example" here right? Or do you mean ex as in the dictionary meaning of ex, as in, "formerly"?
WarOnPrivacy 3 hours ago||
> Ex means "example" here right?

Yes. eg would have worked too. ie didn't seem like a good fit.

mghackerlady 4 hours ago||
I've just stopped using smart phones. If they aren't going to give me more freedom than a dumb phone, I have no reason not to use one
TheRealPomax 4 hours ago|
It's nice that you have that luxury, but that makes you an anecdote in a world where folks need a smartphone just to access banking or government services.
binarysneaker 5 hours ago||
After many years of Android freedom and choice, this'll likely be the reason I switch back to iOS/Apple. If I'm forced into a walled garden, it may as well be the best one.
BatteryMountain 6 hours ago||
If they go through with this, I will make it my life's mission for the coming months to de-google my personal life and break any dependencies on google at work. Done with this nonsense. Shouldn't take more than a month to remove the tumor.

On my android phone:

My own launcher

My own keyboard

My own sync tool for local net

My own net tools to WoL some devices on my lan.

My own tool to control 3 proxmox servers

My own tool that parses groceries slips

My own tool that keeps track of my vehicles events/lifecycle/purchases etc.

If they break my launcher/keyboard and my ability to use my phone in my customized way, they will NEVER see me as a client again. None of these apps are in the Play Store, they are signed with my own signing keys, which have never been uploaded to google, in fact, no google account is linked to these apps. These apps are also privacy-oriented (even the keyboard, I ship a 1mb dictionary with and it learns my own words, never transmits anything).

I will not give google my ID, neither Persona or anyone else. I'm very happy to go back to using bank card + chip + pin than use google wallet. Trust me I will walk away. I already moved 4 family members off of Windows in the last 2 years, I will get them off google too.

bobbean 4 hours ago|
I started de-googling a few weeks ago. I don't really know what I'm doing but it's kind of enjoyable to learn. Graphene OS with F-Droid and I'm most of the way there.

I still use the play store for some apps unfortunately. Also google maps, gmail, google messages (for rcs) and google fi. I'm not sure if there's anything close to the quality of traffic reporting as google maps, so it's hard to give up. The rest I will eventually move away from... Hopefully.

I have a home server with a reverse wireguard proxy for self hosting photos, calendars, etc.

I also have firefox with noscript blocking everything by default, but that's a big pain for an average person. Also it doesn't seem like firefox does a good job of anti-fingerprinting, but I haven't looked too deeply into that.

I even bought a tv that has adb access, and I removed a bunch of bloat, but it doesn't seem possible to remove the google launcher without causing huge system instability. I might just firewall it off.

There are a ton of open source alternatives to google products now, way more than the last time I tried moving away. It's time to leave.

noisy_boy 6 hours ago||
I have already migrated my government and banking stuff off Gmail. I'm fine losing my access to HN but Google can't be trusted with serious shit.
pjmlp 13 hours ago||
This kind of speech will only go with fellow technical users, most folks buying phones at the usual phone operators won't care less.
Timwi 11 hours ago||
How does this affect the Fairphone? If I buy a Fairphone now (which I've been considering for months now) will I continue to be able to run F-Droid and load arbitrary apps, or does it come with “official” Android that will contain the restrictions?
microtonal 9 hours ago||
I would in general recommend against getting a Fairphone. They traditionally have a lot of hardware issues. Some of the early issues on the FP6 (fried logic board while charging and broken volume button) are not user replaceable. Many people have had to wait a month before they get a reply from customer support and even longer to get their hardware fixed. They also completely fail to communicate about issues.

They also have a bad reputation when it comes to updating their software. E.g. their initial Android 15 builds for FP4 had bad memory management issues, with a result that many people could only have one app in memory at the time, which made it impossible to switch between e.g. an app/browser and a password manager/payment app. Some of their updates would cause boot loops when there were fingerprint reader issues, etc. Currently a lot of users are dealing with an issue where apps hang when used over WiFi because IPv6 gets misconfigured when a router sends an IPv6 router advertisement with lifetime 0 (which e.g. Fritz!Boxes that are popular in Europe do). The issue has been there for over three months without any acknowledgement or fix from Fairphone.

Also, even though they do Android Security Bulletins and major releases (though very late), their phones often run ancient kernels and firmware with many known vulnerabilities. This is also the case if you run an alternative OS, because pretty much all of them use upstream trees. Also their firmware has Chinese TCL image processing blobs (might be a security/privacy issue for some people).

I think many of these issues stem from the fact that the development of both the hardware and the software is largely outsourced to a Chinese ODM (T2Mobile), who maintain everything, so there is a lot of delay in everything. My guess is that Fairphone as a company is mostly a PR/support/supply chain auditing (as in minerals/labor, not software supply chain) company, with all the development outsourced.

boudin 11 hours ago||
It depends on the operating system you install. Fairphone by default comes with a pretty standard Android version with Google Play services, so it will be impacted.

If you either buy a Fairphone from Murena (with /e/ OS) or from Iode (with Iode OS) or if you buy a standard one and install a version of Android without Google Play Services (like /e/ os or Iode), then you can still use FDroid.

economistbob 9 hours ago|
It would seem to me that the best use of resources here would be ensuring LineageOS ports to more devices than Pixels ASAP. Yet no one works on that angle.