
Posted by drewfax 19 hours ago

Android Developer Verification: Threat masquerading as protection (f-droid.org)
1526 points | 635 comments | page 4
stavros 16 hours ago|
I don't understand how this is legal in the EU under the DMA, does anyone know?
pimeys 16 hours ago||
I already contacted the DMA authorities and complained how this has an effect on German diabetes communities and they replied that I am not the first one who approaches them on this and they are already investigating it.

Google is just trying how far they can push this.

kodebach 1 hour ago|||
Since Apple's App Store is DMA compliant, the EU won't do anything against this far less restrictive change from Google.
sebastiennight 15 hours ago||||
Do you have any pointers on how to find the correct authority and reach out? I'd like to inform my EU audience.
pimeys 15 hours ago||
Yes. From here: https://digital-markets-act.ec.europa.eu/contact-dma-team_en
stavros 16 hours ago|||
Excellent, I emailed them too but no reply yet. Yeah, given that we should be able to choose what app store to install, this seems wildly illegal.
hurfdurf 15 hours ago|||
https://www.eu-digital-markets-act.com/Digital_Markets_Act_A... Art 6 (4). Read it to the end. That's how.
tsimionescu 14 hours ago||
I don't get what part of that you think enables them to deny access to third parties distributing their apps on alternate stores. If you're referring to the last paragraph, that very explicitly says that any such security must be an optional setting that is not default. So unless users opt into verified only apps, Google can't force that, according to the DMA.
hurfdurf 14 hours ago||
Maybe not, but reading their blog posts about ADV next to the DMA text, that's certainly the angle they are trying. And it will be years if it ever comes to a court hearing.

And the setting is "optional", just do the 24h-waiting song and dance to change it, or use ADB. /s

surajrmal 8 hours ago|||
The same way Apple is allowed to do it presumably.
stavros 7 hours ago||
It's not.
murderfs 10 hours ago||
This is arguably required by Article 30 of the EU Digital Services Act.
t1234s 9 hours ago||
This is just getting us ready for the coming police state in the US. Choose your ankle monitor: apple or google.
jzer0cool 12 hours ago||
As a user, wouldn't you like knowing there is a non-verified app? Is it restricting and still providing a way to override if you choose?
kodebach 1 hour ago||
Google already announced the "Advanced Flow" that lets users override the verification. Yes, it's quite complicated, but it shows Google isn't trying to completely close down Android (yet). All this outcry is just going to lead to a boy who cried wolf situation. ADV is gonna become active, 90% of people won't notice, the rest will (begrudgingly) use the Advanced Flow. If Google then changes their mind and actually does what F-Droid claims right now, nobody's gonna listen.

IMHO F-Droid is just mad because their store model of "developer publishes source code, F-Droid builds and signs the APK" would put immense liability on F-Droid. After all with that model F-Droid owns the private signing keys and now has to register them with Google. If they let a single malware app slide through, Google might designate F-Droid as a malware provider and block everything ever published on F-Droid. (Sidenote: Last I checked F-Droid had nothing in their policies that forbids publishing malware, just that it has to be open source) If you ask me this store model was always stupid and completely missed the point of having signed APKs. I think they also have a newer model where they don't own the private keys anymore, but there's still tons of legacy apps.

Of course Google might have been open to talks about some kind of verified app store program allowing F-Droid to operate under different terms. But that's certainly out the window after all the fear mongering, hyperbole and straight up propaganda F-Droid has put out in recent months.

terminalbraid 10 hours ago||
Is that not already the case today? Everything on the play store is verified. Anything outside of that is not by google and you are shown something.

The whole point of this outrage is alternative stores (like f-droid) can wholly and entirely be shut down on a whim without recourse.

mindaslab 8 hours ago||
It's high time we ditch evil Android and switch to something libre.
xylon 10 hours ago||
Why not replace F-Droid with a catalogue of links to open-source apps hosted in play store?
stankondrat 10 hours ago|
Most F-Droid apps are built from source. A link to Google Play may point to a newer version that has changed and could contain undesirable behavior.
johnathan101 14 hours ago||
The frustrating part is that security features often look like malware from a technical perspective. The intent is different, but the capabilities can overlap.
linuxhansl 15 hours ago||
What Google is doing is shameful. One of the promises of Android was being more open than the restrictive Apple ecosystem.

Now that they reached penetration they do the switch - under the guise of security.

Just let me do with my hardware what I want to do with it. Let it be my responsibility to install whatever I want (and stop calling it "side-loading", as if I am doing something shady from the "side").

We need to resist this! Alas, from the broader response it seems that most people just do not care.

WarmWash 8 hours ago||
Epic games sued both Apple and Google for anti-competitive behavior.

Apple was found not guilty.

Google was found anti-competitive.

In the appeal, Google asked the judge why Apple wasn't anti-competitive and the judge told them that Apple wasn't anti-competitive because there were no competitors on their platform to compete with.

Google lost the appeal, an inflection point in tech was created, and Google wondered why the hell they tried being open when xbox, playstation, nintendo, apple, all get to do whatever they want on their closed platform.

It's incredible how little coverage that ruling gets despite how damning and detrimental to tech its implications are.

matheusmoreira 12 hours ago|||
It's not just shameful, it's stupid. Freedom was the whole point of tolerating the shittiness of Android. If they get rid of that, then there is no point, and I'll just buy an iPhone instead. If I must be in a walled garden, I'll choose the better kept garden, and it sure as hell isn't Google's.
palata 11 minutes ago|||
I like Android a lot better. And I really, really like the fact that Android is open source, so that 1) I can read the sources and 2) projects like GrapheneOS can do it right.

Apple does not remotely allow that.

int_19h 10 hours ago||||
Pragmatically speaking, I doubt that the percentage of users currently choosing Android over iOS for this reason would add up to even 1%. Android dominates worldwide by and large because of cost, and unless Apple pulls another Neo this shall remain regardless of how locked down they make it.
mirsadm 10 hours ago||
An older iPhone is already better than most new cheaper Android phones.
Gander5739 6 hours ago||
Many people disagree.
VeejayRampay 11 hours ago|||
you think it's shitty, but it's a personal opinion that you're phrasing as some kind of widely accepted view

be sure that it's not, lots of people actually PREFER Android

sscaryterry 14 hours ago|||
This is worse than Apple. With Apple you knew where you stood day 1.
Grombobulous 10 hours ago|||
If you go back far enough, the original iPhone didn’t even promise to give you the ability to install apps.
devsda 10 hours ago||||
It's worse in a different way.

I mean when people complained about Apple, the standard reply was "if you don't like Apple use Android, it's open!".

Now when people complain about Android doing the same, the answer is how is it wrong if Google does it, when Apple has been doing this forever.

fizzbuzzdizz 9 hours ago||||
lol my god the apple shills are out in full force. this is implementing a tiny fraction of control over probably less than 1% of android users (hint for the hn crowd: you don't represent real people and you need to remember that) in an effort to stop a very real problem that far far far more than the people affected by this face. yet they are worse than apple who has been doing this since day one to 100% of users. you’re an unserious person
sscaryterry 3 hours ago||
I just made a comment. Whether or not you consider it serious or not is for you to decide.
pjmlp 14 hours ago||||
Ah so the Do No Evil wasn't serious after all?! /s
zx8080 14 hours ago|||
It was indeed! And Google removed it in 2018.

- https://en.wikipedia.org/wiki/Don%27t_be_evil

breppp 13 hours ago||
and it is still there

https://abc.xyz/investor/board-and-governance/google-code-of...

leonidasrup 11 hours ago||
Section "2. Competition Laws"

https://www.nytimes.com/2024/11/20/technology/google-antitru...

frollogaston 13 hours ago||||
"Don't be evil" would be some evil company's motto in like Lego Movie 3
callmeal 10 hours ago|||
It's "Do More Evil" now.
frollogaston 14 hours ago|||
[flagged]
ankurdhama 13 hours ago|||
AFAIK you can still install any random APK but the process will require enabling developer mode and one time 24 hour wait period. But the problem is many stupid Apps check that developer mode is on and refuse to work.
Liquid_Fire 11 hours ago|||
> many stupid Apps check that developer mode is on and refuse to work

Do you have some examples? I have developer mode enabled and have never seen any apps complaining (and I have used a lot of different banking apps).

istoleabread 10 hours ago||
Almost all banking apps in my country do this, absolutely ridiculous on their behalf obviously
geokon 13 hours ago||||
An FDroid desktop client that adb installs APKs would actually be lovely. I pretty much exclusively use FDroid, but I gotta say I unfortunately find all their frontends to be rather buggy and with very little user feedback when things break (repo updates are hard to observe, downloads hang, updates mysteriously fail)
greeniskool 13 hours ago||
I feel you about the frontends being buggy. Right now I've settled with Droid-ify[1] for doing my F-Droid browsing.

[1] https://droidify.app/

IIsi50MHz 4 hours ago||
Droidify sometimes does a weird thing when installing apps:

1. Ensure Droidify is not running.
2. Launch it.
3. Tell it to install or update to an app.
4. Receive an Android system prompt to approve the install/update.
5. Approve it.
6. Tell Droidify to install or update another app.
7. Receive a system prompt to approve the action of step #3 again.
8. Approve it.
9. Receive system prompt to approve step #6.
10. Repeat #6 through #9 for more apps.

Workaround: Do steps #1 through #5.

Foxy Droid doesn't have this problem, but won't auto-download updates for you.

nutjob2 13 hours ago||||
How long before they take that option away?
AussieWog93 11 hours ago|||
I'm not aware of any apps that check for developer mode, that's mainly root.
avra 14 hours ago|||
> We need to resist this!

I agree. What do you suggest? How can we contribute to the resistance?

devsda 13 hours ago|||
Raise it at whatever level we can.

I've seen more outrage on HN posts about license changes than those related to this. I mean we are in the midst of one of the biggest rug pulls of our lifetime and the response was not even remotely proportional. I wish it was at least a fraction of what it was during the SOPA act.

Not even businesses that could be hurt by entrenching Google more in the mobile space are acknowledging the issue.

That makes me think maybe all the outrage at the SOPA time was probably "promoted" because it aligned with their commercial interests or maybe Google is all too powerful and too deeply entrenched that nobody wants to upset them.

linuxhansl 13 hours ago||||
Not much one can do I fear...

Install f-droid and all kinds of 3rd party apps now.

Install GrapheneOS. (I'm guilty of not having done that yet :( )

Sign the petition (https://keepandroidopen.org/).

black_puppydog 13 hours ago||
Wow, the link to the petition is buried halfway down the page. How is this not part of the first visible content?
lta 11 hours ago||
Fwiw it's also linked in the article, so it's not exactly a surprise :)
microtonal 12 hours ago||||
If you are in the EU, send a message to the DMA Team. Be polite, explain how Google is using its oligopoly power to shut out competing app stores and applications that can be installed outside the Play Store. Explain how it affects you.

An app becoming unavailable through remote attestation? New recaptcha? Document every case and send an e-mail to the DMA team.

rahidz 11 hours ago||||
I'm sure there's plenty of Google employees on here, some quite high up.

Push back against these types of decisions internally. Rally your coworkers against them.

And if you're brave enough, talk to a journalist, or pull a mini-Snowden. Lord knows the company has secrets. I bet there's at least one email chain from some exec bragging about how this policy will squash Revanced, ad-blockers, etc.

murderfs 10 hours ago||
I guarantee you that there are zero email chains from execs bragging about a policy that'll block the dozens of users running Revanced.
Arnt 14 hours ago||||
This started with phishing, poor people being tricked to install apps that then drained their bank accounts. So to resist, maybe focus on that evil? Better international cooperation, better prosecution?
stymaar 13 hours ago|||
> This started with phishing

It didn't.

Phishing is just a pretext. Google didn't care about Phishing for the first 20 years of Android. Why do they now? Because it serves as argument to close their platform a little more (which is a trend that has been going on for years).

Arnt 12 hours ago|||
I think they care now because of pressure from the governments of the countries involved.

And perhaps because ten and twenty years ago, the sums stolen were small. Now they're in the billions.

LtWorf 11 hours ago||
How do you explain that all the scammers I've entertained used apps that are already on the store?
Arnt 10 hours ago||
I think there's a misunderstanding here.

The attack in question doesn't use apps on the store, or even any attempt to get them on the store. There are also other attacks, but the one that prompted this change uses social engineering to get people to tap the build number seven times, sideload something and get a keylogger that then picked up their banking details and used them. Several governments raised the issue, Google acted. (The actions are to slow down the tap-seven-times process, so it becomes harder for the scammers to keep their victims fooled until the keylogger is installed, and also to tweak the timings, so the scammers can't outrun the app-banning process.)

If you haven't had your bank account drained, the scammers you met were different ones. (And I'm sorry that you've been scammed.)

LtWorf 10 hours ago||
But it is suspicious they want to defend vs attacks that don't happen while doing absolutely nothing to stop the attacks that do happen. Seems like security isn't a goal here?

(I didn't get scammed, I sometimes am curious on what the scam is so I lead them on a bit)

Arnt 9 hours ago||
Are you in Brazil, Indonesia, Singapore or Thailand? Those were the four worst-affected countries IIRC. Although I seem to remember Ecuador or Bolivia as well?

(They do something about other scams too. There was another thing they published recently, I didn't pay attention since no side effect of that concerned me, something to do with caller ID.)

frollogaston 13 hours ago|||
I do think it's about Google trying to squeeze profits out of Android, but is there more direct evidence of this? Cause I always have to wonder if it's something else like KYC.
Arnt 12 hours ago||
Of course Google generally tries to squeeze profits out of… whatever it does, but eh, by closing something? Google is the company that makes a million in profit from the openness of the web in the time it takes me to write this paragraph, why would that company think that closing something improves its competitive stance?
frollogaston 6 hours ago||
By imposing Google Play, rather than letting people use Android without any of Google's ecosystem.

About Google squeezing profits out of everything, yes but that's a kinda new thing, mostly starting 2023. They did their first mass layoffs ever, then started cutting costs and milking products more. I'm not saying they were better before or something, it's just that it was growth time before. That was also the same time they started talking about locking down Android, and even WEI.

LtWorf 11 hours ago||||
All scam attempts I received from "hot asian ladies" involved putting my savings in apps that are already on the google app store.

The scam apps are already in there. Please stop repeating google's propaganda.

iririririr 13 hours ago||||
or how about don't allow government and banks and telcos to use abusive apps to provide essential services?

those people fall for this because for everything poor people do, they need an app that is provided by sleazy vendors and that require tons of permission, and face scan and what not. they were primed so those business could save in operating costs.

that's the problem. won't solve it with slightly less sleazy vendors.

mschuster91 14 hours ago|||
We can't even get India and Turkey sanctioned for evading the anti-Russian sanctions... good luck holding them accountable for the scam callcenters.
geocar 12 hours ago|||
Stop using Android.
lta 11 hours ago|||
We don't have a lot of choices right now, especially regarding banking apps :'(
Micrococonut 7 hours ago||
Your bank doesn't have a website?
palata 8 hours ago|||
GrapheneOS is good.
altairprime 14 hours ago||
Shame isn’t an applicable concept for a corporation.
nehal3m 14 hours ago|||
Maybe we need an economic system where it is. Shame should come packaged with legal personhood.
altairprime 13 hours ago||
Better to pass state bills modifying all of that state’s articles of incorporation to compel adherence to B-corp standards.
stymaar 13 hours ago|||
Shame has ceased to be an applicable concept for anyone “important” enough to get free media attention.
slayernominee 7 hours ago||
Imo the best way to act against this is promoting custom ROMs like Graphene OS in your circle
nsim 14 hours ago||
So, what's a good Linux tablet? I was thinking of trying an old Surface Pro.
1970-01-01 11 hours ago|
All talk, no solutions from F-droid. What are they actually doing to solve it? Why not stand up their own vetting system? I'd love some technical solutions, instead this is just childish.
titzer 11 hours ago||
By analogy, would complaining about any organization ridiculously more powerful than you (e.g. a government) without having a complete alternative ready to go also be "childish"?
1970-01-01 2 hours ago||
If the underdog is directly involved in the -alt business, yes, it is very childish!
terminalbraid 10 hours ago|||
Because as designed they have to live under whatever google puts into Android because they have inordinate control over the whole ecosystem? I'm not sure why or how you would possibly describe that as "childish".
Zopieux 5 hours ago|||
At this point, the only "solution" is anti-compete legislation.
LoganDark 9 hours ago||
Solutions from F-Droid? There are none. Like they said, it's an unremovable system service.
dingaling 7 hours ago||
They could register as a corporate developer, but they decline to do so because _"that would effectively seize exclusive distribution rights to those applications."_ But it wouldn't - the source code is still available for anyone who wants to build and distribute the apps themselves.