Posted by drewfax 21 hours ago

Android Developer Verification: Threat masquerading as protection (f-droid.org)
1551 points | 666 comments | page 5
1970-01-01 13 hours ago|
All talk, no solutions from F-droid. What are they actually doing to solve it? Why not stand up their own vetting system? I'd love some technical solutions, instead this is just childish.
titzer 13 hours ago||
By analogy, would complaining about any organization ridiculously more powerful than you (e.g. a government) without having a complete alternative ready to go also be "childish"?
1970-01-01 4 hours ago||
If the underdog is directly involved in the -alt business, yes, it is very childish!
terminalbraid 12 hours ago|||
Because as designed they have to live under whatever Google puts into Android because they have inordinate control over the whole ecosystem? I'm not sure why or how you would possibly describe that as "childish".
Zopieux 6 hours ago|||
At this point, the only "solution" is anti-compete legislation.
LoganDark 11 hours ago||
Solutions from F-Droid? There are none. Like they said, it's an unremovable system service.
dingaling 9 hours ago||
They could register as a corporate developer, but they decline to do so because _"that would effectively seize exclusive distribution rights to those applications."_ But it wouldn't - the source code is still available for anyone who wants to build and distribute the apps themselves.
vrighter 14 hours ago||
Isn't this like the PS3's OtherOS thingie? Where the advertised functionality of the device was crippled after the customers bought them?
charcircuit 13 hours ago|
In the PS3 case the feature was removed fully, whereas in this case you just have to go through a new flow with warnings to re-enable sideloading unverified developers' apps.
LoganDark 11 hours ago||
I think it's funny that they look at the phrase "malware or other harmful applications" and then only have an issue with the definition of "malware" rather than "harmful". Like, wouldn't "harmful" be FAR easier to apply in literally any case you feel like? "malware" sounds like it'd need some proof of malicious intent but "harmful" needs no such thing and is much looser.
slowmovintarget 20 hours ago||
> Disguising itself as the innocuously-titled “Android Developer Verifier” (ADV) process, this trojan horse runs surreptitiously in the background as a system service with full root privileges, quietly awaiting an activation signal. The service cannot be blocked, disabled, or removed. Unlike a commonplace bit of malware, this extraordinary strain won’t be detected and neutralized by Play Protect (the malware scanning and remediation service that is installed on all Android Certified devices). In fact, Play Protect is itself the vector through which this virus is transmitted and installed.

> That is because it is Google themselves who is propagating ADV. And once activated, this malevolent process has exactly one goal: to block you from running software by developers who haven’t been approved centrally by Google.

The rest of the article is a claim that Google's new terms of service amount to "malware is any software we [Google] don't like."

It seems like Google is aiming for its own walled garden.

dwoldrich 16 hours ago||
This is more than enshittification, it feels like purposeful brand destruction.

Are governments going to institute more lockdowns? Is this some topdown control thing?

I will root this POS Android phone I have and forego any Google Play services and just use it as a web browser and a phone. Fuck these guys!

einpoklum 13 hours ago||
The temerity of Alphabet to claim to protect users from malware/spyware, when they are known to share all of your personal information and communications with the US government (Snowden revelations), is the epitome of hubris. And, also, in the world we live in, just another Thursday.

But even ignoring this - it is not for Alphabet/Google to decide whether, and how, I want protections. I want to be able to pick a sequence of bytes and install that as an application on my phone, without Alphabet having any say in whether that happens or not, and in fact without them knowing about it. It's my phone, not theirs, and the software should help me do what I need/want, not help them provide me their often-questionable services.

titzer 12 hours ago|
It's even worse when Google believes they have a legally defensible justification that your data has been "anonymized". E.g. "anonymized" location data directly from your phone that just so happens to be accurate to the meter. Such data just cannot be anonymized.
skybrian 17 hours ago||
I understand not being happy about what Google is doing, but it seems like F-droid can’t be trusted not to heavily spin things.
cuvert 16 hours ago||
If the companies would keep their own word and never overreach maybe nobody would overreact. How many times did we hear in the past "It's just for..."
skybrian 16 hours ago||
If companies play nice, people will stop making stuff up about them? I don’t believe that for a second, and it’s a poor excuse for making stuff up.
xboxnolifes 14 hours ago||
People's only complaint with Valve seems to be lootboxes and their inability to make a 3rd game in a series, and that's true. So... maybe?
echelon 17 hours ago||
There is no spin here. Google is pulling up the ladder.

There won't be an open web, there won't be user installs, there won't be anonymity.

Everything will be identified, attested, and allowed only when Google permits it.

Never mind them choking startups and small biz out of the oxygen they need to survive.

skybrian 17 hours ago||
What are you talking about? Android Device Verification has nothing to do with what websites browsers can access.
Timshel 17 hours ago|||
It does with reCaptcha: https://www.androidauthority.com/grapheneos-google-apple-app...
skybrian 16 hours ago||
Yes, Google could do a lot of things, in theory. Doesn’t mean they’re doing it.
0x_rs 14 hours ago|||
They are doing it now. You can already see that captcha around online, and cannot get past it without surrendering your identity to them.
notrealyme123 15 hours ago||||
As Android shows: they are doing it.
Hugsbox 13 hours ago|||
The point is, they are doing it...
kuschku 15 hours ago|||
Recaptcha already requires a Google-certified Android device today. That does heavily restrict what websites a browser can access.
paulnpace 8 hours ago||
A threat being masqueraded as protection is a deception. I now think this has been Google's modus operandi the entire time.
wazoox 16 hours ago||
I've already disabled Play Protect ages ago because it kept removing apps I had installed through F-Droid. Actually, I almost only install apps via F-Droid. I wonder if the ADV will install with Play Protect disabled?
Pxtl 9 hours ago|
Maybe I've too much faith in Google, but a part of me wonders if Google doesn't want to get sued for this change. After all, their competitors have similar systems. While Microsoft's is circumventable with a few click-throughs, it's particularly nasty in that their code-signing certs are comparatively brutally expensive, too much so for hobbyist projects generally.

If Google is looking at a world where all of their competitors are using first-party-controlled signing, it makes sense for them to wonder "why not us". And if they get sued for this, that would set the precedent for all of their competitors too.

At that point the playing field would be level and platforms would be properly open.
