Google is Trojans all the way down. What is the true intent of almost every Google product? Data harvesting.
Every single product is spyware of some kind. They've even managed to trojanize TVs by subsidising manufacturers to ship their spyware.
Someone needs to create a Linux based mobile OS foundation - Google's domination is contrary to many large companies' interests, and if Meta and many other such companies were approached, they may well donate large sums of money in their own strategic interests.
With such an article, many (including perhaps google) get the ammo to disregard what fdroid says, by branding them as childish/not to be taken seriously. for eg: no reputable news org is going to post this.
PS: https://keepandroidopen.org/ is better done.
- https://news.ycombinator.com/item?id=47935853 (2 months ago, 889 comments)
- https://news.ycombinator.com/item?id=47139765 (4 months ago, 378 comments)
- https://news.ycombinator.com/item?id=47778274 (3 months ago, 68 comments)
Now that they reached penetration they do the switch - under the guise of security.
Just let me do with my hardware what I want to do with it. Let it be my responsibility to install whatever I want (and stop calling it "side-loading", as if I am doing something shady from the "side").
We need to resist this! Alas, from the broader response it seems that most people just do not care.
> That is because it is Google themselves who is propagating ADV. And once activated, this malevolent process has exactly one goal: to block you from running software by developers who haven’t been approved centrally by Google.
The rest of the article is a claim that Google's new terms of service amount to "malware is any software we [Google] don't like."
It seems like Google is aiming for its own walled garden.
Once Google feels like there is sufficient stability and compatibility with hardened memory allocator and tagged memory (and when they can get Qualcomm to support it across their range), they will make it harder, until impossible, for Graphene.
An old article [1] but:
> Google’s Android—and [Open Handset Alliance] members are contractually prohibited from building non-Google approved devices
So to compete you'd have to create a compatible Google Play Services as well as find a supporting manufacturer. Samsung managed their own competing apps and store [2] for a while along with Tizen, likely for leverage or theoretical pivot. But has since dropped that effort.
[1] https://arstechnica.com/gadgets/2018/07/googles-iron-grip-on...
[2] https://arstechnica.com/tech-policy/2021/07/google-bought-of...
Which supports only Pixel devices.
https://www.eu-digital-markets-act.com/Digital_Markets_Act_A...
We've accepted that OS vendors can do this for decades. I think that was our mistake: relying on Google as the only available vendor. We can't make a law that punishes Google for having been open all these years. Yes, of course I (like any 'HN' hacker, I'd think) would be in favor of forcing Apple to be open as well, but then it seems that the powers that currently run the EU (and a lot of voters) kinda like their remote DRM attestation for this digital identification project that you'll soon need for anything not suitable for toddlers and not reachable via a darkweb
HNers (especially Americans) are super naive and think the EU is some bastion of freedom. no. it just wants to be a huge nanny state but in a wholesome way, where you can do whatever you want as long as it's approved
all it takes is one guy who gets too mad for some reason
and it's gonna be a lot more costly for you to do anything about it vs. that guy who gets to be completely anonymous about it
Google is just trying how far they can push this.
I agree. What do you suggest? How can we contribute to the resistance?
Doesn't GrapheneOS support only Google Pixel smartphones now? For most of the users, that would mean changing their phones beforehand. And if we're talking about common people (especially not in US), it's not even everyone who can afford that. Moreover, in my opinion, by buying Google phones you're feeding Google, and I, personally, would like to avoid that.
I bought a /e/os Fairphone instead.
(For those who haven't been following along: this whole affair started with phishing. People were social-engineered into installing an app and a little later their bank accounts were empty. A big issue in various poor countries.)
Long term I would probably have more hopes in https://postmarketos.org/
Does this somehow also apply to developers in China? Are Chinese OSs (Vivo/Honor/Oppo/etc.) entirely forked off of Google's Android?
Is the solution to just a Chinese phone without the Play Store?
If Google is looking at a world where all of their competitors are using first-party-controlled signing, it makes sense for them to wonder "why not us". And if they get sued for this, that would set the precedent for all of their competitors too.
At that point the playing field would be level and platforms would be properly open.
24 hour waiting time? Big outcry.. Anticompetitive permission system where apps can do not that much more than websites? Nah, it's fine..
Unless you unlocked the bootloader, you were NEVER able to install apps you want, as Google had the final say what those apps could do (the anticompetitive permission system where user is the third class citizen, vendors are second-class citizen and there's only one first class citizen - Google). We need to fight for the right to unlock the bootloader and then not be restricted by the actual malware that is Play Integrity.
Are governments going to institute more lockdowns? Is this some topdown control thing?
I will root this POS android phone I have and forego any Google Play services and just use it as web browser and a phone. Fuck these guys!
Could one stop this by disabling OS updates?
Android making another step in this direction is bad. But, let's not kid ourselves: we are neck deep in this cyberpunk serfdom, and have been for decades. If we were to get this Android win, it would be only a small win. I'm saying this not to be defeatist, but to remind us of the bigger fight.
How does this feudal goliath meet its end? When is enough enough?
https://www.androidauthority.com/grapheneos-motorola-partner...
Billions are spent right now to make sure the glasses also run Android or iOS. So far, Google, Samsung, Magic Leap, RealWear and Vuzix are working with/on Android XR, and obviously Apple is working on AR/VR iOS.
Meta and a couple of smaller startups are doing something in-house, but I don't give them much chance to get an ecosystem going.
* (March 2026) Motorola announces a partnership with GrapheneOS Foundation - https://motorolanews.com/motorola-three-new-b2b-solutions-at...
e.g. first one in the list:
> Support for using alternate operating systems including full hardware security functionality
GrapheneOS wants users to lock the bootloader (≈enable Secure Boot) after install by providing user signing keys (avb_custom_key) -- that already seems to leave only Pixel, Nothing and Fairphone.
Yes. For example if you install an apk from an unknown source (like a random website via browser or messenger) it will warn you what you are about to do and what effects that has.
You don't need to block stupid behavior. Just make sure users are well aware of their actions as long as they actually read warnings.
I use a Samsung too. The bloat, dark patterns and enshitification with every update are even worse.
But then, the Librem 5 phone just failed a few years ago, telling the story that people who care about their rights are still sensitive to how much they would pay (which is a form of rights too).
Also but, there is the thing, making a phone is not easy. If you reach deep enough, you'll eventually reach the layer where you realize how solid the monopolization has become. The global telecom standards, if you read them, are in the hands of a few companies: Broadcom, Motorola, Huawei, Nokia and such. They'll control whether or not your phone can access the network. Then there are telecom companies who run the network, and they might have to approve your device/modem as well since they got their channel allocation from the government.
It's not easy, and it's not just the software problem.
Oh and yes, we also have the software problem. Linux, if you want to go that route, cannot be used as a mobile OS, at least not for the public, because average people don't know how to properly secure their system, and Linux is not a restrictive-by-default system. It will be a malware nightmare if you ship Linux on a phone as is.
The best hope for now I think is for geek vendors to make more mobile/4/5G enabled Fairphone or uConsole-like product to the enthusiast market, and then you can load whatever OS on it as you want.
I do not need Google Play (a collection of spyware, covertly collecting Wifi points and cell towers location in my country and sending them abroad), I do not need bank apps (I have a laptop for that) so I guess I will be fine. Obviously there will be no developer verification on my device as well, and I mostly use apps from F-Droid anyway.
Good thing about F-Droid is that they build apps themselves and you can always get the sources - unlike Google Play and Apple Store that provide no sources and unlike PyPi/NPM which allows sources to not match the binary distribution.
I really need to take the time and go with Graphene OS in this device. My bank N26 kind of still allows it, but they made it harder and harder to use with certain custom checks. Looks like in the future I need a separate banking phone and my daily driver.
The device works right now how I want it. I don't want anything to change.
On my android phone:
My own launcher
My own keyboard
My own sync tool for local net
My own net tools to WoL some devices on my lan.
My own tool to control 3 proxmox servers
My own tool that parses groceries slips
My own tool that keeps track of my vehicles events/lifecycle/purchases etc.
If they break my launcher/keyboard and my ability to use my phone in my customized way, they will NEVER see me as a client again. None of these apps are in the Play Store, they are signed with my own signing keys, which have never been uploaded to google, in fact, no google account is linked to these apps. These apps are also privacy-oriented (even the keyboard, I ship a 1mb dictionary with and it learns my own words, never transmits anything).
I will not give google my ID, neither Persona nor anyone else. I'm very happy to go back to using bank card + chip + pin than use google wallet. Trust me I will walk away. I already moved 4 family members off of Windows in the last 2 years, I will get them off google too.
- SailfishOS: still linux based and seems fairly community inclusive, but the UI part of the stack is closed source. Is the only one officially allowed to run android apps, via emulation. Has existed for a very long time, it's lightweight and I think the most stable/bug-free in this list.
- Ubuntu Touch: fully open source and community driven, it uses snap packages for security, you might be able to run android apps. Last time I ran it also seemed fairly stable/bug-free.
- PureOS: fully open source and privacy focused. I think it's the only one that, released with the Librem 5, can avoid using proprietary blobs for interfacing with the hardware. Seems less stable than SailfishOS and Ubuntu Touch. You would need to buy a fairly expensive-but-old phone(librem 5) to run it.
- PostmarketOS: fully open source, focused on being lightweight and revive old phones, has a huge amount of phones it has been tested on, is based on Alpine.
- Mobian: mobile version of Debian, it's fairly new on this list.
There are many more linux mobile OSes, but as far as I know these are the main ones. There might also be some inaccuracies on this post, I tested some of these a long time ago, and I never actually ran the last 2.
For good reasons. Most other devices aren't secure enough to guarantee privacy. Especially not if loaded with a custom operating system (most devices don't allow to verify the boot chain with a custom OS)
> And if we're talking about common people (especially not in US), it's not even everyone who can afford that.
You can get a new Pixel 9a here in europe for around 350€ and it will be supported at least until April 2032
> Moreover, in my opinion, by buying Google phones you're feeding Google, and I, personally, would like to avoid that.
Google phones are surprisingly open and work well. Google takes a pro-user stance here that is extremely rare in the ecosystem, so why not support this product?
Rolling the dice on a new technology could wind up being much more favorable.
Convincing developers, especially bank and gov apps, is near impossible and won't scale well. Going after Alphabet for not meeting DMA obligations seems the easier path. Might not go anywhere but worth a shot.
[1] https://privsec.dev/posts/android/banking-applications-compa...
This is also the argument they use to try to convince app vendors to add their keys to the allowlist, because the app makers can trust that their DRM will be active (if Netflix sets a "no screen recording" flag, you the user cannot circumvent it by e.g. reading /dev/fb0). It should have broader compatibility than other FOSS Android builds (when running the officially signed version of course, you can't compile it yourself and expect such apps to run there)
If we ask their fine search engine, the AI helpfully explains malware to be software designed to gain unauthorized access to disrupt, extort payments and/or hijack devices.
If you still think the shoe doesn't fit, imagine what would happen if one managed to create an app with the same capabilities. Google would remove it immediately for being malware. Obvious malware.
You can only run LineageOS on smartphones that allow unlocking the bootloader (which is more and more rare), and properly release the kernel source-code (many still don't, especially low-end MTK-based phones...)
but I can totally see Google banning developers and removing their apps for political reasons, where some lobbying group bombs them with emails
because with this they're explicitly saying they're now choosing who gets to be in or out, there's no way for them to say we can't do anything about it
I do think this would improve security, but I also think it's sort of a Trojan horse to lock down the ecosystem
all OSes have malware level capabilities. it's literally the definition of an OS
But even ignoring this - it is not for Alphabet/Google to decide whether, and how, I want protections. I want to be able to pick a sequence of bytes and install that as an application on my phone, without Alphabet having any say in whether that happens or not, and in fact without them knowing about it. It's my phone, not theirs, and the software should help me do what I need/want, not help them provide me their often-questionable services.
It remains to be seen whether the EU decides that this measure is strictly necessary, proportionate and duly justified. They sometimes do the right thing but I'm not getting my hopes up.
But yeah, you could have a loony turn up.
I've seen more outrage on HN posts about license changes than those related to this. I mean we are in the midst of one of the biggest rug pulls of our lifetime and the response was not even remotely proportional. I wish it was at least a fraction of what it was during the SOPA act.
Not even businesses that could be hurt by entrenching Google more in the mobile space are acknowledging the issue.
That makes me think maybe all the outrage at the SOPA time was probably "promoted" because it aligned with their commercial interests, or maybe Google is all too powerful and too deeply entrenched that nobody wants to upset them.
There is a clear legal asymmetry where allowing competitors on your platform makes you liable if they complain, but blocking out everyone except for yourself is a totally ok and legally rosy way to do business.
Did it take the world by storm ? No.
But it exists, has users & is building the case (together with Sailfish OS and others) that having an abusive mobile OS duopoly is not the desirable state of matters.
Linux is a kernel. A Linux-based distribution decides what the defaults would be. Why, in your opinion, would a Linux distro targeting phone-ish ARM64 hardware be problematic? Why would it be a "malware nightmare"?
https://news.ycombinator.com/item?id=48730729
More and more sites require you to use it be it github, or even fdroid (via gitlab).
I still use the play store for some apps unfortunately. Also google maps, gmail, google messages (for rcs) and google fi. I'm not sure if there's anything close to the quality of traffic reporting as google maps, so it's hard to give up. The rest I will eventually move away from... Hopefully.
I have a home server with a reverse wireguard proxy for self hosting photos, calendars, etc.
I also have firefox with noscript blocking everything by default, but that's a big pain for an average person. Also it doesn't seem like firefox does a good job of anti-fingerprinting, but I haven't looked too deeply into that.
I even bought a tv that has adb access, and I removed a bunch of bloat, but it doesn't seem possible to remove the google launcher without causing huge system instability. I might just firewall it off.
There are a ton of open source alternatives to google products now, way more than the last time I tried moving away. It's time to leave.
Not impossible though, my bank and govt eID app did do safetynet, but after enough users complained in both apps you can now skip a warning and use it without issues
One of the core tenets of truly free software is that I as user must be able to run, access, edit, and view everything.
https://www.reuters.com/world/europe/kremlin-demands-explana...
That still wouldn't affect projects like Debian or Arch, but going even further, they can't push through updates anyway. Nothing forces me to install updates, it's an active choice to do so.
They can sue you and Google will give your address to the court, clearly. But swat? Send packages? How?
The irony of Chinese vendors providing a breath of fresh low-DRM air.
Install f-droid and all kinds of 3rd party apps now.
Install GrapheneOS. (I'm guilty of not having done that yet :( )
Sign the petition (https://keepandroidopen.org/).
Meanwhile the daily driver phones of my privacy-aware family members running up-to-date Lineage or Graphene OS with recent kernels and frequent updates constantly run into apps refusing to work for "security" reasons. It's a complete joke.
There are a lot of poor people, mostly brown people, who do not have the ability to get one of these licenses.
Some of them are feeding themselves with their ability to write, and Google is literally stealing that food from their mouths.
Separately, the process of installing apps that are outside a system app store and aren't verified has also changed, but this is not required by the developer verification feature, and the result seems like a wash to me. The first time you enable installing apps from other sources is harder, but this setting then persists across device upgrades, so the subsequent times go away completely. This now requires developer mode, but apps that check developer mode (I haven't found any in the US) can be mollified with a Tasker task to disable developer mode when launching those apps and enable it again after.
Because they will pull the rug here one day too. Why on earth should we trust them to keep this approach to their hardware?
If you either buy a Fairphone from Murena (with /e/ OS) or from Iode (with Iode OS) or if you buy a standard one and install a version of Android without Google Play Services (like /e/ os or Iode), then you can still use FDroid.
They also have a bad reputation when it comes to updating their software. E.g. their initial Android 15 builds for FP4 had bad memory management issues, with a result that many people could only have one app in memory at the time, which made it impossible to switch between e.g. an app/browser and a password manager/payment app. Some of their updates would cause boot loops when there were fingerprint reader issues, etc. Currently a lot of users are dealing with an issue where apps hang when used over WiFi because IPv6 gets misconfigured when a router sends an IPv6 router advertisement with lifetime 0 (which e.g. Fritz!Boxes that are popular in Europe do). The issue has been there for over three months without any acknowledgement or fix from Fairphone.
Also, even though they do Android Security Bulletins and major releases (though very late), their phones often run ancient kernels and firmware with many known vulnerabilities. This is also the case if you run an alternative OS, because pretty much all of them use upstream trees. Also their firmware has Chinese TCL image processing blobs (might be a security/privacy issue for some people).
I think many of these issues stem from the fact that the development of both the hardware and the software is largely outsourced to a Chinese ODM (T2Mobile), who maintain everything, so there is a lot of delay in everything. My guess is that Fairphone as a company is mostly a PR/support/supply chain auditing (as in minerals/labor, not software supply chain) company, with all the development outsourced.
The whole point of this outrage is that alternative stores (like f-droid) can wholly and entirely be shut down on a whim without recourse.
Personally, I do not use Android apps on the Librem 5, but Waydroid is available in the PureOS repository. Waydroid is a container-based approach to boot a full Android system on regular GNU/Linux systems running Wayland based desktop environments (like PureOS).
PureOS also provides convergence via Phosh. Convergence means here that the same app can be used on a phone and on a big screen, the GUI adjusts to the available screen size.
Phosh aims to provide a daily-usable, robust and easy to use graphical user environment for mobile devices running mainline Linux. Phosh was originally initiated by developers from Purism for the Librem 5 phone but is nowadays used on many different devices covering smartphones, tablets and convertibles. It has even been seen on laptops.
That's debian based with gnome and seems to be built by capable people. Also, it can run android apps.
And the setting is "optional", just do the 24h-waiting song and dance to change it, or use ADB. /s
those people fall for this because for everything poor people do, they need an app that is provided by sleazy vendors and that requires tons of permissions, and face scan and what not. they were primed so those businesses could save in operating costs.
that's the problem. won't solve it with slightly less sleazy vendors.
If you are running Android 8 or higher, a virus has been installed on your device and is silently awaiting remote activation. Over the past few months, devices around the world have been infected with this novel strain, with as many as 4 billion Android handsets and tablets estimated to have already been contaminated, meaning that around half of all humanity may be at risk from this threat.
Disguising itself as the innocuously-titled “Android Developer Verifier” (ADV) process, this trojan horse runs surreptitiously in the background as a system service with full root privileges, quietly awaiting an activation signal. The service cannot be blocked, disabled, or removed. Unlike a commonplace bit of malware, this extraordinary strain won’t be detected and neutralized by Play Protect (the malware scanning and remediation service that is installed on all Android Certified devices). In fact, Play Protect is itself the vector through which this virus is transmitted and installed.
That is because it is Google themselves who is propagating ADV. And once activated, this malevolent process has exactly one goal: to block you from running software by developers who haven’t been approved centrally by Google.
We first raised the alarm about the Android Developer Verification program last September (“F-Droid and Google’s Developer Registration Decree”) shortly after it was first announced. Google’s looming requirement that all Android developers register themselves centrally is rationalized as a solution to help stem the spread of malware. However it doesn’t actually feature any capabilities to prevent a malevolent actor from distributing malware in the first place; the only alleged benefit of ADV is that it may help slow the actions of an already-identified recidivist by requiring that they create (or buy) another account in order to continue distributing their malware with a new signing key.
For this fairly narrow threat vector of malware recidivism, a variety of considerably less draconian solutions have been proposed. Play Protect itself could be enhanced to scrutinize more closely those newly-installed apps that have elevated permissions or that were obtained through suspect channels, continuing with their recently touted advances in on-device security capabilities. Or a system of federated verifiers might be implemented (as proposed in “DCM: A Developers Certification Model for Mobile Ecosystems”, 2023) that would empower end-users to select their own trusted curators and authorities for ex-ante approval. Instead, Google has used this minor vector as a pretext to radically re-engineer the entire Android ecosystem by fiat, upending an 18-year tradition of open software development and positioning themselves as the world’s sole gatekeeper for which apps are permitted to exist.
Should a developer — contrary to our recommendation — elect to register themself with Google as a “verified” developer, they should expect to sign up for an account and pay a fee, surrender detailed personal information and upload government-issued identification, and then proceed to register the identifiers and signing keys for all the apps they intend to distribute (now or ever).
But the most diabolical stage is the compulsory agreement to the Android Developer Console Terms of Service. There are numerous causes for disquiet in this document, but the most concerning of all ought to be:
> 6.5 If You violate any of the Terms or if You distribute malware or other harmful applications, Google may terminate Your access to the ADC…
This reasonable-sounding clause begs the question: what exactly is meant by “malware”? No definition of the term is to be found anywhere in the document. With the absence of any formal definition, standard, or guideline, it implicitly states:
> …and “malware” means whatever we say it means.
As we discussed in “What We Talk About When We Talk About Sideloading”, beware the dangers of allowing the terminology of debate to be defined by those who don’t have your best interests at heart. Malware being synonymous with “software we don’t like” means that they can unilaterally dictate — driven either by business incentives or by being compelled by a sufficiently powerful government — what the malware-du-jour definition is to be.
For precedent, personal content filtering in the form of “ad blockers” has long since been banned from the Play Store, and they have even classified some instances as malware. How long before they designate all ad-blocking software as malware, block installation on all Android certified devices worldwide, and permanently designate all developers of this class of software as malware creators? Such a move would certainly be aligned with their commercial incentives as the global ad-tech monopolist, and would be completely in accordance with the language of their ADC Terms and Conditions.
In terms of voluntary developer uptake, their recent claim that “over 99% of [Play developers’] apps have been registered” suggests that ADV is somehow a popular and widely-accepted dictate. That couldn’t be further from the truth: those 99% of developers were auto-opted-in without their informed consent due to being already bound by their Play Store agreements.
In fact, hundreds of thousands of people have signed a petition opposing ADV. The Open Letter at keepandroidopen.org denouncing the program has been signed by over 70 organizations around the world, including the EFF, FSF, FSFE, ACLU, and the inestimable Forbrukerrådet. Any internet search, chatbot query, or social media poll will confirm that the opposition to this program is overwhelming and the condemnation is universal. 90% of viewers of the developer roundtable video where they attempt to defend the program registered a dislike of the spectacle, and even Google Gemini responds to inquiries about the popularity of the program with:
> Aside from Google itself, finding full-throated, enthusiastic support for the mandatory Android Developer Verification program in the tech community is virtually impossible.
>
> The backlash is overwhelmingly dominant—headlined by the “Keep Android Open” coalition of civil rights and open-source groups fiercely opposing the central registration requirement.
And yet their lockdown blitzkrieg proceeds apace. Legislators and regulators have thus far been unreceptive to the outcry. Our own position as a bastion of software freedom and respect for user rights and privacy is in extreme jeopardy. The F-Droid model of security and trust through open-source transparency is fundamentally at odds with the “trust me bro” security model of the closed-source commercial app stores. And while these two models have been able to co-exist for the past 16 years of F-Droid’s existence, it appears that Google intends to establish a regime where they alone have a monopoly on the definitions of “security” and “trust”.
We do not yet know the exact failure mode to expect when the ADV activation is triggered on September 30. If you are one of the 580 million people living in Brazil, Indonesia, Singapore, or Thailand, know that these are the first four targets of the ADV lockdown according to their published timeline (global rollout is ominously predicted to then occur throughout “2027 and beyond”).
There are many things we don’t know about what to expect on September 30. Some common questions that we do not yet have the answer to, for those in the afflicted regions, are:
We have reached out to the malware vendor with our inquiries. In the coming weeks and months leading up to the lockdown, we will be publishing more guidance and support for those due to be impacted by ADV.
AI also says that it is possible to have push notifications without Google.
After all, it might rain tomorrow - but you should still go outside today.
1. Provide or find pro bono legal resources deeply familiar with EU DMA and similar antitrust regulations, willing to proof-check and improve this report, and perhaps advise on better channels to submit it.
2. Locate more affected end-users, including applicable members of the GrapheneOS Foundation and developers behind other distributions, make them aware of these efforts so that hopefully we submit a joint complaint. (Might get more traction, though AFAICT reporting is limited to EU citizens).
Happy to fork this into its own repository if it helps with collaboration.
UI/UX is costly, and most FOSS projects cannot get it right without massive investments from enterprises (e.g., Red Hat's UX designers heavily contributed to GNOME) or startups (e.g., Zed, Element, Bluesky).
Projects without that backing are mostly unusable, at least from a Gen Z perspective.
https://developer.huawei.com/consumer/en/arkts/
And now they are adding yet another one, AOT compiled, Cangjie
Using an Android fork has been a transition step.
- they're among the most expensive (I could afford that if needed though)
- they don't allow hardware unlock (ehh.. what's the point, then, if I get a locked-down device with Chinese surprises!)
It didn't.
Phishing is just a pretext. Google didn't care about Phishing for the first 20 years of Android. Why do they now? Because it serves as argument to close their platform a little more (which is a trend that has been going on for years).
Google has changed the game on something you already own. I'm sure their lawyers have done their homework, but in some jurisdictions this is certainly actionable.
1. People are conditioned to ignore warnings. There are way too many benign warnings in the world; you can't read them all.
2. Even when people wouldn't ignore them, in cases where they are being tricked by scammers it's easy for the scammer to talk people into accepting them.
3. Those sorts of warnings aren't actionable. You're installing a new app. It appears legit. You want to use it. You get a warning like "this app hasn't been verified; it might be malware!". What can you do with the information? Absolutely nothing. 99.9999% of users have zero way of doing any deeper check to see whether it actually is malware. Their only options are to give up and go home, or just hope that the warning is wrong. Even I - a highly technical user - get zero value from things like Windows' SmartScreen. "The app you're running hasn't been signed! It might be malware!". Err yeah sure. I'm not going to reverse engineer it to check, am I?
I think their solution of allowing you to disable the restriction with a one-time one-day delay is actually a really reasonable solution. As long as they don't go further than that - the risk is that it is just a temporary placation and they'll ditch that option in a few years.
This is new to me, want to stay on top of it.
> Should a developer[...] elect to register themself with Google as a “verified” developer, they should expect to sign up for an account and pay a fee, surrender detailed personal information and upload government-issued identification, and then proceed to register the identifiers and signing keys for all the apps they intend to distribute (now or ever).
Those are big impediments to open development. The agreement developers sign states:
> 6.5 If You violate any of the Terms or if You distribute malware or other harmful applications, Google may terminate Your access to the ADC…
But they don't actually define "malware" anywhere in the document. Search HN if you want to hear horror stories about how Google handles loose definitions and people's accounts.
With that policy, Google encourages stalkers and puts developers in danger.
https://abc.xyz/investor/board-and-governance/google-code-of...
But I prefer this to the feeling that I'm being limited on what I can do on Android/Apple, and the worry of being in a duopoly that allows the companies to worsen their products without ever fearing competition (as far as they do it in small chunks).
Also the bank should not require apps (instead they can offer hardware key support or desktop apps) and in fact some - at least in Germany - offer a different authentication possibility. Also the app for the German ID is published on F-Droid and does not rely on Google services.
I do not have any bank apps on my phone (it is not even connected to the Internet) and I have no problem.
They likely won't specify 100k people or 10% of population or whatever email/petition but it at least records the requirement that other OSes exist and requires a process to support
HN commenters will not let it go
Most HN readers have multiple computers, including multiple phones
There is no requirement that one has to run a closed-source banking or government ID app on the same phone as open-source apps, e.g., apps from F-Droid
And it ignores countless people who do not and will never use banking or government ID apps
I tested a banking app for depositing a paper cheque and it was incredibly convenient. At the same time, the app tried to make a plain, unencrypted HTTP connection to www.google.com
I blocked these connection attempts and the app still worked, with plenty of phoney error warnings. I would not be comfortable leaving one of these apps installed on a phone that's charged, powered on and has a connection to the internet
Every user is different but it makes no sense to argue on HN of all places that these closed-source banking apps are essential for everyone. Many HN users are never going to use these apps, and rightfully so
They have few devices of their own (new one coming out this October) and they officially support many Sony Xperia devices. There are also many community ports.
- https://ubuntu-touch.io - https://devices.ubuntu-touch.io
They have 33 supported devices, some are being shipped directly with the OS or have an official agreement with the phone maker, while others are community ports. Even if community ports, they all seem to have high hardware support, and it is all very clearly documented.
- https://puri.sm/products/librem-5 / https://pureos.net
They focus just on the Librem 5, and not everything is fully working but as I said they prioritised privacy and FOSS. The phone is old but the OS is still in active development.
- https://postmarketos.org - https://wiki.postmarketos.org/wiki/Devices
They focus on supporting as many devices as possible, currently they don't have "main" devices they support, but they plan to. They too have very clear documentation on features available for each device.
- https://mobian.org - https://wiki.debian.org/Mobian/Devices
They target devices made with the intent of running Linux, but also have a few ports to Android devices.
---
You'll notice that there are a few devices that are more "Linux-friendly" and that are supported by many of these OSes. Phones from Pinephone and Fairphone being the main ones.
We can't keep catering to the lowest common denominator of user. We have lost many computing freedoms over the decades as a result of this. Sorry, but it's unacceptable.
If they really want such a locked-down experience to be the default, they could also just as easily put out a ROM everyone else can flash that has no restrictions. You still get to cater to the lowest common denominator but without taking freedoms away from anyone else that wants to keep them, with official support. No scammer is going to convince someone to plug their phone into their laptop and flash a new ROM in order to scam them. If they can, there are no protections that would have helped in the first place.
You can't possibly convince me that Google couldn't develop something like that if they wanted to.
The correct thing to complain about is requiring developer mode for unverified installs, which doesn't seem necessary, not ADV. If you complain about ADV, of course the legislators are going to ignore you. ADV makes Google builds strictly more open and resolves the complaints of the state.
It's not perfect, but far from useless. Some use it as a daily driver.
Depending on your country, it can be super doable. There are also lots of indie native apps.
Many banks gate features like mobile check deposit behind the native app. The nearest ATM is 20 minutes away from my house, so unfortunately I consider this feature essential.
Many services won't work at all.
Which device you need to be more secure depends on your needs and which device you put sensitive data on, but a mobile device is going to provide far better privacy and security than any desktop hardware or OS is currently capable of.
How do you determine/enforce whether an app is a "payment app" without a centralized developer program? They don't require any special privileges. After all, most banking apps have web equivalents.
You could probably restrict "risky" APIs like draw-over-other-apps, but tbh I think that would be a worse solution than just making people wait 24 hours once.
Perhaps the antiquity of the US banking system is finally coming in handy. I’ve still got my checkbook ready to go!
But as a Plan B, why aren’t we emulating Android on these devices (or is it the Secure Enclave that’s the spicy bit that these apps need)?
Ride hail app? Transit fare app? Government ID app? Airline app? Maybe you don't need them yet, but the best way to model this future is to consider what you'd do if you didn't have a phone at all, and the amount of friction this will generate as the expectations are only entrenched and expanded.
I'm glad people are saying no. It's good to do it as long as we can. But the final outcome seems inevitable now and to me it feels very close.
This makes emulation basically impossible.
These might not be very common, but they're still not really rare in society either.
I blame it on the fact that the US doesn't have a free electronic bank transfer system like the rest of the developed world.