
FreeDroidWarn


228 comments

·September 2, 2025

zx8080

This story with restricting users is a similar one to Manifest V3 in Chromium.

But we don't have anything like FF as an alternative to go from Android. Especially considering banks require "certified OS".

Hackbraten

I switched to a Linux smartphone because I've had enough of the duopoly.

I also switched banks so I can use my bank card as the 2FA device, similar to CAP. [0]

[0]: https://en.wikipedia.org/wiki/Chip_Authentication_Program

jwrallie

Probably in the long run the only way to go will be to own/carry two devices. A long supported phone with stock firmware and apps you are "forced" to use to interface with the world around you, and a second Linux portable machine where you have your freedom.

subscribed

No, it's not "long supported" phone fallacy.

Google, and by extension banks, are claiming that the phone on Android 9, without security updates AT ALL since 2009, is perfectly safe and secure to use.

Meanwhile, really well locked OS, hardened so well some of the improvements were later picked up upstream (both by Google and Apple), running _the_ latest AOSP version and releasing new security updates within hours is not considered safe and secure, despite assuring full chain of trust (including locked bootloader, verified boot, etc).

This is what Play Integrity does.

Of course Android supports a better scheme, hardware attestation, but of course Google enforces their iron grip on the ecosystem, and instead uses the outdated, flawed system that certifies only the devices with preinstalled Google services running in the privileged mode. Snooping on everything you do and have.

That's the reason.

dTal

I've been doing this for years already, except I split it further to three devices:

1) an old iPhone with 0 personal data on it and in no way linked to my identity, which is used for completely untrustable commercial apps, and rarely even leaves the house.

2) a LineageOS Android which is my daily smartphone for things like camera and GPS, running almost exclusively open source apps, except for unavoidables like WhatsApp which are run in a separate profile

3) a GPD Micro PC running Void Linux, which is roughly the same size as the phone and a true swiss army knife. Its purpose is to reliably do what I want, when I want it. No systemd, for it does not spark joy. It is used for web browsing, note taking, light productivity, and playing movies on the TVs of friends who have overinvested in streaming and dongles only to find that $CHOSEN_MOVIE is not on any of their services.

I am not entirely happy with this state of affairs - too many devices, and still not enough siloing of closed apps like WhatsApp.

CalRobert

You won’t be able to do much with the second. Web sites will force login with google, etc. and only work for attested browsers.

anonzzzies

I wish I had enough clout / money to get a Chinese tablet maker to allow me to install Linux. Luckily I could root it which is great, but outside that I'm lost. Hope someone will make my dream device with Linux some day.

bityard

Someone already does, check out the StarLite tablet. It even runs coreboot firmware.

russnes

Which one?

Hackbraten

It’s a Librem 5. I’m looking for a more powerful model that can also run mainline(-ish) Linux.

seviu

Out of all the models I saw, SailfishOS is the only one that ticks all the boxes for me.

Wish there were other alternatives. PinePhone Pro got discontinued. This is truly a duopoly.

yonatan8070

What if we collectively decide to use the web alternatives for banking? We lose some convenience since they are generally desktop oriented, but they don't check who signed my kernel.

thombles

My bank recently made it that app-based MFA must be used for every single web login. Unless I and many others are willing to swap banks in the vain hope that the new bank won't do the same thing (I am not), then we're cooked.

lrvick

Just say you do not have a compatible device. Special undocumented alternatives appear every time in my experience.

dingnuts

fuck it back to cash

MathMonkeyMan

I uninstalled banking related apps from my phone years ago. I used it so infrequently that every time I did use it, it was as if it had been newly installed and didn't remember anything about me. Now I use a desktop web browser for anything finance (and it's Firefox on Linux, so thankfully that works for now).

pastage

The phone will be used as MFA, and that will have requirements especially on Android versions. So it is going to be harder to escape it, it is darn comfortable using Android as an MFA. Many banks still use a custom device for MFA here but it is slowly going away.

BankID in Sweden and similar in other European countries.

homebrewer

It's getting repetitive to come with the same message over and over and over again, but in many countries you can no longer interact with your bank through the web browser. The banks' applications are either required for 2FA, or are the only way to use remote banking at all.

The last one applies in my country. You can of course go to the bank branch for every little financial operation, which is bad enough by itself for us living in cities, but is practically impossible for my relatives in the rural area, who would have to drive 100 km to the nearest bank branch, and then back just to move some money between two accounts.

Even if you don't care for anyone else but your country, it will come to you also, I promise.

PeterStuer

Many banks are slowly phasing out their websites to go app only.

Gigachad

In Australia they aren't phasing out web, but anything high risk like a transaction to a new contact and you have to approve it on the app. The app is considered a significantly safer environment.

derwiki

Which ones?


1gn15

Also, use ATMs if you can instead. Don't use proprietary code on your own machine; run it on theirs instead.

falcor84

I don't understand the sentiment - how does relinquishing control of the hardware help us? I see a possible future where the banks/governments give the people devices to use for these things, and I don't like this future, as these would surely become spy instruments.

PeterStuer

ATMs are disappearing. There used to be one at every corner. Now, I have to travel to the next village that has just one left at the train station.

Cash is positioned as suspicious. In 10 years, it might very well be illegal.

tim1994

Ain't gonna happen (unfortunately). Somehow people (outside of HN) seem to like to use apps for everything. EVERYTHING.

lifthrasiir

Except they did in several countries, typically using activeX.

sfdlkj3jk342a

It's too late for that. In many Asian countries, most of the banks have completely removed access via a browser.

wafflemaker

Most banks worth their salt accept GrapheneOS.

DNB in Norway does for sure. Same for BankID, national electronic identity authorization provider. There are good programmers out there that know their stuff. Find a bank that has a hacker culture like DnB.

I remember that I chose them just by comparing uMatrix output between them and SpareBank - the other big player. DNB had no 3rd party trackers showing, while SpareBank had a lot.

Sayrus

Same in France, I would have switched to another bank that supports GrapheneOS if mine didn't. In my case, I doubt it's hacker culture but more of a sovereignty and accessibility issue which made them choose to not rely on Play Integrity.

uyzstvqs

I use several European banks, GrapheneOS works just fine.

FYI, I know that Revolut is a Europe-wide bank which does not use Play integrity. In case anyone needs it.

I've only had one non-banking app trigger the "used Play integrity" warning, though that app apparently does not care and still works fine.

safety1st

I live in Thailand which is very mobile first and the main way to pay for things here is through your banking app, you scan a QR code, it fires up the app and you make a transfer.

The convenience is great but increasingly businesses now begin to offer this as the ONLY way to pay.

I keep telling people because I'm seeing it begin. This is how it happens, this is the endgame for freedom, democracy and life as you know it. Give the West 20-30 years, it will happen in some developing countries sooner.

They will require the approved app to buy and sell. Without it you will be outside the financial system, and maybe will starve.

They will require the approved app to only run on the approved operating system. You will have 2-3 options for the approved operating system but total surveillance will be a mandatory feature on all of them.

Finally, they will punish you for wrongthink when your surveilled device detects you writing or saying it.

As the world gets worse political leaders will become more authoritarian until one finally checks the last box on that list, and that's the end.

There will be no escape except for death.

All the pieces are coming into place. Every time you hear them talking about better security for XYZ you can see how it's one of the pieces on the board, being moved one square.

I don't think there is one guy who has this master plan I think it's the inevitable end state for surveillance capitalism that's as pervasive as ours.

I am an atheist, I think the Bible is all fairy tales, and yet the "Mark of the Beast" vibes I get from where the world is going are out of control. The mark on your hand or your forehead that will be required to buy or sell, that was what you'd be forced to accept once the Antichrist took over, or whatever. The 2,000 year old fairy tales were not wrong they are starting to set it up now, you carry the device in your hand, they will do it through payments and banking.

hans_castorp

I am curious: how do tourists pay? Will they be forced to install those apps as well without having a bank account in Thailand?

safety1st

The government and one of the largest banks collaborated to release an app which lets tourists make payments through the QR based system this year: https://www.tatnews.org/2025/03/tourist-e-wallet-tagthai-eas...

homebrewer

When traveling to China, which is also a very mobile-first country, you're expected to install AliPay and WeChat. A couple of years ago AliPay started accepting foreign bank cards, which you add to your account (in addition to lots of other information including photos of yourself and scans of your government id), and then pay through the AliPay application everywhere. Cash has been made extremely inconvenient or even impossible to use, foreign cards are also often not accepted.

darkwater

> I am curious: how do tourists pay?

Cash or normal credit/debit card, but I guess that for natives having a credit/debit card costs more money, and cash, well, it's cash like everywhere else with its pros and cons.

stavros

This has been happening for a while. I've seen plenty of card-only shops in the UK and US.

fluidcruft

Here's what I think Google should do: I really like the Work Profile feature. It essentially sandboxes Work from personal and it adds nice little briefcase badges to mark apps that are in the Work Profile.

Another solution might be to add an optional Uncertified Profile that if turned on allows unregistered apps but sandboxes them and marks them with a "dangerous" badge. That might ensnare these trojans and malicious apps that pose as legit. That might be enough to scare grandma and let people who know what they are doing do what they want.

Although, frankly I'd just prefer google just made a "Secure Profile" to keep bank apps and other high-security apps away from everything else.

throwaway290

> allows unregistered apps but sandboxes them and marks them with a "dangerous" badge

Surely apps are sandboxed on android by default?

userbinator

The alternative is older versions of Android, from before these hostile changes. The propaganda that it's "unsafe" is just that, propaganda. Perhaps Google will realise once enough of the population refuses to put on the noose.

russnes

The majority of the population will happily put on the noose and they will join in on pressuring you to do it too. Don't kid yourself. However, a successful resistance movement only requires like 3% of the population or something.

zx8080

It's totally unfeasible for those using stock devices. Refusing to upgrade takes lots of attention even from experienced users like developers. A regular user just doesn't have any chance to avoid accidentally clicking or intentionally accepting the annoying permanent notification to upgrade the OS.

userbinator

It's the norm for the huge number of users with devices where there is no newer upgrade available from the original manufacturer. Back when Android was great(tm) there were far more of those than today.

saidinesh5

The problem is not the propaganda, it is the businesses restricting the freedom and choices of users because of this propaganda.

So many apps even refuse to be installed on older versions of iOS/Android.

userbinator

> So many apps even refuse to be installed on older versions of iOS/Android.

That's because they see older versions of Android decrease in usage so they think it's fine to lock them out and potentially lose customers[1], but they're not going to do that to the majority of them.

If the majority stops falling for the propaganda and "upgrading" to a worse experience, other businesses will follow.

[1] I have told businesses that changes to their site have made me no longer want to do business with them, and seen responses ranging from complete dismissal to quick reversion.

PeterStuer

The bank app, mandatorily updated to the latest version, does not run on old Android.

seviu

I don’t need a bank for my daily driver and I can have a backup phone. You can get fairly recent Android devices at a fraction of the cost of a new one.

And if you still can, use the website.

I also had enough. Switching to Linux pretty soon.

scotty79

What about GrapheneOS?

zx8080

I'm not going to buy a Pixel, feeding Google further with my pennies, just to use GrapheneOS.

fzorb

Well you can always buy second hand/refurbished.

immibis

Maybe you should buy good devices from any vendor, and the market will do what economists say it should do, and keep making those devices. (As if!)

preisschild

But Google is one of the rare Android smartphones vendors that allows you to install a custom operating system, while still allowing the same security as with the default one (ie allowing bootloader re-locking with a custom key)

zx8080

Is it a joke? Have you seen the list of supported devices?

https://grapheneos.org/releases

(Pixels only)

falcor84

Is there anything about GrapheneOS that limits it to only Pixel devices, or was it just a prioritization decision?

stein1946

Again, technological measures against this kind of attacks on ownership rights fall short and are probably what conglomerates want since it keeps the tech people busy in a self-satisfying "fight" against the big corporation.

You need legislation.

1gn15

This is the social solution. It's making users aware of the issue and pressuring them to not upgrade, and in the long run pressuring legislators to forbid such monopolistic practices if the average person dislikes it.

ajb

This.

You can have a popup, but it must have a call-to-action. Explain to users how to fight this.

that_guy_iain

It's open source... We don't need legislation; you are free to do whatever you want, and open source provides those freedoms. You just want it to be the way you want it instead of it being the way that benefits the most people.

This "fight" will always be lost, because the other side is 99% of the population and they want to stop scammers more than they want to enable you to publish software to a personal tracking device anonymously...

cubefox

99% of the population doesn't fall for scam apps outside the Play Store. They don't want to stop app scammers, because they don't have any issue with them. It's only a small minority which does, and which is supposed to justify the new restrictions in Android.

that_guy_iain

99% of the population wants to fight scammers; they don't want their grannies scammed. It 100% justifies it. Only entitled nerds think their silly edge cases matter more than everyone else.

debugnik

> This library is licensed under the GPLv3.

If the intention was to make it easier to spread the word, you've already failed.

Anyway, this whole library should have been a copy-pastable snippet for a dialog or toast (what's with the duplicate code?); the only value added is the translation, which most app devs already have a pipeline for.

The code part is so trivial that I suspect it doesn't even meet the legal bar for copyright protection in many jurisdictions.

rollcat

> Anyway, this whole library should have been a copy-pastable snippet for a dialog or toast

People under-value copy-pasting. I'd rather copy/vendor a thousand lines of code (with license+credit intact) than add it as a dependency.

I'm working on a side project, and needed a CPIO library for Go. CPIO is a fixed thing, a good implementation is "done". U-root[1] has a really decent implementation, so I've vendored 2500+ lines of code, as otherwise I'd have to (indirectly) depend on almost 700.000. Great value.

[1]: https://github.com/u-root/u-root

woheller69

changed to Apache V2.0 license

lptome

Yeah this is very

    npm i is-even

silverliver

OP, I recommend switching to the LGPLv3. It ensures users remain in control over your part of the code while avoiding this type of reaction.

debugnik

Not really, it would have maybe avoided the first paragraph. I actually really like copyleft, but I assume the social statement here is more important than the code, thus making it easier to rally around it should be the priority.

A CC0 copy-pastable snippet, plus maybe this helper library with a permissive licence. The only way this would go popular is through slacktivism, so you need to remove any friction.

woheller69

changed it to Apache V2.0 license

tempodox

> Google has announced that, starting in 2026/2027, all apps on certified Android devices will require the developer to submit personal identity details directly to Google. Since the developers of this app do not agree to this requirement, this app will no longer work on certified Android devices after that time.

I don’t have any hope that this will sway Google, but at least the users are being warned.

johannes1234321

GPLv3 seems like a quite restrictive license for such a project. I would assume they want that note to be spread everywhere and while about user's freedom, the freedom for that code may be less relevant.

woheller69

changed to Apache V2.0 license

RobertEva

Nice timing. I’d probably just ship a simple in-app dialog instead of a whole dep, but the message matters. For non-root users, will ADB + “Unknown sources” remain the escape hatch once the new checks roll out?

juliangmp

If this library is licensed under GPL, you can't really use it without relicensing your entire project, right?

woheller69

changed to Apache V2.0 license

ducktective

Didn't Google say that they're gonna provide an escape hatch for students and hobbyists? So, best case scenario, we just need to tap some label 5 times to enable side-loading again.

rollcat

We have different definitions of an "escape hatch". A user is not an IT specialist. Ordinary people need unobstructed access to lifeboats.

Apple allows developers to self-sign a handful of apps (exclusively from source!) with short-lived certs - it's a complete PITA to maintain a simple app for personal use, and you still need an account. Google is heading in the same direction.

charcircuit

You are able to get a limited number of app installs for your package for free.

https://developer.android.com/developer-verification/guides/...

rcxdude

Which still requires ID verification.

Y_Y

> You'll need
>
> Your legal name and address. These need to be verified by uploading official identity documents.

I don't have a "legal name". Sounds like some sovcit bullshit. I go by several names, none of which is canonical. Maybe other countries formalize this idea, but the countries where I am a citizen/resident do not.

> A private email address and phone number for Google to contact you. These will need to be verified using a one-time password

I love that email OTP is good enough for this, but apparently not for anything else, where I'll need an approved verified secure attested super official app.

charcircuit

> I don't have a "legal name". Sounds like some sovcit bullshit.

Considering every country has passports and passports all have the person's legal name on them. And that the passport standard only supports having one name with a primary and secondary identifier. You must be mistaken.

Tade0

All this has me wondering: what's the future of chroot-based tools like proot-distro? No app store here, just PPAs. Can largely run whatever the hell I want, provided it's distributed for the OS I'm currently running.

charcircuit

The future I see is that it gets rearchitected such that each app will correspond to an android app that way it follows the Android model properly. The current model of shoving everything into the same app is going to continually run into problems and is not the right way to do it long term. So essentially there will be a tool to easily convert a freedesktop Linux application to an android one.

In regards to this new package name registration whoever is running the repo of such packages would register a new package name for each app.

kikokikokiko

A little bit overkill to use a dependency to just show a dialog. I agree that Google is making Android less and less free with every new release, but show a damn dialog, no need to use this.

Kwpolska

It's also pretty sloppily coded, with the same code repeated in both branches of the `if`...

https://github.com/woheller69/FreeDroidWarn/blob/master/libr...

kikokikokiko

If it was 2023 I would say someone just vibecoded a trivial android piece of code. But nowadays Android studio comes with Gemini agent integrated, and I doubt it would produce such terrible redundancy on a code so simple.

Barbing

Sounds right. Though may aid in spreading the practice if it accumulates stars, goes viral on places like this?

scotty79

I think creation of this repo is more of a statement than creation of utility.

ethersteeds

I would say it's both a statement and a way to encourage other developers to "speak with one voice". Like handing out printed signs at a protest.

Hackbraten

The library features localized warnings.

bubbi

[dead]

Krasnol

Wouldn't it be nice if, in this time of feeding our IDs to the machine, there would be someone who would also offer some nice and easy way to identify ourselves digitally? Maybe someone who sits on all that unverified advertisement tracking data already and somebody who has an AI agent to feed?

I'm sure everybody would profit from that...

https://blog.google/products/google-pay/google-wallet-age-id...

politelemon

Fascinating that the same company producing zero knowledge proof implementation didn't think to use it for the purpose they mention here. Do these departments not talk to each other?

rippeltippel

It's Google we're talking about. Likely the left hand has no idea of what the right hand is doing. And it's got far more than two hands.

IshKebab

What property would they prove? The whole point (supposedly anyway) is they know your actual identity in case you publish malware.

camdroidw

What would be my options as an end user who does not want to root his device?

sjogress

Perhaps a Fairphone 6 with /e/OS (which is a de-googled Android)?

https://shop.fairphone.com/the-fairphone-gen-6-e-operating-s...

aydyn

Cry in a corner ig?

zx8080

Maybe use an iPhone? There will not be many advantages left on the Android side after that shit gets going.

politelemon

Even without side loading there are several advantages and freedoms that Android has unmatched.

scotty79

I might just move to whatever Chinese come up with. By 2027 their tech should be clearly superior in every way.

userbinator

> who does not want to root his device

Why not? Freedom isn't a given --- you need to fight for it.

psychoslave

You can't expect people to go into fight mode for every single chunk of social interaction they engage into, and still be able to enjoy any moment of freedom.

A society which values freedom should of course give a lot of it to its citizens, and expect them to defend and improve it for everyone.

A society where freedom is never a given, is not going to foster much of it.

Kwpolska

Rooting a device will usually cause banking apps to stop working.

userbinator

There are still workarounds. The way to win is to keep fighting.

immibis

Then go to your bank and say hey, fix this or close my account.

captainepoch

For now, there isn't an alternative. Maybe a Pixel phone and GrapheneOS with the sandboxed Play Store would be the only choice, but for now, nobody knows.

preisschild

Google Pixel + GrapheneOS

If you want to know if your Banking App is compatible: https://privsec.dev/posts/android/banking-applications-compa...

add-sub-mul-div

I assume my S20+ won't get this because it's stopped getting anything but security updates. Sometime next year I'll look for the latest phone that's too old to get the new behavior.

rickdeckard

I assume this will not be rolled out as an OS-upgrade but as a Play services update, so it will be enrolled by Google directly to nearly all devices on the market.