
A theoretical way to circumvent Android developer verification

asimops

While it is technically feasible, it is not a good idea to try and find a technical solution to a people/organisation problem.

Do not accept the premise of assholes.

I hope we can get the EU to fund a truly open Android Fork. Maybe under some organisation similar to NL Labs.

--- edit ---

Furthermore, the need for a trustworthy binary to be auditable to a certain hash or something would make banning this a simple task if Google would want to go that route.

closeparen

The same EU that's doing Chat Control?

rf15

The same EU of which parts are trying to make chat control work and are once again abandoning it. Politicians get this particular fancy idea every other year in all kinds of countries, not just the EU. Overreach out of desperation for a problem that cannot simply be solved is wrong but understandable.

thaumasiotes

> I hope we can get the EU to fund a truly open Android Fork.

How are things in the EU on whether it's legal to buy a SIM card without showing ID?

asimops

A secure OS is a prerequisite for secure digital services. We can agree on that, right?

The task, therefore, is to convince enough politicians to establish an independent unit that can address this issue without direct political influence.

Fund the unit with enough money so that it can take care of the cybersecurity and sovereignty of all citizens.

A side effect of this would hopefully be that these politicians would then be digitally literate enough to recognize nonsense such as chat control as such and reject it outright. I hope that most politicians would not really want such omnipotent surveillance tools if they could truly grasp their scope.

remix2000

It is neither illegal nor hard to obtain such a prepaid SIM card.

kube-system

That very much depends on the country, many require ID.

sigio

In many EU countries you can walk into many a supermarket or phone store and just buy a SIM card with cash without questions asked.

WhyNotHugo

> How are things in the EU on whether it's legal to buy a SIM card without showing ID?

It varies per country. In some you can just buy one (or more) SIM cards at a supermarket without any ID.

jraph

I'm confused, how are those two things related?

semolino

The commenter you replied to was implying that the EU does not respect the privacy/freedom of mobile device users.

peterhadlaw

Nanny state

singpolyma3

What's wrong with lineage?

hilbert42

You have to get some of the big names to unlock the bootloader first. The trend towards locking it off permanently is alarming.

Edit: Google could ultimately use that as a lever in licensing deals with manufacturers. It'd marginalize everything.

ianbutler

I think this means we need to rely on web technologies more. PWAs are looking pretty good on mobile devices these days and you can publish any web app you want with no reviewing authority. The web has a bunch of crazy APIs now that let you build crazy things and for everything else you're a hosted server away somewhere that can run more complex jobs.

I believe devices I own should let me do whatever I want with them and I agree that the verification is BS, but I'll work around it in the ways I can which means building more for the web.

If that ever drops the open pretense (since both traffic and trust authority are largely centralized and thus easily controllable) then I'll only write for self hosted linux boxes.

We as individuals can only do so much. We'd need actual organization and some measure of political power to do anything more since normal people do not care about this.

rs186

Bad news for you, Google happens to have a tight grip on the entire web ecosystem -- browser, search, ads etc.

nine_k

You need native apps to access specific hardware, and to run some native code. WASM may help but it's limited, too.

Wowfunhappy

I thought Brent Simmons did a great job laying out why PWAs don't work: https://inessential.com/2025/10/04/why-netnewswire-is-not-we...

The tl;dr is that a PWA implies an app which is based in the cloud. So suddenly you need a server, and you need to store user data, which means costs and dealing with privacy and security.

teraflop

That explanation doesn't really make sense to me.

If something could be built as a native app without depending on a central server, it could also be built as a PWA without a central server. You don't need to store user data centrally at all, just because it's a webapp. You can just have the clients use localStorage or IndexedDB or whatever.

You still have to host the static files for the webapp itself, but that can be made very cheap.

Of course, API feature parity between native and web apps is a separate issue. But the argument about server costs doesn't seem like a good one.

Wowfunhappy

Isn't localStorage limited to 5 MB of data?

Telaneo

While neat, it glosses over the actual problem, while maybe not even solving it (depending on what you deem the problem to be in the first place). It solved the immediate problem today, but not in a way that's going to remain solved.

I'd imagine Google would plug any major holes in their soon to be closed garden, assuming that is their intention. So this and any other fix to the problem of 'install app through not-Google Play' that goes via technical means that Google can just cover up after a month or two doesn't actually move the needle any meaningful amount.

In the same vein, using adb isn't a real solution to that same problem for most people, since having to use adb is a massive jump in required effort that's going to leave all the normies behind, with only the super-dedicated willing to go through the hassle, and an equivalent amount of developer effort is going to be left behind as well, since their audience just got decimated, and they themselves might not even bother to develop something that even their dad or sister is going to bother/be able to install. Anything that's much more complicated than 'go to website, download thing, run thing, click your way through' doesn't solve for this.

The actual problem is to have Google not be knobheads about it, and the only way that's realistically going to happen is through the law, but that's not looking all that likely in my view.

andrewcchen

So like LiveContainer[1], which works around iOS's signing requirements.

[1] https://github.com/LiveContainer/LiveContainer

IgorPartola

Whoa that is neat! How does that not get shut down by Apple?

Wowfunhappy

They don't allow it in the app store, so you have a chicken-and-egg problem...

fsmv

Just use adb. You can do adb wifi on device. You don't have to distribute a signed apk; just sign it fresh on device.

Retr0id

This is the way. You can also do adb-over-webusb with a second device.

gruez

Sounds like the UEFI shim loader that's signed by Microsoft but can load an arbitrary EFI executable (with some signing checks). The difference is that the UEFI shim loader is endorsed/condoned by Microsoft. What about Google? This seems easily patchable, ostensibly for "security purposes" (e.g. disabling loading dynamic code).

p_l

Microsoft also forces manufacturers to provide an option to reset the Platform Key, aka the SecureBoot "root of trust" key - which is supposed to be not possible in a spec-compliant UEFI system.

They don't do it out of the goodness of their hearts, which is why it's more solid than relying on goodwill - Microsoft simply has an offering that depends on that for certain high-profile clients.

XorNot

I suspect it's also a defense against antitrust lawsuits - lock-in was how they got sued for things circa Internet Explorer.

Frankly they should still be getting sued for the way Edge and Cortana are bundled.

leptons

Then Apple should get sued for bundling Safari, and also for forcing all browser engines on iOS to use Safari - which is way worse than anything Microsoft ever did with IE.

antiloper

This will not work because the goal of android developer verification is to prevent running Google-sanctioned code. If you actually tried to publish this, Google will revoke the signature on the loader APK.

NewJazz

Ah yes sanctioned. A word that has two opposite meanings.

layer8

Contronyms are awesome, yet people are nonplussed.

p1mrx

I suggested this a couple months ago: https://news.ycombinator.com/item?id=45084296

Android may ultimately win the arms race, but if they want to be evil, we should make their task as tedious as possible.

neuroelectron

Google doesn't need to make an argument to ban apps or developers.

Gander5739

Doesn't https://github.com/Katana-Official/SPatch-Update already handle this, and also support Xposed on top?

t_mann

> verified loader apk, which in turn dynamically loads any apk the user wants

Wasn't this kind of solution considered and sort of dismissed (because of too much centralization iirc) by F-Droid (can't find the reference now)? It seems like something that's worth trying, but in the end it's just a band-aid. If it gets any traction Google will shut it down. The real disease is dependence on a duopoly of (quasi)-proprietary OS for the dominant computing platform of our time.

kevincox

I see a handful of problems.

1. The loader will just get banned.

2. The application ID and permissions are that of the loader. To have different applications with separate data and permissions you would need multiple copies of the loader.

3. You miss out on other android security features such as application signing validation for updates.

zb3

Well, I'd rather verify myself with the government identity than accept a stock OS that literally woke me up with a fake message promoting Gemini despite me spending almost 2 hours turning every possible privacy-invasive setting off.

To me, the attention to these verification changes seems misplaced. We need to defend the ability to unlock the bootloader, pressure Google to revive AOSP and then encourage people to switch to a more user-friendly OS.

You're already unable to install what you want on a stock OS due to the Android permission model treating you as a third-class citizen, after Google and OEMs.

asimops

In my opinion, the only solution while keeping Google and Apple as the developing entities is regulation.

Despite that, there are some things that should not be for profit in my opinion. A good OS platform is one such thing.

cageface

I agree but I also think any meaningful regulation is off the table for the next few years in the USA at least.

userbinator

Or you could just tell everyone out there that there are already tons of older Android devices which will never get any of these hostile updates, and if you're a developer, make sure your app runs on those older versions. Spread the word about how hostile the newer devices are, and let the lazy masses do what they're best at doing. Of course there will always be rabid bootlickers who will gladly pay to put Google's noose around their necks, but if they become the minority, and the majority just stops upgrading, it could very effectively pull control of Android away from Google. Giving everyone yet another reason to not upgrade, especially given the huge Android marketshare in poorer countries, could become a powerful force.

blueg3

If this is an acceptable solution, just run a modern uncertified Android instead.

Aeglaecia

I thought Google was going to push this as an update to Play services, thus affecting all models.

Random09

Good luck with an unsecure phone. This is clearly a bad idea.