Google wants to make sideloading Android apps safer by verifying developers’ identities
122 points by lonami
This feels exceedingly pointless, Google Play Protect already gives them all the tools necessary to filter for malware at the device level.
I’ve already had to deactivate my old Google Play Developer account and create a new one over their previous round of doxxing developers, not looking forward to them suddenly deciding to make information public from this endeavor as well.
It’s far from pointless. It’s just that the point isn’t to protect users, but to ensure that everyone uses their app store and gives them a cut.
And they aren’t even trying to do anything to actually proactively counter malware. They’re very explicit that no new checks or scanning of any sort are included; all this gives them is some ability to track malware back to the “source” after the fact. It’s very unclear how this is any actual security improvement, and not just shifting blame/liability.
Not that I think this proposal is reasonable or proportionate, but mitigations are about making exploitation harder / more expensive, and “send cops to the hacker’s door” absolutely raises the cost of exploitation.
The issue is that we already know this does absolutely nothing, because Google already requires identity verification for advertisements, and I still see several malicious ads per day.
I know we’re supposed to use original headlines when posting to Lobsters, but this one feels straight out of Google’s marketing/public relations department. Using “safer” in the headline somewhat undermines Android Authority’s presumed neutral actor status.
I won’t say the current headline definitely shouldn’t be used here. But I will say that it’s got my PR senses tingling, and the article itself is wholly uncritical of Google’s move. It makes me think Android Authority are preserving diplomatic relations with Google in exchange for future scoops.
I think any Android user who sideloads has a lot to worry about here, and I figured Android Authority would be on their side.
The whole article reads like it is copied directly from Google’s press release. Stuff like this just feels ungenuine:
Unfortunately, malicious developers take advantage of this openness and hide behind a curtain of anonymity when distributing malware.
Still, with Google’s own analysis finding 50 times more malware from internet-sideloaded sources than from the Play Store, it’s hard to argue this change won’t do some good.
It’s particularly bad timing, as it’s announced on the same day as yet another report of malware being downloaded from the Play Store. Since ActiveX, we’ve known that ‘having a valid certificate’ and ‘is not malware’ are not the same thing. Certificates allow identity-based policies, but they don’t give any security on their own. Since we know that having a valid certificate and passing the Play Store’s approval process doesn’t prevent malware, the idea that doing the half of this that doesn’t require any inspection of the payload would do so is nonsense.
Should be “safer”. This isn’t safer, this is Google trying to be more like Apple, and attempting to exert more control over users’ devices.
They can’t even remove the huge amounts of malware that exist in Google Play.
Even worse, the malware that vendors shove into their provided Android versions that is impossible to remove.
This feels like it’s likely to break the back of the already anemic open source app ecosystem.
I’d love to be corrected if someone knows otherwise, but my reading of the documentation makes it sound like this will essentially make it impossible to do a local build of an open source app that can be installed at all. There’s no way to install without signing, and the signature is bound to the registered identity of the owner of the app package name. Each developer wanting to be able to build would essentially need to fork the app under a new package name, register themselves as a developer, and register the new name to their own identity to be able to install a local build signed with their own keys on their own device.
My assumption is that adb install will bypass this, just like the dangerous permission restrictions. If you’re building locally, using adb is presumably not an issue.
Things like F-Droid will be hit hard though, since they like making their own builds.
It actually does not bypass those checks. Vendors like Xiaomi already have the ability of locking ADB install behind developer mode and signing up at their portal. It also does not bypass the Play Protect checks (again, depending on vendor configuration).
This kinda makes me ditch mobile phones fully. I bought into the Android ecosystem (and especially Google devices) knowing that I could install my own apps and install custom ROMs. With Google removing device trees on newer Pixels one was already gone (or made a lot more complex for ROM developers), now the other one is gone as well.
Google is turning Android into a user-hostile walled garden. These are deliberate steps to exert more control over what users are allowed to run and who is allowed to ship software. Mobile ecosystems are not a pleasure to do personal computing on and they are becoming even less so over time. More than ever, we need a mobile ecosystem that is functional and fully serves the user of the device, without any projected power by megacorporations.
Yes. At that point I will switch over to Apple because I want my cage to look and feel nice at least.
Very glad all my Android devices run LineageOS.
I wonder, for how many years will that still be possible? I’d expect Google to close off alternative OSs within the decade.
They don’t even need to close off alternative OSes. They just need to encourage large companies to start requesting remote attestation for their apps and websites. It’s not overtly monopolistic that way.
Not just large companies. Czech Ministry of Interior has been salivating over the prospect of mandatory remote attestation for years. I have been personally told by multiple public servants there that they are not even interested in the possibility of people operating their own devices, they are only interested in large vendors such as Huawei. In their viewpoint, users being able to install whatever software they like on their devices enables fraud, because people are stupid and will install whatever application promises them something nice while stealing from their bank accounts and eventually transferring ownership of their homes and thus people must be prevented from running whatever software they wish and any device that makes it possible is to be quarantined.
It’s already worse, at least where I live it’s impossible to have a bank account without a phone with Google Play installed with a Google account. And governments are starting to go the same way.
I’m always skeptical of statements like this. How hard did you try to find a bank that would let you do banking in person?
Will this be the end of F-Droid, Obtainium, and other ways of distributing Android apps without Google involvement (outside of Android forks)?
Very much doubt that alternative YT/YT music clients, ReVanced, and various other kinds of apps not allowed in the Play Store will want the legal risk of Google knowing about them through verification.
If Google wanted to sue them they could already do it even without having their identity, they’d just need to file a John Doe suit and subpoena whatever they know of their identity, like GitHub.
Basically, no additional legal risk, but it adds an avenue for them to try to ban it (which would probably run afoul of the DMA as a major player abusing their platform to protect their own products)
In my country, if you sell a phone that does not have WhatsApp, you are not going to sell more than a handful of phones.
There are many problems, but to me one of the biggest ones is the use of having proprietary locked protocols embedded deep in our lives. The DMA was supposed to make WhatsApp interoperable in Europe, but it’s been a long time and I have not seen anything.
All essential services should be available to open source devices. (At present, I think having a phone requires at least closed firmware blobs, but well.) And having big companies dominate and control everything is bad for consumers.
I don’t fool myself that having Linux phones be viable (because they can access WhatsApp and use stuff via the web) would change things significantly, but it would help.
All essential services should be available to open source devices. (At present, I think having a phone requires at least closed firmware blobs, but well.)
It’s a lot easier to argue “even if I have to do a lot of work myself, it should be possible to use an essential service without having to be at the mercy of a gatekeeper” if you don’t bring the whole “firmware blob” thing into it, because generally the former just requires open specifications and documentation, with a great selection of open source libraries, while the latter stumbles into the world of embedded low-level code, which is fraught with NDAs, complicated licenses, and very little freely licensed code.
Oh, yes, we have to be pragmatic. The hardware situation should also improve, but it’s likely more efficient to focus on other stuff first.
This makes it much harder to publish “pirate” versions of Android apps. There’s a world of APKs which are existing apps modded to work differently. ReVanced is a well known one: YouTube modded to not show ads. Google has been trying to exterminate it for years. Now if you want to run a binary on Android you have to provide ID to Google so anything that skirts the edges of contract law will no longer be feasible.
This move also just gives Google yet more control. Android hasn’t been meaningfully open source in years, but this lockdown feels like an ugly change. EU anti-trust law may have something to say.
I hadn’t realized that, I wouldn’t be surprised if they were doing all of this just to block stuff like ReVanced and NewPipe.
I’m not familiar with ReVanced, but NewPipe is a FOSS app that would not be affected by this for the reasons nelson suggested ReVanced would. I’m sure Google doesn’t like NewPipe and does things to negatively impact its use, but it’s not a modification of a proprietary app.
Are the NewPipe authors willing to identify themselves to Google with legal documents? If so you’re right, they may qualify under the terms of the program. Assuming Google doesn’t decide to just not verify apps they don’t like.
Isn’t that essentially at Google’s discretion, though? The policy may only be officially targeted at things like ReVanced, but even without doing any evaluation of the content, they can just single out NewPipe to be uninstallable.
This makes me want to move over to Pinephone, but it feels like it’s a long way until all the apps I need to function are available.
It’s a very horrible feeling to be locked into ecosystems like this, and especially how my country forces it because all banking and tax errands require verification using an app only available on Android and iOS.
This is upsetting because there aren’t viable alternatives to running your own software on your own mobile devices without asking for permission from these vendors while keeping access to regular everyday software (banking apps, etc.).
We really need a “Linux” moment in the mobile ecosystem (Android didn’t live up to its promise).
It’s crazy how society ticked just fine before all the smart phones. I am happy where I live is very cash-first (at least from small vendors / maw-n-paw shops—the corpos & government are still trying to set up national centralized cryptocurrency). Average Joe can still choose to use/prefer cash where possible to show vendors there is still demand for analog currency in an overly-digital world—with the bonus of not sharing their purchase history simultaneously to the government, the banks, & some tech firm during your day.
…But that isn’t gonna help with say ride-sharing that undercut, ran out taxis, then jacked up prices. The preferred ride-sharing app here doesn’t allow root or custom ROMs either (& some cities sadly don’t even have motorcycle taxis anymore).
Recently, I’ve found I can use Uber in a mobile browser but Lyft won’t even let me manage my account in a desktop browser! Years ago, I remember it was the opposite: I could use Lyft in a browser but Uber insisted on an app. All that to say: I refuse to use services that require proprietary apps and haven’t had the Play Store on my devices for almost three years now.
EDIT: I recognize that’s a privileged position and it’s harder to do in some countries. At least in the US, WhatsApp doesn’t have a stranglehold and I’ve been able to do all my banking in a mobile browser.
WhatsApp provides an APK on their website. You can also get Signal this way and it auto-upgrades. I haven’t run the Play Store for over 10 years now.
WhatsApp is still proprietary (and while the app may be open source, I consider Signal to be a proprietary service).
Even with the OS’s obvious flaws, I am happy I moved my primary device away from Android to Sailfish OS (with Nix’s home-manager) as the hostility towards developers & those wanting the basic freedom to install what they want on the device they own has continued to escalate. If only we hadn’t moved every service to a mobile “app”… but it’s also been increasingly difficult to go without the Android/iOS duopoly as there aren’t folks taking emails or phone calls or having paper forms for the Luddites (respectably) that don’t want these invasions of privacy/freedom. Many of us chose Android in the first place since it was the hacker-friendly, FOSS-friendly option, but it really isn’t anymore. I guarantee that this’ll be yet another thing nannying banking apps will scan for: “Does this user have any side-loaded or hobbyist/student apps installed? If yes, deny access”. It’s basically a lock that I will need to carry 2+ devices—& I have already massively scaled back my phone usage as is as well as moving all comms that I can to privacy/freedom respecting platforms like XMPP. But Thanks Google—really keeping us “safer”.
Yeah, I’m feeling like I will be needing a completely stock low-end Android for things like banking and proprietary 2-factor schemes, but a flip phone for communication.
I’d really like to read a detailed blog post about using Sailfish day to day, if you ever felt like writing one. I’ve just found out Jolla released a new phone of their own and it’s got me curious.
I had picked up a Sony Xperia 10 V (OLED, microSD, and headphone jack) having read they dropped beta ISOs for free/testing. The beta label should have been alpha as we have some pretty obvious issues: headphone jack doesn’t work right when inserted the on-call small speaker plays (sadly, Bluetooth or USB-C dongle do), fingerprint reader doesn’t work, camera doesn’t work, battery indicator doesn’t update after boot (there is an app for that). The filesystem only having 5 GB for the root can be very limiting, & resizing partitions can be pretty darn scary to even experienced tech folk; I needed to create a new partition for /nix so I had to do resizing but hindsight even 1 or 2 more GB on root would have helped. It was also a bummer f2fs-tools wasn’t provided despite kernel support (I like it over ext4 personally). The Wi-Fi & hotspot works but the 5G was really wonky so I just disabled it which is more stable anyhow. I would comment on GPS, but I haven’t really messed with it. Battery usually ends the day at 50%.
For hardware: Sony tends to play fairly well with devs it seems—& the Xperia line is the only OLED + headphone jack device on the market with an unlockable bootloader & ‘not abysmal’ performance (Xperia 1 & 5 are flagships, 10 is mid-range, but Jolla only supports the 10). The bad part is Sony devices are expensive & not very popular.
There are apps, but quality is pretty hit-or-miss with a lot missing—but Whisperfish (after raising the issue of account linkage requiring the camera for QR being not a good design considering device state) is a good Signal client, Tooter is a serviceable Mastodon client, but no even halfway decent XMPP client with OMEMO support (I was using my self-hosted Movim instance as a work around, but browser doesn’t support notifications). The first-party apps are equally of hit-or-miss quality with the email app being the worst offender for quality where I think “pedestrian” must be the target audience (no plaintext view/preference, no monospace font option, no reply all, no clear reply text, no bottom-posting option, no unsubscribe, no PGP integration). Also the browser is still on Firefox 91 ESR which so many websites are starting to drop support for (including Lobsters where upvoting doesn’t work) but the browser port is apparently pretty involved getting Gecko in Qt (over the default of Webkit); you can make modifications to the user.js & userContent.css to get some modifications, but without add-on support, it is rough using the web without uBlock Origin. Mentioning Qt, Sailfish OS is still not ported to Qt6. These bad things said, phone, alarms & CalDAV/CardDAV sync work perfectly. The biggest saving grace was a more recent update landed Android support (F-Droid & Aurora Stores work) where I was able to install Cheogram for XMPP, my cryptocurrency exchange app, a translation app, & a GBC emulator to kill time—where even OS-level “share” works; these made the device go from basically unusable to usable & drain only a little more battery than normal (we’ll see how this new Google policy affects the Android ecosystem tho).
It seems at least the bare minimums are met for developing applications + documentation on their features, but I haven’t yet bothered to try to make anything since I have a hunch there’s going to be issues running the SDK + Qt Creator fork on NixOS. There are 3 store fronts: the official Jolla Store, Storeman (for OpenRepos), & Chum using MS GitHub + Actions to try to package the world—like Nixpkgs, but a lot less packages & maintainers, but occasionally some actual compiler optimizations specific to the SoCs from Sony (unlike Nixpkgs that sets the lowest common denominator). I added Nix via home-manager as I want to carry over configs, & I am more comfortable in Nix—it’s just a shame that installing a Qt app doesn’t “just work” due to scaling & other issues else I could have the universe of packages. It seems the community-preferred way is to use a Patch Manager for settings to make modifications to the OS—which you totally can just do with root access since it’s much more “GNU/Linux” than Android/Linux (I made some custom keyboard layouts).
So the shorter version: it’s a bit of a shit show at least on this “beta” device—but if your needs/expectations aren’t high, it can function as a daily driver that you can reasonably hack on. I hear the non-beta devices have most if not all basic hardware thingies working so, assuming funding continues, there isn’t reason to expect support to not come (especially with Xperia 10 III being supported & IV + V using very similar hardware). If you load up on Android apps, you are probably okay as well so long as your app isn’t looking for the SafetyNet BS. Really the biggest looming issue I see is upgrading that Gecko version (after reading about how the last upgrade went)…
The filesystem only having 5 GB for the root can be very limiting, & resizing partitions can be pretty darn scary to even experienced tech folk; I needed to create a new partition for /nix so I had to do resizing but hindsight even 1 or 2 more GB on root would have helped.
You can solve this issue without touching the partitions by mounting ~/nix over /nix at startup with a nix.mount file. It’s what I did and it works well.
Are you in the US? I’ve read that most/all of the supported phones don’t have the US frequency bands available (and Jolla won’t even ship their device to the US) and as a result get poor or no service.
Would love to try Sailfish, but don’t want to buy a device only to find it’s a brick that won’t talk to the network.
Finally. Now we can have a real conversation about this. Now people can’t claim Android is a refuge from Apple’s censorship. It never was, and now it’s obvious.
Android can be a refuge. Google Android has been getting more and more iOS-like in its restrictions, but there are plenty of folks using Android without any Google involvement. But yes, don’t trust Apple or Google.
There’s no Android totally without any Google involvement, even if you run AOSP with no Google Play Services, because Google decides what will be in AOSP and throws it over the wall. One example of this is that over the course of the last 4 or so versions of Android, it has gotten gradually harder to run applications that legitimately need access to the whole filesystem. Not impossible yet - there’s still a permission for it, that if your app uses it means it can’t be in the Play Store, but if the author doesn’t care about that, you’re fine. For now.
Sure, but what’s stopping a hard fork if it came to that? I am excited for things like postmarketOS, but I think Google-free Android derivatives will be a decent option for a long time yet. I think the most important thing is to stop buying new devices that require the use of increasingly closed software and making the mountains of existing hardware work for our needs instead.
What an odd marketing campaign from Apple.
Uh, Apple has always been doing this wdym
Yes, and for many people sideloading and Android being “somewhat open” was a big factor. I don’t really care about phones, so if they close it down just like Apple, I may as well choose Apple and not be potentially stuck with a phone without security upgrades 1y after buying (fuck you to Motorola here).
I only use a phone for banking, plane tickets, playing pirated music. It’s quite dreadful though. I guess it is time to explore Chinese cellphone ecosystem.
I am a bit surprised you can’t buy a tablet or a very small screen (4in) with middling performance but a SIM slot. You could use third rate hardware and many would buy it. I guess the blocker is new Android versions requiring more performance than it could deliver?
That sort of bottom of the barrel cheap hardware seldom gets android updates… so you likely don’t have to worry about performance, but do have to worry about all the unpatched security issues. Not to mention that many of those low end vendors intentionally ship stuff that’s basically malware right out of the box. And sticking with better hardware that is just out of its support update lifecycle would probably get you the same results wrt this policy change, anyway.
I like using PinePhone (non-Pro) with the snap-on keyboard, but I’d say modern web strains it pretty easily… I want different use out of it anyway, but I suspect this acts as a limiting factor of how low can you go.
The PinePhone community is amazing, in spite of the hardware being quite underpowered. I’ve been hoping for a newer device with the same idea for a long time now (since I got my first PinePhone almost 4 years ago) but so far nothing has appeared. Now they even announced that they will stop shipping new Pro phones once their current stock ends.
There seems to be the Furi Phone. It’s not exactly the newest or highest end hardware, but it is newer than the PinePhone Pro, and they seem to have done a bit of work to integrate the OS (Debian + Phosh). It also seems to optionally run Android apps in a container (probably Waydroid), though of course that won’t help with apps that require attestation.
Another option is to get a used/refurbished phone that is seeing active development with postmarketOS, like the OnePlus 6. I use a OnePlus 6 with LineageOS (no Google) as my main phone, but I have a couple spares I plan to load pmOS onto. It has the added benefit of reducing e-waste and slowing consumerism.
False security, and identities can get hijacked, sold, mistakes happen. Verifying an identity does not make the application safe.