But.....
You have the choice to install any app you want, says Google
(FROM OUR STORE)
Je suis Clippy!
The F-Droid project, which distributes open source apps for Android, will end if Google goes ahead with its plans to enforce developer registration for app installation, according to the project's board member Marc Prud'hommeaux. If it were to be put into effect, the developer registration decree will end the F-Droid project …
That's nothing new. I honestly cannot think of a single Android device that I considered to be a step forward from my very first: an HTC Desire circa 2010. Literally every step or ratchet since that HTC has come across to me as a bad thing or a worse thing.
Ultimately, I use my mobile for calls and texts and the fact that it has a GPS sensor is convenient just as long as that sensor is only ever used based on my initiative to find my location and draw a dot on a map, showing it.
That venerable HTC Desire could do that. Technically, so could any Android device of today but the problem is what they CAN ALSO do, not what they can no longer do. Newer devices are much like newer cars: ruined by software and ruined by software nobody's wanting.
Facebook installed out the box and hard to remove. Automatic updates put all the bloat back. Locked bootloaders. First voice assistants (always listening, sometimes could be "disabled" but never properly or permanently and never actually removed) and now likely AI versions of the same.
My car (VW Golf) is the same: four wheels, engine, steering vaguely-circular-input-device – exactly like my Opel Astra back in 2002. Yet the VW also slams on the brakes upon a whim on the open road for no reason. It beeps like it's going to go nuclear just to flash up a massively bright red icon (too fast to see if your eyes are on the road) at random intervals without rhyme nor reason. It sends telemetry to VW with its built-in mobile SIM.
I learned to drive in Africa and I drive with my eyes on the road because I learned to drive in a place where *anything* could actually happen and being surprised was a slow way to react. Driving the VW is insanely triggering because it literally shreds my attention to notify me of something that's clearly unimportant because although I've been suffering with this behaviour for five years, now, I *still* haven't worked out what it is trying to tell me or why it's doing that. Service mechanic just waves it off as known-bad software.
Now, if you can't even sideload unapproved stuff or make a bad situation a little less bad by sourcing software from F-Droid, Android is even worse. This is just another ratchet, though.
The problem is that there isn't really another option.
"Try LineageOS"
Using non-Google ROM images leads to a game of whack a mole with banks and other secure apps, including things that want to read your passport, that might or might not work with your ROM distribution.
Interaction or communication with your government or bank might become extremely difficult.
I know in some countries you have to use a smartphone, but the application should be also available outside of the playstore if it's mandatory to use it to access certain govt. services.
For example, last time I checked in Hong Kong the govt apps are available on Google Play store, Huawei store and as APK.
I know it's a pain, but you might file a formal complaint if you must use a certain app but you cannot do it without a Google account.
For the banks it's easier, pick a bank that doesn't require an app or do not use their app (you probably shouldn't anyways).
On-line banking I do from my Debian (Linux) machine.
I do too. And experienced that for some of them that seems to be "an issue". I was "told" that I could not "be verified". Eventually I moved elsewhere, but, as always, it took a lot of time and effort, a lot of "compliance" and little "customer service and convenience", while it is uncertain how long things will keep working. I suppose a next step towards "resistance is futile"...
Similar to my problem - one bank in particular does not trust Linux and mandates verification from their app (Android or iOS) before letting you log in through Linux. It's ****ing ignorant, if you ask me.
If they were actually serious about security, they'd allow me to verify with a Yubikey, which works just fine in Linux.
Sigh. I'm well aware of 2FA/MFA. This bank is quite happy to 2FA via SMS code (which isn't secure - it's phishable - but they do it anyway) as long as you're logging in via Windows, Mac, Android or iOS. However, if you're on Linux, that's not enough. You _must_ use push notification in their app - where you're obviously already logged in to the app - which essentially defeats the purpose of logging in again in a browser. It's clear (and they actually say so in their Ts&Cs) that they consider Linux to be a special case.
Sigh (again). Tried that and a bunch of other things - alas, the login dialogue won't display with user-agent switchers (with which I have long experience) or even plain Firefox using strict privacy settings. Works perfectly in Chromium, though.
Perhaps I should have led with me having been a sysadmin and system/network engineer before I retired ... I'm sure I'm not that rusty ...
I wasn't really looking for advice, merely venting my frustration at non-sensical "security theatre".
> I wasn't really looking for advice, merely venting my frustration at non-sensical "security theatre".
Absolute, 100% recognition here. Fun fact though. When I asked, absolutely neutral, polite, and genuinely interested, why "Linux banking" was an issue for them, I too got all kinds of vague "security", "industry grade" answers back. Asking further brought in the "IT Director" (PFY) who started talking louder and waving his mobile at "yet another pensioner". When I asked him whether he was familiar with the governmental initiative on digital independence, I was told that was not his problem, but me not being able to bank was mine. With that I asked him whether he could help me out with a plastic bag. Question mark on face. Why? Because that would enable him to put the cash of my account in it because I was canceling it. Panic...
Now am happily with a bank that has no issues with Linux AND supplies a special Yubi key-kind of devices to log in. Meanwhile "commercial app pushers" are looking with bums clenched towards initiatives, that based on article 3 of the German Constitution argue that people can not be discriminated/ denied services (e.g. banks, public transport), or, as supermarkets and so on tend to do, financial advantage, because they don't have a device/ account or don't want "digital coercion" (https://digitalcourage.de/digitalzwang, German).
Meanwhile the local city centre branch (yes, really, not closed yet) of my bank encourages customers visiting the branch to use the app while they're there. The building has terrible 'phone signal but that's not a problem as they have free WiFi, which requires no password....
"Using non-Google ROM images leads to a game of whack a mole with banks and other secure apps, including things that want to read your passport, that might or might not work with your ROM distribution.
Interaction or communication with your government or bank might become extremely difficult."
Hmmmmm, the world trying to tell you something?
The vast majority of Android devices have "non-Google ROM images", from Samsung, Xiaomi, Fairphone and so on. And yet they all work with banking and government apps. Enough of the FUD, please. I've been using LineageOS/microG for several years and never had a problem.
LineageOS/microG
For <reasons> I've installed Lineage without microG, without play services, without a Google account. I don't use banking apps, but offspring does and that just doesn't work for them. It's beginning to look as if I might have to reinstall that phone with microG, though there's no guarantee the app will work even then.
Hurumph.
M.
I can't. I can't unlock the bootloader because I'd need a key from Huawei and they won't give me one. Why use a Huawei device? Because that's the thing I have and there's no way in hell I'll throw good money after bad buying another phone until this brick no longer functions at all so that's it.
There's absolutely nothing wrong with it. In fact, even the battery still works and the OLED screen is glorious compared to just about any "cheap phone" I could replace it with. But that's the thing, isn't it? The hardware is GREAT but it is not mine. If it were mine, I would be able to run whatever, without needing a key from customer support to unlock the bootloader – the bootloader would never be locked in the first place.
Which brings us back to the article: how are Google going to implement this verification because the only way to do so would involve either a PKS approach where Google must sign *every* APK ever shipped or some kind of verification approach where devs sign their own APKs and Android won't run them until it has first asked Google whether the public key associated with the signature is valid for some verified developer and hasn't been revoked.
This – sure as eggs are eggs – makes Google the gatekeeper for *everything* you might ever want to run on Android hardware and that, in my mind, constitutes EVIL just like a locked bootloader or DRM.
Microsoft would like this power on the desktop if they could have it: that's what TPM 2 really is about. First, they get TPM 2 into every desktop by E.O.L. Windows 10 and get everyone to enable it; next: expect Windows >= 11 to have just this kind of "verification" feature as a hard requirement to run any software: either Microsoft has to sign it or the O.S. must ask for some kind of permission and the TPM 2 uniquely identifies the workstation so that authorisation cannot be transferred or shared. The TPM 2 also encrypts the request to run the software such that it cannot be modified and any response – allowing or denying – from Microsoft is useless on any other box.
Well, there are alternatives, just not as cool or as convenient.
LineageOS or other flavours of Android can be installed without depending on Google.
I use one and it's not a big deal... Of course if your main email account is Gmail it's inconvenient.
Use Proton Mail as your main account and install their mail/calendar application. Use OpenStreetMap instead of Google Maps. Aurora Store (or other 'tools' like APKPure) to get the apps that are only available in Play Store etc.
As for VW, if my memory serves, on Passat at least, the spy module should be located under passenger seat, can be disconnected. I'm fairly sure the other sensors can be 'manipulated' in a way that stops the nagging (check with your insurance if that's ok/ what kind of 'manipulation' is acceptable).
Search for the supported devices first, then buy used.
Once installed, a clean ROM's performance is way better, so a phone that's a few years old is no issue.
That's what I did, bought dirt cheap a "phablet" (ugh, "phone" with big screen to use as a tablet) with a shot battery. Changed it myself for cheap, installed custom ROM. Profit!
Yea...
Started using Android over a decade ago because it was supposedly free and open. Thought I was savvy leaving the walled garden behind. That turned out to be true only with constant significant personal effort and the help of an enthusiast community that Google has done f-all to support past farming talent. All the while "don't be evil" has been chipping away at any real alternatives to anything they think they can profit from in their sphere of control on Android. Allowing the rest to gather the scraps and boiling us frogs slowly so we don't jump as they close off and lock down critical APIs in the name of "security". Ha.
I have been a fool for too long.
My next phone is going to be an iPhone again. If I'm gonna be coaxed into a walled garden, I'll go with the company that isn't seemingly incompetent in that regard and at least tries to respect my privacy and choices.
I absolutely hate Apple's opinionated approach to things, but Google is somehow actually way worse now.
Google doesn't care about you and any other Android users who might switch to Apple based on a similar "if I can't have real freedom with Android what's the point" mindset.
Anything that makes third party app stores or de-googlefied Android phones less viable is a good thing in their book. They'll pull more of those Android using Google refuseniks into their arms than they'll lose to Apple. They would have done it sooner but I think they had hope that things could change allowing them to take back China from the non-Google Android flavors, but they have finally accepted China is a lost cause so they're consolidating everything outside of China.
I wonder if this is an unintentional consequence, or actually the main purpose of this change?
Imagine if a bank said it was closing all its cash machines and card machines because certain people had been writing the PIN on their cards and leaving them around unattended in public.
If a user installs an unknown client and clicks "allow this app full access to my phone, sms, and call logs" then whose fault is it other than themselves?
To be fair to Google, the media carries a lot of the blame. In the first example, the headline would be "Idiot tells the world their PIN, and doesn't know how all their money was withdrawn", in the second it would be "Android phone spends all user's money on premium numbers and texts behind their back".
Of course, if a sideloaded app exploits a bug to do evil things, then that is on Google - the system is meant to provide a sandboxed (sorry, "sandpitted" for us Brits!) environment to installed apps.
Mind you, Google removing the "allow this app internet access" permission, and setting it to always-on is on THEM, and we all know why that restriction was removed.
@Google: No, you don't have any business to tell me what I can and cannot download and start on my device. If I decide to download an APK from whatever source I make that decision, not you.
That said, the examples where you cannot load/run state- or bank-mandated apps on non-certified Android clones like LineageOS are numerous in the EU.
Will be interesting to see how the EU will react to Google enforcing a Gatekeeper position for itself between the EU member states and their citizens.
> That said, the examples where you cannot load/run state- or bank-mandated apps on non-certified Android clones like LineageOS are numerous in the EU.
Make it the bank's problem.
Hiring and training cashiers costs more than having you use their website.
And to make it a double-win scenario, you get to see a real human's face that you can talk to rather than your own reflection with a googlogo superimposed on it.
> Hiring and training cashiers costs more than having you use their website.
They don't. My credit union and all my friend's banks have ONE line. They don't give a shit how long that line is. You'll wait there because you have to.
And I assume you wait quietly in that line? Why not start a LOUD conversation about how the credit union is too cheap to hire decent programmers and is now too cheap to hire cashiers and decent branch managers.
Repeat.
YMMV
AAC
>> the code is available to audit by anyone
But not anyone is competent to do that. And even if they are competent, that doesn't mean they will do it.
This is the mythological "community" in the open source world. I get it - I don't expect everyone to be a programmer. When Bob says "the community checks it", he means he thinks somebody other than him is checking it.
That's true, but on the other hand with the current behaviour on the Play Store is that you send a binary, and this is a mix of Java byte code (which is trivial to check) and compiled libraries (not so trivial to check), and as recent news have shown, Google scanners are not very good at picking up malware (and otherwise crap as it's mostly automated).
The registration change will not change any of this for Google and Android. You will still have random malware on Play Store and you will still have open source apps for which close to no one will see the code (I do check on occasion but on the other hand I don't have many apps installed, OSS or not).
What Google wants to change is that for you to make an open source app (or closed source, doesn't matter) and to share it with someone you will have to register with Google even if you don't plan ever to submit it to the Play Store. Though you can still use adb to install said app.
It's clear to me that these changes have nothing to do with Google wanting to protect Android users from side loading malicious apps, but purely as a way to kill off third party app stores and force all devs to register with Google and host their app on Google Play.
This is definitely something the EU DMA should be looking into if they aren't already.
I'm a hobbyist developer, I write apps for myself and I side load them onto my personal Android devices. They're not available through the Play store, mainly because they're a bit rough around the edges but also because I'm not doing it for anyone else.
As I understand it, I won't be able to do this any more. I won't be able to write my own code and run it on my own devices, because Google says so.
I've already bought myself some web space and I'm going to start moving all of the stuff I've done to date to web apps. I wonder how many other hobbyists will be affected by this. How many of those might in time have made positive contributions to the Android ecosystem but now won't?
It's not entirely clear. It's possible that local installation of unsigned apps over ADB will still be supported, but it's also quite possible that you will have to register with Google. They have stated they intend to waive the rather small fee for this process, but it still means identity verification to Google's satisfaction before you can distribute anything and periodic checks or your permission will be removed.
A lot of apps are written by a single person with a good idea. But now they won't be able to distribute them unless they are a registered developer.
So they have to jump through whatever hoops are put in their way to get this status - invest their time, (and money?) and navigate the bureaucracy to get registered.
Before they know if there is any interest whatever in their new app.
They can't even give it to their friends to try out an early test version to see if it's worth them continuing, and to ask for ideas.
Looks like the only new apps will be from existing big companies.
To be fair, iPhone is even more restrictive and the developers all jump through the hoops. It's an annoyance but not a deal breaker.
I think that Google have realized that generally allowing sideloading apps is making them look bad on the security point of view without having significant advantages on the freedom point of view. They even lost a lawsuit against Fortnite when Apple won the same exact lawsuit, possibly because Apple could claim that their restrictive rules were needed for security and Android couldn't say the same.
I rely on an 'app' provided by my bank. Sensibly, the bank has protections in place against unauthorised access to my accounts. This 'app' wouldn't work on a version of Android stripped of Google paraphernalia. Therefore, Google rules the roost.
What's more, Google is insinuating itself into resources available on devices using other operating systems. Many mainstream WWW sites have adopted 'login via a link to Google'. Taking this route, which can be the only option, leads into the nightmare world of two-factor verification, which can push into overdrive when a VPN is deployed. Into the mix comes Cloudflare with its obsession with Captchas.
If your bank doesn't offer access through a regular web site, change bank and tell them why. Likewise, if a web site doesn't let you log in with Google, wean yourself off that website.
Yeah, it's annoying, which is why we should all support that call (above) for action from the regulators, but we don't yet live in a society where you have to be registered with a (foreign) corporation in order to exist and to judge from the trends it seems that the only way to stop that happening is to kick up a stink about it.
change bank and tell them why
It's touching you think they might care. They really don't.
My UK bank recently channeled customers to make credit card applications via their app. It doesn't work, the applications get stuck in some internal workflow and customer service staff can see only that they're stuck but not why and are powerless to intervene, though a credit card application appears on applicants' credit history. There seems to be no internal process where this can be made visible to management.
If major business processes can fail without anyone in a position of responsibility being aware, I'm afraid the loss of individual customers is not going to be on anyone's radar. It's cheaper to lose customers than address their problems. Cost is all that counts now.
"It's touching you think they might care. They really don't."
Agreed.
My bank recently changed something in their infrastructure used to generate monthly statement PDFs which resulted in those PDFs now being barely viewable on my machines - most of the text appears in a chunky bold very blurred font.
From checking both old and new statements I can see that older (viewable) PDFs used both Type 1 and Truetype fonts (3 of them embedded, the other not) whereas the new PDFs use only Type 3 fonts which are embedded and the names of those fonts are *not set*.
Basically the several PDF viewers on my machine, or the OS itself, do not appear to support Type 3 fonts. However those PDF viewers also cannot make a "sane" decision as to which alternative local font to fallback to as the document's fonts have no name.
Type 3 fonts are rarely used for PDFs in general (I checked a lot of PDF statements from other institutions and found a very small number *partly* using Type 3 fonts) for various reasons, not just compatibility-related, and I've seen some mention of discussions to remove Type 3 font support from the PDF Specifications.
So this bank has decided to *reduce* its PDF documents compatibility in general by switching to Type 3 fonts.
I went down the "waste of time" complaint route, dealt with someone with no technical knowledge who relayed info back and forth with their IT team (i.e. he was designed to be a combined information firewall and information mangler) and as expected they basically don't care.
It kills my "w3m" access completely.
Sometimes, hacking away in the CLI, a quick Google from the command line is much faster than fiddling with a GUI browser.
Though I note that Google itself, which used to pride itself on its simple uncluttered home page, won't work with text browsers any more (so it's https://lite.duckduckgo.com/ I use now):
"Update your browser
Your browser isn't supported any more. To continue your search, upgrade to a recent version. Learn more"
"Google ... won't work with text browsers any more."
FWIW, lynx seems to work fine with Google search. The interface can be a bit confusing at first. But it'll definitely do searches, display results, and display web site text if the website isn't an intractable mess of Javascript.
At least, it worked for me as recently as last week.
I tried lynx just now. Same thing.
It was only 3 or 4 days ago it stopped working for me. Can you try lynx again please, to see if it's just me?
I tried from UK and French Ip addresses, btw.
cheers.
From my French server: "Mettez à jour votre navigateur
Votre navigateur n'est plus pris en charge. Pour poursuivre votre recherche, passez à une version récente. En savoir plus"
:-)
Same here, no longer supported, blah, blah. Both lynx and links.
Text browsers worked for a while, demonstrating Google's hypocrisy – if Search worked in a text browser they could obviously send the same plain HTML to a GUI browser. That's probably why they were killed, not a technical reason.
Been using LineageOS for many years now. Not a simple install and probably a bit too techie for many non-techie people but doable. Didn't install the Google stuff that came with it because the whole point was to be free of Google. I never use my phone for internet browsing or any online account activity. It does have a VPN to connect to a home server. 2FA is OTP for a select few. The problem so many now face is having become 'married' to the Google method, 'divorce' is going to be messy and inconvenient for them.
At the end of the day, it's a phone - it's really good for calls and texts, an offline portable calendar and cooking timer. I apologise if I sound smug - that's not my intention but it would seem the choices I made years ago were good ones.
I've used Android because it's had the app ecosystem I'm used to (through F-Droid, I don't use most default apps). I'll admit I'm not Google's ideal user since I've been using Lineage for a year and rooted, de-googled Android before that, but at least it's been some flavor of Android with the play store present, but without F-Droid there's no reason for me to stay with Android in any form. I've held off on exploring stuff like Plasma Mobile because I'm too lazy, but I guess now it's either go full dumb-phone or spend an afternoon trying a few things.
Honestly I don't know why I've stuck with it this far, it's not like I have anything not available elsewhere on my phone, and for the work stuff that has to be Android I've got an old Pixel kicking around a desk drawer for 2FA and Teams.
This is to brutally kill off AOSP. Google always say they're crippling Android for security, but it's never about security.
Google restricts which APIs apps in Play Store may use. They keep the apps a bit crippled to force more usage of Google services and Google data collection. App stores like F-Droid also check what an app is doing, but only for security and privacy. They have no interest in crippling phones.
A mandatory Google developer license in every app from everywhere gives Google the power to silence any developer using APIs that Google doesn't like. You created an efficient peer-to-peer filesystem that makes Google Cloud look stupid? You might find that suddenly your license is dead and all your apps are dead. For security, of course. Google can make it so nobody even bothers contributing to AOSP anymore.
I'll never again buy another phone with a locked bootloader. Google and Android are dead to me.
I suspect that they can burble along about how it's all about security, but sinking suspicion is that F-Droid remains the one place that end-users can access alternative clients to Google services.
Once that's locked down, they'll be free to tighten the screws, once again. First lock down the customers, then squeeze the businesses on that platform, then all the advertisers, so that all of that delicious, delicious surplus can go straight to Google's coffers.
And the hardware space is, as far as I can see, even worse than it used to be when I was dabbling with AOSP-based distributions, deGoogled or not. For the low-end or mid-tier phone, there's no way in hell you'd be able to get a way to install an OS that only you can control, and more apps these days demand that you don't use rooted or de-Googled devices.
The fact that the US courts basically let Google go with a slap of the wrist signals that Google can pretty much do anything they want, too, so that doesn't help. I guess there's really no way to buy your way out of a shitty environment.
Yes you can inspect it, but pray tell : how many of the Android based (or other platform) phone users can actually read code ? or have the technical skills to deep dive into the program logic to find attack vectors ? 1% ? 0.1% ? 0.01% ?
Having the source means nothing to those people. You can own an entire library of books, but if you only watch tv it does you no good.
Having the source is a false safety argument. It only applies to a very small minority. I don't deny it's good. It's very nice the code is available. But for the overwhelming mass of Android users it means nothing. They can't read it, understand it, let alone fix it.
That is why there needs to be accountability and registration of the developers. The world is 99+% non-developers.
I bought a Fairphone 6 with /e/ OS yesterday evening because of this. I mean, I really want my device to do stuff that I want it to do. That's why I bought it. To make my life easier. I didn't buy it for a company to tell me what I can/must do with it. I mean, let's be real here, if they could, Google would make Android just display a big button reading "give all your worldly and intellectual possessions to Google" and that is all it can do.