Rogue devs of sideloaded Android apps beg for freedom from Google’s verification regime Soon, developers who just want to make Android apps for sideloading will have to register with Google. Thirty-seven technology companies, nonprofits, and civil society groups think that the Chocolate Factory should keep its nose out of third-party app stores and have asked its leadership to reconsider. The signatories, …
Sadly, this train isn't stopping until everyone is identified in everything they say or do.
Whether it's age gating the web, or forcing FOSS devs to have a DUNS number to get a code signing cert, the masters won't be satisfied until they know who you are, your life history, and everything you say or do.
This is a potential PITA. I'm using a popular Android app that can talk to various blood glucose monitoring devices and get data from them. That's all great and legit and the developers might not be too upset about one of them having to sign/certify builds.
However, some of the medical devices (one very popular manufacturer) only output encrypted data and so it's necessary to have an additional package running that decrypts the data before it gets to the main app.
Is anybody going to be willing to sign/certify that additional package? I'm worried that the odds are fairly low since there's a possible risk with DMCA. If nobody will sign it then a huge number of people will no longer be able to use the app and will end up having to use the manufacturer's own cr*ppy app :(
This is my major worry too. I use xDrip+, Android APS, and the BYOD version of the Dexcom G6 app, all working together just to keep my from not dying. But if Google implement this stupid idea, what do I do?
I'd have to change my pump system to be able to use a manufacturer approved closed loop app, with less flexibility to manage my diabetes in the way I want to and need to.
With AAPS, as I have to build the app myself, do I need to register as a developer just to be able to compile the prewritten code and package it up as an APK to install only on my own phone? Or do the team of volunteers that maintain the code on GitHub need to do that?
Really code use some clarity from Google on this, and how this is going to work in the future. I'm really not looking forward to changing pretty much everything about my diabetes management so that Google can lock down what was supposed to be an open platform.
Wow, dude, that is intense. But yeah all kinds of people have been using Android to deliver apps in what was a very appealing and reliable way. Not being able to use blood sugar monitoring apps could kill people.
My business almost died when AutoSMS was taken out of the G Play store. It enabled auto-replies to SMS and missed calls. I still have no replacement. My old Samsung Galaxy S8 just left the network with the shutdown of 3G cellular connectivity in New Zealand, so even if I wanted to use that very old phone for auto-replies, I now can not. Google pushes some bullshit "RCS Messaging" functionality that I do not want or use, and recently disabled due to my friend who has no data never gets my internet-sent messages until we realised the cause.
This can all be solved with a series of warning modal dialog boxes reminding peeps not to install apps from unverified devs and to be careful about malware. And then to continue and install and work properly.
I once thought that android could be a cool and useful version of Linux to target apps to. Clearly that is wrong. Linux and KDE Plasma is the way forward. Wayland compositor be your new kiosk pane me thinks. Google means well, but seems to have it's head stuck up it's arse. The road to hell is paved with good intentions. My Pixel 7 Pro should be the best phone ive ever used but I found it to be surprisingly horrific and disappointing. Remote control via VNC - cut... ES File Manager - gone burger. MemoryMap disk usage tool - axed. WheresMyDroid ability to trigger location from any other phone via sms password - destroyed. Luckily they replaced with nifty "GPS Flare" that sends phone location to my email before battery dies - works well enough. Firing up an ssh tunnel via my phone? I don';t think so. IP Camera app - one of the best written apps I've ever seen or used.... doesn't work!! Try to turn phone off by holding the power button? No, it launches some stupid AI chat so I can abuse it and swear about how I wish to turn my phone off. Holding power button does not even trigger a soft / hard reset and when my screen got broken i could not silence thephone so I stuck it in a drawer to wait for the battery to die. It still sits like that, while I use a Samsung A06 instead - at least VNC server works, but is so slow.
Well, for a *start* we've found somebody who doesn't code for a hobby and just wants to run their own apps without handing their ID over...
Definitely not somebody who believes that youngsters should be free to learn how to code for the devices they carry around all day long. No verifiable identity (driver's licence at 13?), no learning for you.
It’s up to me to buy a “certified Android device”, it is also up to me whether I install app’s from any specific App Store.
I suspect what Google are actually saying: Android with Google Play Services will no longer support side loading. However, to avoid saying this they will allow Google verified vendors to install their apps from places other than the Play store.
For this to work, I suggest Google will require developers to use a Google issued certificate for code signing etc…
Reasonable?
How many regular, everyday android users, do you feel are not using the Play Store outside of China where it's not allowed?
Most don't use third party stores, fewer still will be looking for apps outside what's also available on the Play Store and therefore already signed up.
The amount of people this "security" feature is protecting is infinitesimally small and, in all likelihood, using these alternative stores for good reason and because they're technically savvy enough to know the risks.
Given the premise falls short of reality, there's clearly another reason that Google are doing this, one they don't want to admit publicly, and that should be a very big red flag.
1) Expense: Why should a developer have to pay Google when Google will be providing no actual services to the developer? These are apps distributed and managed outside the Play store.
2) Vulnerability: Some two piece chicken mcnobody launches a spurious claim against the developer about one of their apps. The developer license is suspended for investigation, if not permanently. This kills every other app by the developer immediately.
2b) This affects legitimate developers who might have been breached to publish something under their license, or push a bad update.
3) Pointless: Google claims it will stop proliferation of bad apps. Outside of the play store, not only is it the business of the app store operator to manage their offerings, but often one must actively and deliberately seek said apps. If they do so unwittingly, they are otherwise so susceptible to "go here and install this" schemes that trying to secure them is futility defined, they will always find a way to stick the fork into an electrical socket.
3b) Bad actors will probably pony up $25 without hesitating because they stand to greatly profit. So the socket remains available for being forked, and can be accidentally forked by people who think being Google Verified is an automatic sign of trustworthiness.
> 3) Pointless: Google claims it will stop proliferation of bad apps.
Only outside of the Play store, from the various reports about bad apps, it seems there are far too many already in the Play store that Google is happy to do zero about.
> 3b) Bad actors will probably pony up $25 without hesitating because they stand to greatly profit.
Given the number of bad apps already in the Play store, I suspect the bad actors are already profit focused and prepared to jump through hoops, because this action just reinforces the idea the Play store only contains good apps, so download and grant all the permissions requested because Google have done the due diligence…
Let's say I want to sell you a washing machine and you want to buy it off me and we've agreed a reasonable price we're both happy with. My old machine, your house. Simple, no?
Except now Google say that we need their permission because their contractors built your house. Oh and I also have to pay them.
Where is the part that's reasonable?
Equating software with physical things makes no sense as there is only one old washing machine, while infinite copies can be made of existing software.
There is no need for an analogy provided you make sure to avoid repeating corporate propaganda.
Lets say you want to exercise freedom 0, by installing (yes install, "sideloading" is corporate propaganda) software onto what should be your device from the file manager.
Except google's installer says no, because security™ and you can't do anything about it, as it's google's device.
How is any part of that reasonable?
How an .apk even needs a signature to install, with no bypass available is unreasonable in of itself, let alone a signature that is only granted with dox and payment.
It made sense to 12 people so far. Everybody understands washing machines and houses. Nobody cares about "freedom 0" or knows what "sideloading" is and if "device" was common parlance nobody would need to have this discussion. Everybody can be expected to understand what "installing" means in the context of white goods. Software not so much.
Comparing a device that's actually owned by yourself but practically owned by Google to a house that's lived in by you but built by someone who still claims rights over it is something we can all understand. The idea that Apple and Google still own people's devices is an alien concept to most people because most people don't understand computing devices and software but they do understand physical lumps of stuff they can hold in their hand.
An analogy is like using something people do understand to help explain something they don't so yes, there is a need for one. No wait that's exactly what an analogy is.
And the fact that software can be infinitely duplicated is irrelevant in this case, analogy or no. Stop trying to interject GNU into everything. It's like a vegan complaining in a steak bar.
Anyone who has ever used a computer and has ever installed something, knows what installing is.
Although, people don't have a clue what sideloading is meant to be.
It's best to describe things how such are, without using an analogy, as the significant differences between different things means a high chance of confusion.
It's really not that hard to tell people that apple and google dictate what you are allowed to install and use built-in malicious features to spy on you, which means clearly the device is not yours - which is not at al confusing.
I didn't even mention GNU?
It's more like a vegan complaining about the existence of a cannibalism bar.
I would trust Cory Doctorow's views on sharing in tech in 2026 about as much as I would trust a dead toaster in 2018. Even in 2008, when Little Brother was 'published', it was an outdated and bizarre take on trust relationships in tech, more suited to the 1980s than a world after 'The Matrix' and the general adoption of technology by the wider populace.
Especially 'larping'.
The developers are considered rogue because they refuse to totally obey google unquestionably (any action that does not serve corporate interests is considered a rogue action).
All I can say is that if you aren't successfully gaslit into ignoring your nose, you'll realize it's not chocolate that is coming out of that factory.
"We genuinely hope that Google will listen to the overwhelming community opposition against their threatened lockdown of the Android platform and take this opportunity to reverse course and start rebuilding their reputation as a faithful steward of Android."
Google... a faithful steward of Android?
Surely an oxymoron?!!!
I'm sure the EU will be investigating this in the not too distant future....
The EU aleady fined google for forcing device manufacturers to sell only device with google software (or none with it at all)
But if you do not have google crap software some/many government applications WILL NOT WORK because the "device integrity" is verified by the google software.
As a matter of fact, if your government mandate the use of some apps for certain services its delegating google to decide if you can or cannot access them.
Form this standpoint Hong Kong government is better since (last time I checked) you can download their apps from Google Play store, Apple App Store, Huawei store and government websites (.apk file)
So, in the EU we have a case of "left hand doesn't know what the right one is doing": if they put some limit to google's plans they have to force member states not to exclude user with 'clean' androids.
who think that everyone that owns a smart phone is simultaneously an idiot who doesn't know what they're doing AND technically savvy enough to be able to identify when an app is either fake, a scam, does what it says on the tin but also scans and scrapes your screen & keyboard.
The worst thing is that some of these guys screaming for the anyone and everyone aspect of app stores are the same idiots who will happily load up any and every extension into visual studio code because the name is vaguely similar or uses their personal machine for work & refuse to run anti virus on it because "it slows my machine down"
Make your product so invasive and unpleasant that you drive people away to custom ROMs where no Google influence is essential?
The irony is that people who have the knowledge to sideload (as already mentioned, "install") apps are likely to have the tech knowledge to avoid problems.
This is just Google overreach, all too common in today's corporate world. "Don't be evil" is long since dead.
This is par for the course in the current "civilized" world. Bad guys do bad things and don't follow rules. Good guys don't really do bad things but maybe things happen but they still follow the rules. Authority implements more restrictive rules. Good guys get (un)intentionally punished. Bad guys don't follow rules and figure out new ways to break new rules. Good guys continue to suffer. Authority doesn't fix problem but uses new found control to make life harder for good guys. Nobody wins but bad guys and authority. It starts looking like bad guys and authority are both just bad guys.
Pick your cause/problem.
I suspect quite a few FOSS devs will just give up on making stuff for others rather than be identified.
People who have deliberately chosen not to go by their government name for their online work aren't exactly going to be the most persuadable.
And why should Google care? Their cut of a free, open source app is zero.
