• Quetzalcutlass@lemmy.world
      130 upvotes · 18 hours ago

      After massive pushback. Their original plan was basically full control. It still is, but they’ll allow you to install something if you ask nicely first.

      The other issue is the timing. They can claim this is for security all they want, but it was announced suspiciously close to the courts ruling that Google needed to open up their ecosystem to other app stores. This is a blatant attempt to keep control of the app ecosystem by forcing devs to go through Google regardless of where they intend to release.

      • pfried@reddthat.com
        2 upvotes · 9 hours ago

        > They can claim this is for security all they want, but it was announced suspiciously close to the courts ruling that Google needed to open up their ecosystem to other app stores.

        The courts ruled that users need to be able to install competing app stores without any warning, which is different from how it works today. Obviously allowing installation without any warning would be a boon to malware authors, so they added a way for third-party app developers (including app store app developers) to verify themselves and distribute apps outside the Play Store without a warning on installation. Now Epic can verify with Google and distribute its app on its own website without needing to tell the user how to dismiss a scary warning, and the same is true for Safeway and Proton and other developers that might want to self-distribute. On top of that, now GrapheneOS can implement its own verification system using the same OS-level APIs. Maybe app authors can distribute apps themselves for users of GrapheneOS by registering their repo with a verification system that runs an automated security audit on the repo and ensures reproducible builds.

        Now that there is a way to distribute apps safely outside the system app store, that probably prompted them to look at what was causing malware problems with the current unverified app installation flow, and they came up with that system. Saying it’s some massive conspiracy won’t force them to change their minds, especially since there aren’t enough users who care to make a dent in their revenue. Proposing a less onerous way to stop malware and bringing that in front of a judge on behalf of the app developers who are harmed will.

      • pfried@reddthat.com
        8 upvotes, 2 downvotes · 14 hours ago

        > Their original plan was basically full control

        I’m not happy with the change, but let’s at least get the facts straight, so we can argue our position better. Their original plan included a way to install apps from unknown sources, but it did not describe how that would work.

        • unwarlikeExtortion@lemmy.ml
          1 upvote · 3 hours ago

          Of course it did.

          For two reasons.

          First - if anyone complains they can always say there exists a bypass, no matter how idiotically unworkable and annoying the process might be.

          Another aspect is that devs will probably want to test their apps easily and quickly - App stores are notorious for updates taking a few days to be approved. Even for Google, full-on lockdown might seem overkill. They don’t want to bother with speeding up their update approval process so devs can push test builds through the Ecosystem. Giving some route towards sideloading is a much saner solution.

      • ColeSloth@discuss.tchncs.de
        13 upvotes, 4 downvotes · 16 hours ago

        I still say fuck them and push back and that total control is their end goal.

        However, I agree with what they’re putting in place at this time. It’s a one-time 24-hour hold before you can install APKs from unknown places.

        Unfortunately, a lot of people are pieces of shit, and I know for pretty much a fact that making this move will prevent old people from getting scammed. Especially for more targeted attacks where you can use AI to fake one of their relatives’ voices. It pumps a brake on scammers getting people to grant access while under a panic.

        So if you’re tech savvy, you’ll just have to wait an extra 24 hours before you can start sideloading after a phone reset or new phone purchase. Not a big deal if it keeps my pops from having his bank account drained. The guy got in a panic when his Facebook billiards game lost his score data. The guy would have left his phone with someone for a week if they told him they could have gotten it back.

        • Vocalize8711@lemmy.world
          2 upvotes · 4 hours ago

          Security should not control us, we should control security. In other words, this is not the right solution.

          • ColeSloth@discuss.tchncs.de
            1 upvote, 1 downvote · 4 hours ago

            There’s a middle ground between complete disregard and complete lockdown. If you’ve got a better solution to scammers that isn’t going to drain your battery, invade your privacy, or hog up resources, I’m all ears. Grow up a little and maybe stop being so “me” centric.

          • ColeSloth@discuss.tchncs.de
            1 upvote, 2 downvotes · 4 hours ago

            Lol at what you call “proof”. Also, no one said you had to leave it enabled. Also, also, dev options is a security risk BECAUSE it allows for side loading. Hahaha

          • pfried@reddthat.com
            2 upvotes, 1 downvote · 14 hours ago

            The only way it reduces security is by increasing the attack surface. There is no “now anybody can get root on your phone” vulnerability for enabling developer options, and if there were, Google would patch it. I always enable developer options as soon as I get a new device.

            Because of this, the audit described in the “Other” link is deprecated.

            • XLE@piefed.social
              3 upvotes, 1 downvote · 14 hours ago

              > I always enable developer options as soon as I get a new device.

              That’s great for you, but you and I are not the targets that Google is supposedly trying to protect from supposed scams.

    • XLE@piefed.social
      54 upvotes, 2 downvotes · 18 hours ago

      Google is “only” locking you out of using your phone for 24 hours…

      For extra security, let’s make it a week. Let’s make it a month. Let’s make it a year.

      • ColeSloth@discuss.tchncs.de
        1 upvote, 1 downvote · 4 hours ago

        It’s a holding period so a phone scammer can’t be on the phone with you or over a live chat having you enable and install what they want right away. You’re kind of an idiot if you can’t see that it would work. Cry me a river if you have to wait a day before installing some of your shit.

        • XLE@piefed.social
          1 upvote · 30 minutes ago

          > Cry me a river if you have to wait a day before installing some of your shit

          wtf

        • unwarlikeExtortion@lemmy.ml
          3 upvotes · 3 hours ago

          Of course it wouldn’t work.

          Do you think putting a 24 h lock on your grandma’s front door will prevent scammers from coming in?

          No. No it won’t. Any good scammer will be organized enough to start the scam and release the lock, then return after the timeout to finish the job.

          Do you think people vulnerable to scams will magically notice the scam in 24 hours?

          Also, do you think most scams use sideloaded apps? Amazon gift cards are an easier vector. There’s also premium SMS.

          Modern scams have nothing to do with security. They prey on people who fall for them. No security measure, save for a trusted friend telling them it’s a scam will work.

          What this is is a thinly-veiled attempt to lock users out of using their own devices and to strengthen a slowly-crumbling ecosystem.

    • rolling@piefed.ca
      25 upvotes · 17 hours ago

      Ok? It’s still my phone, my hardware, and now I have to wait 24 hours before I can install whatever I want on the phone that I goddamn paid for with my own goddamn money.

      Also, let’s not pretend as if they’re not eventually going to go back to their original plan once the initial backlash dies down and people get used to the new norm.

    • Voxel@feddit.uk
      14 upvotes, 1 downvote · 17 hours ago

      For everyone unaware, enabling developer options already makes your OS less secure, so Google is requiring you to make yourself more vulnerable just to have the right to install any software, not just those allowed by Google. This has been, among others, confirmed by GrapheneOS themselves:

      Other: https://floss.social/@IzzyOnDroid/116261079131226664

    • DupaCycki@lemmy.world
      10 upvotes · 17 hours ago

      This is supposed to be a simplified message for tech illiterate people. While it may not be fully accurate, the alternative is something that <= 5% of the population will understand.

      Additionally, as others have pointed out, this is how the change was originally planned. It was only adjusted due to massive backlash. Apparently the current backlash is not enough for Google to adjust it further.

    • Zedstrian@sopuli.xyz
      13 upvotes · 18 hours ago

      Doesn’t the new process require the use of Google Play Services?

      Removing it would thus render a device unable to install apps at all.

    • pfried@reddthat.com
      2 upvotes, 1 downvote · 14 hours ago

      And more correctly, harder to install apps the first time but easier than it is now to install apps in the future because that setting will now be copied to new phones instead of having to go through the flow again each time.

      • ParlimentOfDoom@piefed.zip
        17 upvotes · 18 hours ago

        This was their solution to the massive backlash after they announced removing it altogether. We’re still worse off, and we already know their intentions. They’ll revisit the attempt later on. You fell for their ratchet effect. Stop applauding.

        • BigBrownDog@lemmy.world
          2 upvotes, 3 downvotes · 17 hours ago

          Who’s applauding? I’m not rooting for Google, but if you buy a stock Android device with the idea that Google is looking out for you, you’re an idiot. They have shown time and again that they are evil, but if you buy a device and think, “Android is for digital outlaws, like me,” you’re delusional.

          • BygoneNeutrino@lemmy.world
            3 upvotes · 16 hours ago

            I use Android because the phones are dirt cheap. Most of these sorts of phones are sold either at cost or at a loss, so it’s hard to complain.