91 comments

[ 3.0 ms ] story [ 153 ms ] thread
Alternative app that's not encumbered by the Play Store's rules: https://f-droid.org/en/packages/com.ghostsq.commander/
Its functionality is hindered by Google in that it can not download and install updates in background as Google Play does.

One has to root the phone and loose access to banking and SSO apps to get enough permissions for F-Droid.

EU anti-competition monkeys should have looked at that a long time ago.

Yes, but f-droid et al cannot update in the background. That's a problem.
(comment deleted)
I consider that a good feature. I decline about half the updates. Some of those "simple" family tools have had "updates" that add nagging and attempts to get you to upgrade to a paid premium version.
Being able to selectively turn auto-updates off is a feature. Not having a choice is not a feature.
That's on F-Droid though...
And they try, but Google makes you root your device to install a service level apps to handle that stuff in the background.

Sorry if I'm appearing snarky but that's the whole point of this thread. Google obstructs third-party app stores.

https://f-droid.org/en/packages/org.fdroid.fdroid.privileged...

This used to be true, but as the comment you've responded to (https://news.ycombinator.com/item?id=31424242) explicitly explains, since Android 12 you don't need to root your device and install the service level app. There's a new API specifically to allow apps like F-Droid to update apps they've installed, F-Droid just didn't get around to using it yet: https://gitlab.com/fdroid/fdroidclient/-/issues/2316
On further reading, that new API seems to only allow updating apps which also support that new API. There might be a good technical reason for that, but it's a barrier to entry that Google doesn't have as a first party.
I think the apps don't have to explicitly support that specific API, they just have to target a modern Android version. Google technically doesn't have that restriction, but nevertheless imposes the same restriction on the Play store.

(Not saying it's appropriate to impose the "devs must update apps for each Android version" requirement this way.)

My OnePlus 6 is rooted (with Magisk) and I do banking with it all the time.
I use something called Insular[1] to install some apps in a work profile so they don't have access to my personal contacts and activity.

A nice unexpected benefit has been that Insular does background installations and updates of APKs. When I click "update" in f-droid, I now choose Insular as the handler and it happens in the background. It's much more reliable than however f-droid does it internally.

[1] https://secure-system.gitlab.io/Insular/

Is this something that only happens with some banks? I have GrapheneOS on my Pixel 6 with F-droid, and the banking app of ABN AMRO from the Play store just works.
In my experience the ING NL app also works perfectly fine on rooted devices. You can usually apply a working Magisk Hide plugin relatively easily for apps that don't support it.

I suspect that some banks use a whitelist rather than a blacklist for certain phones.

Some also check for other signals indicating root - for example, if Samsung Knox shows up as enabled in the build properties, but accessing it fails with an exception, the phone was rooted at least once (even if you re-flash an official firmware and re-lock the bootloader, the Knox Secure Enclave stays dead).

Tricking out these detections is a nightmare.

Yeah, Samsung is pretty bad (or good, depending on your point of view) when it comes to this stuff. I would never root a Samsung phone because of this mess.
The problem is you're effectively stuck with either Google or Samsung if you want decent performance, update availability, spare part support and the security of not having Chinese spyware embedded on order of the Chinese dictatorship. And Google is known for delivering absolute lemons as hardware, with next to zero support to make stuff worse.
KBC and Itsme are hard to trick into working with a rooted phone. I tried and dropped the ball at some point.
My Pixel 5a is not rooted, and I have F-Droid running on it, from which I've installed several apps.
Do theses apps automatically update in the background without you having to do anything?
yes, but you have to manually update those apps
Which is a huge pain because you can’t just spam click update or “update all”. You have to one by one wait for them to download and for the android UI to come up and then wait for the install to finish before starting the next one
According to https://www.xda-developers.com/android-12-alternative-app-st..., it could do it, it's just not implemented.

Given that trying to update a package from the notification just yields an error and this issue hasn't been fixed for 5 years (https://gitlab.com/fdroid/fdroidclient/-/issues/669) and the F-Droid repository is known to update so slowly that most devs recommend adding their direct channel, F-Droid doesn't really feel like a usable alternative.

I think unfortunately the best bet here is to wait for some commercial player to step in and make a decent alternative.

You can also download the Total Commander APK from its own site[0] which includes that functionality, as mentioned in the forum post linked by the article this is only for the Play Store version.

[0] https://www.ghisler.ch/board/viewtopic.php?t=76644

Dev should publish TC via Fdroid. I always check for Fdroid versions first. Fdroid are more honest about app perms and policies than Google are.
Total Commander isn't open source. Since it's freely available, Ghisler could set up an Fdroid repository. I for one would pull it from there if that were an option.

Fdroid is very close to being the "brew" or "apt" of the Android world, being able to pull updates from multiple sources.

Ironically, Ghost Commander is also available on the Play Store.
I had to root my phone and install Magisk with the F-Droid module to get F-Droid to auto-update like Google Play does, though. That could be an issue that Android 12 resolves, but I won't be getting that update on this phone.
I'm confused, I thought the ability to install apps outside of Play is supported by the OS. In fact there's a permissions dialog that pops up when an app tries to install another app. This is critical functionality for, say, the FDroid app store, as well as the browser, which is how most people would acquire FDroid. Seems like a bad omen.
> I'm confused, I thought the ability to install apps outside of Play is supported by the OS.

It is.

What this is doing is forbidding apps that can install other apps from being in the Play store. Basically, if Total Commander wanted to give the finger to Google and refuse to remove the function, Google would remove them from the Play store, meaning you'd likely have to either use your browser to find and download the APK or install it over USB with ADB.

Your browser is also an app. A general-purpose file manager is pretty clearly not trying to become an app store.
(comment deleted)
The difference is that the browser can't install the app, AFAIK. You have to open it in a file manager to do that.
You don't, you can trigger the installation directly from mainstream Android browsers. When the download finishes, there's typically a notification that it finished, and that notification allows you to open the downloaded file directly without having to go through a file manager.
But what if Google says your browser isn't allowed? Then you'd have to use ADB.
Basically google doesn't allow app store competitors on their own app store.
Selectively, at least

If you're mozilla or google then it's fine to publish apps that can download apks from a very convenient interface indeed. If you're total commander, well...

Agent Smith: Tell me, Mr. Anderson, what good is a phone call when you are unable to speak?

Here's why software freedom is about much more than licenses and open source. Positive (enabling) freedoms must match with negative (freedoms from tyranny) if they are to mean anything.

Wonder if they'll block Firefox next since that (like many) allows you to download and install an apk just by opening it
That sounds like a one way ticket to anticompetitive lawsuits from the FTC
As much as I'd this to be true, sadly Google does not care. Easy example that I can think of: access google.com from chrome and Firefox (on Android). At least until a few months back, it still had that ancient UI on Firefox. Changing useragent, of course, made it the "modern" version.

Who will, or even can, bell the trillion dollar cat?

Edit- just tried with Firefox Focus, and sure enough, it's the "old" UI. Screenshot - https://i.imgur.com/dfRvBIW.png (With chrome it's the regular/modern one but I was logged in and couldn't screenshot in incognito)

According to the article this seems allowed:

> [...] This restriction does not apply to code that runs in a virtual machine or an interpreter where either provides indirect access to Android APIs (such as JavaScript in a webview or browser).

Also blocking Firefox to install an APK would be anti-competitive, because Google's own Chrome also allows APK installations.

>Google's own Chrome also allows APK installations

For the time being.

They (like most big tech) don't care because they know nothing will ever be done about it
This is intended functionality. How do you think malware can spread if the browser does not install it automatically ?
> As mentioned previously, your app (APK versions 1031, 1032, 1033, 1034, 1035 and 1036) causes users to download or install applications from unknown sources outside of Google Play.

Google Chrome can download APKs from sources outside of Google Play. By that logic Chrome should also be removed from the play store.

Any antitrust lawyers want to chime in? Why isn't this illegal?

He needs to do this:

"Many apps that let you download and open arbitrary files use this installation method, as it’s easier to simply hand off installation to the system Package Installer, which responds to intents to view and install user-acquired APK files. Apps that are sideloaded via browsers, mail clients, and messaging apps usually use this method, hence they’ll be subjected to Android 13’s restrictions."

"Apps can use Android’s new setPackageSource() API to tell the system that the app came from a user-acquired APK via the parameters PACKAGE_SOURCE_LOCAL_FILE or PACKAGE_SOURCE_DOWNLOADED_FILE. This can be used by apps implementing the session-based package installation API to trigger the same behavior when sideloading arbitrary APK files. For example, the Files by Google app uses the session-based API to install apps even though it isn’t an app store. In order to protect users, Files by Google could use the setPackageSource() API to tell the system Package Installer when apps come from user-acquired APKs, thus subjecting those apps to Android 13’s restrictions."

From: https://blog.esper.io/android-13-sideloading-restriction-har...

I'm very glad the PackageManager API is getting more full-featured - I always welcome parity between Play and any other app store in userland.

That said, that is a really obtuse set of steps you need to go through to enable accessibility features for an app. That's the point, of course, but it is so user unfriendly that it's a little ridiculous.

> Any antitrust lawyers want to chime in? Why isn't this illegal?

It's unlikely to meet an antitrust threshold because it's a single example of incompetence rather than policy - the Google Play store developer guidelines and agreements do permit this functionality, it's just that there is no functioning review process when people cock up.

You would probably have to demonstrate that it was a systemic problem before you could make anti-trust stick.

This is not legal advice. I am an idiot on the internet and I could say anything on my qualifications and you would have no idea if it were true.

It's cold strategic calculation masquerading as an honest policy. They are boiling frogs.
Will this have any implications for f-droid?
No. F-droid isn't on the play store as far as I can see. You go to their site, download the APK yourself, and install it manually. It's outside the scope of Google's Play store rules.
> and install it manually.

But how would you do that? Firefox 'opening' an APK is obviously also able to update itself.

(comment deleted)
What happened to - “don’t be evil”?
They have very obviously not given a shit about that since they reorganized their search page to focus on tricking the unwary into clicking on ads by mistake. Which was over a decade ago.
That was sand in people's eyes, never the real intention. Just like young politicians that throw dirt on old politicians only to do the same when elected. In this case the old one being Microsoft and the new one is Google. Can't you read between lines?
haha, it was scrubbed maybe 10 years ago.
Apples trillion dollar market cap happened.
I am curious why Total Commander is the only one that is signaled out? There are thousand apps that are capable of doing this and TC is the only one that Google have an issue with. I feel that there is something more to the story. I read the article and Dev seemingly didn't do anything wrong but yet something fishy going on since Solid Explorer, F-Droid, Firefox, etc does not receive those notice from Google AFAIK.
Yeah if this was "just" a file manager that could potentially download APKs if you paste in a direct URL or connect to a file share then there's no way automated testing would have flagged this. The changelog seems to mention a "backup/restore" feature for APKs which seems different than just triggering an open intent.
Maybe they've deployed some new scanning tools. Looks like google thinks the code is used by TC to update itself.
Might as well get an iPhone at that point. The fragmentation rate is slight enough to provide for excellent jailbreak support.
Definitely not. It can still theoretically be forked if it gets bad enough and the right people get motivated enough. No reason to jump from the frying pan into the fire.
What can be forked? Android isn't blocking anything, Play Store and Total Commander are closed source.
The entire android ecosystem. F-droid is free and works. You're way less free using iOS which you have 0 control over vs. Android which things can be rebuilt on. iOS could disappear tomorrow forever and there's not a single thing you could do about it.
Google simply needs to be broken up.
The logical conclusion of applying this rule evenly is a scenario where you can't install apps except via the Play store, even if third party app installation is technically "allowed" on paper, because you can't actually install an app that will install apps. This is (yet another) stupid decision by Google, and Hanlon's Razor might not apply since they have a vested interest in the Play store being the only place to get Android apps.

"Of course the OS allows you to install third-party apps. We totally respect your freedom! Now, you'll have to install those with a third party installer, which aren't allowed on the Play store. And any app that would allow you to download and install the third party installer also isn't allowed."

A file manager which opens files should be allowed to open APK files.

Yeah, doesn't seem different from browsers in this case. Malware apps known to misuse sideloading usually seem to come from different categories like torches/cameras/social apps. There should be an exception for file managers and browsers.
(comment deleted)
An app on google play can't update itself...except if the app was made by google (YouTube updates itself almost weekly, all server side).

That's why it's called google play, because it's where google plays with all of us.

PWAs are basically websites with a home screen icon. But they can be published in the playstore and update everything but the icon and name.
The web apis haven’t become quite good enough to match native apps yet though. Things like inter page transitions and gestures aren’t as nice.

The telegram web app is the best example I have seen so far and it looks like a real app but the gestures fail to recognise or complete a lot of the time.

From a security standpoint, it seems something like this being vetted on the app store is safer than forcing users to download from a browser.

I wonder if this is specifically about anti-competitiveness, or placating governmental censors, or something else.

From a security standpoint, it would be better if no apps could be installed at all. I've hidden the store on my grandma's device before because she was quite likely to just tap anything, shiny or no.

(Every time I'd visit, she'd have managed to turn the carefully laid out homescreen to "simple mode" and she couldn't find half her apps because they were now either on the second screen or off the homescreen altogether. The only logical way to change this setting is long press on an empty area, look around, and press the button with the "simple" keyword. I suppose her thought process was: simple? That sounds good for me! And then not connecting this action to that her OS now looks completely different and just trying to keep using it as if everything is normal.)

But security doesn't come in absolutes and this should absolutely not be enforced as a general policy for everyone. It feels like limiting where people can drive because some roads are more dangerous than others (some have trees, others have distracting ads, imagine we'd let just anyone go anywhere!), and the road owner can legally decide where you can go because all destinations you could possibly want are are on someone else's road (where someone else is a single entity)

Maybe this is the antitrust law we need for app stores: ban owners of app stores from distributing apps by any means if they wouldn't allow an app with the same functionality but written by an arbitrary third party to be distributed in their own store.
The developer could grey out the option, and (upon triggering) advise the user to install Amazon app store (or F-Droid) and reinstall the app from there for full functionality.

I'm sure that Google would (not) love that, but linking to a curated page of apps with enhanced functionality on alternate stores would be useful in the many ongoing antitrust actions against the Play store.

(comment deleted)
I thought that somehow an Android version of RTS game Supreme Commander allowed you to load APKs as mods. Woups!
The problem is not simply the rules on any particular app store. The problem is app stores. Let users curate their own programs.
Google has become toxic nowadays. Fck you Google! They won't stop here, honestly. You can see them fighting Root-Access with their Hardware Attestation, too. Here we go: it will just be another walled Garden at one Point ... just like Apple.

Android used to be cool, customizable and user-oriented. Nowadays it's just another pile of crap. Too bad they keep on ruining it. I would advise everyone who can live with losing some Apps to move to a Linux Smartphone: this is basically the only way to keep our Freedom with our Phones.

Hopefully this recent Action of Google is helping the Linux on Smartphones Community to reach the tipping point, finally. I cannot stand this bullcrap any longer. Like I said: Fck you Google!

There are two versions of Telegram messenger for Android: GP one and a standalone APK. The latter is able to updating itself and, iirc, more relaxed towards content blocking. As Telegram client is open source, I think it would be easy to port self-updating code into Total Commander and release a non-GP unrestricted version.

Update: it was done, here's the link: https://www.ghisler.ch/board/viewtopic.php?t=76644 Not sure about that self-update part though.

TC is by far the best app for file management in the android ecosystem. I've been using it for years, and it's always the first thing I install in a new phone.

This is bullshit play by Google, I don't care how "automated" their process is.