146 comments

[ 3.2 ms ] story [ 200 ms ] thread
Next year digital markets act will go in full power in EU. Google will have to allow alternative app stores on Google Play.

Right now Google does not allow alternative app stores like F-Droid (FOSS), Steam etc. on Google Play.

The important part is that it will be user-friendly install, instead of preinstalled app or hacky dev-like experience.

Looking forward to a new insidious workaround Google and Apple will use to limit the impact of this legislation.
EU Commission has quite extensive and nimble executive powers with regard to gatekeepers like Google and Apple to prevent that.
A simple workaround is region lock - follow the regulation for EU residents only.
That's fine for me as I'm in EU :) .
AFAIK this workaround did not work in case of GDPR so I doubt it will work in case of stores regulation. Basically figuring out who is or not EU resident is complicated and huge legal minifield.
> Google will have to allow alternative app stores on Google Play.

Play is a store. It's used on Android, which allows other stores, of which there are many.

But you can't install the store itself (e.g. fdroid) from Play Store at the moment
Ah right I see what you mean. That's a whole different can of worms.
It's not that complicated to download APK and install it. Most people don't download is because they don't trust other stores the way they trust Google. And Google could definitely make it much more harder to download F Droid in play store by presenting warnings(some of which are legitimate) or even not allowing it on search.
If Google will keep applying taxes on apps on Google Play then other companies will educate users that it's ok to install alternatives the same way it works on Windows with Steam, GOG Galaxy etc.
I think your “not that complicated” threshold is well past what most users are ok with.
>It's not that complicated to download APK and install it

It's not complicated to reset your windows password either, but there are entire careers dedicated to helping average people do it because not everyone is technically inclined.

I practically don't know anybody (except for tech literate guys) who doesn't install non-Play store apps because of security reasons. Also, average guy doesn't know about APK stuff.

If another app store is allowed, people will definitely download apps from there, though I believe percentage would be quite low.

I said due to trust, not due to security reason. Just like people are used to buying on Amazon even though google will literally show a cheaper place in first ad when you search the product.

Also, I think average guy knows how to install APK in Android. It's literally easier than installing Chrome on Windows, and 80% of windows web share usage is from chrome.

Play is a store. Amazon Appstore is a store.

I believing OP was suggesting Google will need to allow the latter to be available in the former, not just allow the latter to be installed on Android.

No, they don't need to allow alternative stores on their store. They need to allow alternative stores on Android - which already exist (Galaxy Store, Amazon Store, F-Droid, et. al.)

They just need to give them fully equal status than Play Store (I think they promised this for Android 13, not sure what the state is.)

what would "fully equal status" mean? for as long as I can remember, as long as you give the store permission to install apps, it works basically the same?
I can only guess, but automatic updates maybe?
The installation process requires extra user intervention vs. Play store.
The big one was the fact that silently installing apps was a privileged permission only allowed to preloaded system apps (with good reason). This prevented 3rd party stores from background updating apps because you had to manually confirm each update via system dialog.

The API seems to have been added in Android 12 actually [1], but I'm not sure if app stores use it already.

[1]: https://developer.android.com/reference/android/content/pm/P...

fdroid doesn't. They still have horrible UX for installing updates and it fails to install more than half of the time.
F-Droid mentions Aurora Droid as an option for people who are not content with the F-Droid UX.
> The big one was the fact that silently installing apps was a privileged permission only allowed to preloaded system apps (with good reason). This prevented 3rd party stores from background updating apps because you had to manually confirm each update via system dialog.

It's been a long time since I last looked at this, but not even Google Play installed apps silently.

IIRC, what Google Play did was to tell the Google Play servers that you wanted to install the app, and the Google Play servers sent a message through C2DM/GCM to a system service on your phone, which downloaded and installed the app. The same thing happened if you opened the Google Play site on your desktop browser, and told it to install an app on your phone.

Obviously, a third party store cannot tell the Google Play server to send that "install this APK" message to your phone; and even if they could, it would have to be one of the APKs available for download on the Google Play servers.

The "system service" you talk about is still part of Google Play Store package. What I'm talking about is an API on PackageManager level (part of OS/AOSP) and not inside Play Store.

The whole mechanism you describe is unrelated to the issue of installing user apps without confirmation for alternative stores.

From the start google has allowed alternative app stores on android, samsung phones come with the samsung app store installed by default and there are many, for example f-droid you can install yourself.
Now they will be forced to allow them on Google Play directly with user-friendly install.
But not through the existing app store, you have to go through what google termed "side-loading" which was pushed to be seen as "very dangerous thing no one should ever do no matter what"
I owned 2 Samsungs and that wasn’t possible on any of them. Either it wasn’t “from the start”, or it wasn’t on all models, or it involved rooting the phone first, which voids the warranty, at which point I wouldn’t count that as “allowed”.
(comment deleted)
Well I guess I'm finally installing F-Droid.
What were you waiting for?
Interesting bit from a linked article:

"With the launch of Blokada v6 last June, Blokada successfully dodged this bullet as Blokada no longer requires a local VPN. Blokada v6 uses Cloud filtering instead; this method does not break Google policies and also provides certain advantages 850 over local VPN filtering since it won’t impact battery life, device speed, or network speed."

Surely this is only a temporary workaround as Google slowly brings this frog to a boil, right?

No, it’s more about getting those pixies out of your closed garden and into the big open net to be processed.

As long as you’re going towards the cloud I bet they’ll affirm it.

What you are looking for is Blokada 5. Blokada 6 is just an entrypoint for their subscription model
“Google is determined to enforce their policy”

Is this is surprise? I understand why people don’t like this but anyone think they made a new rule and weren’t going to enforce it?

I guess I'm mostly surprised they were allowed to persist for so long, with Google being a major provider of those ads. Fortunately there's F-Droid :)
Is anyone else getting a whole bunch of certificate errors?
(comment deleted)
How do VPN ad blockers work? Like do you need to add a trusted CA to your device and the VPN MITMs all of your traffic? I’m not sure I’d have that level of trust in my VPN provider…
Often, VPN blockers operate by simply rewriting DNS requests. They can also simulate DoH servers being down by blocking traffic to them (for scummy apps that bypass the system DNS) or mess with unencrypted content. DNS being an unencrypted protocol helps them block HTTP(S) connections even with technologies such as ESNI/ECH. Without ECH, simple SNI sniffing may also be a way to block connections that made their way past the DNS filter, though there's no reason for scummy ad libraries to use real domain names for their certificates; there's always a risk of spoofing.

Note that the VPN API is just the API of choice to be allowed to mess with network packets. There's no firewall API or network level driver that can do so in any other capacity. In almost all cases, there is no cloud server. Blokada uses some kind of cloud server, probably as a way to bypass Google's restrictions, but other apps work fine without it.

Some blocking apps work with custom, usually locally-generated, CA certificates to intercept HTTPS traffic. They're very spotty at best and very uncommon in my experience. Since Android 7, apps need to manually opt in to using user certificates from the CA store and most of them don't; in fact, most of them seem to be moving towards certificate pinning, meaning that even system-trusted CA certificates (which you will need root access for to inject them yourself) don't pass the validation step. Such a VPN filter would throw TLS errors across all major applications and services, leaving only the browser and the very few apps that opted into user certificates working. Not a great user experience to say the least.

I’d love to know the intersection of people who want this and can’t trivially get around it with side loading
What about updates? Not so trivial to keep the app up to date without an app store.
It is probably the right time to finally install a PiHole :)
I have pihole in my local network, the router defaults to it as the only DNS server. Amazon FireStick still serves ads, even when I set the DNS on the stick to the pihole.

I think the ads are encrypted end-to-end from amazon-ad server to stick, using likely the same channels as the regular video content

> I think the ads are encrypted end-to-end from amazon-ad server to stick, using likely the same channels as the regular video content

I don't think they even need to encrypt them. IIRC pihole is just a DNS blocker essentially. All they have to do is serve them up from the same domain and you can't separate the wheat from the chaff any longer with this method.

Some devices including ones from Google will go to 8.8.8.8 even if you've got adblocking DNS. You'd need to set a firewall rule to redirect all 53/udp traffic to your pihole.
With DNS-over-HTTPS, that workaround will likely soon be history anyway.
DNS over HTTPS (DoH) is the encrypted unblockable future. One of the reasons I hate security and privacy engineering culture is because it's always used as an excuse to remove user control
DoH does nothing but standardise what shit software was already doing. The lack of user control is the result of malicious behaviour of the applications you run. If those applications choose to bypass your DNS settings, be it to opt into or out out of DoH, they're the bad actors, not the people helping you encrypt (and, with the right setup, anonymize) your DNS requests.
You can achieve the same function on your (android) phone by just enabling "Private DNS" in settings and setting it to "dns.adguard.com". This blocks ads on EVERY network you connect to, even cellular.
Just use F-Droid y'all. I promise it doesn't bite. FOSS software on a much more open distribution platform, which can be extended with more repositories if the base selection isn't enough... what's there not to like?

Use Aurora Store for those few irreplaceable proprietary apps, or apps you previously purchased that are linked to your Play account.

What apps do you recommend one to download from F-Droid?
Not OP, but here are a few of my favorites:

RedReader (for Reddit)

AntennaePod (podcasts)

NewPipe (YouTube)

Wikipedia's official app

Voice (audiobook player)

Book Reader

RSS Reader

Twire (Twitch)

Easy XKCD

Ning (network scanner)

Some of these are available from the Play store as well of course, but not all. For random utilities where I want something lightweight that does a basic task it's the first place I go. Ironically it's some of these fdroid apps that are what keep me on Android. I'd love to be rid of Google, but would really miss AntennaePod and NewPipe.

Not everything here will be for everyone and there's obviously a _lot_ more good stuff there, but here's a list of some good apps to look at:

- OsmAnd - offline version of Google Maps

- FreeOTP+ - FOSS 2FA app

- NewPipe and/or SkyTube - Youtube app alternatives. They break every so often when Google changes something, but when they work, the experience is much better than the stock YouTube app

- Simple Gallery Pro - view/manage photos

- OpenTracks - track running/biking/etc.

- MuPDF viewer - view PDFs

- FairEmail - privacy-first email client

- NetGuard - Application-level firewall (can block outgoing network requests)

- Forkyz - downloads and lets you solve daily crossword puzzles

- Gadgetbridge - app to connect/manage wearables

- Aurora Store - replacement for Google App Store

- Barinsta - Instagram client

- Fennec F-Droid - Firefox for Android

- Silence - Text message app

- VLC

(comment deleted)
F-Droid won't help for very long here. The next thing I see Google doing is remotely uninstalling them from everyone's phones by adding them to Play Protect's list of "malicious" packages, just like they did with Vanced Manager.
If they do that, they have a major controversy on their hands. They have the ability to do so, but they reserve that power for actual malware only.
Not only controversy, but probably lots of lawsuits in the EU once their market freedom bill (or whatever it is) goes into effect.
> they reserve that power for actual malware only.

Was Vanced Manager actual malware?

Vanced Manager wasn't remotely uninstalled as far a I know?
Technically, it didn't remotely uninstall it by itself, but it did pop up a box on everyone's devices that said "Your device is at risk" because it's a "harmful app", with only an Uninstall button and no visible cancel button.
I see, I never got that. Must've turned off Google's antivirus at some point. Not that I trusted the Vanced Manager in the first place; I prefer my weird root customisations to be open source.

I suppose it makes sense in a way; Vanced replaced an existing system package with a modified APK through root access. Google's intent was obviously not to protect the user, but the behaviour of the app was sketchy as hell. Especially for a closed source app.

ReVanced does this differently, that modifies the Youtube APK and changes the package name so it doesn't conflict.

Regardless, the notification could just be dismissed and the AV is entirely optional. The warning ("this app tries to bypass Android's security protections") is entirely justified because that's exactly what the app was doing. Anyone pirating anything knows to disable their AV at their own peril and this is hardly something new, at least this time the app wasn't flagged as a trojan with a fake name like most cracks and key generators are.

Lastly, there are tons of people reporting weird behaviour after installing a modified version of Vanced blaming it on the app itself, so the warning wasn't always disingenuous.

There is no need to implement an ad-blocker as a VPN. It provides a strictly worse experience than implementing one via DNS APIs (as Blokada have done).

The only reason one may wish to implement as a VPN instead is to get a lot of data about users to sell. They otherwise provide less control, use more battery, are less reliable, and have privacy issues.

iOS even provides some good APIs for this that apps can hook into so that they don't need to deal with networking at all. Much faster, and the app receives no data about network usage.

Edit: Misunderstood Blokada's comment, they use DNS to do their filtering now.

yeah nextdns has been working just fine for me.
I'm glad to hear, although even DNS level is somewhat unnecessary.
How else would you block ads?
Apologies, I misread the Blokada comment as implying there was another mechanism – I don't know what they mean by "cloud filtering".

iOS provides APIs to do content filtering at the system level, I assumed they were referring to something similar.

seems like it's harder for sites to detect. For a while I was seeing a lot of "disable your ad blocker" messages, now I just don't, and the ads don't load.
Does content-blocking API works for apps? Or only for browser?
Do you have a link to the content blocking APIs to integrate with arbitrary apps? For example, random game apps which show in app ads. VPN adblockers can block the ads there. How do I use a content blocking api to do this?
Which content-blocking APIs are you talking about? Blockada just started hosting a DNS server. Google just made it so that blocking decisions can't be made locally anymore and all my used domain names are sent to a third-party server. Given deployment of SSL and even cert pinning in almost all apps I know of, I doubt the local VPN API allowed them to gather much more info than hostnames either.

EDIT: I see you're affiliated with Google Play. You should've lead with that.

This is false. Blokada uses the Private DNS feature of the phone to block ads. That feature is only available as of Android 9. Any device running Android 8 or lower doesn't have access to it.

I don't believe there is a "content-blocking api". Correct me if I'm wrong.

Using a VPN could technically allow an ad blocker to block based on the full http path instead of blocking based on domain name.

It should also be noted that you can use the VPNService in android to only set a DNS server to use, without actually sending any traffic through a VPN. Using the VPNService in this way is not going to be allowed with the new Developer Policy update. When used this way, the privacy issues aren't there--though there is the potential misunderstanding of end users who might think they are using a full VPN when in reality they aren't.

> Blokada uses the Private DNS feature of the phone to block ads

Oh, good, I had interpreted "Cloud filtering" as some sort of content blocking API. DNS makes sense.

> It should also be noted that you can use the VPNService in android to only set a DNS server to use, without actually sending any traffic through a VPN. Using the VPNService in this way is not going to be allowed with the new Developer Policy update. When used this way, the privacy issues aren't there--though there is the potential misunderstanding of end users who might think they are using a full VPN when in reality they aren't.

That's good if VPN apps aren't always actually implementing a VPN, and it likely eliminates the battery life issue, but the confusion is a problem as users can't tell the difference between an actual VPN and one that is only doing DNS stuff.

In fact an app could say "don't worry we're only doing DNS" but actually be a VPN. That sounds dangerous to me?

> In fact an app could say "don't worry we're only doing DNS" but actually be a VPN. That sounds dangerous to me?

I could be mistaken here, but I believe it's only dangerous if you're using an insecure connection (ie, http (no https) which is already dangerous). Or if you install a custom CA certificate--then the VPN could perform man in the middle attacks on your connection.

Android apps need to opt in before they load user-installed certificates. Browsers commonly do that, but almost all other apps don't bother. If you, as a smartphone owner, install your own certificate and set up a proxy to watch what your phone is doing, everything breaks and even Google will report that there is no internet connection at all (killing all kinds of apps using Google Play Services in the process). You need root access to remount the system partition or overlay an image on top of it containing your certificate.

This assumes apps don't use cert pinning. Many chat apps, social media, some games, and all kinds of external libraries employ certificate pinning so that even when a malicious CA generates a certificate for their domain, their clients will not send secrets to that server. In this scenario that means that Facebook won't work even if you manage to get Symantec's private CA keys loaded onto your VPN because Facebook trusts specific Facebook certificates and nothing else.

For unencrypted connections the MitM risk is there and SNI sniffing can be used to log tons of sensitive information in all other cases. However, I wouldn't portray it as risky as this solution may sound on the desktop where there is a proper firewall API.

That's also the core issue, there is no firewall API on Android. The VPN system is the only API that can filter packets (though Google's and the manufacturer's apps can choose to bypass it) so most ad blocking VPNs are actually just user mode firewalls that need to appear as a VPN to work. Alternative solutions include changing your DNS server (to localhost or their cloud servers, depending on if DoH/DoT needs to be enforced) which works less reliably and has very similar risks.

The risk is definitely there, but in practice the risk is lower.

Blokada does use the VPN functionality…
I use firefox with ublock. But that works only for browsing.
Android has no system-wide content blocking APIs. Furthermore, Google's policy specifically states that VPNs may not "Manipulate ads that can impact apps monetization", proving that this is not about VPNs, but about ad blocking in general.

My solution is a WireGuard VPN to my home network (which is behind PiHole) but a local solution cannot properly block network requests without the VPN API.

Blokada has switched to doing DNS-based blocking through DNS but that's purely to get around Google's arbitrary restrictions on the VPN API.

Users should be able to use whatever network filters they like. If I don't want to send ICMP packets, or DNS packets for certain servers, or any other kind of specific traffic, I should have control over what my device is doing.

Note that the VPN API does not necessitate actually setting up a VPN to a cloud server. The VPN API exposes packets to an Android app so it can decide whether or not to forward the packet, rewrite it, send it through a tunnel, etc. Normally, there is no cloud service when VPN ad blockers are in use. Blokada has switched to a cloud system but only after Google blocked their normal system.

Until Google releases a comprehensive network filter driver API or firewall API there is simply no alternative. The Blokada local DNS server solves one problem (the need for a VPN) but cannot prevent ad libraries from using DoH to work around content blockers.

VPN blocks it on all apps, but generally speaking I agree it's better to do this in this order, where possible:

In-app (browser, css aware)

In-dns (local resolver)

In-network (pihole or IP firewall)

Ex-Network (vpn/proxy)

Since the first option has very sparse universal support (and shrinking) - you need to rely on the less savoury options to achieve proper adblocking.

You should disclose your affiliations in this case.
Blockada 5's VPN runs entirely on the phone. No problems with battery usage.

Using their DNS with Blockada 6? No thank you.

I'm saving the APK and I will sideload it for as long as it will work. The problem is the maintenance of the blacklist. Anyway, a lot of people are interested in blocking ads, a solution will be found.

Is already there an open source app equivalent to Blockada?

Why do you need a custom VPN client to do this?
Basically a VPN running something like pi-hole for you.
But why do I need an app to connect to it when VPN connectivity is part of Android?
Because that's the only way to do ad blocking for all apps without actually connecting to a remote VPN. Blokada works great for that and Google, an advertising company, does not like that.

Same for DNS66:

>The app establishes a VPN service, with routes for all DNS servers diverted to it. The VPN service then intercepts the packages for the servers and forwards any DNS queries that are not blacklisted.

>Custom upstream DNS can be configured. If the feature is turned off, the current connection's DNS servers are used. The app ships are pre-defined list of well known (mostly German) non-logging servers courtesy of the Chaos Computer Club.

https://github.com/julian-klode/dns66#user-content-how-it-wo...

Because VPN doesn't connect to any servers and runs locally, just filtering the traffic between apps and Internet. "VPN" here is not a real VPN client, but an application that can capture traffic created by apps. As I understand, Android doesn't provide other means to implement a firewall.
(comment deleted)
Because the vpn client and server run locally, with no remote dependency. This is how NetGuard and many others work.
As I understand, VPN acts as a firewall replacement.
The VPN is not a separate vpn running on a server, but instead one running locally. The custom vpn client is both a vpn client and the vpn itself.
Android does not expose a firewall API. It does expose a VPN API that lets the developers choose how to handle traffic. This can be useful for VPNs that only want to connect to intranet websites through the VPN and let the rest of the traffic go through the normal route.

Adblockers use this API to block connections, redirect DNS traffic, or possibly even rewrite content for DNS lookups. There is no system wide content blocker and even if there was, there is no way to enforce applications to use a content-blockable network API.

Would this affect UBO?

I would change browsers if so. Ads trigger me. The change would suck since I have developed/use my own Chrome Extensions.

I assume no by VPN vs. extension.

This is getting posted again and again and I don’t understand why.

There are no news here. Ad blockers were never allowed to Play store, here is the relevant policy: https://support.google.com/googleplay/android-developer/answ...

This is exactly why AdGuard ad blocker is not distributed via play store. It was removed in 2014, we learned the lesson and see no reason in trying to abuse Google’s non-existent review process.

Interestingly enough, at first Google used a different rule, some vague stuff about interfering with networks. Later they reworked the rule and added ad blocking to examples of common violations.

Anyways, at least Google allows sideloading so devs can live without Google Play. When Apple pulls something like that we have no choice.

> This is getting posted again and again and I don’t understand why.

It is a click-bait (upvote-bait)?

TFA: ... we've been closely following the situation of the Google Play Policy changes and the company has now entered into the next phase ...

Yeah, they've got inside information. Sure.

> Anyways, at least Google allows sideloading so devs can live without Google Play. When Apple pulls something like that we have no choice.

Being able to sideload apps is the single issue that has kept me on android my entire life. Not being able to install the apps that I want to install on my own phone is a no-negotiation deal breaker for me. I really wish Apple would loosen their white knuckle grip on their precious iOS devices so that I could have options, but they obviously don't respect their users enough to give them that choice.

Agree. If Apple allowed it, I think I would switch.

Android used to be clearly better for a lot of what I wanted my phone to do: more customizable, better app integration ecosystem, less vendor lock in for default apps.

Apple has slowly shored up its software weaknesses, and Android has slowly gotten worse at this (e.g. Google appears to have no plans to make RCS APIs available - they whitelist client APKs - so you're stuck with the stock messenger app). The single thing holding me back now is the walled garden for app installation.

> my phone to do: more customizable, better app integration ecosystem, less vendor lock in for default apps.

> Apple has slowly shored up its software weaknesses

Every time i think about this, i check and see that there is still no way to customise the "desktop", all installed apps are just plastered on it and the best you can do is folders. Having used Nova launcher for like 10 years now i shudder at the thought of that chaos.

Also having to use a work-provided MacBook Pro, I've discovered that Apple's UIs are nice, but UX has a lot of hidden stuff (aka poor UX) and weird rough edges (you're holding it wrong). (If anyone wants examples, having different scroll directions between mouse/touchpad, having DP chaining work over USB-C, customising keys/key combos without installing a keylogger, etc etc etc.). I doubt iOS is different in that regard, so Android it is, imperfect as it is.

There are few unorthodox ways to side-load apps on iOS that don't require a jailbreak:

- AltStore and AltServer

Apple lets every user "side-load" 3 apps, but the caveat is that they expire in 7 days if not renewed on time. AltStore uses a mail plug-in on Mac to sign those apps in the background so you can keep using them indefinitely

- $99/year Apple Developer Program

You can "side-load" apps and they don't expire for 1 year. This is supposed to be for developers to test their app, but Apple may restrict this to stop side-loading in the future

I mean, we know what happens when it's possible. Us techies can handle it, but wave $20 in front of teens with no money and they'll click through any warning or "are you sure" prompt they're told to. https://techcrunch.com/2019/01/29/facebook-project-atlas/
i dont have google logged into my moto android phone. i haven't changed the stock messages/dialer which regularly nag me about "connected features" and "sign in" and i always reject that... point is, they "keep nagging" until you accept and then say "well the user accepted".

why should location require sharing data with google? why? why should i not be able to stop google location sharing and continue using location based apps?

I don't want to be prevented from using my device to its full potential because of what some teenagers might do. Sure, throw up some scary warnings to try to save the kids, but in the end I want control over the device I'm physically holding in my hands. I'm not going to spend $99/year to install apps any more than I'll spend $18/mo on heated seats.
s/device/gun

I agree.

Not a relevant comparison and makes me wonder why I even comment here

- phones cannot be used as weapons during a shooting

- guns don't require a monthly subscription to use bullets not approved by the manufacturer

etc

>phones cannot be used as weapons during a shooting

Theoretically, a phone can absolutely be used as a component of the triggering mechanism of a rigged up firearm.

Yes, there are even extant regulations around that.

The ATF will consider anything that meets the definition of a firearm rigged with an electrically actuated trigger a machine gun by default due to being readily convertible to being fully automatic.

That you don't have the creativity or will to go down these rabbit holes does not in any way mitigate their existence.

More so if you swap change device to gun.
I mean, I agree with you, but that's kind of a non-sequitur? The reason I want control over my software/hardware is not the same as the reason I want to own a firearm.
that's not why Apple locks down the iPhone. They lock it down to make more money through the app store by not facing competition. They say they lock it down to protect users to distract attention from their rent seeking behavior.
Banning side loading for everyone is hardly the solution here.
Then i'm not sure what the solution is.

I would say that we can have different devices for different peoples' needs; I personally want the ability to purchase a device with an absolutely locked-down state where no unauthorized or unaudited code can be ran, and currently iOS gets pretty close to that for me. But that is being taken away by laws like the EU's new sideloading law. Even if, after this is passed, I go out and make my own phone that serves my interests, I am forced to limit how many I sell if I want to keep it operational.

> I personally want the ability to purchase a device with an absolutely locked-down state where no unauthorized or unaudited code can be ran, and currently iOS gets pretty close to that for me.

No one is forcing you to run any "unauthorised" code. What you suggest is that, because you don't want to side load stuff, no one should be allowed to? Doesn't make much sense to me, to be honest.

My threat model is an evil maid attack, ie. someone watches over your shoulder as you enter your passcode, then steals your phone from your hotel room and sideloads malware (that hides the fact that it's been sideloaded).
I'm sure it's possible on Android to install enterprise management or MAM solution that locks down side-loading, locked behind some custom password (not the regular password that the maid would see)
soon enough the digital markets act will force them to
> but they obviously know their users well enough to know most of them don't want that choice, and that the results would not be a net positive.

FIFY.

If you want choice of software to run (sideloaded or not), you are correct, Apple does not make the device for you. They've always been transparent about this. You are buying an Apple phone with apple software, and the option to install some apple-approved third party apps.

Ironically, it was the walled garden that kept me on Apple for so long. Having at least the illusion that apps were safe and secure gave me some confidence that most of the apps are reasonably safe does remove stress and means I don't have to vet things too closely. In truth there are nasties in the Apple world too, but I'm sure it's nowhere near as wild as installing random .apk files.

What made me leave Apple was for a real headphone socket, an SD card slot, and especially USB-C charging. Those were the non-negotiables for me.

> Ironically, it was the walled garden that kept me on Apple for so long.

Ideally Apple can keep it's walled garden for regular users and also let power users unlock their device to side-load apps if they so choose.

> they obviously don't respect their users enough to give them that choice.

This is not necessary. Apple has sold millions of iPhones. If Apple customers did not feel respected they would not buy the product.

Just because a product doesn't have a feature YOU want doesn't mean the rest of us don't appreciate the added layer of security and simplicity.

Freedom to choose is well under the umbrella of respect.

For example, if you respect your girlfriend or wife, you give her the freedom to choose her own clothing at the store and don't force her to wear only what you've authorized for her to purchase.

Feeling respected is not the same as being respected.
I agree with your premise, but I am curious what apps are you side loading. Are these important apps? I value this freedom as well but I have only needed to install blokada. I am a working professional and do not tinker with android as much as I used too.
If you install apps from F-Droid (an alt app store on Android), they are all open source and built by F-Droid themselves. The benefit of this is, zero malware. And much better privacy. It's a nice peace of mind. The Play Store and App Store don't have such a good track record. And there's a lot of great apps on F-Droid (like clients for Twitter, Reddit, Hacker News, etc)
> There are no news here. Ad blockers were never allowed to Play store

This comment is absolutely unacceptable. I understand this isn't your decision, but its a decision I disagree with in the strongest possible terms. Ad blocking is the number one extension I use above all others. So if someone finds some excuse to bring attention to that fact, I say, let them do it.

If my comment makes you think that I support this rule in any way, maybe I should’ve explicitly stated that I do not.

What I am saying is that the title is misleading as it tries to represent an old rule as if it is something new.

Btw: OP is CTO at AdGuard, has built and contributed to a slew of FOSS content blockers. Probably the last person who would support Google's policies on this.
> This is getting posted again and again and I don’t understand why

Maybe because we're majorly affected by this whims of this supranational corporation and the only power we have to respond is to have as-visible-as-possible discussions about it.

At this point I don’t believe that public discussion can change anything. Antitrust can, though, and in my opinion it would be better if the discussion was steered that way.
I agree. I'd go further and say nothing will change it. IMHO companies like this own our (and international) government+the justice system and our votes are meaningless. The same interests control both parties, but I digress.

The EU seems to exercise some control in limited cases, or that privacy law that somehow got passed in California, but those actions are the exception by far.

I wouldn’t say that these are exceptions or that they’re meaningless. EU and US antitrusts are just very slow, but we’ve already seen examples how antitrust authorities in other countries change the situation (see South Korea vs Apple, but there are more). These cases usually affect rules in a single country, but they contribute to the big ones (EU and US) too.
I would say slow is a charitable characterization of US antitrust enforcement, just because I consistently see these huge mergers go through that the Justice department or FTC should have prevented in the first place. We had that case against Microsoft but it was a very long time ago and basically had no effect.

If Justice approves Adobe-Figma you can be sure our antitrust teeth are gone.

How should we pay for the internet, if not via ads? Serious question here.

Somehow the infrastructure and content must get paid for, or it will deteriorate and go away. If not via ads, what's a better plan?

And also - Lots of folks are worried about protecting our personal information from advertisers, which will cause the ads we see (if we see them) to be less relevant, and therefore less valuable. Which in turn means that we need to see more of those less-valuable ads to pay for the resources we are consuming.

Wouldn't it be better to see MORE relevant, more valuable, and overall fewer ads?

I pay my ISP. That should ensure I can communicate with anyone else paying their ISP.

As for content monetization, I host my own site without ads, solely to spread my own views. I take enjoyment in that.

I watch YouTube with uBlock Origin on my laptop, and NewPipe on my phone. If I were forced to watch ads, I'd stop watching. And I wouldn't pay for YouTube, because I believe it is much larger than its competition, and don't want to contribute to a monopoly.

I pay for Nebula, and when the creator also posts there, that is where I watch their videos.

Ads don't pay for the Internet, they pay for content. The problem is that's it's highly intrusive and mostly unimaginative leading to a negative sentiment. It's also pushing content that I haven't asked for, products or whatever.

I'd rather pay cash money for the app that is being advertised, than pay-per-view for ads promoting a free app I'll never download, which itself is funded by more adverts.

"Ads don't pay for the Internet, they pay for content." Not quite sure I agree with this. Who pays for all the routers and servers and CDN and whatnot? I think you mean that you pay for your CONNECTION to the internet, which I agree is true, but there's a lot more "plumbing" that goes into it besides the content generation itself, or your internet connection: <ISP> - <LOTS OF REALLY EXPENSSIVE STUFF> - <CONTENT>

"I'd rather pay cash money for the app that is being advertised" Me too! But I think we're in the minority. When I ask most people about whether they'd pay for content to avoid ads, they say "no, why would I pay when it's free?"

"than pay-per-view for ads..." - Actually I'd LOVE to have literal pay-per-view for content. Can I pay 1 cent or 5 cents or whatever to read that article without any ads or trackers and such? I think that would be a great experience - but again, I think I'm alone on that.

If ads didn't take over the whole screen and use outright false or misleading statements, or attempt to phish information or install viruses, then I don't think most would have a problem. Ads these days are intrusive to the point that certain websites and apps are rendered completely useless by them.
Our smartphones should be as free as our desktops. I'd love to replace Android with a Linux distro but they don't seem to be there yet on ease of installation.