208 comments

[ 2.4 ms ] story [ 85.6 ms ] thread
tl;dr:

- You need to enable developer mode

- You need to click through a few scare dialogs

- You need to wait 24h once

I wonder how long this will last before they lock it down further. There was a lot of pushback this time around and they still ended up increasing the temperature of the metaphorical boiling frog. It still seems like they're pushing towards the Apple model where those who don't want to self-dox and/or pay get a very limited key (what Google currently calls "limited distribution accounts").

Honestly, if coerced sideloading is a real attack vector, then this seems to be a pretty fair compromise.

I just remain skeptical that this tactic is successful on modern Android, with all the settings and scare screens you need to go through in order to sideload an app and grant dangerous permissions.

I expect scammers will move to pre-packaged software with a bundled ADB client for Windows/Mac, then the flow is "enable developer options" -> "enable usb debugging" -> "install malware and grant permissions with one click over ADB". People with laptops are more lucrative targets anyway.

I'm generally OK with this, but the 24 hour hang time does seem a bit onerous.

Most of the apps on my phone are installed from F-Droid. I guess the next time I get a new phone I'll have to wait at least 24 hours for it to become useful.

I'm seriously considering Graphene for a next personal device and whatever the cheapest iOS device is for work.

Most of your F-Droid developers will leave the ecosystem if forced to pay Google to publish outside the Play Store.
The forced ID for developers outside the Play store is already killing open source projects you could get on F-Droid. The EU really needs to identify this platform gatekeeping as a threat. As an EU citizen I should not be forced to give government ID to a US company, which can blacklist me without recourse, in order to share apps with other EU citizens on devices we own.
Seems like a very reasonable compromise. What's the catch?
It's getting harder and harder to be an Android enthusiast. Especially given the hypocrisy of Google Play containing an awful lot of malware.
Those working in Google (AOSP) that write these code should be ashamed of themselves. Eventually they are doing a bad thing for the society.
This is going to hurt legitimate sideloading way more than actually necessary to reduce scams:

- Must enable developer mode -- some apps (e.g., banking apps) will refuse to operate and such when developer mode is on, and so if you depend on such apps, I guess you just can't sideload?

- One-day (day!!!) waiting period to activate (one-time) -- the vast majority of people who need to sideload something will probably not be willing to wait a day, and will thus just not sideload unless they really have no choice for what they need. This kills the pathway for new users to sideload apps that have similar functionality to those on the Play Store.

The rest -- restarting, confirming you aren't being coached, and per-install warnings -- would be just as effective alone to "protect users," but with those prior two points, it's clear that this is just simply intended to make sideloading so inconvenient that many won't bother or can't (dev mode req.).

This is clearly anticompetitive. Hope regulators will figure out, then we won't have it eg not in the EU. However, Google is also abusing their power to e.g. deinstall apps without any option to decide using 'play protect' and blocks whole alternative stores through 'safe browsing' flags. I posted this play protect incident about IzzyOnDroid a few days ago, because I was so outraged: https://news.ycombinator.com/item?id=47409344
I wouldn’t be fully optimistic about the one-day waiting period. Almost certain there will be a pop up showing up with: Process failed try again in 23:59:59.
Another take: People are not getting scammed because of side-loading (or not knowing your demographics/biometrics). People are getting scammed because of ignorance & stupidity & lack of common sense. In a way, its just nature running its course. If I'm able to scam you successfully, don't you deserve it at that point? Doesn't matter what we do, if you are scammable, you will get scammed.

Have these companies sent out their people to old age homes to teach old people how to use their tech and how avoid scams? If you lock the system down at max level, scams will just move offline again or find another way. Same if they build backdoors into encryption or make chats data available to gov agents: all illicit comms will just move off the network or find another smarter way. Its just how nature works, we are seeing tech-evolution in realtime.

One of the first things I do when I buy a new Android phone, like day one, is to enable developer mode. I usually use that simply for the ability to speed up animations so the phone feels a bit more snappy. In all the years I've engaged in this behavior, I've never had an application refuse to work. A rooted phone? Yes. Definitely. But just having developer mode enabled, no.

That said, it may be that I've simply been lucky and have an encountered that yet. So I'll be keeping an eye out for it.

That's a lot of words to explain how to install things on the device I supposedly own.

Wondering how long the blogpost would be if it explained what the flow for corpoloading applications approved by Google's shareholders would be?

Can you set your clock forward or does this also require phoning home to a central server to install an app on your computer?
It'll be interesting to see how the timing is enforced. Can you just set up your own NTP server to fool your phone into thinking it's really the future (and not just you adjusting your phone's clock manually). Will Google run a clock that you have to get a timestamp from (would it be easy to setup your own MITM proxy to get around this?). If the time somehow jumped backwards, would you lose the ability to install apps? Can google remotely disable this after it's already enabled (I think yes)?
I'll say it again: this isn't a problem for Android to solve. Scammers will naturally adapt their "processes" to account for this 24-hour requirement and IMO it might make it seem more legitimate to the victim because there's less urgency.

The onus of protecting people's wealth should fall on the bank / institution who manages that persons wealth.

Nevertheless, this solution is better than ID verification for devs.

It's a little inconvenient for someone setting up a new phone to have to wait a full day to install unregistered apps. But while I can't speak for others, it's a price I'm personally willing to pay to make the types of scams they mention much less effective. The perfect is the enemy of the good.
Give me a break bro. Google are among the biggest crooks in the game and knowingly allow all kinds of fraudsters to use their ad platform. This is all about ensuring their cut.
This 24-hour wait time nonsense is a humiliation ritual designed to invalidate any expectation of Android being an open platform. The messaging is very clear and the writing's on the wall now, there's nowhere to go from here but down.
Am I going to have to wait 24hrs to have Google's malware and spyware forceloaded onto my phone, or is this a different category of malware?
This is eminently reasonable.

Now if only Android would allow for stronger sandboxing of apps (i.e. lie to them about any and all system settings).

The 24 hour wait period is the largest of the annoyances in this list, but given that adb installs still work, I think this is a list of things I can ultimately live with.
24 hour mandatory wait time to side load!? All apps I want to use on my phone are not in the Play Store. So I buy a new phone (or wipe a used phone) and then I can’t even use it for 24 hours?
It's not like the Google Play store hasn't been known to host malicious apps, yet you are not required to wait 24 hours before you install apps from their store.

I suspect they are hoping users just give up and go to the play store instead. Google touts about "Play Protect" which scans all apps on the device, even those from unknown sources so these measures can barely be justified.

Imagine if Microsoft said you need to wait 24 hours before installing a program not from their store, which is against the entire premise of windows.

Computing, I once believed was based on an open idea that people made software and you could install it freely, yes there are bad actors, but that's why we had antivirus and other protection methods, now we're inch by inch losing those freedoms. iOS wants you to enter your date of birth now.

The future feels very uncertain, but we need to protect the little freedoms we have left, once they're gone, they're gone for good.

Do you need a Google account to opt out of the restriction? It says something about authenticating.

I don't have a Google account on my Androids. But I can't remove play services on them, sadly. As an intermediate protection I just don't sign in to Google play, that gives them at least a bit less identifying information to play with.

I hope this can be done without a Google account.

Death, taxes and escalating safety are the only certainities in this tech dominated world. So, be ready for more safety in the next round few months/years down the line. Eventually Android will become as secure as ios. We need a third alternative before that day comes.

It's not a win by any means. I hope that we don't stop making noise.

The goal seems to be breaking the real-time guidance scammers rely on. 24h probably works, but it feels like a heavy tradeoff for legit users.
They give no shit about safety. The real goal is to break NewPipe or YT Vanced and ads/subscription revenue. Google is advertising company foremost.
At this point I'm convinced that there's something deeply wrong with how our society treats technology.

Ruining Android for everyone to try to maybe help some rather technologically-hopeless groups of people is the wrong solution. It's unsustainable in the long run. Also, the last thing this world needs right now is even more centralization of power. Especially around yet another US company.

People who are unwilling to figure out the risks just should not use smartphones and the internet. They should not use internet banking. They should probably not have a bank account at all and just stick to cash. And the society should be able to accommodate such people — which is not that hard, really. Just roll back some of the so-called innovations that happened over the last 15 years. Whether someone uses technology, and how much they do, should be a choice, not a burden.

This isn't about helping people, that's just the cover story.

This is about Google wanting more control over their ecosystem.

You live in a bubble. The roles are inversed. This is "ruining" Android for the 0.001% of power users that install .apk files and improving it for the huge chunk of population that are still getting hit by malicious ads that try to push app installs onto you.
My take is quite different. Every device that I use to do internet banking or things of that nature, I'm very happy to delegate security to companies, and consider that already I trust said bank with my finances. If I want a device I "fully control", then I don't expect a bank to trust it, I don't expect to do internet banking on it or other sensitive stuff of that nature. And that's the status quo even with Google implementing this, open-source OSes still exist, just don't expect internet banking to happen on them.
Consider that you, and most of the community here, wouldn't have jobs if that were the case. XD
I'm not in agreement with most of you, hn. They've found a decent compromise that works for power users and the general population. Your status as a power user does not invalidate the need to help the more vulnerable.

Having to wait a day for a one off isn't a big deal, if they kept it looser then you'd be shouting about the amount of scams that propagate on the platform.

Sure, I believe that the likes of Meta, Google, and god damn Microsoft who enabled mass brutal persecution of millions of people for money (engaged in recording and analysis of phone calls of Palestinians), care about vulnerable individuals, and not just about stuffing their pockets with more and more money by the means of increased control over "their" platforms.

They sure spend billions to "help the vulnerable". Right. Like Meta here: https://github.com/upper-up/meta-lobbying-and-other-findings

I'd rather not have to go through this ritual, but I appreciate that there is a genuine security problem that google are trying to address. I also suspect that they have other motivations bound-up in this - principally discouraging use of alternative app stores. But basically I could live with this process.

Yeah, I know... Stockholm syndrome...

Although I may not have to live with it, as none of my present devices are recent enough to still receive ota updates.

Context: I don't use alternative app stores. I occasionally side-load updates to apps that I've written myself, and very occasionally third party apps from trusted sources.