The consequences of Google requiring developer certification to install Android applications, even outside of Google’s own Play Store, are starting to reverberate. F-Droid, probably the single most popular non-Google application repository for Android, has made it very clear that Google’s upcoming requirement is most likely going to mean the end of F-Droid.
If it were to be put into effect, the developer registration decree will end the F-Droid project and other free/open-source app distribution sources as we know them today, and the world will be deprived of the safety and security of the catalog of thousands of apps that can be trusted and verified by any and all. F-Droid’s myriad users will be left adrift, with no means to install — or even update their existing installed — applications.
↫ F-Droid’s blog post
A potential loss of F-Droid would be a huge blow to anyone trying to run Android without Google’s applications and frameworks installed on their device. It’s pretty clear that Google is doing whatever it can to utterly destroy the Android Open Source Project, something I’ve been arguing is what the rumours about Google killing AOSP really mean. Why kill AOSP, when you can just make it utterly unusable and completely barren?
Sadly, there isn’t much F-Droid can do. They’re proposing regulators the world over look at Google’s plans, and hopefully come to the conclusion that they’re anti-competitive. Specifically the European Union and the tools provided by the Digital Markets Act could prove useful here, but in the end, only if the will exists to use them can these tools be used in the first place.
It’s dark times for the smartphone world right now, especially if you care about consumer rights and open source. iOS has always been deeply anti-consumer, and while the European Union has managed to soften some of the rough edges, nothing much has changed there. Android, on the other hand, had a thriving open source, Google-free community, but decision by decision, Google is beating it into submission and killing it off. The Android of yesteryear doesn’t exist anymore, and it’s making people who used to work on Android back during the good old times extremely sad.
Jean-Baptiste Quéru, husband of OSNews’ amazing and legendary previous managing editor Eugenia Loli-Queru, worded it like this a few days ago:
All the tidbits of news about Android make me sad.
I used to be part of the Android team.
When I worked there, making the application ecosystem as open as the web was a goal. Releasing the Android source code as soon as something hit end-user devices was a goal. Being able to run your own build on actual consumer hardware was a goal.
For a while after I left, there continued to be some momentum behind what I had pushed for.
But, now, 12 years later, this seems to have all died.
I am sad…
↫ Jean-Baptiste Quéru
And so am I. Like any operating system, Android is far from perfect, but it was remarkable just how open it used to be. I guess good things just don’t survive once unbridled capitalism hits.
Safety as a excuse to push this kind of thing is so 2010s… and they still does as if nobody notices what this is really about: increasing control and profit margins. If there’s a single niche, even if 0,2% of their user base, that is outside their reach… they must be broken, harassed and forced inside the cage, they are a menace, and a loss of a million or two for their shareholders (the real customers of these hot garbage that big tech is).
Modern big tech management is a high tech reedition of robber barons.
Google is already hobbling AOSP, leaving me wondering how long it’ll be until projects like LineageOS, /e/OS, and so on become untenable and face choice of discontinuing or evolving into completely different ecosystems.
Enturbulated,
Do you mean continuing to fork android, or something new all together?
I would welcome these projects evolving into a new competing platform, but I’m just skeptical for the viability of an alternative platform that doesn’t have an obvious path to achieving critical mass. Without the users we end up marginalized by publishers, manufactures and other companies who don’t take 3rd parties seriously as a first class target. This is why all competitors to ios and android died off, so my question is what will change next time?
Ideally a 3rd platform could become the new home of FOSS, but without the apps that users want it’s going to stay out of reach for most. Maybe it would not be that far fetched to get boatloads of developers to agree in principal that apple and google have been abusing the market Many may remember the epic lawsuit, which was the face developer protests…
“Fortnite declares war on Apple, Google”
https://www.youtube.com/watch?v=hDup610AIgI
So in theory maybe there could be a push to unite developers…I don’t know though, even if they can agree on the merits, traditionally it’s just hard to get developers to support small platforms. How do we solve the chicken and egg problem?
All we need is for governments to ban usage of hardware attestation that kills competition, such as Google Play Integrity. Then something like a Linux phone might be viable someday. But if you can’t run an Android or iOS app on an alternative OS using some compatibility layer then any competition is impossible. Unfortunately it seems governments would rather have a duopoly that they can control rather than a competitive market.
Magnusmaster,
Interesting suggestion, although personally I’m not against hardware attestation. I run lineageos and I wouldn’t mind a device attestation service working on my behalf instead of google’s. I have to concede that in practice it’s almost never designed with owner interests in mind, unfortunately. But that’s the fault of the tech corporations rather than a fault of the technology itself. If you propose to ban anything, I’d suggest that rather than banning technology, it should be banning the practice of omitting owner from having control over it.
I agree. Google’s integrity service makes it impossible to run some software on alternative platforms regardless of compatibility, which is very harmful. This was a very clever maneuver by google in that it lets them implement strong anti-competitive features simultaneously claiming they’re not responsible for how developers use it. In other words “Google’s not the one blocking the software from running on lineageos, it’s the bank, netflex, etc”.
Yeah,it’s quite evident what’s going on…the US government doesn’t truly care about competitive markets as long as it’s a US monopoly/duopoly.
Sideloading and alternative app stores were always a niche part of the market, but at least we had this freedom and it wasn’t impeded by google. This was a way for android to differentiate itself, at least before now. This change is really devastating to FOSS and owner freedoms especially given the lack of viable alternatives in the duopoly market. Going forward, whether you go with apple or google, It’s becoming a loose-loose situation for openness on mobile.
Sundar Pichai, a younger you would have shunned this. Did the “do no evil” mantra ever mean anything to you? Or were you always manifesting the seeds of corruption and merely exploiting the illusion of innocence to get ahead? Allowing this to take place during your tenure reveals you as a morally bankrupt hypocrite and asshole to FOSS.
I believe this is the main paragraph in the blog post:
>In addition to demanding payment of a registration fee and agreement to their (non-negotiable and ever-changing) terms and conditions, Google will also require the uploading of personally identifying documents, including government ID, by the authors of the software, as well as enumerating all the unique “application identifiers” for every app that is to be distributed by the registered developer. The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications. If it were to be put into effect, the developer registration decree will end the F-Droid project and other free/open-source app distribution sources as we know them today.
I must admit I don’t really understand it. Yes, I know that Google’s actions are bad. And I would agree that Android cannot be called “free” or be seen as a “general computing” platform any more.
But what stops F-Droid from just adding “org.fdroid.” to all the packages they are hosting in their repo? While some of them are reproducible builds, the majority of F-Droid packages are built by the F-Droid project from source and signed with F-Droid’s keys. Hence, you can’t update an F-Droid app with the Play Store version or the Github APK, and vice versa, all because the developer signature is different (F-Droid’s vs the original developer’s). And in some cases, the F-Droid version of an app is also different in features from the Play Store app (with the same app name), e.g. F-Droid includes Premium features for free or strips out some non-free bits (e.g. my weather app only supports one data source in the F-Droid version). So if F-Droid just adds their own name to all the packages they build, wouldn’t they be the “verified developer” for all these apps? This would also mean that apps where the original developer doesn’t want to doxx themselves, e.g. Newpipe app which harming Google’s ad business, F-Droid can step in as the verified developer for their own “Newpipe by F-Droid” app.
>but what about existing apps, they can’t be updated!
In this case, the F-Droid app can just have the same package available in two versions, with the new (“org.fdroid”) and old (same as Play Store) app ID. “Legacy users” can update their apps using the old ID, new installations will use the F-Droid ID. The F-Droid app will then choose the appropriate version.
j0scher,
The problem isn’t so much about namespaces, but rather the lack of a google signature. Google says “sideloading” mechanisms will only work for software making payment to and being approved by google. Presumably f-droid itself can be signed by google and therefor continue to run on android, but all software installed through f-droid would need to go through the process as well.
Obviously software distributed in google’s app store always had to be approved by google, naturally. But now they’re extending it so that google exerts control over software outside of their store too. It won’t matter whether fdroid has the source code because android itself will require the certificates to run the software to come from google. It’s not just fdroid either, all forms of sideloading are effected. For instance I have a lot of APKs for light stripes, multimeters, dash cam, battery monitors, etc, which I’ve downloaded and achived from manufactuerer’s websites over the years. Those without a google signature will cease to be loadable on future versions of android.
Note I believe this is google’s intention based on what I’ve gleaned in the news, but the news isn’t always technically specific & accurate, so if anyone knows differently then please let me know!
I think that hackers/modders should be able to release AOSP firmwares that don’t enforce this restriction such that fdroid will work there, but what we’re talking about is standard unrooted android phones. The losers are users loosing the ability to sideload on regular android.
>Presumably f-droid itself can be signed by google and therefor continue to run on android, but all software installed through f-droid would need to go through the process as well.
But my point is that F-Droid, who already compiles and signs the apps today, should just be the developer from Google’s point of view. So they can register with Google saying, “Hi I’m a developer, these are my 4,000 apps: …”
> So they can register with Google saying, “Hi I’m a developer, these are my 4,000 apps: …”
It can’t, quite a few apps are both on playstore and fdroid (slightly different versions) .
Also F-Droid won’t do this, because it would take “ownership” from the developers, and it might be a hassle if down the road the developer wants to register himself.
>It can’t, quite a few apps are both on playstore and fdroid (slightly different versions) .
That’s why I said they need to add something like “org.fdroid” to the app ID. Essentially, they “fork” every app from the original developer (even if they don’t change anything) and become the developer of that fork. Then you can have both versions (F-Droid and Play Store) installed at the same time and F-Droid doesn’t need to take ownership from the original developer.
It’s a hassle though, and fuck Google.
They don’t need to take ownership. The problem is that if they change the app IDs people will have to reinstall every app and lose all saved data. Also Google can ban any app they don’t like, but fortunately Google will be fine with most apps in F-Droid.
joscher,
I’d like to have more specific details about how google’s rules will play out in practice. I found a bit of info about the plan for package names here…
https://www.thestack.technology/app-dominance-secure-android-packages-new-sideload-scheme/
Are you suggesting that all of fdroid’s 3rd party developers submit applications through a proxy account? This is an interesting discussion, but it would clearly defeat google’s intentions for the program so I am skeptical it will be allowed. I’m guessing this will be explicitly against google’s terms of use.
I appreciate your goal is to create the best of a bad situation, and not to condone it, but it’s a terrible situation for FOSS.
In cryptographic terms proxy registration seems much worse than letting fdroid be it’s own certificate authority (which google doesn’t allow) to sign sign their own packages since sharing one registration leads to collective punishment (ie revoking one equals revoking all).
Google explicitly demands personal information, and while they promise to keep it private, it’s another instance of hypocrisy: we value your privacy, so long as we have a privacy-defeating exception for ourselves, we’re explicitly banning you from having privacy from us. The identity of fdroid’s developers is fdroid’s business and none of google’s business. While a proxy registration could mask the identity to google, I doubt google will knowingly allow that.
Even if we could assume google doesn’t limit/block proxy registration by fdroid, that doesn’t necessarily solve the more widespread problem for individual sideloaders considering that one of the core tenants of FOSS is everyone including end users having the right to modify software without anyone else’s permission. This tenant will effectively be violated, potentially forever on mobile. So I hope there will be ways for owners to go around these restrictions, but it all depends on google at this point.
The other thing we have to worry about is how much of a “slippery slope” these changes are. Even if google are very lenient during the initial, once they’ve taken away our keys, there is no guarantee that google won’t clamp down further, in fact they’ll be better positioned to. Restrictions are always passed in name of security. Android is turning into IOS. Owners must be protected from their own rights 🙁
This is another example of how all monopolies and duopolies trend towards replacing their original core values with shareholder value. It’s not a Google issue. It is endemic to the public market capital model. Ironically it is in service of our retirement funds etc.. We need public government to mollify private greed. I advocate tax vs penalties. The latter will always be affordable. A tax on anti consumerism would give the leaders of public companies a legitimate reason to do the right thing. I don’t think they are evil people. Just in an evil control loop that selects for behaviours by eliminating non compliant actors. AI could play a role in the evaluation of anti-consumerism. Like a (very) sophisticated calibrated and objective meter. Maybe a job for GPT 10.