Google has been on a bit of a marketing blitz to try and counteract some of the negative feedback following its new developer verification requirement for Android applications, and while they’re using a lot of words, none of them seem to address the core concerns. It basically comes down to this: they just don’t care about the consequences this new requirement has for projects like F-Droid, nor are they really bothered by any of the legitimate privacy concerns this whole thing raises.
If this new requirement is implemented in its current form, F-Droid will simply not be able to continue to exist in its current form. F-Droid builds the applications in its repository itself and signs them, and developer verification does not fit into that picture at all. F-Droid works this way to ensure its applications are built from the publicly available sources, so developers can’t sneak anything nefarious into any binaries they would otherwise be submitting themselves.
The privacy angle doesn’t seem to bother Google much, either, which shouldn’t be a surprise to anyone. With this new requirement, Android application developers can simply no longer be anonymous, which has a variety of side-effects, not least of which is that anyone developing applications for, say, dissidents, can now no longer be anonymous. Google claims they won’t be sharing developer information with governments, but we all know that’s a load of bullshit, made all the more relevant after whatever the fuck this was. If you want to oppose the genocide in Gaza or warn people of ICE raids, and want to create an Android application to coordinate such efforts, you probably should not, and stick to more anonymous organising tools.
Students and hobbyists are getting the short end of the stick, too, as Google’s promised program specifically for these two groups is incredibly limited. Yes, it waives the $25 fee, but that’s about the only positive here:
Developers who register with Google as a student or hobbyist will face severe app distribution restrictions, namely a limit on the number of devices that can install their apps. To enforce this, any user wanting to install software from these developers must first retrieve a unique identifier from their device. The developer then has to input this identifier into the Android Developer Console to authorize that specific device for installation.
↫ Mishaal Rahman at Android Authority
Google does waive the requirement for developer certification for one particular type of user, and in doing so, highlights the only group of users Google truly cares about: enterprise users. Any application installed by an enterprise on managed devices will not need to have its developer certified. Google states that in this particular use case, the enterprise’s IT department is responsible for any security issues that may arise. Isn’t it funny how the only group of users who won’t have to deal with this nonsense are companies who pay Google tons of money for their enterprise tools?
The only way we’re going to get out of this is if any governments step up and put a stop to this. We can safely assume the United States’ government won’t be on our side – they’re too busy with their recurring idiotic song-and-dance anyway – so our only hope is the European Commission stepping in, but I’m not holding my breath. After all, Apple’s rules and regulations regarding installing applications outside of the App Store in the EU are not that different from what Google is going to do. While the EU is not happy with the details of Apple’s rules, it seems to be okay with their general gist.
I’m afraid governments won’t be stepping in to stop this one.

The only way we’re going to get out of this is if we develop an independent libre fork of Android, together with a few decent quality devices that support it.
The open source software movement wasn’t created by people trying to “mod” windows, but rather by visionary individuals who were willing to build independent projects such as GNU, Linux, and Mozilla from scratch.
Companies that currently design computers for Linux users should be able to undertake the hardware side of things. We can have Framework Phones and Framework Tablets, for instance. Or TUXEDO InfinityPhones. Given the tens of millions of free software users and privacy-focused individuals out there, there won’t be a lack of customers for such devices.
The problem is that some essential apps likely won’t work on the fork. Like banking apps. Most companies won’t develop for the fork. It’s why Microsoft lost.
It’s going to be dire. I will never buy Apple, so I think I will move to the cheapest Android phone I can find that I only use for banking and the odd essential app and another great phone without Android or Apple for the rest.
Maybe I will finally try Ubuntu Touch or Postmarket OS rather than a degoogled Android phone?
I’ll repeat this at every opportunity that arises:
I’ve been daily-driving a Librem 5 for 2 years and, unless you care a lot about facetubes and instabooks, it works just fine. My bank app works via Waydroid.
And even watching youtube works just fine. The only problem is that battery life is too low for that due to the lack of hardware acceleration.
The situation should be much better in devices with more conventional hardware compared to the Librem 5 and its dedicated ICs.
While I’m not a fan of Librem (ridiculous price for hardware that is more than 5 years behind, overpromising company that always underdelivers), that Waydroid looks extremely impressive. Is it a bit like GrapheneOS’s Playstore sandbox? I would already be a lot happier if none of the apps can see any of the data of the other apps and don’t send any data to Google except about the app that is running. That is because I almost have no apps that “phone home”.
What drove me initially to the Librem 5 is the idea of the independent ICs rather than all in the SoC. The goal is to have the phone fully supported in the mainline kernel meaning it would remain supported even if Purism goes bust.
I agree, though, that they are not the best at keeping promises and their PR is awful.
I use Waydroid for Skype (well, used), Signal and banking. NewPipe works too. And everything except BT and camera.
I decided to go for Apple and switch my Pixel device to GrapheneOS.
At least I’ll have a modern camera in my pocket.
There are no TUXEDO InfinityPhones out there. Are you talking about https://tuxphones.com/ ?
> Isn’t it funny how the only group of users who won’t have to deal with this nonsense are companies who pay Google tons of money for their enterprise tools?
I don’t enjoy the idea of giving Google any money in this situation, but couldn’t we just have F-Droid itself be an enterprise? I’m sure Google would prefer not to approve this, but it’s one of the only ways I can see out of this without Google just dropping the idea entirely.
Another option might be making it so we can all build applications for ourselves in a controlled, easy way. It would require compiling on demand for each device (a little like Gentoo?) but that could be okay.
I’m still looking really hard at the Fairphone to get away from this situation with Google, but we do need an option for all the people who aren’t going to do anything like running libre Android.
benjaminoakes,
We need to consider all such possibilities, so it’s good that we’re talking about it. But don’t android enterprise customers need per seat licenses like on windows? It’s not just a matter of buying windows for the server and desktops, you need “client access licenses” too. For example this reseller sells a 5 pack windows server 2025 CAL for $190…
https://www.trustedtechteam.com/collections/microsoft-windows-server-2025-client-access-licenses
If it works the same way here, it could become prohibitively expensive to run fdroid as an enterprise just so they can reverse these new android application restrictions.
Also, are there side effects of joining an enterprise account? Would this deny admin/policy/privacy rights to the real owner once joining fdroid’s enterprise account? If anyone knows more about this stuff, let us know.
Google could make the process arbitrarily difficult to the point of automation being futile, but in theory you could try and use automation to install software under developer accounts. IIRC apple limited the number of applications that could be installed under developer accounts precisely so that developer accounts wouldn’t be used this way. Google will probably do the same.
You don’t even need for F-Droid to be an enterprise. There’s an app named Dhizuku which can be used to create your own enterprise and use it to install apps. F-Droid can even be integrated to it. Unfortunately it seems you need to sideload it on a clean device but you can still sideload apps on stock Android with that loophole for a while
https://github.com/iamr0s/Dhizuku
From the article…
I was hoping this was a poor interpretation of what google said, however it is what was said in the google video here:
https://youtu.be/A7DEhW-mjdc?t=386
These guys obviously should know how certificate authorities work, including that it works offline, and yet here they designed an online process (unless cached). Being online is NOT a requirement for certificates to be verified!!!! Normal certificates offer cryptographic security AND privacy. I’m concerned that the reason google opted not to use a standard certificate verification scheme is that google wants to better track installations outside of the play store. Of course they may claim this is not the intention, but then they should have designed it to use standard certificate authentication that doesn’t have this privacy weakness in the first place.
Verification works offline, but revocation of compromised certs does not. As has been proven with other code signing schemes, malicious parties always manage to get hold of trusted certs via various means.
bert64,
There’s a lot of solutions that provide more privacy even for revocation. Revocation lists are generally pretty small, you could download them without giving away any information about the package you are installing. Or if that’s too big you could divide the list into smaller buckets and then request the bucket without identifying the package.
I would assume google’s employees are knowledgeable about privacy protecting solutions, but it means a failure to protect privacy is intentional.
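The bucketed revocation lookup suggested in the comment above, sketched as an added example (not code from Google, F-Droid or any commenter). The class names, the sample certificate bytes and the choice of a 16-bit SHA-256 prefix as the bucket key are all assumptions made for illustration.

```python
import hashlib

PREFIX_HEX = 4  # assumed bucket key: first 16 bits of the fingerprint


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a signing certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


class RevocationServer:
    """Publisher side: revoked fingerprints grouped into prefix buckets."""

    def __init__(self, revoked_fingerprints):
        self.buckets = {}
        self.request_log = []  # everything the server learns about clients
        for fp in revoked_fingerprints:
            self.buckets.setdefault(fp[:PREFIX_HEX], set()).add(fp)

    def get_bucket(self, prefix: str) -> frozenset:
        # The server sees only the prefix, shared by every certificate whose
        # fingerprint starts with it, never the full fingerprint or the APK.
        self.request_log.append(prefix)
        return frozenset(self.buckets.get(prefix, ()))


class Device:
    """Installer side: signature checks stay local, only a prefix leaves."""

    def __init__(self, server: RevocationServer):
        self.server = server
        self.cache = {}  # prefix -> last bucket fetched

    def is_revoked(self, cert_der: bytes, online: bool = True):
        fp = fingerprint(cert_der)
        prefix = fp[:PREFIX_HEX]
        if online:
            self.cache[prefix] = self.server.get_bucket(prefix)
        bucket = self.cache.get(prefix)
        if bucket is None:
            # Offline and never fetched: report "unknown" so the caller's
            # policy decides, instead of silently treating it as clean.
            return None
        return fp in bucket  # exact match happens on the device


# Constructed sample data: these byte strings stand in for DER certificates.
REVOKED_CERT = b"constructed-cert-A (revoked)"
CLEAN_CERT = b"constructed-cert-B (clean)"

if __name__ == "__main__":
    server = RevocationServer([fingerprint(REVOKED_CERT)])
    device = Device(server)
    print("revoked cert:", device.is_revoked(REVOKED_CERT))
    print("clean cert:  ", device.is_revoked(CLEAN_CERT))
    print("server saw:  ", server.request_log)
```

In a deployed scheme each bucket would also need to be signed by the issuing authority, so a device can accept it from any mirror or cache without trusting the transport.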
I haven’t seen the full video yet, but one thing to note: as a developer, you can upload your APK to Google Play or distribute it yourself without using any cryptographic chains. In fact, when you distribute it yourself, you always sign the APK with a self-signed certificate
https://developer.android.com/studio/publish/app-signing#sign_release
a_very_dumb_nickname,
If it wasn’t a given, we’re all referring to the new process that google intends to roll out next year. In terms of restrictions IMHO it’s not how the certs are generated which is harmful to 3rd parties so much as the fact that google are going to hardcode their own APK censorship process into android.
Google are using the authoritarian playbook, which is as old as time: “We are taking away your rights for your own security”. While the public are largely ignorant about how rights are being taken away over time, google themselves don’t get to use the ignorance card. They know damn well what is happening here whether they acknowledge it or not. They’re letting their paychecks buy their silence on owner rights and advocacy. Hell if I worked for google, who knows whether I’d be a hypocrite too.
Sorry about straying from your comment… I am just really incensed that there may no longer be a major open mobile platform going forward. I find Sundar Pichai personally complicit in taking away ownership rights. As a billionaire I don’t suppose he gives a damn about individual rights, but maybe he cares about his legacy; attacking FOSS and openness will be a stain on it. He’s one of few people who can still stop the collapse of open mobile platforms before it’s too late.
Google would easily resolve most complaints by allowing people to disable this “feature” using the same “oem unlocking” procedure that has existed on their phones for ages.
It seems like there are no more people at Google who think about long-term consequences.
a_very_dumb_nickname,
I imagine there actually are a substantial number of google employees who want android to stay open, but they can only do so much when the chain of command is ordering them to lock android down. Is it worth protesting and risk their careers?
While I don’t know much about how these events went down, Google has a recent history of firing protesters, which may be on employees’ minds.
https://www.androidcentral.com/apps-software/google-lays-off-more-employees-fires-protestors
That’s the crap world that we are living in now. We don’t even own the devices that we paid for.
Changing the rules of the game midway is now the norm, and a prevalent business tactic to squeeze a bit of profit from a saturated market.
What we do need is a way to force manufacturers to release every single bit of documentation about their devices or force them to standardize like the PC.
I haven’t used F-droid, but it seems they (or someone else impacted) should take steps to ask the European Union whether or not this practice is against the DMA, certainly because it makes their work impossible. They will most likely conclude it is against the DMA. The question is whether or not F-droid still exists when there is an answer from Europe.
No it doesn’t make their work impossible from the perspective of the EU. The developers can sign their apps with Google before uploading to F-Droid, or F-Droid can sign the apps for them. This isn’t different than the process Apple requires (and even charges a “Core Technology Fee” for it).
The EU bureaucracy has no problem with centralized control (they are even trying to pass a law that would require platforms to scan private chat messages and hand them to the authorities if asked so, making true end-to-end encrypted chat services impossible), what they have a problem with is OS vendors having a monopoly App Store.
The only recourse here is suing Google for bait-and-switch (since they will backport the change to existing Android devices) in as many courts as possible.
kurkosdr,
I have no idea what the EU will do, if anything, to protect sideloading rights on android. We’ll probably have to learn retroactively after it happens. Google’s official position, that they’re not harming sideloading, is a blatant lie. 3rd party sideloading will no longer be a right owners have by default, but require google permission going forward. Google’s PR is clearly disingenuous, but is it “illegal”? I don’t really know if it is. Personally I cannot predict what regulators will do, it’s a crapshoot. Not only that but sometimes they only address problems years and even decades too late.
I thought it was only new android versions that would get this. Are they really backporting new restrictions into existing releases that have already been sold? If so, that seems like an unnecessarily risky move by google.
See? That’s the problem here: The EU doesn’t care about any right to sideloading, they care about OS users having access to multiple app stores. For example, Apple doesn’t have to enable sideloading on iOS, they only have to allow alternative (non-Apple-owned) app stores to exist. They don’t mind the OS vendor gatekeeping app signing as long as they aren’t abusing that gatekeep (however “abuse” is defined).
For the record, I think sideloading of unsigned and self-signed apps should be a right, but that’s my opinion, not the EU’s.
It’s in the linked article:
The changes will be backported to older versions of Android through Google Play Protect, though Google says there may be some slight differences because this method leverages an existing app rather than the new, native verifier service built into the OS.
Which is where the bait-and-switch comes into play: When I bought my HTC U11+ (for example), I bought it with the “ability to install unsigned and self-signed apks” feature included.
kurkosdr,
Ok, I don’t really disagree on you with that. I never put blind faith in regulators. The EU does at least seem to go after antitrust abuses more than other governments. So they may be more likely to do something, but I’m not going to bank on it.
Yeah, it’s a natural extension of property rights: the owner decides, period. There shouldn’t even be a debate. The problem is that technology has evolved to the point where the manufacturers can make stuff that preserves their control over your property even after you’ve bought it. This ought to be illegal, but property laws did not evolve alongside the technology so we’re not in this situation where one can own something and yet not be in control over it.
You could be right about that, damn.
Edit:
Doh, typo completely changes the meaning. I need to proof read more before submitting. “Ok, I don’t really disagree on you with that.”, haha .:)
As a dji osmo pocket 3 video camera user I’m worried about this move. The camera requires an app which is not in the play store. If I can’t load it anymore I will have problems to use my camera. This isn’t nice, Google.
I agree that sideloading should be a right, given the existence of devices requiring sideloading.
My only alternative might be to switch to Apple, sadly, or some other non-android phone.
apokalupsis,
I have a lot of sideloaded APKs as well.
Google want to have more control over the sideloading process and alternative app stores. Google’s power grab is being done in the name of security, which has been the go-to game plan for power grabs throughout history. I honestly did not predict google would lock down android sideloading (shame on me), but the way they are doing it is entirely predictable.
I understand the desire to protest google, but I’m not so sure changing to team apple solves anything. We seem to be entering a lose-lose situation 🙁
I am in the same boat, I have a DVB-T tuner for Android called “AndroiDTV 78e” from PCTV Systems (Pinnacle’s TV tuner division that was spun off as a separate company and then bought by Hauppauge) which requires a free app called “TVCenter for Android” that has long been delisted from the Play Store, but I was able to download it from APK Pure and sideload it.
It’s signed (all Play Store apps are), but will it be the kind of signing the new Play Protect will require? Nobody knows.
Sure, there is a “generic” DVB-T app for Android, and I also have a DVB-T2 tuner from MyGica (which uses a “PadTV” app from Geniatech that’s still listed in the Play Store), but the Pinnacle app is so much better (Pinnacle is the only TV tuner vendor with acceptable software, on Android and Windows).
This is btw why I consider locking down sideloading on existing devices a bait-and-switch.
Apple is just as bad, once an app has been delisted from the App Store, it’s gone forever, because you can’t sideload it anymore. It’s been like that since forever. It’s the reason why iPhones with Flappy Bird installed were sold for way above the price of a new iPhone when Flappy Bird got delisted. Now we may get this “once it’s delisted, it’s gone forever” treatment on Android too.
As an aside, when a free app gets listed from the Play Store, it’s gone from your Play Store library too, even if you’ve downloaded the app using the Play Store and have it currently installed on multiple devices. If you want to install it on a new device, your only recourse is to find the apk in a website like APKMirror or APK Pure and sideload it.
Also, Google will delist an app without the developer’s permission if it targets a “too old” version of Android.
As a developer, the only way to make sure your app doesn’t get removed from your users’ Play Store libraries is to charge a nominal amount ($0.01 or whatever the minimum Play Store allows) since paid-for apps remain in users’ libraries even after they get delisted from the Play Store.
Those idiots keep breaking everything every now and then. I can’t think of a single google product that I used and enjoyed. Well, maybe youtube during its early days, right after incompetent ducks from google took it and started breaking. Currently youtube is unusable in its original state, and if you use frontend, those idiots will come out of themselves to break this as well. Man, I hate google. I’ve found permanent workaround for their YT blocking bullshit, for obvious reasons I cannot share it, but we need alternative platforms for what google offers. I self host everything I use for many years now, YT is the last thing I have a remote contact with still.