Android Developer Verification: Are we screwed? (no, doesn't apply to GOS)

Eudyptula

ButtholeBlackhole You make the assumption that it'll stop there. You make the assumption that it won't lead to projects being discontinued. You also make that the user base on other Android distros doesn't affect the grand scheme of things. GrapheneOS won't carry the weight of the open software eco system and all the small-time hobby developers on their shoulders. You're also making the assumption that Google will either provide enough open source code to make bypassing this trivial. Or that it in the future won't become harder and harder.

And again, users outside GrapheneOS matters too. ;)

I think we should worry when we still have the chance to do something about it, rather than not worrying and then become truly screwed with no way back. If we just sit and look, who knows how our devices and our software will look in the future. It's always better to act as soon as possible with these things, rather than just waiting it out because "right now it seems like we'll be sort of fine in the temporary short-term".

Btw., didn't there use to be emojis on this forum? :hmm:

ButtholeBlackhole

Eudyptula Technically you'll still be able to install unverified APKs with this new system via ADB. The check isn't enforced with ADB installs. You can even bypass it on device with something like Shizuku. So there is still a door for unverified 3rd party apps on stock Android. People who sideload on iOS put up with a lot more than this. So I wouldn't count this out.

I would suggest trying to convert as many people as possible to a custom ROM. Granted your mom isn't going to do that but it's doable for power users. Even Lineage is worth using over stock now for non-Pixel owners. There's a lot of Android users nowadays. I'm sure we could at least double the numbers from XDA's heyday.

23Sha-ger

Eudyptula
You are the one making assumptions that developers are going to abandon FOSS apps if they are not easily side-loadable on certified devices, or at least with the same ease as before.
This is largely not true, because the user-base that cares for FOSS apps in the first place, is less likely to run "closed down" stock Android ROMs.
In addition as others already said, there will be an opt out for it. Like signed browser extensions in Chrome as example.

Eudyptula

ButtholeBlackhole Technically, I could fork operating systems too. Technically, one can do a lot of things. I know there are technical alternative paths, at least in the short-term. But that's not the point here.

The point is that we don't want to have to go through ADB to install the apps of our choice. We don't want that to be a necessity for certain users. :) Do you?

Regarding your suggestion:

I've already converted 6 people to GrapheneOS (2 people on the fence).
7 people to Pixel phones (3 people on the fence).
As for Linux, I converted 5 people to Fedora KDE Plasma (3 are on the fence, not the same people from the other fences).

I installed Linux on my mom's and my sister's laptop (second-hand ThinkPads). Now I almost never have to be tech support anymore because it just works and is easy and intuitive to use. I expect the same thing with GrapheneOS (I'll have to help with setup) when my mom finally agrees her phone with 4 years outdated security patches needs to be retired. There are ads in the OEM Android system menus for Christ's sake, but she says the phone still works... -_- It's nightmare fuel.
My mom is absolutely the worst when it comes to tech. She's way worse than my slightly demented grandmother. It's for this exact reason I want her over to GrapheneOS so I don't have to fix all the problems with Xiaomi's dumpster fire of an OEM distro and the system isn't bloated with all sorts of confusing mazes of menus everywhere.

(I agree with your suggestion, but you're preaching to the choir here, friend. ;) )

Eudyptula

23Sha-ger There are developers who have stated this themselves, so no. :) Not an assumption.

But it doesn't matter really, because we know there will be implications from this. You you know how it went with ReVanced. Did you know Google has been found to supressed search results for competitors? We may be safe with our set of configuration, but for how long? And how much does it damage user numbers and donation numbers? Potential bug reports, new developers, hobby tinkering etc. Plus the entire idea that you should be able to just install what you want. I don't want Android to become another iOS.

Anyway, I'm simply expressing concern for the likelihood of it having a damaging effect (without specifying to what degree).

While I do agree that such users we descibe are less likely to run locked down "stock" Android distros, I don't agree with it being unlikely or uncommon. There are many people who (for some reason beyond me) prefer phones like OnePlus, Samsung etc. but still use open source apps from non-Play Store repos and are running all "stock" OS.

And do we not care that it becomes more restrictive to use non-Play Store apps and services for everyone else? I sure do. I also care about where it could go from there in the future. People are already conditioned to the notion that apps installed outside of an official commercial store by a huge mega corporation is called "side loading" and is not the way it was meant to be. That's not a good thing. Again, can we stop calling it side loading?

May I just remind you that we are on the same team here? :) It's strange to me how some people seem to argue against the notion that this is 1) not a good thing that WILL have implications and also consequences for privacy and 2) possibly and likely a bad development which may be a stepping stone to something worse.

schweizer

I do have some understanding that Google (and many users) want app developers to be identified. We live in a world with many hostile actors so installing an app from an anonymous individual or company that you don't know is not a smart thing to do.

I am not that pessimistic. Important actors have started to understand that there must be a way to install apps without PlayStore. I am talking about governments and semi-state entities. Because Google is US controlled and US is controlled by a single person at least some people understand that it is inacceptable to give a foreign individual control who is allowed to use or issue i.e. a voting app.

The real problem is that the majority of users does not care about what is happening with their data and money.

n3t_admin

schweizer I am not that pessimistic. Important actors have started to understand that there must be a way to install apps without PlayStore. I am talking about governments and semi-state entities. Because Google is US controlled and US is controlled by a single person at least some people understand that it is inacceptable to give a foreign individual control who is allowed to use or issue i.e. a voting app.

Quite the opposite, actually. State actors have legislated a minimum baseline that Google can now follow.
This is from the EU's DMA:

The gatekeeper shall not be prevented from taking, to the extent that they are strictly necessary and proportionate, measures to ensure that third-party software applications or software application stores do not endanger the integrity of the hardware or operating system provided by the gatekeeper, provided that such measures are duly justified by the gatekeeper.

Furthermore, the gatekeeper shall not be prevented from applying, to the extent that they are strictly necessary and proportionate, measures and settings other than default settings, enabling end users to effectively protect security in relation to third-party software applications or software application stores, provided that such measures and settings other than default settings are duly justified by the gatekeeper.

As you can see, the EU granted these powers by themselves; with the only restriction being that those measures need to be "justified" - and that's a term up for debate. The DMA is not only beneficial. It sets a dangerous precedent for what companies may and may not do. There is also no doubt in my mind that the DMA was heavily influenced by Apple lobbyists, especially regarding this part I quoted.

Eudyptula

schweizer Sure, I have some understanding for that too. But one could say the same thing about other privacy topics. There are sometimes benefits to mandate identification and it can sometimes increase security. But I think you understand the implications here and why we don't want it enforced like this. Especially not by a mega corporation like Google with multiple monopoly products and services who makes money off of people's data. Plus, GrapheneOS and alternative repos are a conflict of interest for Google's business model.

There are other ways to go about this. Flathub, for instance, will classify apps as safe if they are verified and the developers are known to be the official ones. It will classify them as "potentially unsafe" (orange scary box) if not. There are negatives to this too, as many users will simply assume it's less safe and use a green box app instead beause it feels safer.

We always lived in a world with many hostile actors. And there are more ways than identifying the publisher or developers to determine whether what you install is safe.
I say: Make it optional, mark unverified devs with a scary orange box instead.

I'll ask you this: We know the identity of Facebook/Meta, Google, Samsung, Tencent, Microsoft etc. Do you prefer their apps and services? Do they make you feel safe?
There's a lot of software, services and products with identifiable devs and owners which pave an unsafe path for the user, sometimes not even being on the wrong side of the law.

So. Are you safe? E.g. from Facebook exploiting vulnerabilities in Android to conduct illegal data mining and user tracking? Or these companies illegally selling your data illegally? Employeers browings people's personal data? Or doing social experiments on users? These are some examples of things that actually happened. They are things we know. What do we not know?

I for one feel a lot safer using the many open and privacy respecting softwares and services. Play Store apps are also riddled with malware, trackers and shady actors (some of which are identifiable). We don't need mandated Developer Verification.

schweizer

n3t_admin What you say is not a contradiction to what I say. You will always find bad examples. It is not a secret that the EU is making bad regulation.

Byku

Eudyptula Changes to official Android will trickle down.

I'm not a law person but as long as they use the Linux kernel don't they need to keep Android open-source? They may let AOSP stagnate and keep adding new goodies only to their proprietary software like GPS or GMS.

Viewpoint0232

Byku I'm not a law person but as long as they use the Linux kernel don't they need to keep Android open-source?

No, unless they merge all their code with the Linux kernel. They can have an open source Linux kernel (with whatever changes are needed for Linux) and then build everything around it with a proprietary license.

It's a similar situation with Konqueror browser (GPL license) from which Safari and Chrome, both proprietary, were forked. Apple and Google are forced to have some parts still licensed under GPL but not the whole product.

Byku

Viewpoint0232 Oh, that sucks. Interresting info about Safari and Chrome though. I had no idea they were forks. Guess it figures that those corpo parasites would be unable to create anything without leeching off someone else's work.

Eudyptula

Byku I had no idea they were forks

Oh man, you have no idea. The world is built on open source software. Everything would crumble to the ground without it. In every product or software there's a place where open source licenced software bits are listed. You'll always see a long list. And when you go digging on where software, standards and protocols come from, you'll very commonly see open source origins or components being used as building blocks.

I'm not necessarily opposed to companies leveraging open source software, it's supposed to be open. The problem is when the open source projects are being killed and the proprietary garbage takes over, or when large and rich corporations happily use open source software which sometimes passionate people maintain for free on their free time. And then proceed to spend money suing other companies for infringement or pushing their customers in a corner and bullying them with illegal NDAs or refusing to take responsibility or respecting user's personal data or things like the environment and local health of people. That's leaching. When they don't appreciate or give back or contribute to it. Instead, large corporations often take (sometimes not even complying with the licensing terms), then act entitled to their own rights and needs.

Fun fact: Unix-like operating systems (like Linux) are, with a ridiculously huge margin, the most used operating systems in the world. Near 100 % marketshare in servers and supercomputers, as well as in car infotainment systems. Game consoles, embedded devices, things like coffee machines or machinery. Network devices. A lot of companies and people actually use Linux on their PCs, although Windows dominate the PC marketshare. Open source is truly a gift to the world and a source of optimism.

ButtholeBlackhole

Eudyptula

We don't want that to be a necessity for certain users. :) Do you?

Why do you guys try to gotcha people constantly and put words in their mouth? I have no idea what Google may or may not do in the future. I'm talking about and coming up with solutions for what they're currently doing right now. There's no point in doom posting about what they might do in the future because there's no end to it. Hell, maybe they'll drop Android entirely and move to a completely closed source Fuchsia based OS. Who knows? It's not worth arguing about.

Fay_Wilmont

@Eudyptula

Firstly, Google's recent announcement doesn't apply to GrapheneOS and other uncertified Android distributions.

Secondly, from Google's perspective, it's the right thing to do. The majority of smartphone users are tech illiterate and it's Google responsibility to provide them with an OS that protects them against cybercriminals. They have been improving Android security a lot over the years, and this is just the next logical step.

Thirdly, there's a lot of speculation in reaction to a few things that recently happened in the Android space (unlockable bootloaders on Samsung devices, no more Pixel device trees, developer verification). People speculate about companies' intentions and about what they will do in the future, and present these speculations as if they were facts. People jump to conclusions too quickly, not hindred by a lack of knowledge or facts. It's like they are on an emotional rollercoaster ride. It seems to me you are one of those people.

Doesn't mean you're not right to be worried about the general direction the world is heading in with regards to technology and control. But as you said:

Open source is truly a gift to the world and a source of optimism.

We'll live.

« Previous Page