Discussion Highlights (20 comments)
mzajc
tl;dr:
- You need to enable developer mode
- You need to click through a few scare dialogs
- You need to wait 24h once

I wonder how long this will last before they lock it down further. There was a lot of pushback this time around and they still ended up increasing the temperature of the metaphorical boiling frog. It still seems like they're pushing towards the Apple model where those who don't want to self-dox and/or pay get a very limited key (what Google currently calls "limited distribution accounts").
tadfisher
Honestly, if coerced sideloading is a real attack vector, then this seems to be a pretty fair compromise. I just remain skeptical that this tactic is successful on modern Android, with all the settings and scare screens you need to go through in order to sideload an app and grant dangerous permissions. I expect scammers will move to pre-packaged software with a bundled ADB client for Windows/Mac, then the flow is "enable developer options" -> "enable usb debugging" -> "install malware and grant permissions with one click over ADB". People with laptops are more lucrative targets anyway.
focusedone
I'm generally OK with this, but the 24 hour hang time does seem a bit onerous. Most of the apps on my phone are installed from F-Droid. I guess the next time I get a new phone I'll have to wait at least 24 hours for it to become useful. I'm seriously considering Graphene for a next personal device and whatever the cheapest iOS device is for work.
janice1999
The forced ID for developers outside the Play store is already killing open source projects you could get on F-Droid. The EU really needs to identify this platform gatekeeping as a threat. As an EU citizen I should not be forced to give government ID to a US company, which can blacklist me without recourse, in order to share apps with other EU citizens on devices we own.
2OEH8eoCRo0
Seems like a very reasonable compromise. What's the catch?
9cb14c1ec0
It's getting harder and harder to be an Android enthusiast. Especially given the hypocrisy of Google Play containing an awful lot of malware.
omnifischer
Those working in Google (AOSP) that write this code should be ashamed of themselves. Eventually they are doing a bad thing for the society.
astra1701
This is going to hurt legitimate sideloading way more than actually necessary to reduce scams:
- Must enable developer mode -- some apps (e.g., banking apps) will refuse to operate and such when developer mode is on, and so if you depend on such apps, I guess you just can't sideload?
- One-day (day!!!) waiting period to activate (one-time) -- the vast majority of people who need to sideload something will probably not be willing to wait a day, and will thus just not sideload unless they really have no choice for what they need. This kills the pathway for new users to sideload apps that have similar functionality to those on the Play Store.

The rest -- restarting, confirming you aren't being coached, and per-install warnings -- would be just as effective alone to "protect users," but with those prior two points, it's clear that this is just simply intended to make sideloading so inconvenient that many won't bother or can't (dev mode req.).
teroshan
That's a lot of words to explain how to install things on the device I supposedly own. Wondering how long the blogpost would be if it explained what the flow for corpoloading applications approved by Google's shareholders would be?
cobbal
Can you set your clock forward or does this also require phoning home to a central server to install an app on your computer?
hypeatei
I'll say it again: this isn't a problem for Android to solve. Scammers will naturally adapt their "processes" to account for this 24-hour requirement and IMO it might make it seem more legitimate to the victim because there's less urgency. The onus of protecting people's wealth should fall on the bank / institution who manages that person's wealth. Nevertheless, this solution is better than ID verification for devs.
silver_sun
It's a little inconvenient for someone setting up a new phone to have to wait a full day to install unregistered apps. But while I can't speak for others, it's a price I'm personally willing to pay to make the types of scams they mention much less effective. The perfect is the enemy of the good.
branon
This 24-hour wait time nonsense is a humiliation ritual designed to invalidate any expectation of Android being an open platform. The messaging is very clear and the writing's on the wall now, there's nowhere to go from here but down.
module1973
Am I going to have to wait 24hrs to have Google's malware and spyware forceloaded onto my phone, or is this a different category of malware?
xnx
This is eminently reasonable. Now if only Android would allow for stronger sandboxing of apps (i.e. lie to them about any and all system settings).
occz
The 24 hour wait period is the largest of the annoyances in this list, but given that adb installs still work, I think this is a list of things I can ultimately live with.
summermusic
24 hour mandatory wait time to side load!? All apps I want to use on my phone are not in the Play Store. So I buy a new phone (or wipe a used phone) and then I can’t even use it for 24 hours?
aboringusername
It's not like the Google Play store hasn't been known to host malicious apps, yet you are not required to wait 24 hours before you install apps from their store. I suspect they are hoping users just give up and go to the Play Store instead. Google touts about "Play Protect" which scans all apps on the device, even those from unknown sources so these measures can barely be justified. Imagine if Microsoft said you need to wait 24 hours before installing a program not from their store, which is against the entire premise of Windows. Computing, I once believed, was based on an open idea that people made software and you could install it freely, yes there are bad actors, but that's why we had antivirus and other protection methods, now we're inch by inch losing those freedoms. iOS wants you to enter your date of birth now. The future feels very uncertain, but we need to protect the little freedoms we have left, once they're gone, they're gone for good.
dang
Is there an accurate, neutral third party link about this that we can make the primary link instead? https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor... ? Edit: I've put one up there now - if there's a better article, let us know and we can change it again. I put the submitted URL in the toptext.
wolvoleo
Do you need a Google account to opt out of the restriction? It says something about authenticating. I don't have a Google account on my Androids. But I can't remove Play services on them, sadly. As an intermediate protection I just don't sign in to Google Play, that gives them at least a bit less identifying information to play with. I hope this can be done without a Google account.