I fucking hate that word. It’s not ‘sideloading’ to install on my own device what I want to install, to use the apps I want to use; to not use the apps I don’t want to use. I am not ‘sideloading’ anything when I install programs on my PC. No different on my phone.
Fuck off with all these new bullshit terms that are only used to imply that what we’re doing (with our own devices) is somehow outside the norm, to justify the constant enshittifcation and the growing stranglehold these corporations want on our lives. It’s infuriating.
Perfect time for the Chinese to setup a shell company in Mexico that sells smartphones & devices with AOSP-android-based OS to the US. It’ll sell like hot cakes.
Weird that they want to do all the verification themselves and not just allow certificate signing using verified CAs. Oh well it’s not weird because we all know Google does this to fight back against third party stores and to get developers back to their shitty one and of course to better track them.
I’m guessing what you’re suggesting is that Google’s proposal is the same as requiring all packages be signed and accompanied by an Extended Validation or Oragnisation Validation X.509 certificate.
While that would technically work, the problem with using the existing PKI is that it’s still very expensive to get EV/OV certificates. And the most common of these certs (those for TLS purposes) will soon only last 47 days which is, to put it mildly, would be a pain in the ass to use for package-signing.
My project uses a free one from SignPath. They offer this for opensource projects and require a verifiable GitHub build process. It’s not EV certs but it’s good enough and free.
This framing still sucks. Google is blocking apps THEY don’t approve on YOUR phone.
Agreed. But one climb down means potentially more, as needed. 🤞🏻
Only if the protests continue with full force.
The company says it is now developing an “advanced flow that allows experienced users to accept the risks of installing software that isn’t verified.” This installation flow will include safeguards to protect people who are being coerced into installing a dangerous app, or tricked by a scammer, along with “clear warnings to ensure users fully understand the risks involved.”
IIRC we already had to enable a setting and confirm a warning popup. What are they gonna do? Add more popups? A captcha-“puzzle”? Less easy to accept dialogs?
They won’t kill side loading (the fact we even call it side loading instead of simply installing software is a problem). They’ll just shoot it in the knees a little. No big deal.
They already don’t let you use Google pay if you don’t give them control of your phone. This is just tightening the noose a little bit.
People shouldn’t use google pay in the first place. All of these things being tied together by the same group is a problem in and of itself.
Push 3 degrees harder, relent 2 when there’s resistance.
Meaning, 3 steps ahead for them if there’s no resistance. 1 step ahead if there is.
Wait some time, repeat.
That is more the fault/worry of the financial sector and not G. The fact that they gave up this amount of leeway is shocking. Their risk tolerance is very low and giving G the ability to manage virtual cards and allow payments with them is huge in itself.
Even Privacy, which does part of the same thing/idea, still only works for some cards, doesn’t work at all for credit cards (last time I checked), and has been in the sector for a similar amount of time.
G had to lock down Pay to appease the financial sector’s risk management. Anything else was DOA.
I wonder what an alternate history where Google chose not to become evil would look like.
What if they had looked at Microsoft’s Palladium proposal and thought, as pretty much everyone outside institutional IT departments did that locked devices with remote attestation was a nightmare scenario best forgotten, refused to build it, and made an effort to prevent anyone else from doing so on top of Android? Safetynet didn’t appear until 5-6 years after Android launched to the public. What if it never did? Android already had enough momentum by that point I don’t think the financial sector could refuse to be on it no matter what risk management said.
Well, I kind of know what happened in that scenario… because it did. Until Pay, there was Wallet. The original Wallet, not the current one. Wallet had a physical and virtual prepaid debit card, that you would load up and manage in the app. I used it a few times (new tech woo), and distinctively remember ordering at a McDonald’s, the clerk announced the cost, I held my Nexus 7 to the new nfc pad, they started to say ‘uhh no you have to-’ and then a success beep, and their jaw dropped. They thought it was nuts, I told them in a few years ‘this will be everywhere’.
So before Pay, there was Wallet, and it’s own little sandbox of testing if anyone would use this. A couple years later the Wallet card discontinued, and Pay took its place.
A different Wallet/Pay implementation is a possible outcome, but I’m thinking of a bigger picture where Android phones are more like PCs: no non-unlockable bootloaders, no remote attestation anywhere, barriers to root detection at the OS level, third-party ROMs encouraged.
The early days of Android were like that. I wonder if things had developed along that path, would we have a paradise for power users? A security nightmare for mainstream users? Both? Neither?
Until Pay, there was Wallet. The original Wallet, not the current one.
Classic Google.
I remember wallet only working consistently at McDonald’s.
Meanwhile the Play Store is full of scams. This isn’t about safety, it making sure they get a cut from the scam apps.
So about those linux phones…
Aaaaaaany day now… guys…?
(I have a pinephone and no, it is absolutely nowhere near ready)
My guess is that any good Linux phone experience would need greater funding from some company or foundation…(Valve please?)
That’s kind of a double edged sword though. Android got a foothold because a small scrappy unknown company in silicon valley brought them into the fold…
Cool story, goog.
I’m just going to keep waiting for a linux/foss phone so that its features and capabilities are actually predictable year to year.
But maybe I’m just too picky about what features and capabilities I want. I admit I’ve gotten used to some pretty outlandish stuff like… lemme check my notes here… “the device does the things I tell it to do.” Real galaxy-brain shit!
There is already postmarketOS if you have an old supported phone somewhere in the drawer… it has still some rough edges, but it works and gives a nice glimpse into that ecosystem.
They’re not killing sideloading, they’re just building the gallows and sharpening the axe.
The outrage doesn’t stop anything, it just makes them slow their plans and wait out the public outrage.
Fuck all of this tech bros enshittification surveillance bullshit. I’m going to Radio Shack and buy a Heath Kit! /s
Boiling the frog
Great, more hoops to jump thr… I mean… an “advanced flow”, for gaining the privilege of installing apps of your choosing
So this sucks obviously. Will this also affects apps from alternate appstores like F-Droid or only APK’s? I mean F-Droid already signs the apps, right? I’m a little confused.
My entire job depends on such an app, so this is a bit of a relief.
