I think this misses the forest for the trees here. The platforms' behavior here is a symptom and not the core problem. I think the following are pretty clearly correct:

1. It's your damn phone and you should be able to install whatever the hell you want on it

2. Having an approved channel for verified app loading is a valuable security tool and greatly reduces the number of malicious apps installed on users' devices

Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has an "install at your own risk" warning whenever you install something outside of the official app store. 99.9% of users would never see the warning either because almost all developers would register their apps through the official store.

But there is a reason why Apple/Google won't do that, and it's because they take a vig on all transactions done through those apps (a step so bold for an OS that even MSFT never even dared try in its worst Windows monopoly days). In a normal market there would be no incentive to side load because legitimate app owners would have no incentive not to have users load apps outside of the secure channel of the official app store, and users would have no incentive to go outside of it. But with the platforms taxing everything inside the app, now every developer has every incentive to say "sideload the unofficial version and get 10% off everything in the app". So the platforms have to make it nearly impossible to keep everything in their controlled channel. Solve the platform tax, solve the side loading issue.

> 2. Having an approved channel for verified app loading is a valuable security tool and greatly reduces the number of malicious apps installed on users' devices

I would instead say that having a trustworthy channel for verified app loading is a valuable security tool. F-Droid is such a channel; the Google Play Store is not. So Google is trying to take this valuable security tool away from users.

Sure, but you'd probably also agree it should be up to the device owner (end user) which parties are to be considered 'trusted'.

Yes, I think the end user is in a better position than Google to decide who to trust. Some end users will make bad decisions, but Google's interests are systematically misaligned with theirs.

Not really. Google has maybe the best security researchers in the world, most end users have no idea, Hacker News is not representative of the general population.

I am not saying it justifies locking down devices, but that's the kind of situation where I think a bit of friction is a good thing. For example having to connect your phone to a computer and run some command line tool (like for unlocking a bootloader). You still have your freedom, but it is also something you are less likely to do by accident. In the sideloading situation, it looks like you could make yourself a developer account and repack apps under your own identity, which is one of these high friction workarounds.

For F-Droid specifically, maybe they should negotiate with Google before going on the offensive. Maybe they did and it didn't work, but I think a good compromise would be to let F-Droid have a key to sign the apps they compile, making F-Droid accountable for the apps they distribute.

And by the way, Firefox is in a similar situation for extensions. Over the years, they made it really hard to install anything from outside the official Mozilla repository, citing security concerns. It is not just Google.

Yes, Google has much greater competency. But when their interests run counter to their users' interests, as in the particular case we're talking about where they are nuking F-Droid from orbit, thus depriving users of access to NewPipe and other apps that don't try to rip users off, that higher competency is a disadvantage, not an advantage.

Neither incentive alignment nor competency is sufficient without the other.

Even if you allow package distribution whitelists, and even if we allow Google, by virtue of essentially owning/steering Android to, by default, be on the whitelist in their distributions...

At some point you need to just let the user say "I'm OK with being accountable for the installation" and get out of the way.

"Trustworthy" requires a qualifier of "for what" and I do trust Google to not intentionally install malware on my device and to take reasonable steps to prevent other people from doing it. I will admit that I don't know the details of how the app stores work, but they are at least checking the hashes of the binaries right? The probability of trying to install Instagram from Meta, but actually installing Instapwned from some malicious third party is zero when you go through the app store, right?

I assume that's correct, for your very narrow definition of malware and a nonzero definition of zero, and it's a good point that trustworthiness is context-dependent. As Alan Karp used to say, "I trust my relatives with my kids but not my money. I trust my bank with my money but not my kids."

Yes, but app stores like F-Droid, if you trust them, provide an even stronger security statement: they guarantee that you can check out the full source code of the app you are running.

This is what has made Linux distributions the go-to for a secure OS to run on your server: even if malware or a bug leaks in, you have a full security trail about when and how that happened right in the open.

Wrong, plenty of crap makes it into the store, that is true for both Android and iOS. And the advertisement in the Android store is designed specifically to try to trick you into installing a different but similar app to the one you wanted.

I'm unclear on why F-Droid is any safer than the Play Store and not possibly worse since using it tells potential malware purveyors that you're into sideloading in the first place.

Because F-Droid inspects the source code of the applications they build, removes malware and other antifeatures from them, and compiles them from source to ensure that the binaries they deliver correspond to the source code they've inspected. The Google Play Store doesn't do any of those things. Consequently it's full of malware.
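The two security claims in this thread (the earlier question of whether a store "at least checks the hashes of the binaries", and the reply above that F-Droid builds from source so that the shipped binary corresponds to the inspected code) both reduce to one mechanism: a signed index of expected digests, plus a byte-for-byte rebuild check. The Python below is an added illustration written for this thread, not code from any commenter, F-Droid, or Google. All keys, package ids, and "APK" bytes are constructed demo values, and an HMAC stands in for the repository's asymmetric index signature so the example runs with the standard library only.

```python
import hashlib
import hmac
import json

# Constructed demo values (not real keys, packages or hashes).
# The HMAC key stands in for the repository's signing key; a real store signs
# its index with an asymmetric key and ships only the public half to clients.
REPO_KEY = b"constructed-demo-repository-signing-key"
APP_GENUINE = b"constructed APK bytes for com.example.photos 1.0"
APP_TAMPERED = APP_GENUINE + b" with an injected payload"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_index(index: dict, key: bytes) -> dict:
    """Bind the whole index (package id -> expected digest) to the repo key."""
    payload = json.dumps(index, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"index": index, "signature": tag}


def verify_index(signed: dict, key: bytes) -> dict:
    """Reject an index whose signature does not match the trusted repo key."""
    payload = json.dumps(signed["index"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["signature"]):
        raise ValueError("index signature invalid")
    return signed["index"]


# The repository publishes one entry per package; trust in the store is
# really trust in whoever holds REPO_KEY and decides what goes in here.
SIGNED_INDEX = sign_index(
    {"com.example.photos": {"version": "1.0", "sha256": sha256_hex(APP_GENUINE)}},
    REPO_KEY,
)


def verify_download(signed_index: dict, key: bytes, package_id: str, data: bytes):
    """Return (ok, reason). Accept only bytes listed in an authentic index."""
    try:
        index = verify_index(signed_index, key)
    except ValueError:
        return False, "index signature invalid"
    entry = index.get(package_id)
    if entry is None:
        return False, "not in trusted index"
    if not hmac.compare_digest(entry["sha256"], sha256_hex(data)):
        return False, "digest mismatch"
    return True, "ok"


def forged_index() -> dict:
    """An index edited after signing: the digest is swapped for the tampered build."""
    forged = json.loads(json.dumps(SIGNED_INDEX))  # deep copy
    forged["index"]["com.example.photos"]["sha256"] = sha256_hex(APP_TAMPERED)
    return forged


def reproducible_build_matches(published: bytes, rebuilt: bytes) -> bool:
    """Reproducible-build check: an independent rebuild from the inspected
    source must be byte-identical to the binary the store distributes."""
    return hmac.compare_digest(sha256_hex(published), sha256_hex(rebuilt))


if __name__ == "__main__":
    print(verify_download(SIGNED_INDEX, REPO_KEY, "com.example.photos", APP_GENUINE))
    print(verify_download(SIGNED_INDEX, REPO_KEY, "com.example.photos", APP_TAMPERED))
    print(verify_download(forged_index(), REPO_KEY, "com.example.photos", APP_TAMPERED))
    print(reproducible_build_matches(APP_GENUINE, APP_TAMPERED))
```

The digest check answers the "Instagram vs. Instapwned" worry only for packages the repository itself listed; a substituted binary or an index edited in transit fails closed. What the digest cannot tell you is whether the listed build is honest, which is the gap the rebuild-from-source check is meant to close, and why the thread keeps returning to who holds the key.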

F-Droid provides curated applications vetted by parties that *the user* chooses to trust.

By default, F-Droid provides only the applications that they themselves have verified and built from source. They also allow the user to add other sources from other parties who the user trusts (e.g. GuardianProject, IzzyOnDroid, and others[0]).

Google provides any application uploaded by any anonymous third-party who signs up as a developer (and in future, provides the required ID).

[0] https://forum.f-droid.org/t/known-repositories/721

Not to be an asshole, but you must not be very familiar with F-Droid.

It’s not just a random hodgepodge of “third party” binaries. It’s all FOSS software that was actually built from source and verified.

Probably much safer than a random app on the Play Store.

If I had to install a random app from the Play Store or from F-Droid, I would pick F-Droid every time. The level of vetting they apply is miles ahead of Google.

> Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has an "install at your own risk" warning whenever you install something outside of the official app store.

It is an obvious solution, and it's a good first solution. This popup already exists.

A problem in security engineering is that when people are motivated (which is easy to achieve), they will just click through warnings. That is why, for example, browsers are increasingly aggressive about SSL warnings and why modifying some of the Mac security controls makes you jump through so many hoops.

The usual take on HN is to take the attitude that the developer is absolved of responsibility since they provided a warning to the user. That's not helpful. Users are inundated with stupid warnings and aren't really equipped to deal with a technical message that's in between them and their current desire. They want to click the monkey or install the browser toolbar. The attitude that it's not my problem because I provided a warning they didn't understand doesn't restore the money that was stolen from them by malware.

A significant change that Google implemented (announced?) for Android recently was not allowing you to install software or allow "unknown sources" while on a phone call.

I think that's going to have a far more significant impact on people installing malware than developer attestation.

I guess this is a difference in philosophy then, but I think that the goal of security engineering should be to protect users from malicious actors, not to protect them from their own bad choices. If I give you a safety feature, and you turn it off, that's not my problem. There is a special level of hatred that I have reserved only for the busybodies who limit my choices and justify it as protecting me.

That said, your point about messaging is really good, and so many times I see security warnings I roll my eyes at how badly the message is written.

I agree that our choices should not be limited to protect us.

However, we need a better solution than pop-up warnings. I guarantee that you have clicked through a pop-up warning that was standing between you and the thing that you wanted to do (as have I, and everyone else who has used a computer for more than a day). We very quickly learn that most warnings aren't going to affect us, and that they're just saying "are you sure" to things that we're already sure of.

We've all selected a file, hit the delete key, got the pop-up saying "are you sure you want to delete wrong_file.txt", hit "yes" (because we always have to hit yes after hitting delete), then looked at the outcome and thought "oh, that was the wrong file" too late...

Which is why the default is often "move to trash" these days, or includes an undo option for a bit instead of a confirmation dialog.

But some actions are pretty hard to undo (eg installing malware), so the issue in general stands.


> it seems like a pretty obvious solution is to just have a pop up that has an "install at your own risk" warning whenever you install something outside of the official app store

That's close enough to how Android already works. Google wants to additionally prohibit installation of apps unless they're signed by a developer registered with (and presumably bannable by) Google.

> Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has an "install at your own risk" warning whenever you install something outside of the official app store.

Android already does this. It's the thing that's going away.

> In a normal market there would be no incentive to side load because legitimate app owners would have no incentive not to have users load apps outside of the secure channel of the official app store, and users would have no incentive to go outside of it.

> Solve the platform tax, solve the side loading issue.

I think maybe for a large part of legitimate app owners there would be no incentive, but there are other reasons/incentives for legitimate app owners to go outside the official app store even in the case of no tax, a few that pop to mind are:

- open source devs might have the preference to publish their app on a community-led store.

- users trying to keep an old phone functioning using an unofficial custom Android, with no support for the store.

- developers creating apps for themselves and their friends not needing to publish the app publicly.

- companies creating apps just for work phones wanting to keep them private outside of any store.

- a company providing a "build-your-app-with-AI" service preferring to just provide a final APK file.

I think it's important to remember that there are loads of other reasons outside the financial one to keep the ability to install what you want on your phone. If Google dropped any tax they put on their store now, the problem with these new changes would still be there.

(edits: formatting issues)

I don't trust the Google Play Store.

"I don't trust the Google Play Store."

then you trust who??? Apple app stores?

No. I don't. False dichotomy.

Too bad. Pay up and ask big daddy google for permission if you want to use your device. /s

This comment is very uninformed and misleading.

> Having an approved channel for verified app loading is a valuable security tool and greatly reduces the number of malicious apps installed on users' devices

These are claims that Apple and Google make to justify their distribution monopolies, and you are repeating them as fact. I don't think it's true, and cite as evidence both major app stores and the massive amount of malware in them.

Don't parrot anti-competitive lies from monopolists.

> Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has an "install at your own risk" warning whenever you install something outside of the official app store.

Google already does this. They've always done this, and it has always been a bad thing because it disadvantages app stores that try to compete with Google Play. Imagine you want to sell an app, and your marketing materials need to include instructions on how to enable "side loading" and tell people to ignore the multiple scary popups warning about vague security risks and malware.

> because they take a vig on all transactions done through those apps

This has already been litigated and federal judges ruled that they must allow devs to use third party payment processors. Look up the Epic Games cases against Apple and Google.

> In a normal market there would be no incentive to side load because...

This is nonsense. "sideload" just means to install something outside the Play store. In a normal market, there would be every incentive to do so, as consumers would be able to choose from multiple app stores. Users don't care where an app comes from, as long as they can figure out how to get it.

I find your comment more uninformed and misleading; the parent is actually fine.

Having a curated channel for app loading is indeed a valuable security tool. It does exist in Linux distributions as well. It does not mean that it has to be the only channel.

And it does make total sense, IMHO, to warn the users when they install something through an "unknown" channel. The first time you install an alternative store, it should tell you "you'd better be damn sure that this thing is not malicious because it will install all your apps".

Which brings me to a few points:

1. I don't really see a problem with the Google Play Store being installed by default on Google-certified phones, just like I don't have a problem with the GrapheneOS store being installed by default on GrapheneOS. But the Play Store should allow me to install alternative stores (like F-Droid), just like the GrapheneOS store allows me to install... the Play Store.

2. I should be able to install an alternative OS on my phone and relock the bootloader. Which actually the Google Pixels allow (one of the reasons why GrapheneOS runs on the Pixels). I don't see a problem in allowing Google-certified Android, it's just that Google should not be allowed (by law) to prevent me from running GrapheneOS.

3. Manufacturers should be forced by law to make it easier to some extent for alternative OSes, e.g. by opening the device tree and stuff. If they don't, they should prove that they have a good reason not to. Other than "hmm I don't know, but to be safe I will just keep it all proprietary".

> both major app stores and the massive amount of malware in them

This is true, but it's also not the main vector of attack. The primary threat is that the user is intending to download $WELL_KNOWN_APP and instead downloads a compromised binary from a malicious third party and is instantly compromised. The app stores make the probability of this essentially zero.

Question: if the OS does proper app sandboxing how is this basically any different from having unrestricted access to a web browser or email?

Oh no granny tapped a bad Google ad and got phished! I guess we should kill the open web and use the officially sanctioned “web store” from now on (where you have to apply, pay a fee, and of course a % commission to host a website). It’s much safer for us!

It is not funny, but this already happens. ID verification mandated in some countries already takes care of that under the guise of child protection.

> So the platforms have to make it nearly impossible to keep everything in their controlled channel.

I don't understand what you're saying. Are you saying Google is making it harder to develop an app for sideloading than to develop an app for the Play Store? I don't see how that's the case. AFAICT, the new "sideloading" requirements aren't more restrictive than the Play Store requirements.

Disclosure: I work at Google, but not on Android.

Exactly what they do on Macs

> a step so bold for an OS that even MSFT never even dared try in its worst Windows monopoly days

I don't think it's like "MSFT didn't dare to try", but rather "MSFT was too stupid to come up with the idea". They didn't have the ability to manage it either (and to this day their Windows Store app still sucks with tons of bugs). Not to mention that Windows was already wide open, never with a restriction "you can only install these approved apps" to begin with.

Basically, not that Microsoft didn't do it, but it couldn't.

Also can you imagine trying to download software over the Internet in the 90s? They couldn't depend on their users having high speed connections because most didn't. App stores probably couldn't work before 2000.