This comment is very uninformed and misleading.

> Having an approved channel for verified app loading is a valuable security tool and greatly reduces the number of malicious apps installed on users' devices

These are claims that Apple and Google make to justify their distribution monopolies, and you are repeating them as fact. I don't think it's true, and cite as evidence both major app stores and the massive amount of malware in them.

Don't parrot anti-competitive lies from monopolists.

> Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has an install at your own risk warning whenever you install something outside of the official app store.

Google already does this. They've always done this, and it has always been a bad thing because it disadvantages app stores that try to compete with Google Play. Imagine you want to sell an app, and your marketing materials need to include instructions on how to enable "side loading" and tell people to ignore the multiple scary popups warning about vague security risks and malware.

> because they take a vig on all transactions done through those apps

This has already been litigated and federal judges ruled that they must allow devs to use third-party payment processors. Look up the Epic Games cases against Apple and Google.

> In a normal market there would be no incentive to side load because...

This is nonsense. "Sideload" just means to install something outside the Play store. In a normal market, there would be every incentive to do so, as consumers would be able to choose from multiple app stores. Users don't care where an app comes from, as long as they can figure out how to get it.

I find your comment more uninformed and misleading; the parent is actually fine.

Having a curated channel for app loading is indeed a valuable security tool. It does exist in Linux distributions as well. It does not mean that it has to be the only channel.

And it does make total sense, IMHO, to warn the users when they install something through an "unknown" channel. The first time you install an alternative store, it should tell you "you'd better be damn sure that this thing is not malicious because it will install all your apps".

Which brings me to a few points:

1. I don't really see a problem with the Google Play Store being installed by default on Google-certified phones, just like I don't have a problem with the GrapheneOS store being installed by default on GrapheneOS. But the Play Store should allow me to install alternative stores (like F-Droid), just like the GrapheneOS store allows me to install... the Play Store.

2. I should be able to install an alternative OS on my phone and relock the bootloader. Which actually the Google Pixels allow (one of the reasons why GrapheneOS runs on the Pixels). I don't see a problem in allowing Google-certified Android, it's just that Google should not be allowed (by law) to prevent me from running GrapheneOS.

3. Manufacturers should be forced by law to make it easier to some extent for alternative OSes, e.g. by opening the device tree and stuff. If they don't, they should prove that they have a good reason not to. Other than "hmm I don't know, but to be safe I will just keep it all proprietary".

> both major app stores and the massive amount of malware in them

This is true, but it's also not the main vector of attack. The primary threat is that the user is intending to download $WELL_KNOWN_APP and instead downloads a compromised binary from a malicious third party and is instantly compromised. The app stores make the probability of this essentially zero.

Question: if the OS does proper app sandboxing how is this basically any different from having unrestricted access to a web browser or email?

Oh no granny tapped a bad Google ad and got phished! I guess we should kill the open web and use the officially sanctioned “web store” from now on (where you have to apply, pay a fee, and of course a % commission to host a website). It’s much safer for us!

It is not funny, but this already happens. ID verification mandated in some countries already takes care of that under the guise of child protection.