alt Hacker NewsGoogle details new 24-hour process to sideload unverified Android apps
Comments
* enable developer options
* confirm that you are not tricked
* restart phone and re-authenticate
* wait one day
* confirm with biometrics that you know what you are doing
* decide if you only want unrestricted installs for 1 week or forever
* confirm that you accept the risks
* enjoy the few apps that still have developers motivated to develop for a user-base willing to put up with this
The measures seem a lot less restrictive than I expected. 24h wait time is nothing if you suppress your ego, developer options is already the first thing I enable, an open adb channel is and will be a constant choice and the one-time-forever option a neat convenience. They could kill user experience for all but it's more a friction and not a restriction.
Reminder that when you use terminology like "sideloading" you're accepting the premise that there's something inherently dodgy about installing your software onto your operating system.
Just call it "installing".
This is the main thing that Android users have been saying is the differentiator for them using Android, and they're butchering it in multiple ways. Wild.
“sideload”, is installing software without some asshole preventing me.
Let’s be clear here.
I feel like there's a big thing being missed in all of this, which is that F-Droid lives. I scrolled through hundreds of comments so far and not seen anyone make this observation.
Do I love it? Absolutely not. But F-Droid was facing an existential threat from the early early versions of the proposal and now will continue to live. Again, I don't love it but this is a huge change to the fate of F-Droid.
There are multiple apps that I know and want to use that are no longer available on Play Store, but only via Zapstore, Obtanium or similar. I'm just hoping that these changes don't affect solutions like GrapheneOS or that we will soon get linux based phone that's good...
tl;dr:
- You need to enable developer mode
- You need to click through a few scare dialogs
- You need to wait 24h once
I wonder how long this will last before they lock it down further. There was a lot of pushback this time around and they still ended up increasing the temperature of the metaphorical boiling frog. It still seems like they're pushing towards the Apple model where those who don't want to self-dox and/or pay get a very limited key (what Google currently calls "limited distribution accounts").
Developers could protest by changing our app icons to grayscale: https://news.ycombinator.com/item?id=47354917
I've stuck with Android despite privacy concerns because of the control I have over the device. If they're going to do this I might as well go Apple.
Supported Android since the beta m3 SDK in 2008 (ok, I was in high school, but I still downloaded it!) Never considered abandoning it before now.
It's time to leave Android.
Call me naive, but despite the feeling in my gut I was holding out for Google's answer. Reading what it is, this is still going way too far. You essentially need to be a developer in order to sideload, which brings Android down to parity with iOS.
No, being able to sideload (on my phones, AND friends and family as-needed) is a fundamental computing right. This is my personal belief. And this move by Google is a step too far.
The search begins...
I feel like loading sideloaded applications it's locked enough, google created google protect (which I have disable) but it if you have it enabled you are unable to instal sideloaded apps, also you have to accept the prompt to accept the app you're installing from and the prompt from your android to let you install sideloaded apps, like how many prompts is enough? now also a fee and verification. Most of the apps I enjoy the most are in alternatives stores. Ankidroid,keeepassxc,revanced, newpipe,tubular.
I've been slowly degoogling because of how Google is treating Android. It's slow, but I've been setting up emails on other providers, stopped using Google search, stopped uploading photos etc.
they even say that you can allow sideloading temporary or indefinitely. Guess which option wont be available anymore in two years.
I switched to iOS in anticipation of this change. The reality is, if they are thinking about doing this, it's only a matter of time before they do it. If I have to choose between two walled gardens, apple will win every time.
Well, this sucks.
The fact that I can sideload whatever I need and stay out of Google's ecosystem is the whole reason I use Android. Given the miserable choice between two fully locked-down platforms, why would I pick theirs?
There are numerous alternative operating systems and variants out there that should get more of our attention now. There's a mobile ubuntu, e/os , and more.
This is great news for my wife and my parents, but it would really be nice to have the choice when it comes to my phone's OS. Just like I had with Linux. I boggles my mind how the components in a phone are somehow different to the components in a PC in that they are unaccessible to people who write drivers for them.
That's not entirely unreasonable. As long as there is a way to enable this in perpetuity for my device(s) and it works for all Android devices it's a compromise I could live with.
Again, can we, please, stop call it side-loading. I'm not sliding in anything "from the side" on the sly, I am simply installing an app of my choice on my damn phone.
It'd be nice if they put a little sticker on the box or a flashing warning when you go to buy the phone noting that you'll be unable to use it as you desire for 24 hours if you are not willing to bend over to your corporate overlord.
Alternatives like GrapheneOS and Lineage are the way to go for right now, but I worry as things get more and more locked down that those options won't work with a lot of apps.
The 24 hour wait period is the largest of the annoyances in this list, but given that adb installs still work, I think this is a list of things I can ultimately live with.
So what's the solution? Graphene OS? Let's convince everyone we know to buy the upcoming Motorola phone. If it's sales hit 10s or 100s of million devices, only then Google will listen.
>And what is malware? For [Android Ecosystem President], malware in the context of developer verification is an application package that “causes harm to the user’s device or personal data that the user did not intend.”
Like when Google, Facebook, Apple, Microsoft, et al. cooperated with¹ the unconstitutional and illegal² PRISM program to hand over bulk user data to the NSA without a warrant? That kind of harm to my personal data that I did not intend?
If so, I'd love to hear an explanation of why every Google/Alphabet, Facebook/Meta, and Microsoft application haven't been removed for being malware already.
¹ https://www.theguardian.com/world/2013/jun/06/us-tech-giants...
² https://www.reuters.com/business/media-telecom/us-court-mass...
Nothing screams being infantilised by your platform more than having to wait 24 hours to be allowed to install software on your own purchased computing devices.
Personally, I think they should at least drop the $25 fee if you publish outside of Play Store.
This seems like a good solution that will put a sizeable dent in scam success rates while not actually removing options for developers and power users. The added friction will make some people bounce off F-Droid and the likes which is unfortunate, but the wins here in scam prevention are much bigger than the losses in onboarding power users.
So this effectively means, if you buy a new phone and want to set it up, you'll have to do it tomorrow, because of an arbitrary flow Google created to save their play store percentages...
So if I have to reinstall my phone it won't be usable for 24h because I won't be allowed to install my F-Droid apps?
Tbh, I love this flow. They truely think for users, all users not just advanced users. Unlike Apple, Apple just think for its ecosystem, its money.
How the advanced flow works for users
Enable developer mode in system settings: Activating this is simple. This prevents accidental triggers or "one-tap" bypasses often used in high-pressure scams.
Confirm you aren't being coached: There is a quick check to make sure that no one is talking you into turning off your security. While power users know how to vet apps, scammers often pressure victims into disabling protections.
Restart your phone and reauthenticate: This cuts off any remote access or active phone calls a scammer might be using to watch what you’re doing.
Come back after the protective waiting period and verify: There is a one-time, one-day wait and then you can confirm that this is really you who’s making this change with our biometric authentication (fingerprint or face unlock) or device PIN. Scammers rely on manufactured urgency, so this breaks their spell and gives you time to think.
Install apps: Once you confirm you understand the risks, you’re all set to install apps from unverified developers, with the option of enabling for 7 days or indefinitely. For safety, you’ll still see a warning that the app is from an unverified developer, but you can just tap “Install Anyway.”How does it track time? Is it possible that user will just change current time to the future to instantly process the request? Is it possible to track time "safely"?
People already have the choice between an ecosystem that offers the safety of a walled garden and one that allows the freedom to do anything you like, including shooting yourself in the foot.
Google's decision to walk back the supposed freedom to run anything you like removes user choice from the marketplace and harms consumers.
Feels like one of those changes that makes sense from a security perspective, but will mostly hurt smaller devs who rely on sideloading.
Curious how this will play out for niche apps that aren’t on the Play Store.
Do you need a Google account to opt out of the restriction? It says something about authenticating.
I don't have a Google account on my Androids. But I can't remove play services on them, sadly. As an intermediate protection I just don't sign in to Google play, that gives them at least a bit less identifying information to play with.
I hope this can be done without a Google account.
I think I would be fine with that if they also provided the option to check the box immediately when you first setup your account on a new phone. I don't want to wait for 24 hours every time I change phones.
I read several articles about this today, and surprisingly, found this video more clear and easy to understand what is the situation https://youtu.be/-WF34Sgq76c
Can you set your clock forward or does this also require phoning home to a central server to install an app on your computer?
A lot of people here are looking for compromises. Any compromise on this means giving ground to Google's monopoly and the war on open computing and ultimately freedom.
This is exactly what Google intended. This is why they started off by announcing completely removing device owner chosen installs (this is not side loading! It's simply installing.) and announced only apps allowed by Google would be available for install.
They knew it would cause backlash. They anticipated that and planned ahead faking a compromise.
They are trying to boil us like frogs by so slowly raising the temperature so we do not notice. Whenever the water gets so warm that people do notice they cool it down a little. But they will turn up the the heat again!
This 24h window is designed to make device owner controlled installs as unattractive as possible. They try to reduce it as much as they can while having plausible deniability ("You can still install apps not whitelisted by us"). They want to get the concept of people installing software of their own choice onto their own device as far away from the mainstream as possible. They want to marginalize it. They want to slowly and quietly kill off the open Android app ecosystem by reducing the user base.
The next step will be them claiming that barely anyone is installing apps not signed by them anyway. First they make people jump through ridiculous hoops to install non whitelisted apps, then they use the fact that few people jump through these hoops to justify removing the ability altogether.
Google does not care about preventing scams. If they did they would do something against the massive amount of scam ads that they host. Scams are just their "think of the children".
Do not play by their playbook!
Do not give them ground!
We must not accept any restrictions on the software we run on our own devices. The concept of ownership, personal autonomy and choice are being dismantled. Our freedom is the target of a slow, long waging war. This is yet another attack.
We must not compromise with the attacker. We must not give them any centimeter of ground.
Stop propagating the term sideloading like its some kinda dirty thing.
Its just installing an app.
The secret reason they are doing this is because governments want to be able to identify everyone online everywhere it matters at all time. They want to strip anonymity from computing.
Apple and Google can now credibly claim to governments to have nearly ubiquitous computing platforms that they can guarantee do not run any software that is not approved or antithetical to the goals of authorities. This makes the device safe for storing things like government IDs. OSs and Browsers will be required to present these IDs or at first just attest to them.
Before posting online, renting a server, using an app you will have to idenitfy yourself using your phone or similarly locked down PC (i.e. mac).
The introduction is under the guise as always of protecting the children. In reality they are removing your rights to privacy and free speech.
I'd urge everyone here to seriously consider switching to GrapheneOS. It's a far simpler transition than e.g. switching from Windows or OSX to Linux, and many people find that it has basically no friction vs android.
More people moving to GrapheneOS is the best tool we have against Google's continued and escalating hostility to user freedom and privacy and general anti-competitive conduct. (Of course, you could ditch having a smartphone entirely..., but if you're willing to consider that you don't need me plugging an alternative).
Good guy Google must have published the numbers of scamming incident due to current software installation setup.
I appreciate if some good samaritan can link to it.
50 times more likely? Don't they need to supply the data for that when making an "advertisement"?
One gotta give it to them, advanced flow, what a great new double-speak-ism, would have made the ministry of truth very very proud.
I think the new solution is a good compromise.
The 7 days vs forever choice is still crappy and gives me a bit of bad vibes considering they are the ones that pulled the youtube promotions (shorts, games) you can never turn off forever, so there's the concern they will remove the forever option from Android in the future. But as long as they don't end up doing that, it's fine for me.
Also, I do think it would be a good idea to make an exception to the 24-hour wait time if the phone is new enough (e.g. onboarding steps were completed less than one day ago), and/or through some specific bypass method using ADB. Power users who get a new phone want to set it up with all their cool apps and trinkets right away, and it's not good user experience to have to use ADB to install every single sideloaded app. Meanwhile a a regular user getting scammed right after getting a new phone is statistically unlikely.
That's just friggin great, except for those who use newer phones from Cricket - who disables developer mode for until the phone's been active on their network for 6 months...
This is the first thing I will be doing in my new Android Smartphone, in the very first hour.
Also, was this really necessary Google?
How is a 24 delay for manually installing apps going to combat malware on Google's play store?
Is there an accurate, neutral third party link about this that we can make the primary link instead?
https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...?
Edit: I've put one up there now - if there's a better article, let us know and we can change it again. I put the submitted URL in the toptext.