Google details new 24-hour process to sideload unverified Android apps

Calling for regulators, especially the EU, is futile. They want this. All you'll get is something that feels and sounds like pushback, at most.

They have now successfully turned the temperature knob from 2 to 5. I wonder what 7 will be.

The only reason I stuck with Android was to have the freedom to basically install anything I like. This is not a solution, much less to any problem which existed before. I don't think my next phone will be Android.

At this point the meta for tech inclined people is to go full dumbphone, get a UMPC with SIM card support, cobble together a cyberdeck with a SIM module, or building an ESP32 powered cellphone (https://www.xda-developers.com/someone-made-a-4g-esp32-smart...). RIP F-Droid.

Since after doing this Google knows the user knows what they're doing (and officially they say they don't want to get in the way), why does this only enable installing unverified apps (still unprivileged), why is the system still insanely locked down? I thought the 24-hour delay solved the "security" problem?

SailfishOS / Jolla are unlikely to do this. Time to switch. Google's monopoly power over android is showing, badly.

A lot of you have never seen your loved ones get some shitty app on their phones and it shows.

Some years ago had a scam call about my "router connection error logs" and "I needed" to install TeamViewer from the PlayStore... So can't imagine what is this going stop

> Install apps: Once you confirm you understand the risks, you’re all set to install apps from unverified developers, with the option of enabling for 7 days or indefinitely. For safety, you’ll still see a warning that the app is from an unverified developer, but you can just tap “Install Anyway.”

If you can enable this once, forever, after a 24 hour cooldown period I don't hate this as much as I hated some of the other proposals from Google. It'll just be something you do as part of the setup for a new phone.

So can it be breached by turning off networking and setting the date forward a couple days?

I am not happy about this, but as long as advanced Android users can still turn this off and keep it off, we're still in a better place than iOS.

Even though I understand the design decisions here, I think we're going about this the wrong way. Sure, users can be pressured into allowing unverified apps and installing malware, and adding a 24-hour delay will probably reduce the number of victims, but ultimately, the real solution here is user education, not technological guardrails.

If I want to completely nuke my phone with malware, Google shouldn't stand in my way. Why not just force me to read some sort of "If someone is rushing you to do this, it is probably an attack" message before letting me adjust this setting?

Anyone who ignores that warning is probably going to still fall for the scam. If anything, scammers will just communicate the new process, and it risks sounding even more legitimate if they have to go through more Google-centric steps.

Seems like a very reasonable compromise. What's the catch?

It's not like the Google Play store hasn't been known to host malicious apps, yet you are not required to wait 24 hours before you install apps from their store.

I suspect they are hoping users just give up and go to the play store instead. Google touts about "Play Protect" which scans all apps on the device, even those from unknown sources so these measures can barely be justified.

Imagine if Microsoft said you need to wait 24 hours before installing a program not from their store, which is against the entire premise of windows.

Computing, I once believed was based on an open idea that people made software and you could install it freely, yes there are bad actors, but that's why we had antivirus and other protection methods, now we're inch by inch losing those freedoms. iOS wants you to enter your date of birth now.

The future feels very uncertain, but we need to protect the little freedoms we have left, once they're gone, they're gone for good.

If android security is so fucked that the 24 hours helps, why do they maintain it has security?

I hate to say it, but I'm somewhat in agreement. I don't know why there's a allow 3 days/allow forever option. That's the only thing that's suspicious.

Assuming the requirements are actually justified, this seems like a tolerable compromise.

I'll say it again: this isn't a problem for Android to solve. Scammers will naturally adapt their "processes" to account for this 24-hour requirement and IMO it might make it seem more legitimate to the victim because there's less urgency.

The onus of protecting people's wealth should fall on the bank / institution who manages that persons wealth.

Nevertheless, this solution is better than ID verification for devs.

Corry's enshitification is in charge

stopped reading at "combating malware"

The constant sociopathic nudging from Google to do this or that to use something that was absolutely normal before or to enable something I didn't want and slowly removing reasonable options in favor of their dark pattern preferences was what made me to degoogle ~10 years ago, and they just seem to continue on the march to their dark side unconcerned.

What? No requirement to personally bring in a form in triplicate to the Google office in Siberia, of course notarized by the Pope and Zendaya, and simply prove it was signed on the moon.

Imagine if Microsoft did that with Windows. Absurd. The difference between Microsoft and Google seems to be that Microsoft accepts a small fraction of not-so-bright users getting scammed, because this is obviously much less bad than locking down the OS for everyone. (I say this as someone who is usually much more positive about Google than about Microsoft.)

We need to get Epsteinist Interests out of our tech.

And now we see why Android never really was Linux.

Does it have a Linux kernel? Of course. But this isn't a free operating system.

> Wait 24 hours

Man, fuck Google. I hope this bullshit is struck down by government regulation as malicious compliance to 3rd party app stores.

I wonder if GrapheneOS will have the same level of user-hostile bullshit. That may be my salvation board right now.

Sailfish OS would be great, but unfortunately my banks don't seem to play along with it.

[dead]

[dead]

[dead]

I think most people here live too much in their tech bubble and don't realize how dumb the vast majority of people are when it comes to tech. I know that feeling myself that you lose the grip to "reality" when you are too much into tech, but after dealing a bit with "ordinary" people, I do understand why Google wants to do that. Most people have absolutely no idea about tech at all. So many people don't even know what exactly a browser is, what a "tab" means or can't even get to install an iPad. Google mainly has to take care of these people, not people who install apps using F-Droid. Go to the streets and ask strangers if they know what F-Droid is, and if they don't, try to explain it to them. The 24 hour wait period looks like a good trade off to me. Still allowing experienced users to install apps, but the majority of people will be protected, and it won't even affect most people.

And no, I'm not a bot or some pro Google activist, check my github account, I even use GrapheneOS myself.

I'm not in agreement with most of you, hn. They've found a decent compromise that works for power users and the general population. Your status as a power user does not invalidate the need to help the more vulnerable.

Having to wait a day for a one off isn't a big deal, if they kept it looser then you'd be shouting about the amount of scams that propagate on the platform.