logoalt Hacker News

bjornrobergtoday at 1:40 PM3 repliesview on HN

The detail that keeps getting lost in these threads: the "advanced flow" for power users is delivered through Google Play Services, not the Android OS. That's the whole game.

It means the safeguard is not part of AOSP. It ships as a closed component that Google can narrow, gate, or remove in any Play Services update, with no Android version bump, no OEM coordination, no user consent beyond the usual auto-update. "Open platform with an escape hatch" is load-bearing in the PR; "closed escape hatch bolted onto an open kernel" is what's actually shipping.

The second tell is timing. It's five months from enforcement and the flow has not appeared in any beta, dev preview, or canary build. We're being asked to treat a blog post and UI mockups as a functional guarantee. No other platform change of this scope lands without a shipping preview this late, and Google knows it.

The third piece most devs skim past: registration requires uploading evidence of your private signing key. Whatever you think of the verification program in principle, that specific requirement changes the threat model of every Android key in existence, including the ones protecting apps people already depend on.

"Sideloading still works" is only true in the narrow sense that some ceremony remains. The mechanism protecting that ceremony is owned by the party with the strongest incentive to eventually close it.

Replies

safety1sttoday at 1:52 PM

What follows is the "advanced flow." I feel like there should be a class action lawsuit in response to this as when I purchased my device I had an expectation that I could install apps without this insane limitation

    Enable Developer Mode ↗ by tapping the software build number in About Phone seven times

    In Settings > System, open Developer Options and scroll down to “Allow Unverified Packages.”

    Flip the toggle and answer a scare screen confirming that you are not being coerced

    Enter your device unlock pin/password

    Restart your device

    Wait 24 hours

    Return to the unverified packages menu at the end of the security delay

    Scroll past additional scare screen warnings and select either “Allow temporarily” (seven days) or “Allow indefinitely.”

    On the next scare screen, confirm that you understand the risks.

    You can now install unverified packages on the device by tapping the “Install anyway” option in the package manager.
show 2 replies
creatoneztoday at 1:57 PM

> the "advanced flow" for power users is delivered through Google Play Services, not the Android OS. That's the whole game.

What is the source for this claim? I can believe it, but I haven't seen where the claim actually comes from, and it doesn't seem to be mentioned in Google's announcements.

syoleenetoday at 2:02 PM

If the "advanced flow" is delivered through play services, what does this mean for degoogled Android phones? Or are those not concerned with the new side loading limitations?

Put simply, If I were to install plain AOSP and F-Droid would I be able to continue installing apps normally?

show 2 replies