FRESH

Hacker News

Home

Google details new 24-hour process to sideload unverified Android apps

125 points by 0xedb

by grishka

8 subcomments

At this point I'm convinced that there's something deeply wrong with how our society treats technology.
Ruining Android for everyone to try to maybe help some rather technologically-hopeless groups of people is the wrong solution. It's unsustainable in the long run. Also, the last thing this world needs right now is even more centralization of power. Especially around yet another US company.
People who are unwilling to figure out the risks just should not use smartphones and the internet. They should not use internet banking. They should probably not have a bank account at all and just stick to cash. And the society should be able to accommodate such people — which is not that hard, really. Just roll back some of the so-called innovations that happened over the last 15 years. Whether someone uses technology, and how much they do, should be a choice, not a burden.

by astra1701

11 subcomments

This is going to hurt legitimate sideloading way more than actually necessary to reduce scams:
- Must enable developer mode -- some apps (e.g., banking apps) will refuse to operate and such when developer mode is on, and so if you depend on such apps, I guess you just can't sideload?
- One-day (day!!!) waiting period to activate (one-time) -- the vast majority of people who need to sideload something will probably not be willing to wait a day, and will thus just not sideload unless they really have no choice for what they need. This kills the pathway for new users to sideload apps that have similar functionality to those on the Play Store.
The rest -- restarting, confirming you aren't being coached, and per-install warnings -- would be just as effective alone to "protect users," but with those prior two points, it's clear that this is just simply intended to make sideloading so inconvenient that many won't bother or can't (dev mode req.).

by politelemon

2 subcomments

I'm not in agreement with most of you, hn. They've found a decent compromise that works for power users and the general population. Your status as a power user does not invalidate the need to help the more vulnerable.
Having to wait a day for a one off isn't a big deal, if they kept it looser then you'd be shouting about the amount of scams that propagate on the platform.

by janice1999

1 subcomments

The forced ID for developers outside the Play store is already killing open source projects you could get on F-Droid. The EU really needs to identify this platform gatekeeping as a threat. As an EU citizen I should not be forced to give government ID to a US company, which can blacklist me without recourse, in order to share apps with other EU citizens on devices we own.

by branon

0 subcomment

This 24-hour wait time nonsense is a humiliation ritual designed to invalidate any expectation of Android being an open platform. The messaging is very clear and the writing's on the wall now, there's nowhere to go from here but down.

by devsda

4 subcomments

Death, taxes and escalating safety are the only certainities in this tech dominated world. So, be ready for more safety in the next round few months/years down the line. Eventually Android will become as secure as ios. We need a third alternative before that day comes.
It's not a win by any means. I hope that we don't stop making noise.

by focusedone

3 subcomments

I'm generally OK with this, but the 24 hour hang time does seem a bit onerous.
Most of the apps on my phone are installed from F-Droid. I guess the next time I get a new phone I'll have to wait at least 24 hours for it to become useful.
I'm seriously considering Graphene for a next personal device and whatever the cheapest iOS device is for work.

by teroshan

0 subcomment

That's a lot of words to explain how to install things on the device I supposedly own.
Wondering how long the blogpost would be if it explained what the flow for corpoloading applications approved by Google's shareholders would be?

by egorelik

1 subcomments

As an idea, what about allowing the 24 hours to be bypassed using adb?
I understand there is some problem trying to be solved here, but honestly this is still quite frustrating for legitimate uses. If this is the direction that computing is moving, I'd really rather there were separate products available for power users/devs that reflected our different usage.

by 9cb14c1ec0

1 subcomments

It's getting harder and harder to be an Android enthusiast. Especially given the hypocrisy of Google Play containing an awful lot of malware.

by summermusic

2 subcomments

24 hour mandatory wait time to side load!? All apps I want to use on my phone are not in the Play Store. So I buy a new phone (or wipe a used phone) and then I can’t even use it for 24 hours?

by lucasay

1 subcomments

The goal seems to be breaking the real-time guidance scammers rely on. 24h probably works, but it feels like a heavy tradeoff for legit users.

by andyjohnson0

0 subcomment

I'd rather not have to go through this ritual, but I appreciate that there is a genuine security problem that google are trying to address. I also suspect that they have other motivations bound-up in this - principally discouraging use of alternative app stores. But basically I could live with this process.
Yeah, I know... Stockholm syndrome...
Although I may not have to live with it, as none of my present devices are recent enough to still receive ota updates.
Context: I don't use alternative app stores. I occasionally side-load updates to apps that I've written myself, and very occasionally third party apps from trusted sources.

by occz

0 subcomment

The 24 hour wait period is the largest of the annoyances in this list, but given that adb installs still work, I think this is a list of things I can ultimately live with.

by module1973

1 subcomments

Am I going to have to wait 24hrs to have Google's malware and spyware forceloaded onto my phone, or is this a different category of malware?

by dang

0 subcomment

Is there an accurate, neutral third party link about this that we can make the primary link instead?
https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...?
Edit: I've put one up there now - if there's a better article, let us know and we can change it again. I put the submitted URL in the toptext.

by wolvoleo

1 subcomments

Do you need a Google account to opt out of the restriction? It says something about authenticating.
I don't have a Google account on my Androids. But I can't remove play services on them, sadly. As an intermediate protection I just don't sign in to Google play, that gives them at least a bit less identifying information to play with.
I hope this can be done without a Google account.

by aftergibson

0 subcomment

Nothing screams being infantilised by your platform more than having to wait 24 hours to be allowed to install software on your own purchased computing devices.

by w4rh4wk5

0 subcomment

I'll repeat my question from a while ago. Is the official Temu app, available on the Play Store, still full of questionable malware / spyware code?
If so, it's clear that none of these changes are actually to protect users.

by RIMR

0 subcomment

I am not happy about this, but as long as advanced Android users can still turn this off and keep it off, we're still in a better place than iOS.
Even though I understand the design decisions here, I think we're going about this the wrong way. Sure, users can be pressured into allowing unverified apps and installing malware, and adding a 24-hour delay will probably reduce the number of victims, but ultimately, the real solution here is user education, not technological guardrails.
If I want to completely nuke my phone with malware, Google shouldn't stand in my way. Why not just force me to read some sort of "If someone is rushing you to do this, it is probably an attack" message before letting me adjust this setting?
Anyone who ignores that warning is probably going to still fall for the scam. If anything, scammers will just communicate the new process, and it risks sounding even more legitimate if they have to go through more Google-centric steps.

by xnx

0 subcomment

This is eminently reasonable.
Now if only Android would allow for stronger sandboxing of apps (i.e. lie to them about any and all system settings).

by nullc

0 subcomment

I'd urge everyone here to seriously consider switching to GrapheneOS. It's a far simpler transition than e.g. switching from Windows or OSX to Linux, and many people find that it has basically no friction vs android.
More people moving to GrapheneOS is the best tool we have against Google's continued and escalating hostility to user freedom and privacy and general anti-competitive conduct. (Of course, you could ditch having a smartphone entirely..., but if you're willing to consider that you don't need me plugging an alternative).

by anonym29

0 subcomment

>And what is malware? For [Android Ecosystem President], malware in the context of developer verification is an application package that “causes harm to the user’s device or personal data that the user did not intend.”
Like when Google, Facebook, Apple, Microsoft, et al. cooperated with¹ the unconstitutional and illegal² PRISM program to hand over bulk user data to the NSA without a warrant? That kind of harm to my personal data that I did not intend?
If so, I'd love to hear an explanation of why every Google/Alphabet, Facebook/Meta, and Microsoft application haven't been removed for being malware already.
¹ https://www.theguardian.com/world/2013/jun/06/us-tech-giants...
² https://www.reuters.com/business/media-telecom/us-court-mass...

by cobbal

0 subcomment

Can you set your clock forward or does this also require phoning home to a central server to install an app on your computer?

by beepbooptheory

0 subcomment

I get that its pretty clear with the straight sideloading case, but can anyone say for sure what this will look like for an f-droid user? Its hard to keep track but I thought something new here because of EU is that alternative app stores != sideloading? Something where app stores could choose themselves to get "verified," whatever that means, to become a trusted vendor? Or is this completely wrong?

by mzajc

1 subcomments

tl;dr:
- You need to enable developer mode
- You need to click through a few scare dialogs
- You need to wait 24h once
I wonder how long this will last before they lock it down further. There was a lot of pushback this time around and they still ended up increasing the temperature of the metaphorical boiling frog. It still seems like they're pushing towards the Apple model where those who don't want to self-dox and/or pay get a very limited key (what Google currently calls "limited distribution accounts").

by tadfisher

2 subcomments

Honestly, if coerced sideloading is a real attack vector, then this seems to be a pretty fair compromise.
I just remain skeptical that this tactic is successful on modern Android, with all the settings and scare screens you need to go through in order to sideload an app and grant dangerous permissions.
I expect scammers will move to pre-packaged software with a bundled ADB client for Windows/Mac, then the flow is "enable developer options" -> "enable usb debugging" -> "install malware and grant permissions with one click over ADB". People with laptops are more lucrative targets anyway.

by omnifischer

1 subcomments

Those working in Google (AOSP) that write these code should be ashamed of themselves. Eventually they are doing a bad thing for the society.

by hypeatei

1 subcomments

I'll say it again: this isn't a problem for Android to solve. Scammers will naturally adapt their "processes" to account for this 24-hour requirement and IMO it might make it seem more legitimate to the victim because there's less urgency.
The onus of protecting people's wealth should fall on the bank / institution who manages that persons wealth.
Nevertheless, this solution is better than ID verification for devs.

by aboringusername

0 subcomment

It's not like the Google Play store hasn't been known to host malicious apps, yet you are not required to wait 24 hours before you install apps from their store.
I suspect they are hoping users just give up and go to the play store instead. Google touts about "Play Protect" which scans all apps on the device, even those from unknown sources so these measures can barely be justified.
Imagine if Microsoft said you need to wait 24 hours before installing a program not from their store, which is against the entire premise of windows.
Computing, I once believed was based on an open idea that people made software and you could install it freely, yes there are bad actors, but that's why we had antivirus and other protection methods, now we're inch by inch losing those freedoms. iOS wants you to enter your date of birth now.
The future feels very uncertain, but we need to protect the little freedoms we have left, once they're gone, they're gone for good.

by 2OEH8eoCRo0

4 subcomments

Seems like a very reasonable compromise. What's the catch?

by silver_sun

2 subcomments

It's a little inconvenient for someone setting up a new phone to have to wait a full day to install unregistered apps. But while I can't speak for others, it's a price I'm personally willing to pay to make the types of scams they mention much less effective. The perfect is the enemy of the good.