Discussion · bonfire.cafe

@lauren@mastodon.laurenweinstein.org · 5 days ago

***** Google's plans to restrict sideloading on Android are an authoritarian wet dream come true *****

Let me be really clear about how horrifically dangerous #Google's plans are to restrict #Android sideloading to "verified developers" (that is, entities for which Google has full verified identity and associated information that they could hand over to authorities on demand).

This means that even though you own your Android device, you cannot install apps obtained from ANY source (except perhaps apps you build yourself that will only be permitted to run on your own device) unless Google knows pretty much everything about who created that app.

The ways that this could be abused are so numerous I won't even start listing them here, other than to note that it is absolutely horrific overreach by Google and at least appears to be Google bending over for abusive government demands, and could put already vulnerable individuals and groups at even more risk.

Absolutely disgusting.

Optimistic Moron

@OptimisticMoron@mastodon.xyz replied · yesterday

@lauren
Welcome to Apple Universe, people.
Wait for Google to start creaming off 25 percent of all transactions.

AndreasDavour

@AndreasDavour@dice.camp replied · 4 days ago

@lauren google don't need any abusive governments. Remember "do no evil"? They changed that, remember? Says it all.

lopta

@lopta@mastodon.social replied · 4 days ago

@lauren Time for non-Android Linux to step up?

ViSzKe

@ViSzKe@mastodon.acc.sunet.se replied · 4 days ago

@lauren
So there will be no difference between Android and iOS

dummzeuch

@dummzeuch@mastodon.social replied · 5 days ago

@lauren Google is planning to do, what Apple has been doing all along and what Microsoft has been trying to do too: Be the gate keeper to their walled garden, keep those pesky independent software developers out or at least charge them dearly for the privilege.

Zem 🇪🇹 🇪🇺

@zem@framapiaf.org replied · 5 days ago

@lauren how is this impacting the #fdroid project? @fdroidorg ?

Simon Poole

@simon@en.osm.town replied · 5 days ago

@lauren I would note that this wouldn't actually effect apps built and distributed via @fdroidorg as they build and sign them themselves (it does sabotage their drive for reproducible builds a bit though).

James Cridland

@james@bne.social replied · 5 days ago

@lauren How many people actually sideload to Android now, do we know? I’m reasonably techie, but I can’t recall if I ever side loaded something to my Pixel.

Orion Ussner kidder

@OrionKidder@mas.to replied · 5 days ago

@lauren So basically, Google is trying to wall off Androids the way iPhones have always been walled off.

Gross.

:digitalcourage: Damien

@d4m13n@digitalcourage.social replied · 5 days ago

@lauren @arstechnica says, user without Play Services are not affected.

ꓤɔᴉʇɐʇS

@StaticR@guild.pmdcollab.org replied · 5 days ago

@lauren the term "sideloading" in of itself is complete whack, it's just downloading and installing software. Imagine you were calling shopping from somewhere other than amazon "sideshopping". same energy.

Don't legitimaze their practices by legitimizing their terminology.

Luna chan

@Luna@mastodon.world replied · 5 days ago

@lauren Oh hell no if I can't use F-Droid they can go to hell.

Whispr

@Whispr@mastodon.social replied · 5 days ago

@lauren You’re right to be sounding the alarm on this — it’s a big deal for privacy and control over our own devices. Have you ever listened to Rob Braxman (he’s known as the ‘Internet Privacy Guy’)? He’s been covering Google’s tightening grip on Android and sideloading for a while now. I think you’d appreciate his perspective — he breaks it down in a way that makes sense for both the technical and everyday user. Worth a listen if you haven’t run across him yet.

SpaceLifeForm

@SpaceLifeForm@infosec.exchange replied · 5 days ago

@lauren

Got root? It not, avoid the device.

Lauren Weinstein

@lauren@mastodon.laurenweinstein.org replied · 5 days ago

@SpaceLifeForm Root is not a solution for 99.999% of users. I don't really care about techies (like you or me) in this regard. I care about ordinary people who use what they're given by Big Tech. Also, you can anticipate root becoming harder and harder to obtain, under orders from governments.

SpaceLifeForm

@SpaceLifeForm@infosec.exchange replied · 5 days ago

@lauren

The alternative is what happened in the olden daze. Talk offline face-to-face.

Farbs

@Farbs@mastodon.social replied · 5 days ago

@lauren What the fucking fuck?! And this is from the company who turned the web into a full virtual machine so they could operate freely within everyone else's operating systems?!

Bredroll

@Bredroll@mas.to replied · 5 days ago

@lauren when my current phone dies, i think ill just go to my old feature phone.

rzeta0

@rzeta0@mstdn.social replied · 5 days ago

@lauren

does this mean alternative OS's like @GrapheneOS won't be possible on Pixel phones?

(I realise there's a difference between side loaded apps and side loaded OSes)

Lauren Weinstein

@lauren@mastodon.laurenweinstein.org replied · 5 days ago

@rzeta0 @GrapheneOS For rooted phones all bets are off (but expect rooting to become more difficult over time). But this doesn't help 99.999% of people who don't root their phones, they are the ones I'm concerned about who are at risk.

GrapheneOS

@GrapheneOS@grapheneos.social replied · 5 days ago

@lauren @rzeta0 GrapheneOS is not rooted and installing it doesn't involving rooting. Devices can be purchased with it preinstalled already. There will be devices with official support from the OEM for GrapheneOS in the future.

Łącze

@Lacze@hear-me.social replied · 5 days ago

@lauren @rzeta0 @GrapheneOS

GrapheneOS is not rooted and it does not support root. You are using wrong terminology.

Lauren Weinstein

@lauren@mastodon.laurenweinstein.org replied · 5 days ago

@Lacze @rzeta0 @GrapheneOS It's a distinction without a difference. To install any alternate OS, you need to be able to unlock the bootloader, and the same applies to rooting. If the bootloader can't be unlocked you can't effectively do either in any realistic sense. And again, this is not a solution for the overwhelmingly large majority of users.

tranquil_cassowary

@tranquil_cassowary@infosec.exchange replied · 5 days ago

@lauren @Lacze @rzeta0 @GrapheneOS
That's not true. it's a distinction with a difference. If you are installing a proper third-party OS on a phone that supports installing third-party OSes with all security features intact you are supposed to unlock the bootloader, flash the third-party OS and then relock the bootloader. After relocking the bootloader verified boot and all other hardware security features are still supposed to work. Root is something entirely different and completely undermines the security model of Android.

rzeta0

@rzeta0@mstdn.social replied · 5 days ago

@lauren @GrapheneOS

I agree with your focus on the vast majority of non-techie people.

I feel sad about it but that 99.999% are easy victims of surveillance and control.

I something think there must be a gap in the market for secure tech that is usable by that 99.999% ... but on thinking further, I think the established interests have the capability to kill any such venture quite easily.

If democracy depends on everyone being a PhD in electronics and software then that democracy is broken.

GrapheneOS

@GrapheneOS@grapheneos.social replied · 5 days ago

@rzeta0 @lauren GrapheneOS is gradually working towards making the out-of-the-box experience better, overhauling or replacing the legacy AOSP apps and also launching phones with official support for GrapheneOS with an OEM. It's not at all intended for only technical people. We aren't going to take problematic shortcuts which massively sacrifice privacy and security though. We're only willing to launch a device with an OEM able to meet our official requirements (https://grapheneos.org/faq#future-devices).

Darker Knight

@darkerknight@climatejustice.social replied · 5 days ago

@lauren

How about 'DeGoogled' OS's such as eOS that get their apps from F-Droid?
Are they affected?

slash

@agreeable_landfall@mastodon.social replied · 5 days ago

@lauren I'm hopeful that the non-Google Android ROMs (like LineageOS or Graphene) will drop that code from the AOSP base sources.

To be honest, Google is the most obvious example of a "lateral arabesque" in software. Start a FOSS project, get everyone to contribute and ensure alternatives die off. Then, slowly, move code to non-FOSS licensing.

I think TIVO did something similar, years ago.

I do wonder if we have what it takes to fork Android.

Lauren Weinstein

@lauren@mastodon.laurenweinstein.org replied · 5 days ago

@agreeable_landfall None of that is useful for ordinary nontechies, and they are the ones most at risk.

Dan Goodin

@dangoodin@infosec.exchange replied · 5 days ago

@lauren

Saving people the hassle of looking for a link not included in this thread:

https://developer.android.com/developer-verification

Brian Swetland

@swetland@chaos.social replied · 5 days ago

@lauren I suspect that it's primarily driven by malware complaints (and ensuing customer service costs) rather than government demands (though it certainly makes those much easier to fulfill).

It's still horrible overreach and combined with the killing off of AOSP build support for Pixel devices it's a bad sign for the health of the Android platform and ecosystem.

We (early Android team) fought hard for open app installation and replaceable OS images. Sad to see that finally dying.