Remember everyone…Google never cared about you or your phone or your privacy. They are a marketing company and make money selling your data. Your data is all they care about. They don’t offer a wide range of products, like search and Gmail and all of their office products for free, just for the fun of it.
I didn’t get it. EU pushes Apple for sideloading option. Android will come with embedded Linux terminal support and you can even run native Linux apps on your Android phone with Android 15.
I guess some C-level assholes are forcing this change at Google, but this does not make any sense…
This is the risk of “trusted computing” architectures. Who is governing the “trusted” part of that?
These cryptographic signatures are not as much of a death knell for Android as some would have you believe. The trick is to get a common code signing cert into your device, that is then used to sign any third party APK you want to run. You can avoid the Google tax this way. I assume that’s how most sideloading sites and apps are going to handle this.
The question is, how do you add that certificate? Is it easy and straightforward (with plenty of scary warnings), as a user? Or is it going to be a developer options deal? Or will I need root to add the cert?
I’m not sure what that answer is right now.
I just want to finish this post with a few words about trusted computing models. Plainly: Apple has been doing this for years … That’s why you download basically everything from an app store with Apple. Whether on your Mac OS device, your iPhone, iPad or whatever iDevice… Whether the devs need to sign it, or the app gets signed when it lands on the store, there’s a signature to ensure that the app hasn’t been tampered with and that Apple has given the app its security blessings, that it is safe to run. Microsoft and Google have both been climbing towards the same forever.
Apple embedded their root of trust in their own proprietary TPM which has been included with every Mac and iDevice for a long ass time. Google also has a TPM, the Titan security module, I believe that was introduced around Pixel 3? Or 4? Microsoft made huge waves requiring it for Windows 11, and we all know what that discussion looks like. Apple requires a TPM (which they supply, so nobody noticed), Google has been adding a TPM and TPM functionality to their phones for years, and now Windows is the same. None of this is a bad thing. Trusted computing can eliminate much of the need for antivirus software, among other things. I digress.
We’ve been going this way for a long time. Google is just, more or less, doing what Apple has already done, and what Microsoft will very likely do very soon, making it a requirement. Battlefield 6, I think, was one of the first to require trusted computing on Windows and it will, for damned sure, not be the last that does. The only real hurdle here is managing what is trusted. So far, each vendor has kept the keys to their own kingdoms, but this is contrary to computing concepts. Like the Internet, it should be able to be done without needing trust from a specific provider. That’s how SSL works, that’s how the Internet works, that’s how trusted computing should work. The only thing that should be secret is the private signing keys.
What Google, Apple, and Microsoft should be doing, is issuing intermediary keys that can sign code signing certs. So trusted institutions that create apps, like… Idk, Valve as an example, can create a signature key for Steam and sign Steam with it, so the trust goes from MS root to intermediary key for Valve, to Steam code signing key, and suddenly you have an app that’s trusted. Valve can then use their key to sign software on their store that may not have a code signing key of its own. This is just one example based on Windows. And above all of this, the user should be able to import a trusted code signing cert, or an intermediary cert signing cert, to their service as trusted.
Anyways, thanks for coming to my Ted talk.
This is about ReVanced, isn’t it? They failed to kill it via the YouTube backend so now it’s down to lock down the OS and browsers as much as possible to keep feeding people the juicy ads.
I just hope that the Graphene devs continue to support the last supported versions of Android that allow installing apks.
I couldn’t be happier with my P7 that has been running Graphene since day one. Zero Google. Zero problems
So yeah we’ll do a decentralized Linux phone of sorts, if Google is going full 3rd Reich with Android we’ll move to a Linux based OS phone.
Simple as that.
If Google is going to lock down my device to the point where I can’t install apps without their permission, I might as well dump Android and go straight to Apple. I sacrificed my phone being good for the openness of the platform, but if Google loses that openness, why shouldn’t I go with Apple?
Openness isn’t just a nice to have. It is essential.
The difference between general purpose computing and gatekept walled garden computing is night and day.
Identifying the devs is not in the “need to know” for Google. Google sells or helps to sell a general purpose open device where it is on us to exploit that device however we will.
Now Google wants to switch to a walled garden, moderated development model.
If Google promises it won’t use those dev IDs to moderate development, their promise is only worth the wind it moves and the sound it makes.
You might say their words are like farts in the wind
We don’t even need to assume: https://torrentfreak.com/apple-revokes-eu-distribution-rights-for-torrent-client-developer-left-in-the-dark/
now while at first view, your sentiment is understandable, i actually kinda differ.
when you buy any product at any store, i believe that there has to be a legal entity behind the store that sells you this product, and the legal entity needs to be identifiable. i.e. if you run a shop and give packages to people, you need to show ID to open up that shop. i believe it is the same for charity organizations which give away packages for free.
now, why would it be different for apps? apps are software packages, and if they’re given away, there should be a legal entity behind it that is identifiable. this isn’t to surveil or suppress people, it’s just how business has always been done, and for good reason so. businesses need legal representatives to operate, even if it’s a charity, because otherwise there’s nobody to “talk to” when there’s issues, and also imposters would have an easy game.
that doesn’t mean that you can’t donate packages away on the streets. just put it in front of your front door and wait until somebody passes by and takes it, or give it directly into the hands of your friends, you don’t need to open a business for that. just, if you do it regularly, interacting with people you don’t personally know, there is a legal entity that represents that recurring activity, like a business or charity.
If i understand it correctly, even with the new changes, what can be done is that open software distribution sites like F-Droid can sign the packages instead of the original developers and therefore circumvent the identification of the original developers, and also you can still install unsigned third-party apps if you enter a command on the command line to disable ID certificate checking. it’s just an extra step, not a block-all.
This change requires you to attach your real name when publishing software. That’s all. You can still publish to and install packages from anywhere. This doesn’t come close to Apple’s complete control.
Google already scans packages you’re installing for malware and alerts you and allows you to install them anyway. This gives that scanner one more tool to identify bad actors.
This was the main reason I have a spare android phone to install whatever I want on it and just factory reset if there’s an issue. Android / Google is really shooting itself in the foot cause there isn’t a point in owning an android after this imo
Christ. Some cheap phone for calls, SMS and banking. Some other device for literally everything else, perhaps I can get it with a headphone jack again.
I have LineageOS on my second phone, so the issue doesn’t apply to custom ROMs, as the developers assured me. On my main phone, however, I still have the stock ROM because it’s a new and expensive phone, and there are no custom ROMs for it yet, especially as it’s a MediaTek. If they try to block sideloading, it would be a good time to report it to the European Union.
How does this affect “second-party” apps (i.e. apps you have created yourself)? Are you still allowed to go to Android studio, make an APK, transfer it to your own phone, and install that app? If no, this spells the death of experimental indie developers on Android.
They might copy from apple. 3 apps with a self signed cert that needs to be renewed every week…
I think I am just done with the whole concept of the convenient prepackaged tech product, and especially staying “connected” with them.
For example, I stopped wearing a smart watch this summer and it’s been a positive. I was the type to wear it 23 hours a day and track my sleep with it and everything. It turns out that not instantly seeing every notification or knowing the exact minute of the day are not a big deal, and are even good for me.
Part of what I’ve also done is use my phone a lot less and my linux desktop a lot more. I use it as a mobile communication device and not my computer for everything. I guess the next time I need to replace it I’ll either get an iphone since everybody in my family has one, or I’ll see where these wonderful Linux phone projects end up.
I’m wearing my smartwatch as a wristwatch. All notifications are off, but I see the temperature, UV index, step and calorie counters, which is nice. And if I ever want to review my sleep data, pulse, SpO2 saturation and location history, I got it available just in case. And for the very rare case that my phone is charging and I want to access messages from another room, I can do that manually.
In all fairness to smart watches, mine is what turned me on to regularly checking the UV index. That’s an important thing for all people, but especially me because I have an increased skin cancer risk due to unrelated medical stuff. And it was extra-extra important this year because I have done a ton of good work outside this summer.
And to be more specific about my watch situation, there’s more going on than just avoiding notifications. I have been minimizing the amount of stuff I keep on my person in general, right down to finally getting my wedding ring tattooed on this year. There are various reasons ranging from abstract introspective life improvement stuff to the practical where that outside work I mentioned was constant and pretty rough on anything on my hands/arms.
So even if I wore a nice mechanical watch, I’d probably still be going with the double bare wrists right now.
> In all fairness to smart watches, mine is what turned me on to regularly checking the UV index.
Can’t you just do that on your phone? Surely if the UV is high, you just plan accordingly for the day? Sunscreen, wide brim hat, stick to the shade where possible, etc. I can’t imagine what benefit constantly checking the UV on your watch gives you. Even if it did happen to fluctuate for some reason, you would be wasting so much time constantly ducking in and out depending on what your watch says at any given moment.
Yeah you are absolutely right. I do just check it on my phone or PC now.
But having it constantly visible for the months or years I had it on my watch face etched the habit into my ADHD brain. It also gave me a feel for how weather and time of day affect it. But not in a way where I try to vibe measure the UV index. It reminds me to check the weather data. :)
You’re pissed about it? Visit here: https://opencollective.com/postmarketOS
IMHO that’s our best shot. Totally Google free, mainstream Linux kernel.
Don’t worry as the current OEMs continue to lock down bootloaders and lock required drivers behind copyright and other restrictive licensing schemes they will ensure nice things like PostmarketOS at best remain fringe and never able to replace modern phones for daily usage.
Most of them will but hopefully we will still have projects like PinePhone or Fairphone that will support it.
Does this also work with android tablets? Or is there a separate os for those?
Here you can see the current state: https://wiki.postmarketos.org/wiki/Devices
In theory it will just be another Linux able to run on everything Linux supports + Android hardware. Honestly I don’t know if it will ever run on common modern phones but it should at least be possible to run it on more “open” phones like Fairphone or PinePhone.
These are the most supported devices, maintained by at least 2 people and have the functions you expect from the device running its normal OS, such as calling on a phone, working audio, and a functional UI.
If the above is where we are at still with PostmarketOS, it will be a decade or more before it is anything more than a curiosity. The table stakes of what people, even us tech nerds, expect from a smartphone fit for daily use is so much more than “it can make phone calls and the UI works” it is not even funny.
Can you just refuse to upgrade your 2021 or previous (nothing on their device list applies to models released after 2021) to not be affected by this policy change? I have never noticed a useful feature in android version upgrades for quite a while now.
I bought a Pixel recently and for 2 days I tried to make it work. 2 whole days of fumbling pain! And I felt fucking horrible. Almost nothing is customizable and everything coated in a thick layer of AI. Every google app has dark patterns. Don’t like it? Well too bad, apps like goog photos keep on asking if you want to upload your life with a recurring popup that tries to trick you. Don’t want Google Search Bar? Well… you don’t get to say no bitch, don’t make me hurt you. It is not a healthy relationship.
So. I just took the plunge and flashed GrapheneOS. Graphene will take a bit of work getting replacements for some of my needed apps like mail and map. But there are lots of neat options and I’m having fun with it. Problem fixed.
I used the Graphene web install. I booted up my Pi 4B+ and used gnome-disks to flash a MicroSD with Ubuntu 24.10, then installed the two packages in the web install instructions, then I got Brave (I went to the Brave homepage and they have some curl option to download. I needed to install curl, did that, then got Brave installed). Once Brave is installed you have to disable browser fingerprinting memory reduction and disable the “brave shield” (the little shield near the address bar) for the web installer GrapheneOS page. (It’s a fresh install, on a Pi, and I know the site, no real risk.)
After this you can just press the big buttons on the page and follow the instructions on the page.
There are many ways to do this. They have lists of compatible browsers and operating systems. I picked (eww) Ubuntu and (eww) Brave because they seemed easiest on the list and I did not virtualize or use containers in any way cause it messes up the WebUSB magic the website uses. I like to play it safe as possible when firmware is involved so I didn’t speed up the instructions. And also when you buy a Pixel, big thing! Turn on dev tools and toggle your OEM bootloader setting off and on again. If it can’t do that you need to return the phone because it’s locked down by carrier.
Well… I hope my long sleep deprived ramblings help someone else break their chains. Read a bunch about it before starting! Good Luck!
Will this kill F-Droid? I imagine yes since you have to install it from a download.
I haven’t watched the video — I would generally rather have text form content — but if Rossman is announcing the same thing that I just read about elsewhere, it’s not a removal of sideloading. It requires that a developer register and provide Google with personal information for Google to let them create packages. Assuming that Google is willing to let the F-Droid developers register an account (which I assume they have) and sign the F-Droid package, it should not restrict installation of the F-Droid package.
However, you wouldn’t be able to use F-Droid to install any packages that didn’t conform to Google’s new requirements.
I doubt that the restriction is at the store app level, but at the package installation level. That is, I would expect that the F-Droid or Google’s store app or whatever says “install this package” and the OS refuses.
https://developer.android.com/developer-verification
> Starting in September 2026, Android will require all apps to be registered by verified developers in order to be installed on certified Android devices.
>
> Step 1: Verify your identity
>
> You will need to provide and verify your personal details, like your legal name, address, email address, and phone number.
>
> If you’re registering as an organization, you’ll also need to provide a D-U-N-S number and verify your organization’s website.
>
> You may also need to upload official government ID.
>
> Step 2: Register your apps
>
> You’ll need to prove you own your apps by providing your app package name and app signing keys.
And especially any youtube app that blocks ads. OF COURSE Google will never allow Newpipe, Revanced, FreeTube and so on to be installed on Android phones ever again.
I have no idea if this shit is coming to android tv, but i turned updates off just in case as I use SmartTube Next on it to watch ad free youtube. Ugh. Fuck google.
You can use F-Droid and other install sources on alternative ROMs.