Recently Google decided that in the future for an app to be installable on an Android device, the developer of this app needs to be ID’d and registered at Google. They claim this is in order “to better protect users”. However, I think this is a move to get more control over the Android ecosystem, and the data they can collect with it. If anyone who wants to develop an app for Android devices has to be registered with Google, this puts all the power of who to allow distributing an app to Google.
Furthermore, F-Droid shows that safe app stores can exist without registration, neither of users nor of developers. There is zero malware or spyware on the F-Droid store. What there is on F-Droid is thousands of beautiful, useful and, most importantly, safe apps. And this entire ecosystem is at risk, because Google wants to gain more control over its users and over the Android operating system.
I’m not really an expert on Android but isn’t it available in open source?
I’m curious why we don’t see more open source phone hardware and a fork of Android that doesn’t have egregious centralization. FOSS ideology has solved this in many areas.
Is the core issue that banking apps won’t run without signing or in a “secure environment”? And Google’s apps won’t run without play / Google services?
That is one issue. The next is that software support on phones is generally poor because there’s lots of proprietary drivers and they don’t have a common base system like computers do (BIOS). So building custom ROMs is difficult, doesn’t scale well over the number of different devices and they often don’t work great in the areas of camera, accelerated graphics and wireless networking. Installing custom ROMs is also too difficult for the majority of people, and requires bootloader unlock which is either not possible at all or at a minimum cancels the warranty.
I’m gonna lose it if I can’t use Seal and Fossify, man ;-;
What does seal do?
It’s a video downloader for all kinds of websites, including YouTube.
Huh neat! Thank you.
Jesus, that post is bleak. It’s basically “Please write your political representative to do something or we’re forced to close up shop”. Since all our political representatives are walking around with massive hard-ons at the idea of surveilling us, it’s basically a poorly veiled goodbye note.
Honest question: what else can they do anyway? They cannot fight this war alone.
They really can’t, I’m not blaming them. Maybe they could pivot resources to contribute to sailfish or postmarket in some form. Android is pretty much dead for people who want to own their devices at this point.
I was sold a device (Pixel) that runs the software I want. If Google is taking that away, Google should offer to buy back my phone. Without F-Droid or control of my device it’s no longer fit for purpose.
Will you be able to install the fdroid store with ads?
I believe Google is doing this to comply with the Cyber Resilience Act; no chance that this requirement is going away in the EU.
Please explain how this is even related to that
Of course, the DSA already requires app stores to collect copies of identity papers, but it excluded small enterprises. I guess that’s why F-Droid didn’t have to do that, so far.
The CRA takes effect in 2027. Maybe you could come up with some argument for how Google could do this differently. But why should they bother to lawyer this? It’s not their problem, and they’d only be damned for pushing back.
Article 23
Identification of economic operators
1. Economic operators shall, on request, provide the market surveillance authorities with the following information:
(a) the name and address of any economic operator who has supplied them with a product with digital elements;
(b) where available, the name and address of any economic operator to whom they have supplied a product with digital elements.
2. Economic operators shall be able to present the information referred to in paragraph 1 for 10 years after they have been supplied with the product with digital elements and for 10 years after they have supplied the product with digital elements.
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02024R2847-20241120
Do F-Droid and free FOSS count as “economic”?
Google is collecting those names. They certainly have to comply. They are responsible for FOSS on their products. Wouldn’t want Google to get out of regulations by going open source…
The OSS community extensively lobbied for exceptions. You can click the link and see for yourself how much open source gets mentioned. The more professional foundations like Mozilla should be safe, as well as individual contributors. I’m not so sure about the in-between; individuals with FOSS repositories who collect donations.
Makes me WannaCry ☹️
Bad ransomware jokes aside, it actually really does…
I think that they will leave the possibility to install apps from ADB
You can install apps like that if they’ve been signed with a developer key. Or, I’m guessing, if you’ve compiled them yourself and signed them with your developer key.
F-Droid could still work, but it would need to be signed with a developer key, and any apps on there would need to be signed with developer keys.
I mean, it’s worked for Apple so far. And if this is, as others have suggested, an effort to comply with EU attacks on privacy, then just maybe there’s a tiny silver lining in Trump leaning on the EU to stop it.
What I don’t understand yet: custom ROMs don’t need that dev verification. Everybody cries now, that F-Droid can close shop, if Google comes through. But why? F-Droid would still be the #1 distribution platform for de-googled ROMs. So why this “that would kill F-Droid” sentiment?
I mean, yep: it is a shitty move by Google, but who expects non-shitty moves from Google these days? Of course they will punish and oppress their customers. That is what Big Tech is here for. If anything we ought to help those users.
Phone hardware is getting locked down too, making it much harder to install custom ROMs. This is a full court press on our rights to use our devices as we want. They’ll close most of the loopholes.
To what others say (not many people use custom ROMs) I’ll add that using F-Droid on a Googled ROM is often the first foot into the ecosystem, that might comfort people into committing to a custom ROM.
But Google also stopped publishing device trees for their devices. And they are withholding the Android source code until release. Android is being developed in secrecy behind closed doors now. Public access to security patches is delayed by four months.
Google is increasing their chokehold on the platform. Development and maintenance of custom ROMs is getting more and more difficult. More and more vendors such as Samsung and Xiaomi are removing the possibility to unlock the bootloader. Installing a custom ROM was never a mainstream thing, and it is increasingly becoming impossible for most people.
Yep. As I wrote: Google does shitty things. It’s time to try to establish an alternative OS for mobile.
The majority of users don’t use custom ROMs. Who wants to develop an app with no audience? Who wants to develop open source software on a platform that is more and more behind closed doors? I see why developers don’t agree with their terms. We need the right to use the software we want on our devices.
Do a lot of people use custom ROMs? As much as I am interested in the software, the main reason I haven’t installed them is the hardware limitations. I admit this isn’t a topic that I have a lot of knowledge on, but I assumed very few people who use FDroid are using custom ROMs and that FDroid was developed to run on stock Android specifically, even if it can be made to work with other ROMs.
No, probably a very small minority. Still, for those F-Droid is THE “store”. So, I don’t get how that “kills” F-Droid in any capacity. Anyhow, one could hope, that people who love F-Droid but are not de-googled yet would try out a custom ROM to keep their favorite store.
Ah I wasn’t aware FDroid ran on custom ROMs. I think perhaps the fear is that the userbase goes way down and kills any desire to keep up the project. I hope that isn’t the case.
So Google says it is for security when all the malware is on its store…
It makes no sense at all. It is clear why they want to do that. This is another level of gatekeeping and should be illegal.
Of course: Securing their monopoly is paramount.
There is zero malware or spyware on the F-Droid store
That is a bold claim considering that:
- Proving that something does not exist is very hard
- F-Droid allows you to rely on third party repositories (and makes it easy)
Although Google have to be mad lads if they actually think people are not responsible for what they install after having to enable developer options, accepting 2 popups and eventually adding a custom repository to F-Droid.
F-Droid is in a bit of a bad position to argue here, as it does have a genuine security vulnerability that many choose to avoid the service for. Basically, while they say “our store is safe and contains zero malware” this isn’t necessarily true of the 3rd party repositories you can subscribe to with their app. So, if an attacker compromises the F-Droid app on your device, they can subscribe to their own repository and load malicious apps onto your device through the F-Droid app.
Unfortunately this move by Google is a bit of a death knell anyway. I can’t see governments preventing Google from doing this, particularly not now they’ve established means of access (paying) for data Google holds, and especially since governments (eg UK) are now mandating you install government apps on your phone.
This is circular.
if an attacker compromises the F-Droid app on your device, they can… load malicious apps onto your device
Could be rewritten:
if an attacker compromises your device, they can compromise your device
You’ve already lost when they put the first malicious app on.
Google itself has tons of malware in the play store, I don’t buy the security argument.
Yup, that’s a genuine vulnerability.
Then again, the playstore hosts predatory adware that legislation was forced to blunt.
Of the two, you have a higher chance of being scammed/harmed via the official playstore than by fdroid.
Yes absolutely. In fact, you’ve touched on the very issue that people don’t understand with Google - the likelihood of the risk.
Most people think that because the consequence of Google getting your data is low, it’s a lesser risk than a hacker getting into your device (very high consequence). But likelihood is just as important with risk. It’s very unlikely a competent hacker will attack your device (more so with good practice on your part), so the risk is still low even though the severity is high. But it is an absolute certainty that Google will get your data - so even though the severity is low the risk is still significant, and arguably Google present a more significant risk than a hacker.
I’m not advocating using Google over F-Droid, or that Google’s change here is good, or even lawful. This is a textbook anti-trust type case that the EU prosecuted against in the past. However, unfortunately governments seem gung-ho for this to happen this time around.
All I’m saying is that if F-Droid want to tout the security of their service, they probably shouldn’t leave the door open for attackers to use their app as a vector for attacking devices. Their response to this wasn’t strong enough to justify their implied claim that they are at the forefront of security. They’re much better than Google, sure, but they should be trying harder if they want to lead.
On the contrary - it’s not Google getting one’s data that is to be avoided. They are a law abiding (if law bending) entity.
The issue is there are apps on the store that take data for third parties, who then proceed to sell that data to threat actors who have a phone number and a user profile (great for scam calls).
The adverts within apps can also be predatory - preying on gambling addiction (I know this for a fact, I worked in the gambling industry), loneliness (AI partner boom), and inexperience (oh god the crypto scams…).
There is a greater probability of issues, but the severity is underplayed if examined without a psychological lens. When this is taken into account - the playstore offers a greater probability of lesser harm, and an equal (or greater) probability of severe harm.
The issue is that Google considers them getting your data as more important than allowing you to evade the data collection of third parties that pay them.
The issue is Google’s profiteering.
Agreed!
I disagree with the notion that letting users make their own decisions regarding where to install apps from is a vulnerability. That’s how computers have always and are supposed to work. It’s like saying banking apps are a vulnerability because people can transfer money to scammers through them.
Why do you think vulnerabilities and functionality are mutually exclusive??
Of course being able to connect to other repos is a useful function of F-Droid, I use it for several. However, functionality also opens up potential doors for attackers.
The most effective way to secure your device is to limit functionality. Then, it becomes a trade off between what functionality you want or can do without, and what potential risk you’re willing to accept.
It’s easy to ignore risk and enable all functionality, and sometimes that’s nice to do, but you’ve got to find a balance.
My point here is that F-Droid is arguing about their viability because of their security, while running a service that has a known vulnerability.
Under this thought process, Linux is the most insecure OS.