AFAIK this only applies within Singapore (not sure if this applies to visiting devices) for apps requesting certain permissions (RECEIVE_SMS, READ_SMS, BIND_NOTIFICATIONS, and accessibility) downloaded outside of app stores (F-Droid is fine) and opened directly on the device (adb install is fine).
You can probably bypass the restriction by just disabling Play Protect if you don't want Google to tell you what you can and cannot install, but I'm not in Singapore so I can't confirm if that will work or not. That said, Google has made it impossible to disable Play Protect while on a call, that's probably a smart move.
> In some cases, before downloading the malicious APK file, victims would also be guided to disable Google Play Protect that helps to prevent harmful downloads. Once Google Play Protect is disabled, victims would not receive alerts that there is malware introduced into their mobile phones. Victims may also be asked to download Virtual Private Network (VPN) applications from Google Play Store which would facilitate scammers’ connection to their Android device. Scammers would then be able to bypass the banking anti-malware measures and remotely access the victims’ banking accounts with the phished ibanking login credentials.
skybrian · 13h ago
Also, people in Singapore seem to be particularly vulnerable to scams:
> Pang is just one of tens of thousands of Singaporeans to fall foul of scams last year, who lost a total of S$1.1bn, according to police, a 70 per cent increase on the previous year. The true figure could be even higher, according to the Global Anti-Scam Alliance, which estimates that more than two-thirds of Singaporean victims did not report their experience.
> This is a small part of a global criminal enterprise worth an estimated $1tn, but Singaporeans, affluent, digitally advanced and compliant, are particularly vulnerable to these scams. As one person involved in the recovery of assets put it: “They are rich and naive”.
This is blaming the victim, and I'm not having it.
The problem has been that BankCorp are all forcing us into online pathways because it's cheaper for BankCorp. Of course, they don't put good security on the pathways because that would dramatically increase the customer support cost for BankCorp. Getting scammed is "just sucks to be you" because that costs LittlePlebian.
The "solution" is that liability for these kinds of scams need to be on BankCorp, period. LittlePlebian simply cannot be expected to protect themselves from every professional scammer in the universe beyond very basic measures. Bitcoin people regularly get scammed and they are supposedly more "sophisticated" than the average bear. Nobody less sophisticated stands a chance against the professionals.
bsimpson · 12h ago
It's also unclear why this post even exists, except as simple marketing FUD.
> Powered by PureOS, a Debian-based Linux operating system, the Librem 5 and Liberty Phones
Can their devices run APKs? The only Linux distro I know of that does is Sailfish, whose weird licensing model makes it really hard to take advantage of unless you have an obscure, obsolete phone and flash it with the image they sell.
To their credit, Purism has invested more into touch Linux with Phosh than most others in the space have, but Linux on a touchscreen is still a befuddlingly garbage experience.
Unless their experience is impacted by the features they're writing about (which it doesn't sound like it is), this post is just trying to make its mainstream alternative sound bad in the hopes that someone buys their crap instead.
stonogo · 9h ago
Purism devices can run Android APKs via Waydroid. I don't think this Google policy materially affects that, though, so I'm also mystified why they bothered writing this article.
mordnis · 11h ago
Thanks for the context!
Pxtl · 13h ago
Worth noting - was that before or after Google started getting painful decisions in court battles on the App Store thing?
Because this is not going to be super positive for them on that front.
> victims would also be guided to disable Google Play Protect that helps to prevent harmful downloads.
I feel like there's only so much a company can do when it comes to balancing protecting users from themselves vs allowing users free rights over their own computers, especially when users have gotten habituated to ignoring incessant safety warnings caused by attempts to protect users.
I also keep wondering how safe the Play store is from this stuff. The very existence of obscenely detailed public GPS datasets about Android users show that even "official store" apps are somewhat malicious.
I don't see a real solution besides giving a smart and friendly 3rd party admin rights over the devices of susceptible users.
ethbr1 · 8h ago
> I feel like there's only so much a company can do when it comes to balancing protecting users from themselves vs allowing users free rights over their own computers
Convert to a one-time escape hatch unlock via a random-question quiz hosted by Google that assesses security and computing knowledge?
If the intent is to prevent the dumbest users from doing something, then a good place to start would be an assessment to determine if a user is actually dumb or not.
It's oxymoronic to attempt cover-all methods that encompass both (a) advanced users who do want to sideload & (b) people who will type in anything the internet tells them will make a cracked app work.
rafram · 14h ago
This is a few paragraphs of fluff and then an ad for Purism.
zodiakzz · 10h ago
I immediately mentally discarded everything I read once I realized it's an ad. Can we please get a better link @dang.
fsflover · 14h ago
Obviously, from the upvotes, people are worried about the direction of Android development and are interested in the alternative.
raincole · 11h ago
Obviously, from the upvotes, people only read the title.
hn8726 · 12h ago
The article is a blatant clickbait not written in good faith, and not painting the whole picture. Obviously
rrix2 · 12h ago
Obviously, you're free to submit an article that discusses this better or from a primary source, i'd love to read it!
> In a pilot program launched in Singapore, the tech giant now blocks the installation of certain sideloaded apps—particularly those requesting sensitive permissions such as SMS access or accessibility services—if they are downloaded via web browsers, messaging apps, or file managers.
There are a lot of qualifiers on this: Only in Singapore, only on apps requesting certain permissions frequently used by scams, and only when downloaded via certain paths.
I don’t see the full details but this implies that it’s still possible for advanced users to side load whatever they want. They don’t want to make it easy for the average user to start sideloading apps that access SMS permissions or accessibility controls.
If it takes a few extra steps for the advanced user to sideload these apps that’s not really a big infringement on freedom like this purism PR piece is trying to imply. Unfortunately sideloaded apps are a problematic scam avenue for low-tech users.
> The move, developed in partnership with Singapore’s Cyber Security Agency, is designed to prevent fraud and malware-enabled scams.
This explains why it’s only in Singapore for now.
soulofmischief · 14h ago
I think you're dismissing legitimate concerns without fully understanding them, because through the right lens you realize how this can be anticompetitive in the mass market.
Even if some technically inclined folk can install what they want, the masses will stay in the walled garden so that Google can get their cut and exert ideological control. Even now, both Google and Apple engage in practices across their product that are designed to scare people away from third party applications. From Google's terminology when describing Google in banners as "a more secure browser" etc, to Apple requiring a secret incantation in order to run unsigned apps.
All of this kind of mind control bullshit should be eradicated via regulation. Companies should not have a license to be deceptive towards their users.
Klonoar · 13h ago
The comment you're responding to includes the line:
> The move, developed in partnership with Singapore’s Cyber Security Agency, is designed to prevent fraud and malware-enabled scams.
Your comment seems to disregard it and instead lay this entirely at Google's feet as if they're seeking anti-competitive behavior - but if this was driven by a government, does Google really deserve all the blame?
(Note that I am explicitly not endorsing the move. I think sideloading should be left mostly untouched.)
azalemeth · 13h ago
Singapore is far from a nation known for free speech or to pick the side of liberty should it come into conflict with security. I've no doubt whatsoever that approved apps on a CTS "hardware backed" remote attestation phone is more secure. It's also possible to remotely own such a device unambiguously, and provides a central place where apps can be taken offline. It's win win from the point of view of a security agency. It's not from mine.
card_zero · 13h ago
> partnership
Could mean anything from reluctant to opportunistic.
m4rtink · 10h ago
Isn't the Singapore government pretty authoritarian? They might have other motivation than just pure user security.
HeatrayEnjoyer · 12h ago
Google has already been weighed and found guilty of creating and persisting systemic anti competitive policy.
soulofmischief · 13h ago
> Your comment seems to disregard it
Because it's irrelevant.
> but if this was driven by a government, does Google really deserve all the blame?
Of course. If the government ordered Google to assist in a genocide against some demographic, and Google goes along with it, it doesn't matter if the government is also evil. Google is evil for playing ball.
And we don't have to speak in hypotheticals. Both Google and Amazon are actively engaging in tech-assisted genocide.
I have boycotted Amazon for a while now and I'd boycott Google too if it wasn't so pervasive in my professional life.
redavni · 12h ago
When you understand that this is not literally the truth, but is actually still true.
soulofmischief · 12h ago
I'm not sure what you're talking about, mind elaborating?
redavni · 9h ago
I would love to, but this is the wrong forum. This is going to sound weird if you understand these events purely literally, but me and you are ideologically aligned, but not dialectically aligned. There is a much greater truth to this entire situation.
soulofmischief · 8h ago
And what is that truth?
SoftTalker · 13h ago
The masses will always stay in the walled garden. It's where they want to be and they don't even realize there are walls. It is just what is for them.
EvanAnderson · 13h ago
> The masses will always stay in the walled garden. It's where they want to be and they don't even realize there are walls. It is just what is for them.
The walls should have open doors, though, versus prison bars. Physical switches on devices (much like older Chromebook devices had) used to opt out of the walled garden should be mandated by consumer protection regulations.
tuckerman · 12h ago
It's not entirely unlike the qualified/accredited investor rules which won't let you invest in unregulated securities without income/net worth/certification requirements. No form exists which would allow someone to say "hey, I get why these wall are here, but I understand and am opting out of your protection".
I personally think there should be (I value individual rights/freedom over preventing someone from harming themselves), but I also see why we ended up here. When bad things happen, people demand action and government wants to be seen as doing something.
AstralStorm · 10h ago
Really, we're talking Singapore, which is one of the most restrictive places in the world.
Have the EU counterbalance this closing with extra fines for anticompetitive behavior.
abletonlive · 11h ago
> Physical switches on devices (much like older Chromebook devices had) used to opt out of the walled garden should be mandated by consumer protection regulations.
I don’t want to live in the same society as the person that wrote this asinine comment with this much confidence. We are just ideologically incompatible
gmueckl · 10h ago
How so? I understand the tension between freedom to tinker and consumer protection. It's OK to assign different values to either of them. And there are definitely ways to reconcile the two positions. Some of that will have to come through nuanced regulations.
For example, it could be regulated that if the flip is switched (or a fuse is blown irreversibly) on a device, responsibility for the device and its software fall entirely onto the owner. So if they get phished on an unprotected device and lose their life savings, it's entirely on them. Manufacturers and service providers have no obligation to support them.
soulofmischief · 8h ago
Once you have enough power to legislate and enforce this, what's to stop a future administration from tightening the ratchet just a little bit further and forcing users to purchase TPM computers with unbreakable DRM and encrypted blobs running who knows what, and no ability for users to modify their system, change hardware or operating systems without either running afoul of the law or losing access to banking and insurance?
EvanAnderson · 7h ago
My comment (GGGP) was about regulating devices to require physical switches to allow the owner of the device to opt for freedom. I'm not sure where you got DRM-type stuff out of that.
I think efuses being blown by device manufacturers should be illegal.
I think bootloaders that don't allow the device owner to run whatever software they want should be illegal.
I think device owners should be permitted to repair their devices without losing functionality because of DRM embedded in the parts themselves.
I think a physical switch, exercisable only with physical access, should be present on locked-down devices to allow the owner to exercise their ownership over the device. If that means that "attestation" functionality breaks and that causes some third-party software to "break" so-be it.
(I think the problem with banks, etc, requiring "trusted" devices is also in the realm of consumer protection, probably in banking regulation. I haven't thought about it deeply.)
gmueckl · 8h ago
Well, you do realize that there are already a lot of laws covering these things, right? If you're this cynical, then you need to realize that stuff like what you describe could be legislated at any time. There's no real barrier.
sapphicsnail · 11h ago
Normal users complain about not being able to change things on their devices all the time. My whole family was pissed about the latest android update because Gemini was foisted on them and they didn't know how to turn it off.
g-b-r · 12h ago
It's a misconception that the masses want it
I don't think they cheeref at the arrival of the Microsoft Store on Windows, for example.
That's what's pushed for on the current smartphones, and they accept it; they easily don't see the problems, and it can seem complex for them to avoid it.
SoftTalker · 12h ago
Other than when talking with other techies and on forums like this one I've never heard anyone complain about ads in Windows or the Microsoft Store. Again, for most people, computers and web sites and apps just are what they are. They don't even realize there's any other way.
soulofmischief · 8h ago
Yeah, it's like saying the masses wanted high-fructose corn syrup, or lead, or asbestos, or BPA, or CFCs, or whatever other cost-saving or profit-increasing but classist and consumer-hostile product or practice was foisted upon us and sweetened with deep propaganda and gaslighting, bankrolled by global corporate interests.
mschuster91 · 13h ago
> All of this kind of mind control bullshit should be eradicated via regulation. Companies should not have a license to be deceptive towards their users.
I agree with you. However, the impact of scams should not be underestimated either.
soulofmischief · 13h ago
To me it seems like fighting teen pregnancy by preaching abstinence. We should be teaching a higher baseline of computer literacy, and providing more secure systems that keep the user in control and in the know when it comes to their own device and the software running on it.
Attacking the problem by reducing user freedoms and increasingly monopolistic control is not the answer, even though Google's PR department would tell you otherwise.
nazcan · 12h ago
As far as I know the reason you don't preach abstinence, beyond enforcing your morals, is that it is not effective.
So the question on if this effectively reduce scams is the first question to answer.
soulofmischief · 12h ago
Yeah, it's definitely a piece to the puzzle. I still think it's not so hard to prove that increasingly technical literacy, outlawing deceptive UX and language that prey on information asymmetry, and providing increased autonomy with more fine-grained and visible security controls is a net win for the population, whether or not this particular method of Google's is effective enough against spam compared to some baseline.
AstralStorm · 10h ago
Agreed. Android already has seriously big whitelisting requirement for installing applications from outside the Google Play store.
The correct way to do it would be to whitelist other good stores, and allow developer mode installs with an extra process that says explicitly I am extra sure this may be danger, but no. This would reduce Google's income streams.
The way I see it, it must be attacked the way default Internet Explorer was attacked.
sfRattan · 9h ago
> To me it seems like fighting teen pregnancy by preaching abstinence.
More like fighting teen pregnancy by mandating chastity belts... With the same ultimate problems too: those most determined to overcome the block will make use of bolt cutters or their digital equivalent.
TechDebtDevin · 13h ago
.... This doesnt stop scammers. Software will never stop scammers. Its pretty wild that people would be willing to sacrafice their freedom permantely so a scammer can spend two weeks thinking of another approach to scam.
mschuster91 · 10h ago
You are correct. But it's not about stopping scammers, it's about making their lives as difficult as possible. The problem is, as seen with Facebook [1], even that was not enough to stop "self-xss" exploits.
The actual way to stop the scammers would be to sanction their host countries into oblivion: India, Philippines and Myanmar are big in targetting English speaking countries, and Turkey when it comes to German speaking countries. Scammer Payback alone has made so many complaints with very little follow up from local authorities, partially due to open corruption. Either these countries clean up their act or they get dropped from SS7 (phone) and the Internet. But I see no way of this ever happening.
> There are a lot of qualifiers on this: Only in Singapore, only on apps requesting certain permissions frequently used by scams, and only when downloaded via certain paths.
Only certain permissions actually matter. That's one of three.
But "only in singapore so far" is not reassuring.
And "downloaded via certain paths"? Browsers and file managers are the normal ways to put files onto a phone. That doesn't reassure me at all.
eddd-ddde · 8h ago
Browsers and file managers are absolutely not the "normal ways" to put apps in a phone however.
Dylan16807 · 8h ago
Well sure but "app store" is already excluded by the context of sideloading.
blacksmith_tb · 14h ago
Unless they block ADB, I wouldn't say it's accurate to claim they're "blocking sideloading". That said, it's clearly a balancing act between protecting people from installing malware but allowing them to intentionally install things they really do want to install, regardless of what permissions they need.
Zak · 13h ago
Every time the technical sophistication required to install apps from anywhere but Google's store (I don't love the term "sideloading" since it kind of denormalizes the act) is increased, the chances anyone will put in the effort to distribute apps any other way goes down. It also means apps Google doesn't want in its store are less likely to get made; I'd really like to see something that prioritizes notifications for me, for example, and I think that's against Google's rules.
I'm sure making it harder to obtain software outside a first-party app store provides some protection to some users from scams, but I really don't want that to be the answer. I don't claim to have a good one myself.
jeroenhd · 13h ago
They don't, and they don't even block F-Droid. You can also just disable Play Protect (though Google won't let you while you're on a call, probably a smart move). According to the Singapore police, scammers also have victims download VPNs of Google Play to work around the regional restrictions.
I don't think the restrictions are doing much for victims. I assume Google was pressured into doing this by the authorities, or may be doing this to get in a good spot politically.
cAtte_ · 13h ago
requiring a user to own a PC in order to sideload apps (with adb) would, in fact, count as blocking sideloading, albeit partially. so i don't think that's the right limit
FergusArgyll · 13h ago
I've sideloaded apps for other people. They don't have to own a PC but it's true that it'll slow it down, so you do have a point.
mystified5016 · 13h ago
Yeah, just like you can sideload on iPhone by desoldering the flash, decrypting it, and modifying the OS.
Just because something is technically possible does not make it a solution
blacksmith_tb · 12h ago
That's a little higher bar than plugging in a usb cable and running ADB... but I would agree that most users probably won't figure out how to sideload from a terminal.
kgeist · 12h ago
>There are a lot of qualifiers on this: Only in Singapore,
We had a big client from Singapore who only agreed to buy our SaaS subscription after we integrated SingPass (Singapore's national digital identity system) for user login.
When I read "Singapore" in the OP I immediately remembered about it.
The client is not with us anymore, but we still have this thing somewhere in the codebase :)
IshKebab · 12h ago
Boiling the frog though... Obviously they're not going to roll it out all in one go.
hiccuphippo · 10h ago
They can still add more locations later.
I would prefer if Google moved in the direction of giving apps fake permissions. Otherwise the scammers will just move onto another layer.
Lammy · 13h ago
Once it's normalized it's just one more step to block everything. No thanks.
thaumasiotes · 2h ago
> There are a lot of qualifiers on this: Only in Singapore, only on apps requesting certain permissions frequently used by scams, and only when downloaded via certain paths.
Those "certain paths" include "file managers"; how exactly would you sideload an app without providing the file?
aiauthoritydev · 13h ago
It will always be possible to side-load apps on Android if you really want. It is one big strength of Android. There are many Android's no-internet deployments in the wild that rely on this feature.
tdeck · 13h ago
I've got to say, some of the comments here are pretty funny.
> "The sideloading restriction is easily solved by installing GrapheneOS"
> "Unless they block ADB, I wouldn't say it's accurate to claim they're "blocking sideloading"".
Not to pick on these folks but it's like we on HN have forgotten that ordinary people use phones too. For some of us, it's not a limitation as long as we can solder a JTAG debugger to some test pads on the PCB and flash our own firmware, but for most users that's just about as possible as replacing the OS.
crossroadsguy · 12h ago
There was some Ubuntu (or Linux) forum where I had asked a question and I wanted an app or something (I can't recall now) which was easier to use and do repeatedly. Most of the people were replying with stuff like "why can't you just do <something that involves lots of CLI and more than an hour ro so>" or on the lines of it.
I, someone extremely new to Linux (hell, new to computers), was bewildered. Then a commenter replied with something that helped me and exactly what I needed. He added a note directed towards others which went something like - the battle for Linux as THE desktop OS was sabotaged by its most ardent practitioners.
godelski · 12h ago
> the battle for Linux as THE desktop OS was sabotaged by its most ardent practitioners.
This definitely happened with Arch. For some reason they killed the noob guide (which I helped maintain). It was a great guide that helped people go from noob to kinda knowing linux.
You can't have wizards without first having noobs.
Why gatekeep people from enjoying the same thing you enjoy?
Well, I guess all that gave us EndeavourOS and Manjaro. But still, we need more places for people to learn that nitty gritty stuff.
Hell, I'd love to learn more about the hardware hacking the OP is talking about. Love to learn about those GPU hardware modifications people do. I know it's hacker news, but I'd actually love to learn about that hacker stuff. If these companies are going to continue to fight this hard to prevent us from owning the things we buy, it sounds like an important thing to learn. Or else we're soon going to have robot butlers that are just sending lidar maps and high resolution photos of our homes back to these companies. We don't need elitest pricks, we need wizards teaching noobs
drdeca · 10h ago
Regarding gatekeeping, there was one webforum I used to visit when I was a kid, which I think approached this in an interesting way. Most of the boards were available to the public, general users could post in them (other than the one that announced rules of course), but there was a subforum which could only be accessed by those who had demonstrated some minimum level of competency. Specifically this was a forum about programs for bots for a for-kids MMO (said MMO didn’t really have PVP that depended or gear or levels or anything, or a way of trading items or anything like that, so there wasn’t any player economy. So I think these cheats were pretty harmless. Well, except for the people making bots move in arrangements to make offensive symbols.). The process was, one could submit a program one had made that did something interesting, and they would judge whether it was sufficient to be allowed in to the subforum.
I think this had the benefits of:
• allowing people who don’t want to bother with newbies to not have to, if they stay in the subforum
• still having the places for “people who are skilled and willing to work with/help newbies” and “people who are skilled but don’t want to deal with newbies much” be in a sense the same place, while also having the place for the latter be the same as a place for newbies.
• provides an incentive for newbies to become skilled.
_____
Of course, this method doesn’t work if no one is willing to engage with the newbies. But I think it’s probably fine/reasonable to keep outsiders away from a few things provided that there is a reasonable path in.
Though, I’m not advocating that the approach that forum used be implemented everywhere. I just think it is something that a community could reasonably choose, depending on their priorities.
rightbyte · 9h ago
C'mon name the game. I need to know now.
drdeca · 5h ago
It was “Club Penguin”.
The forum was primarily about the “Penguin Client Library” (or “Penguin Client System”, I think they went back and forth about the name?), which allowed writing PHP scripts to interact with the game servers.
Why PHP? I think maybe it was originally so people could use it to make web forms where people could put in their username and password and it would e.g. give them whatever item, but that kind of cheat was blocked very quickly, and I think it just remained in PHP for historical reasons, so instead you had a bunch of people running PHP on their local machine to run a bot doing normal game actions (but combined in unusual ways). Or maybe it was just the language the devs were most comfortable with, idk.
keyringlight · 11h ago
Something I know from a past role is that teaching is demanding, and for any broad audience you've got to consider the range of different thought processes that you may need to provide your knowledge in different ways. As someone trying to increase my linux skills (and assess the best one for potentially migrating/supporting my parents) it doesn't help that a lot of linux documentation comes across as barebones, or very concise about the one way it's meant to be done with a certain distro (plus potentially outdated on an earlier version), and a general lack of explanations.
As example toy projects I'm trying to test out dnf-automatic because I'd prefer not to have the admin work of manually keeping on top of routine updates, but there's little feedback (although so far that's better than pacman on Arch which specifically expects atdmin), or learning why a distro has set up swap/zram/zswap the way they have, what the limits are on that config, how to measure what my system uses and if/how to adjust it. There's little guidance within the system to get you up to that level, and to open another can of worms the terminal-first approach in linux's DNA usually doesn't present anything but the bare essentials for whatever tool you're running, but any extra/wasteful information shown could nudge you where the next step is.
godelski · 2h ago
> teaching is demanding
But rewarding. What makes it less rewarding online is we don't see the benefits. We don't hear thanks. Which we should say more often
> a lot of linux documentation comes across as barebones
One thing I try to encourage is writing documentation. People are extremely resilient to this and I'm not sure why. It has a lot of benefits. I forget what I did, it helps remind me.
But people often claim no one else will read it or it's obvious. I think we've all dealt with the frustration of dealing with undocumented code. Seen how much time it takes because of the lack of documentation. Why doesn't this encourage writing documentation?
When docs are scarce and you have access, add a little. It can be built over time. Some is better than none.
The other thing I do is write notes. I put a lot of them in my dotfiles actually. This means I keep them just text (or link for images) and these can get carried around with me. I hand them out frequently and am always happy to have others contribute or share theirs but honestly I don't know a single other person that does this. But I find it extremely helpful. I reference them all the time. Granted, they're written for me but I think more people should.
randmeerkat · 12h ago
> Hell, I'd love to learn more about the hardware hacking the OP is talking about. Love to learn about those GPU hardware modifications people do. I know it's hacker news, but I'd actually love to learn about that hacker stuff.
This, I feel like ever since the fall of Twitter, a true hackerspace has been missing for awhile.
johnisgood · 10h ago
> For some reason they killed the noob guide (which I helped maintain).
Is it up or archived anywhere?
godelski · 2h ago
You can probably find an archive somewhere but it's utility is probably low. It did need constant maintenance. Which was fine. There were enough of us.
In fact, I even got more people to contribute. I used to say the best way to learn Linux is to install arch. To come back to me after your third failure. It's rough, but you learn a ton and accelerate really fast. Telling people to expect failure helps. They know it's not them being dumb and they won't ruin their computer. Plus, they have a safety net and I promise I will help, but the real lesson is the struggle.
vegadw · 10h ago
Oh I am so pissed about the noob guide thing. I have intentionally removed my post about my bad interactions with the Arch community from my website, but if you're curious it's in the history: https://github.com/VegaDeftwing/OpGuidesHugoSrc/commit/dcc07...
The TL;DR: Arch gets harder year over year as the number of ways to setup/options for each piece of your system grows. Hell, even picking a bootloader among 10 options is confusing. A guide that just at least says "This is common for X, this for Y, the others are interesting and may be worth trying. If you don't want to investigate now, use X" Is DESPRATELY needed.
I tried to have that on my site, and a pretty high level arch forum admin came buy and told me to delete my website and made a PR just deleting the page. It was honestly one of the most rude and hateful interactions I've ever had online.
Am4TIfIsER0ppos · 12h ago
> Why gatekeep people from enjoying the same thing you enjoy?
That's an easy one to answer: they will eventually demand that Foo changes and remove things they do not like. It has happened to all media, it has happened to all software, you can be damn sure it will happen to something as modular as a Linux distribution.
godelski · 2h ago
> That's an easy one to answer
It was rhetorical
Really, I'm calling people dumb for gatekeeping the things they enjoy. Things change regardless.
With Linux, you can have your distorts. Because Linux people tend to understand that you don't build "products" but environments. Places to build from. To build in. It's not always but it's a good idea. You can't make a product for everyone, but you can make an environment for everyone. It's why a computer or a phone is so universal but iOS or Android isn't
ang_cire · 11h ago
This seems to falsely assume that technical users are more aligned with whatever the status quo is, and non-technical users are the ones who are looking to change things. In reality, technical users become technical users because they want to make changes, and 'casual' users just use whatever app/OS/etc is given to them, as-is.
Having bad or no support for your software isn't some good way to keep it 'pure', it's just keeping it less useful/relevant. Linux is OSS: fork it if you don't like something new, but don't hurt the ecosystem.
Deliberately hamstringing software or documentation so that others will stay away and not make changes is literally antithetical to OSS as a philosophy.
Jubbleroot · 9h ago
> This seems to falsely assume that technical users are more aligned with whatever the status quo is, and non-technical users are the ones who are looking to change things. In reality, technical users become technical users because they want to make changes, and 'casual' users just use whatever app/OS/etc is given to them, as-is.
Neither of this is true. There are plenty non-technical users that will be suggesting changes, there are plenty of technical users where they don't want things to change.
> Having bad or no support for your software isn't some good way to keep it 'pure', it's just keeping it less useful/relevant.
You are conflating "bad or no support" with "gate-keeping". Gate-keeping is about keeping riff raff out, but allowing those that are interesting to a path to being involved.
With respect to Linux distros. Linux is like a "kit". Different people offer you different "kits" called distros. Some of these kits may be given to you pre-assembled (Ubuntu/Fedora/Debian), other will require partial assembly (Arch) and some will require full assembly (Gentoo/LFS).
Arch/Void/Gentoo flavours of Linux don't advertise itself a user friendly distro like Ubuntu/Mint/Fedora. *It is expected you read the documentation and understand the command line*.
Thus why people were suggesting they should use the CLI tool. If a user doesn't want this, they should use something else.
Having a "noob" version of installation instructions for something like Arch/Gentoo will have the effect of allowing someone to fumble about and maybe achieve getting something functional, but they won't actually understand what they are actually doing and this will cause them problems in the future as they won't understand how to fix issues when they arise.
> Linux is OSS: fork it if you don't like something new, but don't hurt the ecosystem.
It is extremely difficult for even for large companies to run their own fork of large open source projects. Sure you can fork a smaller piece of software and maintain your own version, but anything significant you are unlikely to be able to do that. So you are forced either to use the changes you may not like, or you use something different, or you are are like the anti-systemd crowd essentially running a protest distro.
Also all the big forks in the software ecosystem is when two important factions have disagreed fundamentally on the direction of the project. We are not talking about individual users or developers, we are talking about the top tier developers/maintainers. A part-time/bedroom coder is unlikely to have any significant effect, even if they did it is often lead to burnout of these developers.
> Deliberately hamstringing software or documentation so that others will stay away and not make changes is literally antithetical to OSS as a philosophy.
Ignoring the fact that you are misstating the issue. It isn't antithetical to the philosophy at all. People decide their own level of involvement in any group activity. If you aren't willing to "pay your dues", then it maybe better for you to not be involved.
You will BTW see this to varying extents in Churches, Cricket Clubs and even your place of employment.
e.g. If you go to Church you have to accept certain tenants about the faith or at least respect them while you are there. I've been invited to Churches in my local area, by very nice people that I would like to get to know, but I can't believe in Christ, so I don't go.
ang_cire · 9h ago
> non-technical users that will be suggesting changes
Suggesting is not making. Non-technical users will not be making changes.
> You are conflating "bad or no support" with "gate-keeping".
If the support is intentionally removed with the goal of keeping out people, then it's both. That was the premise accepted by both of the comments above mine, hence my comment working from that premise.
> Having a "noob" version of installation instructions for something like Arch/Gentoo will have the effect of allowing someone to fumble about and maybe achieve getting something functional, but they won't actually understand what they are actually doing and this will cause them problems in the future as they won't understand how to fix issues when they arise.
Everyone is a noob at some point, so getting rid of documentation is only a means to prevent someone from learning. There is no cost to anyone if someone installs Arch without being an expert in the CLI.
> It is extremely difficult for even for large companies to run their own fork of large open source projects.
Agreed. And if there aren't enough people who are willing to support a fork to manage one, there aren't enough people to justify preventing a change that keeps the current version as it is (which is what in this case, that fork would be).
I.e. if there aren't enough people who support the current version, to maintain an unchanged version as a fork, there aren't enough people who support the current version to justify not changing it in the first place.
> If you aren't willing to "pay your dues", then it maybe better for you to not be involved.
Where are you getting this from? The whole conversation was newcomers making changes. Code contributions (i.e. changes) are explicitly the "dues" that OSS devs 'pay'.
> If you go to Church you have to accept certain tenants about the faith or at least respect them while you are there.
If enough of the congregation feels it needs to change, it will (or it will die out). Modern versions of religions look nothing like they did hundreds of years ago, and not all the changes happened due to schisms/ forks. Everything changes, or it dies.
Jubbleroot · 7h ago
> If the support is intentionally removed with the goal of keeping out people, then it's both.
No it isn't. Stating it is doesn't make it so.
If I expect you to follow a particular procedure and not support another (which is deemed initially friendly) that is perfectly valid. If it keeps people out that wouldn't otherwise be able to follow it, that is a positive, not negative.
It can gatekeep and be authoritative.
> That was the premise accepted by both of the comments above mine, hence my comment working from that premise.
And the premise is incorrect. Thus my comment.
There are also other reasons. Like having two version of the documentation causes confusion in itself.
> Everyone is a noob at some point, so getting rid of documentation is only a means to prevent someone from learning.
Not if the "noob" documentation obscures knowledge by letting people skip important parts of understanding the process.
> There is no cost to anyone if someone installs Arch without being an expert in the CLI.
Yes there is. That person will quiz people in discord, forums, voice chats, reddit etc when they will invariably be presented with an issue that they cannot resolve. Similarly that why people distro-hop.
RTFM response actually trains people to solve their own problems and is the correct way, by first following the process and then only asking when the process doesn't work.
> Where are you getting this from? The whole conversation was newcomers making changes. Code contributions (i.e. changes) are explicitly the "dues" that OSS devs 'pay'.
I was talking about the benefits of gate-keeping in general. I never said anything about specific about code contributions.
BTW, these people will affect code contributions. Much of the Linux desktop is a clone of other systems (typically Windows) to appease users that expect that UI. This actually dominated the conversation for about 15 years in linux.
If we are talking about the newbies. They have to prove they can follow the documentation provided i.e. RTFM.
> If enough of the congregation feels it needs to change, it will (or it will die out). Modern versions of religions look nothing like they did hundreds of years ago, and not all the changes happened due to schisms/ forks. Everything changes, or it dies.
Every group is lead by a minority. The minority in every group, set the agenda, not the majority. That is fact of life, if you think otherwise you are mistaken. Even revolts are usually led by people who are part of disgruntled minority. Every one of those changes would have been made either by someone important in the Church or the state (as the state and the church was typically tied).
Every single one of those changes were made by elites or governments at the time. Not the majority of the congregation. BTW many of the Churches in England and Europe didn't change that much, that why loads of these people migrated in the first place to the US.
BTW many young converts are going to the Orthodox Church because they see it as the most "OG" version of the Church, because some people crave what they believe to be the authentic experience.
eastbound · 11h ago
Well Linux can be used to plot crimes against humanity, can’t it? Can’t let that happen, think of the children.
RobRivera · 10h ago
hear hear
dingaling · 12h ago
Yet telling someone to open regedit, find some deeply-buried branch, create a new binary key, rename it to SetFocusRefreshTimeout and set its value to 0xFFFF is... desktop usability.
Demiurge · 12h ago
It's not, there is nothing essential a regular desktop user needs to edit in the registry directly. For better or worse, Windows has standard framework for things like GUI widgets, settings storage, installation paths. It might support decades of those standards, but I'm pretty sure you know that Linux kernel and Linux the distro are very different, and much more numerous, and logically do things differently.
JadeNB · 12h ago
> It's not, there is nothing essential a regular desktop user needs to edit in the registry directly.
I think that this reads better "there is nothing that Microsoft wants regular users to touch that they need to edit in the registry directly." The distinction between the two doesn't really matter as long as the user's interests are reasonably aligned with Microsoft's, but the modern Microsoft-the-ad-company approach to Windows means that this is not at all true.
lesuorac · 12h ago
Giving them a link to a msi that does that is pretty user intuitive.
cardiffspaceman · 12h ago
If they have been properly introduced to PCs it’s unlikely they will use that. I myself would use it after scanning it by eye for trickiness.
>the battle for Linux as THE desktop OS was sabotaged by its most ardent practitioners.
Don't believe that for a second. Industry de-facto standards are a result of power dynamics, and the actual users of the thing wield orders of magnitude less power than they project. If a corporation like MS or Google wanted Linux desktop to happen, no amount of gatekeepers could actually hold the gates.
The reason why Windows is the de-facto standard is because Microsoft put a lot of behind-the-scenes work into making it a de-facto standard. I am meaning them sabotaging everything else, treating the status quo with the famous EEE, many business deals with governments to use it, put it in school curricula, having manufacturers preinstall it to PCs, and bend every piece of connected tech to Windows' direction - hardware drivers, computer games, specialty software, even the internet.
That is how Windows got its desktop users, and how Linux and others didn't really.
Dylan16807 · 12h ago
> Most of the people were replying with stuff like "why can't you just do <something that involves lots of CLI and more than an hour ro so>" or on the lines of it.
More than an hour? That's very strange, enough that I wonder if you had the right impression of things.
Usually the reason to go with command line is that even though it might be bewildering to look at, slamming in the command only takes a moment and you don't need to do any button-hunting.
It's a tradeoff, is what I'm saying. But you seem to be describing a situation where it's significantly worse in every way. Why would a bunch of people all be on that bad plan?
HeWhoLurksLate · 9h ago
> More than an hour?
That's usually how long it takes me to get an FFMPEG command I'm planning to use more than once right
Dylan16807 · 9h ago
Well I sure hope they didn't just say "use ffmpeg" and gesture vaguely at a couple filters.
If you give someone an already-done ffmpeg command it should be straightforward to use.
cycomanic · 11h ago
One reason that people often overlook is that it's much easier (and much less error prone for the user) to give an instruction that uses the cli instead of a GUI tool, e.g. if someone would ask how to add a new user who's in the usb group on Linux, I would always tell the person `adduser --ingroup usb [username] ` instead of giving the GUI instructions which are longer and depend on what desktop the person uses.
ikiris · 10h ago
If you think a single add user command is comparable to things like use grapheneos or adb usb injection chains then you’ve missed the point here.
doctorpangloss · 9h ago
That may be. But the CLI guys have had the last laugh, no? An LLM can work through a terminal with decades of stability much better than it can poke around constantly changing product UIs.
avgDev · 10h ago
It once took me a few hours to get a printer working on Ubuntu, never again.
WWLink · 9h ago
That problem plagues every OS. Fortunately, my 14 year old canon networked printer/scanner/fax works in fedora 42 without any configuration at all. As long as it sees it on the network. Scans too! I was surprised about the scanning lol.
The brother wifi laser printer I have works on everything without any installation at all. Windows, mac, linux, my phones.
lenerdenator · 9h ago
To be fair, printers suck everywhere. I hate printers.
CamperBob2 · 12h ago
What's needed is a Dropbox analogue for Linux -- something that doesn't do anything that isn't already possible, but that makes things that are possible accessible to non-specialists.
It looked like SteamOS was going to be a contender, but apparently not.
vvillena · 12h ago
This is impossible by design. Decades ago there were some distributions that had this as a goal (e.g. Mandrake, Suse), they included an application similar to the Windows Control Panel to manage everything. But such applications can never reach into all the corners, unless the distribution is severely locked down. The example of this extreme is... macOS. And still, there are some cases where dropping into the command line is the better or even the only option.
Back on Linuxland, the userbase realized this about two decades ago, when Ubuntu launched. Having a nice default experience was considered better than having easy tweakability, because Ubuntu could also be configured to the fullest extent in the classic Linux way of reaching into the guts of the system and rearranging things to taste. Not that I would ever recommend tweaking Ubuntu too much, but it can be done.
What about the other end? Most people who like fiddling with Linux by reaching into its internals have settled on distributions such as Arch, where this way of managing the system is expected and thus the distribution works to ensure this experience is as easy and predictable as it can be, by providing a good happy path experience for common scenarios, and providing top-notch documentation for common and uncommon customization options, or minority hardware platforms and devices.
alterom · 10h ago
The control panel doesn't need to reach all corners.
Just enough corners to cover day-to-day usability so that new users would be able to help themselves if they get stumped.
That set of corners has been pretty much covered by Windows 95 when it comes to the GUI.
For tweakability, command-line interface isn't unfriendly — the commands are.
People love talking to ChatGPT. This tells you how friendly typing interface is.
I'm not saying that natural language processing should necessarily be a feature of the interface (although it could make a lot of things much smoother), but FFS, an interactive dialogue-based CLI is a much friendlier thing than "figure out the right incantation" paradigm.
charcircuit · 11h ago
Does Android not fulfill that role already?
lenerdenator · 10h ago
"... and just recompile the kernel!"
Waterluvian · 12h ago
People in general are very bad at knowing what the average experience is. We almost all have a predisposition to perceive our experience as being approximately normal, or if not, not too far away from normal. This is especially exaggerated anywhere experts of a domain congregate. They adjust to a significantly biased frame of reference. And that results in opinions that don't fall anywhere within the galaxy of what's reasonable for the vast majority of users of a given thing.
No comments yet
oneplane · 13h ago
Do ordinary people side load at all? Assuming most people use the phone to do something else, and not for the sake of using the phone, after you get the apps you want/need, ordinary people are likely to just do the same thing/consume the same apps over and over.
croemer · 10h ago
Yes, my health relies on it.
I sideload a glucose monitor app that's not available through Playstore (it's FOSS and health is a tricky area with liability).
It's a fantastic app and the ability to sideload it is a major reason I use Android over iOS.
I also sideload a patched app of the Dexcom glucose reader OEM's shitty app to allow the data to be read by the better (sideload) FOSS app.
Ok I'm not an ordinary person, I guess, but if I was I'd still use those apps and I know people who are ordinary and do so.
elzbardico · 12h ago
If I haven't prohibited him, I am pretty sure my 11 years old son would have installed dozens of pirated games and apps of dubious provenance on his phone.
But I am pretty sure that like any other teenagers since the beginning of time he obeys me, and has only rooted his phone for educational purposes.
His friends, though, I am not so sure.
nashashmi · 12h ago
Yes. We download an apk file. And then install it after it giving it permission that it is ok to install unverified apks.
Some of the more savvy ordinary people even export apps as apk for other phones.
bpfrh · 12h ago
I installed fdroid on a friends phone and they use it install newpipe and keep it up to date, without having a tech savy friend around to download the apk relase from github.
londons_explore · 12h ago
A lot of my non-techy friends have a sideloaded copy of spotify/youtube to get premium features for free. I think they just blindly follow some guide they find on tiktok.
plumeria · 12h ago
Spotify uses something like the Play Integrity API to prevent access using modded APKs.
porridgeraisin · 11h ago
There are still many modded apks that work. My friends still use them.
plumeria · 4h ago
I’m talking about the Spotify case, I’m sure there are a lot of naive apps that don’t use APK integrity checks.
consumer451 · 11h ago
I believe that the official DJI app required side loading on Android. Not sure if it still does.
omoikane · 12h ago
Majority of users don't sideload any apps according to:
You say that like 18% is just some rounding error.
About 1 in 5 users sideload?! That's not something to ignore
WillPostForFood · 12h ago
A majority do not, but the article characterizes it more positively:
Sideloading is a fairly popular practice. Our research indicates that 18.3% of mobile users globally engage in sideloading. In some regions, such as the Asia Pacific, the impact is as high as 43%.
ackbar03 · 12h ago
A lot of Chinese apps still do. Mostly cause I guess they don't allow Google play store in China (? I think it's blocked, can't quite remember for sure)
yread · 12h ago
Everyone should side load the epic games, just to stick it to the MAN/Google
ikiris · 10h ago
Installing the epic games launcher is just sticking it to yourself.
I love steam, but epic is very user hostile.
hiccuphippo · 10h ago
Too bad Steam doesn't have an app for actual mobile games. I wonder if there is an agreement between them and Google. I heard there was one with Blizzard from the Epic vs Apple/Google case.
miki123211 · 9h ago
> Do ordinary people side load at all?
Yes, usually when somebody calls them, pretends to be from the security department of their bank, and asks them to install an app to "catch the hacker who just stole $2000 from your account in the act."
In countries where Android is popular (not the US), this is an extremely common scam vector.
ge96 · 12h ago
I've only side loaded my own app through Android Studio
edit: which I'm not even sure if that counts as side loading
fsflover · 12h ago
They "sideload" apps on desktop, which we usually call "installing software". They would probably do it on a phone, too.
godelski · 12h ago
This!
It's crazy how we act like phones are dramatically different than other computers. An average computer user can go to a website, click "download" and then we think the average phone user can't do the exact same thing? It's the same people! They might be used to downloading from one location but it would be laughable to think they couldn't do the normal thing too
(To clarify, I mean apps. Things like GrapheneOS you're going to run into the same issues as expecting my grandma to install Linux. Might be doable but it isn't quite there yet)
saurik · 12h ago
And, worse, it isn't even true, right? As Google keeps adding more and more DRM tech to Android, along with APIs that let apps ensure they are running on "legitimate" software, installing GrapheneOS isn't even a viable option going forward unless you are effectively exiting the entire ecosystem anyway.
Aurornis · 11h ago
Making it difficult for ordinary people to sideload apps that access their SMS or accessibility features (e.g. screen recording, controlling the phone) is the point.
I think what people on HN really forget is that the average person isn’t equipped to tell the difference between a legit source sideloaded app or a Trojan horse app that some TikTok video instructed them to install.
palmotea · 11h ago
> Making it difficult for ordinary people to sideload apps that access their SMS or accessibility features (e.g. screen recording, controlling the phone) is the point.
I wonder if they could solve that with delays. E.g. you can sideload, but the process is deliberately delayed to take two full days and require carefully reading warning screens and correctly answering questions about the warnings, then getting time to think, multiple times.
axus · 12h ago
Replying to everyone:
Google changing defaults is a permanent change for some large percentage of their userbase. A subset of those can still figure out how to download and run an APK file but have no further recourse against monopolistic behavior.
Maybe those people do need to be protected from scams. Social engineers have complete control over the user, so any control given to the user is owned by the scammer. Seems like the same problem as pig butchering, a technology or process solution can't save someone too stupid to save.
Thinking about less controversial options for Google, they could track if any side-loaded apps have the dangerous permissions, and provide a global true/false status to other apps that request it. So Wallet / whatever would disable features if any "outside" apps were in a position to exploit the user. And Android could offer a button that cleans up the "problem" apps, setting the global status back to false.
rvnx · 13h ago
And official Android-based OS bring advantages too. For example, Samsung has lot of proprietary and useful features, and GrapheneOS you cannot use Google Pay (one major feature of a phone).
umbra07 · 13h ago
The primary reason why I haven't bought a Pixel and switched to GrapheneOS is because Samsung's OneUI is just so far ahead of the curve. They innovate new software features years before anyone else does.
behnamoh · 13h ago
I mean, Samsung and Xiaomi at this point pretty much just copy Apple, sometimes shamelessly.
nashashmi · 12h ago
First Sam/Xiam create something new. Then it does not catch on. So they kill it. Then when Apple launches it, they recreate it and launch it again.
sideloading apps was a feature that did not catch on. Now they kill it. Then when Apple launches it, watch them tout it again as a feature.
pdntspa · 12h ago
Apple already did. But Europe only!
lawgimenez · 12h ago
You mean like Android widgets has been around since the start and then Apple released their own subpar version after 10 years.
crossroadsguy · 12h ago
> just copy Apple, sometimes shamelessly
Right.
And something that Apple has been doing generally from Android (while trying really hard to catch up) - feature after feature and shamelessly releasing it as the next biggest revolutionary thing since the moon landing, or an invention shadowed only that of the wheel and fire.
In fact last few years of Apple's phone advancement has been nothing along with some features which has been Android for years. Or maybe that's not "copying", that's bringing "at par" which is of course different?
sfRattan · 10h ago
> GrapheneOS you cannot use Google Pay (one major feature of a phone)
News to me. Edit: I misread parent comment.
6581 · 10h ago
Google Play != Google Pay.
sfRattan · 9h ago
Apologies. I misread. Yeah, it sucks that Google Pay doesn't work on GrapheneOS.
Though Google Pay is also probably the least private of the major tech-company payment platforms (the others being Apple Pay, Samsung Pay, and Garmin Pay). It is, I think, the only one that actually requires an open network connection on the phone to work. The others all generate one-time codes that get sent through the payment machine's network for verification by Apple/Samsung/Garmin on the backend (i.e. you can tap an Apple Watch to pay with all its radios off, but you can't do that with Google Pay).
From what I gather, Garmin Pay can work with GrapheneOS if you have one of their smartwatches. And Privacy.com works, but not with tap-to-pay.
9-133-392-393 · 8h ago
> Garmin Pay can work with GrapheneOS
As an aside - I think the Paypal app in Germany offers HCE tap-to-pay, and In the UK/Europe 'Curve' is a Google pay replacement that runs fine on GrapheneOS (and they have first-party support for huawei phones that don't even ship Google play services anymore)
fifteen1506 · 12h ago
Yes, you are right [regarding Google Pay].
That being said, it is a reasonable compromise that, as long as people know that beforehand, losing Google Pay as the price to loosen Google's grip on your data, location and preferences is an acceptable one [price].
magicalist · 11h ago
> Not to pick on these folks but it's like we on HN have forgotten
The linked article is literally an ad for Librem phones though?
paxys · 11h ago
"Ordinary people" aren't sideloading apps one way or another. In fact this will help 99% of them, since for them sideloading is mostly used for malware and phishing.
ty6853 · 13h ago
Fortunately the overlap between people that distrust centralization and those who have higher aptitude for overcoming is synergistic.
ryao · 10h ago
They ordinary people would be the ones that need this level of protection, since a scammer would talk them into sideloading malware if the device permits it.
nullc · 13h ago
GrapheneOS is totally normie friendly.
When we last got new phones I put GrapheneOS on mine and my partners, I never subsequently had to play tech support on hers.
demosthanos · 13h ago
And who's going to put GrapheneOS on an ordinary person's phone in the first place?
The Web installer [0] is not really approachable to a normal Android user. The instructions are dense, loaded up with warnings about dozens of edge cases that are discussed in jargon that would intimidate even relatively tech-savvy users:
What's USB passthrough? Did I install my browser through Flatpak or Snap? How would I know? Did I need to understand the paragraph explaining in detail how carrier models lock users in? There's a bunch of stuff in there about Linux... do I need Linux? What's a sha256 hash and do I need to care?
It's not that this is impossible for non-IT-folks to grasp, but there's no chance that my parents are installing this on their phone.
You're right, but ironically the web installer is the most user-friendly way of installing Android. The GOS page simply documents technical aspects in great detail, but the actual process is no different from the stock web installer from Google[1]. It could easily be wrapped in a similar wizard-like UI without the technical jargon. The reason it's not is because the intended audience who would consider installing GOS is expected to be tech savvy, and they appreciate the details.
FWIW, GOS is an excellent project, but I don't think it's a good fit for non-technical users. But there's nothing stopping someone from creating a distribution of it with a preconfigured Google Play sandbox, some sane defaults and applications, to provide technical support, and to streamline the installation process, or even sell devices with it preinstalled. As long as that entity is trustworthy, it would be a good alternative for people who want to leave the Google/Samsung/etc. ecosystem, but don't have the technical knowledge or want to bother with installing and configuring GOS themselves.
It would be great if it were easier to setup but tech that works for normal users if someone gets in working for them is still useful. The first time I used Linux a guy at a meet up set up dual-booting and showed me the basics. Now I'm doing it for others.
fifteen1506 · 12h ago
It can be a non-binary option.
I have never installed OpenWRT on an home router -- too afraid to brick it, to deal with somewhat manual updates [I think].
I bought a GL.iNet. Totally normie, automatic updates. And then, "Hey look, this is... OpenWRT with a GUI!"
There are some [mobile] brands going on similar direction [albeit one that doesn't seem right to me]. Volla & Fairphone. They provide alternatives. I don't like them [the software options available for them], but alternatives exist, working out of the box.
HeatrayEnjoyer · 12h ago
I am legitimately glad for devs of graphene os and for it graphene working in your case but it is not functional if a user needs banking orr streaming apps, or any number of other impacted apps such as mcdonald's or pokemon go.... that is after installing the optional play services, reducing the privacy benefits of graphene.
I own no firsthand experience but read many users require app 2FA to make card payments.
The solution must be social-legislative. The London smog and terrifying auto deaths at 30 KPH were solved but not by niche enthusiast projects.
nullc · 6h ago
Works for banking apps for me.
My phone is play store free, my SO's isn't. I agree having the play store isn't great for privacy but for the purpose of this thread it isn't relevant.
codethief · 12h ago
> but it is not functional if a user needs banking orr streaming apps
Huh? Banking apps not working on GOS are a rather rare exception (which I have not run into ever and I use several), and streaming apps work just fine. I "only" use Netflix & Amazon Prime but other people attest[0] to Disney+, Paramount, Max, and SkyGo working, too – even without Google services.
oh come on please it's easy just /etc/init.apt-get/frob-set-conf --arc=0 - +/lib/syn.${SETDCONPATH}.so.4.2 even my grandma can do that
CaffeineLD50 · 13h ago
Murena has a preloaded fork.
Easy
fellowniusmonk · 13h ago
Ok, now try sending RCS messages?
CaffeineLD50 · 10h ago
I use signal. Don't need.
gbin · 13h ago
I am the first to be on the "I own my phone let me do whatever the heck I want with it" but recently something hit me.
DJI forces you to side load their app for their Air Units and Drones. And this is scary.
It looks like the rule they violate for the play store is that their app can self modify.
Let that sink in ... Any tension or whatever political bull crap happens and you have a state controlled malware on your device that can do anything it wants with your drone.
Millions of people installed this without really understanding what could be the consequences...
IshKebab · 12h ago
The solution to this is better controls over what the DJI apps can actually do, not having Google pretend to check all apps for malicious code.
Google clearly knows this. IMO the motivation here is obvious, and it isn't security.
al_borland · 10h ago
I find it interesting that all the things Apple did from the start in the name of security, Google is slowly needing to do over time in the name of security. Meanwhile, various parties (the EU being the big one) are pushing to have Apple role back some of these controls.
Zak · 10h ago
When a design decision has potential motivations that are based in security or anticompetitive behavior, my first guess as to Google's primary motivation is not security.
bigyabai · 7h ago
The parent is telling you what the obvious, correct solution is: secure the runtime. That's how MacOS stops attackers, that's how Windows stops attackers, and there's no reason to pretend that smartphones are some unique situation. Runtime security should not ever be treated as optional.
US Senators like Ron Wyden would probably tell you that Apple's approach harms your security overall. After all, he was the one that whistleblew Apple's hidden and warrantless Push Notification surveillance pipeline. Forcing you to rely on a first-party service you can't replace is never a secure option, not in the US nor Europe.
Ajedi32 · 13h ago
This is why "do whatever the heck I want with it" ought to apply to software, not just hardware. This is one thing I think Richard Stallman got right, all the way back in 1988:
> the freedom to change a program, so that you can control it instead of it controlling you; for this, the source code must be made available to you.
We're a long way from that ideal today. Software controls us all the time. Usually that just leads to anti-consumer annoyances like lock screen ads or DLC seat heaters. But when the one controlling the software that controls you is a communist government...
Not sure what the short term practical solution to this is though.
OsrsNeedsf2P · 13h ago
Nations already work with tech giants to get this in via OEMs. Blocking side loading only prevents hackers from disabling this malware.
Groxx · 12h ago
self-modification doesn't imply much when you can embed v8 in your app, which they take no issue with at all
jmb99 · 10h ago
The difference is, in theory if DJI were discovered to be doing something malicious, it could be taken down from the Play Store. If 0% of its current users were side loading the application, that means 100% of their users would be unable to install the app the normal way, and there would be substantial friction to migrate them to sideloading (a google of "install dji app" would probably return a bunch of news articles about whatever the problem was before dji's install instructions).
By making it "normal" to install the app via sideloading, there's little Google could do in the event of malicious app behaviour, and the majority of users would not find out about it (at least, not immediately).
lblume · 10h ago
The difference is that V8 is sandboxed.
Groxx · 9h ago
then replace "v8" with "arbitrary binaries" because that's true too. embed a lisp and do whatever you like, for example. Golang, C, Rust, Dart, etc are all quite common too, and nobody would call C "sandboxed".
all self-modifying really prevents you from doing is stuff like dynamically changing your permissions. which is a broadly reasonable restriction because it'd complicate the approval UI (and the actual enforcement mechanisms) quite a bit further.
gmueckl · 9h ago
I haven't seen a single widely used sandbox that has never leaked.
teitoklien · 13h ago
I don't know why you're getting downvoted when its very possibly true.
Just one month ago they found intentionally embedded Kill Switches in chinese provided solar panels [0][1].
Not even complex apps require capabilities of such self-modification, the fact that a DJI drone app, requires such capabilities, is quite suspicious especially as they are heavily involved in PLA Drone Warfare R&D and Capacity building.
The sideloading restriction is easily solved by installing GrapheneOS, which has all the security benefits of Google's Android on Pixel.
In parallel, Google has rolled out its Play Integrity API, which allows developers to limit app functionality when sideloaded, effectively pushing users to install apps only through the Google Play Store.
The issue is even bigger. Even when using Play Store on GrapheneOS with a locked bootloader (which is the recommended configuration by the GrapheneOS project), Google refuses to let apps use the hardware attestation support in the Play Integrity API [1], which blocks certain banking apps, Google Wallet, etc.
It's insane that Google lets Android vendors that have a lot of dubious security practices (months-late security updates, etc.) pass, while an OS that implements more security mitigations than PixelOS and is sometimes faster than Google rolling out security updates is excluded.
The move, developed in partnership with Singapore’s Cyber Security Agency, is designed to prevent fraud and malware-enabled scams.
> It's insane that Google lets Android vendors that have a lot of dubious security practices (months-late security updates, etc.) pass, while an OS that implements more security mitigations than PixelOS and is sometimes faster than Google rolling out security updates is excluded.
That's because it's about control, not safety.
JCattheATM · 13h ago
A huge problem with Graphene is the incredibly small number of supported devices. We need something that isn't as reliant on specific hardware, and while that would mean some security features are not supported it would still be better than most other options by far.
sfRattan · 9h ago
Unfortunately, Google's Pixel devices have been the only ones with hardware that meets all of the project's stringent security requirements, including a secure hardware enclave and multiyear commitments from the vendor to firmware security updates (I think 7 years of updates now for the newest Pixels). Those seem to be the big two things that no other Android vendor achieves together.
The GrapheneOS devs are serious about security, probably more focused on it than 99% of end users. That they manage to release a project with the high level of usability that GrapheneOS achieves is impressive, even if it isn't as convenient to the end user as stock Android. Ultimately, nothing will ever be as convenient to the end user as stock Android or iOS, but that's not the point of the project.
JCattheATM · 8h ago
> Unfortunately, Google's Pixel devices have been the only ones with hardware that meets all of the project's stringent security requirements, including a secure hardware enclave
That's my point, though. The projects security requirements don't need to be that stringent. By all means, take advantage of the hardware security on devices that offer it like pixel, but even on devices without that hardware security it would still be the most secure Android based OS available, and orders of magnitudes more people would benefit from having access to that.
sfRattan · 7h ago
> The projects security requirements don't need to be that stringent.
GrapheneOS security requirements very much do need to be that stringent. That's the whole reason for the project. Have something that is maximally secure within the most aggressive limits of what is possible today.
It targets end users who either have an acute threat model (e.g. journalists, dissidents) or are willing to tolerate some level of inconvenience (compared to stock Android) to gain the security advantages. Not everyone is willing to make that trade-off, and that's okay. I don't want my daily use phone OS to adopt a more permissive security model to appeal to a broader audience. I suspect most GrapheneOS users share that stance.
There are other AOSP custom distributions that benefit from the security improvements GrapheneOS is able to get accepted upstream (though Google is making this more difficult than it used to be). I think, for people who aren't willing to make the trade-off, a better path is to use another AOSP distribution on the hardware they prefer, or to establish a separate project to build a downstream version of GrapheneOS (under a clearly distinct name) for other, less secure hardware... Trying to shadow each release as closely as possible and make best use of Graphene's generally excellent software customizations (e.g. storage scopes, deny network permission, etc) without pursuing a hard fork.
I'd certainly like something similar for NVIDIA Shield Devices, for example. But I know that's not what Graphene's mission is.
The GrapheneOS devs absolutely will not listen to anyone asking them to loosen their security model. And thank goodness they don't! That's why I use GrapheneOS. It's why many do.
JCattheATM · 7h ago
> GrapheneOS security requirements very much do need to be that stringent. That's the whole reason for the project.
They don't though, that's just a nonsense claim.
Remove the parts dependent on the Pixel security hardware, and you still have a MUCH stronger android OS than anything else available.
> And thank goodness they don't!
Your reasoning does not support your conclusion.
sfRattan · 7h ago
>Remove the parts dependent on the Pixel security hardware, and you still have a MUCH stronger android OS than anything else available.
Yes.
And the correct course of action is a separate, downstream project with a different name doing exactly that and shadowing the GrapheneOS releases. Not a weakening of the GrapheneOS security model. If you don't want a maximally secure build of AOSP, you don't want GrapheneOS: you want something else. Maybe something substantially similar, but not GrapheneOS.
>They don't though, that's just a nonsense claim.
I don't know what is nonsensical about claiming that a project whose principal goal is to be maximally secure shouldn't weaken its hardware security requirements. The statement is closer to tautological than it is to nonsensical.
xvfLJfx9 · 12h ago
You need secure hardware to have secure software.
JCattheATM · 12h ago
Ideally, but in the absence of secure hardware secure software can fill a lot of gaps.
charcircuit · 13h ago
Android's key attestation API is supported on GrapheneOS that apps can integrate with.
Yes, but vanishingly few apps actually use that, rather than Google Play Integrity. As a result, in general it is fair to say that Android apps that require hardware attestation will not run on GrapheneOS. I say this as a satisfied GrapheneOS user.
Time to get serious about contributing to and using projects like https://postmarketos.org! We can continue to fork Android every release, but that's just re-arranging deck chairs on the titanic without upstream driver support.
fsflover · 12h ago
Or PureOS mentioned in TFA.
Lockal · 3h ago
A person from Singapore here. In practice, this changes nothing (from the news standpoint). The most critical applications are already integrated with Play Integrity API. Singpass (ID system) is 100% unavoidable for every long-term visitor and has strict Play Integrity integration (but attacker can select SMS flow and nullify the protection). Banks and all financial organizations require Singpass too, also use Play Integrity in most cases. The biggest bank DBS has extra checks, like "if there is an .apk in Downloads directory, then device is considered as compromised" (and they recently disabled SMS bypass). The most funny case that a similar protection is used in McDonald's app (again, maybe enforced only in specific countries): have something sus on your phone -- no burgers for you! They also have extra checks (i. e. device passes "strong integrity test", but app refuses to work).
Another note: this obviously does not prevent people from having multiple phones, feel free to buy an extra phone and install LineageOS/Gentoo/whatever you want.
Zigurd · 11h ago
The way this is designed appears to be entirely intentional and sensible. Yes, you can still install malware using ADB. It's just harder. That seems really sensible. It's a speed bump, but not a prohibition.
I also haven't seen any specific examples of software that's frequently sideloaded that would be unjustly discriminated against.
samtheprogram · 10h ago
Alternative app stores. See Epic v. Google.
I’m an Apple user, but above all I value choice. Isn’t the point of Android that it’s an open ecosystem?
ADB is arguably worse than what Apple did in the EU for sideloading to abide court orders, and Apple was lambasted.
Zigurd · 9h ago
I'm not a user of them so I can't tell you much about them or if they're all lame, but there are third-party app stores in the Google Play store.
Are there high quality or especially useful apps stores that are not in the Play store.
londons_explore · 12h ago
> [blocking apps] requesting sensitive permissions such as SMS access or accessibility services
These are the permissions most used to impersonate a user. SMS access lets an app log into every service you use and get OTP codes. Accessibility tools lets the app open your banking apps etc. whilst you're sleeping.
Singapore has big issues with identity 'trading' - and there are big signs saying things like "if a stranger offers to buy your phone number from you, and you accept, we will send you to prison for 5 years". Same with bank accounts, credit cards, etc.
Basically, if something is tied to your identity, and you let someone else use it for crime, then they're gonna punish you heavily.
miki123211 · 9h ago
This will impact the blind community in a pretty serious way.
In countries where Android is popular and iPhones are expensive, Commentary (Jieshuo) screen reader is a popular and arguably much better alternative to TalkBack, the built-in Android screen reader. Because it's a Chinese app and there's no major conglomerate behind it, it's not on the Play Store.
Because it needs to be able to read all screen contents and drive the entire system UI (that's literally what a screen reader is for), the permissions it requests are quite intrusive. Blocking it from accessing sensitive apps would entirely defeat its purpose, after all, if you need a screen reader in the first place, one that doesn't work in banking apps will be pretty useless to you.
Googlers will probably point to Webaim[1] and say that nobody uses the app so it's not a problem, entirely forgetting that Webaim is mostly filled out by well-off English speakers. If you look at data sources that better represent the global population at large, like the Yandex user survey, you will see something very different.
Will this affect alternative app stores like F-droid or is it only about downloading and installing an APK with a web browser?
An example of "normal" users that side load (through F-droid or direct APK) is most Ingress players. While Ingress itself is in the playstore most people use the "companion" intel app called IITC which isn't in the playstore as it's technically against the ToS.
qbane · 11h ago
The Google input method on my phone is patched by myself. So is the calculator, and many other everyday apps. I cannot imagine owning an Android phone without the ability of sideloading. Maybe I will consider rooting my phone and void my warranty on the first day with my every future Android phone.
mcflubbins · 11h ago
Can anyone using a Librem 5 as their daily phone report back as to how well it works. Specifically, how reliable are the most basic, and crucial SMS and calling functions? How's battery life?
I had a Pinephone a couple of years ago and receiving phone calls wasn't very reliable.
fsflover · 8h ago
Librem 5 is my daily driver, buy I'll just give links to good, extensive reviews:
Tl;dr: calls and texts work fine, battery life is not as good as Android/Apple but usable. Also you can replace the battery on the go.
throitallaway · 11h ago
> In parallel, Google has rolled out its Play Integrity API, which allows developers to limit app functionality when sideloaded
How about Google focuses on proper sandboxing and permissions models? With those in place where an app comes from should not be a concern.
Zak · 10h ago
That change is not for the benefit of the end user; it's for app developers with an adversarial relationship to their users who want to trust the client not to do anything unprofitable.
(And probably game anti-cheat)
awoimbee · 14h ago
I can't find sources to this one sided article nor can I find anything recent when searching for it
You also can't turn off Play Protect if you've enabled Advanced Protection on your account (which also enforces a range of other security measures) but that's fully opt-in and hasn't even been availble to the wide public for all that long.
wrs · 14h ago
This would have been a great time to explain how Purism protects users from malware better than Google while giving users more freedom, instead of just repeating the word “security”. If, in fact, that is the case.
I like Purism as an idea but, lord, is their marketing annoying. Between FUD like this and regular emails inviting me to become some kind of investor (if I search my inbox for "purism investor" I get dozens of results), I've begun tuning them out.
A4ET8a8uTh0_v2 · 13h ago
Sigh, same. I am clearly a 'believer', because I keep trying various alternatives and am disappointed that they come up short. And now that work started to effectively require phone to log in ( remote mostly ), I am genuinely considering apple as my next move. And I dislike apple a fair bit.
xbmcuser · 13h ago
To me this is ironic as Singapore Government own lottery and sports betting app has to be side loaded as Google play does not allow gambling apps.
harvey9 · 12h ago
That's odd because the UK has a lottery and it's app is in Google Play.
xbmcuser · 12h ago
does it have sports betting as well?
JimDabell · 13h ago
As I’ve mentioned here before, sideloading is a genuine security concern, not merely an excuse for Apple to exert control. There is a never-ending stream of people losing their life savings. It happens on Android and not iOS because Android allows sideloading and iOS doesn’t. There is a very real human cost to this.
> Police warn new Android malware scam can factory reset phones; over S$10 million lost in first half of 2023
> There have been more than 750 cases of victims downloading the malware into their phones in the first half of 2023, with losses of at least S$10 million (US$7.3 million).
> 74-year-old man loses $70k after downloading third-party app to buy Peking duck
> “I couldn’t believe the news. I thought: Why am I so stupid? I was so angry at myself for being cheated of my life savings. My family is frustrated and I ended up quarrelling with my wife,” said Mr Loh, who has three children.
> Singapore Android users to be blocked from installing certain unverified apps as part of anti-scam trial
> "Based on our analysis of major fraud malware families that exploit these sensitive runtime permissions, we found that over 95 per cent of installations came from internet-sideloading sources," it added.
> Android users in Singapore tried to install unverified apps nearly 900,000 times in past 6 months
> These attempts were blocked by a security feature rolled out by Google six months ago as part of a trial to better protect users against malware scams, which led to at least S$34.1 million (US$25.8 million) in losses last year with about 1,900 cases reported.
Shouldn't we block "sideloading" to all other kinds of computers as well, then, and make it illegal?
minitech · 8h ago
We should implement mechanisms that make it hard and obvious to do unsafe things and easy to do safe things, in all kinds of computers; even as an expert user, I don’t want to have to think about my text editor’s color scheme being able to access my bank. Yes, this necessarily involves a barrier to installing apps with certain privileges, and it should be high enough in software targeted at non-expert users to provide them with protection against scams. No, we obviously shouldn’t make it illegal for a user to do what they want, and nobody has even come close to proposing that here. That’s a straw man.
skybrian · 12h ago
Maybe just the ones that could be used to send all your money to scammers from your bank account or crypto wallet?
Computers are cheap these days. You can buy a Raspberry Pi to hack on and use something else for your money. If you like hacking on smart phones, carrying more than one phone is an option. You don’t need root access on every device you own.
zb3 · 12h ago
I'd want a separate, secure smartphone only for auth/banking... but Google makes this impossible by preinstalling their unremovable spyware. And if you dare to remove it, then poof - your device is no longer considered secure. Google knows what they're doing.
g-b-r · 8h ago
Everyone used web banking for decades on normal computers
zb3 · 12h ago
I'm tired of this crap where companies constantly restrict my freedom in the name of security.. the same thing happened to Chromium, where Google decided that MV2 was "insecure" so with MV3 we alsi lost the webRequestBlocking api which had nothing to do with that..
Hey, listen, I don't fall for these obvious scams and I even rarely install apps/extensions, but when I do, I know what I'm doing.
There should be a giant "OPT OUT" button (you press it, you're responsible for it) so I'd not be bothered ever again.
Zak · 9h ago
The fact that MV3 retained webRequest while removing webRequestBlocking should tell you everything you need to know about their motivations.
michalpleban · 12h ago
And how is it supposed to work in China, where the Google Play Store is blocked and sideloading is very common to install apps on Android phones? Looks like Google plans to throw its Chinese users under the bus.
tomComb · 11h ago
What Chinese users? Google pulled out of China like a decade ago when they insisted that Google censor search results.
throitallaway · 11h ago
How does this work for iOS devices? Sideloading on those through sketchy workarounds is a PITA.
transpute · 14h ago
Outside the app store, Android 15 on Google Pixels supports Debian Linux "Terminal" pKVM VM with access to Debian Arm packages. It doesn't yet support accelerated (v)GPU graphics, in development for Android and shipped on some Chromebooks.
AstralStorm · 10h ago
Is it forking time? It feels like it's forking time.
Seriously, just restrict it to signed applications unless debugging mode is active. With explicit permission from the user.
butz · 11h ago
It would be great to have more devices running PureOS available, especially a bit smaller ones than current generation "phablets". Where did all 4" devices gone?
aftbit · 14h ago
As long as AOSP and its various flavors continue to be viable alternatives, Android is still better than Apple. If you run Lineage or Graphene, I'm sure you can still "sideload" just fine.
Zak · 14h ago
Google works pretty hard (e.g. with SafetyNet/Play Integrity) to ensure those are only viable alternatives for people with a very high level of technical sophistication and tolerance for hassle.
hedora · 14h ago
I tried graphene, and came to the conclusion that it’s not a viable alternative to iOS.
1) Apps like uber, lyft, ev charging and parkmobile would crash with null pointer exceptions some weeks but not others, so for the use cases that force me to carry a phone, it doesn’t work.
2) There isn’t a modern e2e sync ecosystem, and backup is completely broken.
3) The camera sort of worked out of the box (pixel pro 6), but to get all the modes, I had to install sandboxed google play services, which halved the standby battery life.
Has this changed in the last 3-4 years?
gausswho · 13h ago
I would say it has improved substantially in the past years
To your items, and my experience on Pixels 7, 9, and 9a running GrapheneOS regularly for the last two years:
1. I use Uber and Lyft semi-regularly (disabled when not actively using) and don't recall experiencing any crashes. Can't speak to ev or parking apps.
2. It may not meet your definition of modern, but I am very happy with Syncthing Fork on phone alongside Syncthing on linux laptop and desktop (where I run restic nightly backups.) It takes some effort to set up compared to handing the keys to the big corps, I will give you that. I'm still unsatisfied with GrapheneOS backups, but mainly because I want them written to storage where my syncing can send them along, and be able to flash a new phone as if it were a regular drive. But that's maybe asking a lot on phone hardware?
3. Pixel Camera app I pull down from Aurora Store, decline Network permission, and takes photos seamlessly even without Play services. It won't let you actually view photos in app without the Google Photos app which is a bummer. I've taken to using Files to view them, which is cumbersome. Maybe I should just install Photos and decline network.
g-b-r · 12h ago
Isn't synchthing unable to access the data of the apps?
gausswho · 12h ago
if the app allows writing to sd you can have syncthing watch it. in this way i backup DCIM (photos), Obsidian, OpenTrack, and others.
g-b-r · 8h ago
That's extremely little, almost all apps only store their data internally and don't allow exporting it.
For games especially, it's a huge problem, especially if you don't use (nor want to use) a Google account
devmor · 14h ago
Not entirely - the article doesn’t explain it well, but from what I understand, one of the new features allows developers to prevent apps not installed via Google Play from using the device enclave.
Meaning if you want to use say, a financial app while on Lineage or Graphene, you are SoL if the developer decides to enable that feature.
I don't really understand why all sideloads are put into same category. Because the APK must be signed, and e.g. you could easily verify Facebook/Microsoft/bigcompany signatures.
josephcsible · 14h ago
I don't want a world where people can only sideload apps from big companies like Facebook and Microsoft.
cdmckay · 14h ago
I think what’s being suggested is that you could install any app but verify if it’s legit via the signature.
hedora · 14h ago
Facebook was just caught using loopback networking to completely bypass app sandboxes. If anything, I’d want to block any app that contains a dependency they signed.
charcircuit · 12h ago
>bypass app sandboxes
Apps on android are freely able to talk to each other. It is not a bypass to be able to do so.
aiauthoritydev · 13h ago
> In a pilot program launched in Singapore, the tech giant now blocks the installation of certain sideloaded apps—particularly those requesting sensitive permissions such as SMS access or accessibility services—if they are downloaded via web browsers, messaging apps, or file managers. The move, developed in partnership with Singapore’s Cyber Security Agency, is designed to prevent fraud and malware-enabled scams.
This is a reasonable restriction and I am surprised this restriction is coming now and not ten years ago.
Sideloading must be limited to tech savvy users only who know what they are doing.
g-b-r · 12h ago
> Sideloading must be limited to tech savvy users only who know what they are doing.
Who says so?
CommenterPerson · 13h ago
Hate the $megacorps too, soPurism sounded like a good idea. But half the links on their site are broken. It makes them look like a scammer unfortunately.
krunck · 13h ago
As long as AOSP - or /e/ in my case - doesn't go down this road I'm ok with it.
JCattheATM · 13h ago
Are you finding advantages with /e/ over Lineage?
casenmgreen · 12h ago
It seems to me this was inevitable.
Google could do this, and it's in their interest.
It happened.
charcircuit · 14h ago
The way this is worded suggests that installing using alternate appstores (that set the installer metatadata) will still work.
Also it's not clear what exactly it means. Does it have a dialog you can click through like play protect, does adb install still work, etc.
throitallaway · 11h ago
I enjoy Android is because of its relatively nonrestrictive nature. It trusts that I know what I'm doing. The highly locked down nature of iOS is a reason why I will never buy one of their devices. Google will drive me further away from their services (and into GrapheneOS, which has "no" Google hooks) with moves like this.
From the article, I presume this is being done in the name of "cyber security" (least common denominator strikes again.) In newer versions of Android, a few warnings/confirmations are shown prior to sideloading an app. I think the best solution here is to gate-keep sideloading behind Developer Mode. Enabling Developer Mode, then enabling side loading, would be complex enough to stop brain dead drive-by side loading from occurring. And (mostly) only people that know what they're doing enable Developer Mode.
Aldipower · 11h ago
My Motorola Razr 3 doesn't have this problem.
Animats · 14h ago
Ignoring the Purism ad, does this break F-Droid?
jeroenhd · 13h ago
According to Google:
> This enhanced fraud protection will analyze and automatically block the installation of apps that may use sensitive permissions frequently abused for financial fraud when the user attempts to install the app from an Internet-sideloading source (web browsers, messaging apps or file managers).
It probably hasn't since they started doing this last year, but once scammers find out you can publish your own malware F-Droid repo, they might.
fluidcruft · 12h ago
Fully open source malware via f-droid's automated builds. That's some popcorn.
kleiba · 11h ago
EU regulators to the rescue!
garbagecoder · 12h ago
It's OK if it's not Apple doing it———Someone, probably.
b0a04gl · 13h ago
imo this doesn;t feel like scam prevention, it's permission centralisation. the attack surface didn’t shrink, just moved upstream to whoever owns the allowlist.
everyone · 9h ago
Smartphones are just trash.. Totally stupid human interface design + the worst OSes imaginable.
I've totally gotten into modern AI, cus its actually useful, but I've always been a "luddite" re. smartphones. I've always thought they suck.
Smartphone = a computer that's shitty and dumb enough to be popular.
flmontpetit · 13h ago
The inexorable process of using security as a pretext to enshittify your platform carries on. I don't believe there is a meaningful difference between Google and Apple anymore.
dismalaf · 12h ago
How the hell does this get upvoted? This is major FUD by an Android "competitor". First of all, it just introduces an addition level of security, at the request of the government of Singapore. Second, it's a year and a half old. Third, it obviously hasn't affected side loading in other parts of the world 1.5 years later. The other restriction, allowing app makers to restrict side loading, is to combat piracy and it's again, up to the app makers themselves.
Garbage article. Also embarrassing so many fell for it.
theodric · 12h ago
The flexibility afforded by sideloading, which allows that that an Android phone is still for the most part a pocket-sized computer that can operate in a mode not intended by its creators (as opposed to a restricted consumption appliance like the iPhone) is what has kept me on the platform for 16 years and counting. If they take that away, then I really don't see a compelling difference between the two platforms.
Android has been getting markedly more flaky for me ON MULTIPLE GOOGLE PIXEL DEVICES since 2018. My current Pixel 8a on Android 15 regularly has the underlying UI controls (separate from the launcher) crash and force me to restart if I want to use the app overview switcher since day 1. I also have no app overview button in the stock Android calculator since Android 14, the shipped OS, so if I want to switch between a calculation and another app I must first return to the home screen. Wasn't like this in previous releases! Furthermore, the day/date is routinely cut off in the statusbar and its pulldown. This product passed multiple reviews and 2 major OS releases with these (and many other) obvious and irritating bugs and shows no signs of improvement. If they left these holes in the surface, I can only imagine what's underneath. It's ridiculous, but I guess we're cranking out complexity at a rate that exceeds our ability to manage it (or our ability to manufacture new fucks at a rate exceeding their consumption).
If Purism is shopping for new users, all they would eventually need to do is not get worse at a rate as fast as Android, or more expensive at a rate as fast as iOS devices. Based on what I've seen from them so far...they're not at that point yet: meager specifications, high prices. I will continue to cling to my Android device, but I'll cheer them on from the sidelines.
throwaway290 · 27m ago
> as opposed to a restricted consumption appliance like the iPhone
You can root iphones
cft · 13h ago
I am on Google ecosystem since the original T-Mobile G1 - now at Pixel 9 Pro XL. The moment this is rolled out, I am getting iPhones for me and family.
g-b-r · 12h ago
Where side loading is easier?
How about getting a linux phone? (or a dumbphone + a linux portable device)
CaffeineLD50 · 13h ago
I'm pretty sure my degoogled Murena /e/ OS pixel 5 won't have this problem.
shadowgovt · 14h ago
Do these restrictions require the phone to support Play Services and the Play Store? I'd imagine on a non-Play-Store phone this still won't be a thing, yeah?
superkuh · 14h ago
Let's not adopt the newspeak of the megacorps here. The actual headline is,
"Google Restricts Android Application Installation–What It Means for User Autonomy and Freedom"
The idea that you're not allowed to install any application without it coming directly from $megacorp is the new wierd thing. The idea of installing applications yourself on your computer is well established and normal.
"Sideloading" is a dangerous word that implicitly gives up freedoms. It should not be used.
f1shy · 14h ago
Actually in computers, there are also „safeward“ criping in…
It is imperative to avoid the term. It is just installing sw in the device you pay and own. I do not want any big-(brother)-tech protecting me. At most I would find ok if there is a config option, so I can set it to my parents, but no more than that.
soulofmischief · 13h ago
Agreed, if we argue in their language we have already lost the debate.
g-b-r · 12h ago
I could never believe how that word acquired widespread usage
mouse_ · 14h ago
Good take
mouse_ · 14h ago
the only security paradigm that is 100% foolproof is to assume breach. Taking away any number of users freedoms, big or small, does not change that.
Old computers, before sandboxing and Windows defender and real-time protection, were more secure, because people were less likely to plug their bank account information, social security number, birth date, and home address into them.
At a certain point we have got to level with the idea that a smartphone is no longer a general purpose computer in your pocket. It's more like a cyber passport. It knows everything about you and authenticates formal activities.
minitech · 8h ago
> Old computers, before sandboxing and Windows defender and real-time protection, were more secure, because people were less likely to plug their bank account information, social security number, birth date, and home address into them.
So they weren’t actually more secure – they were less secure and less useful (setting aside the questionable historical accuracy of where popular online banking sits in the timeline relative to OS security measures in that claim). Maybe if we relax the made up constraint that a change must create 100% foolproof security, we can have a more nuanced discussion about ways to improve security.
shadowgovt · 14h ago
Sure, but by the same logic old roads were safer because we used horses on them instead of cars and a horse won't generally plow into the oncoming lane if you fall asleep at the reigns.
It feels like this analysis really downplays some advantages making sandboxes and Windows defender and realtime protection got us in the average case (even if in the edge case someone can get hurt).
mvdtnz · 12h ago
This is an ad
ReptileMan · 10h ago
>These policies reinforce Google’s control over Android’s ecosystem under the guise of security but have sparked renewed concern over digital autonomy, innovation suppression, and user rights.
Ahhh yes. You want some of the action apple is getting from EU commission don't you?
Talking about the api-s that discriminate between playstore and side loaded aps. Which is not clear if are Singapore only
reify · 13h ago
there has never been Autonomy and Freedom, not from google, ever.
I have never ever used a fully loaded android phone with all the spying, surveillance apps and play services, amazon, facecrook, whatshit, running.
why on earth do muppets insist that they cannot live a life without google and the rest.
I have installed the latest AOSP on all my phones, including family aand friends.
I currently have a motorola edge 20 pro with android 15 installed.
and my very old oneplus 5T also has android 15 installed.
all my family and friends have either lineage or E/os installed.
I dont see the problem here. I hear no complaints.
fool me once, More fool anyone who thinks google, facecrook and whatshit is their friend.
Autonomy for me, MEANS, self regulation. this is severely absent in the lives of the modern human being.
pirateships · 14h ago
as long as I can continue to pirate android apps. one thing I hate about apple is that I have to pay for everything. annoying. information needs to be free as in no payment. the great thing about android is that it's so easy to find the APKs for any app, and unlock paid purchases and what not.
luckily for me and other others who are sailing is that you cannot keep sideloading without enabling pirating as well.
the rich techies can downvotes if they want but I and others in India don't have money to pay for your silly todo apps. ha ha.
NoSalt · 13h ago
After all these years, and they are still following Apple's playbook. Sad.
zb3 · 14h ago
Google should not be allowed to own Android, it gives them too much control.
hiddenfinance · 13h ago
Well they can, but isn't debian and freebsd on mobile here now? I know they are rough around the edges, but who still cares about Android or iOS in the long run? If I can run my mobile device with root access using debian or freebsd, why still bother with Google and Apple?
gausswho · 13h ago
A healthy competitor that grandma could use would change the world. Your alternatives are not there yet, and probably won't ever be.
bigstrat2003 · 12h ago
It doesn't even need to be something that Grandma can use. It just needs to be something that will let you pass the various "you must have a smartphone to participate in society" checks. But considering banks and the like won't even let you use AOSP in many cases, I sincerely doubt one can get a Debian phone to work.
gausswho · 11h ago
i hear the bank argument a lot and although i can understand the importance for those without another device, i'm a little stunned people rely on modern pocket spyware to monitor their accounts. maybe i know too much, or too little, but my banking concerns are infrequent and always in a browser.
zb3 · 11h ago
Welcome to Poland, where you can't transfer more than ~$13K daily without using mobile auth (bank app). Currently only the PKO bank implements this (and I hope this backfires on them), but I'd not be surprised if others follow.
zb3 · 13h ago
Which devices are you talking about? Do they have cameras, modems, NFC?
And you're not talking about running these systems on top of android, right?
aiauthoritydev · 12h ago
Decides who ?
zb3 · 12h ago
Antitrust laws.
msgodel · 13h ago
The smartphone app ecosystem is a net loss for most users sideloading or not.
AFAIK this only applies within Singapore (not sure if this applies to visiting devices) for apps requesting certain permissions (RECEIVE_SMS, READ_SMS, BIND_NOTIFICATIONS, and accessibility) downloaded outside of app stores (F-Droid is fine) and opened directly on the device (adb install is fine).
You can probably bypass the restriction by just disabling Play Protect if you don't want Google to tell you what you can and cannot install, but I'm not in Singapore so I can't confirm if that will work or not. That said, Google has made it impossible to disable Play Protect while on a call, that's probably a smart move.
Based on this article from the Singapore police, the approach doesn't seem to have helped much: https://www.police.gov.sg/media-room/news/20250417_police_ad...
> In some cases, before downloading the malicious APK file, victims would also be guided to disable Google Play Protect that helps to prevent harmful downloads. Once Google Play Protect is disabled, victims would not receive alerts that there is malware introduced into their mobile phones. Victims may also be asked to download Virtual Private Network (VPN) applications from Google Play Store which would facilitate scammers’ connection to their Android device. Scammers would then be able to bypass the banking anti-malware measures and remotely access the victims’ banking accounts with the phished ibanking login credentials.
> Pang is just one of tens of thousands of Singaporeans to fall foul of scams last year, who lost a total of S$1.1bn, according to police, a 70 per cent increase on the previous year. The true figure could be even higher, according to the Global Anti-Scam Alliance, which estimates that more than two-thirds of Singaporean victims did not report their experience.
> This is a small part of a global criminal enterprise worth an estimated $1tn, but Singaporeans, affluent, digitally advanced and compliant, are particularly vulnerable to these scams. As one person involved in the recovery of assets put it: “They are rich and naive”.
https://archive.is/fCmW1
This is blaming the victim, and I'm not having it.
The problem has been that BankCorp are all forcing us into online pathways because it's cheaper for BankCorp. Of course, they don't put good security on the pathways because that would dramatically increase the customer support cost for BankCorp. Getting scammed is "just sucks to be you" because that costs LittlePlebian.
The "solution" is that liability for these kinds of scams need to be on BankCorp, period. LittlePlebian simply cannot be expected to protect themselves from every professional scammer in the universe beyond very basic measures. Bitcoin people regularly get scammed and they are supposedly more "sophisticated" than the average bear. Nobody less sophisticated stands a chance against the professionals.
> Powered by PureOS, a Debian-based Linux operating system, the Librem 5 and Liberty Phones
Can their devices run APKs? The only Linux distro I know of that does is Sailfish, whose weird licensing model makes it really hard to take advantage of unless you have an obscure, obsolete phone and flash it with the image they sell.
To their credit, Purism has invested more into touch Linux with Phosh than most others in the space have, but Linux on a touchscreen is still a befuddlingly garbage experience.
Unless their experience is impacted by the features they're writing about (which it doesn't sound like it is), this post is just trying to make its mainstream alternative sound bad in the hopes that someone buys their crap instead.
Because this is not going to be super positive for them on that front.
> victims would also be guided to disable Google Play Protect that helps to prevent harmful downloads.
I feel like there's only so much a company can do when it comes to balancing protecting users from themselves vs allowing users free rights over their own computers, especially when users have gotten habituated to ignoring incessant safety warnings caused by attempts to protect users.
I also keep wondering how safe the Play store is from this stuff. The very existence of obscenely detailed public GPS datasets about Android users show that even "official store" apps are somewhat malicious.
I don't see a real solution besides giving a smart and friendly 3rd party admin rights over the devices of susceptible users.
Convert to a one-time escape hatch unlock via a random-question quiz hosted by Google that assesses security and computing knowledge?
If the intent is to prevent the dumbest users from doing something, then a good place to start would be an assessment to determine if a user is actually dumb or not.
It's oxymoronic to attempt cover-all methods that encompass both (a) advanced users who do want to sideload & (b) people who will type in anything the internet tells them will make a cracked app work.
https://techcrunch.com/2024/02/07/google-starts-blocking-use...
There are a lot of qualifiers on this: Only in Singapore, only on apps requesting certain permissions frequently used by scams, and only when downloaded via certain paths.
I don’t see the full details but this implies that it’s still possible for advanced users to side load whatever they want. They don’t want to make it easy for the average user to start sideloading apps that access SMS permissions or accessibility controls.
If it takes a few extra steps for the advanced user to sideload these apps that’s not really a big infringement on freedom like this purism PR piece is trying to imply. Unfortunately sideloaded apps are a problematic scam avenue for low-tech users.
> The move, developed in partnership with Singapore’s Cyber Security Agency, is designed to prevent fraud and malware-enabled scams.
This explains why it’s only in Singapore for now.
Even if some technically inclined folk can install what they want, the masses will stay in the walled garden so that Google can get their cut and exert ideological control. Even now, both Google and Apple engage in practices across their product that are designed to scare people away from third party applications. From Google's terminology when describing Google in banners as "a more secure browser" etc, to Apple requiring a secret incantation in order to run unsigned apps.
All of this kind of mind control bullshit should be eradicated via regulation. Companies should not have a license to be deceptive towards their users.
> The move, developed in partnership with Singapore’s Cyber Security Agency, is designed to prevent fraud and malware-enabled scams.
Your comment seems to disregard it and instead lay this entirely at Google's feet as if they're seeking anti-competitive behavior - but if this was driven by a government, does Google really deserve all the blame?
(Note that I am explicitly not endorsing the move. I think sideloading should be left mostly untouched.)
Could mean anything from reluctant to opportunistic.
Because it's irrelevant.
> but if this was driven by a government, does Google really deserve all the blame?
Of course. If the government ordered Google to assist in a genocide against some demographic, and Google goes along with it, it doesn't matter if the government is also evil. Google is evil for playing ball.
And we don't have to speak in hypotheticals. Both Google and Amazon are actively engaging in tech-assisted genocide.
https://www.aljazeera.com/news/2024/4/23/what-is-project-nim...
I have boycotted Amazon for a while now and I'd boycott Google too if it wasn't so pervasive in my professional life.
The walls should have open doors, though, versus prison bars. Physical switches on devices (much like older Chromebook devices had) used to opt out of the walled garden should be mandated by consumer protection regulations.
I personally think there should be (I value individual rights/freedom over preventing someone from harming themselves), but I also see why we ended up here. When bad things happen, people demand action and government wants to be seen as doing something.
Have the EU counterbalance this closing with extra fines for anticompetitive behavior.
I don’t want to live in the same society as the person that wrote this asinine comment with this much confidence. We are just ideologically incompatible
For example, it could be regulated that if the flip is switched (or a fuse is blown irreversibly) on a device, responsibility for the device and its software fall entirely onto the owner. So if they get phished on an unprotected device and lose their life savings, it's entirely on them. Manufacturers and service providers have no obligation to support them.
I think efuses being blown by device manufacturers should be illegal.
I think bootloaders that don't allow the device owner to run whatever software they want should be illegal.
I think device owners should be permitted to repair their devices without losing functionality because of DRM embedded in the parts themselves.
I think a physical switch, exercisable only with physical access, should be present on locked-down devices to allow the owner to exercise their ownership over the device. If that means that "attestation" functionality breaks and that causes some third-party software to "break" so-be it.
(I think the problem with banks, etc, requiring "trusted" devices is also in the realm of consumer protection, probably in banking regulation. I haven't thought about it deeply.)
I don't think they cheeref at the arrival of the Microsoft Store on Windows, for example.
That's what's pushed for on the current smartphones, and they accept it; they easily don't see the problems, and it can seem complex for them to avoid it.
I agree with you. However, the impact of scams should not be underestimated either.
Attacking the problem by reducing user freedoms and increasingly monopolistic control is not the answer, even though Google's PR department would tell you otherwise.
So the question on if this effectively reduce scams is the first question to answer.
The correct way to do it would be to whitelist other good stores, and allow developer mode installs with an extra process that says explicitly I am extra sure this may be danger, but no. This would reduce Google's income streams.
The way I see it, it must be attacked the way default Internet Explorer was attacked.
More like fighting teen pregnancy by mandating chastity belts... With the same ultimate problems too: those most determined to overcome the block will make use of bolt cutters or their digital equivalent.
The actual way to stop the scammers would be to sanction their host countries into oblivion: India, Philippines and Myanmar are big in targetting English speaking countries, and Turkey when it comes to German speaking countries. Scammer Payback alone has made so many complaints with very little follow up from local authorities, partially due to open corruption. Either these countries clean up their act or they get dropped from SS7 (phone) and the Internet. But I see no way of this ever happening.
[1] https://stackoverflow.com/questions/21692646/how-does-facebo...
Only certain permissions actually matter. That's one of three.
But "only in singapore so far" is not reassuring.
And "downloaded via certain paths"? Browsers and file managers are the normal ways to put files onto a phone. That doesn't reassure me at all.
I'm sure making it harder to obtain software outside a first-party app store provides some protection to some users from scams, but I really don't want that to be the answer. I don't claim to have a good one myself.
I don't think the restrictions are doing much for victims. I assume Google was pressured into doing this by the authorities, or may be doing this to get in a good spot politically.
Just because something is technically possible does not make it a solution
We had a big client from Singapore who only agreed to buy our SaaS subscription after we integrated SingPass (Singapore's national digital identity system) for user login.
When I read "Singapore" in the OP I immediately remembered about it.
The client is not with us anymore, but we still have this thing somewhere in the codebase :)
I would prefer if Google moved in the direction of giving apps fake permissions. Otherwise the scammers will just move onto another layer.
Those "certain paths" include "file managers"; how exactly would you sideload an app without providing the file?
> "The sideloading restriction is easily solved by installing GrapheneOS"
> "Unless they block ADB, I wouldn't say it's accurate to claim they're "blocking sideloading"".
Not to pick on these folks but it's like we on HN have forgotten that ordinary people use phones too. For some of us, it's not a limitation as long as we can solder a JTAG debugger to some test pads on the PCB and flash our own firmware, but for most users that's just about as possible as replacing the OS.
I, someone extremely new to Linux (hell, new to computers), was bewildered. Then a commenter replied with something that helped me and exactly what I needed. He added a note directed towards others which went something like - the battle for Linux as THE desktop OS was sabotaged by its most ardent practitioners.
You can't have wizards without first having noobs.
Why gatekeep people from enjoying the same thing you enjoy?
Well, I guess all that gave us EndeavourOS and Manjaro. But still, we need more places for people to learn that nitty gritty stuff.
Hell, I'd love to learn more about the hardware hacking the OP is talking about. Love to learn about those GPU hardware modifications people do. I know it's hacker news, but I'd actually love to learn about that hacker stuff. If these companies are going to continue to fight this hard to prevent us from owning the things we buy, it sounds like an important thing to learn. Or else we're soon going to have robot butlers that are just sending lidar maps and high resolution photos of our homes back to these companies. We don't need elitest pricks, we need wizards teaching noobs
I think this had the benefits of:
• allowing people who don’t want to bother with newbies to not have to, if they stay in the subforum
• still having the places for “people who are skilled and willing to work with/help newbies” and “people who are skilled but don’t want to deal with newbies much” be in a sense the same place, while also having the place for the latter be the same as a place for newbies.
• provides an incentive for newbies to become skilled.
_____
Of course, this method doesn’t work if no one is willing to engage with the newbies. But I think it’s probably fine/reasonable to keep outsiders away from a few things provided that there is a reasonable path in.
Though, I’m not advocating that the approach that forum used be implemented everywhere. I just think it is something that a community could reasonably choose, depending on their priorities.
The forum was primarily about the “Penguin Client Library” (or “Penguin Client System”, I think they went back and forth about the name?), which allowed writing PHP scripts to interact with the game servers.
Why PHP? I think maybe it was originally so people could use it to make web forms where people could put in their username and password and it would e.g. give them whatever item, but that kind of cheat was blocked very quickly, and I think it just remained in PHP for historical reasons, so instead you had a bunch of people running PHP on their local machine to run a bot doing normal game actions (but combined in unusual ways). Or maybe it was just the language the devs were most comfortable with, idk.
As example toy projects I'm trying to test out dnf-automatic because I'd prefer not to have the admin work of manually keeping on top of routine updates, but there's little feedback (although so far that's better than pacman on Arch which specifically expects atdmin), or learning why a distro has set up swap/zram/zswap the way they have, what the limits are on that config, how to measure what my system uses and if/how to adjust it. There's little guidance within the system to get you up to that level, and to open another can of worms the terminal-first approach in linux's DNA usually doesn't present anything but the bare essentials for whatever tool you're running, but any extra/wasteful information shown could nudge you where the next step is.
But people often claim no one else will read it or it's obvious. I think we've all dealt with the frustration of dealing with undocumented code. Seen how much time it takes because of the lack of documentation. Why doesn't this encourage writing documentation?
When docs are scarce and you have access, add a little. It can be built over time. Some is better than none.
The other thing I do is write notes. I put a lot of them in my dotfiles actually. This means I keep them just text (or link for images) and these can get carried around with me. I hand them out frequently and am always happy to have others contribute or share theirs but honestly I don't know a single other person that does this. But I find it extremely helpful. I reference them all the time. Granted, they're written for me but I think more people should.
This, I feel like ever since the fall of Twitter, a true hackerspace has been missing for awhile.
Is it up or archived anywhere?
In fact, I even got more people to contribute. I used to say the best way to learn Linux is to install arch. To come back to me after your third failure. It's rough, but you learn a ton and accelerate really fast. Telling people to expect failure helps. They know it's not them being dumb and they won't ruin their computer. Plus, they have a safety net and I promise I will help, but the real lesson is the struggle.
The TL;DR: Arch gets harder year over year as the number of ways to setup/options for each piece of your system grows. Hell, even picking a bootloader among 10 options is confusing. A guide that just at least says "This is common for X, this for Y, the others are interesting and may be worth trying. If you don't want to investigate now, use X" Is DESPRATELY needed.
I tried to have that on my site, and a pretty high level arch forum admin came buy and told me to delete my website and made a PR just deleting the page. It was honestly one of the most rude and hateful interactions I've ever had online.
That's an easy one to answer: they will eventually demand that Foo changes and remove things they do not like. It has happened to all media, it has happened to all software, you can be damn sure it will happen to something as modular as a Linux distribution.
Really, I'm calling people dumb for gatekeeping the things they enjoy. Things change regardless.
With Linux, you can have your distorts. Because Linux people tend to understand that you don't build "products" but environments. Places to build from. To build in. It's not always but it's a good idea. You can't make a product for everyone, but you can make an environment for everyone. It's why a computer or a phone is so universal but iOS or Android isn't
Having bad or no support for your software isn't some good way to keep it 'pure', it's just keeping it less useful/relevant. Linux is OSS: fork it if you don't like something new, but don't hurt the ecosystem.
Deliberately hamstringing software or documentation so that others will stay away and not make changes is literally antithetical to OSS as a philosophy.
Neither of this is true. There are plenty non-technical users that will be suggesting changes, there are plenty of technical users where they don't want things to change.
> Having bad or no support for your software isn't some good way to keep it 'pure', it's just keeping it less useful/relevant.
You are conflating "bad or no support" with "gate-keeping". Gate-keeping is about keeping riff raff out, but allowing those that are interesting to a path to being involved.
With respect to Linux distros. Linux is like a "kit". Different people offer you different "kits" called distros. Some of these kits may be given to you pre-assembled (Ubuntu/Fedora/Debian), other will require partial assembly (Arch) and some will require full assembly (Gentoo/LFS).
Arch/Void/Gentoo flavours of Linux don't advertise itself a user friendly distro like Ubuntu/Mint/Fedora. *It is expected you read the documentation and understand the command line*.
Thus why people were suggesting they should use the CLI tool. If a user doesn't want this, they should use something else.
Having a "noob" version of installation instructions for something like Arch/Gentoo will have the effect of allowing someone to fumble about and maybe achieve getting something functional, but they won't actually understand what they are actually doing and this will cause them problems in the future as they won't understand how to fix issues when they arise.
> Linux is OSS: fork it if you don't like something new, but don't hurt the ecosystem.
It is extremely difficult for even for large companies to run their own fork of large open source projects. Sure you can fork a smaller piece of software and maintain your own version, but anything significant you are unlikely to be able to do that. So you are forced either to use the changes you may not like, or you use something different, or you are are like the anti-systemd crowd essentially running a protest distro.
Also all the big forks in the software ecosystem is when two important factions have disagreed fundamentally on the direction of the project. We are not talking about individual users or developers, we are talking about the top tier developers/maintainers. A part-time/bedroom coder is unlikely to have any significant effect, even if they did it is often lead to burnout of these developers.
> Deliberately hamstringing software or documentation so that others will stay away and not make changes is literally antithetical to OSS as a philosophy.
Ignoring the fact that you are misstating the issue. It isn't antithetical to the philosophy at all. People decide their own level of involvement in any group activity. If you aren't willing to "pay your dues", then it maybe better for you to not be involved.
You will BTW see this to varying extents in Churches, Cricket Clubs and even your place of employment.
e.g. If you go to Church you have to accept certain tenants about the faith or at least respect them while you are there. I've been invited to Churches in my local area, by very nice people that I would like to get to know, but I can't believe in Christ, so I don't go.
Suggesting is not making. Non-technical users will not be making changes.
> You are conflating "bad or no support" with "gate-keeping".
If the support is intentionally removed with the goal of keeping out people, then it's both. That was the premise accepted by both of the comments above mine, hence my comment working from that premise.
> Having a "noob" version of installation instructions for something like Arch/Gentoo will have the effect of allowing someone to fumble about and maybe achieve getting something functional, but they won't actually understand what they are actually doing and this will cause them problems in the future as they won't understand how to fix issues when they arise.
Everyone is a noob at some point, so getting rid of documentation is only a means to prevent someone from learning. There is no cost to anyone if someone installs Arch without being an expert in the CLI.
> It is extremely difficult for even for large companies to run their own fork of large open source projects.
Agreed. And if there aren't enough people who are willing to support a fork to manage one, there aren't enough people to justify preventing a change that keeps the current version as it is (which is what in this case, that fork would be).
I.e. if there aren't enough people who support the current version, to maintain an unchanged version as a fork, there aren't enough people who support the current version to justify not changing it in the first place.
> If you aren't willing to "pay your dues", then it maybe better for you to not be involved.
Where are you getting this from? The whole conversation was newcomers making changes. Code contributions (i.e. changes) are explicitly the "dues" that OSS devs 'pay'.
> If you go to Church you have to accept certain tenants about the faith or at least respect them while you are there.
If enough of the congregation feels it needs to change, it will (or it will die out). Modern versions of religions look nothing like they did hundreds of years ago, and not all the changes happened due to schisms/ forks. Everything changes, or it dies.
No it isn't. Stating it is doesn't make it so.
If I expect you to follow a particular procedure and not support another (which is deemed initially friendly) that is perfectly valid. If it keeps people out that wouldn't otherwise be able to follow it, that is a positive, not negative.
It can gatekeep and be authoritative.
> That was the premise accepted by both of the comments above mine, hence my comment working from that premise.
And the premise is incorrect. Thus my comment.
There are also other reasons. Like having two version of the documentation causes confusion in itself.
> Everyone is a noob at some point, so getting rid of documentation is only a means to prevent someone from learning.
Not if the "noob" documentation obscures knowledge by letting people skip important parts of understanding the process.
> There is no cost to anyone if someone installs Arch without being an expert in the CLI.
Yes there is. That person will quiz people in discord, forums, voice chats, reddit etc when they will invariably be presented with an issue that they cannot resolve. Similarly that why people distro-hop.
RTFM response actually trains people to solve their own problems and is the correct way, by first following the process and then only asking when the process doesn't work.
> Where are you getting this from? The whole conversation was newcomers making changes. Code contributions (i.e. changes) are explicitly the "dues" that OSS devs 'pay'.
I was talking about the benefits of gate-keeping in general. I never said anything about specific about code contributions.
BTW, these people will affect code contributions. Much of the Linux desktop is a clone of other systems (typically Windows) to appease users that expect that UI. This actually dominated the conversation for about 15 years in linux.
If we are talking about the newbies. They have to prove they can follow the documentation provided i.e. RTFM.
> If enough of the congregation feels it needs to change, it will (or it will die out). Modern versions of religions look nothing like they did hundreds of years ago, and not all the changes happened due to schisms/ forks. Everything changes, or it dies.
Every group is lead by a minority. The minority in every group, set the agenda, not the majority. That is fact of life, if you think otherwise you are mistaken. Even revolts are usually led by people who are part of disgruntled minority. Every one of those changes would have been made either by someone important in the Church or the state (as the state and the church was typically tied).
Every single one of those changes were made by elites or governments at the time. Not the majority of the congregation. BTW many of the Churches in England and Europe didn't change that much, that why loads of these people migrated in the first place to the US.
BTW many young converts are going to the Orthodox Church because they see it as the most "OG" version of the Church, because some people crave what they believe to be the authentic experience.
I think that this reads better "there is nothing that Microsoft wants regular users to touch that they need to edit in the registry directly." The distinction between the two doesn't really matter as long as the user's interests are reasonably aligned with Microsoft's, but the modern Microsoft-the-ad-company approach to Windows means that this is not at all true.
> https://trustmeitsfinebro.com/install.sh | bash
:D
Don't believe that for a second. Industry de-facto standards are a result of power dynamics, and the actual users of the thing wield orders of magnitude less power than they project. If a corporation like MS or Google wanted Linux desktop to happen, no amount of gatekeepers could actually hold the gates.
The reason why Windows is the de-facto standard is because Microsoft put a lot of behind-the-scenes work into making it a de-facto standard. I am meaning them sabotaging everything else, treating the status quo with the famous EEE, many business deals with governments to use it, put it in school curricula, having manufacturers preinstall it to PCs, and bend every piece of connected tech to Windows' direction - hardware drivers, computer games, specialty software, even the internet.
That is how Windows got its desktop users, and how Linux and others didn't really.
More than an hour? That's very strange, enough that I wonder if you had the right impression of things.
Usually the reason to go with command line is that even though it might be bewildering to look at, slamming in the command only takes a moment and you don't need to do any button-hunting.
It's a tradeoff, is what I'm saying. But you seem to be describing a situation where it's significantly worse in every way. Why would a bunch of people all be on that bad plan?
That's usually how long it takes me to get an FFMPEG command I'm planning to use more than once right
If you give someone an already-done ffmpeg command it should be straightforward to use.
The brother wifi laser printer I have works on everything without any installation at all. Windows, mac, linux, my phones.
It looked like SteamOS was going to be a contender, but apparently not.
Back on Linuxland, the userbase realized this about two decades ago, when Ubuntu launched. Having a nice default experience was considered better than having easy tweakability, because Ubuntu could also be configured to the fullest extent in the classic Linux way of reaching into the guts of the system and rearranging things to taste. Not that I would ever recommend tweaking Ubuntu too much, but it can be done.
What about the other end? Most people who like fiddling with Linux by reaching into its internals have settled on distributions such as Arch, where this way of managing the system is expected and thus the distribution works to ensure this experience is as easy and predictable as it can be, by providing a good happy path experience for common scenarios, and providing top-notch documentation for common and uncommon customization options, or minority hardware platforms and devices.
Just enough corners to cover day-to-day usability so that new users would be able to help themselves if they get stumped.
That set of corners has been pretty much covered by Windows 95 when it comes to the GUI.
For tweakability, command-line interface isn't unfriendly — the commands are.
People love talking to ChatGPT. This tells you how friendly typing interface is.
I'm not saying that natural language processing should necessarily be a feature of the interface (although it could make a lot of things much smoother), but FFS, an interactive dialogue-based CLI is a much friendlier thing than "figure out the right incantation" paradigm.
No comments yet
I sideload a glucose monitor app that's not available through Playstore (it's FOSS and health is a tricky area with liability).
It's a fantastic app and the ability to sideload it is a major reason I use Android over iOS.
I also sideload a patched app of the Dexcom glucose reader OEM's shitty app to allow the data to be read by the better (sideload) FOSS app.
https://github.com/NightscoutFoundation/xDrip
https://www.patreon.com/byod/about?
Ok I'm not an ordinary person, I guess, but if I was I'd still use those apps and I know people who are ordinary and do so.
But I am pretty sure that like any other teenagers since the beginning of time he obeys me, and has only rooted his phone for educational purposes.
His friends, though, I am not so sure.
Some of the more savvy ordinary people even export apps as apk for other phones.
https://zimperium.com/blog/the-hidden-risks-of-sideloading-a...
About 1 in 5 users sideload?! That's not something to ignore
Sideloading is a fairly popular practice. Our research indicates that 18.3% of mobile users globally engage in sideloading. In some regions, such as the Asia Pacific, the impact is as high as 43%.
I love steam, but epic is very user hostile.
Yes, usually when somebody calls them, pretends to be from the security department of their bank, and asks them to install an app to "catch the hacker who just stole $2000 from your account in the act."
In countries where Android is popular (not the US), this is an extremely common scam vector.
edit: which I'm not even sure if that counts as side loading
It's crazy how we act like phones are dramatically different than other computers. An average computer user can go to a website, click "download" and then we think the average phone user can't do the exact same thing? It's the same people! They might be used to downloading from one location but it would be laughable to think they couldn't do the normal thing too
(To clarify, I mean apps. Things like GrapheneOS you're going to run into the same issues as expecting my grandma to install Linux. Might be doable but it isn't quite there yet)
I think what people on HN really forget is that the average person isn’t equipped to tell the difference between a legit source sideloaded app or a Trojan horse app that some TikTok video instructed them to install.
I wonder if they could solve that with delays. E.g. you can sideload, but the process is deliberately delayed to take two full days and require carefully reading warning screens and correctly answering questions about the warnings, then getting time to think, multiple times.
Google changing defaults is a permanent change for some large percentage of their userbase. A subset of those can still figure out how to download and run an APK file but have no further recourse against monopolistic behavior.
Maybe those people do need to be protected from scams. Social engineers have complete control over the user, so any control given to the user is owned by the scammer. Seems like the same problem as pig butchering, a technology or process solution can't save someone too stupid to save.
Thinking about less controversial options for Google, they could track if any side-loaded apps have the dangerous permissions, and provide a global true/false status to other apps that request it. So Wallet / whatever would disable features if any "outside" apps were in a position to exploit the user. And Android could offer a button that cleans up the "problem" apps, setting the global status back to false.
sideloading apps was a feature that did not catch on. Now they kill it. Then when Apple launches it, watch them tout it again as a feature.
Right.
And something that Apple has been doing generally from Android (while trying really hard to catch up) - feature after feature and shamelessly releasing it as the next biggest revolutionary thing since the moon landing, or an invention shadowed only that of the wheel and fire.
In fact last few years of Apple's phone advancement has been nothing along with some features which has been Android for years. Or maybe that's not "copying", that's bringing "at par" which is of course different?
News to me. Edit: I misread parent comment.
Though Google Pay is also probably the least private of the major tech-company payment platforms (the others being Apple Pay, Samsung Pay, and Garmin Pay). It is, I think, the only one that actually requires an open network connection on the phone to work. The others all generate one-time codes that get sent through the payment machine's network for verification by Apple/Samsung/Garmin on the backend (i.e. you can tap an Apple Watch to pay with all its radios off, but you can't do that with Google Pay).
From what I gather, Garmin Pay can work with GrapheneOS if you have one of their smartwatches. And Privacy.com works, but not with tap-to-pay.
As an aside - I think the Paypal app in Germany offers HCE tap-to-pay, and In the UK/Europe 'Curve' is a Google pay replacement that runs fine on GrapheneOS (and they have first-party support for huawei phones that don't even ship Google play services anymore)
That being said, it is a reasonable compromise that, as long as people know that beforehand, losing Google Pay as the price to loosen Google's grip on your data, location and preferences is an acceptable one [price].
The linked article is literally an ad for Librem phones though?
When we last got new phones I put GrapheneOS on mine and my partners, I never subsequently had to play tech support on hers.
The Web installer [0] is not really approachable to a normal Android user. The instructions are dense, loaded up with warnings about dozens of edge cases that are discussed in jargon that would intimidate even relatively tech-savvy users:
What's USB passthrough? Did I install my browser through Flatpak or Snap? How would I know? Did I need to understand the paragraph explaining in detail how carrier models lock users in? There's a bunch of stuff in there about Linux... do I need Linux? What's a sha256 hash and do I need to care?
It's not that this is impossible for non-IT-folks to grasp, but there's no chance that my parents are installing this on their phone.
[0] https://grapheneos.org/install/web
FWIW, GOS is an excellent project, but I don't think it's a good fit for non-technical users. But there's nothing stopping someone from creating a distribution of it with a preconfigured Google Play sandbox, some sane defaults and applications, to provide technical support, and to streamline the installation process, or even sell devices with it preinstalled. As long as that entity is trustworthy, it would be a good alternative for people who want to leave the Google/Samsung/etc. ecosystem, but don't have the technical knowledge or want to bother with installing and configuring GOS themselves.
[1]: https://flash.android.com/back-to-public
I have never installed OpenWRT on an home router -- too afraid to brick it, to deal with somewhat manual updates [I think].
I bought a GL.iNet. Totally normie, automatic updates. And then, "Hey look, this is... OpenWRT with a GUI!"
There are some [mobile] brands going on similar direction [albeit one that doesn't seem right to me]. Volla & Fairphone. They provide alternatives. I don't like them [the software options available for them], but alternatives exist, working out of the box.
I own no firsthand experience but read many users require app 2FA to make card payments.
The solution must be social-legislative. The London smog and terrifying auto deaths at 30 KPH were solved but not by niche enthusiast projects.
My phone is play store free, my SO's isn't. I agree having the play store isn't great for privacy but for the purpose of this thread it isn't relevant.
Huh? Banking apps not working on GOS are a rather rare exception (which I have not run into ever and I use several), and streaming apps work just fine. I "only" use Netflix & Amazon Prime but other people attest[0] to Disney+, Paramount, Max, and SkyGo working, too – even without Google services.
[0]: https://discuss.grapheneos.org/d/20256-streaming-apps/6
Easy
DJI forces you to side load their app for their Air Units and Drones. And this is scary. It looks like the rule they violate for the play store is that their app can self modify.
Let that sink in ... Any tension or whatever political bull crap happens and you have a state controlled malware on your device that can do anything it wants with your drone.
Millions of people installed this without really understanding what could be the consequences...
Google clearly knows this. IMO the motivation here is obvious, and it isn't security.
US Senators like Ron Wyden would probably tell you that Apple's approach harms your security overall. After all, he was the one that whistleblew Apple's hidden and warrantless Push Notification surveillance pipeline. Forcing you to rely on a first-party service you can't replace is never a secure option, not in the US nor Europe.
> the freedom to change a program, so that you can control it instead of it controlling you; for this, the source code must be made available to you.
We're a long way from that ideal today. Software controls us all the time. Usually that just leads to anti-consumer annoyances like lock screen ads or DLC seat heaters. But when the one controlling the software that controls you is a communist government...
Not sure what the short term practical solution to this is though.
By making it "normal" to install the app via sideloading, there's little Google could do in the event of malicious app behaviour, and the majority of users would not find out about it (at least, not immediately).
all self-modifying really prevents you from doing is stuff like dynamically changing your permissions. which is a broadly reasonable restriction because it'd complicate the approval UI (and the actual enforcement mechanisms) quite a bit further.
Just one month ago they found intentionally embedded Kill Switches in chinese provided solar panels [0][1].
Not even complex apps require capabilities of such self-modification, the fact that a DJI drone app, requires such capabilities, is quite suspicious especially as they are heavily involved in PLA Drone Warfare R&D and Capacity building.
[0](https://www.reuters.com/sustainability/climate-energy/ghost-...)
[1](https://www.rickscott.senate.gov/2025/6/sens-rick-scott-mars...)
In parallel, Google has rolled out its Play Integrity API, which allows developers to limit app functionality when sideloaded, effectively pushing users to install apps only through the Google Play Store.
The issue is even bigger. Even when using Play Store on GrapheneOS with a locked bootloader (which is the recommended configuration by the GrapheneOS project), Google refuses to let apps use the hardware attestation support in the Play Integrity API [1], which blocks certain banking apps, Google Wallet, etc.
It's insane that Google lets Android vendors that have a lot of dubious security practices (months-late security updates, etc.) pass, while an OS that implements more security mitigations than PixelOS and is sometimes faster than Google rolling out security updates is excluded.
The move, developed in partnership with Singapore’s Cyber Security Agency, is designed to prevent fraud and malware-enabled scams.
Time to block the Facebook/Instagram apps then, given https://localmess.github.io ?
[1] https://grapheneos.social/@GrapheneOS/112878070618462132
That's because it's about control, not safety.
The GrapheneOS devs are serious about security, probably more focused on it than 99% of end users. That they manage to release a project with the high level of usability that GrapheneOS achieves is impressive, even if it isn't as convenient to the end user as stock Android. Ultimately, nothing will ever be as convenient to the end user as stock Android or iOS, but that's not the point of the project.
That's my point, though. The projects security requirements don't need to be that stringent. By all means, take advantage of the hardware security on devices that offer it like pixel, but even on devices without that hardware security it would still be the most secure Android based OS available, and orders of magnitudes more people would benefit from having access to that.
GrapheneOS security requirements very much do need to be that stringent. That's the whole reason for the project. Have something that is maximally secure within the most aggressive limits of what is possible today.
It targets end users who either have an acute threat model (e.g. journalists, dissidents) or are willing to tolerate some level of inconvenience (compared to stock Android) to gain the security advantages. Not everyone is willing to make that trade-off, and that's okay. I don't want my daily use phone OS to adopt a more permissive security model to appeal to a broader audience. I suspect most GrapheneOS users share that stance.
There are other AOSP custom distributions that benefit from the security improvements GrapheneOS is able to get accepted upstream (though Google is making this more difficult than it used to be). I think, for people who aren't willing to make the trade-off, a better path is to use another AOSP distribution on the hardware they prefer, or to establish a separate project to build a downstream version of GrapheneOS (under a clearly distinct name) for other, less secure hardware... Trying to shadow each release as closely as possible and make best use of Graphene's generally excellent software customizations (e.g. storage scopes, deny network permission, etc) without pursuing a hard fork.
I'd certainly like something similar for NVIDIA Shield Devices, for example. But I know that's not what Graphene's mission is.
The GrapheneOS devs absolutely will not listen to anyone asking them to loosen their security model. And thank goodness they don't! That's why I use GrapheneOS. It's why many do.
They don't though, that's just a nonsense claim.
Remove the parts dependent on the Pixel security hardware, and you still have a MUCH stronger android OS than anything else available.
> And thank goodness they don't!
Your reasoning does not support your conclusion.
Yes.
And the correct course of action is a separate, downstream project with a different name doing exactly that and shadowing the GrapheneOS releases. Not a weakening of the GrapheneOS security model. If you don't want a maximally secure build of AOSP, you don't want GrapheneOS: you want something else. Maybe something substantially similar, but not GrapheneOS.
>They don't though, that's just a nonsense claim.
I don't know what is nonsensical about claiming that a project whose principal goal is to be maximally secure shouldn't weaken its hardware security requirements. The statement is closer to tautological than it is to nonsensical.
https://grapheneos.org/articles/attestation-compatibility-gu...
See replies to this: https://news.ycombinator.com/item?id=32496220
Another note: this obviously does not prevent people from having multiple phones, feel free to buy an extra phone and install LineageOS/Gentoo/whatever you want.
I also haven't seen any specific examples of software that's frequently sideloaded that would be unjustly discriminated against.
I’m an Apple user, but above all I value choice. Isn’t the point of Android that it’s an open ecosystem?
ADB is arguably worse than what Apple did in the EU for sideloading to abide court orders, and Apple was lambasted.
Are there high quality or especially useful apps stores that are not in the Play store.
These are the permissions most used to impersonate a user. SMS access lets an app log into every service you use and get OTP codes. Accessibility tools lets the app open your banking apps etc. whilst you're sleeping.
Singapore has big issues with identity 'trading' - and there are big signs saying things like "if a stranger offers to buy your phone number from you, and you accept, we will send you to prison for 5 years". Same with bank accounts, credit cards, etc.
Basically, if something is tied to your identity, and you let someone else use it for crime, then they're gonna punish you heavily.
In countries where Android is popular and iPhones are expensive, Commentary (Jieshuo) screen reader is a popular and arguably much better alternative to TalkBack, the built-in Android screen reader. Because it's a Chinese app and there's no major conglomerate behind it, it's not on the Play Store.
Because it needs to be able to read all screen contents and drive the entire system UI (that's literally what a screen reader is for), the permissions it requests are quite intrusive. Blocking it from accessing sensitive apps would entirely defeat its purpose, after all, if you need a screen reader in the first place, one that doesn't work in banking apps will be pretty useless to you.
Googlers will probably point to Webaim[1] and say that nobody uses the app so it's not a problem, entirely forgetting that Webaim is mostly filled out by well-off English speakers. If you look at data sources that better represent the global population at large, like the Yandex user survey, you will see something very different.
[1] https://webaim.org/projects/screenreadersurvey10/
An example of "normal" users that side load (through F-droid or direct APK) is most Ingress players. While Ingress itself is in the playstore most people use the "companion" intel app called IITC which isn't in the playstore as it's technically against the ToS.
I had a Pinephone a couple of years ago and receiving phone calls wasn't very reliable.
https://forums.puri.sm/t/nine-months-librem-5-as-my-only-pho...
https://forums.puri.sm/t/a-l5-review-1-week-to-my-ready-to-s...
Tl;dr: calls and texts work fine, battery life is not as good as Android/Apple but usable. Also you can replace the battery on the go.
How about Google focuses on proper sandboxing and permissions models? With those in place where an app comes from should not be a concern.
(And probably game anti-cheat)
A few months ago they improved their security somewhat by not letting you disable Play Protect while on the phone: https://9to5google.com/2025/01/29/google-play-protect-calls/
You also can't turn off Play Protect if you've enabled Advanced Protection on your account (which also enforces a range of other security measures) but that's fully opt-in and hasn't even been availble to the wide public for all that long.
> Police warn new Android malware scam can factory reset phones; over S$10 million lost in first half of 2023
> There have been more than 750 cases of victims downloading the malware into their phones in the first half of 2023, with losses of at least S$10 million (US$7.3 million).
— https://www.channelnewsasia.com/singapore/android-malware-sc...
> DBS, UOB become latest banks to restrict access if unverified apps are found on customers' phones
> They are the latest banks in Singapore to do so – after OCBC and Citibank – amid a spate of malware scams targeting users of Android devices.
— https://www.channelnewsasia.com/singapore/dbs-uob-anti-scam-...
> 74-year-old man loses $70k after downloading third-party app to buy Peking duck
> “I couldn’t believe the news. I thought: Why am I so stupid? I was so angry at myself for being cheated of my life savings. My family is frustrated and I ended up quarrelling with my wife,” said Mr Loh, who has three children.
— https://www.straitstimes.com/singapore/74-year-old-man-loses...
> Singapore Android users to be blocked from installing certain unverified apps as part of anti-scam trial
> "Based on our analysis of major fraud malware families that exploit these sensitive runtime permissions, we found that over 95 per cent of installations came from internet-sideloading sources," it added.
— https://www.channelnewsasia.com/business/anduril-secures-305...
> CNA Explains: Are Android devices more prone to malware and how do you protect yourself from scams?
> Why are scammers more likely to target Android users? How do you spot a fake app and what should you do if your device is infected by malware?
— https://www.channelnewsasia.com/singapore/android-malware-sc...
> Nearly 2,000 victims fell for Android malware scams, at least S$34.1 million lost in 2023
> In 2023, about 1,899 cases of Android malware scams were reported in Singapore. The average amount lost was about S$17,960.
— https://www.channelnewsasia.com/singapore/android-malware-sc...
> Android users in Singapore tried to install unverified apps nearly 900,000 times in past 6 months
> These attempts were blocked by a security feature rolled out by Google six months ago as part of a trial to better protect users against malware scams, which led to at least S$34.1 million (US$25.8 million) in losses last year with about 1,900 cases reported.
— https://www.channelnewsasia.com/singapore/android-users-inst...
Computers are cheap these days. You can buy a Raspberry Pi to hack on and use something else for your money. If you like hacking on smart phones, carrying more than one phone is an option. You don’t need root access on every device you own.
Hey, listen, I don't fall for these obvious scams and I even rarely install apps/extensions, but when I do, I know what I'm doing.
There should be a giant "OPT OUT" button (you press it, you're responsible for it) so I'd not be bothered ever again.
Seriously, just restrict it to signed applications unless debugging mode is active. With explicit permission from the user.
1) Apps like uber, lyft, ev charging and parkmobile would crash with null pointer exceptions some weeks but not others, so for the use cases that force me to carry a phone, it doesn’t work.
2) There isn’t a modern e2e sync ecosystem, and backup is completely broken.
3) The camera sort of worked out of the box (pixel pro 6), but to get all the modes, I had to install sandboxed google play services, which halved the standby battery life.
Has this changed in the last 3-4 years?
To your items, and my experience on Pixels 7, 9, and 9a running GrapheneOS regularly for the last two years:
1. I use Uber and Lyft semi-regularly (disabled when not actively using) and don't recall experiencing any crashes. Can't speak to ev or parking apps.
2. It may not meet your definition of modern, but I am very happy with Syncthing Fork on phone alongside Syncthing on linux laptop and desktop (where I run restic nightly backups.) It takes some effort to set up compared to handing the keys to the big corps, I will give you that. I'm still unsatisfied with GrapheneOS backups, but mainly because I want them written to storage where my syncing can send them along, and be able to flash a new phone as if it were a regular drive. But that's maybe asking a lot on phone hardware?
3. Pixel Camera app I pull down from Aurora Store, decline Network permission, and takes photos seamlessly even without Play services. It won't let you actually view photos in app without the Google Photos app which is a bummer. I've taken to using Files to view them, which is cumbersome. Maybe I should just install Photos and decline network.
For games especially, it's a huge problem, especially if you don't use (nor want to use) a Google account
Meaning if you want to use say, a financial app while on Lineage or Graphene, you are SoL if the developer decides to enable that feature.
Apps on android are freely able to talk to each other. It is not a bypass to be able to do so.
This is a reasonable restriction and I am surprised this restriction is coming now and not ten years ago.
Sideloading must be limited to tech savvy users only who know what they are doing.
Who says so?
Google could do this, and it's in their interest.
It happened.
Also it's not clear what exactly it means. Does it have a dialog you can click through like play protect, does adb install still work, etc.
From the article, I presume this is being done in the name of "cyber security" (least common denominator strikes again.) In newer versions of Android, a few warnings/confirmations are shown prior to sideloading an app. I think the best solution here is to gate-keep sideloading behind Developer Mode. Enabling Developer Mode, then enabling side loading, would be complex enough to stop brain dead drive-by side loading from occurring. And (mostly) only people that know what they're doing enable Developer Mode.
> This enhanced fraud protection will analyze and automatically block the installation of apps that may use sensitive permissions frequently abused for financial fraud when the user attempts to install the app from an Internet-sideloading source (web browsers, messaging apps or file managers).
It probably hasn't since they started doing this last year, but once scammers find out you can publish your own malware F-Droid repo, they might.
I've totally gotten into modern AI, cus its actually useful, but I've always been a "luddite" re. smartphones. I've always thought they suck.
Smartphone = a computer that's shitty and dumb enough to be popular.
Garbage article. Also embarrassing so many fell for it.
Android has been getting markedly more flaky for me ON MULTIPLE GOOGLE PIXEL DEVICES since 2018. My current Pixel 8a on Android 15 regularly has the underlying UI controls (separate from the launcher) crash and force me to restart if I want to use the app overview switcher since day 1. I also have no app overview button in the stock Android calculator since Android 14, the shipped OS, so if I want to switch between a calculation and another app I must first return to the home screen. Wasn't like this in previous releases! Furthermore, the day/date is routinely cut off in the statusbar and its pulldown. This product passed multiple reviews and 2 major OS releases with these (and many other) obvious and irritating bugs and shows no signs of improvement. If they left these holes in the surface, I can only imagine what's underneath. It's ridiculous, but I guess we're cranking out complexity at a rate that exceeds our ability to manage it (or our ability to manufacture new fucks at a rate exceeding their consumption).
If Purism is shopping for new users, all they would eventually need to do is not get worse at a rate as fast as Android, or more expensive at a rate as fast as iOS devices. Based on what I've seen from them so far...they're not at that point yet: meager specifications, high prices. I will continue to cling to my Android device, but I'll cheer them on from the sidelines.
You can root iphones
How about getting a linux phone? (or a dumbphone + a linux portable device)
"Google Restricts Android Application Installation–What It Means for User Autonomy and Freedom"
The idea that you're not allowed to install any application without it coming directly from $megacorp is the new wierd thing. The idea of installing applications yourself on your computer is well established and normal.
"Sideloading" is a dangerous word that implicitly gives up freedoms. It should not be used.
Old computers, before sandboxing and Windows defender and real-time protection, were more secure, because people were less likely to plug their bank account information, social security number, birth date, and home address into them.
At a certain point we have got to level with the idea that a smartphone is no longer a general purpose computer in your pocket. It's more like a cyber passport. It knows everything about you and authenticates formal activities.
So they weren’t actually more secure – they were less secure and less useful (setting aside the questionable historical accuracy of where popular online banking sits in the timeline relative to OS security measures in that claim). Maybe if we relax the made up constraint that a change must create 100% foolproof security, we can have a more nuanced discussion about ways to improve security.
It feels like this analysis really downplays some advantages making sandboxes and Windows defender and realtime protection got us in the average case (even if in the edge case someone can get hurt).
Ahhh yes. You want some of the action apple is getting from EU commission don't you?
Talking about the api-s that discriminate between playstore and side loaded aps. Which is not clear if are Singapore only
I have never ever used a fully loaded android phone with all the spying, surveillance apps and play services, amazon, facecrook, whatshit, running.
why on earth do muppets insist that they cannot live a life without google and the rest.
I have installed the latest AOSP on all my phones, including family aand friends.
I currently have a motorola edge 20 pro with android 15 installed. and my very old oneplus 5T also has android 15 installed.
all my family and friends have either lineage or E/os installed.
I dont see the problem here. I hear no complaints.
fool me once, More fool anyone who thinks google, facecrook and whatshit is their friend.
Autonomy for me, MEANS, self regulation. this is severely absent in the lives of the modern human being.
luckily for me and other others who are sailing is that you cannot keep sideloading without enabling pirating as well.
the rich techies can downvotes if they want but I and others in India don't have money to pay for your silly todo apps. ha ha.