Comments (401)
- tavavex: The part in the flow where you select between allowing app installs for 7 days or forever is a glimpse into the future. That toggle shows the thought process that's going on at Google. I can bet that a few versions down the line, the "Not recommended" option of allowing installs indefinitely will become so not recommended that they'll remove it outright. Then shrink the 7 day window to 3 days or less. Or only give users one allowed attempt at installing an app, after which it's another 24 hour waiting period for you. Then ask the user to verify themselves as a developer if they want to install whatever they want. Whatever helps them turn people away from alternatives and shrink the odds of someone dislodging their monopoly, they will do. Anything to drive people to Google Play only.
- grishka: At this point I'm convinced that there's something deeply wrong with how our society treats technology. Ruining Android for everyone to try to maybe help some rather technologically-hopeless groups of people is the wrong solution. It's unsustainable in the long run. Also, the last thing this world needs right now is even more centralization of power. Especially around yet another US company. People who are unwilling to figure out the risks just should not use smartphones and the internet. They should not use internet banking. They should probably not have a bank account at all and just stick to cash. And the society should be able to accommodate such people — which is not that hard, really. Just roll back some of the so-called innovations that happened over the last 15 years. Whether someone uses technology, and how much they do, should be a choice, not a burden.
- astra1701: This is going to hurt legitimate sideloading way more than actually necessary to reduce scams:
  - Must enable developer mode -- some apps (e.g., banking apps) will refuse to operate and such when developer mode is on, and so if you depend on such apps, I guess you just can't sideload?
  - One-day (day!!!) waiting period to activate (one-time) -- the vast majority of people who need to sideload something will probably not be willing to wait a day, and will thus just not sideload unless they really have no choice for what they need. This kills the pathway for new users to sideload apps that have similar functionality to those on the Play Store.

  The rest -- restarting, confirming you aren't being coached, and per-install warnings -- would be just as effective alone to "protect users," but with those prior two points, it's clear that this is just simply intended to make sideloading so inconvenient that many won't bother or can't (dev mode req.).
- bityard: Welp, I guess my current Android phone will be my last one. At least half of the apps I use on a daily basis come from f-droid. This enforced 24-hour wait is simply not acceptable. Android has always been a far inferior overall user experience compared to iPhone. Android's _only_ saving grace was that I could put my own third-party open-source apps on it. There is nothing left keeping me on Android now. I'll probably get an iPhone next, but I do sincerely hope this hastens progress on a real "Linux phone" for the rest of us. Plasma Mobile (https://plasma-mobile.org) looks very nice indeed. I'll be more than happy to contribute to development and funding.
- janice1999: The forced ID for developers outside the Play store is already killing open source projects you could get on F-Droid. The EU really needs to identify this platform gatekeeping as a threat. As an EU citizen I should not be forced to give government ID to a US company, which can blacklist me without recourse, in order to share apps with other EU citizens on devices we own.
- devsda: Death, taxes and escalating safety are the only certainties in this tech dominated world. So, be ready for more safety in the next round few months/years down the line. Eventually Android will become as secure as ios. We need a third alternative before that day comes. It's not a win by any means. I hope that we don't stop making noise.
- medhir: taps the sign: https://medhir.com/blog/right-to-root-access
- branon: This 24-hour wait time nonsense is a humiliation ritual designed to invalidate any expectation of Android being an open platform. The messaging is very clear and the writing's on the wall now, there's nowhere to go from here but down.
- focusedone: I'm generally OK with this, but the 24 hour hang time does seem a bit onerous. Most of the apps on my phone are installed from F-Droid. I guess the next time I get a new phone I'll have to wait at least 24 hours for it to become useful. I'm seriously considering Graphene for a next personal device and whatever the cheapest iOS device is for work.
- sunaookami: Whoever worked on this: Thank you for your killing open computing. I hope you are proud and don't spend all the money at once.
- teroshan: That's a lot of words to explain how to install things on the device I supposedly own. Wondering how long the blogpost would be if it explained what the flow for corpoloading applications approved by Google's shareholders would be?
- Gud: “sideload”, is installing software without some asshole preventing me. Let’s be clear here.
- egorelik: As an idea, what about allowing the 24 hours to be bypassed using adb (edit: bypass to allow indefinitely, not just install a single app)? I understand there is some problem trying to be solved here, but honestly this is still quite frustrating for legitimate uses. If this is the direction that computing is moving, I'd really rather there were separate products available for power users/devs that reflected our different usage.
- 9cb14c1ec0: It's getting harder and harder to be an Android enthusiast. Especially given the hypocrisy of Google Play containing an awful lot of malware.
- summermusic: 24 hour mandatory wait time to side load!? All apps I want to use on my phone are not in the Play Store. So I buy a new phone (or wipe a used phone) and then I can’t even use it for 24 hours?
- module1973: Am I going to have to wait 24hrs to have Google's malware and spyware forceloaded onto my phone, or is this a different category of malware?
- lucasay: The goal seems to be breaking the real-time guidance scammers rely on. 24h probably works, but it feels like a heavy tradeoff for legit users.
- pmdr:
  > Balancing openness and choice with safety

  No, I'm afraid this is tipping the scale of control in Google's favor.
- widowlark: I switched to iOS in anticipation of this change. The reality is, if they are thinking about doing this, it's only a matter of time before they do it. If I have to choose between two walled gardens, Apple will win every time.
- arendtio: 24H forced wait time?!? WTF When I side-load open-source apps for other people, I want to do it right in the moment, not activate the feature, and the next time I see them (like half a year later), install the app. When Google announced there would be an alternative installation method, I did not expect such a mess...
- dang: Is there an accurate, neutral third party link about this that we can make the primary link instead? https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...? Edit: I've put one up there now - if there's a better article, let us know and we can change it again. I put the submitted URL in the toptext.
- 13415: The alleged inability of a company like Google to create an operating system that makes banking apps secure while allowing users to install whatever they like is very implausible. Android apps are already sandboxed and have fine-grained access control, and the operating system controls everything that is painted on the screen. The security justification for this measure is not credible.
- occz: The 24 hour wait period is the largest of the annoyances in this list, but given that adb installs still work, I think this is a list of things I can ultimately live with.
- Retr0id: They should let you skip the wait if you're setting up a device for the first time.
- 2001zhaozhao: I think the new solution is a good compromise. The 7 days vs forever choice is still crappy and gives me a bit of bad vibes considering they are the ones that pulled the youtube promotions (shorts, games) you can never turn off forever, so there's the concern they will remove the forever option from Android in the future. But as long as they don't end up doing that, it's fine for me. Also, I do think it would be a good idea to make an exception to the 24-hour wait time if the phone is new enough (e.g. onboarding steps were completed less than one day ago), and/or through some specific bypass method using ADB. Power users who get a new phone want to set it up with all their cool apps and trinkets right away, and it's not good user experience to have to use ADB to install every single sideloaded app. Meanwhile a regular user getting scammed right after getting a new phone is statistically unlikely.
- basilikum: A lot of people here are looking for compromises. Any compromise on this means giving ground to Google's monopoly and the war on open computing and ultimately freedom. This is exactly what Google intended. This is why they started off by announcing completely removing device owner chosen installs (this is not side loading! It's simply installing.) and announced only apps allowed by Google would be available for install. They knew it would cause backlash. They anticipated that and planned ahead faking a compromise. They are trying to boil us like frogs by so slowly raising the temperature so we do not notice. Whenever the water gets so warm that people do notice they cool it down a little. But they will turn up the heat again! This 24h window is designed to make device owner controlled installs as unattractive as possible. They try to reduce it as much as they can while having plausible deniability ("You can still install apps not whitelisted by us"). They want to get the concept of people installing software of their own choice onto their own device as far away from the mainstream as possible. They want to marginalize it. They want to slowly and quietly kill off the open Android app ecosystem by reducing the user base. The next step will be them claiming that barely anyone is installing apps not signed by them anyway. First they make people jump through ridiculous hoops to install non whitelisted apps, then they use the fact that few people jump through these hoops to justify removing the ability altogether. Google does not care about preventing scams. If they did they would do something against the massive amount of scam ads that they host. Scams are just their "think of the children". Do not play by their playbook! Do not give them ground! We must not accept any restrictions on the software we run on our own devices. The concept of ownership, personal autonomy and choice are being dismantled. Our freedom is the target of a slow, long waging war. This is yet another attack. We must not compromise with the attacker. We must not give them any centimeter of ground.
- gumby271:
  > In addition to the advanced flow we’re building free, limited distribution accounts for students and hobbyists. This allows you to share apps with a small group (up to 20 devices) without needing to provide a government-issued ID or pay a registration fee.

  I don't quite understand how those installs would be tracked. If I create a "hobbyist" account and share the apk, are the devices that install that app all reporting it to Google? To my knowledge, Google only does this through the optional Play Protect system, is that now no longer optional? I'd like to know if my computer is reporting every app I install up to Google.
- xnx: This is eminently reasonable. Now if only Android would allow for stronger sandboxing of apps (i.e. lie to them about any and all system settings).
- andyjohnson0: I'd rather not have to go through this ritual, but I appreciate that there is a genuine security problem that google are trying to address. I also suspect that they have other motivations bound-up in this - principally discouraging use of alternative app stores. But basically I could live with this process. Yeah, I know... Stockholm syndrome... Although I may not have to live with it, as none of my present devices are recent enough to still receive ota updates. Context: I don't use alternative app stores. I occasionally side-load updates to apps that I've written myself, and very occasionally third party apps from trusted sources.
- ptrl600: Hey, the user doesn't need a Google account, that's good. Still a danger of frog boiling but not as bad as I was expecting.
- modeless: Hmm, as long as the waiting period is not per-app then maybe this is OK. Especially now that there is a well supported way to distribute alternative app stores without going through the sideloading process.
- politelemon: I'm not in agreement with most of you, hn. They've found a decent compromise that works for power users and the general population. Your status as a power user does not invalidate the need to help the more vulnerable. Having to wait a day for a one off isn't a big deal, if they kept it looser then you'd be shouting about the amount of scams that propagate on the platform.
- viktorcode: Judging by the comments sideloading plays a major part in everyone's life. What apps do you sideload, guys? Why are those apps not in a store?
- fhn: All these vibe coders and we're still stuck with Google and Apple. This is what you get with a duopoly
- mzajc: tl;dr:
  - You need to enable developer mode
  - You need to click through a few scare dialogs
  - You need to wait 24h once

  I wonder how long this will last before they lock it down further. There was a lot of pushback this time around and they still ended up increasing the temperature of the metaphorical boiling frog. It still seems like they're pushing towards the Apple model where those who don't want to self-dox and/or pay get a very limited key (what Google currently calls "limited distribution accounts").
- wolvoleo: Do you need a Google account to opt out of the restriction? It says something about authenticating. I don't have a Google account on my Androids. But I can't remove play services on them, sadly. As an intermediate protection I just don't sign in to Google play, that gives them at least a bit less identifying information to play with. I hope this can be done without a Google account.
- notrealyme123: they even say that you can allow sideloading temporarily or indefinitely. Guess which option won't be available anymore in two years.
- fdghrtbrt: Reminder that when you use terminology like "sideloading" you're accepting the premise that there's something inherently dodgy about installing your software onto your operating system. Just call it "installing".
- anonym29:
  > And what is malware? For [Android Ecosystem President], malware in the context of developer verification is an application package that “causes harm to the user’s device or personal data that the user did not intend.”

  Like when Google, Facebook, Apple, Microsoft, et al. cooperated with¹ the unconstitutional and illegal² PRISM program to hand over bulk user data to the NSA without a warrant? That kind of harm to my personal data that I did not intend? If so, I'd love to hear an explanation of why every Google/Alphabet, Facebook/Meta, and Microsoft application haven't been removed for being malware already.

  ¹ https://www.theguardian.com/world/2013/jun/06/us-tech-giants...

  ² https://www.reuters.com/business/media-telecom/us-court-mass...
- macinjosh: The secret reason they are doing this is because governments want to be able to identify everyone online everywhere it matters at all time. They want to strip anonymity from computing. Apple and Google can now credibly claim to governments to have nearly ubiquitous computing platforms that they can guarantee do not run any software that is not approved or antithetical to the goals of authorities. This makes the device safe for storing things like government IDs. OSs and Browsers will be required to present these IDs or at first just attest to them. Before posting online, renting a server, using an app you will have to identify yourself using your phone or similarly locked down PC (i.e. mac). The introduction is under the guise as always of protecting the children. In reality they are removing your rights to privacy and free speech.
- aftergibson: Nothing screams being infantilised by your platform more than having to wait 24 hours to be allowed to install software on your own purchased computing devices.
- cobbal: Can you set your clock forward or does this also require phoning home to a central server to install an app on your computer?
- PieUser: So convoluted... that's all I gotta say.
- IamDaedalus: the best marketing apple has received in a long; death by self sabotage
- prmoustache: This is ridiculous, most malware is shipped by google itself through the playstore.
- nullc: I'd urge everyone here to seriously consider switching to GrapheneOS. It's a far simpler transition than e.g. switching from Windows or OSX to Linux, and many people find that it has basically no friction vs android. More people moving to GrapheneOS is the best tool we have against Google's continued and escalating hostility to user freedom and privacy and general anti-competitive conduct. (Of course, you could ditch having a smartphone entirely..., but if you're willing to consider that you don't need me plugging an alternative).
- grishkno: That's similar to the process of enabling developer options on Xiaomi phones, for the last 5 years
- guilhas: Some years ago had a scam call about my "router connection error logs" and "I needed" to install TeamViewer from the PlayStore... So can't imagine what this is going to stop
- w4rh4wk5: I'll repeat my question from a while ago. Is the official Temu app, available on the Play Store, still full of questionable malware / spyware code? If so, it's clear that none of these changes are actually to protect users.
- jacquesm: Malicious compliance.
- tadfisher: Honestly, if coerced sideloading is a real attack vector, then this seems to be a pretty fair compromise. I just remain skeptical that this tactic is successful on modern Android, with all the settings and scare screens you need to go through in order to sideload an app and grant dangerous permissions. I expect scammers will move to pre-packaged software with a bundled ADB client for Windows/Mac, then the flow is "enable developer options" -> "enable usb debugging" -> "install malware and grant permissions with one click over ADB". People with laptops are more lucrative targets anyway.
- benatkin: Funny how that post doesn't mention that a huge amount of malware is downloaded from Google (from the Chrome Web Store as well as from Google Play).
- ForHackernews:
  > Install apps: Once you confirm you understand the risks, you’re all set to install apps from unverified developers, with the option of enabling for 7 days or indefinitely. For safety, you’ll still see a warning that the app is from an unverified developer, but you can just tap “Install Anyway.”

  If you can enable this once, forever, after a 24 hour cooldown period I don't hate this as much as I hated some of the other proposals from Google. It'll just be something you do as part of the setup for a new phone.
- NooneAtAll3: is it 24 hour per app or to enable sideloading at all?
- shadowgovt: So can it be breached by turning off networking and setting the date forward a couple days?
- omnifischer: Those working in Google (AOSP) that write this code should be ashamed of themselves. Eventually they are doing a bad thing for the society.
- RIMR: I am not happy about this, but as long as advanced Android users can still turn this off and keep it off, we're still in a better place than iOS. Even though I understand the design decisions here, I think we're going about this the wrong way. Sure, users can be pressured into allowing unverified apps and installing malware, and adding a 24-hour delay will probably reduce the number of victims, but ultimately, the real solution here is user education, not technological guardrails. If I want to completely nuke my phone with malware, Google shouldn't stand in my way. Why not just force me to read some sort of "If someone is rushing you to do this, it is probably an attack" message before letting me adjust this setting? Anyone who ignores that warning is probably going to still fall for the scam. If anything, scammers will just communicate the new process, and it risks sounding even more legitimate if they have to go through more Google-centric steps.
- beepbooptheory: I get that it's pretty clear with the straight sideloading case, but can anyone say for sure what this will look like for an f-droid user? It's hard to keep track but I thought something new here because of EU is that alternative app stores != sideloading? Something where app stores could choose themselves to get "verified," whatever that means, to become a trusted vendor? Or is this completely wrong?
- darkwater: They have now successfully turned the temperature knob from 2 to 5. I wonder what 7 will be.
- jwlake: If android security is so fucked that the 24 hours helps, why do they maintain it has security?
- 2OEH8eoCRo0: Seems like a very reasonable compromise. What's the catch?
- lenerdenator: And now we see why Android never really was Linux. Does it have a Linux kernel? Of course. But this isn't a free operating system.
- spwa4: What? No requirement to personally bring in a form in triplicate to the Google office in Siberia, of course notarized by the Pope and Zendaya, and simply prove it was signed on the moon.
- hypeatei: I'll say it again: this isn't a problem for Android to solve. Scammers will naturally adapt their "processes" to account for this 24-hour requirement and IMO it might make it seem more legitimate to the victim because there's less urgency. The onus of protecting people's wealth should fall on the bank / institution who manages that person's wealth. Nevertheless, this solution is better than ID verification for devs.
- aboringusername: It's not like the Google Play store hasn't been known to host malicious apps, yet you are not required to wait 24 hours before you install apps from their store. I suspect they are hoping users just give up and go to the play store instead. Google touts about "Play Protect" which scans all apps on the device, even those from unknown sources so these measures can barely be justified. Imagine if Microsoft said you need to wait 24 hours before installing a program not from their store, which is against the entire premise of windows. Computing, I once believed was based on an open idea that people made software and you could install it freely, yes there are bad actors, but that's why we had antivirus and other protection methods, now we're inch by inch losing those freedoms. iOS wants you to enter your date of birth now. The future feels very uncertain, but we need to protect the little freedoms we have left, once they're gone, they're gone for good.
- surgical_fire:
  > Wait 24 hours

  Man, fuck Google. I hope this bullshit is struck down by government regulation as malicious compliance to 3rd party app stores. I wonder if GrapheneOS will have the same level of user-hostile bullshit. That may be my salvation board right now. Sailfish OS would be great, but unfortunately my banks don't seem to play along with it.
- silver_sun: It's a little inconvenient for someone setting up a new phone to have to wait a full day to install unregistered apps. But while I can't speak for others, it's a price I'm personally willing to pay to make the types of scams they mention much less effective. The perfect is the enemy of the good.
- quyleanh: Tbh, I love this flow. They truly think for users, all users not just advanced users. Unlike Apple, Apple just think for its ecosystem, its money.

  How the advanced flow works for users
  - Enable developer mode in system settings: Activating this is simple. This prevents accidental triggers or "one-tap" bypasses often used in high-pressure scams.
  - Confirm you aren't being coached: There is a quick check to make sure that no one is talking you into turning off your security. While power users know how to vet apps, scammers often pressure victims into disabling protections.
  - Restart your phone and reauthenticate: This cuts off any remote access or active phone calls a scammer might be using to watch what you’re doing.
  - Come back after the protective waiting period and verify: There is a one-time, one-day wait and then you can confirm that this is really you who’s making this change with our biometric authentication (fingerprint or face unlock) or device PIN. Scammers rely on manufactured urgency, so this breaks their spell and gives you time to think.
  - Install apps: Once you confirm you understand the risks, you’re all set to install apps from unverified developers, with the option of enabling for 7 days or indefinitely. For safety, you’ll still see a warning that the app is from an unverified developer, but you can just tap “Install Anyway.”