• Max-P@lemmy.max-p.me
    1 day ago

    Apps from outside the Play Store? No, because previously your phone had no reason to ask Google anything. You could always not sign in to Google and disable Play Protect and use F-Droid and Obtainium.

    But now, it needs to check developer signatures to know if it’s a verified developer, and it obviously can’t cache all of them as the size would be insane.

    And that in turn implies that your phone needs to reach out to Google and be like yo, is this app banned?

    That query gives them at minimum the IP of the user, the package name, and the time at which it happened.

    And thus they can effectively track anyone using, say, privacy apps, making it that much riskier to use them in places where they’re not allowed.

    For your “safety”.

    • DreamlandLividity@lemmy.world
      1 day ago

      > Apps from outside the Play Store? No, because previously your phone had no reason to ask Google anything.

      The Play Store seems to be sending a list of all applications to ask for available updates. This is observable because the Play Store offers me updates for apps I installed via F-Droid and Obtainium.

      > But now, it needs to check developer signatures to know if it’s a verified developer, and it obviously can’t cache all of them as the size would be insane.

      Not how signatures usually work. You check that the signing key (certificate) is signed by Google's key, and you fetch a revocation list (banned developers). Of course, Google could implement it in the way you suggest in theory, but I find it unlikely, since it would block offline installation for no reason.
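
The offline check described in the comment above, as an added example that is not part of the thread and is not Google's implementation: the device holds only a root public key and a cached revocation list, so the install decision needs no per-app network query. The key sizes, identifiers (`dev-0001`, `check_install`, `issue_cert`) and the toy textbook-RSA scheme are assumptions chosen so the sketch runs with the standard library alone.

```python
import hashlib

# Toy textbook-RSA signatures (no padding, fixed Mersenne primes) so this runs
# with the standard library only. NOT secure: it stands in for whatever real
# signature scheme a platform would use, which the thread does not specify.
E = 65537

def keypair(p, q):
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))  # (public modulus, private exponent)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

# Constructed keys: a platform root and one developer (hypothetical).
ROOT_N, ROOT_D = keypair(2**127 - 1, 2**61 - 1)
DEV_N, DEV_D = keypair(2**89 - 1, 2**107 - 1)

def issue_cert(dev_id, dev_n):
    """Root signs the binding between a developer id and its public key."""
    body = f"{dev_id}|{dev_n}".encode()
    return {"dev_id": dev_id, "dev_n": dev_n, "sig": sign(body, ROOT_N, ROOT_D)}

def check_install(apk, apk_sig, cert, revoked_ids):
    """Offline decision: root public key + cached revocation list only.
    The list is fetched in bulk, the same for every device, so fetching it
    does not reveal which package is being installed."""
    body = f"{cert['dev_id']}|{cert['dev_n']}".encode()
    if not verify(body, cert["sig"], ROOT_N):
        return "reject: certificate not issued by root"
    if cert["dev_id"] in revoked_ids:
        return "reject: developer revoked"
    if not verify(apk, apk_sig, cert["dev_n"]):
        return "reject: APK signature mismatch"
    return "allow"

# Constructed sample data.
CERT = issue_cert("dev-0001", DEV_N)
APK = b"constructed APK bytes"
APK_SIG = sign(APK, DEV_N, DEV_D)
```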

      • Max-P@lemmy.max-p.me
        1 day ago

        They said it would require network access and that they would have a handful of popular apps preloaded to avoid too much disruption so those can be installed offline. In practice that probably means Google apps, Meta apps and other big corp apps.

        They also have you register package names with them, not just a certificate.

        I was hoping it would be a certificate situation but we’re kind of past Google using the least intrusive and privacy-preserving options.

        • DreamlandLividity@lemmy.world
          1 day ago

          I must have missed that. Well, there goes any possible excuse about security, since they are going out of their way to make it less privacy-preserving…