Recently Google decided that in the future for an app to be installable on an Android device, the developer of this app needs to be ID’d and registered at Google. They claim this is in order to “to better protect users”. However, I think, this is a move to get more control over the Android ecosystem, and the data they can collect with it. If anyone who wants to develop an app for Android devices has to be registered with Google, this puts all the power of who to allow distributing an app to Google.
Furthermore F-Droid shows, that safe app stores can exist without registration, neither of users nor of developers. There is zero malware or spyware on the F-Droid store. What there is on F-Droid is thousands of beautiful, useful and, most importantly, safe apps. And this entire ecosystem is at risk, because Google wants to gain more control over its users and over the Android operating system.
I mean, it’s worked for Apple so far. And if this is, as others have suggested, an effort to comply with EU attacks on privacy, then just maybe there’s a tiny silver lining in Trump leaning on the EU to stop it.
So Google says it is for security when all the malware is on its store…
Of course: Securing their monopoly is paramount.
It makes no sense at all.It is clear why they want to do that.This is another level of gatekeeping and should be illegal.
I think that they will leave the possibility to install apps from ADB
you can install apps like that if they’ve been signed with a developer key. or im guessing if you’ve compiled them yourself, and signed them with your developer key.
f-droid could still work, but it would need to be signed with a developer key, and any apps on there would need to be signed with developer keys
Jesus that post is bleak. It’s basically “Please write your political representative to do something or we’re forced to close up shop”. Since all our political representatives are walking around with massive hard-ons at the idea of surveilling us, it’s basically a poorly veiled good bye note.
Honest question: what else can they do anyway? They cannot fight this war alone.
They really can’t, I’m not blaming them. Maybe they could pivot ressources to contribute to sailfish or postmarket in some form. Android is pretty much dead for people who want to own their devices at this point.
What I don’t understand yet: custom ROMs don’t need that dev verification. Everybody cries now, that F-Droid can close shop, if Google comes through. But why? F-Droid would still be the #1 distribution platform for de-googled ROMs. So why this “that would kill F-Droid” sentiment?
I mean, yep: it is a shitty move by Google, but who expects non-shitty moves from Google these days? Of course they will punish and oppress their customers. That is what Big Tech is here for. If anything we ought to help those users.
Phone hardware is getting locked down too, making it much harder to install custom ROMs. This is a full court press on our rights to use our devices as we want. They’ll close most of the loopholes.
Majority of users don’t use custom ROMs.Who wants to develop an app with no audience? Who wants to develop open source software on a platform that is more and more behind closed doors. I see why developer don’t agree with their terms. We need the right to use the software we want on our devices.
But Google also stopped publishing device trees for their devices. And they are withholding the Android source code until release. Android is being developed in secrecy behind closed doors now. Public access to security patches is delayed by four months.
Google is increasing their chokehold on the platform. Development and maintenance of custom ROMs is getting more and more difficult. More and more vendors such as Samsung and Xiaomi are removing the possibility to unlock the bootloader. Installing a custom ROM was never a mainstream thing, and it is increasingly becoming impossible for most people.
Yep. As I wrote: Google does shitty things. It’s time to try to establish an alternative OS for mobile.
Do a lot of people use custom ROMs? As much as I am interested in the software, the main reason I haven’t installed them are the hardware limitations. I admit this isn’t a topic that I have a lot of knowledge on, but I assumed very few people who use FDroid are using custom ROMs and that FDroid was developed to run on stock Android specifically, even if it can be made to work with other ROMs.
No, probably a very small minority. Still, for those F-Droid is THE “store”. So, I don’t get how that “kills” F-Droid in any capacity. Anyhow, one could hope, that people who love F-Droid but are not de-googled yet would try out a custom ROM to keep their favorite store.
Ah I wasn’t aware FDroid ran on custom ROMs. I think perhaps the fear is that the userbase goes way down and kills any desire to keep up the project. I hope that isn’t the case.
Will you be able to install the fdroid store with ads?
im gonna lose it if i cant use seal and fossify man ;-;
What does seal do?
its a video downloader for all kind of websites including Youtube
Huh neat! Thank you.
I believe Google is doing this to comply with the Cyber Resilience Act; no chance that this requirement is going away in the EU.
Makes me WannaCry ☹️
Bad ransomware jokes aside, it actually really does…
Please explain how this is even related to that
Of course, the DSA already requires app stores to collect copies of identity papers, but it excluded small enterprises. I guess that’s why F-Droid didn’t have to do that, so far.
The CRA takes effect in 2027. Maybe you could come up with some argument for how Google could do this differently. But why should they bother to lawyer this? It’s not their problem, and they’d only be damned for pushing back.
Article 23
Identification of economic operators
- Economic operators shall, on request, provide the market surveillance authorities with the following information:
(a) the name and address of any economic operator who has supplied them with a product with digital elements;
(b) where available, the name and address of any economic operator to whom they have supplied a product with digital elements.
- Economic operators shall be able to present the information referred to in paragraph 1 for 10 years after they have been supplied with the product with digital elements and for 10 years after they have supplied the product with digital elements.
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02024R2847-20241120
F-Droid is in a bit of a bad position to argue here, as it does have a genuine security vulnerability that many choose to avoid the service for. Basically, while they say “our store is safe and contains zero malware” this isn’t necessarily true of the 3rd party repositories you can subscribe to with their app. So, if an attacker compromises the F-Droid app on your device, they can subscribe to their own repository and load malicious apps onto your device through the F-Droid app.
Unfortunately this move by Google is a bit of a death knell anyway. I can’t see governments preventing Google from doing this, particularly not now they’ve established means of access (paying) for data Google holds, and especially since governments (eg UK) are now mandating you install government apps on your phone.
This is circular.
if an attacker compromises the F-Droid app on your device, they can… load malicious apps onto your device
Could be rewritten:
if an attacker compromises your device, they can compromise your device
You’ve already lost when they put the first malicious app on.
I disagree with the notion that letting users make their own decisions regarding where to install apps from is a vulnerability. That’s how computers have always and are supposed to work. It’s like saying banking apps are a vulnerability because people can transfer money to scammers through them.
Under this thought process, Linux is the most insecure OS.
Why do you think vulnerabilities and functionality are mutually exclusive??
Of course being able to connect to other repos is a useful function of F-Droid, I use it for several. However, functionality also opens up potential doors for attackers.
The most effective way to secure your device is to limit functionality. Then, it becomes a trade off between what functionality you want or can do without, and what potential risk you’re willing to accept.
It’s easy to ignore risk and enable all functionality, and sometimes that’s nice to do, but you’ve got to find a balance.
My point here is that F-Droid is arguing about their viability because of their security, while running a service that has a known vulnerability.
Google itself has tons of malware in the play store, I don’t buy the security argument.
Yup, that’s a genuine vulnerability.
Then again, the playstore hosts predatory adware that legislation was forced to blunt.
Of the two, you have a higher chance of being scammed/harmed via the official playstore than by fdroid.
Yes absolutely. In fact, you’ve touched on the very issue that people don’t understand with Google - the likelihood of the risk.
Most people think that because the consequence of Google getting your data is low, it’s a lesser risk than a hacker getting into your device (very high consequence). But likelihood is just as important with risk. It’s very unlikely a competent hacker will attack your device (moreso with good practice on your part), so the risk is still low even though the severity is high. But it is an absolute certainty that Google will get your data - so even though the severity is low the risk is still significant, and arguably Google present a more significant risk than a hacker.
I’m not advocating using Google over F-Droid, or that Google’s change here is good, or even lawful. This is a textbook anti-trust type case that the EU prosecuted against in the past. However, unfortunately governments seem gung-ho for this to happen this time around.
All I’m saying is that if F-Droid want to tout the security of their service, they probably shouldn’t leave the door open for attackers to use their app as a vector for attacking devices. Their response to this wasn’t strong enough to justify their implied claim that they are at the forefront of security. They’re much better than Google, sure, but they should be trying harder if they want to lead.
On the contrary - it’s not Google getting one’s data that is to be avoided. They are a law abiding (if law bending) entity.
The issue is there are apps on the store that takes data for third parties, who then proceed to sell that data to threat actors who have a phone number and a user profile (great for scam calls).
The adverts within apps can also be predatory - preying on gambling addiction (I know this for a fact, I worked in the gambling industry), loneliness (AI partner boom), and inexperience (oh god the crypto scams…).
There is a greater probability of issues, but the severity is underplayed if examined without a psychological lense. When this is taken into account - the playstore offers a greater probability of lesser harm, and an equal (or greater) probability of severe harm.
The issue is that Google considers them getting your data as more important than allowing you to evade the data collection of third parties that pay them.
The issue is Google’s profiteering.
Agreed!
