Google's new developer mandate is hitting alternative app stores hard. F-Droid says forced registration, fees, and ID checks could end the open-source project.
What pisses me off it that they say they do this for security. It changes absolutely anything.
They really think that malware developers will say “oh no! I need to submit a picture of an id card to sign my malware! It’s literally impossible to submit a jpg of a stolen id card, I’m ruined and out of a job!”
What does it change? Waste 20 minutes of some malware developer while they register under a stolen id? They already have a system that scans for known malware and automatically remove it.
If it’s like the play store verification, it’s quite simple. The main problem is that once “verified”, Google publicly doxxes individual devs by publishing their residential address + private phone number + private Gmail on their dev page, and this is unacceptable for anyone except who used stolen identities
Thing is, Play Store is already filled with malware or near-malware from seemingly verified developers. I ran into several scam clone apps just today. It’s even snuck in through OEM apps.
Same on iOS, which supposedly verifies devs.
If ‘verification’ and curation is their idea of security, well… It appears their system is already overloaded, yet they want to expand it?
Not really, it’s more about children not being exposed to things usually. Hence starting with age requirements for porn and they move forward to other things.
“Protecting the children from harmful content and predators”, “protecting people from terrorists and criminals”, “protecting users from hackers” are all forms of security, and are all used as arguments to erode freedoms.
It all boils down to: just give up this bit of freedom so we can keep everyone safe.
They really think that malware developers will say “oh no! I need to submit a picture of an id card to sign my malware! It’s literally impossible to submit a jpg of a stolen id card, I’m ruined and out of a job!”
Which is irrelevant.
They can block any malware - now impossible to do with sideloading of apps during pop-ups.
Both things can be true. It definitely is better for security. It’s pretty much indisputably better for security.
But you know what would be even better for security? Not allowing any third-party code at all (i.e., no apps).
Obviously that’s too shitty and everyone would move off of that platform. There’s a balance that must be struck between user freedom and the general security of a worldwide network of sensitive devices.
Users should be allowed to do insecure things with their devices as long as they are (1) informed of the risks, (2) prevented from doing those things by accident if they are not informed, and (3) as long as their actions do not threaten the rest of the network.
Side-loading is perfectly reasonable under those conditions.
It’s pretty much indisputably better for security.
I dispute this. While adding extra layers of security looks good on paper, flawed security can be worse than no security at all.
Android packages already have to be signed to be valid and those keys already are very effective in practice. In effect these new measures are reinventing the wheel as to what a layperson would think this new system does.
Adding this extra layer in fact has no actual security benefit beyond posturing/“deterrence”. Catching a perpetrator is not the same thing as preventing a crime. Worse - catching a thief in meatspace has the potential to recover stolen goods, but not so in digital spaces - either the crime is damage or destruction of data for which no punishment undoes the damage or the crime is sharing private data which in practice would almost certainly have been immediately fenced to multiple data brokers.
And were only getting started with this security theater:
Nothing prevents an organization from hiring a developer for long enough to register before being flushed (or the same effect with a burner account on fiver)
Nothing in this program does anything to get code libraries vetted - many of these developers may accidentally be publishing code from poisoned wells that they have no practical knowledge of.
None of these measures make scams less profitable.
None of this addresses greyware - software that could technically qualify as legal (because the user agreed to terms of service for a service of dubious value)
All of this costs time and resources that will likely inevitably be shouldered on low paid engineers that could have put that effort to better uses.
Metrics and statistics may likely be P-hacked to reflect that the new system as a success (because there’s internal pressure to make it look good) this turning-security-into-press-releases would have collateral of making accountability overall worse.
But you know what would be even better for security?
While we’re at it we could add the tropes of removing network connectivity, or switch to using clay tablets kept in a wooden box guarded by a vengeful god. Both of those would be more secure, too.
Users should be allowed to do insecure things with their devices
100% agree with you here - it’s fundamentally the principle of “Your liberty to swing your fist ends just where my nose begins”. Users should be given the tools and freedom to do as they want with their property - up until it affects another person or their property in an unwanted way.
Of course they know that. It’s about power and money. After all, they already have a security program that filters out malware. If we believe their stated reasoning (which we don’t), they’re tacitly admitting that their current security program is a complete failure, and also that they will not try to fix it.
What pisses me off it that they say they do this for security. It changes absolutely anything.
They really think that malware developers will say “oh no! I need to submit a picture of an id card to sign my malware! It’s literally impossible to submit a jpg of a stolen id card, I’m ruined and out of a job!”
What does it change? Waste 20 minutes of some malware developer while they register under a stolen id? They already have a system that scans for known malware and automatically remove it.
I don’t think it’s going to be as simple to verify as uploading a pic of an id
If it’s like the play store verification, it’s quite simple. The main problem is that once “verified”, Google publicly doxxes individual devs by publishing their residential address + private phone number + private Gmail on their dev page, and this is unacceptable for anyone except who used stolen identities
Thing is, Play Store is already filled with malware or near-malware from seemingly verified developers. I ran into several scam clone apps just today. It’s even snuck in through OEM apps.
Same on iOS, which supposedly verifies devs.
If ‘verification’ and curation is their idea of security, well… It appears their system is already overloaded, yet they want to expand it?
That was fundamentally F-Droid’s retort.
It’s absolutely insane that anyone pretends Google Play and the App Store are fine though.
Has anyone scrolled through any search and not seen a sea of heavily marketed scam apps?
It’s always security when someone wants to take our freedom away. Always security…
Not always. It can also be about the children.
About keeping the children safe
That’s also security.
Not really, it’s more about children not being exposed to things usually. Hence starting with age requirements for porn and they move forward to other things.
“Protecting the children from harmful content and predators”, “protecting people from terrorists and criminals”, “protecting users from hackers” are all forms of security, and are all used as arguments to erode freedoms.
It all boils down to: just give up this bit of freedom so we can keep everyone safe.
Which is irrelevant. They can block any malware - now impossible to do with sideloading of apps during pop-ups.
Both things can be true. It definitely is better for security. It’s pretty much indisputably better for security.
But you know what would be even better for security? Not allowing any third-party code at all (i.e., no apps).
Obviously that’s too shitty and everyone would move off of that platform. There’s a balance that must be struck between user freedom and the general security of a worldwide network of sensitive devices.
Users should be allowed to do insecure things with their devices as long as they are (1) informed of the risks, (2) prevented from doing those things by accident if they are not informed, and (3) as long as their actions do not threaten the rest of the network.
Side-loading is perfectly reasonable under those conditions.
I dispute this. While adding extra layers of security looks good on paper, flawed security can be worse than no security at all.
Android packages already have to be signed to be valid and those keys already are very effective in practice. In effect these new measures are reinventing the wheel as to what a layperson would think this new system does.
Adding this extra layer in fact has no actual security benefit beyond posturing/“deterrence”. Catching a perpetrator is not the same thing as preventing a crime. Worse - catching a thief in meatspace has the potential to recover stolen goods, but not so in digital spaces - either the crime is damage or destruction of data for which no punishment undoes the damage or the crime is sharing private data which in practice would almost certainly have been immediately fenced to multiple data brokers.
And were only getting started with this security theater:
While we’re at it we could add the tropes of removing network connectivity, or switch to using clay tablets kept in a wooden box guarded by a vengeful god. Both of those would be more secure, too.
100% agree with you here - it’s fundamentally the principle of “Your liberty to swing your fist ends just where my nose begins”. Users should be given the tools and freedom to do as they want with their property - up until it affects another person or their property in an unwanted way.
Most Android owners don’t even know they have Android phones. They are not informed.
Of course they know that. It’s about power and money. After all, they already have a security program that filters out malware. If we believe their stated reasoning (which we don’t), they’re tacitly admitting that their current security program is a complete failure, and also that they will not try to fix it.