I'm struck with how long the history of Apple's earliest iPhone has shaped and produced long-term damage to the concept of digital ownership. Apple originally didn't allow anybody but Apple to create software for the 1st gen iPhone, and only later was forced "opening" it my market forces.
People who realized they actually owned the thing they bought wanted to do what they wanted, which required circumventing Apple's control or "jailbreaking". This differentiator stimulated Google to "allow" installing on Android without "jailbreaking" the device aka "sideloading", giving the illusion of the kind of freedom that was never in question on normal computers.
It is interesting though how this same conversation doesn't exist in the same way in other areas of computing like video game consoles or other embedded computing devices where the controls against arbitrary applications is even stronger.
The fact that mobile phones aren't yet just a standard type of portable computer with an open-ish harware/driver ecosystem that anybody can just make an OS for (and hence allow anybody to just install what they want) is kind of wild IMHO. Why hasn't the kind of ferver that created Linux driven engineers to fix their phones? Is Android and iOS just good enough to keep us complacent and trapped forever? I can't help but think there might be some effect here that's locking us all in similar to how the U.S. healthcare system can't seem to shake for profit insurance.
I'm sometimes surprised at the plethora of cheap handheld gaming systems coming out of China that support either Linux, Android, or sometimes both, and seem to be based on a handful of chipsets. If anybody ever slapped an LTE module and drivers onto one of those things we'd have criminally cheap and powerful, open phone ecosystem.
> It is interesting though how this same conversation doesn't exist in the same way in other areas of computing like video game consoles
Historically, when the first game consoles with game cartridges existed, the hardware was much more niche than the available personal computers. Game system developers designed hardware specifically for games, and game developers developed for those specific systems. Also, physical media for games provided an ownership model and DRM.
In 2003, Apple released the iTunes Music Store partnering with music labels to counteract the prevalence of music pirating. That was the first major digital marketplace with DRM and way before the App Store in 2008!
In 2005, digital distribution for video game consoles came with the Xbox 360, PlayStation 2, and Wii. Being game consoles with unique hardware, they kept their restricted licensed development model of previous generations.
The iPhone and App Store just followed that pattern. Unique hardware and a licensed digital marketplace to go with it.
Now, the hardware between video game consoles, smartphones, and personal computers are mostly unified; and the only real difference is software, but the restricted marketplace model still remains.
---
> The fact that mobile phones aren't yet just a standard type of portable computer with an open-ish harware/driver ecosystem that anybody can just make an OS for (and hence allow anybody to just install what they want) is kind of wild IMHO. Why hasn't the kind of ferver that created Linux driven engineers to fix their phones?
DRM. There are already devices where you can unlock the bootloader and install any OS on it. But then you won't be able to install apps that use the Play Integrity API to ensure DRM. Companies/developers want revenue and develop apps that require Play Integrity.
Any device that doesn't have DRM will never support a paid digital marketplace or paid content streaming.
> Is Android and iOS just good enough to keep us complacent and trapped forever?
Probably. Microsoft tried a DRM supported OS with Windows Phone and that failed.
---
That being said, digital marketplaces and DRM have there place to prevent piracy and allow developers and creators to make a living.
If someone has a solution to prevent piracy without a root of trust that would be ideal.
"That being said, digital marketplaces and DRM have there place to prevent piracy and allow developers and creators to make a living.
If someone has a solution to prevent piracy without a root of trust that would be ideal.'
This is the equivalent statement to inspecting everyone's bag at any point because they might have something illegal. It's not an acceptable move from google.
I think it's more equivalent to when game consoles check the license on disc media.
It used to be via hardware in the disc reader, then online license checking. And now it's fully digital, media and license.
The fucked up part is the fact that we can't transfer digital ownership of purchases. Maybe this is what we should use blockchains for, but it would still require a locked device with root-of-trust.
---
> It's not an acceptable move from google.
By all means, you can have an unlocked Android device with a non-Google sanctioned OS and not use Google Play. That way you can use any app that doesn't require Google Play Protect.
Companies are OK with it because it makes them money. The majority of users are OK with it because they can use those companies' apps.
Steam is a bit different, since that originated as a PC digital marketplace before complete root-of-trust DRM from HW->bootloader->OS->SW.
If anything, I would bet on a shift where Steam on Linux requires a signed OS like Windows Secure Boot. Wait, a signed Linux OS with Secure Boot already exists... It's Android Play Protect.
Also on Linux, you only get Widevine L3, which limits video and audio quality for DRM web content.
It's less likely that game consoles and smartphones will become fully unlocked like personal computers. I would bet on the opposite where personal computers have the same HW/SW model as smartphones. We are already almost there with macOS SIP and Windows Secure Boot. The only thing missing is removal or isolation of root privilege escalation.
> I can't help but think there might be some effect here that's locking us all in similar to how the U.S. healthcare system can't seem to shake for profit insurance.
Yup. The Amish have had no trouble implementing a single payer healthcare system in the USA. It can be done, where the people want it. But, by and large, the people really don't care. In the back of their minds they might think it would be nice to have in the same way they think it would be nice to have a muscly six pack, but when it comes down to putting in the effort to see it happen...
I understand what you're saying, but I still think it's wrong to blame the people "not wanting it". The corporations and politicians are really powerful and they go far and wide to protect their profits and interests.
Yes, the people could care more and could stand up for it, but it's so easy to blame them and that's exactly what the corporations & politicians want.
Maybe in some magical AGI future computers can do the work, but until then where else is the effort going to come from? It isn't going to randomly appear out of thin air, that is for sure. There is nothing else to "blame" but them.
It's not the "corporations" (which, in this context, is just another way to say people — and in this case often the very same people) keeping you from that six pack, nor it is it keeping you from building a single payer healthcare system. Not wanting to put in the toil to make it happen will certainly get in the way, though. We all understand why nobody really wants to put in the hard work and suffering to make the necessary changes, but that doesn't change the fact that it won't happen until you do it.
> It is interesting though how this same conversation doesn't exist in the same way in other areas of computing like video game consoles
Yes, there needs to be a lot more uproar for these cases as well. One of the most appalling cases is that of macOS. To distribute your app (as a .dmg for instance), you need to sign up and pay for a Developer ID, sign the app with a Developer ID certificate and then notarize it, EVEN if you don't intend to use their App Store.
You can self sign without a developer account and self distribute and all it does is notify the user that the software is from the internet the first time they run it. They can still use the app. If it is completely unsigned, users may have to bypass gatekeeper, but that is just a setting.
If you want to sign using a cert trusted by apple, and distribute on their infrastructure, you do need a paid account.
This seems like a reasonable compromise, quite honestly. That is based on remembering the bad old days of just having to trust that the software you downloaded from some random shareware site hadn't been modified maliciously.
99% of users are not going to understand why they can't just double click the app to run it. And the second they see macOS gaslight them into thinking self-signed applications are radioactive biohazards via scary warnings, they aren't going to take additional complicated steps to run the app they wanted to run in the first place.
Users will just assume the app is broken, a virus or that you're a hacker, all because of the way macOS treats apps from developers who didn't pay the Apple tax or submit the app to Apple's panopticon for approval.
Users should not have to know some cursed and arcane ritual to run the apps they want to run.
Wait, do you need to do that? I've never attempted distribution, but I've created multiple local apps with Electron and Tauri for myself, and they are just a .app on my Applications folder. Wouldn't it be as easy as sharing this file with anyone else if I wanted to distribute them?
They need to try to open it, visit Settings > Privacy & Security, scroll down quite a bit, hit Open Anyway, try to open it again, and confirm one last time.
(Might be quicker for some in Terminal if supported.)
I think it used to be Right Click > Open, then confirm.
No, macOS treats your machine's self-signed certificates in a special way so that running apps signed with them is transparent to you, but a nightmare to anyone you dare to distribute the apps to without Apple's approval.
> I can't help but think there might be some effect here that's locking us all in similar to how the U.S. healthcare system can't seem to shake for profit insurance.
Yeah. It's called capitalism, where the reasoning behind everything is "How can businesses make a profit?". And in the U.S., it's also, if the business doesn't make a profit I'll starve.
> The fact that mobile phones aren't yet just a standard type of portable computer with an open-ish harware/driver ecosystem that anybody can just make an OS for (and hence allow anybody to just install what they want) is kind of wild IMHO. Why hasn't the kind of ferver that created Linux driven engineers to fix their phones?
It's because each phone SoC is essentially its own bespoke architecture. You can't build one arm64 Linux ISO that will work on all phones like you can an x86_64 ISO on a PC. Each and every model of phone requires 0) unlocked bootloaders and either 1) full support from the vendor for Linux or 2) dedicated hackers willing to reverse engineer the board to get it to boot Linux in the first place & then developers willing to write missing device drivers & then maintainers willing to keep the fork up to date or mainline the changes.
It will always be cheaper for phone manufacturers to develop bespoke SoCs than it is for them to implement protocols and interfaces that make booting and hardware discovery standardized like they are on the PC. Making a phone as accessible as a PC to booting generic operating systems inherently means increasing costs at every level from the design up.
> I'm sometimes surprised at the plethora of cheap handheld gaming systems coming out of China that support either Linux, Android, or sometimes both, and seem to be based on a handful of chipsets. If anybody ever slapped an LTE module and drivers onto one of those things we'd have criminally cheap and powerful, open phone ecosystem.
On the surface it seems like that, but all of those devices suffer from the same issues I described above. There will be thousands of devices that "support" Linux, but only nominally.
What happens is, if the manufacturer even releases the kernel source, you get a git dump of a forked kernel that was never modified to be upstreamed with the vanilla mainline kernel. That essentially means you are stuck using that fork unless you have the time, knowledge and skill to port that fork over to the mainline, which is a lot of work. This applies to every SoC, and SoC modification, in gaming systems. Barely any of this work crosses over or can be standardized like it is on a PC.
None of that makes a platform a real open ecosystem.
Source: I'm involved in porting and maintaining a Linux distro for those cheap Chinese handheld gaming systems. The only reason Linux runs on them is because weird nerds spent time getting it to run on them. When they get bored, your Linux "support" ends.
The best we can hope for is for ARM servers to scale down to the point we can use them in small form factors, as ARM servers implement the same standards PCs do to run generic Linux ISOs. We aren't going to get this from the mobile hardware ecosystem, there just are no incentives to make such an investment. Maybe we'll get them if ARM PCs truly take off.
> It is interesting though how this same conversation doesn't exist in the same way in other areas of computing like video game consoles or other embedded computing devices where the controls against arbitrary applications is even stronger.
The conversation takes place all the time, there are tons of people who want to, and do, run homebrew and Linux on their consoles, same thing with embedded devices. Getting Linux or Doom to run on an embedded device is a rite of passage.
One of the interesting history of the PC was when Microsoft started selling their OS to clone makers. To hear Balmer tell it, it was frighting as IBM was making their PS2 machines more proprietary. They won and IBM os2 lost. I figured android was Google’s MSDos for mobile, but it seems the temptation of ad revenue is too strong (even showing up on windows..)
Linux is the answer though on mobile it’s just starting to be a little competitive.
“Steve Ballmer:
We said ooh, IBM's probably not going to like this. This is going to threaten OS 2. Now we told them about it, right away we told them about it, but we still did it. They didn't like it, we told em about it, we told em about it, we offered to licence it to em.
Bill Gates:
We always thought the best thing to do is to try and combine IBM promoting the software with us doing the engineering. And so it was only when they broke off communication and decided to go their own way that we thought, okay, we're on our own, and that was definitely very, very scary.”
> It's because each phone SoC is essentially its own bespoke architecture.
Right, but that's a choice from manufacturers, not a requirement of building a mobile platform.
> It will always be cheaper for phone manufacturers to develop bespoke SoCs than it is for them to implement protocols and interfaces that make booting and hardware discovery standardized like they are on the PC.
This... seems suspect? I'm not doubting you, but I do wonder if it's a question of robbing Peter to pay Paul; perhaps it is cheaper to design a bespoke chip than it is to develop a standard for it, but over the course of many generations the benefits of standardizing would kick in?
I do know that RISC-V can support UEFI, so perhaps that's where we need to look to see how developments work out in the long run.
>It is interesting though how this same conversation doesn't exist in the same way in other areas of computing like video game consoles or other embedded computing devices where the controls against arbitrary applications is even stronger.
I think we could set the bar substantially higher. Don't even bother with discussion of sideloading. Talk about bounded transactions and device control.
What is needed is: Once I have purchased a device, the transaction is over. I then have 100% control over that device and the hardware maker, the retailer, and the OS maker have a combined 0% control.
First thing on the list for me is dramatically reforming the Digital Millenium Copyright Act (DMCA), which currently makes it a federal felony to provide other people any information or tools they might use to control the devices they own, ex:
> Thanks to DMCA 1201, the creator of an app and a person who wants to use that app on a device that they own cannot transact without Apple's approval. [...] a penalty of a five year prison sentence and a $500,000 fine for a first criminal offense, even if those tools are used to allow rightsholders to share works with their audiences.
In some ways, I think this is even more important than attempting to bar companies from putting in the anti-consumer digital locks in the first place: It's easier to morally justify, easier to legally formulate, and more likely to politically pass. The average person won't be totally stuck lobbing the government to enforce anti-lock rules for them, consumers can act independently to develop lockpicks.
Plus it removes the corporations' ability to bully people using your tax-dollars and government lawyers.
The DMCA stuff is quite annoying for more reasons but all are US; my hoster and internet provider both have standard emails for DMCA and copyright violations from US companies: "We received this, we do not care if you act on it, cheers.".
well, we need a platform competitor like Huawei doing for the past years
but Open Ecosystem/Platform
which is likely never happen tbh, since the amount of resources that required is a lot and would need monetization which would end up like at position like this
What does this even mean? You don't want software updates? Or strictly only software updates that are 100% aligned with your wishes whatever they may be at the time?
No forced updates, no downgrade prohibition, no bootloader locking, kernel GPL compliance (with drivers that can be loaded in it, even if they are closed source), no remote attestation.
The bare minimum so that I can use the device I bought as I wish, even if the manufacturer later decides to "alter the deal".
Why would anyone want an update misaligned with them, ever?
You should be able to set auto update, auto update with confirmation, manual update only, for any or all apps.
What someone does with that, and why, isnt something anyone should have to explain or excuse.
It could be as simple as not wanting any new features beyond but what an original version of an app has. Or not wanting an update that takes user data surveillance to another level.
Most of the time, software updates remove features, change things around for no good reason (breaking our workflows), or add unwanted features.
We really should separate pure bugfix updates (which include security updates) from feature updates. We nearly always want the former, but not necessarily the latter.
So much this. I totally want security fixes, but I only want security fixes. I don't want UI changes, features removed or altered, or anything with my usability upset.
My computing devices are tools I use to do my job and run my life. I don't want those tools changing without my consent.
Unfortunately, even for desktop software, this has shifted today: you can hardly get a security update without a feature upgrade too.
Except in cases like Debian (or Ubuntu LTS main collection, Redhat distribution...) which assumes the burden of backporting security fixes to a stable collection of software.
Unironically, I want finished software. I don't like it one bit how the vast majority of software products today are in an "eternal beta", so to speak.
Android, in particular, is a finished product. It doesn't need yearly updates. It may need an occasional update to patch a vulnerability, but this whole "we changed the notification shade UI for tenth time because we're so out of ideas" thing has to stop.
Yeah, that's the problem. As soon as it became feasible to push upgrades over the wire, software companies started relying on it. And unfortunately that mentality is viral, because as soon as one thing starts doing that, anything that else that interoperates with that other thing winds up having to do it to some extent. It's a tragedy of the commons.
But I'd definitely love to not be shipped alpha or beta software. MVPs are great when hacking, but why are we shipping hacked together stuff. "It works" doesn't mean it actually works...
Back when it came on physical media, it was very much finished. Needing an update to fix a critical bug or a UX issue was a very costly problem to have, both in money and in reputation. Users had to be convinced to buy and install major updates, instead of being strong-armed into it. Staying on an older version was easier, and in case of operating systems, much more widely accepted.
Many video games fall into that category even today. Sure, the "we can always release an update" mentality did infest game developers as well, but, unlike apps and OSes, most games do have a finite scope and stop being developed once that scope has been realized.
> Back when it came on physical media, it was very much finished.
That's also not true and I think you're not reading my point fairly. Back when software came on physical media we still had patches. We had patches that came through the internet and we had patches that came through physical media. The latter making it harder to patch.
It's a great situation when a bug is discovered and it is hard to patch.
You're fantasizing about a time that never existed. Software isn't "ever finished" because we are not omniscient writers who can foresee all problems, fix all bugs, and write software that is unhackable. That's the mindset that "all tests pass" or "it works for me" means the software "works."
We can't address the problems, as discussed in the article and that I mentioned in my comment, if we're going to retcon history and redirect ourselves to a worse environment. That doesn't fix anything.
We'll never be omniscient, sorry. The world changes. Hardware changes. Software rots. Time marches on. These do not change and we have to operate in a world where we acknowledge these basic facts of reality. We'll never make decent software if we can't acknowledge reality first.
I think this is a good point, even if you're presenting it as a false dichotomy.
Obviously saying "Apple shouldn't be allowed to touch my device after I purchase it" as well as "Apple should be compelled to provide security updates" is nuts.
But I think saying, "Apple shouldn't be allowed to touch my device after I purchase it" as well as "I should be able to provide my own security updates, if Apple doesn't want to" is totally reasonable.
But Apple would never allow that. So allowing sideloading seems like a reasonable amount of pain Apple should be forced to put up with...
I don't think Apple should be compelled to provide security updates. I think Apple should be held accountable for security vulnerabilities in anything they release. You can't evade liability by patching it later.
I'll take that deal 9 times out of 10.
Why would I want updates tied to a phone if I'm going to be installing my own software with its own updates? This is already done on most software, browsers, etc.
CVE on text messages? Cool, wasn't using the manufacturer's app anyway.
Maybe software updates could contain things users actually want, that provide a competitive incentive for users to choose to buy the phones from specific makers?
Maybe I do, maybe I don't. It's for me to decide what updates I want, if any. Apple and Microsoft do not give you a choice. Precisely zero people wanted Copilot on their computers, but it's there anyway whether you want it or not.
That bar would require infinitely good software on the hardware. Then it will be your device. Otherwise, they will constantly need to improve it. then it will be their software on your device.
Would you consider Microsoft Windows or Linux infinitely good software? The scenario described by the GP applies 100% to most personal desktop and laptop computers.
I don't think it matters if it's their software on your device, just like it's their chips inside the box. The key is that you choose whether or not to buy the product, or install their software.
People always say things like these, and I wish it were that way too. Maybe if history had gone a little differently.
But what's the point of defining these standards now? Is the world where this is the reality still feasible? It seems nearly impossible, unless you're an extremely wealthy and influential individual. What I'm seeing is that we never will move to a world where a device that you bought is truly "yours" anymore. Instead, we'll be renting one of the approved devices, ran by one of the tech megacorporations and overseen by your government. They will give no real way to execute any random code that you want, unless you're also licensed and vetted as a developer. They will be tightly surveilled, all information will be saved, every interaction between these devices will be controlled for the sake of security. It will be an entire web of trust, defined by the powers that be. We're seeing early attempts at it now, but we still haven't hit full centralization. But once we do, what happens then?
I said it elsewhere in the thread, but the current model is already falling apart: it has led to random IoT devices becoming parts of widespread botnets, affecting Internet functioning, and putting unwitting consumers at risk.
Fixing that problem might turn out to be cheaper for competitors by making their platforms more open and avoiding the full responsibility as a vendor.
Basically, combine current and future legislation about electronic waste, cybersecurity of IoT and connected devices, and the carve-outs for free software and open source platforms, and suddenly it becomes much cheaper to ship a product that will run for 20 years (say a washing machine) if you as a vendor can guarantee some of this for the warranty period (1-5 years), and open up the platform to consumers and shift the responsibility at that point. Also imagine the case of a vendor going under which needs to be covered too (this would make subscriptions infeasible too).
If legislation demands this (imagine no insecure devices for 20 years), markets will do the rest.
> I said it elsewhere in the thread, but the current model is already falling apart: it has led to random IoT devices becoming parts of widespread botnets, affecting Internet functioning, and putting unwitting consumers at risk.
But isn't this also exactly how the pitch will sound for what I proposed? You know, "The internet is too important and random people are allowed to upload and run random dangerous code within it with no oversight, this has to be stopped." The manufacturers will never bear the consequences of their choices, the consumers will. There might be a push to make the internet watertight by requiring all major websites and services to only allow access to "secure" devices and block all other traffic. After all, why spend money on cybersecurity when everyone can only use the (important parts of the) internet with their real names, and developers are de-anonymized?
Will this actually improve security? It seems very unlikely. But despite it, this move seems like exactly the kind of thing that's coming, because it massively benefits both companies and governments.
You are right, which is why I stress the time component and e-waste concerns. If combined they end up meaning that a vendor ships you a device and they need to take it back for recycling in 2-7 years when they stop providing security updates, market will force a change.
At the moment, laws are disjoint even in EU, and not strict about what happens when you stop fixing security bugs.
I mean, maybe, but I think what you're describing is a view so bleak and fatalistic that it amounts to saying the world may as well self-destruct because there's nothing we can do about it.
How's Ubuntu (or hell, any Linux distro) for mobile going to change what I outlined? It's not going to matter what OS you're running once all the important websites and services you use every day (up to and including government services) start requiring some form of attestation or other layers of security that will no doubt only be provided by a few locked-down vendors. Once that happens, your Ubuntu Touch phone will be about as useful as a Nokia 3310, at least online. After all, it's <0.01% of the market and open (therefore dangerous), Google or Microsoft or Apple aren't going to sign off on that. A natural consequence of that will be that "unsecured" devices will be stamped out, perhaps not by force, but just economically. That's the day when what I described will just become mundane reality.
When that happens we'll abandon the web as you described it and build a new one that better resists the cancer. Honestly there are a lot of bad decisions baked into out default stack that it's gonna be refreshing to be rid of. Not just malware and corporate overreach, but 1980s thinking that seemed fine at the time and turned out to not be.
So to answer your question: Ubuntu will let you access the next web, and Android probably won't.
If you're talking about developing some brand new means of worldwide communications, this seems extremely improbable if done by the 1% of the rest of us (basically, hobbyists and techy people). The internet required tens of billions of dollars worth of development and infrastructure to get to this point, how will it ever happen without the sponsorship of large centralized entities?
If you're talking about leeching off the existing internet infrastructure to communicate with some brand new protocols over them, who's going to let you do that? Both companies and governments would have incentive to put a stop to this in any way possible, because it drives away customers from the manufacturers and signers of all "secure" devices and lessens the amount/value of surveilled data. It may be allowed at a small scale, but I'm not seeing how anything long-term could be established that could threaten the existing powers in any way.
Its just a pattern I see repeated. The innovators find a playground, its cool for a while, then it succumbs to grift of some kind or another, and the innovators move on.
There was a time when "pamphlets" were an edgy new social medium, now its just a certain kind of ad. Same thing happened with radio. And now it has happened to the web also.
Why should this be the last time?
As for threatening the existing powers... I don't see what power they have if all they're guarding is a pile of stuff that nobody wants anymore.
It may be a bit inconvenient, but if you really need a device with radios that you can run arbitrary code on, you can get one for something like $4 and you can use your existing phone to drive it over something generic like http (There are plenty of people on meshtastic doing this).
I don't have the answers re: next steps but I know that its far more difficult to prevent people from communicating in novel ways than it is to come up with novel ways to communicate. I figure we've been playing this cat and mouse game with authority for millennia: they always win eventually and we always find a new way to make that victory irrelevant.
We lost. OK. What's left to do but invent the next battleground? We're hackers, its what we do.
I think this misses the forest for the trees here. The platforms behavior here is a symptom and not the core problem. I think the following are pretty clearly correct:
1. It's your damn phone and you should be able to install whatever the hell you want on it
2. Having an approved channel for verified app loading is a valuable security tool and greatly reduces the number of malicious apps installed on users devices
Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has a install at your own risk warning whenever you install something outside of the official app store. 99.9% of users would never see the warning either because almost all developers would register their apps through the official store.
But there is a reason why Apple/Google won't do that, and it's because they take a vig on all transactions done through those apps (a step so bold for an OS that even MSFT never even dared try in its worst Windows monopoly days). In a normal market there would be no incentive to side load because legitimate app owners would have no incentive not to have users load apps outside of the secure channel of the official app store, and users would have no incentive to go outside of it. But with the platforms taxing everything inside the app, now every developer has every incentive to say "sideload the unofficial version and get 10% off everything in the app". So the platforms have to make it nearly impossible to keep everything in their controlled channel. Solve the platform tax, solve the side loading issue.
> 2. Having an approved channel for verified app loading is a valuable security tool and greatly reduces the number of malicious apps installed on users devices
I would instead say that having a trustworthy channel for verified app loading is a valuable security tool. F-Droid is such a channel; the Google Play Store is not. So Google is trying to take this valuable security tool away from users.
Yes, I think the end user is in a better position than Google to decide who to trust. Some end users will make bad decisions, but Google's interests are systematically misaligned with theirs.
Not really. Google has maybe the best security researchers in the world, most end users have no idea, Hacker News is not representative of the general population.
I am not saying it justifies locking down devices, but that's the kind of situation where I think a bit of friction is a good thing. For example having to connect your phone to a computer and run some command line tool (like for unlocking a bootloader). You still have your freedom, but it is also something you are less likely to do by accident. In the sideloading situation, it looks like you could make yourself a developer account and repack apps under your own identity, which is one of these high friction workarounds.
For F-Droid specifically, maybe they should negotiate with Google before going to the offensive. Maybe they did and it didn't work, but I think a good compromise would be to let F-Droid has a key to sign the apps they compile, making F-Droid accountable for the apps they distribute.
And by the way, Firefox is in a similar situation for extensions. Over the years, they made it really hard to install anything from outside the official Mozilla repository, citing security concerns. It is not just Google.
Even if you allow package distribution whitelists, and even if we allow Google, by virtue of essentially owning/steering Android to, by default, be on the whitelist in their distributions...
At some point you need to just let the user say "I'm OK with being accountable for the installation" and get out of the way.
Yes, Google has much greater competency. But when their interests run counter to their users' interests, as in the particular case we're talking about where they are nuking F-Droid from orbit, thus depriving users of access to NewPipe and other apps that don't try to rip users off, that higher competency is a disadvantage, not an advantage.
Neither incentive alignment nor competency is sufficient without the other.
"Trustworthy" requires a qualifier of "for what" and I do trust Google to not intentionally install malware on my device and to take reasonable steps to prevent other people from doing it. I will admit that I don't know the details of how the app stores work, but they are at least checking the hashes of the binaries right? The probability of trying to install Instagram from Meta, but actually installing Instapwned from some malicious third party is zero when you go through the app store, right?
I assume that's correct, for your very narrow definition of malware and a nonzero definition of zero, and it's a good point that trustworthiness is context-dependent. As Alan Karp used to say, "I trust my relatives with my kids but not my money. I trust my bank with my money but not my kids."
Yes, but app stores like F-Droid, if you trust them, provide an even stronger security statement: they guarantee that you can check out the full source code of the app you are running.
This is what has made Linux distributions the go to for secure OS to run on your server: even if malware or bug leaks in, you have a full security trail about when and how that happened right in the open.
Wrong, plenty crap make it into the store, that is true for both Android and iOS. And the advertisement in the Android store is designed specifically to try to trick you into installing a different but similar app to the one you wanted.
I'm unclear on why F-Droid is any safer than the playstore and not possibly worse since using it tells potential malware purveyors that you're into sideloading in the first place.
F-Droid provides curated applications vetted by parties that *the user* chooses to trust.
By default, F-Droid provides only the applications that they themselves have verified and built from source. They also allow the user to add other sources from other parties who the user trusts (e.g. GuardianProject, IzzyOnDroid, and others[0]).
Google provides any application uploaded by any anonymous third-party who signs up as a developer (and in future, provides the required ID).
Because F-Droid inspects the source code of the applications they build, removes malware and other antifeatures from them, and compiles them from source to ensure that the binaries they deliver correspond to the source code they've inspected. The Google Play Store doesn't do any of those things. Consequently it's full of malware.
If I had to install a random app from the play store or from F-droid, I would pick F-droid every time. The level of vetting they apply is miles ahead of Google.
> it seems like a pretty obvious solution is to just have a pop up that has a install at your own risk warning whenever you install something outside of the official app store
That's close enough to how Android already works. Google wants to additionally prohibit installation of apps unless they're signed by a developer registered with (and presumably bannable by) Google.
> Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has a install at your own risk warning whenever you install something outside of the official app store.
It is an obvious solution, and it's a good first solution. This popup already exists.
A problem in security engineering is that when people are motivated (which is easy to achieve), they will just click through warnings. That is why, for example, browsers are increasingly aggressive about SSL warnings and why modifying some of the Mac security controls make you jump through so many hoops.
The usual take on HN is take the attitude that the developer is absolved of responsibility since they provided a warning to the user. That's not helpful. Users are inundated with stupid warnings and aren't really equipped to deal with a technical message that's in between them and their current desire. They want to click the monkey or install the browser toolbar. The attitude that it's not my problem because I provided a warning they didn't understand doesn't restore the money that was stolen from them by malware.
I guess this is a difference in philosophy then, but I think that the goal of security engineering should be to protect users from malicious actors, not to protect them from their own bad choices. If I give you a safety feature, and you turn it off, that's not my problem. There is a special level of hatred that I have reserved only for the busybodies who limit my choices and justify it as protecting me.
That said, your point about messaging is really good, and so many times I see security warnings I roll my eyes at how badly the message is written.
I agree that our choices should not be limited to protect us.
However, we need a better solution than pop-up warnings. I guarantee that you have clicked through a pop-up warning that was standing between you and the thing that you wanted to do (as have I, and everyone else who has used a computer for more than a day). We very quickly learn that most warnings aren't going to affect us, and that they're just saying "are you sure" to things that we're already sure of.
We've all selected a file, hit the delete key, got the pop-up saying "are you sure you want to delete wrong_file.txt", hit "yes" (because we always have to hit yes after hitting delete), then looked at the outcome and thought "oh, that was the wrong file" too late...
>Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has a install at your own risk warning whenever you install something outside of the official app store.
Android already does this. It's the thing that's going away.
> a step so bold for an OS that even MSFT never even dared try in its worst Windows monopoly days
I don't think it's like "MSFT didn't dare to try", but rather "MSFT was too stupid to come up with the idea". They didn't have the ability to manage it either (and till this day their Windows Store app still sucks with tons of bugs). Not to mention that Windows was already wide open, never with a restriction "you can only install these approved apps" to begin with.
Basically, not that Microsoft didn't do it, but it couldn't.
Also can you imagine trying to download software over the Internet in the 90s? They couldn't depend on their users having high speed connections because most didn't. App stores probably couldn't work before 2000.
> Having an approved channel for verified app loading is a valuable security tool and greatly reduces the number of malicious apps installed on users devices
These are claims that Apple and Google make to justify their distribution monopolies, and you are repeating them as fact. I don't think it's true, and cite as evidence both major app stores and the massive amount of malware in them.
Don't parrot anti-competitive lies from monopolists.
> Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has a install at your own risk warning whenever you install something outside of the official app store.
Google already does this. They've always done this, and it has always been a bad thing because it disadvantages app stores that try to compete with Google Play. Imagine you want to sell an app, and your marketing materials need to include instructions on how to enable "side loading" and tell people to ignore the multiple scary popups warning about vague security risks and malware.
> because they take a vig on all transactions done through those apps
This has already been litigated and federal judges ruled that they must allow devs to use third party payment processors. Look up the Epic Games cases against Apple and Google.
> In a normal market there would be no incentive to side load because...
This is nonsense. "sideload" just means to install something outside the Play store. In a normal market, there would be every incentive to do so, as consumers would be able to choose from multiple app stores. Users don't care where an app comes from, as long as they can figure out how to get it.
> both major app stores and the massive amount of malware in them
This is true, but it's also not the main vector of attack. The primary threat is that the user is intending to download $WELL_KNOWN_APP and instead downloads a compromised binary from a malicious third party and is instantly compromised. The app stores make the probability of this essentially zero.
Question: if the OS does proper app sandboxing how is this basically any different from having unrestricted access to a web browser or email?
Oh no granny tapped a bad Google ad and got phished! I guess we should kill the open web and use the officially sanctioned “web store” from now on (where you have to apply, pay a fee, and of course a % commission to host a website). It’s much safer for us!
It is not funny, but this already happens. ID verification mandated in some countries already take care for that under disguise for children protection.
Despite all the bad moves, one of the reasons why I use android and not iPhone is installing apps from places like fdroid.
If this stops, it fundamentally disallows me to have the privacy that Apple app store can't provide. The amount of garbage apps in play store is horrible. I don't try out any new apps from there cos of this. So I will just switch to iPhone.
Already degoogled for pretty much most things. This will be the last. And maybe switch my website from netlify which I think is using google cloud (need to check).
To me this seems analogous to the motivation of certain people, as soon as they were able to work from home during the pandemic, to move to some arbitrary other cheaper place only because they were no longer required to go into the office.
Specifically it's weird to me that those people, akin your statement about platforms, don't seem to have a sense of place within which they do their stuff, whether that stuff is talking to the friends in your neighborhood regularly or checking your email; there aren't any other reasons you prefer Android, iOS is the default?
I personally don't fucking like iOS at all, never have, but I've always let myself re-evaluate it when the opportunity comes up. I find the UI clumsy and primitive, lacking in personality, customization, versatility. It was just fine on my old iPad for a few basic tasks, and it's still just as fin and just as basic, relatively speaking, on newer devices. However I am a career-long macOS user by choice. I usually admire both macs and iPhones for their hardware design.
Likewise, even though I moved to my relatively high cost of living city for a job years ago, if my current one let me WFH exclusively, I'd move... nowhere, this is exactly where I want to be. There is always some threshold of course whereby favoring one choice over another is too costly to maintain, but even though this particular freedom topic is important to me, I'm not about to just switch platforms because I've secretly hated it otherwise.
> To me this seems analogous to the motivation of certain people, as soon as they were able to work from home during the pandemic, to move to some arbitrary other cheaper place only because they were no longer required to go into the office.
Because that is important to them. Everybody has different opinions on different things. Their priorities are different. I prioritise privacy. I had a workflow with convenience and privacy setup I can do with Android now. It had a lot of loopholes but it is something I am satisfied with. Its something I have developed it by making compromises and adjustments based on privacy, convenience and functionality. So FOR ME, it becomes valueless after this change. And the better would become iOS. So I would change.
I could also argue that yours is a boiling frog situation where you are fine with bad changes around you but you keep getting adjusted to it and making excuses.
For example, due to my privacy setup, I rarely see ads, I rarely get scam calls. There are convenience I get because of it.
All you have to think is... If whatever these companies do online... Will you be OK with it if they do it offline and in person?
Imagine I follow you everywhere and keep telling me to buy a burger from McDonalds. Stalk you around, noting everything you do. And about your family. How long will it take for you to call the cops on me or confront me? Why are you complacent when these companies do the same online? End result is literally the same. Only difference is scale and the fact that one is happening in your face while other is out of your view.
In conclusion, Everybody's threshold (like you mentioned) to different changes are different based on their views and priorities.
And most importantly, as a software professional, we definitely should hold ourselves to higher standards. I am doing what I CAN now.
Instead it would be great if you join the fight against Google (and Apple) by using FOSS and independent distributions like GrapheneOS. It is the most secure and private option we have today. Most apps work as it is except a few those who purposefully use Google Play Integrity API to block independent platforms.
Author here. I admit I am rather startled by the tone of many comments here and the accusations of disingenuity. Splitting hairs about the origin of the term "sideload" does not change the fact that those who promote the term tend to do so in order to make it feel deviant and hacker-ish. You don't "sideload" software on your Linux, Windows, or macOS computer: you install it.
You have the right to install whatever you want on your computer, regardless of whether that computer is on your desk or in your pocket. That's a hill I'll die on. I'm dismayed to see that this sentiment is not more widespread in this of all communities.
This is mostly a framing war. Calling it "sideloading" makes it sound risky or unusual, but if we called it "installing software on your own device", Apple's and Google's restrictions would seem absurd - like telling homeowners what kind of light bulbs they're allowed to use.
This community has pockets of people who like authoritarian control, and genuinely believe in Apple or Google Play as some kind of superego that they need to defend, that they believe is protecting us.
This surfaces in many types of discussions, including discussions where they may be prompted to defend the locked down nature of mobile devices.
I say it's just pockets. A vocal pocket. It's not everyone here. But it elicits comments justifying that stuff, which can feel surprising for those who don't share those views.
> This community has pockets of people who like authoritarian control,
Alternatively, we've spent our lives helping our parents out. Last year my mom just got completely owned, total taken over of all her financial accounts. The most likely vector was that her phone was out of date and not receiving security patches anymore.
Luckily her bank's anti fraud systems kicked in before too much damage was done.
Prior to smart phones, many of us remember making monthly, or even weekly, trips to family members houses to remove malware and viruses from personal computers.
You're assuming that the drawbacks of Google's peddled response are worth the alleged fix. Given that the primary malware vector for your mom's phone is the play store, this has all the hallmarks of a nonsolution: no benefit, only drawbacks.
It is the equivalent of restricting car use to paved roads only as a "solution" to car crashes.
> The most likely vector was that her phone was out of date
No one is talking about stopping security patches. Your computer works fine, gets security patches, and you aren't restricted from installing any software on it.
Perhaps, as a fellow developer and a HACKER News user, you can understand that the underlying problem is the device security. Amplifying the problem is the surveillance capitalism ecosystem. Your data is valuable, to the trillion dollar companies and to hackers. Which means they need to collect that data and try to drive a fine line of giving them access but no one else. I thought we were all aware that trying to make backdoors is a foolish endeavor.
> Prior to smart phones ... to remove malware and viruses from personal computers.
Your desktop computer is still a desktop computer. The smart phone didn't change anything there. If you're getting fewer viruses it is because either 1) the user is becoming more proficient, 2) the hackers are becoming less proficient, or 3) (the actual answer) security is getting stronger. Critical to #3 is noting that this has happened without the requirement of app stores.
I also want to stress, the enforcement of app stores is the death of phones and general purpose computers.
What makes computers (phones included) so great is that they are an ecosystem. You can't make a product for everyone, but you can make an ecosystem that can be adapted to anyone. Without programs these things aren't very useful. We're back in the old days like with the IBMs. Just remember, it took Google and Apple years before they put a flashlight app on their phones, but it only took weeks for developers. If we wait for them to build everything we're going to wait forever and won't get half the stuff we need.
>>> You have the right to install whatever you want on your computer, regardless of whether that computer is on your desk or in your pocket. That's a hill I'll die on
> This community has pockets of people who like authoritarian control, and genuinely believe in Apple or Google Play as some kind of superego that they need to defend, that they believe is protecting us.
The fact that Apple and Google have taken away digital freedom on the most important device of our time is shameful and gross.
That they've convinced everyone that this is okay, and that they've maintained regulatory capture to keep doing it, is absurd.
We need web downloads and installs on Apple and Android immediately. With no "scare walls" or deeply nested and hidden menu settings to enable it.
We need the ability to run any kind of tech, including JIT runtimes. Apple and Google shouldn't be able to tell consumers or the industry what type of computing is permissible.
Smartphones are the most important device category in the world. They're how people bank, work, navigate, shop, order, communicate, date, order food at restaurants, take photos, -- life without them is impossible.
It would be nice to see as much competition as we do with the automotive industry, but the next best thing would be to rid Apple and Google of their draconian overlording of the platforms.
Consumers do not have the expertise to articulate this or really understand what is happening to them. This requires regulators and industry professionals to push forward.
I would say the situation is worse as this "subscription-esque" model is "spreading" to areas beyond software. Exercise equipment like ellipticals and bicycles - whose software is/could be borderline +/- resistance level trivial - has been moving to "only works with an online subscription" business models for a long time.
I mean, I have had instances that controlled resistance with like a manual knob, but these new devices won't let you set levels without some $30+/month subscription. It's like the planned obsolescence of the light bulb cartels of the 1920s on steroids.
Personally, I have a hard time believing markets support this kind of stuff past the first exposé. I guess when you don't have many choices or the choices that you do have all bandwagon onto oligopoly/cartel-like activity things, pretty depressing, but stable patterns can emerge.
Heck, maybe someone who knows the history of retail could inform us that it came to software "from business segment XYZ". For example, in high finance for a long-time negotiated charging prices that are a fraction of assets under management is not uncommon. Essentially a "percent tax", or in other words the metaphorical "charging Bill Gates a million dollars for a cheeseburger".
EDIT: @terminalshort elsethread is correct in his analysis that if you remove the ability to have a platform tax, the control issues will revert.
That planned obsolescence thing on light bulbs isn't the entire story. Light bulbs will last longer if driven less hard, due to the lower temperature. But that lower temperature also means much lower efficiency because the blackbody spectrum shifts even further into the infrared. So some compromise had to be picked between having a reasonable amount of light and a reasonable life span.
But yeah agree, this subscription thing is spreading like a cancer.
I'm not an expert on the case law, but supposedly United States v. General Electric Co. et al., 82 F.Supp. 753 (D.N.J. 1949) indicates that whatever design trade-offs might have existed, corporate policy makers were really just trying to screw consumers [1] (which is why they probably had to agree on short lifespans as a cartel rather than just market "this line of bulbs for these preferences" vs. "this other line for other people" -- either as a group or separate vendors). I keep waiting for the other shoe to drop where they figure out how to make LED bulbs crappy enough to need replacement.
Leds are already awful. I already lost 4 of 10 led light bulbs I boughtast year. I hope they will be replaced. It's because every led bulb has a small transformer inside and it fails quite quickly
I think its a heat dissipation issue. I have some overhead LED lights that replaced some halogen bulbs and they have huge metal heat sinks on the back and have all lasted 10+ years. Unfortunately they are no longer sold but I did buy a few spare just in case.
It depends a lot on the bulbs. When we moved into our current house 11 years ago, we replaced everything with LEDs. Many of those original bulbs are still going strong, including all of the 20 or so integrated pot lights we put in to replace the old-school halogen ones. Others died within a year, and replacements have been similarly hit and miss.
To some extent you get what you pay for; most of the random-Chinese-brand LEDs I've picked up off of Amazon have failed pretty quickly. Most of the Philips and similarly expensive ones have lasted. Also the incandescent-looking ones that stuff all the electronics into the base of the bulb tend to fail quickly, as do anything installed in an enclosed overhead light fixture, due to heat buildup.
> as do anything installed in an enclosed overhead light fixture, due to heat buildup
This is my problem. My house has a lot of enclosed overhead light fixtures, and LEDs just do not last long in them. And renovating all of them to be more LED friendly would be quite expensive.
I got one of these free energy audit things which included swapping out up to 30 or so bulbs with LEDs. Whatever contractor did it seems to have gotten the cheapest bulbs they could, and the majority of them have failed by 4 or 5 years later. So far so good on the name brand ones I replaced them with.
"That planned obsolescence thing on light bulbs isn't the entire story."
Whilst that's certainly true the Phoebus cartel's most negative aspect was that it was a secret organisation, its second was that it was actually a cartel. These disadvantaged both light bulb consumers and any company that wasn't a member of the cartel—a new startup company that wasn't aware of or a member of the cartel would be forced out of business by the cartel's secret unfair competition.
Without the cartel manufacturers could have competed by offering a range of bulbs based on longevity versus life depending on consumers' needs. For example, offering a full brightness/1000h type for normal use and a 70% brightness/2000h one for say in applications where bulbs were awkward to replace (such product differences could even be promoted in advertising).
Nowadays, planned obsolescence is at the heart and core of much manufacturing and manufacturers are more secretive than ever about the techniques they've adopted to achieve their idea of the ideal service lives of their products—lives that optimize profits. This is now a very sophisticated business and takes into account many factors including ensuring their competition's products do not gain a reputation for having a longer service life or better repairability than their own (still a likely corrupting factor that originally drove the formation of the Phoebus cartel).
Right, the philosophy's not changed since Phoebus but the sophistication of its implementation has increased almost beyond recognition. There's not space to detail this adequately here except to say I've some excellent examples from the manufacture of whitegoods and how production has changed over recent decades to manufacturers' advantage often to the detriment of consumers.
In short, planned obsolescence and the secrecy that surrounds it has negative and very significant consequences for both consumers and the environment. When purchasing, consumers are thus unable to make informed decisions about whether to trade off the reduced initial costs of products with a short service live against those that have increased longevity and or improved repairability. Similarly, shortlived products only add to environmental pollution, witness the enormous e-waste problem that currently exists.
As manufacturers won't willingly give up panned obsolescence or secrecy that surrounds it, one solution would be to tax products with artificially shortened service lives. In the absence of manufacturing information governments could statistically determine product tax rates based on observable service lives.
Yes, but the compromise didn't have to be an industrywide conspiracy with penalties for manufacturing light bulbs that were too long-lasting and inefficient. But it was. Consumers could have freely chosen short-lived high-efficiency bulbs or long-lived low-efficiency ones.
In fact, they could have chosen the latter just by wiring two lightbulb sockets in series, or in later years putting one on a dimmer.
I agree, but why you buy it then? Everyone should be allowed to price how they want it. If they price at 1m + 100k/month would sell much less. Therefore the price they charge is “reasonable” for correct customers
The reason subscriptions are spreading everywhere is that stock markets and private investors usually value recurring revenue at a much higher multiple than non-recurring revenue. The effect can be so large that it can be better to have less recurring revenue than more non-recurring revenue, at least if you are seeking investment or credit.
It creates a powerful incentive to seek recurring revenue wherever possible. Since it affects things like stock prices and executives and sometimes even rank and file employees often have stock, it's an incentive throughout the organization. If something is incentivized you're going to get more of it.
In the past it was structurally hard to do this, but now that everything is online it becomes possible to put a chip in anything and make it a subscription. We are only going to see more and more of this unless either consumers balk en masse or something is done to structurally change the incentives.
All very true and "balk en masse" is what I meant by "first exposé". (Ancient wisdom, even, if you think about individuals and mortages/car loans and having a steady job, etc. rather than just businesses.) Maybe we'll anyway see some market segments succeed with "pay 2x more for your screwdriver, but it will at least be your screwdriver" slogans, and then have screwdrivers to do with what we will, like the proverbial "pound sand". ;-)
FWIW, thank you and the team for all the hard work. Me and my family use it to install, discover, and try out many of the genuinely useful and really cool, high-quality Apps on our de-Googled devices and truly appreciate it. I could never imagine using that ad-ridden, user-tracking, scam-infested, filth-flinging abomination they call Play "Store". The only thing that's worse is GCM - you don't even see it's there as a regular user.
> But how much malware has been distributed via F-Droid versus "Google Play Store"
There's been only a single case of malware that we know of that has slipped into distribution on F-Droid (through a supply-chain attack on a transitive dependency), and it was caught within a day. So if we were feeling glib, we might have made the claim that "there is over 224 times as much malware on the Play Store than on F-Droid".
To me, the question is not even relevant. Whatever the quality of f-droid,each use should be free to decide if they want to use it or not without Google having a life or death choice on the app that you want to use.
The freedom of installing whatever you want indeed brings more opportunity to come across malware, but as long as you lose the freedom, it's up to Google to decide which apps are "safe", which are not. Google will be the only, sole source of apps, they control everything.
It's not about immediate safety, it's about safety in the long run.
Yes, software on F-droid is free and reviewed for anti-features before publishing. Google Play has the worst, ad ridden, dark pattern filled, data guzzling, subscription packed, commercial slop with no real oversight on what gets published. Malware frequently gets on the Play Store, never heard of it being a problem on F-Droid.
I don't even understand how this is an interesting or relevant point. "Can I install what I want on my service how and when I want" is the end of the conversation.
Regardless of its origin, its usage in context clearly implies it's supposed to be understood as a non-standard, non-default process. Making preferred software design choices feel like defaults, or making preferred app or distribution ecosystems feel like default is the product of extraordinary and intentional effort to set expectations, and so I don't see it as an accident that the nomenclature would be used for the purposes you describe.
I did make a comment in this thread about the historical usage of the term sideload, although for my purposes, I was noting a historical quirk frim a unique time in the history of the internet rather than disputing any premise in your post. It was the first and only comment at the time I posted it and I was not anticipating such an unfortunate backlash that seized on terminology for the purpose of disputing your point, or for otherwise missing your point.
But it is indeed missing the point. Requiring developer registration to install is exercising a degree of control over the software ecosystem that's fundamentally out of step with something I regard as a pretty important and fundamental ideal in how software is able to be accessed and used.
Hey, I hope you have a nice day. F-droid is one of the communities which was really a key role in, what open source project should I recommend if given the power to, for people to gain maximum impact on, and f-droid was one of the tops in that charts, so much so that I really tinkered with android apps creation with rust/tauri just to create an android app for f-droid (building android apps is hard I must admit, which makes my appreciation for apps on f-droid even more lovely)
> You have the right to install whatever you want on your computer, regardless of whether that computer is on your desk or in your pocket. That's a hill I'll die on
I feel like there are some phones, I will say my honest experience, I had a xiaomi phone which required me to unlock the bootloader for me to root it/ remove the spyware that I feel it has, I never felt safe really (maybe paranoia?) but I wanted an open source operating system on it and that required me to unlock my bootloader
Which required me to create an MI Unlock / MI account which then later required me to open up a windows computer and try to do things with the windows computer
I didn't have a windows computer, I am a linux guy and I didn't want to touch windows and I tried any option available on linux (there was a java thing and some other exploit too but both failed)
Later, I tried to actually install win-boat and tried to install the mi tool in it after so many nights of work and I tried and it actually opened but it asked me for the otp to sign up but I don't know if I overwhelmed their system or not but their OTP just straight up didn't show on the phone's sim I had registered on.
That OTP not coming after 5-6 tries, I am not sure if they had detected it was win-boat or what, but idk, that effectively locks me out of ways to unlock the device and remove some spyware functionality I think it has.
I feel like this case made me feel as if although I had a device, it feels like a license when you think about it. This is true for many other consumer devices as well and thus, people accepting the fact that their devices have become similar to licenses, not hardware which they own, but rather software which they rent
> I'm dismayed to see that this sentiment is not more widespread in this of all communities.
I feel like your message is in the right heart, and its honestly okay, sad even, that some part of the community didn't respond to your message in agreement.
But Honestly, please don't lose hope because of this, You and people/foundations like f-droid,linux etc. inspire a sense of confidence for a good future while actively working on it. I was thinking of trying to host some f-droid mirror but I didn't personally because I was a little skeptical of getting any notices or anything after the f-droid team had created a blog post about something similar.
Also one thing, I would try to tell you is that you are trying your best. And that's all that matters. What doesn't matter is the past or the future or how the community responds but rather doing what you think is right with correct intentions which I think you do a perfect job in.
Doing the right thing can be difficult but maybe in a world where doing the right thing isn't rewarded as much in even mere appreciation or sharing the sentiment whereas doing the wrong thing is financially rewarded. its a complicated world we live in, but hopefully, we all can try to make it a little more beautiful for us and our future generations by trying to do things the right way no matter how hard they are, just because its the right thing.
I may speak these things but I myself regularly contradict these. So I don't feel the best guy speaking this stuff but I just want to say that f-droid really means a lot to me, a recent example is how I ditched that xiaomi phone, used my mum's old moto phone, tried to install termux from playstore but it couldn't download for some reason from play store because it was android 8 yet theoretically it should work, but I then opened up f-droid and installed it from there and I am running a termux/gitea server on it now :)
Please, have a nice day, F-droid/you deserve it, I just hope that you recognize that there are people's lives that you have touched (like my termux thing and there are countless other stories as well) and how impactful the project is.
Lets use this comment as a way to show our appreciation to f-droid in whatever ways it has touched our lives and how effectively google's recent moves are really gonna impact f-droid/ hurt us as well. How I wouldn't have been able to run git server on my phone if it wasn't for f-droid and so much more.
>You have the right to install whatever you want on your computer, regardless of whether that computer is on your desk or in your pocket. That's a hill I'll die on. I'm dismayed to see that this sentiment is not more widespread in this of all communities.
agreed, but i'm not going to die on any hill. i don't see much point in this discussion, these corps will do whatever they like. for me it is simple: iphone never was an option precisely because of this reason, and i've been quite content with android, but i don't think my current smartphone will run android for much longer, and the next one will definitely not.
it is, but i'm willing to compromise. grapheneos can be an option for a while, ultimately a linux phone. worst case i can settle with 2 phones for a while, one cheap/old stock android exclusively for the bank and such, another one for everything else.
it's also a long run, the way things are shaping up i don't expect alternatives to become mainstream but nevertheless getting improved support over time.
if we indeed end up in a situation where there is no viable alternative then screw that, i might as well go completely off grid.
There is a lot of money to be made in locking down Android and iOS. We should be surprised if companies like Google and Apple are not spreading lies and trying to decieve the public.
No morals can be expected from publically traded companies. Finding a "PR firm" willing to do the lowly dirty job of going on HackerNews, MacRumors or wherever people are and blatantly lie and make stuff up shouldn't be too hard either, I can imagine.
Have to constantly remind others (and myself!) at work that "we aren't focusing on that right now, that's not what this conversation is about". Technical minded people seem to have a real problem of missing the forest for the trees.
> In general HN skews towards an incredibly privileged and spoiled crowd
> This poem sums up most of HN's politics on control structures.
Please let's not have these sweeping generalisations about the HN community or this grandiose "first they came" rhetoric. The HN community is a bell curve like any other large group of people. All the evidence I see from looking at the discussions for hours each day is that it skews left-libertarian - i.e., supports individual freedoms and opposes government and corporate authoritarianism. This is what you would expect from a cohort of people dominated by technology employees and freelancers, of whom most are deeply supportive of the principles of open-source software and the freedom to do what you please with your devices. It also includes huge numbers of people from different places around the world who are not at all "privileged" and "spoiled". Of course there will always be exceptions in a large group of people – or really, the other end of the bell curve. But this broad-strokes characterisation of the HN community as a whole makes no sense at all.
The guidelines ask us to do better than this, in all these different ways:
Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes.
Comments should get more thoughtful and substantive, not less, as a topic gets more divisive.
Please don't fulminate. Please don't sneer, including at the rest of the community.
Eschew flamebait. Avoid generic tangents. Omit internet tropes.
put a fork in it, it's done,almost!
android that is.
linux phones are comming up fast, and will be set up to run the droid apps we like.
but big props to fdroid
just used "etchdroid" to transfer a linux iso to a thumb drive and boot a new desk top, and if I get a few bucks ahead I will buy a dev board from these guys
https://liberux.net/
flinuxoid?, flinux?
As far as I'm concerned, it did. Linux is far and away the best OS for my needs so I'll keep using it.
Did it "win" more of some metric of perfusion / capital versus the other big two? Perhaps some, mostly not. Who cares. The market is dumb.
What matters here is whether the capability exists at all. When it comes to phones, I'm still leery about linux. Support isn't quite wide enough and for a device that I need 110% reliability out of we ain't there yet.
I do know one thing - the effects of closed ecosystems that caused 99.99999% of servers to use linux, will eventually come for interface hardware. Companies have periodic bouts of psychosis that make their walled gardens inherently unreliable. It's just a whole lot slower in a realm that doesn't iterate at web-speed. Will that mean everybody uses linux phones in the future? Of course not. But I do hope it will mean I get to put my own phone together with an OS I own, someday. That would be an unequivocal good.
How much does it cost to build a barebones phone that (A) runs tuxracer and (B) makes phone calls? Librem: almost as much as an iPhone. PinePhone: You have to travel to the moon to find one for sale. FLX1: Not for sale yet (so PinePhone 2.0)
Maybe when I can buy a $100 barebones board that I can hook some AA batteries up to and make calls, and develop a little flappy bird clone, people will take notice of the market. As long as every Linux phone is some dude with too much money in his pocket thinking he'll make the next Android, it's not going anywhere. Even with tech nerds.
Google really knew what they were doing by hiring Marc Levoy. The Google camera is the only thing keeping me from getting something other than a pixel phone.
I agree with your point about "install" vs "sideload".
> Google’s message that “Sideloading is Not Going Away” is clear, concise, and false
Given your(and my) definition, this statement is false. Google isn't taking away sideloading, you can still use adb. I'd say using adb to load an apk from another device is the proper use of "sideloading".
What Google is doing is much worse, they are taking away your ability to _install_ software.
And yes, HN loves splitting hairs. But if it wasn't for the hairsplitting, there probably would be be much discussion. Just most people agreeing with you and a few folks who would prefer to give up freedom for security.
I agree it's a pointless distraction, but it's a distraction you instigated by trying to language police your own supporters. I and most others who use the term sideloading don't use it because we want to make sideloading "feel deviant and hacker-ish", we use it because it's the commonly accepted term for installing apps outside the app store. I'm open to alternative phrasing, but "direct install" doesn't work because installing apps from F-Droid isn't a "direct install" and "installing" doesn't work because that doesn't distinguish from installing from the Play Store. "Sideloading" is simply the correct word, and I've yet to see a better alternative. There's no reason to be ashamed of it, or accuse people of being part of some conspiracy for calling it that.
If anything, the fact that Google feels the need to disingenuously argue "sideloading isn't going away" suggests to me that the term sideloading has a good reputation in the public consciousness, not a negative one.
Let's just focus on the fact that Google is trying to take away Android users' ability to install software that Google doesn't approve of, and not stress so much about what words people use to describe that.
> and "installing" doesn't work because that doesn't distinguish from installing from the Play Store
I'm not choosing sides, but why do you need a term to distinguish from installing from the Play Store? On my Debian machine I install git from apt (officially supported) but also install Anki from a tarball I downloaded from a website. Same term `install`.
This comment is funny because you have defined these words to be as such
You have defined installing to be specifically from play store and sideloading as everything except it.
Google isn't trying to prevent installing, just sideloading works in this sentence because of what you have already defined but you are using this sentence in defense of that....
As OP stated, installing can mean on debian as an example, installing from both apt or either tarballs. Both are valid installations
So it is the same for google/android as well yet google is trying to actively prevent one part of the installing or make it really extremely hard to do so.
It is a dangerous precedent. And I would say that it severely limits what you mean by installing.
I got an PC, and I got internet connection, usually it isn't trying to prevent what I install if I am on linux.
Yet I am on android and earlier it used to do the same but now its a slippery slope where it either requires me to use adb or keep another device at me at all times if I ever want to install software on it.
Not because its not that these phones can't do it, In fact that they already do but they are removing it, simply because they can.
No, that is not the definition I was using. "Sideloading" is a subset of installing, not disjoint from it. If Google were to prevent installing, it would prevent sideloading, but it would also prevent installing from the Play Store, which clearly they don't want.
It's a very dangerous precedent, but one that's difficult to discuss without having a name for the kind of installing that Google is trying to prevent.
This is why this specific definition is problematic: both "sideloading" and "install from Play store" are subsets of "installing".
If one limited the ability to "install from Play store", while keeping the ability to "sideload", would you say it's fair to say "installing is restricted"?
I feel like although sideloading could be correct term maybe but at the same time as the author stated, people might refer something shady to something which is a genuinely normal part, maybe even more safer when you download from f-droid compared to play-store
I feel like you are having this discussion in good faith which is really nice but I just feel like saying that google is oppressing other open source appstores or just using the word installing and later clarifying can make the people feel about how dangerous it really is.
Let me be really clear. If Google can prevent sideloading and the only feasable way for 99% users is their play store which uses their policy terms which can be ever changing, chances are, that they can also prevent people from downloading your app, and can remove your app etc. as well so they can very definitely prevent installing in general as well
The only escape hatch is maybe adb but please, for the 99% of use cases, I doubt how many people would operate a computer open up the terminal and try to use adb or other scenarios, but in all ways, I think that speaking of it as an installing itself isn't so bad after all.
If Google can genuinely go ahead and do this, it would definitely prevent installation of certain app in and in of itself because play store is also controlled by google and they can also remove/prevent apps installs from there too.
I would still recommend to you / the community to say it as an installation as earlier I was also used to saying sideloading but it was only while writing this comment when I realized of how google can actually prevent installation from play store as well since they own it, its an effective lock/restriction in installation itself for all purposes.
Ultimately the only escape hatch is to build hardware that isn't dependent on Google, then stop being dependent on Android, which is what Huawei has done. https://news.ycombinator.com/item?id=45721022 goes into more detail.
I hereby name the thing that Google wants to allow "supplicating an app(lication)". Installing puts software on a device. Supplicating asks Google for an app, and maybe it gets installed.
I don't know, why do we need a term to distinguish brown from dark orange? The term emerged organically because the built-in app store is the most common way to install apps on mobile phones (and the only way on iOS), but on Android you can also install apps from other sources without needing Google's permission so people came up with a catchy name for that.
It's convenient because now we can say "Google is killing sideloading" as a very succinct way to describe what's happening when we're arguing against it. "Blocking users from installing apps not approved by Google" works equally well but is a bit more wordy. I personally prefer the latter because I think it's a little more precise, but trying to imply people have to phrase things that way or they're part of some conspiracy does nothing but alienate your supporters and distract from the real issue.
Hey, question. While I'm also miffed about Google's decision and see your point about the term sideloading, there is another elephant in the room you seem to not be addressing here.
You write:
> “Sideloading is Not Going Away” is clear, concise, and false_
But isn't Google saying that you will still be able to sideload via ADB? Which would mean their statement is true, and that your claim that Google's statement is files is itself false?
I'm so confused why you never even mention ADB or its relevance to sideloading, which they refer to rather explicitly in their blog post. At the very least, if you think ADB doesn't change anything, you could mention it and say so. Could you explain this seemingly critical omission?
Forcing ADB may as well be a ban, if you don't see that, you're pretty out of touch with consumers. Sideloading is already hard enough for many, forcing the use of an extra computer, a dev tool in the CLI, and dev mode is way way outside what people will do
Also if the majority of sideloaders go away because it's become more difficult, what will happen to the development scene? Will it stall out from lack of developer interest because there's such a small audience compared to before? (Despite it still being possible.)
There's no spite or emotion, it's a company. They want to kill NewPipe etc. to force everything through apps they control and can monetize. It's just about money.
You could make a glossy PC client around it. On the meta quest there's an app called SideQuest that does just that because meta doesn't permit apps to install other apps. It's still a fairly big thing there.
I'm happy about the adb loophole, but I'm worried this would be just the start of the slippery slope, and Google would find a way to lock down adb next, citing the risk of malware sideloaded by fancy tools wrapping adb, once they start popping up.
The number of people that don't even own a general purpose computer is huge. And for those that do, ADB is a ridiculous thing to get setup for a particular device. I get paid to work on android software, and I don't even want to put up with the hassle.
Yes. And a bigger question is, why should I have to? This is a perfectly functional computer, it is more than capable of downloading a file and running it.
It's really sad that Apple and Google (and to some extent MS though they're just behind in this race to the anti-consumer bottom) happened upon this "solution to malware" (note: not a real solution) of "OS vendor vets and controls all software." It's a lazy way, it's an ineffective way, and it has made computers - incredibly flexible, programmable devices - more like cable boxes or telephones from past decades, that you had to rent from a monopolist and had no control over.
As I understand it, the delivery mechanism won't matter: Play Store,ADB, F-Droid, Bluetooth, or website. If the APK isn't signed by a Google-approved developer, it's not going to install.
If there's some ADB command that one can issue to install unsigned APKs for now, it's a temporary reprieve at best. Two Android versions later, the update from Google will read "Only 0.02% of users installed apps using adb, but the corresponding malware incidence rate was 873% more than the Play Store. Due to the outsized risk, we're disabling adb installations going forward"
Not so. The new mandate isn't that all APKs must be uploaded anywhere, only that all APKs must be signed by approved developer keys. So to test new builds, devs will only have to sign with their approved key, then upload. No extra hassle once you already have an approved key.
I'm not sure it works that way. _In general_ before the recent announcement you are supposed to sign the debug build (what you feed into adb to install) with your debug key that's different from the release nor upload key, and the debug key is never submitted to google.
Of course _maybe_ at some point google will also force you to submit your debug key to them. But I don't believe that's the case now.
Sure, you would test-install apps via any delivery method of your choice, including USB-C cable or WiFi, after Google attests that your test-app signature is whitelised[0]. After all, there is no legitimate reason[1] to not sign your app, since you want it to closely match the distributed version as much as possible, and there won't exist unsigned distributable apps.
0. Developer has valid signatures and in Google's good graces, and application hasn't been installed on more than 16 devices
1. Oh, you CI/CD signing infra won't let you? You better fix your workflows to match the Google way.
adb is a developer tool. You need a tethered and trusted computer to be able to transfer an app using adb, and you need to enable "developer mode" on the device, which is an arcane dance that involves navigation through an obscure tree of settings and then quickly tapping a mystery spot 5+ times. Google can't block adb, because that is how Android apps are developed and tested, just how Apple cannot block their developer tools from being able to transfer apps onto an iPhone.
This is so far from a realistic and acceptable substitute that I question the honesty of anyone who claims that "adb will still work, so no problem!"
I hope that explains my seemingly critical omission.
> just how Apple cannot block their developer tools from being able to transfer apps onto an iPhone.
If I recall correctly (I might be wrong, because this was 10+ years ago), but Apple did exactly this when the iPhone was first released. When the iPhone first came out, Apple released its XCode devtools for free, including an iOS emulator that you could use to test your iPhone app. But you had to pay a $99 USD per year "developer program" free in order to use the devtools to test the app on your physical device.
If Google is also blocking preventing you from loading your own software onto your own phone with adb unless you pay a free, then this would be a very important thing to call out explicitly.
You recall correctly, but that did end in 2015, when Apple ended the requirement that developers sign up for their paid developer program to be able to develop and test iPhone apps. I've written about that elsewhere: https://appfair.org/blog/gpl-and-the-app-stores#fn:3
The adb workaround for Android is essentially on par with being able to use Xcode's tooling to install apps on an iPhone: technically possible without paying a fee, but enough friction that no one would seriously consider as an alternative solution for publishing their apps to a general audience.
Note: Apple restricts apps uploaded with Xcode, (depending on how it is signed I believe) to 7 days or 1 year. adb currently doesn't have this limit.
But what if they find that somebody made 'sideloading' 'too easy' again. E.g. somebody could come up with the idea of running adb or an adb emulator on another phone, or even a small hardware dongle, integrating it with a pretty UI that looks like a regular app shop. Then their currently proposed new rule would become ineffective and due to whatever thought process they arrived at their current conclusion, could place similar limits on adb.
The reason for its omission should be obvious. First, most people who "sideload" apps do not have ADB installed, and may not have the technical knowledge to do so. Second, the ability to do so can be taken away just as arbitrarily as the right to do so without it.
Perhaps the author is speaking purely from a "consumer" point of view, rather than developer/pro types who of course can bypass restrictions using common dev tools.
I believe f-droid strives to be a simple platform of from-source builds for non-Googled apps that anyone can use.
You will continue to be able to build and run an app even if your identity is not verified. Android Studio is unaffected because deployments performed with adb, which Android Studio uses behind the scenes to push builds to devices, is unaffected. You can continue to develop, debug, and test your app locally by deploying to both emulators and physical devices, just as you do now.
If you see a loophole in the clear argument they're making there, I'd love to know. I don't see any obvious ones.
I'm just not sure people have been referring to that method when saying 'sideloading' and Google didn't mention sideloading specifically there.
This is what they say in the quote this article is about:
"Does this mean sideloading is going away on Android?
Absolutely not. Sideloading is fundamental to Android and it is not going away. Our new developer identity requirements are designed to protect users and developers from bad actors, not to limit choice. We want to make sure that if you download an app, it’s truly from the developer it claims to be published from, regardless of where you get the app. Verified developers will have the same freedom to distribute their apps directly to users through sideloading or through any app store they prefer."
In this paragraph they don't mention ABD at all similar to how in your paragraph they don't mention sideloading.
I see, wow. That's such a frustrating lack of clarity on Google's part and (consequently?) those responding to the blog post...
As far as I now, historically, "sideloading" has always meant "installing from some mechanism other than the Play Store", and everyone has been referring to adb-based installations as "sideloading" as long as I can remember (example [1]). If Google or others don't call using adb sideloading, then I have no idea what they would call it, and I'm thoroughly confused.
Not only will sideloading via ADB continue to work, installing from most other third-party app stores will continue to work. The developers on the Amazon, Samsung, and Epic app stores won't have a hard time with the developer verification process. F-Droid is in a uniquely inconvenient position that they have a legitimate app store, but its design causes them to have a hard time with developer verification.
> won't have a hard time with the developer verification process
Unless any government powerful enough has reason to make Google reject developers. Hell, doesn't even have to be a government. Do anything that annoys Google, goodbye rights for your app to be installed on any Android. Why would you ignore the obvious and main caveat? It doesn't matter what store it "continues to work on". Google can revoke privileges overnight with little to no recourse for the developer, regardless of the merit of such action, the usefulness of the app, or how much people want/need that app. This is literally heading in the direction of Kafkaesque.
F-Droid is also the only one that does reproducible builds which is a big security feature. One that is precisely the cause of making this hard. But it also makes it safer than even the play store. It should really be accommodated.
>But isn't Google saying that you will still be able to sideload via ADB?
No, it will not. Nothing will install an application without a Google approved signature on it. They will remove ad blocks from your Android and you will like it. "The beatings will continue until morale improves" sort of behavior.
I'm hopeful that the mystery OEM that GrapheneOS is targeting is in fact Sony Xperia. If it isn't, I'm just going to stop carrying a smartphone when all my installed apps stop working on it.
> No, it will not. Nothing will install an application without a Google approved signature on it.
How do you interpret this then:
>> You will continue to be able to build and run an app even if your identity is not verified. Android Studio is unaffected because deployments performed with adb, which Android Studio uses behind the scenes to push builds to devices, is unaffected. You can continue to develop, debug, and test your app locally by deploying to both emulators and physical devices, just as you do now.
Isn't that the opposite of what you wrote? What am I missing?
I interpret that as you will be able to install an unverified app. And you will get the annoying unverified app screen every time you launch it. And it will very likely be crippled in other ways, as it is unverified.
>Lando: But that wasn't our deal!
>Vader: I have modified our deal. Pray I do not modify it further.
I think it's better to shut down the project. I used to contribute to privacy projects, but then after being slandered for damaging youtube's "creators" by blocking the trackers, I realize that people enjoy getting f*cked by google and enjoy shilling google collecting personal data. So I stopped, it's better for my mental health and I have more free time for myself.
That's just the price of developing open source software. People will complain. Don't worry about the people who don't want to use your software. They can make their own. You should only consider stopping your own project when there is a better alternative.
> Splitting hairs about the origin of the term "sideload" does not change the fact that those who promote the term tend to do so in order to make it feel deviant and hacker-ish.
That is not a fact, that is your opinion. Lots of people say "sideload" without trying to convey such negative meanings. For better or for worse, the term has entered the common lexicon and I very rarely see it used with negative connotations attached to it.
> Lots of people say "sideload" without trying to convey such negative meanings
Sure, but they effectively do even if they're not trying to. It comes off like you're up to no good or doing something dangerous. Like GP said: deviant.
>Sure, but they effectively do even if they're not trying to.
What specific acts are referring to? Is it just their recent plans to restrict sideloading? This feels circular. "Google is evil because they're trying to restrict sideloading. They're also extra evil because trying to demonize sideloading. How? By restricting sideloading!"
>It comes off like you're up to no good or doing something dangerous. Like GP said: deviant.
Yes, but only insofar as if you're not taking the primary route, you're taking the "side" route. Or you're "deviating" from the intended route. None of that actually implies you're a "deviant" for doing so, any more than a driver taking side streets to shave 30s is a "deviant".
I think the recent push to restrict "sideloading" made people realize that the term itself helps Google frame it to normies as a fringe, non-standard thing that needs controls around it. When in reality you're just installing software on a device.
>I think the recent push to restrict "sideloading" made people realize that the term itself helps Google frame it to normies as a fringe, non-standard thing that needs controls around it.
No, it made all the pro-sideloading people (for lack of a better term) find any reason to hate google even more, including flimsy arguments about how "sidleoad" is some sort of sinister psyop. I still haven't seen any evidence to suggest "sideload" has any negative connotations to the average "normie", beyond its meaning of "install from third party source"[1]. All I've seen are endless speculation that it's a google psyop in techie/hacker[2] circles, like this post.
There's been a concerted effort by smartphone manufacturers to demonize side loading explicitly for some time now. This is actually about code signing rather than sideloading, so it's kind of funny that we have this sub thread that's explicitly about the term sideloading, but regardless, that term has been demonized by Apple.
Is there no line, in your opinion? At this point, there are computers (many of which run variants of Linux in many cases) in my:
1. Laptop
2. Phone
3. Car
4. Washing machine
5. Handheld GPS
6. E-reader
7. TV
Is there some intrinsic different between a device where the manufacturer has programmed it using an ARM/x86-based chip vs a microcontroller vs some other method that means in the 1st case I have the right to install whatever I want? Because that feels like what's happened with cell phones: manufacturers started building them with more capable and powerful components to drive the features they wanted to include, and because those components overlapped what we'd seen in desktop computers, we've decided that we have an intrinsic right to treat them like we historically treated those computers.
For everything on that list, I'd say that if you figure out how to run software of your choice on them the manufacturer shouldn't be able to legally stop you. (And specifically, the anti-circumvention clauses of the DMCA are terrible).
Phones get a lot of attention in this regard because they've replaced a large amount of PC usage, so locking them down has the effect of substantially reducing computing freedom.
> I'd say that if you figure out how to run software of your choice on them the manufacturer shouldn't be able to legally stop you.
That's already the case. The manufacturer can't come after you for anything you do to your device. They can:
1. Set up their terms of service so that things you do to alter the device are grounds for blocking your access to cloud/connected services that they host on their infrastructure
2. Attempt to make it difficult to run software of your choice.
3. Use legal means to combat specific methods of redistributing tools to other people that compromise things they do in number 2.
There is already a widespread notion of "general computing" device.
For all intents and purposes, a laptop computer and a smart phone are one. This is, for example, evidenced by the fact we run general purpose "applications" on them (not defined ahead of time), including a most general app of them all (a web browser).
For other device types you bring up, I would go with a very similar distinction: when you can run an open ended app platform like a browser, why not be able to install non-browser based applications as well? Why require going through a vendor to do that?
"why not" isn't a compelling case for something to be a fundamental right.
I'm not saying I dislike the concept of being able to run my own code on my devices. I love it. I do it on several devices, some of which involve circumventing manufacturer restrictions or controls.
I just don't think that because manufacturers started using the same chips in phones as computers, they magically had new requirements applied to them. Phones had app stores before they were built using the same chips. My watch lets me install apps from an app store.
You've asked for an intrinsic difference between a class of devices: no, you are unlikely to want to run general purpose apps on your washing machine. Yes, you are likely to do so on your smart phone. Probable on your modern "smart TV". Low probability on your eReader.
Legislation like EU Cybersecurity Act hopefully pushes things into more of a fundamental rights thing by demanding that devices don't go into the trash pile as soon as the vendor stops issuing security updates by mandating an ability to keep operating these devices without negatively affecting Internet at large (by, for example, becoming a part of a botnet).
This is already possible with many general compute devices by putting a version of up-to-date GNU/Linux or FreeBSD or... on it. And for a smaller subset of GC smartphones, with AOSP-based Android.
I'm not asking for an intrinsic difference: I'm suggesting that if "I can install custom applications/code on this device I own" is a fundamental right, there would need to be an intrinsic difference. My personal opinion is that there is not an intrinsic difference. That "I want to do it to these devices and not those" can't be the justification for it being a right that I'm able to.
The only one that sounds potentially harmful is the car and in that case I think it should have to meet emissions standards and prove you aren't running a defeat device but like... Yeah. I should be allowed to run my own infotainment system that doesn't crash and doesn't spy on me
I'm not asking what you'd like to do. I'd like to be able to customize all of those things too.
I'm asking why taking a device that uses a microcontroller and making a new model with an ARM chipset and a Linux-based OS seems to suddenly make people treat the ability to install custom software on it as a fundamental right.
Good catch. They are similarly noteworthy to phones: there are all kinds of projects and tools built around making custom and modded games for the Gameboy, or hacking the NES, but there wasn't a movement saying Nintendo was violating our fundamental rights by not allowing users to overwrite or modify the code inside the actual console.
Then consoles started shipping with recognizable internals, and we had waves of people very frustrated at things like Sony's removal of OtherOS, or Nintendo's attempts to squash the exploits that enabled Wii Homebrew.
Yes, you absolutely should have the right to install (or uninstall) whatever software you want on any of those, assuming it contains writable program memory. The alternative is a nightmarish dystopian future where your washing machine company is selling its estimate of your political inclinations, sexual activities, and risk aversion to your car insurance company, your ex-husband, your trade union representative, and your homeowners' association.
I thought I had this line, but I imagined if my credit card had writable program memory, I'd be fine with a third party preventing me from using it for its intended purpose if it wasn't trusted there. There must be some purpose for my own good for preventing me from writing to my own program memory, and I should be able to void this purpose if I deem it worth it.
Likewise, I'd be fine with banking apps on phones requiring some level of trust, but it shouldn't affect how the rest of my phone works so drastically.
Why would your credit card need to act against your interests? The only thing it should be doing is signing transactions to signal that you approve. The credit card company has their own computers that can be consulted to ask them if they approve a transaction. They don't need one in your pocket. They can rent a rack in a data center. It's not that expensive.
Similarly, the banking app on your phone should be representing your interests, 100%. It may need to keep secrets, such as a private transaction signing key, from your bank or from your boyfriend, but not from you. And it definitely should not be collecting information on your phone against your will or without your knowledge. But that is currently common practice.
My washing machine could be programmed to do all of those things you're worried about without any writeable memory. Why does the parts the manufacturer puts into it turn it from an appliance that washes my clothes to a computer that I have a right to install custom code on?
The principle is that the owner should have full control of their own device, because that's what defines private property. In particular, everything that the maker can make the device do must be something that the owner can make the device do. If the device is simply incapable of doing a certain thing, that might be bad for the owner, but it's not an abrogation of their right to their own property, and it doesn't create an ongoing opportunity for exploitation by the maker.
Maybe in theory your washing machine could be programmed to do those things without writable program memory. Like, if you fabricated custom large ROM chips with the malicious code? And custom Harvard-architecture microcontrollers with separate off-chip program and data buses? But then the functionality would be in theory detectable at purchase time (unlike, for example, Samsung's new advertising functionality: https://news.ycombinator.com/item?id=45737338) and you could avoid it by buying an older model that didn't have the malicious code. This would greatly reduce the maker's incentives to incorporate such features, even if it were possible. In practice, I don't think you could implement those features at all without writable program memory, even with the custom silicon designs I've posited here.
If you insist that manufacturers must not prevent owners from changing the code on their devices, you're insisting that they must not use any ROM, for any purpose, including things like the PLA that the 6502 used to decode instructions. It's far more viable, and probably sufficient, to insist that owners must be able to change any code on their devices that manufacturers could change.
>Splitting hairs about the origin of the term "sideload" does not change the fact that those who promote the term tend to do so in order to make it feel deviant and hacker-ish.
Can you corroborate this? At least for me, the whole idea that "sideloading" has negative connotations only came up as a result of this debacle, and the only evidence I've seen are some very careful readings of blog posts from Google. The word itself hardly has any negative connotations aside from something like "not primary", which might be argued as negative, but is nonetheless correct.
>You don't "sideload" software on your Linux, Windows, or macOS computer: you install it.
Right, because those devices don't have first party stores. Windows and Mac technically do, as does some Linux distros, but they're sufficiently unpopular that people don't think of them as the primary source to get apps. Contrast this to a typical Android or iOS phone.
I don't think this is so much a question of sources & corroboration as it is of language.
Regardless of the origins of the term "sideload", the language implies a non-standard practice. The prefix "side-" may be used in some software contexts to describe normal, non-deviant software, but only in cases where the software in question is considered auxiliary. In general, anything described as "side-*" is connoted to be surplus / additional / non-primary at best - adding that to the term "load" & the loading action itself is surplus/additional/non-primary. It's automatically considered non-standard.
> those devices don't have first party stores
This only supports the argument. If somebody felt an alternative term was required on Android because the first-party store was the primary source of software, the only reason they could have for needing such an alternative term would be to explicitly differentiate that alternative source as unofficial/non-standard.
>Regardless of the origins of the term "sideload", the language implies a non-standard practice.
Because it is non-standard. Like it or not, the intended experience is that you get apps from the play/app store, and for most people that's exactly what they do. This is a descriptive statement, not a normative one. Accepting it doesn't imply you oppose the freedom to run whatever code you want. The language of "sideload" or whatever is directly downstream of this. Just because google is using language that reflects the current state of affairs, doesn't mean they're engaging in some sort of sinister psyop with their word choice, as the OP is trying to imply.
> This is a descriptive statement, not a normative one.
It's both. It's not like "sideloading" is a part of natural language that just happened to evolve this way to describe the practice. The terminology was consciously chosen by the same people who designed the OS to describe it. The people who argue against using this term aren't doing it in some accusatory way, like "you use this term, therefore you're an evil brainwashed minion of the enemy", but rather by using language to not set up their argument on the enemy's terms, no matter how insignificant.
It's like how "jaywalking/jay walking" was popularized - the term itself was pretty crass for the time, the word "jay" conjuring thoughts of some kind of drooling, unintelligent yokel. Back when car infrastructure was still in its infancy, how would you argue that cars shouldn't dominate all streets and cities when the government- and industry-approved name for your action was literally "stupid walking"?
>It's like how "jaywalking/jay walking" was popularized - the term itself was pretty crass for the time, the word "jay" conjuring thoughts of some kind of drooling, unintelligent yokel. Back when car infrastructure was still in its infancy, how would you argue that cars shouldn't dominate all streets and cities when the government- and industry-approved name for your action was literally "stupid walking"?
That makes sense because as you said, "the word "jay" conjuring thoughts of some kind of drooling, unintelligent yokel". The same can't be said for "side", aside from vague accusations that it's not "official" therefore normies think it's bad, but I can't see how you can get away from that accusation without using meaningless phrases like "type 2 install" or whatever (though I'm certain that would get similar amounts of ire for being "second class citizens" or whatever).
Well, yeah, it's not nearly as extreme, companies have become much better at PR. Still, the insinuations of something being unofficial, unrecognized, unsecured, really half-unintended still paint a picture of how Google wants its software to be seen. Like, I have no doubts that if Microsoft decided to start locking down Windows PCs to the Microsoft Store (the "intended experience" that they probably already imagine for their model customers), the temporary bypass will be accompanied with a prompt like "DANGEROUS: Are you sure you want to enable Unsecured Mode? (Y/N)"
> the intended experience is that you get apps from the play/app store
Once again, this is the point.
> it doesn't imply you oppose the freedom to run whatever code you want
But it does.
Let's first look at what's good about "intended experience" & possible legitimate reasons to have a differentiation between "vendor-approved" 3rd-party apps & non-"vendor-approved" 3rd-party apps.
The connotation of an "intended experience" is that the experience is supported by the OS vendor. If you have issues with your experience, these are issues that can be reported & the OS vendor will endeavor to fix. Leaving aside the fact that Google has no user support to speak of, even if they did, this isn't something they would every offer for 3rd-party Play Store apps regardless. So 3rd-party Play Store apps are not doing anything for users to provide them with an "intended experience" that isn't equally available sideloading.
The only other legitimate reason to have a differentiation would be to ensure the user doesn't install malware. Play Protect currently does this with sideloaded apps, so once again there is no difference in the "intended experience" from the user's perspective.
If there are no legitimate reasons to differentiate the experiences, the only reasonable conclusion remaining is that they're differentiates to dissuade user freedom.
>Let's first look at what's good about "intended experience" & possible legitimate reasons to have a differentiation between "vendor-approved" 3rd-party apps & non-"vendor-approved" 3rd-party apps.
It's pretty obvious that they think the distinction is worth having because they can vet apps they signed, rather than random apks from the internet. You might think that's a flimsy justification, but that's not a reason to reject such a distinction exists at all.
>The only other legitimate reason to have a differentiation would be to ensure the user doesn't install malware. Play Protect currently does this with sideloaded apps, so once again there is no difference in the "intended experience" from the user's perspective.
That's purely reactive (you can't scan for stuff that you don't know about), and doesn't ensure identity validation. Again, you can argue how good those reasons are, but there's at least a plausible justification for it.
>The connotation of an "intended experience" is that the experience is supported by the OS vendor. If you have issues with your experience, these are issues that can be reported & the OS vendor will endeavor to fix.
When was the last time anyone got "support" for Android/iOS from Google/Apple? At best you have random forums that google/apple staff check once in a blue moon, if you're lucky.
Debian has had a "first party store" since the early 90s, and the truth is the diametrical opposite of "they're sufficiently unpopular that people don't think of them as the primary source to get apps". It's been almost the only way I install software (that I didn't write) on my Debian and Ubuntu machines since I moved to Debian. This is true of most Debian and Ubuntu users.
>Debian has had a "first party store" since the early 90s, and the truth is the diametrical opposite of "they're sufficiently unpopular that people don't think of them as the primary source to get apps".
Aren't those all considered first party apps? Sure, debian aren't the authors of nginx or whatever, but they're the people building, packaging it, and adding patches for it. It's a stretch to compare them to the play store or app store.
So is Debian the first party? Or the clone hosted by a university near you? You probably had a mirror there, not Debian's own host. Because they used to be the slowest.
It only goes through "apt the program", but apt is just serving as a method of installing a package, which is hosted on one of the configured apt sources.
Calling all software installed through apt "first party" is a wild stretch, since you can apply the same logic to git, wget, or a web browser. For instance, it would probably be correct to say that most Windows software is downloaded and installed through Chrome, but nobody in their right mind would claim Google owns the largest first party store for Windows.
No, it's not a stretch at all. The user experience is the same, except that Debian and F-Droid apps don't come with antifeatures built in. The only friction is around who to report bugs to.
For one, it doesn't contain non-free software, and therefore can't be the primary source of software. Maybe you're a Stallman acolyte who only runs free software, but that's not feasible for the average user.
The average user might have one or two non-free programs they depend on that aren't websites. Maybe AutoCAD, or Photoshop, or SketchUp, or Excel, or the driver for their oscilloscope, or Dark Souls. Everything else can easily be free software or webapps. So an "app store" that doesn't contain non-free software can be the primary source of software, and for almost all Debian or Ubuntu users, it always has been.
The average Ubuntu user doesn't even have those one or two non-free programs. After all, Autodesk doesn't provide a version of AutoCAD for Linux in the first place.
> The word itself hardly has any negative connotations aside from something like "not primary", which might be argued as negative, but is nonetheless correct.
Android has an APK installer built in. Opening an APK file launches the installer and installs the application, just like opening an MSI file on Windows launches built-in Microsoft Installer and installs the application.
Google have gradually added impediments to this over this years, such as a requirement to toggle a checkbox in the settings to enable installation, and later some prompts about letting Google scan the package, but calling the system's built-in application installation mechanism "not primary" is absurd.
>but calling the system's built-in application installation mechanism "not primary" is absurd.
So you're arguing that because play store installs and random .apk installs both goes through packageinstaller, the concept of a "primary" install method doesn't exist?
If we're using "primary" to mean "first-party" (as in your original comment), then the system's built-in package installer is the most first-party of all, so it's definitely not "not primary".
If we're using "primary" to mean something like "most popular", then I don't see how the term "sideloading" would make any sense to describe "not primary". Are we side-commenting here, and side-submitting HTTP requests, because we're not posting to Facebook, the primary website?
Yeah, and they are the primary way to install software for nearly every distro that has them.
And even when people install software on their user's home only, we don't call it anything different.
It's correct to say that "sideloading" was created to emphasize it's a deviant activity. I believe it was created by the people doing it, when they discovered hacks that enabled them. But I wouldn't be too surprised it was created by the companies trying to prohibit software installation.
>Yeah, and they are the primary way to install software for nearly every distro that has them.
>And even when people install software on their user's home only, we don't call it anything different.
But even on Android the word used is "install". When you try to install an apk, the button says "install", not "sideload". "Sideload" is only used in the context of google's blog post, where it's there to differentiate between installs from first party sources vs others. This is an important distinction to capture, because their new restrictions only apply to the latter, so something like "installing isn't going way" wouldn't make sense. "sideload" captures this distinction, and is far more concise than something "installing from third party sources". Moreover this sort of word policing reeks of ingroup purity tests from the culture wars, eg. "autistic vs person with autism" or whatever.
It doesn't, but that doesn't mean people can't call out disingenuous statements made by the OP. Posts can be directionally correct even if they contain errors, but the errors are still worth calling out.
The contradiction exists because you wrote it. If you wanted to avoid having to write a false statement and then walk it back, you could've left it out and skipped straight to explaining why those platforms' first party stores don't count in your estimation. As I recommended.
That's also a large part of the issue IMO. I currently _have_ root on my rooted and Lineaged Poco F3. But as hardware attestation is becoming the norm I am deeply worried about the future. I have been a pretty eager Android fan due to its achievable-if-savvy openness. If I lose root and sideloading, then Android is dead to me. There would be nothing valuable in it, just another corporate walled garden.
My HSA just implemented some bullshit where even the web interface requires a near-new phone to even log in. For now I'm just switching HSA providers rather than buying a new phone. I'm also worried about the future.
As an iOS user who's been frustrated with Apple's approach to "self-loading" (i.e., running your own code on your own devices) and who's actually gone out and gotten Android devices to write PoC/PoV apps on instead, I really don't like Google's stance on this--even if I would not, at this time, choose to daily drive an Android device, I do rely on F-Droid for getting software on six or seven different devices _right now_ and they would be useless to me if I couldn't do it.
This year, I discovered SideStore on iOS, and its wonderful auto-refresh feature. Since then, I have written two iOS apps and am happily using them daily with zero issues. This plus the new Google announcement mean no going back to Android for me any time soon.
Sorry, but "welcome to HN?" Commenters here regularly miss the forest for the trees, ratholing on minutiae and nitpicking one or two words in a 1000 word article. Often totally missing the overall point. We're notorious for it.
You know, this would be a fantastic time for Google to get their sandbox in order. If we need to do it like this, go ahead and create a secondary user, call it sandbox and let me install all my wild and unapproved apps there. SecureNet can automatically fail in Sandbox.
But I don't think they're going to do that, ultimately users who actually care about this are an absolute tiny percentage of the market.
And weirdos like us can always just import a Chinese phone that doesn't have mandatory Google verification crap.
> And weirdos like us can always just import a Chinese phone that doesn't have mandatory Google verification crap.
No, we can't. One of the first countries with that mandatory Google verification is Brazil, and we can't import phones which are not certified by ANATEL, they will be rejected by customs in transit.
I knew Brazil was kinda weird with tech import taxes but I didn't know they banned non-certified phones, jezz. Here in Chile they get disconnected from the cell towers after 30 days, but you just need register it^.
Do you know if the Brazilian gov or regulators asked for this first from Google or something?
^: It's less spooky than it sounds, any phone in Chile needs to be compatible with the natural disaster alert system.
With elections coming next year, and this being practically a "law" created in partnership with the banks cartel, this may be the time to make some noise about the change.
The point parent is making, if Google makes it so difficult sharing the software with other people, who is going to make those itch-the-scratch software going through so much trouble?
We would miss out a lot of creative people making software.
There is still a few points of course like being able to modify the base system. Just being able to say, kill the built in facebook is a quality of life improvement.
But it just feels like the benefits of a self owned phone os are going away even when you have it, because everything else changes around it and out from under it, so you don't get the functional benefit from it any more even when you have it.
You give up the use of things like tap to pay (would have been nice a couple times when I forgot my wallet) and drm content, hell, I can't use the stupid LG app that controls an air conditioner, and (increasingly) don't get something else important in return.
Today, there is still some benefit, because this latest change is only just now happening. I can use say, open source password manager and totp apps instead of google authenticator, and can use a pandora client that Pandora absolutely does not approve of, because the author doesn't need anyone's approval to produce the app and there is no choke point that Pandora can petition to block it. Hell why am I even talking about Pandora instead of Youtube and Newpipe? In what universe does Google EVER ratify the developer of Newpipe? (Wait, for that matter, what developer? what if there's an ever-changing fuzzy cloud of 20?) Or full-fat ublock origin...or countless other things whos sole purpose and value is to thwart some will of Googles? Or like the game emulator apps that Nintendo shuts down so aggressively, etc. Those ICE tracking or merely documenting apps. Countless...
Will those various authors still bother putting in the time and effort it takes to make these apps so good when only about 18 people will be able to use them?
I imported a Sony phone to the US because they don't sell it here, and no one else sells a current flagship with a headphone jack and removable sd card and high end cameras.
I successfully found and imported the phone, and got it working on a US carrier. Yay me. It's even rootable! Yay me. Yet I still can't run Lineage on it, because there is probably not a dozen other people like me to be an audience for Lineage on this hardware, and it's too much work to do for no audience.
The fact that today most phones are unrootable means that even if you somehow get around that, you still don't get the benefit because you're such a small audience that no one is producing say LineageOS for example for you.
My individual success bucking the system still did not result in me getting what I want.
I haven't tested it myself, but as far as I know you can run ADB in the phone itself via Termux. Perhaps it's possible to make a wrapper that install apps from F-Droid with ADB? It would mean that you would only need to be tethered to the your PC once.
Obviously they'll eventually remove this because Google is hostile to things like ReVanced / some spook wants this power.
* Search for "Smartphone-1 to Smartphone-2" "adb tcpip 5555" in "Motorola moto g play 2024 smartphone, Termux, termux-usb, usbredirect, QEMU running under Termux, and Alpine Linux: Disks with Globally Unique Identifier (GUID) Partition Table (GPT) partitioning": https://old.reddit.com/r/MotoG/comments/1j2g5gz/motorola_mot... (old.reddit.com/r/MotoG/comments/1j2g5gz/motorola_moto_g_play_2024_smartphone_termux/)
* Search for "termux-adb" in "Motorola moto g play 2024 Smartphone, Android 14 Operating System, Termux, And cryptsetup: Linux Unified Key Setup (LUKS) Encryption/Decryption And The ext4 Filesystem Without Using root Access, Without Using proot-distro, And Without Using QEMU": https://old.reddit.com/r/MotoG/comments/1jkl0f8/motorola_mot... (old.reddit.com/r/MotoG/comments/1jkl0f8/motorola_moto_g_play_2024_smartphone_android_14/)
AFAICT it only works on non-rooted devices when used over USB to access another device, because without root it has no access to the adb server on the phone running termux.
I'm definitely not 100% sure about that though, so someone please correct me if not.
Just tested⁰, it works with WiFi ADB but it has some limitations.
- The pairing process is kinda awkward, you need to split screen Termux and the Wireless debugging submenu, if you change windows the pairing IP and code are changed.
- The pair survives a reboot and WiFi change. You can disable the 7day revocation, so the pairing process is a one time thing.
- After a pair you still need to connect (adb connect localhost:port) and the port changes after a WiFi change or disconnect. I searched for solutions and apparently it's simple as running nmap twice¹
- It obviously doesn't work without a WiFi connection (unless is there some dark magic to connect your phone to its own hotspot).
So a wrapper seems viable if you are ok only installing apps on trusted networks.
[0]: I'm on GrapheneOS but I believe the dev menu is the same.
More googling, Shizuku² does this already in a polished way and exposes an API for other apps. Some related-ish apps are SAI³ (for installing split apks) and Canta⁴ (removing system apps).
EDIT: Even more googling, the whole setup already exists in
Obtainium (i.e. F-Droid but with Github Releases) apparently so apps show up as being installed via Play Store and subsequently be usable in Android Auto⁵.
So hypothetically you can install stuff day one on a stock phone after this atrocity is turned on.
wifi adb is a clever workaround, lol. I haven't seen that before, but it does kinda make sense. I've used SAI before (though it has been having lots more problems in the past year or three), but haven't seen Shizuku.
In the past, they forced Steam to implement proper refund policies, and they are currently suing Microsoft about the way subscribers were duped into paying more for "AI features" they didn't want.
It makes me a little sad that there’s no mention of Raymond Carver in this thread.
https://en.wikipedia.org/wiki/What_We_Talk_About_When_We_Tal...
The current state of dominant mobile OS’s is about as bleak as the bleakest Carver story.
Since I’m on a tangent I’ll also highly recommend the movie Shortcuts.
On MacOS it warns you when you're about to open an app you've downloaded and installed yourself. "Foo has been downloaded from the internet, are you sure you want to open it?". It doesn't stop you from installing it. Why should doing so on your phone be any different?
On the other hand, it used to be very common for malware on Windows to email itself to all your contacts using your real email client. It's probably reasonable for an OS to add a little friction to the process in the modern era, though it probably shouldn't lie and claim the binary is damaged when that's not the problem.
chmod to dequarantine doesn't sound like "a little friction" to me.
On your point about security, this kind of aggressivity from the platform owner tend to backfire.
The user was already convinced to open that mail, download that file, and try to run it. Pushing the process to the terminal just means your clueless users now run the provided incantations in the shell instead, and the attack vector now becomes huge (the initial program doesn't even need to be malware)
I agree having to go to the command line is too much friction. Just clicking `overdue-invoice.doc.pif` is too little. About right is somewhere between a prompt and setting the file executable in the GUI.
> If i send a golang binary to someone with a mac via signal or other mediums, apple simply displays a dialog that the app is damaged and can't be run.
Has this changed? I thought it failed to launch, but if you go to Privacy & Security in Settings it would give you the option to allow it to run?
Though yes, macOS doesn't prompt you to do that, you have to know where to find it.
I believe they are saying that this update will remove the ability to decide if you want to install it and will require developers to register and pay for their applications to be installable at all. It's been several years since I developed for Mac, but they operated a similar way, secretly marking a file as quarantined and saying "XYZ Is Damaged and Can’t Be Opened. You Should Move It To The Trash" if you didn't pay to play. Maybe this has since changed, or maybe I'm just a dummy. Regardless, whether a platform has any business funneling a user into their walled garden is another philosophical argument altogether.
In my experience the quarantine flag gets added if the file is downloaded via browser, chat program, email, or some other way that isn’t curl/wget/other CLI tool. At least for the past 6-8 months this has been my experience. Not that it excuses anything, but for what I have had to deal with it’s been somewhat helpful.
Usually the hurdle is just a pop-up informing you that it's been downloaded from the Internet. Sometimes the malware checks go wrong though and try to prevent you from opening it at all.
macOS warns you literally about every downloaded app not from MAS (signed!), unless you build it yourself or remove quarantine manually.
I think it is mostly about expectations, macOS trained people that it is relatively safe to install signed apps. If your app is unsigned, Gatekeeper will refuse to run it.
it also sometimes says `"Foo" Not Opened` `"Apple could not verify “Foo” is free of malware that may harm your Mac or compromise your privacy."` This is frankly pretty insulting to the intelligence of the user and /does/ stop them. I think the paradigm is flowing towards "less" rather than "more"
> Why should doing so on your phone be any different?
Because it's obscenely profitable for the platform holder to have complete control over app distribution.
Can we stop pretending it's about anything else than that? Just imagine if Microsoft got a 30% commission on every PC software purchase in the world...
Why are OEMs like Samsung just letting this happen? A lot of power users who buy flagships will leave for iPhones if Android ceases to be an open platform. (This segment is what is preventing the “green bubbles = poor” narrative from taking over.)
> This segment is what is preventing the “green bubbles = poor” narrative from taking over.
In the US maybe. In Europe, not so much. With Apple having a market share of "only" about one third and WhatsApp being the de facto default messaging app, this discussion never happened here.
Therefore your argument doesn't apply to Europe at all. Android is more than the "hacky" part. Albeit I'd really love to keep that.
There are countries like China, Russia, Iran, and Venezuela where installing an APK is the primary or only way to get most software, including essential bank and government apps.
Outside of the Western market, installing Android apps not from Google Play is a completely normal and regular thing. In countries like India, Brazil, Indonesia, Nigeria, and the Philippines (which represent a massive portion of global Android users) it is a standard part of using a phone.
I have coded some apps that are customized for my mother's usage and accessibility. I plan on coding some more. I need to install them on just 2 phones - my own for testing and my mother's.
As of now, I can create APKs of my apps and install them on my mother's phone by unchecking the "prevent apps from other sources" option.
Even after going through so many articles, I still don't know unambiguously whether I can continue this workflow in future, or I'll need Google's approval to install on just our own 2 family phones.
There's a failure in communications here from both sides.
Ambiguity suits Google perfectly fine.
But it's counterproductive to its opponents because every dev who's confused will remain a fence-sitter rather than an ally, even if only motivated by personal inconvenience rather than any principled stand.
I doubt I'm the only Android dev who's confused. I hope at least f-droid communicates more clearly the consequences of this policy to all types of developers and deployment scenarios.
>Regardless, the term “sideload” was coined to insinuate that there is something dark and sinister about the process, as if the user were making an end-run around safeguards that are designed to keep you protected and secure.
I also recall a time in the nascent era of web file hosts, like Rapidshare.de and Mega upload, and some others that came and went so quick that I don't even remember their names, some services offered the option to "sideload" (as opposed to download) straight to their file server.
The entire App Store system is broken. It should have always been sideloadable apps by default. And app stores for verified app makers. Instead we have Google withholding play store. And now withholding sideloading.
You cannot beat them at their own game without some other Goliath like the EU getting involved. The complain and watch strategy doesn't make a difference.
As a person that tried the Pine64 ecosystem and not being able to will drivers/C++ apps into existence (like I can with web/cross platform), I did not contribute much other than buying the device/doing some videos on YT. (I bought: PP, PPP, PineBook, PineNote, PineTab)
It depended on few people working on it eg. through Discord communities
Anyway point is I saw Expensify I think they have these GitHub PRs which have $ values on them, would be interesting to take that approach, just pay for it literally eg. a GoFundMe for a feature.
I feel that the root problem is that there aren't enough highly skilled low level developers willing to spend their time writing free software for mobile phones. Why do we have Linux and things around it? Because a lot of very skilled developers decided to work on it and offer it to the world.
They wanted to call it freeloading, but showed a bit of self-restraint.
Whenever you side load anything, you are robbing someone's app store of income. You are not visiting their portal to be exposed to ads, you are not seeing ads in the middle of an application, you are not paying for anything.
Or at least, not paying to them. The only streaming service I pay for in my household is Japanese TV, which uses a side-loaded application. I'm freeloading on the Android TV platform because I only paid for the hardware, and for a streaming service not related any Google revenue funnels whatsoever.
That's what it's about.
It's either a derogatory term for "software loading" or an euphemism for "freeloading", or both.
I bought the hardware, for the price they chose to sell it at. Why should I be obligated to use any of their services, if I can avoid it?
I'm not sure if your comment is satire. So I'll respond as is.
"Not providing potential further income" is not "robbing"... what is being stolen from them? Something they never had in the first place? When I lose a bet I willingly entered, am I being "robbed" of the gains?
Furthermore, who is losing if I go to F-Droid to install an open source app people wrote with no expectation of income? If Google had a better app, I would have installed it from there. Too bad everything is riddled with ads detracting from the core purpose.
> I bought the hardware, for the price they chose to sell it at. Why should I be obligated to use any of their services, if I can avoid it?
Their answer would be something like, that the hardware vendor has nothing to do with them and is also a freeloader, taking advantage of their software ecosystem to sell hardware.
You mean Microsoft? No backwards-compatibility with Windows Mobile to begin with (so companies can't reuse their existing investment into line-of-business apps on actually nice modern devices either), then they reset the ecosystem 2 times (once during the WP7->WP8 transition, another time during the Windows 10 transition).
I was a telco product manager at the time and I can tell you right away that it wasn't developers that killed Windows Phone. This book (https://asokan.org/operation-elop/) tells part of the story, but the telcos I worked for (and competed with) definitely played a big role.
I did own a Treo and loved it up to the OG iPhone - I repaired the eff out of it in the hope that something worthy would come along. I kidded myself I would write apps for it. I'd previously played with Simbian tech (and met a very bitter Simbian team dev in London one "eXtreme Tuesday Club" meetup in 2003). I had a Psion Organizer way back and Palm pilot. I thought Palm's WebOS stood a chance. I still own a Ubuntu Phone that I don't use - single script QML apps would have been the killer, but all that's passed now.
Currently it seems that Google is pushing for hardware attestation, so you might be able to install Graphene/Lineage if your phone manufacturer allows you to unlock your bootloader, but many Play Store apps won't work as they'll detect your root. It's actually gotten pretty insane how every low-value app considers themselves the centre of the world and unable to run on a rooted device.
Example: the loyalty card app for a local store chain - there's no money in it, I can just get some discounts when I use it. So an attacker would have to steal my phone, somehow unlock it, and then they can use my loyalty card (btw which is free to obtain for anyone and there are no tiers) to get some discounts. And for that, they have implemented a pretty decent root checker which i had to put in some effort to overcome. And there are many more like it.
There might be insurance and bank contracts higher up the chain that classify it as a financial dealing and thus require stricter conformance. I'm speculating tbh I have no idea for sure.
Note that the Android permission system is designed so that you are not in control by design, some permissions are "not for you" and only for "system apps" which you can't control. This gives Google and device manufacturers advantage over third party software developers in the name of security...
I think we should focus on defending the slowly-vanishing ability to unlock the bootloader and fight for the core parts of Android to stay open source.. without these two, installing an APK will mean less and less until it might eventually become synonymous with installing a PWA.
A great example of this is the 'networking' permission. Being able to control which app can speak to the WAN/LAN is a very important security consideration. Instead, every Android app can send any data it wants without the user being able to have a say in the matter. A lot of apps work just fine without being able to 'phone home'.
Thankfully there's the likes of GrapheneOS, however, with Google's recent changes, unless their OEM partner pulls through, their days are likely numbered.
Interestingly, on Xiaomi HyperOS they have added the ability to individually control each app's access to mobile data 1/2/WiFi. I didn't know this wasn't a general Android feature.
I guess if it was, people would be turning off the network permission of all the "apps that perform a trivial function, but with ads", like I always do.
Is this seeking Google’s approval for the app? Or is the condition app be signed by a verified user? The latter means side loading is still viable for apps from known developers. This way anyone who is known who may create malware and will not be free from prosecution
> You'll need to prove you own your apps by providing your app package name and app signing keys
Needless to say, Google will throw out NewPipe, ad-blockers and anything else that might endanger their profits. For example, Google does not allow F-Droid to be published in Google Play (distributing competing app stores is against their ToS). This policy was in action as long as Google Play/Android Market existed.
It is the latter. The app has to be signed, and the signer has to register "real" identity with Google. Approval of the app itself is not a part of the process.
Yes, sideloading will still be viable from known developers.
Probably malware developers will still be free from prosecution -- what moron is going to distribute malware with their own identity attached to it? But it means when the malware gets caught (which it does) you can't just roll a new APK with a different signature. You've burned a developer identity and need a new one. Those are harder to come by, and so it rate-limits malware distribution.
Fwiw I've been getting random email offers over the years to buy my old dev account for like $100-300. Dev accounts are going to become a prized commodity on the black market with this move.
> The latter means side loading is still viable for apps from known developers. This way anyone who is known who may create malware and will not be free from prosecution
Important corrections:
This way anyone who is known to create malware or any software which interferes with Google's current or potential future revenue, strategic interests, and unpredictable whims will not be free from prosecution in the case of distributing malware, nor from digital exile and unpersoning in the case of causing inconvenience to Google.
As a power user, and software creator, I absolutely hate this decision. Side loading and power features are a main reason I use android.
That being said, as a grandchild, I also completely understand where google is coming from. A surprisingly high percentage of users do need protecting from themselves. They are so technology illiterate that someone random tells them to install something, "it will say it's not safe, but it's actually okay, just click approve" and they will.
This is why HSTS exists, to prevent uneducated users from getting pwned, by preventing them from disabling safeguards.
So, having some system of "no really, I am a power user" makes sense, even if I hate it.
Is the title an intentional mirror of Carver's short story collection "What we talk about when we talk about love"? If so, can someone smarter than me explain what the author means by this connection?
> As a reminder, this applies not just to devices that exclusively use the Google Play Store: this is for every Android Certified device everywhere in the world, which encompasses over 95% of all Android devices outside of China.
So what happens in China? Should we buy Chinese Android phones?
I want to make a report to to US Department of Justice Antitrust Report Online and US Federal Trade Commission: Antitrust Complaint as suggested but I will appreciate some guidance on the wording. Could anyone share a sample?
“Sideloading “ is the original app installing by sync or copying.
You used a wire, or Bluetooth that transferred the app file.
Then it ran.
This is how it was.
iPhone 1 was vehemently against third party apps of any kind.
The use of iTunes to have a “store” helped transfer and install apps digitally, and I believe using a wire too.
You either own your device or you don’t.
At a software level mobile has been a challenge to keep secure and locking it all down might not secure it either as there might be side doors still instead of side loading.
It has been 15-17 years since we got this batch of mobile operating systems, maybe we’re due for a new one since there’s a critical mass of users already on smartphones, unlike when Android/iOS began.
The only reason Google has decided to lock-down Android is because of apps like ICEblock and the ability for anonymous individuals to mass distribute information that governments do not like. Now, they'll be able to hunt you down by requesting Google hand over every ID document that they process. This sets a chilling precedent for free speech. It enables governments to go after those who dare 'speak out' by using platforms to their advantage. You can no longer 'hide in the shadows' and will need to put your entire identity on the line for your morals and convictions.
Of course, if they could do this with Windows, Linux et al they absolutely would. And general purpose computing will, eventually, be closed and locked down, much like what we are seeing with the internet and ID laws. People would have, and did, think such ideas would be unthinkable 10-15 years ago. Yet little-by-little the screws are being ever tightened. The government wishes to tightly control the information flow and decide what is 'best for you' to see. Preferably their chosen propaganda.
Work-arounds that exist today will likely be closed and forbidden in the future. VPNs to bypass age laws, ADB to bypass install-blocks will all be obsolete. You will be required to identify yourself at all times. I half-expect Google to deprecate and remove the concept of VPN's/ADB on Android entirely and laws will be passed to that affect (restricting the apps themselves, or access to the APIs to verified Android devices/Google accounts). If you don't believe me, you only need to see [1] for the direction of travel.
There is little interest from the regulators to stop this. Perhaps the useless CMA will 'investigate' in 5 years time, decide Google perhaps abused its monopoly and then do absolutely nothing because they have no real re-course over an American company. It's likely governments support this position and will not do anything to influence a change of direction.
Eventually, Linux itself will go the same way, people are just waiting for Torvalds to retire from the project to make their moves, but make no mistake, open general-purpose computing is under threat and there is going to be little we can do to reverse the current trends towards closely monitored and controlled computing.
This will most likely be expanded in the future to limit access to certain 'dangerous' APIs like ADB/VPN's etc. This can also be used 'in app' and across the entire OS to shape your experience of what you can see and do. I wouldn't be surprised if 'unlocking bootloader' required an 18+ verified device.
> The only reason Google has decided to lock-down Android is because of apps like ICEblock and the ability for anonymous individuals to mass distribute information that governments do not like.
That's why the solution CAN'T be more regulation ...
Again, I don’t really see Google as a ‘moral’ or ‘pro-user’ company since they just pushed out Manifest V3. But unlike ad blockers, they’re not losing millions from sideloaded apps, so the only reason for their sudden policy shift is probably government pressure. With all the ongoing antitrust lawsuits, they’re just trying to stay on the good side of whatever the current or next administration wants.
> The only reason Google has decided to lock-down Android is because of apps like ICEblock and the ability for anonymous individuals to mass distribute information that governments do not like.
Nah. The only reason Google has decided to lock-down Android is because they think they can get away with it. They would have done it from the first minute except that not doing it gave them a competitive advantage in the market over Apple - back when pretending to be into FOSS and to "not be evil" was a major part of their marketing. They're ready to make the move. If it fails, they'll try to make the move again a few years from now. They don't give a shit about ICE or whatever.
seems well coordinated with the recent escalation of aggression around google accounts without a cell phone number attached “to help make sure you don’t lose access to your account.” complete horseshit, but they can get away with it.
> Regardless, the term “sideload” was coined to insinuate that there is something dark and sinister about the process, as if the user were making an end-run around safeguards that are designed to keep you protected and secure.
This is a conspiracy theory; as there is no evidence that it was deliberately invented to be malicious (it started as a trademark from a company called i-drive). The term almost certainly became popular after the name of the Android Debug Bridge command, `adb sideload`. The adb command naming makes sense considering the phone is plugged into a computer, for installing content externally when the phone could not otherwise "load" the content.
Yes, I think quibbling over the origin of the term and attempts to coin an alternative are a useless distraction. The term emerged organically for good reasons, and doesn't have any negative connotations as far as I'm concerned. Trying to talk about "direct loading" instead is confusing and doesn't even make sense because alternative app stores like F-Droid don't count as "direct loading" under their own definition.
I think defining sideloading as "the transfer of apps from web sources that are not vendor-approved" is a good definition, because "not vendor-approved" is precisely the part I care about. The owner being able to install stuff without Google or anyone else's approval is a good and important capability for every computing device to have.
In any case, I fully agree with the substantive portions of this article. What Google is doing here is a terrible attack on consumer freedom.
While I wont argue about it feeling like a conspiracy theory, I will argue that pretty much no one knows sideloading as a term with regards to what i-drive meant by it.
And the fact that `adb sideload` is where the concept originated does nothing to dispel the way the term is frequently used in a derogatory fashion these days. It's wielded as a bogey man to make people afraid of unsigned applications. Despite the fact that many perfectly signed applications are full of malware and dark patterns.
Also, FFS, this is hacker news. Why on Earth would be arguing in favor of Google locking down how I can install software on my device.
I bought an iphone knowing that Apple has a review process and that I'm limited to apps sold in their store. Similarly, when I had an Android device I knew what I was getting in to.
I appreciate the fairly high level of review that apps get and I completely back Apple's right to control what runs on the OS they developed. Similarly, if _you_ want to run an OS you got from XDA on your Android device and install random stuff, I'll be the last person to stop you.
Hacker news readers are part of the small circle of people who have probably developed a decent intuition for whether software we download is clean or not. Most folks I know do not have this intuition, and many will not bat an eyelash when their new app asks for access to their contacts, etc. Sideload should absolutely continue to be a term that discourages the average person from doing it.
hah, thanks. It's a bit more nuanced than that. Let me try again.
I completely support Apple's right to publish software that makes it difficult for unapproved software to run on it.
Similarly, I support your right to try running something else on it.
Just like my neighbor has the right to publish a browser that makes it difficult to run extensions in it, and I have the right to use a different browser.
Some people would like the phone OS to be regulated like a public utility. I do not support that, and if we _had_ to have it that way, it would be important to have the same standards for everyone and regulate _all_ phone OSes equally. I don't like the thought of what that would do to the chances of any "open" offering.
We should just call it loading. Loading from an app store we can call simply, mortgaging our cognitive liberty and liquidating the middle class for comfort or MOCLALTMCFC.
I realize F-droid has an understandably strong opinion here, but this writing is disingenuous.
From the post:
> Regardless, the term “sideload” was coined to insinuate that there is something dark and sinister about the process, as if the user were making an end-run around safeguards that are designed to keep you protected and secure. But if we reluctantly accept that “sideloading” is a term that has wriggled its way into common parlance, then we should at least use a consistent definition for it. Wikipedia’s summary definition is:
> the transfer of apps from web sources that are not vendor-approved
The opening two sentences of the linked-to Wikipedia page on sideloading:
> Sideloading is the process of transferring files between two local devices, in particular between a personal computer and a mobile device such as a mobile phone, smartphone, PDA, tablet, portable media player or e-reader.
> Sideloading typically refers to media file transfer to a mobile device via USB, Bluetooth, WiFi or by writing to a memory card for insertion into the mobile device, but also applies to the transfer of apps from web sources that are not vendor-approved.
The phrase after the "but" in the second sentence isn't the "summary definition". It's the part of the definition that best supports your argument. Cutting the Wikipedia definition down to that part is deceptive.
Also in the post:
> Regardless, the term “sideload” was coined to insinuate that there is something dark and sinister about the process, as if the user were making an end-run around safeguards that are designed to keep you protected and secure.
Immediately later in the same Wikipedia page is a paragraph that is literally about how the word was coined:
> The term "sideload" was coined in the late 1990s by online storage service i-drive as an alternative means of transferring and storing computer files virtually instead of physically. In 2000, i-drive applied for a trademark on the term. Rather than initiating a traditional file "download" from a website or FTP site to their computer, a user could perform a "sideload" and have the file transferred directly into their personal storage area on the service.
That's funny. The history of how the word was coined and the post's claim about how it was coined aren't similar at all. Weird.
> The phrase after the "but" in the second sentence isn't the "summary definition". It's the part of the definition that best supports your argument. Cutting the Wikipedia definition down to that part is deceptive.
Wat?
Everything after the "but" is what Google means when they use the term sideload and is the only important part of the definition for f-droid's purposes. The other definition is completely irrelevant and, I would argue, hardly ever used anymore.
You argue here that google is technically correct because they’re correctly using sideload.
But that isn’t the point people are angry about. The point is that sideload was a misnomer. Correctly Android users were able to install packages and now cannot. This is anti consumer and breaks the social contract.
Anyway this is so disingenuous that I think it’s astroturf. Here’s the meme we should’ve spreading: Chrome and Android should be broken off from Google. Apple should be forced to allow sideloading, at a minimum, same as any other computer. Phones and tablets should be valid targets for custom OS.
I’m honestly very tired of this argument, everything about it is bad.
Features aren’t rights, if you want a phone that let’s you run whatever you want, buy one or make it yourself.
What you’re trying is to use the force of the state to make mandatory a feature that not only 99% users won’t use, it vastly increases the attack surface for most of them, specially the most vulnerable.
If anyone were trying to create a word that gives a “deviant” feel, they wouldn’t use “sideload”, and most people haven’t even heard the term. There’s a world of difference between words like “pirate”, “crack”, “hack” and “sideload”.
If anything I’d say it’s too nice of a term, since it easily hides for normies the fact that what you’re doing is loading untrusted code, and it’s your responsibility to audit it’s origin or contents (something even lot’s of devs don’t do).
If you want to reverse engineer your devices, all the power to you, but you don’t get to decide how others people’s devices work.
It's a proper argument on its surface, complete with claim, warrant, and impact.
"Features aren't rights"
> see: Consumer Rights.
"Force of the state making sideloading mandatory is bad"
> ...Except we have antitrust laws? The Play Store becomes the only source of apps, all transactions are routed through Google Billing? Not a problem for you?
"99% users won't use"
> Except for when Google demands that transactions happen exclusively through Google Billing, which resulted in the release of the Epic Games Launcher for the world's highest grossing games by download.
"Sideloading is too nice"
> Listen, either it's the case that "sideloading" is a threat to normies or it's not. Are normies your 1% or 99% of users? I thought according to you 99% of users won't sideload.
"You don't get to decide"
> That language ties in pretty well with your fear of the use of the 'force of the state'; that tells me that you support freedom. Great-- you're right, why not let corporations be corporations and do anti-consumer things, they'll be very good to us (while they lobby the state).
Consumer rights aren’t features, and they’re very intentionally written to not be.
> "Force of the state making sideloading mandatory is bad" > ...Except we have antitrust laws?
Then sue them over those.
> Listen, either it's the case that "sideloading" is a threat to normies or it's not. Are normies your 1% or 99% of users? I thought according to you 99% of users won't sideload.
I meant that 99% of users aren’t afraid by the term “sideloading”. That you’re not using something doesn’t mean you’re afraid of it, it just means you don’t want it.
> you're right, why not let corporations be corporations and do anti-consumer things, they'll be very good to us (while they lobby the state).
Because corporations tend to die when they do anti-consumer things, but governments keep doing anti-citizen things without much trouble.
"Consumer rights aren’t features" > Any attempt to weasel out of a marketed feature set is generally and colloquially known as "false advertising"; consumers have a right to the features of a product they purchase under the original conditions of the purchase agreement.
"Then sue them" > My point was that the force of the state is a necessary evil to ensure fair competition. Yours implied that the force of the state is overreach, but if you warrant that, then you wouldn't enjoy protections against corporations afforded to us by antitrust law.
"That you're not using something..." > For you to claim that sideloading presents additional threat surface to the normie consumer, you need to also claim that normie users are sideloading. This means that if 99 percent of users are not sideloading, there is no threat surface.
"Because corporations tend to die when they do anti-consumer things, but governments keep doing anti-citizen things without much trouble." > Absolutely not. The paradigm has changed from the time when you could vote with your dollar. You and I are economically and legally irrelevant (where is Congress, anyway?), and corporations like the Big G are too big to fail. They are -already- colluding with government to do both anti-consumer and anti-citizen things.
Nominatively, this is why both the government AND google do not want you to side-load software outside of their control.
> You don’t get to decide how others people’s devices work.
Perfectly reasonable. It's important that people can decide how their devices work for themselves. No one else should decide for them.
But I'm genuinely curious how you see this principle working in practice when there's effectively a duopoly. What's the path for someone who wants to still have any choices for their device? I'm not seeing an obvious answer, but maybe I'm missing something.
It's not possible to build your own phone in most markets anymore. Without iOS or Google Play Integrity you won't be able to install or run essential apps required for banking, taxes, healthcare, public transport, etc. This makes it impossible to compete because anyone who buys your phone are required to also buy a secondary Google approved Android or iPhone to lug around in order to function in society.
Actually sideloading is not a made-up term. It's an existing term, that was (20yrs ago) used regarding to cracks and trainers software. Sideloaders loaded (mainly in DOS but Atari had it too) the main executable along with additional program, a routine or interrupt that would allow disabling of copy protection, cheat on the amount of lives, energy in games (trainers) or simply do something more like play demo music before the game's proper launching. One example - prehistorik game that was distributed by pirates with a "pretrain.com" which allowed to select unlimited lives and sideloaded this routine along with the main program, that would periodically check the counters and keep them up.
-- edit --
Apparently after checking this term in the internet, I am not so sure that this process had been called this way. Maybe I'll leave it here to provoke a correct answer according to the internet rule #1 - to learn what is the correct answer, just post an incorrect answer in the internet and wait
I know that this is a controversial take here, but this sideloading crackdown is just fallout from the inevitable disaster that is mixing general purpose computing with high security and reliability requirements.
There's just no way at this time in which a single computing device can run software with high reliability expectations (emergency calls), high security expectations (controlled calling/texting, banking, money transactions) at the same time as random crap from the internet and keep the user safe and secure.
The HN community is far to fixated on their own use cases to properly understand this issue and its implications which can potentially upset a person's entire existence.
I always buy this argument....to the extent that the more powerful, dangerous capabilities are still allowed but locked behind some (one time) process that indicates you have a base level of knowledge and understanding. If you want to make it default safe for normies, fine, but let me turn my own device into the dangerous thing it is capable of being.
The version of the your view that we are actually getting is _incredibly_ paternalistic and condescending to the general populace. The kind of society that is capable of protecting everyone from every conceivable harm comes with the kinds of tradeoffs that no one, not even the people who actually need the protection, are going to want.
Sadly, your view isn't less paternalistic in reality. It effectively amounts to telling people who have better things to do than care about their personal IT security to just suck it up. Billions of smartphone users worldwide are in this position.
Look, I'm not saying that this outcome is ideal and I hate the idea of a single, almighty platform gatekeeper. But with the world being what it is right now, draconian device lockdowns of some kind are the best option that is immediately available.
`abd install` will still work as per[0] so to me sideloading is still possible, so the statement 'Google’s message that “Sideloading is Not Going Away” is clear, concise, and false' is not correct.
I think users should be able to install whatever software they want, without any charge or other external permissions, but at the same time device and OS makers should be able to make it difficult to do so, within reason. Apparently scam apps are more common in some countries than others and is actually a problem in some countries, although I'm not sure.[1] Google did cite that as the reason for the change.[2] However, combined with the way Google has been locking down Android APIs more and more, (eg. the file system, but other APIs as well) it is concerning. At the same time those changes were also about security. I think every phone should be able to have full root permissions if you go through enough hoops without having to install another ROM. That seems to solve most of the issues here.
So are we going to download APKs from fDroid to our computers and then adb install them to our phones? For every update? I see a lot of people, even developers, giving up.
You can run adb from the phone itself via wireless debugging. From what I understand, you can do this via Shizuku or Termux, and there are apps that can give you a user interface for this. What changes is that users have to enable developer mode to get this, which adds another warning label. Although admittedly they may remove this feature or add more hoops to jump through to use it.
Wireless debugging not only requires an initial setup, but it also requires being connected to a Wi-Fi network to work. Considering the number of Android users in countries where many don't have Wi-Fi, it's not an option for many.
There's also the problem of some banking apps refusing to work if developer tools are enabled.
"adb install" is such a far cry from a normal install that it's laughable to call it an alternative or jumping though hoops "within reason". I imagine it won't allow to update an app without another adb install, for one thing. And controlling adb is even easier for google, so how long till you can "adb install" only from within Android Development Studio and only if you have a verified account? Because otherwise all the spooky skammers would be installing stuff on people's phones willy-nilly!
I'm struck with how long the history of Apple's earliest iPhone has shaped and produced long-term damage to the concept of digital ownership. Apple originally didn't allow anybody but Apple to create software for the 1st gen iPhone, and only later was forced "opening" it my market forces.
People who realized they actually owned the thing they bought wanted to do what they wanted, which required circumventing Apple's control or "jailbreaking". This differentiator stimulated Google to "allow" installing on Android without "jailbreaking" the device aka "sideloading", giving the illusion of the kind of freedom that was never in question on normal computers.
It is interesting though how this same conversation doesn't exist in the same way in other areas of computing like video game consoles or other embedded computing devices where the controls against arbitrary applications is even stronger.
The fact that mobile phones aren't yet just a standard type of portable computer with an open-ish harware/driver ecosystem that anybody can just make an OS for (and hence allow anybody to just install what they want) is kind of wild IMHO. Why hasn't the kind of ferver that created Linux driven engineers to fix their phones? Is Android and iOS just good enough to keep us complacent and trapped forever? I can't help but think there might be some effect here that's locking us all in similar to how the U.S. healthcare system can't seem to shake for profit insurance.
I'm sometimes surprised at the plethora of cheap handheld gaming systems coming out of China that support either Linux, Android, or sometimes both, and seem to be based on a handful of chipsets. If anybody ever slapped an LTE module and drivers onto one of those things we'd have criminally cheap and powerful, open phone ecosystem.
> It is interesting though how this same conversation doesn't exist in the same way in other areas of computing like video game consoles
Historically, when the first game consoles with game cartridges existed, the hardware was much more niche than the available personal computers. Game system developers designed hardware specifically for games, and game developers developed for those specific systems. Also, physical media for games provided an ownership model and DRM.
In 2003, Apple released the iTunes Music Store partnering with music labels to counteract the prevalence of music pirating. That was the first major digital marketplace with DRM and way before the App Store in 2008!
In 2005, digital distribution for video game consoles came with the Xbox 360, PlayStation 2, and Wii. Being game consoles with unique hardware, they kept their restricted licensed development model of previous generations.
The iPhone and App Store just followed that pattern. Unique hardware and a licensed digital marketplace to go with it.
Now, the hardware between video game consoles, smartphones, and personal computers are mostly unified; and the only real difference is software, but the restricted marketplace model still remains.
---
> The fact that mobile phones aren't yet just a standard type of portable computer with an open-ish harware/driver ecosystem that anybody can just make an OS for (and hence allow anybody to just install what they want) is kind of wild IMHO. Why hasn't the kind of ferver that created Linux driven engineers to fix their phones?
DRM. There are already devices where you can unlock the bootloader and install any OS on it. But then you won't be able to install apps that use the Play Integrity API to ensure DRM. Companies/developers want revenue and develop apps that require Play Integrity.
Any device that doesn't have DRM will never support a paid digital marketplace or paid content streaming.
> Is Android and iOS just good enough to keep us complacent and trapped forever?
Probably. Microsoft tried a DRM supported OS with Windows Phone and that failed.
---
That being said, digital marketplaces and DRM have there place to prevent piracy and allow developers and creators to make a living.
If someone has a solution to prevent piracy without a root of trust that would be ideal.
"That being said, digital marketplaces and DRM have there place to prevent piracy and allow developers and creators to make a living.
If someone has a solution to prevent piracy without a root of trust that would be ideal.'
This is the equivalent statement to inspecting everyone's bag at any point because they might have something illegal. It's not an acceptable move from google.
I think it's more equivalent to when game consoles check the license on disc media.
It used to be via hardware in the disc reader, then online license checking. And now it's fully digital, media and license.
The fucked up part is the fact that we can't transfer digital ownership of purchases. Maybe this is what we should use blockchains for, but it would still require a locked device with root-of-trust.
---
> It's not an acceptable move from google.
By all means, you can have an unlocked Android device with a non-Google sanctioned OS and not use Google Play. That way you can use any app that doesn't require Google Play Protect.
Companies are OK with it because it makes them money. The majority of users are OK with it because they can use those companies' apps.
> Any device that doesn't have DRM will never support a paid digital marketplace
Yet here am on linux buying games on steam
Steam is a bit different, since that originated as a PC digital marketplace before complete root-of-trust DRM from HW->bootloader->OS->SW.
If anything, I would bet on a shift where Steam on Linux requires a signed OS like Windows Secure Boot. Wait, a signed Linux OS with Secure Boot already exists... It's Android Play Protect.
Also on Linux, you only get Widevine L3, which limits video and audio quality for DRM web content.
It took years before Apple relented and allowed the concept of a file be exposed to end users.
It's less likely that game consoles and smartphones will become fully unlocked like personal computers. I would bet on the opposite where personal computers have the same HW/SW model as smartphones. We are already almost there with macOS SIP and Windows Secure Boot. The only thing missing is removal or isolation of root privilege escalation.
Don't prevent piracy
> I can't help but think there might be some effect here that's locking us all in similar to how the U.S. healthcare system can't seem to shake for profit insurance.
Yup. The Amish have had no trouble implementing a single payer healthcare system in the USA. It can be done, where the people want it. But, by and large, the people really don't care. In the back of their minds they might think it would be nice to have in the same way they think it would be nice to have a muscly six pack, but when it comes down to putting in the effort to see it happen...
I understand what you're saying, but I still think it's wrong to blame the people "not wanting it". The corporations and politicians are really powerful and they go far and wide to protect their profits and interests.
Yes, the people could care more and could stand up for it, but it's so easy to blame them and that's exactly what the corporations & politicians want.
Maybe in some magical AGI future computers can do the work, but until then where else is the effort going to come from? It isn't going to randomly appear out of thin air, that is for sure. There is nothing else to "blame" but them.
It's not the "corporations" (which, in this context, is just another way to say people — and in this case often the very same people) keeping you from that six pack, nor it is it keeping you from building a single payer healthcare system. Not wanting to put in the toil to make it happen will certainly get in the way, though. We all understand why nobody really wants to put in the hard work and suffering to make the necessary changes, but that doesn't change the fact that it won't happen until you do it.
> It is interesting though how this same conversation doesn't exist in the same way in other areas of computing like video game consoles
This is part proprietary pedigree too.
You had to buy Nintendo cartridges to play Nintendo games, so no one ever questioned the Nintendo seal.
> It is interesting though how this same conversation doesn't exist in the same way in other areas of computing like video game consoles
Yes, there needs to be a lot more uproar for these cases as well. One of the most appalling cases is that of macOS. To distribute your app (as a .dmg for instance), you need to sign up and pay for a Developer ID, sign the app with a Developer ID certificate and then notarize it, EVEN if you don't intend to use their App Store.
You can self sign without a developer account and self distribute and all it does is notify the user that the software is from the internet the first time they run it. They can still use the app. If it is completely unsigned, users may have to bypass gatekeeper, but that is just a setting.
If you want to sign using a cert trusted by apple, and distribute on their infrastructure, you do need a paid account.
This seems like a reasonable compromise, quite honestly. That is based on remembering the bad old days of just having to trust that the software you downloaded from some random shareware site hadn't been modified maliciously.
99% of users are not going to understand why they can't just double click the app to run it. And the second they see macOS gaslight them into thinking self-signed applications are radioactive biohazards via scary warnings, they aren't going to take additional complicated steps to run the app they wanted to run in the first place.
Users will just assume the app is broken, a virus or that you're a hacker, all because of the way macOS treats apps from developers who didn't pay the Apple tax or submit the app to Apple's panopticon for approval.
Users should not have to know some cursed and arcane ritual to run the apps they want to run.
I think a little informative friction letting novice users know they are choosing to load/launch without Apple Store protections is reasonable.
However, any attempt by Apple to scare vs. just inform/confirm would be a dark pattern we don’t need.
Wait, do you need to do that? I've never attempted distribution, but I've created multiple local apps with Electron and Tauri for myself, and they are just a .app on my Applications folder. Wouldn't it be as easy as sharing this file with anyone else if I wanted to distribute them?
They need to try to open it, visit Settings > Privacy & Security, scroll down quite a bit, hit Open Anyway, try to open it again, and confirm one last time.
(Might be quicker for some in Terminal if supported.)
I think it used to be Right Click > Open, then confirm.
No, macOS treats your machine's self-signed certificates in a special way so that running apps signed with them is transparent to you, but a nightmare to anyone you dare to distribute the apps to without Apple's approval.
> I can't help but think there might be some effect here that's locking us all in similar to how the U.S. healthcare system can't seem to shake for profit insurance.
Yeah. It's called capitalism, where the reasoning behind everything is "How can businesses make a profit?". And in the U.S., it's also, if the business doesn't make a profit I'll starve.
> The fact that mobile phones aren't yet just a standard type of portable computer with an open-ish harware/driver ecosystem that anybody can just make an OS for (and hence allow anybody to just install what they want) is kind of wild IMHO. Why hasn't the kind of ferver that created Linux driven engineers to fix their phones?
It's because each phone SoC is essentially its own bespoke architecture. You can't build one arm64 Linux ISO that will work on all phones like you can an x86_64 ISO on a PC. Each and every model of phone requires 0) unlocked bootloaders and either 1) full support from the vendor for Linux or 2) dedicated hackers willing to reverse engineer the board to get it to boot Linux in the first place & then developers willing to write missing device drivers & then maintainers willing to keep the fork up to date or mainline the changes.
It will always be cheaper for phone manufacturers to develop bespoke SoCs than it is for them to implement protocols and interfaces that make booting and hardware discovery standardized like they are on the PC. Making a phone as accessible as a PC to booting generic operating systems inherently means increasing costs at every level from the design up.
> I'm sometimes surprised at the plethora of cheap handheld gaming systems coming out of China that support either Linux, Android, or sometimes both, and seem to be based on a handful of chipsets. If anybody ever slapped an LTE module and drivers onto one of those things we'd have criminally cheap and powerful, open phone ecosystem.
On the surface it seems like that, but all of those devices suffer from the same issues I described above. There will be thousands of devices that "support" Linux, but only nominally.
What happens is, if the manufacturer even releases the kernel source, you get a git dump of a forked kernel that was never modified to be upstreamed with the vanilla mainline kernel. That essentially means you are stuck using that fork unless you have the time, knowledge and skill to port that fork over to the mainline, which is a lot of work. This applies to every SoC, and SoC modification, in gaming systems. Barely any of this work crosses over or can be standardized like it is on a PC.
None of that makes a platform a real open ecosystem.
Source: I'm involved in porting and maintaining a Linux distro for those cheap Chinese handheld gaming systems. The only reason Linux runs on them is because weird nerds spent time getting it to run on them. When they get bored, your Linux "support" ends.
The best we can hope for is for ARM servers to scale down to the point we can use them in small form factors, as ARM servers implement the same standards PCs do to run generic Linux ISOs. We aren't going to get this from the mobile hardware ecosystem, there just are no incentives to make such an investment. Maybe we'll get them if ARM PCs truly take off.
> It is interesting though how this same conversation doesn't exist in the same way in other areas of computing like video game consoles or other embedded computing devices where the controls against arbitrary applications is even stronger.
The conversation takes place all the time, there are tons of people who want to, and do, run homebrew and Linux on their consoles, same thing with embedded devices. Getting Linux or Doom to run on an embedded device is a rite of passage.
One of the interesting history of the PC was when Microsoft started selling their OS to clone makers. To hear Balmer tell it, it was frighting as IBM was making their PS2 machines more proprietary. They won and IBM os2 lost. I figured android was Google’s MSDos for mobile, but it seems the temptation of ad revenue is too strong (even showing up on windows..)
Linux is the answer though on mobile it’s just starting to be a little competitive.
“Steve Ballmer: We said ooh, IBM's probably not going to like this. This is going to threaten OS 2. Now we told them about it, right away we told them about it, but we still did it. They didn't like it, we told em about it, we told em about it, we offered to licence it to em.
Bill Gates: We always thought the best thing to do is to try and combine IBM promoting the software with us doing the engineering. And so it was only when they broke off communication and decided to go their own way that we thought, okay, we're on our own, and that was definitely very, very scary.”
https://www.pbs.org/nerds/part2.html
That Balmer quote can be read in Trump's voice and it fits perfectly lol.
> It's because each phone SoC is essentially its own bespoke architecture.
Right, but that's a choice from manufacturers, not a requirement of building a mobile platform.
> It will always be cheaper for phone manufacturers to develop bespoke SoCs than it is for them to implement protocols and interfaces that make booting and hardware discovery standardized like they are on the PC.
This... seems suspect? I'm not doubting you, but I do wonder if it's a question of robbing Peter to pay Paul; perhaps it is cheaper to design a bespoke chip than it is to develop a standard for it, but over the course of many generations the benefits of standardizing would kick in?
I do know that RISC-V can support UEFI, so perhaps that's where we need to look to see how developments work out in the long run.
>It is interesting though how this same conversation doesn't exist in the same way in other areas of computing like video game consoles or other embedded computing devices where the controls against arbitrary applications is even stronger.
Far less technical people from my perspective
Not fun if you work I.T. whatever you role is
I think we could set the bar substantially higher. Don't even bother with discussion of sideloading. Talk about bounded transactions and device control.
What is needed is: Once I have purchased a device, the transaction is over. I then have 100% control over that device and the hardware maker, the retailer, and the OS maker have a combined 0% control.
First thing on the list for me is dramatically reforming the Digital Millenium Copyright Act (DMCA), which currently makes it a federal felony to provide other people any information or tools they might use to control the devices they own, ex:
> Thanks to DMCA 1201, the creator of an app and a person who wants to use that app on a device that they own cannot transact without Apple's approval. [...] a penalty of a five year prison sentence and a $500,000 fine for a first criminal offense, even if those tools are used to allow rightsholders to share works with their audiences.
https://www.eff.org/deeplinks/2020/09/human-rights-and-tpms-...
_____________
In some ways, I think this is even more important than attempting to bar companies from putting in the anti-consumer digital locks in the first place: It's easier to morally justify, easier to legally formulate, and more likely to politically pass. The average person won't be totally stuck lobbing the government to enforce anti-lock rules for them, consumers can act independently to develop lockpicks.
Plus it removes the corporations' ability to bully people using your tax-dollars and government lawyers.
The DMCA stuff is quite annoying for more reasons but all are US; my hoster and internet provider both have standard emails for DMCA and copyright violations from US companies: "We received this, we do not care if you act on it, cheers.".
"I then have 100% control over that device and the hardware maker, the retailer, and the OS maker have a combined 0% control."
the problem is transaction not done once you own the device, you must use the ecosystem
Google and Apple create this ecosystem and they own it, so even if you have 100% control of your device but you cant live without their ecosystem
OS is just "half the battle", if its so easy Microsoft would not let windows mobile died
Right, so that's what needs to change.
well, we need a platform competitor like Huawei doing for the past years
but Open Ecosystem/Platform
which is likely never happen tbh, since the amount of resources that required is a lot and would need monetization which would end up like at position like this
[dead]
What does this even mean? You don't want software updates? Or strictly only software updates that are 100% aligned with your wishes whatever they may be at the time?
No forced updates, no downgrade prohibition, no bootloader locking, kernel GPL compliance (with drivers that can be loaded in it, even if they are closed source), no remote attestation.
The bare minimum so that I can use the device I bought as I wish, even if the manufacturer later decides to "alter the deal".
Why would anyone want an update misaligned with them, ever?
You should be able to set auto update, auto update with confirmation, manual update only, for any or all apps.
What someone does with that, and why, isnt something anyone should have to explain or excuse.
It could be as simple as not wanting any new features beyond but what an original version of an app has. Or not wanting an update that takes user data surveillance to another level.
> You don't want software updates?
Most of the time, software updates remove features, change things around for no good reason (breaking our workflows), or add unwanted features.
We really should separate pure bugfix updates (which include security updates) from feature updates. We nearly always want the former, but not necessarily the latter.
So much this. I totally want security fixes, but I only want security fixes. I don't want UI changes, features removed or altered, or anything with my usability upset.
My computing devices are tools I use to do my job and run my life. I don't want those tools changing without my consent.
Unfortunately, even for desktop software, this has shifted today: you can hardly get a security update without a feature upgrade too.
Except in cases like Debian (or Ubuntu LTS main collection, Redhat distribution...) which assumes the burden of backporting security fixes to a stable collection of software.
Unironically, I want finished software. I don't like it one bit how the vast majority of software products today are in an "eternal beta", so to speak.
Android, in particular, is a finished product. It doesn't need yearly updates. It may need an occasional update to patch a vulnerability, but this whole "we changed the notification shade UI for tenth time because we're so out of ideas" thing has to stop.
Yeah, that's the problem. As soon as it became feasible to push upgrades over the wire, software companies started relying on it. And unfortunately that mentality is viral, because as soon as one thing starts doing that, anything that else that interoperates with that other thing winds up having to do it to some extent. It's a tragedy of the commons.
But I'd definitely love to not be shipped alpha or beta software. MVPs are great when hacking, but why are we shipping hacked together stuff. "It works" doesn't mean it actually works...
> I don't think software is ever finished.
Back when it came on physical media, it was very much finished. Needing an update to fix a critical bug or a UX issue was a very costly problem to have, both in money and in reputation. Users had to be convinced to buy and install major updates, instead of being strong-armed into it. Staying on an older version was easier, and in case of operating systems, much more widely accepted.
Many video games fall into that category even today. Sure, the "we can always release an update" mentality did infest game developers as well, but, unlike apps and OSes, most games do have a finite scope and stop being developed once that scope has been realized.
It's a great situation when a bug is discovered and it is hard to patch.
You're fantasizing about a time that never existed. Software isn't "ever finished" because we are not omniscient writers who can foresee all problems, fix all bugs, and write software that is unhackable. That's the mindset that "all tests pass" or "it works for me" means the software "works."
We can't address the problems, as discussed in the article and that I mentioned in my comment, if we're going to retcon history and redirect ourselves to a worse environment. That doesn't fix anything.
We'll never be omniscient, sorry. The world changes. Hardware changes. Software rots. Time marches on. These do not change and we have to operate in a world where we acknowledge these basic facts of reality. We'll never make decent software if we can't acknowledge reality first.
On Google Play, it's only finished for a few years at best. If it's not updated to the latest version, eventually it gets delisted.
That's exactly my point — if Android itself doesn't have meaningless updates every year, then apps won't need them either.
I want it exactly as it is in Linux land. This is a solved problem. How are you so dumbfounded?
I think this is a good point, even if you're presenting it as a false dichotomy.
Obviously saying "Apple shouldn't be allowed to touch my device after I purchase it" as well as "Apple should be compelled to provide security updates" is nuts.
But I think saying, "Apple shouldn't be allowed to touch my device after I purchase it" as well as "I should be able to provide my own security updates, if Apple doesn't want to" is totally reasonable.
But Apple would never allow that. So allowing sideloading seems like a reasonable amount of pain Apple should be forced to put up with...
I don't think Apple should be compelled to provide security updates. I think Apple should be held accountable for security vulnerabilities in anything they release. You can't evade liability by patching it later.
I'll take that deal 9 times out of 10. Why would I want updates tied to a phone if I'm going to be installing my own software with its own updates? This is already done on most software, browsers, etc. CVE on text messages? Cool, wasn't using the manufacturer's app anyway.
Pure security updates are often better than the status quo, but yes I'd prefer to have zero updates instead of the current mess.
Maybe software updates could contain things users actually want, that provide a competitive incentive for users to choose to buy the phones from specific makers?
> Or strictly only software updates that are 100% aligned with your wishes whatever they may be at the time?
Um, yes? Constant push-updates are one of the worst tech trends of the last 10-20 years.
Maybe I do, maybe I don't. It's for me to decide what updates I want, if any. Apple and Microsoft do not give you a choice. Precisely zero people wanted Copilot on their computers, but it's there anyway whether you want it or not.
You can choose not to update in both Android and iOS. Same with running Windows.
Security bugfixes are tied to feature upgrades, unfortunately.
>only software updates that are 100% aligned with your wishes whatever they may be at the time?
wild that you seem to think this is a gotcha question. yes, all the software I want on my devices, and only software I want on my devices
That bar would require infinitely good software on the hardware. Then it will be your device. Otherwise, they will constantly need to improve it. then it will be their software on your device.
Would you consider Microsoft Windows or Linux infinitely good software? The scenario described by the GP applies 100% to most personal desktop and laptop computers.
I don't think it matters if it's their software on your device, just like it's their chips inside the box. The key is that you choose whether or not to buy the product, or install their software.
People always say things like these, and I wish it were that way too. Maybe if history had gone a little differently.
But what's the point of defining these standards now? Is the world where this is the reality still feasible? It seems nearly impossible, unless you're an extremely wealthy and influential individual. What I'm seeing is that we never will move to a world where a device that you bought is truly "yours" anymore. Instead, we'll be renting one of the approved devices, ran by one of the tech megacorporations and overseen by your government. They will give no real way to execute any random code that you want, unless you're also licensed and vetted as a developer. They will be tightly surveilled, all information will be saved, every interaction between these devices will be controlled for the sake of security. It will be an entire web of trust, defined by the powers that be. We're seeing early attempts at it now, but we still haven't hit full centralization. But once we do, what happens then?
I said it elsewhere in the thread, but the current model is already falling apart: it has led to random IoT devices becoming parts of widespread botnets, affecting Internet functioning, and putting unwitting consumers at risk.
Fixing that problem might turn out to be cheaper for competitors by making their platforms more open and avoiding the full responsibility as a vendor.
Basically, combine current and future legislation about electronic waste, cybersecurity of IoT and connected devices, and the carve-outs for free software and open source platforms, and suddenly it becomes much cheaper to ship a product that will run for 20 years (say a washing machine) if you as a vendor can guarantee some of this for the warranty period (1-5 years), and open up the platform to consumers and shift the responsibility at that point. Also imagine the case of a vendor going under which needs to be covered too (this would make subscriptions infeasible too).
If legislation demands this (imagine no insecure devices for 20 years), markets will do the rest.
> I said it elsewhere in the thread, but the current model is already falling apart: it has led to random IoT devices becoming parts of widespread botnets, affecting Internet functioning, and putting unwitting consumers at risk.
But isn't this also exactly how the pitch will sound for what I proposed? You know, "The internet is too important and random people are allowed to upload and run random dangerous code within it with no oversight, this has to be stopped." The manufacturers will never bear the consequences of their choices, the consumers will. There might be a push to make the internet watertight by requiring all major websites and services to only allow access to "secure" devices and block all other traffic. After all, why spend money on cybersecurity when everyone can only use the (important parts of the) internet with their real names, and developers are de-anonymized?
Will this actually improve security? It seems very unlikely. But despite it, this move seems like exactly the kind of thing that's coming, because it massively benefits both companies and governments.
You are right, which is why I stress the time component and e-waste concerns. If combined they end up meaning that a vendor ships you a device and they need to take it back for recycling in 2-7 years when they stop providing security updates, market will force a change.
At the moment, laws are disjoint even in EU, and not strict about what happens when you stop fixing security bugs.
I mean, maybe, but I think what you're describing is a view so bleak and fatalistic that it amounts to saying the world may as well self-destruct because there's nothing we can do about it.
Ubuntu for android?
How's Ubuntu (or hell, any Linux distro) for mobile going to change what I outlined? It's not going to matter what OS you're running once all the important websites and services you use every day (up to and including government services) start requiring some form of attestation or other layers of security that will no doubt only be provided by a few locked-down vendors. Once that happens, your Ubuntu Touch phone will be about as useful as a Nokia 3310, at least online. After all, it's <0.01% of the market and open (therefore dangerous), Google or Microsoft or Apple aren't going to sign off on that. A natural consequence of that will be that "unsecured" devices will be stamped out, perhaps not by force, but just economically. That's the day when what I described will just become mundane reality.
When that happens we'll abandon the web as you described it and build a new one that better resists the cancer. Honestly there are a lot of bad decisions baked into out default stack that it's gonna be refreshing to be rid of. Not just malware and corporate overreach, but 1980s thinking that seemed fine at the time and turned out to not be.
So to answer your question: Ubuntu will let you access the next web, and Android probably won't.
Why the assumption that there will be a new web?
If you're talking about developing some brand new means of worldwide communications, this seems extremely improbable if done by the 1% of the rest of us (basically, hobbyists and techy people). The internet required tens of billions of dollars worth of development and infrastructure to get to this point, how will it ever happen without the sponsorship of large centralized entities?
If you're talking about leeching off the existing internet infrastructure to communicate with some brand new protocols over them, who's going to let you do that? Both companies and governments would have incentive to put a stop to this in any way possible, because it drives away customers from the manufacturers and signers of all "secure" devices and lessens the amount/value of surveilled data. It may be allowed at a small scale, but I'm not seeing how anything long-term could be established that could threaten the existing powers in any way.
Its just a pattern I see repeated. The innovators find a playground, its cool for a while, then it succumbs to grift of some kind or another, and the innovators move on.
There was a time when "pamphlets" were an edgy new social medium, now its just a certain kind of ad. Same thing happened with radio. And now it has happened to the web also.
Why should this be the last time?
As for threatening the existing powers... I don't see what power they have if all they're guarding is a pile of stuff that nobody wants anymore.
It may be a bit inconvenient, but if you really need a device with radios that you can run arbitrary code on, you can get one for something like $4 and you can use your existing phone to drive it over something generic like http (There are plenty of people on meshtastic doing this).
I don't have the answers re: next steps but I know that its far more difficult to prevent people from communicating in novel ways than it is to come up with novel ways to communicate. I figure we've been playing this cat and mouse game with authority for millennia: they always win eventually and we always find a new way to make that victory irrelevant.
We lost. OK. What's left to do but invent the next battleground? We're hackers, its what we do.
No, that obviously won't happen.
I think this misses the forest for the trees here. The platforms behavior here is a symptom and not the core problem. I think the following are pretty clearly correct:
1. It's your damn phone and you should be able to install whatever the hell you want on it
2. Having an approved channel for verified app loading is a valuable security tool and greatly reduces the number of malicious apps installed on users devices
Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has a install at your own risk warning whenever you install something outside of the official app store. 99.9% of users would never see the warning either because almost all developers would register their apps through the official store.
But there is a reason why Apple/Google won't do that, and it's because they take a vig on all transactions done through those apps (a step so bold for an OS that even MSFT never even dared try in its worst Windows monopoly days). In a normal market there would be no incentive to side load because legitimate app owners would have no incentive not to have users load apps outside of the secure channel of the official app store, and users would have no incentive to go outside of it. But with the platforms taxing everything inside the app, now every developer has every incentive to say "sideload the unofficial version and get 10% off everything in the app". So the platforms have to make it nearly impossible to keep everything in their controlled channel. Solve the platform tax, solve the side loading issue.
> 2. Having an approved channel for verified app loading is a valuable security tool and greatly reduces the number of malicious apps installed on users devices
I would instead say that having a trustworthy channel for verified app loading is a valuable security tool. F-Droid is such a channel; the Google Play Store is not. So Google is trying to take this valuable security tool away from users.
Sure, but you'd probably also agree it should be up to the device owner (end user) which parties are to be considered 'trusted'
Yes, I think the end user is in a better position than Google to decide who to trust. Some end users will make bad decisions, but Google's interests are systematically misaligned with theirs.
Not really. Google has maybe the best security researchers in the world, most end users have no idea, Hacker News is not representative of the general population.
I am not saying it justifies locking down devices, but that's the kind of situation where I think a bit of friction is a good thing. For example having to connect your phone to a computer and run some command line tool (like for unlocking a bootloader). You still have your freedom, but it is also something you are less likely to do by accident. In the sideloading situation, it looks like you could make yourself a developer account and repack apps under your own identity, which is one of these high friction workarounds.
For F-Droid specifically, maybe they should negotiate with Google before going to the offensive. Maybe they did and it didn't work, but I think a good compromise would be to let F-Droid has a key to sign the apps they compile, making F-Droid accountable for the apps they distribute.
And by the way, Firefox is in a similar situation for extensions. Over the years, they made it really hard to install anything from outside the official Mozilla repository, citing security concerns. It is not just Google.
Even if you allow package distribution whitelists, and even if we allow Google, by virtue of essentially owning/steering Android to, by default, be on the whitelist in their distributions...
At some point you need to just let the user say "I'm OK with being accountable for the installation" and get out of the way.
Yes, Google has much greater competency. But when their interests run counter to their users' interests, as in the particular case we're talking about where they are nuking F-Droid from orbit, thus depriving users of access to NewPipe and other apps that don't try to rip users off, that higher competency is a disadvantage, not an advantage.
Neither incentive alignment nor competency is sufficient without the other.
"Trustworthy" requires a qualifier of "for what" and I do trust Google to not intentionally install malware on my device and to take reasonable steps to prevent other people from doing it. I will admit that I don't know the details of how the app stores work, but they are at least checking the hashes of the binaries right? The probability of trying to install Instagram from Meta, but actually installing Instapwned from some malicious third party is zero when you go through the app store, right?
I assume that's correct, for your very narrow definition of malware and a nonzero definition of zero, and it's a good point that trustworthiness is context-dependent. As Alan Karp used to say, "I trust my relatives with my kids but not my money. I trust my bank with my money but not my kids."
Yes, but app stores like F-Droid, if you trust them, provide an even stronger security statement: they guarantee that you can check out the full source code of the app you are running.
This is what has made Linux distributions the go to for secure OS to run on your server: even if malware or bug leaks in, you have a full security trail about when and how that happened right in the open.
Wrong, plenty crap make it into the store, that is true for both Android and iOS. And the advertisement in the Android store is designed specifically to try to trick you into installing a different but similar app to the one you wanted.
I'm unclear on why F-Droid is any safer than the playstore and not possibly worse since using it tells potential malware purveyors that you're into sideloading in the first place.
F-Droid provides curated applications vetted by parties that *the user* chooses to trust.
By default, F-Droid provides only the applications that they themselves have verified and built from source. They also allow the user to add other sources from other parties who the user trusts (e.g. GuardianProject, IzzyOnDroid, and others[0]).
Google provides any application uploaded by any anonymous third-party who signs up as a developer (and in future, provides the required ID).
[0] https://forum.f-droid.org/t/known-repositories/721
Because F-Droid inspects the source code of the applications they build, removes malware and other antifeatures from them, and compiles them from source to ensure that the binaries they deliver correspond to the source code they've inspected. The Google Play Store doesn't do any of those things. Consequently it's full of malware.
Not to be an asshole, but you must not be very familiar with F-Droid.
It’s not just a random hodgepodge of “third party” binaries. It’s all FOSS software that was actually built from source and verified.
Probably much safer than a random app on the Play Store.
If I had to install a random app from the play store or from F-droid, I would pick F-droid every time. The level of vetting they apply is miles ahead of Google.
> it seems like a pretty obvious solution is to just have a pop up that has a install at your own risk warning whenever you install something outside of the official app store
That's close enough to how Android already works. Google wants to additionally prohibit installation of apps unless they're signed by a developer registered with (and presumably bannable by) Google.
> Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has a install at your own risk warning whenever you install something outside of the official app store.
It is an obvious solution, and it's a good first solution. This popup already exists.
A problem in security engineering is that when people are motivated (which is easy to achieve), they will just click through warnings. That is why, for example, browsers are increasingly aggressive about SSL warnings and why modifying some of the Mac security controls make you jump through so many hoops.
The usual take on HN is take the attitude that the developer is absolved of responsibility since they provided a warning to the user. That's not helpful. Users are inundated with stupid warnings and aren't really equipped to deal with a technical message that's in between them and their current desire. They want to click the monkey or install the browser toolbar. The attitude that it's not my problem because I provided a warning they didn't understand doesn't restore the money that was stolen from them by malware.
I guess this is a difference in philosophy then, but I think that the goal of security engineering should be to protect users from malicious actors, not to protect them from their own bad choices. If I give you a safety feature, and you turn it off, that's not my problem. There is a special level of hatred that I have reserved only for the busybodies who limit my choices and justify it as protecting me.
That said, your point about messaging is really good, and so many times I see security warnings I roll my eyes at how badly the message is written.
I agree that our choices should not be limited to protect us.
However, we need a better solution than pop-up warnings. I guarantee that you have clicked through a pop-up warning that was standing between you and the thing that you wanted to do (as have I, and everyone else who has used a computer for more than a day). We very quickly learn that most warnings aren't going to affect us, and that they're just saying "are you sure" to things that we're already sure of.
We've all selected a file, hit the delete key, got the pop-up saying "are you sure you want to delete wrong_file.txt", hit "yes" (because we always have to hit yes after hitting delete), then looked at the outcome and thought "oh, that was the wrong file" too late...
Which is why the default is often move to trash these days, or includes an undo option for a bit instead of a confirmation dialog.
But some actions are pretty hard to undo (eg installing malware), so the issue in general stands.
>Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has a install at your own risk warning whenever you install something outside of the official app store.
Android already does this. It's the thing that's going away.
I don't trust the Google Play Store.
"I don't trust the Google Play Store."
then you trust who??? Apple app stores?
Too bad. Pay up and ask big daddy google for permission if you want to use your device. /s
> a step so bold for an OS that even MSFT never even dared try in its worst Windows monopoly days
I don't think it's like "MSFT didn't dare to try", but rather "MSFT was too stupid to come up with the idea". They didn't have the ability to manage it either (and till this day their Windows Store app still sucks with tons of bugs). Not to mention that Windows was already wide open, never with a restriction "you can only install these approved apps" to begin with.
Basically, not that Microsoft didn't do it, but it couldn't.
Also can you imagine trying to download software over the Internet in the 90s? They couldn't depend on their users having high speed connections because most didn't. App stores probably couldn't work before 2000.
This comment is very uninformed and misleading.
> Having an approved channel for verified app loading is a valuable security tool and greatly reduces the number of malicious apps installed on users devices
These are claims that Apple and Google make to justify their distribution monopolies, and you are repeating them as fact. I don't think it's true, and cite as evidence both major app stores and the massive amount of malware in them.
Don't parrot anti-competitive lies from monopolists.
> Given that both of these things are obviously true, it seems like a pretty obvious solution is to just have a pop up that has a install at your own risk warning whenever you install something outside of the official app store.
Google already does this. They've always done this, and it has always been a bad thing because it disadvantages app stores that try to compete with Google Play. Imagine you want to sell an app, and your marketing materials need to include instructions on how to enable "side loading" and tell people to ignore the multiple scary popups warning about vague security risks and malware.
> because they take a vig on all transactions done through those apps
This has already been litigated and federal judges ruled that they must allow devs to use third party payment processors. Look up the Epic Games cases against Apple and Google.
> In a normal market there would be no incentive to side load because...
This is nonsense. "sideload" just means to install something outside the Play store. In a normal market, there would be every incentive to do so, as consumers would be able to choose from multiple app stores. Users don't care where an app comes from, as long as they can figure out how to get it.
> both major app stores and the massive amount of malware in them
This is true, but it's also not the main vector of attack. The primary threat is that the user is intending to download $WELL_KNOWN_APP and instead downloads a compromised binary from a malicious third party and is instantly compromised. The app stores make the probability of this essentially zero.
Question: if the OS does proper app sandboxing how is this basically any different from having unrestricted access to a web browser or email?
Oh no granny tapped a bad Google ad and got phished! I guess we should kill the open web and use the officially sanctioned “web store” from now on (where you have to apply, pay a fee, and of course a % commission to host a website). It’s much safer for us!
It is not funny, but this already happens. ID verification mandated in some countries already take care for that under disguise for children protection.
Despite all the bad moves, one of the reasons why I use android and not iPhone is installing apps from places like fdroid.
If this stops, it fundamentally disallows me to have the privacy that Apple app store can't provide. The amount of garbage apps in play store is horrible. I don't try out any new apps from there cos of this. So I will just switch to iPhone.
Already degoogled for pretty much most things. This will be the last. And maybe switch my website from netlify which I think is using google cloud (need to check).
To me this seems analogous to the motivation of certain people, as soon as they were able to work from home during the pandemic, to move to some arbitrary other cheaper place only because they were no longer required to go into the office.
Specifically it's weird to me that those people, akin your statement about platforms, don't seem to have a sense of place within which they do their stuff, whether that stuff is talking to the friends in your neighborhood regularly or checking your email; there aren't any other reasons you prefer Android, iOS is the default?
I personally don't fucking like iOS at all, never have, but I've always let myself re-evaluate it when the opportunity comes up. I find the UI clumsy and primitive, lacking in personality, customization, versatility. It was just fine on my old iPad for a few basic tasks, and it's still just as fin and just as basic, relatively speaking, on newer devices. However I am a career-long macOS user by choice. I usually admire both macs and iPhones for their hardware design.
Likewise, even though I moved to my relatively high cost of living city for a job years ago, if my current one let me WFH exclusively, I'd move... nowhere, this is exactly where I want to be. There is always some threshold of course whereby favoring one choice over another is too costly to maintain, but even though this particular freedom topic is important to me, I'm not about to just switch platforms because I've secretly hated it otherwise.
> To me this seems analogous to the motivation of certain people, as soon as they were able to work from home during the pandemic, to move to some arbitrary other cheaper place only because they were no longer required to go into the office.
Because that is important to them. Everybody has different opinions on different things. Their priorities are different. I prioritise privacy. I had a workflow with convenience and privacy setup I can do with Android now. It had a lot of loopholes but it is something I am satisfied with. Its something I have developed it by making compromises and adjustments based on privacy, convenience and functionality. So FOR ME, it becomes valueless after this change. And the better would become iOS. So I would change.
I could also argue that yours is a boiling frog situation where you are fine with bad changes around you but you keep getting adjusted to it and making excuses.
For example, due to my privacy setup, I rarely see ads, I rarely get scam calls. There are convenience I get because of it.
All you have to think is... If whatever these companies do online... Will you be OK with it if they do it offline and in person?
Imagine I follow you everywhere and keep telling me to buy a burger from McDonalds. Stalk you around, noting everything you do. And about your family. How long will it take for you to call the cops on me or confront me? Why are you complacent when these companies do the same online? End result is literally the same. Only difference is scale and the fact that one is happening in your face while other is out of your view.
In conclusion, Everybody's threshold (like you mentioned) to different changes are different based on their views and priorities.
And most importantly, as a software professional, we definitely should hold ourselves to higher standards. I am doing what I CAN now.
Instead it would be great if you join the fight against Google (and Apple) by using FOSS and independent distributions like GrapheneOS. It is the most secure and private option we have today. Most apps work as it is except a few those who purposefully use Google Play Integrity API to block independent platforms.
As much as I'd like to, the vast majority of android phones are incapable of installing grapheneOS.
Author here. I admit I am rather startled by the tone of many comments here and the accusations of disingenuity. Splitting hairs about the origin of the term "sideload" does not change the fact that those who promote the term tend to do so in order to make it feel deviant and hacker-ish. You don't "sideload" software on your Linux, Windows, or macOS computer: you install it.
You have the right to install whatever you want on your computer, regardless of whether that computer is on your desk or in your pocket. That's a hill I'll die on. I'm dismayed to see that this sentiment is not more widespread in this of all communities.
This is mostly a framing war. Calling it "sideloading" makes it sound risky or unusual, but if we called it "installing software on your own device", Apple's and Google's restrictions would seem absurd - like telling homeowners what kind of light bulbs they're allowed to use.
Or what kind of store you can drive to.
Imagine if your car was locked to certain manufacturer-permitted destinations.
That's what our smartphones have done.
[dead]
This community has pockets of people who like authoritarian control, and genuinely believe in Apple or Google Play as some kind of superego that they need to defend, that they believe is protecting us.
This surfaces in many types of discussions, including discussions where they may be prompted to defend the locked down nature of mobile devices.
I say it's just pockets. A vocal pocket. It's not everyone here. But it elicits comments justifying that stuff, which can feel surprising for those who don't share those views.
> This community has pockets of people who like authoritarian control,
Alternatively, we've spent our lives helping our parents out. Last year my mom just got completely owned, total taken over of all her financial accounts. The most likely vector was that her phone was out of date and not receiving security patches anymore.
Luckily her bank's anti fraud systems kicked in before too much damage was done.
Prior to smart phones, many of us remember making monthly, or even weekly, trips to family members houses to remove malware and viruses from personal computers.
Things were bad.
> my mom just got completely owned
Any evidence this was caused by "sideloading"?
You're assuming that the drawbacks of Google's peddled response are worth the alleged fix. Given that the primary malware vector for your mom's phone is the play store, this has all the hallmarks of a nonsolution: no benefit, only drawbacks.
It is the equivalent of restricting car use to paved roads only as a "solution" to car crashes.
Perhaps, as a fellow developer and a HACKER News user, you can understand that the underlying problem is the device security. Amplifying the problem is the surveillance capitalism ecosystem. Your data is valuable, to the trillion dollar companies and to hackers. Which means they need to collect that data and try to drive a fine line of giving them access but no one else. I thought we were all aware that trying to make backdoors is a foolish endeavor.
Your desktop computer is still a desktop computer. The smart phone didn't change anything there. If you're getting fewer viruses it is because either 1) the user is becoming more proficient, 2) the hackers are becoming less proficient, or 3) (the actual answer) security is getting stronger. Critical to #3 is noting that this has happened without the requirement of app stores.I also want to stress, the enforcement of app stores is the death of phones and general purpose computers.
What makes computers (phones included) so great is that they are an ecosystem. You can't make a product for everyone, but you can make an ecosystem that can be adapted to anyone. Without programs these things aren't very useful. We're back in the old days like with the IBMs. Just remember, it took Google and Apple years before they put a flashlight app on their phones, but it only took weeks for developers. If we wait for them to build everything we're going to wait forever and won't get half the stuff we need.
It is a hill I'll die on too> This community has pockets of people who like authoritarian control, and genuinely believe in Apple or Google Play as some kind of superego that they need to defend, that they believe is protecting us.
Perhaps you meant Leviathan instead of superego?
The correct term was always “download”. We should be allowed to download and run anything we want on our own phones.
The fact that Apple and Google have taken away digital freedom on the most important device of our time is shameful and gross.
That they've convinced everyone that this is okay, and that they've maintained regulatory capture to keep doing it, is absurd.
We need web downloads and installs on Apple and Android immediately. With no "scare walls" or deeply nested and hidden menu settings to enable it.
We need the ability to run any kind of tech, including JIT runtimes. Apple and Google shouldn't be able to tell consumers or the industry what type of computing is permissible.
Smartphones are the most important device category in the world. They're how people bank, work, navigate, shop, order, communicate, date, order food at restaurants, take photos, -- life without them is impossible.
It would be nice to see as much competition as we do with the automotive industry, but the next best thing would be to rid Apple and Google of their draconian overlording of the platforms.
Consumers do not have the expertise to articulate this or really understand what is happening to them. This requires regulators and industry professionals to push forward.
I would say the situation is worse as this "subscription-esque" model is "spreading" to areas beyond software. Exercise equipment like ellipticals and bicycles - whose software is/could be borderline +/- resistance level trivial - has been moving to "only works with an online subscription" business models for a long time.
I mean, I have had instances that controlled resistance with like a manual knob, but these new devices won't let you set levels without some $30+/month subscription. It's like the planned obsolescence of the light bulb cartels of the 1920s on steroids.
Personally, I have a hard time believing markets support this kind of stuff past the first exposé. I guess when you don't have many choices or the choices that you do have all bandwagon onto oligopoly/cartel-like activity things, pretty depressing, but stable patterns can emerge.
Heck, maybe someone who knows the history of retail could inform us that it came to software "from business segment XYZ". For example, in high finance for a long-time negotiated charging prices that are a fraction of assets under management is not uncommon. Essentially a "percent tax", or in other words the metaphorical "charging Bill Gates a million dollars for a cheeseburger".
EDIT: @terminalshort elsethread is correct in his analysis that if you remove the ability to have a platform tax, the control issues will revert.
That planned obsolescence thing on light bulbs isn't the entire story. Light bulbs will last longer if driven less hard, due to the lower temperature. But that lower temperature also means much lower efficiency because the blackbody spectrum shifts even further into the infrared. So some compromise had to be picked between having a reasonable amount of light and a reasonable life span.
But yeah agree, this subscription thing is spreading like a cancer.
I'm not an expert on the case law, but supposedly United States v. General Electric Co. et al., 82 F.Supp. 753 (D.N.J. 1949) indicates that whatever design trade-offs might have existed, corporate policy makers were really just trying to screw consumers [1] (which is why they probably had to agree on short lifespans as a cartel rather than just market "this line of bulbs for these preferences" vs. "this other line for other people" -- either as a group or separate vendors). I keep waiting for the other shoe to drop where they figure out how to make LED bulbs crappy enough to need replacement.
EDIT: and, shucks, @kragen beat me to it! :-)
[1] https://en.wikipedia.org/wiki/Phoebus_cartel#cite_ref-USvGE-...
Leds are already awful. I already lost 4 of 10 led light bulbs I boughtast year. I hope they will be replaced. It's because every led bulb has a small transformer inside and it fails quite quickly
I think its a heat dissipation issue. I have some overhead LED lights that replaced some halogen bulbs and they have huge metal heat sinks on the back and have all lasted 10+ years. Unfortunately they are no longer sold but I did buy a few spare just in case.
It depends a lot on the bulbs. When we moved into our current house 11 years ago, we replaced everything with LEDs. Many of those original bulbs are still going strong, including all of the 20 or so integrated pot lights we put in to replace the old-school halogen ones. Others died within a year, and replacements have been similarly hit and miss. To some extent you get what you pay for; most of the random-Chinese-brand LEDs I've picked up off of Amazon have failed pretty quickly. Most of the Philips and similarly expensive ones have lasted. Also the incandescent-looking ones that stuff all the electronics into the base of the bulb tend to fail quickly, as do anything installed in an enclosed overhead light fixture, due to heat buildup.
> as do anything installed in an enclosed overhead light fixture, due to heat buildup
This is my problem. My house has a lot of enclosed overhead light fixtures, and LEDs just do not last long in them. And renovating all of them to be more LED friendly would be quite expensive.
Interesting, that's been the opposite of my experience.
My Mum converted her homes down lights to LEDs over a decade ago. Hasn't lost a single one.
I moved into my current house 5 years ago, haven't lost a single one either.
I think the quality ranges a lot.
I got one of these free energy audit things which included swapping out up to 30 or so bulbs with LEDs. Whatever contractor did it seems to have gotten the cheapest bulbs they could, and the majority of them have failed by 4 or 5 years later. So far so good on the name brand ones I replaced them with.
I think the solution is something like this.
https://atx-led.com/
"That planned obsolescence thing on light bulbs isn't the entire story."
Whilst that's certainly true the Phoebus cartel's most negative aspect was that it was a secret organisation, its second was that it was actually a cartel. These disadvantaged both light bulb consumers and any company that wasn't a member of the cartel—a new startup company that wasn't aware of or a member of the cartel would be forced out of business by the cartel's secret unfair competition.
Without the cartel manufacturers could have competed by offering a range of bulbs based on longevity versus life depending on consumers' needs. For example, offering a full brightness/1000h type for normal use and a 70% brightness/2000h one for say in applications where bulbs were awkward to replace (such product differences could even be promoted in advertising).
Nowadays, planned obsolescence is at the heart and core of much manufacturing and manufacturers are more secretive than ever about the techniques they've adopted to achieve their idea of the ideal service lives of their products—lives that optimize profits. This is now a very sophisticated business and takes into account many factors including ensuring their competition's products do not gain a reputation for having a longer service life or better repairability than their own (still a likely corrupting factor that originally drove the formation of the Phoebus cartel).
Right, the philosophy's not changed since Phoebus but the sophistication of its implementation has increased almost beyond recognition. There's not space to detail this adequately here except to say I've some excellent examples from the manufacture of whitegoods and how production has changed over recent decades to manufacturers' advantage often to the detriment of consumers.
In short, planned obsolescence and the secrecy that surrounds it has negative and very significant consequences for both consumers and the environment. When purchasing, consumers are thus unable to make informed decisions about whether to trade off the reduced initial costs of products with a short service live against those that have increased longevity and or improved repairability. Similarly, shortlived products only add to environmental pollution, witness the enormous e-waste problem that currently exists.
As manufacturers won't willingly give up panned obsolescence or secrecy that surrounds it, one solution would be to tax products with artificially shortened service lives. In the absence of manufacturing information governments could statistically determine product tax rates based on observable service lives.
Yes, but the compromise didn't have to be an industrywide conspiracy with penalties for manufacturing light bulbs that were too long-lasting and inefficient. But it was. Consumers could have freely chosen short-lived high-efficiency bulbs or long-lived low-efficiency ones.
In fact, they could have chosen the latter just by wiring two lightbulb sockets in series, or in later years putting one on a dimmer.
They will also last longer if the metal filament is thicker. Which is the way they artificially limited the lifespan.
But if the filament is thicker you need much more current to get the same level of light, hence much lower efficiency, like your parent comment said.
That changes the resistance and thus efficiency
An even more grotesque practice is to charge a stratosphere level premium for the product itself AND put its control behind a subscription e.g. 8sleep
I agree, but why you buy it then? Everyone should be allowed to price how they want it. If they price at 1m + 100k/month would sell much less. Therefore the price they charge is “reasonable” for correct customers
The reason subscriptions are spreading everywhere is that stock markets and private investors usually value recurring revenue at a much higher multiple than non-recurring revenue. The effect can be so large that it can be better to have less recurring revenue than more non-recurring revenue, at least if you are seeking investment or credit.
It creates a powerful incentive to seek recurring revenue wherever possible. Since it affects things like stock prices and executives and sometimes even rank and file employees often have stock, it's an incentive throughout the organization. If something is incentivized you're going to get more of it.
In the past it was structurally hard to do this, but now that everything is online it becomes possible to put a chip in anything and make it a subscription. We are only going to see more and more of this unless either consumers balk en masse or something is done to structurally change the incentives.
This argument, though true, can be simplified to "investors are greedy so you will pay more". And it's really sad and discouraging
All very true and "balk en masse" is what I meant by "first exposé". (Ancient wisdom, even, if you think about individuals and mortages/car loans and having a steady job, etc. rather than just businesses.) Maybe we'll anyway see some market segments succeed with "pay 2x more for your screwdriver, but it will at least be your screwdriver" slogans, and then have screwdrivers to do with what we will, like the proverbial "pound sand". ;-)
"resistance level trivial"
Could literally replace the control software with a potentiometer (a resistor)! :)
I mentioned a knob - it did the trick with literal mechanical friction { instead of electrical friction = potentiometer :-) }.
I know I'm on a tech website but so much consumer stuff is entirely too complicated for relatively spare benefits to the consumer.
Anyone buying internet-connected exercise equipment is getting exactly what they deserve.
FWIW, thank you and the team for all the hard work. Me and my family use it to install, discover, and try out many of the genuinely useful and really cool, high-quality Apps on our de-Googled devices and truly appreciate it. I could never imagine using that ad-ridden, user-tracking, scam-infested, filth-flinging abomination they call Play "Store". The only thing that's worse is GCM - you don't even see it's there as a regular user.
Could you make the claim that F-Droid is actually safer than "Google Play Store"
The plea Google makes against so-called "sideloading" always refers to "malware"
But how much malware has been distributed via F-Droid versus "Google Play Store"
It could be that smaller, independent "app store" might be better managed than Google's
> Could you make the claim that F-Droid is actually safer that "Google Play Store"
That is essentially the assertion that we made in the prequel to this post (at https://f-droid.org/en/2025/09/29/google-developer-registrat...).
> But how much malware has been distributed via F-Droid versus "Google Play Store"
There's been only a single case of malware that we know of that has slipped into distribution on F-Droid (through a supply-chain attack on a transitive dependency), and it was caught within a day. So if we were feeling glib, we might have made the claim that "there is over 224 times as much malware on the Play Store than on F-Droid".
To me, the question is not even relevant. Whatever the quality of f-droid,each use should be free to decide if they want to use it or not without Google having a life or death choice on the app that you want to use.
Why would one make this claim
Because Google is suggesting that "malware" is a motivation/reason/justification for their new "sideloading" policy
It can be useful to show that Google's alleged justification is bogus
Google themselves have mentioned that about half of all malware is installed through their Play Store.
The freedom of installing whatever you want indeed brings more opportunity to come across malware, but as long as you lose the freedom, it's up to Google to decide which apps are "safe", which are not. Google will be the only, sole source of apps, they control everything.
It's not about immediate safety, it's about safety in the long run.
Yes, software on F-droid is free and reviewed for anti-features before publishing. Google Play has the worst, ad ridden, dark pattern filled, data guzzling, subscription packed, commercial slop with no real oversight on what gets published. Malware frequently gets on the Play Store, never heard of it being a problem on F-Droid.
Google is a malware services company. They profit when malware OBS is the first search result when you search for OBS.
I don't even understand how this is an interesting or relevant point. "Can I install what I want on my service how and when I want" is the end of the conversation.
Regardless of its origin, its usage in context clearly implies it's supposed to be understood as a non-standard, non-default process. Making preferred software design choices feel like defaults, or making preferred app or distribution ecosystems feel like default is the product of extraordinary and intentional effort to set expectations, and so I don't see it as an accident that the nomenclature would be used for the purposes you describe.
I did make a comment in this thread about the historical usage of the term sideload, although for my purposes, I was noting a historical quirk frim a unique time in the history of the internet rather than disputing any premise in your post. It was the first and only comment at the time I posted it and I was not anticipating such an unfortunate backlash that seized on terminology for the purpose of disputing your point, or for otherwise missing your point.
But it is indeed missing the point. Requiring developer registration to install is exercising a degree of control over the software ecosystem that's fundamentally out of step with something I regard as a pretty important and fundamental ideal in how software is able to be accessed and used.
Hey, I hope you have a nice day. F-droid is one of the communities which was really a key role in, what open source project should I recommend if given the power to, for people to gain maximum impact on, and f-droid was one of the tops in that charts, so much so that I really tinkered with android apps creation with rust/tauri just to create an android app for f-droid (building android apps is hard I must admit, which makes my appreciation for apps on f-droid even more lovely)
> You have the right to install whatever you want on your computer, regardless of whether that computer is on your desk or in your pocket. That's a hill I'll die on
I feel like there are some phones, I will say my honest experience, I had a xiaomi phone which required me to unlock the bootloader for me to root it/ remove the spyware that I feel it has, I never felt safe really (maybe paranoia?) but I wanted an open source operating system on it and that required me to unlock my bootloader
Which required me to create an MI Unlock / MI account which then later required me to open up a windows computer and try to do things with the windows computer
I didn't have a windows computer, I am a linux guy and I didn't want to touch windows and I tried any option available on linux (there was a java thing and some other exploit too but both failed)
Later, I tried to actually install win-boat and tried to install the mi tool in it after so many nights of work and I tried and it actually opened but it asked me for the otp to sign up but I don't know if I overwhelmed their system or not but their OTP just straight up didn't show on the phone's sim I had registered on.
That OTP not coming after 5-6 tries, I am not sure if they had detected it was win-boat or what, but idk, that effectively locks me out of ways to unlock the device and remove some spyware functionality I think it has.
I feel like this case made me feel as if although I had a device, it feels like a license when you think about it. This is true for many other consumer devices as well and thus, people accepting the fact that their devices have become similar to licenses, not hardware which they own, but rather software which they rent
> I'm dismayed to see that this sentiment is not more widespread in this of all communities.
I feel like your message is in the right heart, and its honestly okay, sad even, that some part of the community didn't respond to your message in agreement.
But Honestly, please don't lose hope because of this, You and people/foundations like f-droid,linux etc. inspire a sense of confidence for a good future while actively working on it. I was thinking of trying to host some f-droid mirror but I didn't personally because I was a little skeptical of getting any notices or anything after the f-droid team had created a blog post about something similar.
Also one thing, I would try to tell you is that you are trying your best. And that's all that matters. What doesn't matter is the past or the future or how the community responds but rather doing what you think is right with correct intentions which I think you do a perfect job in.
Doing the right thing can be difficult but maybe in a world where doing the right thing isn't rewarded as much in even mere appreciation or sharing the sentiment whereas doing the wrong thing is financially rewarded. its a complicated world we live in, but hopefully, we all can try to make it a little more beautiful for us and our future generations by trying to do things the right way no matter how hard they are, just because its the right thing.
I may speak these things but I myself regularly contradict these. So I don't feel the best guy speaking this stuff but I just want to say that f-droid really means a lot to me, a recent example is how I ditched that xiaomi phone, used my mum's old moto phone, tried to install termux from playstore but it couldn't download for some reason from play store because it was android 8 yet theoretically it should work, but I then opened up f-droid and installed it from there and I am running a termux/gitea server on it now :)
Please, have a nice day, F-droid/you deserve it, I just hope that you recognize that there are people's lives that you have touched (like my termux thing and there are countless other stories as well) and how impactful the project is.
Lets use this comment as a way to show our appreciation to f-droid in whatever ways it has touched our lives and how effectively google's recent moves are really gonna impact f-droid/ hurt us as well. How I wouldn't have been able to run git server on my phone if it wasn't for f-droid and so much more.
>You have the right to install whatever you want on your computer, regardless of whether that computer is on your desk or in your pocket. That's a hill I'll die on. I'm dismayed to see that this sentiment is not more widespread in this of all communities.
agreed, but i'm not going to die on any hill. i don't see much point in this discussion, these corps will do whatever they like. for me it is simple: iphone never was an option precisely because of this reason, and i've been quite content with android, but i don't think my current smartphone will run android for much longer, and the next one will definitely not.
Very curious what you expect to move to. The market outside those options is extremely limited.
it is, but i'm willing to compromise. grapheneos can be an option for a while, ultimately a linux phone. worst case i can settle with 2 phones for a while, one cheap/old stock android exclusively for the bank and such, another one for everything else.
it's also a long run, the way things are shaping up i don't expect alternatives to become mainstream but nevertheless getting improved support over time.
if we indeed end up in a situation where there is no viable alternative then screw that, i might as well go completely off grid.
It’s a hill you don’t have to die alone on!
I too am flabbergasted at the utter lack of integrity some show and vocally proclaim in this of all places… corporate shills every last of them.
There is a lot of money to be made in locking down Android and iOS. We should be surprised if companies like Google and Apple are not spreading lies and trying to decieve the public.
No morals can be expected from publically traded companies. Finding a "PR firm" willing to do the lowly dirty job of going on HackerNews, MacRumors or wherever people are and blatantly lie and make stuff up shouldn't be too hard either, I can imagine.
Another supporter here, chiming in to let you know you're not alone on this hill.
Sorry about this. This hairsplitting is common on HN comment threads. We lose track of the main theme and nitpick at great length on some word.
.. A grateful F-Droid supporter and user.
Have to constantly remind others (and myself!) at work that "we aren't focusing on that right now, that's not what this conversation is about". Technical minded people seem to have a real problem of missing the forest for the trees.
[flagged]
> In general HN skews towards an incredibly privileged and spoiled crowd
> This poem sums up most of HN's politics on control structures.
Please let's not have these sweeping generalisations about the HN community or this grandiose "first they came" rhetoric. The HN community is a bell curve like any other large group of people. All the evidence I see from looking at the discussions for hours each day is that it skews left-libertarian - i.e., supports individual freedoms and opposes government and corporate authoritarianism. This is what you would expect from a cohort of people dominated by technology employees and freelancers, of whom most are deeply supportive of the principles of open-source software and the freedom to do what you please with your devices. It also includes huge numbers of people from different places around the world who are not at all "privileged" and "spoiled". Of course there will always be exceptions in a large group of people – or really, the other end of the bell curve. But this broad-strokes characterisation of the HN community as a whole makes no sense at all.
The guidelines ask us to do better than this, in all these different ways:
Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes.
Comments should get more thoughtful and substantive, not less, as a topic gets more divisive.
Please don't fulminate. Please don't sneer, including at the rest of the community.
Eschew flamebait. Avoid generic tangents. Omit internet tropes.
https://news.ycombinator.com/newsguidelines.html
put a fork in it, it's done,almost! android that is. linux phones are comming up fast, and will be set up to run the droid apps we like. but big props to fdroid just used "etchdroid" to transfer a linux iso to a thumb drive and boot a new desk top, and if I get a few bucks ahead I will buy a dev board from these guys https://liberux.net/ flinuxoid?, flinux?
Linux phones are...what? Oh, just like Linux won the desktop. Never mind.
As far as I'm concerned, it did. Linux is far and away the best OS for my needs so I'll keep using it.
Did it "win" more of some metric of perfusion / capital versus the other big two? Perhaps some, mostly not. Who cares. The market is dumb.
What matters here is whether the capability exists at all. When it comes to phones, I'm still leery about linux. Support isn't quite wide enough and for a device that I need 110% reliability out of we ain't there yet.
I do know one thing - the effects of closed ecosystems that caused 99.99999% of servers to use linux, will eventually come for interface hardware. Companies have periodic bouts of psychosis that make their walled gardens inherently unreliable. It's just a whole lot slower in a realm that doesn't iterate at web-speed. Will that mean everybody uses linux phones in the future? Of course not. But I do hope it will mean I get to put my own phone together with an OS I own, someday. That would be an unequivocal good.
> linux phones are comming up fast
How much does it cost to build a barebones phone that (A) runs tuxracer and (B) makes phone calls? Librem: almost as much as an iPhone. PinePhone: You have to travel to the moon to find one for sale. FLX1: Not for sale yet (so PinePhone 2.0)
Maybe when I can buy a $100 barebones board that I can hook some AA batteries up to and make calls, and develop a little flappy bird clone, people will take notice of the market. As long as every Linux phone is some dude with too much money in his pocket thinking he'll make the next Android, it's not going anywhere. Even with tech nerds.
Google really knew what they were doing by hiring Marc Levoy. The Google camera is the only thing keeping me from getting something other than a pixel phone.
Google camera is not exclusive to Pixel.
It was ported[0] by enthusiasts to literary almost every Android phone. I have it on my $100 Xiaomi.
[0] https://xdaforums.com/tags/google-camera/
I agree with your point about "install" vs "sideload".
> Google’s message that “Sideloading is Not Going Away” is clear, concise, and false
Given your(and my) definition, this statement is false. Google isn't taking away sideloading, you can still use adb. I'd say using adb to load an apk from another device is the proper use of "sideloading".
What Google is doing is much worse, they are taking away your ability to _install_ software.
And yes, HN loves splitting hairs. But if it wasn't for the hairsplitting, there probably would be be much discussion. Just most people agreeing with you and a few folks who would prefer to give up freedom for security.
I agree it's a pointless distraction, but it's a distraction you instigated by trying to language police your own supporters. I and most others who use the term sideloading don't use it because we want to make sideloading "feel deviant and hacker-ish", we use it because it's the commonly accepted term for installing apps outside the app store. I'm open to alternative phrasing, but "direct install" doesn't work because installing apps from F-Droid isn't a "direct install" and "installing" doesn't work because that doesn't distinguish from installing from the Play Store. "Sideloading" is simply the correct word, and I've yet to see a better alternative. There's no reason to be ashamed of it, or accuse people of being part of some conspiracy for calling it that.
If anything, the fact that Google feels the need to disingenuously argue "sideloading isn't going away" suggests to me that the term sideloading has a good reputation in the public consciousness, not a negative one.
Let's just focus on the fact that Google is trying to take away Android users' ability to install software that Google doesn't approve of, and not stress so much about what words people use to describe that.
Because Google isn't trying to prevent installing, just "sideloading".
This comment is funny because you have defined these words to be as such
You have defined installing to be specifically from play store and sideloading as everything except it.
Google isn't trying to prevent installing, just sideloading works in this sentence because of what you have already defined but you are using this sentence in defense of that....
As OP stated, installing can mean on debian as an example, installing from both apt or either tarballs. Both are valid installations
So it is the same for google/android as well yet google is trying to actively prevent one part of the installing or make it really extremely hard to do so.
It is a dangerous precedent. And I would say that it severely limits what you mean by installing.
I got an PC, and I got internet connection, usually it isn't trying to prevent what I install if I am on linux.
Yet I am on android and earlier it used to do the same but now its a slippery slope where it either requires me to use adb or keep another device at me at all times if I ever want to install software on it.
Not because its not that these phones can't do it, In fact that they already do but they are removing it, simply because they can.
No, that is not the definition I was using. "Sideloading" is a subset of installing, not disjoint from it. If Google were to prevent installing, it would prevent sideloading, but it would also prevent installing from the Play Store, which clearly they don't want.
It's a very dangerous precedent, but one that's difficult to discuss without having a name for the kind of installing that Google is trying to prevent.
This is why this specific definition is problematic: both "sideloading" and "install from Play store" are subsets of "installing".
If one limited the ability to "install from Play store", while keeping the ability to "sideload", would you say it's fair to say "installing is restricted"?
Yes, just as if one limited the ability to "sideload", one would be restricting installing.
“Install from play store” vs the unspecific “install”, obviously.
Neither of those is a name for the kind of installing that Google is trying to prevent.
I feel like although sideloading could be correct term maybe but at the same time as the author stated, people might refer something shady to something which is a genuinely normal part, maybe even more safer when you download from f-droid compared to play-store
I feel like you are having this discussion in good faith which is really nice but I just feel like saying that google is oppressing other open source appstores or just using the word installing and later clarifying can make the people feel about how dangerous it really is.
Let me be really clear. If Google can prevent sideloading and the only feasable way for 99% users is their play store which uses their policy terms which can be ever changing, chances are, that they can also prevent people from downloading your app, and can remove your app etc. as well so they can very definitely prevent installing in general as well
The only escape hatch is maybe adb but please, for the 99% of use cases, I doubt how many people would operate a computer open up the terminal and try to use adb or other scenarios, but in all ways, I think that speaking of it as an installing itself isn't so bad after all.
If Google can genuinely go ahead and do this, it would definitely prevent installation of certain app in and in of itself because play store is also controlled by google and they can also remove/prevent apps installs from there too.
I would still recommend to you / the community to say it as an installation as earlier I was also used to saying sideloading but it was only while writing this comment when I realized of how google can actually prevent installation from play store as well since they own it, its an effective lock/restriction in installation itself for all purposes.
Have a nice day.
Ultimately the only escape hatch is to build hardware that isn't dependent on Google, then stop being dependent on Android, which is what Huawei has done. https://news.ycombinator.com/item?id=45721022 goes into more detail.
If anything, it's the playstore which is a side channel and the website of the software producer the main one.
That's a good point.
I hereby name the thing that Google wants to allow "supplicating an app(lication)". Installing puts software on a device. Supplicating asks Google for an app, and maybe it gets installed.
> why do you need a term to distinguish from installing from the Play Store?
Because the Play Store is a proprietary ecosystem that's being often used as a political tool.
If Google starts to ban alternative stores then Android will fragment and much of the world will move to Chinese alternative OS's.
I don't know, why do we need a term to distinguish brown from dark orange? The term emerged organically because the built-in app store is the most common way to install apps on mobile phones (and the only way on iOS), but on Android you can also install apps from other sources without needing Google's permission so people came up with a catchy name for that.
It's convenient because now we can say "Google is killing sideloading" as a very succinct way to describe what's happening when we're arguing against it. "Blocking users from installing apps not approved by Google" works equally well but is a bit more wordy. I personally prefer the latter because I think it's a little more precise, but trying to imply people have to phrase things that way or they're part of some conspiracy does nothing but alienate your supporters and distract from the real issue.
Hey, question. While I'm also miffed about Google's decision and see your point about the term sideloading, there is another elephant in the room you seem to not be addressing here.
You write:
> “Sideloading is Not Going Away” is clear, concise, and false_
But isn't Google saying that you will still be able to sideload via ADB? Which would mean their statement is true, and that your claim that Google's statement is files is itself false?
I'm so confused why you never even mention ADB or its relevance to sideloading, which they refer to rather explicitly in their blog post. At the very least, if you think ADB doesn't change anything, you could mention it and say so. Could you explain this seemingly critical omission?
Forcing ADB may as well be a ban, if you don't see that, you're pretty out of touch with consumers. Sideloading is already hard enough for many, forcing the use of an extra computer, a dev tool in the CLI, and dev mode is way way outside what people will do
Also if the majority of sideloaders go away because it's become more difficult, what will happen to the development scene? Will it stall out from lack of developer interest because there's such a small audience compared to before? (Despite it still being possible.)
I see googles actions as lashing out at everyone because theyre being attacked for their monopoly activities.
They want to punish customers for electing regulators who care about consumer protections.
This is large scale abusive boyfriend behavior, doubling down.
Anyone who defends google/Android has been heeled in fear.
There's no spite or emotion, it's a company. They want to kill NewPipe etc. to force everything through apps they control and can monetize. It's just about money.
You could make a glossy PC client around it. On the meta quest there's an app called SideQuest that does just that because meta doesn't permit apps to install other apps. It's still a fairly big thing there.
I'm happy about the adb loophole, but I'm worried this would be just the start of the slippery slope, and Google would find a way to lock down adb next, citing the risk of malware sideloaded by fancy tools wrapping adb, once they start popping up.
The number of people that don't even own a general purpose computer is huge. And for those that do, ADB is a ridiculous thing to get setup for a particular device. I get paid to work on android software, and I don't even want to put up with the hassle.
Yes. And a bigger question is, why should I have to? This is a perfectly functional computer, it is more than capable of downloading a file and running it.
It's really sad that Apple and Google (and to some extent MS though they're just behind in this race to the anti-consumer bottom) happened upon this "solution to malware" (note: not a real solution) of "OS vendor vets and controls all software." It's a lazy way, it's an ineffective way, and it has made computers - incredibly flexible, programmable devices - more like cable boxes or telephones from past decades, that you had to rent from a monopolist and had no control over.
you don't need a computer to run adb. there's install with options
For now
As I understand it, the delivery mechanism won't matter: Play Store,ADB, F-Droid, Bluetooth, or website. If the APK isn't signed by a Google-approved developer, it's not going to install.
If there's some ADB command that one can issue to install unsigned APKs for now, it's a temporary reprieve at best. Two Android versions later, the update from Google will read "Only 0.02% of users installed apps using adb, but the corresponding malware incidence rate was 873% more than the Play Store. Due to the outsized risk, we're disabling adb installations going forward"
No, that adb command is how you test install things. They wouldn't want to force public uploads to Play just to test.
Not so. The new mandate isn't that all APKs must be uploaded anywhere, only that all APKs must be signed by approved developer keys. So to test new builds, devs will only have to sign with their approved key, then upload. No extra hassle once you already have an approved key.
I'm not sure it works that way. _In general_ before the recent announcement you are supposed to sign the debug build (what you feed into adb to install) with your debug key that's different from the release nor upload key, and the debug key is never submitted to google.
Of course _maybe_ at some point google will also force you to submit your debug key to them. But I don't believe that's the case now.
Sure, you would test-install apps via any delivery method of your choice, including USB-C cable or WiFi, after Google attests that your test-app signature is whitelised[0]. After all, there is no legitimate reason[1] to not sign your app, since you want it to closely match the distributed version as much as possible, and there won't exist unsigned distributable apps.
0. Developer has valid signatures and in Google's good graces, and application hasn't been installed on more than 16 devices
1. Oh, you CI/CD signing infra won't let you? You better fix your workflows to match the Google way.
They could go the apple way and sign an annoyingly shortlived cert.
adb is a developer tool. You need a tethered and trusted computer to be able to transfer an app using adb, and you need to enable "developer mode" on the device, which is an arcane dance that involves navigation through an obscure tree of settings and then quickly tapping a mystery spot 5+ times. Google can't block adb, because that is how Android apps are developed and tested, just how Apple cannot block their developer tools from being able to transfer apps onto an iPhone.
This is so far from a realistic and acceptable substitute that I question the honesty of anyone who claims that "adb will still work, so no problem!"
I hope that explains my seemingly critical omission.
> just how Apple cannot block their developer tools from being able to transfer apps onto an iPhone.
If I recall correctly (I might be wrong, because this was 10+ years ago), but Apple did exactly this when the iPhone was first released. When the iPhone first came out, Apple released its XCode devtools for free, including an iOS emulator that you could use to test your iPhone app. But you had to pay a $99 USD per year "developer program" free in order to use the devtools to test the app on your physical device.
If Google is also blocking preventing you from loading your own software onto your own phone with adb unless you pay a free, then this would be a very important thing to call out explicitly.
You recall correctly, but that did end in 2015, when Apple ended the requirement that developers sign up for their paid developer program to be able to develop and test iPhone apps. I've written about that elsewhere: https://appfair.org/blog/gpl-and-the-app-stores#fn:3
The adb workaround for Android is essentially on par with being able to use Xcode's tooling to install apps on an iPhone: technically possible without paying a fee, but enough friction that no one would seriously consider as an alternative solution for publishing their apps to a general audience.
[dead]
I think your position is valid.
Note: Apple restricts apps uploaded with Xcode, (depending on how it is signed I believe) to 7 days or 1 year. adb currently doesn't have this limit.
But what if they find that somebody made 'sideloading' 'too easy' again. E.g. somebody could come up with the idea of running adb or an adb emulator on another phone, or even a small hardware dongle, integrating it with a pretty UI that looks like a regular app shop. Then their currently proposed new rule would become ineffective and due to whatever thought process they arrived at their current conclusion, could place similar limits on adb.
The reason for its omission should be obvious. First, most people who "sideload" apps do not have ADB installed, and may not have the technical knowledge to do so. Second, the ability to do so can be taken away just as arbitrarily as the right to do so without it.
Perhaps the author is speaking purely from a "consumer" point of view, rather than developer/pro types who of course can bypass restrictions using common dev tools.
I believe f-droid strives to be a simple platform of from-source builds for non-Googled apps that anyone can use.
Can you provide supporting evidence? A place where they say Sideloading is now becoming ADB installing?
This is what they say in their blog post:
You will continue to be able to build and run an app even if your identity is not verified. Android Studio is unaffected because deployments performed with adb, which Android Studio uses behind the scenes to push builds to devices, is unaffected. You can continue to develop, debug, and test your app locally by deploying to both emulators and physical devices, just as you do now.
If you see a loophole in the clear argument they're making there, I'd love to know. I don't see any obvious ones.
I'm just not sure people have been referring to that method when saying 'sideloading' and Google didn't mention sideloading specifically there.
This is what they say in the quote this article is about:
"Does this mean sideloading is going away on Android?
Absolutely not. Sideloading is fundamental to Android and it is not going away. Our new developer identity requirements are designed to protect users and developers from bad actors, not to limit choice. We want to make sure that if you download an app, it’s truly from the developer it claims to be published from, regardless of where you get the app. Verified developers will have the same freedom to distribute their apps directly to users through sideloading or through any app store they prefer."
In this paragraph they don't mention ABD at all similar to how in your paragraph they don't mention sideloading.
I see, wow. That's such a frustrating lack of clarity on Google's part and (consequently?) those responding to the blog post...
As far as I now, historically, "sideloading" has always meant "installing from some mechanism other than the Play Store", and everyone has been referring to adb-based installations as "sideloading" as long as I can remember (example [1]). If Google or others don't call using adb sideloading, then I have no idea what they would call it, and I'm thoroughly confused.
[1] https://www.xda-developers.com/how-to-sideload-apps-android-...
TVs are an entirely different class of sideloading than Phones.
Not only will sideloading via ADB continue to work, installing from most other third-party app stores will continue to work. The developers on the Amazon, Samsung, and Epic app stores won't have a hard time with the developer verification process. F-Droid is in a uniquely inconvenient position that they have a legitimate app store, but its design causes them to have a hard time with developer verification.
> won't have a hard time with the developer verification process
Unless any government powerful enough has reason to make Google reject developers. Hell, doesn't even have to be a government. Do anything that annoys Google, goodbye rights for your app to be installed on any Android. Why would you ignore the obvious and main caveat? It doesn't matter what store it "continues to work on". Google can revoke privileges overnight with little to no recourse for the developer, regardless of the merit of such action, the usefulness of the app, or how much people want/need that app. This is literally heading in the direction of Kafkaesque.
F-Droid is also the only one that does reproducible builds which is a big security feature. One that is precisely the cause of making this hard. But it also makes it safer than even the play store. It should really be accommodated.
>But isn't Google saying that you will still be able to sideload via ADB?
No, it will not. Nothing will install an application without a Google approved signature on it. They will remove ad blocks from your Android and you will like it. "The beatings will continue until morale improves" sort of behavior.
I'm hopeful that the mystery OEM that GrapheneOS is targeting is in fact Sony Xperia. If it isn't, I'm just going to stop carrying a smartphone when all my installed apps stop working on it.
> No, it will not. Nothing will install an application without a Google approved signature on it.
How do you interpret this then:
>> You will continue to be able to build and run an app even if your identity is not verified. Android Studio is unaffected because deployments performed with adb, which Android Studio uses behind the scenes to push builds to devices, is unaffected. You can continue to develop, debug, and test your app locally by deploying to both emulators and physical devices, just as you do now.
Isn't that the opposite of what you wrote? What am I missing?
I interpret that as you will be able to install an unverified app. And you will get the annoying unverified app screen every time you launch it. And it will very likely be crippled in other ways, as it is unverified.
>Lando: But that wasn't our deal!
>Vader: I have modified our deal. Pray I do not modify it further.
I think it's better to shut down the project. I used to contribute to privacy projects, but then after being slandered for damaging youtube's "creators" by blocking the trackers, I realize that people enjoy getting f*cked by google and enjoy shilling google collecting personal data. So I stopped, it's better for my mental health and I have more free time for myself.
That's just the price of developing open source software. People will complain. Don't worry about the people who don't want to use your software. They can make their own. You should only consider stopping your own project when there is a better alternative.
> Splitting hairs about the origin of the term "sideload" does not change the fact that those who promote the term tend to do so in order to make it feel deviant and hacker-ish.
That is not a fact, that is your opinion. Lots of people say "sideload" without trying to convey such negative meanings. For better or for worse, the term has entered the common lexicon and I very rarely see it used with negative connotations attached to it.
> Lots of people say "sideload" without trying to convey such negative meanings
Sure, but they effectively do even if they're not trying to. It comes off like you're up to no good or doing something dangerous. Like GP said: deviant.
>Sure, but they effectively do even if they're not trying to.
What specific acts are referring to? Is it just their recent plans to restrict sideloading? This feels circular. "Google is evil because they're trying to restrict sideloading. They're also extra evil because trying to demonize sideloading. How? By restricting sideloading!"
>It comes off like you're up to no good or doing something dangerous. Like GP said: deviant.
Yes, but only insofar as if you're not taking the primary route, you're taking the "side" route. Or you're "deviating" from the intended route. None of that actually implies you're a "deviant" for doing so, any more than a driver taking side streets to shave 30s is a "deviant".
I think the recent push to restrict "sideloading" made people realize that the term itself helps Google frame it to normies as a fringe, non-standard thing that needs controls around it. When in reality you're just installing software on a device.
>I think the recent push to restrict "sideloading" made people realize that the term itself helps Google frame it to normies as a fringe, non-standard thing that needs controls around it.
No, it made all the pro-sideloading people (for lack of a better term) find any reason to hate google even more, including flimsy arguments about how "sidleoad" is some sort of sinister psyop. I still haven't seen any evidence to suggest "sideload" has any negative connotations to the average "normie", beyond its meaning of "install from third party source"[1]. All I've seen are endless speculation that it's a google psyop in techie/hacker[2] circles, like this post.
[1] see also: https://news.ycombinator.com/item?id=45738997
[2] as in "hacker" news
There's been a concerted effort by smartphone manufacturers to demonize side loading explicitly for some time now. This is actually about code signing rather than sideloading, so it's kind of funny that we have this sub thread that's explicitly about the term sideloading, but regardless, that term has been demonized by Apple.
https://www.apple.com/tr/privacy/docs/Building_a_Trusted_Eco...
instead of sideload you could use the more correct term "install software on a device you own without permission from Google"
> those who PROMOTE the term
> Lots of people SAY "sideload"
It's almost like you didn't read the post
I think the verb "promote" was chosen over "say" here very deliberately
[dead]
[dead]
Is there no line, in your opinion? At this point, there are computers (many of which run variants of Linux in many cases) in my:
1. Laptop
2. Phone
3. Car
4. Washing machine
5. Handheld GPS
6. E-reader
7. TV
Is there some intrinsic different between a device where the manufacturer has programmed it using an ARM/x86-based chip vs a microcontroller vs some other method that means in the 1st case I have the right to install whatever I want? Because that feels like what's happened with cell phones: manufacturers started building them with more capable and powerful components to drive the features they wanted to include, and because those components overlapped what we'd seen in desktop computers, we've decided that we have an intrinsic right to treat them like we historically treated those computers.
For everything on that list, I'd say that if you figure out how to run software of your choice on them the manufacturer shouldn't be able to legally stop you. (And specifically, the anti-circumvention clauses of the DMCA are terrible).
Phones get a lot of attention in this regard because they've replaced a large amount of PC usage, so locking them down has the effect of substantially reducing computing freedom.
This is sort of delightfully circular?
> I'd say that if you figure out how to run software of your choice on them the manufacturer shouldn't be able to legally stop you.
That's already the case. The manufacturer can't come after you for anything you do to your device. They can:
1. Set up their terms of service so that things you do to alter the device are grounds for blocking your access to cloud/connected services that they host on their infrastructure
2. Attempt to make it difficult to run software of your choice.
3. Use legal means to combat specific methods of redistributing tools to other people that compromise things they do in number 2.
There is already a widespread notion of "general computing" device.
For all intents and purposes, a laptop computer and a smart phone are one. This is, for example, evidenced by the fact we run general purpose "applications" on them (not defined ahead of time), including a most general app of them all (a web browser).
For other device types you bring up, I would go with a very similar distinction: when you can run an open ended app platform like a browser, why not be able to install non-browser based applications as well? Why require going through a vendor to do that?
"why not" isn't a compelling case for something to be a fundamental right.
I'm not saying I dislike the concept of being able to run my own code on my devices. I love it. I do it on several devices, some of which involve circumventing manufacturer restrictions or controls.
I just don't think that because manufacturers started using the same chips in phones as computers, they magically had new requirements applied to them. Phones had app stores before they were built using the same chips. My watch lets me install apps from an app store.
You've asked for an intrinsic difference between a class of devices: no, you are unlikely to want to run general purpose apps on your washing machine. Yes, you are likely to do so on your smart phone. Probable on your modern "smart TV". Low probability on your eReader.
Legislation like EU Cybersecurity Act hopefully pushes things into more of a fundamental rights thing by demanding that devices don't go into the trash pile as soon as the vendor stops issuing security updates by mandating an ability to keep operating these devices without negatively affecting Internet at large (by, for example, becoming a part of a botnet).
This is already possible with many general compute devices by putting a version of up-to-date GNU/Linux or FreeBSD or... on it. And for a smaller subset of GC smartphones, with AOSP-based Android.
I'm not asking for an intrinsic difference: I'm suggesting that if "I can install custom applications/code on this device I own" is a fundamental right, there would need to be an intrinsic difference. My personal opinion is that there is not an intrinsic difference. That "I want to do it to these devices and not those" can't be the justification for it being a right that I'm able to.
To counter your claim, I've tried to explain what that intrinsic difference is in my previous comment.
I am not sure if you are disagreeing with me or ignoring my point :)
The only one that sounds potentially harmful is the car and in that case I think it should have to meet emissions standards and prove you aren't running a defeat device but like... Yeah. I should be allowed to run my own infotainment system that doesn't crash and doesn't spy on me
I'd like to be able to install my own software on all of these
I'm not asking what you'd like to do. I'd like to be able to customize all of those things too.
I'm asking why taking a device that uses a microcontroller and making a new model with an ARM chipset and a Linux-based OS seems to suddenly make people treat the ability to install custom software on it as a fundamental right.
If I own it, regardless of if it's Linux or ARM based, I should be able to install things on it.
Video game consoles?
Good catch. They are similarly noteworthy to phones: there are all kinds of projects and tools built around making custom and modded games for the Gameboy, or hacking the NES, but there wasn't a movement saying Nintendo was violating our fundamental rights by not allowing users to overwrite or modify the code inside the actual console.
Then consoles started shipping with recognizable internals, and we had waves of people very frustrated at things like Sony's removal of OtherOS, or Nintendo's attempts to squash the exploits that enabled Wii Homebrew.
Yes, you absolutely should have the right to install (or uninstall) whatever software you want on any of those, assuming it contains writable program memory. The alternative is a nightmarish dystopian future where your washing machine company is selling its estimate of your political inclinations, sexual activities, and risk aversion to your car insurance company, your ex-husband, your trade union representative, and your homeowners' association.
I thought I had this line, but I imagined if my credit card had writable program memory, I'd be fine with a third party preventing me from using it for its intended purpose if it wasn't trusted there. There must be some purpose for my own good for preventing me from writing to my own program memory, and I should be able to void this purpose if I deem it worth it.
Likewise, I'd be fine with banking apps on phones requiring some level of trust, but it shouldn't affect how the rest of my phone works so drastically.
Why would your credit card need to act against your interests? The only thing it should be doing is signing transactions to signal that you approve. The credit card company has their own computers that can be consulted to ask them if they approve a transaction. They don't need one in your pocket. They can rent a rack in a data center. It's not that expensive.
Similarly, the banking app on your phone should be representing your interests, 100%. It may need to keep secrets, such as a private transaction signing key, from your bank or from your boyfriend, but not from you. And it definitely should not be collecting information on your phone against your will or without your knowledge. But that is currently common practice.
Why?
My washing machine could be programmed to do all of those things you're worried about without any writeable memory. Why does the parts the manufacturer puts into it turn it from an appliance that washes my clothes to a computer that I have a right to install custom code on?
The principle is that the owner should have full control of their own device, because that's what defines private property. In particular, everything that the maker can make the device do must be something that the owner can make the device do. If the device is simply incapable of doing a certain thing, that might be bad for the owner, but it's not an abrogation of their right to their own property, and it doesn't create an ongoing opportunity for exploitation by the maker.
Maybe in theory your washing machine could be programmed to do those things without writable program memory. Like, if you fabricated custom large ROM chips with the malicious code? And custom Harvard-architecture microcontrollers with separate off-chip program and data buses? But then the functionality would be in theory detectable at purchase time (unlike, for example, Samsung's new advertising functionality: https://news.ycombinator.com/item?id=45737338) and you could avoid it by buying an older model that didn't have the malicious code. This would greatly reduce the maker's incentives to incorporate such features, even if it were possible. In practice, I don't think you could implement those features at all without writable program memory, even with the custom silicon designs I've posited here.
If you insist that manufacturers must not prevent owners from changing the code on their devices, you're insisting that they must not use any ROM, for any purpose, including things like the PLA that the 6502 used to decode instructions. It's far more viable, and probably sufficient, to insist that owners must be able to change any code on their devices that manufacturers could change.
>Splitting hairs about the origin of the term "sideload" does not change the fact that those who promote the term tend to do so in order to make it feel deviant and hacker-ish.
Can you corroborate this? At least for me, the whole idea that "sideloading" has negative connotations only came up as a result of this debacle, and the only evidence I've seen are some very careful readings of blog posts from Google. The word itself hardly has any negative connotations aside from something like "not primary", which might be argued as negative, but is nonetheless correct.
>You don't "sideload" software on your Linux, Windows, or macOS computer: you install it.
Right, because those devices don't have first party stores. Windows and Mac technically do, as does some Linux distros, but they're sufficiently unpopular that people don't think of them as the primary source to get apps. Contrast this to a typical Android or iOS phone.
> Can you corroborate this?
I don't think this is so much a question of sources & corroboration as it is of language.
Regardless of the origins of the term "sideload", the language implies a non-standard practice. The prefix "side-" may be used in some software contexts to describe normal, non-deviant software, but only in cases where the software in question is considered auxiliary. In general, anything described as "side-*" is connoted to be surplus / additional / non-primary at best - adding that to the term "load" & the loading action itself is surplus/additional/non-primary. It's automatically considered non-standard.
> those devices don't have first party stores
This only supports the argument. If somebody felt an alternative term was required on Android because the first-party store was the primary source of software, the only reason they could have for needing such an alternative term would be to explicitly differentiate that alternative source as unofficial/non-standard.
>Regardless of the origins of the term "sideload", the language implies a non-standard practice.
Because it is non-standard. Like it or not, the intended experience is that you get apps from the play/app store, and for most people that's exactly what they do. This is a descriptive statement, not a normative one. Accepting it doesn't imply you oppose the freedom to run whatever code you want. The language of "sideload" or whatever is directly downstream of this. Just because google is using language that reflects the current state of affairs, doesn't mean they're engaging in some sort of sinister psyop with their word choice, as the OP is trying to imply.
> This is a descriptive statement, not a normative one.
It's both. It's not like "sideloading" is a part of natural language that just happened to evolve this way to describe the practice. The terminology was consciously chosen by the same people who designed the OS to describe it. The people who argue against using this term aren't doing it in some accusatory way, like "you use this term, therefore you're an evil brainwashed minion of the enemy", but rather by using language to not set up their argument on the enemy's terms, no matter how insignificant.
It's like how "jaywalking/jay walking" was popularized - the term itself was pretty crass for the time, the word "jay" conjuring thoughts of some kind of drooling, unintelligent yokel. Back when car infrastructure was still in its infancy, how would you argue that cars shouldn't dominate all streets and cities when the government- and industry-approved name for your action was literally "stupid walking"?
>It's like how "jaywalking/jay walking" was popularized - the term itself was pretty crass for the time, the word "jay" conjuring thoughts of some kind of drooling, unintelligent yokel. Back when car infrastructure was still in its infancy, how would you argue that cars shouldn't dominate all streets and cities when the government- and industry-approved name for your action was literally "stupid walking"?
That makes sense because as you said, "the word "jay" conjuring thoughts of some kind of drooling, unintelligent yokel". The same can't be said for "side", aside from vague accusations that it's not "official" therefore normies think it's bad, but I can't see how you can get away from that accusation without using meaningless phrases like "type 2 install" or whatever (though I'm certain that would get similar amounts of ire for being "second class citizens" or whatever).
Well, yeah, it's not nearly as extreme, companies have become much better at PR. Still, the insinuations of something being unofficial, unrecognized, unsecured, really half-unintended still paint a picture of how Google wants its software to be seen. Like, I have no doubts that if Microsoft decided to start locking down Windows PCs to the Microsoft Store (the "intended experience" that they probably already imagine for their model customers), the temporary bypass will be accompanied with a prompt like "DANGEROUS: Are you sure you want to enable Unsecured Mode? (Y/N)"
Do you sideload packages on a Linux computer? Do you sideload a game you purchased on GOG?
I'm using Android built-in Package Installer. That's not non-standard.
> the intended experience is that you get apps from the play/app store
Once again, this is the point.
> it doesn't imply you oppose the freedom to run whatever code you want
But it does.
Let's first look at what's good about "intended experience" & possible legitimate reasons to have a differentiation between "vendor-approved" 3rd-party apps & non-"vendor-approved" 3rd-party apps.
The connotation of an "intended experience" is that the experience is supported by the OS vendor. If you have issues with your experience, these are issues that can be reported & the OS vendor will endeavor to fix. Leaving aside the fact that Google has no user support to speak of, even if they did, this isn't something they would every offer for 3rd-party Play Store apps regardless. So 3rd-party Play Store apps are not doing anything for users to provide them with an "intended experience" that isn't equally available sideloading.
The only other legitimate reason to have a differentiation would be to ensure the user doesn't install malware. Play Protect currently does this with sideloaded apps, so once again there is no difference in the "intended experience" from the user's perspective.
If there are no legitimate reasons to differentiate the experiences, the only reasonable conclusion remaining is that they're differentiates to dissuade user freedom.
>Let's first look at what's good about "intended experience" & possible legitimate reasons to have a differentiation between "vendor-approved" 3rd-party apps & non-"vendor-approved" 3rd-party apps.
It's pretty obvious that they think the distinction is worth having because they can vet apps they signed, rather than random apks from the internet. You might think that's a flimsy justification, but that's not a reason to reject such a distinction exists at all.
>The only other legitimate reason to have a differentiation would be to ensure the user doesn't install malware. Play Protect currently does this with sideloaded apps, so once again there is no difference in the "intended experience" from the user's perspective.
That's purely reactive (you can't scan for stuff that you don't know about), and doesn't ensure identity validation. Again, you can argue how good those reasons are, but there's at least a plausible justification for it.
>The connotation of an "intended experience" is that the experience is supported by the OS vendor. If you have issues with your experience, these are issues that can be reported & the OS vendor will endeavor to fix.
When was the last time anyone got "support" for Android/iOS from Google/Apple? At best you have random forums that google/apple staff check once in a blue moon, if you're lucky.
Debian has had a "first party store" since the early 90s, and the truth is the diametrical opposite of "they're sufficiently unpopular that people don't think of them as the primary source to get apps". It's been almost the only way I install software (that I didn't write) on my Debian and Ubuntu machines since I moved to Debian. This is true of most Debian and Ubuntu users.
>Debian has had a "first party store" since the early 90s, and the truth is the diametrical opposite of "they're sufficiently unpopular that people don't think of them as the primary source to get apps".
Aren't those all considered first party apps? Sure, debian aren't the authors of nginx or whatever, but they're the people building, packaging it, and adding patches for it. It's a stretch to compare them to the play store or app store.
Apt has supported multiple sources since inception. Debian is not the only supplier.
Right, but those would hardly be considered first party. Just because it goes through apt, doesn't mean it's first party.
So is Debian the first party? Or the clone hosted by a university near you? You probably had a mirror there, not Debian's own host. Because they used to be the slowest.
It only goes through "apt the program", but apt is just serving as a method of installing a package, which is hosted on one of the configured apt sources.
Calling all software installed through apt "first party" is a wild stretch, since you can apply the same logic to git, wget, or a web browser. For instance, it would probably be correct to say that most Windows software is downloaded and installed through Chrome, but nobody in their right mind would claim Google owns the largest first party store for Windows.
No, it's not a stretch at all. The user experience is the same, except that Debian and F-Droid apps don't come with antifeatures built in. The only friction is around who to report bugs to.
>No, it's not a stretch at all.
For one, it doesn't contain non-free software, and therefore can't be the primary source of software. Maybe you're a Stallman acolyte who only runs free software, but that's not feasible for the average user.
The average user might have one or two non-free programs they depend on that aren't websites. Maybe AutoCAD, or Photoshop, or SketchUp, or Excel, or the driver for their oscilloscope, or Dark Souls. Everything else can easily be free software or webapps. So an "app store" that doesn't contain non-free software can be the primary source of software, and for almost all Debian or Ubuntu users, it always has been.
The average Ubuntu user doesn't even have those one or two non-free programs. After all, Autodesk doesn't provide a version of AutoCAD for Linux in the first place.
If you are running Linux non free software in the exception, not the rule. I myself can’t think of any that I run.
Try
Virtual Richard M. Stallman. This is hilarious, I'd never heard of this. Thanks for sharing.
No surprises on my system except for the firmware-intel-* packages. I thought those were free software? Must be binary blobs.
Yup. Which is why the real Richard M. Stallman has often used MIPS laptops.
> The word itself hardly has any negative connotations aside from something like "not primary", which might be argued as negative, but is nonetheless correct.
Android has an APK installer built in. Opening an APK file launches the installer and installs the application, just like opening an MSI file on Windows launches built-in Microsoft Installer and installs the application.
Google have gradually added impediments to this over this years, such as a requirement to toggle a checkbox in the settings to enable installation, and later some prompts about letting Google scan the package, but calling the system's built-in application installation mechanism "not primary" is absurd.
>but calling the system's built-in application installation mechanism "not primary" is absurd.
So you're arguing that because play store installs and random .apk installs both goes through packageinstaller, the concept of a "primary" install method doesn't exist?
If we're using "primary" to mean "first-party" (as in your original comment), then the system's built-in package installer is the most first-party of all, so it's definitely not "not primary".
If we're using "primary" to mean something like "most popular", then I don't see how the term "sideloading" would make any sense to describe "not primary". Are we side-commenting here, and side-submitting HTTP requests, because we're not posting to Facebook, the primary website?
Linux had "stores" long before android
Yeah, and they are the primary way to install software for nearly every distro that has them.
And even when people install software on their user's home only, we don't call it anything different.
It's correct to say that "sideloading" was created to emphasize it's a deviant activity. I believe it was created by the people doing it, when they discovered hacks that enabled them. But I wouldn't be too surprised it was created by the companies trying to prohibit software installation.
>Yeah, and they are the primary way to install software for nearly every distro that has them.
>And even when people install software on their user's home only, we don't call it anything different.
But even on Android the word used is "install". When you try to install an apk, the button says "install", not "sideload". "Sideload" is only used in the context of google's blog post, where it's there to differentiate between installs from first party sources vs others. This is an important distinction to capture, because their new restrictions only apply to the latter, so something like "installing isn't going way" wouldn't make sense. "sideload" captures this distinction, and is far more concise than something "installing from third party sources". Moreover this sort of word policing reeks of ingroup purity tests from the culture wars, eg. "autistic vs person with autism" or whatever.
Personally, the first time I hear that word, it was about video game consoles. Smartphones weren't popular at the time.
The AI says the term sideloading, apart from its origin, was used to describe loading music via USB without iTunes on iPods.
I view Debian apt as helpful. I view Apple App Store as limiting and controlling.
> Right, because those devices don't have first party stores. Windows and Mac technically do, as does some Linux distros
If you find yourself making a statement only to immediately contradict it, consider whether or not that statement is worth making at all.
Plus, I don't see how it is even relevant if a platform has a first party store when it comes to allowing the user to install software.
It doesn't, but that doesn't mean people can't call out disingenuous statements made by the OP. Posts can be directionally correct even if they contain errors, but the errors are still worth calling out.
Errors are according to you. According to me, they are not errors.
Maybe you should consider reading a few words beyond the passage you quoted, because the "contradiction" only exists with your selective quoting.
The contradiction exists because you wrote it. If you wanted to avoid having to write a false statement and then walk it back, you could've left it out and skipped straight to explaining why those platforms' first party stores don't count in your estimation. As I recommended.
"Sideloading" definitely has subpar connotations. Something you do which is not the "main approach". Let's be real here.
Exactly
The fact that we don't have root access to our phones is insane. This "sideloading" part is just the cherry on top of the dystopia we live in.
That's also a large part of the issue IMO. I currently _have_ root on my rooted and Lineaged Poco F3. But as hardware attestation is becoming the norm I am deeply worried about the future. I have been a pretty eager Android fan due to its achievable-if-savvy openness. If I lose root and sideloading, then Android is dead to me. There would be nothing valuable in it, just another corporate walled garden.
I have no idea what to do when they lock everything up. I just hope my bank app works with a non google phone.
My HSA just implemented some bullshit where even the web interface requires a near-new phone to even log in. For now I'm just switching HSA providers rather than buying a new phone. I'm also worried about the future.
Wow, what are they checking for, newer OS?
The result of this is very deep. Apple/Google effectively control what consumer technologies and services are allowed to gain traction.
main di jo777 seru banget sihhh, gapercaya ?? cobain aja langsung!!
As an iOS user who's been frustrated with Apple's approach to "self-loading" (i.e., running your own code on your own devices) and who's actually gone out and gotten Android devices to write PoC/PoV apps on instead, I really don't like Google's stance on this--even if I would not, at this time, choose to daily drive an Android device, I do rely on F-Droid for getting software on six or seven different devices _right now_ and they would be useless to me if I couldn't do it.
This year, I discovered SideStore on iOS, and its wonderful auto-refresh feature. Since then, I have written two iOS apps and am happily using them daily with zero issues. This plus the new Google announcement mean no going back to Android for me any time soon.
The existing comments here somehow display a big amount of discomfort with the semantics of the article, not so much with the points argued...
Dear F-droid, please edit your article to be technically correct so that HN can like it. All you have to do is change "coined" to "popularized".
Sorry, but "welcome to HN?" Commenters here regularly miss the forest for the trees, ratholing on minutiae and nitpicking one or two words in a 1000 word article. Often totally missing the overall point. We're notorious for it.
Perhaps when you comment on one little thing, its a sign that you agree with the article overall, but have one little nitpick.
It's not "sideloading". It's called installing software on your own device!
You know, this would be a fantastic time for Google to get their sandbox in order. If we need to do it like this, go ahead and create a secondary user, call it sandbox and let me install all my wild and unapproved apps there. SecureNet can automatically fail in Sandbox.
But I don't think they're going to do that, ultimately users who actually care about this are an absolute tiny percentage of the market.
And weirdos like us can always just import a Chinese phone that doesn't have mandatory Google verification crap.
> And weirdos like us can always just import a Chinese phone that doesn't have mandatory Google verification crap.
No, we can't. One of the first countries with that mandatory Google verification is Brazil, and we can't import phones which are not certified by ANATEL, they will be rejected by customs in transit.
I knew Brazil was kinda weird with tech import taxes but I didn't know they banned non-certified phones, jezz. Here in Chile they get disconnected from the cell towers after 30 days, but you just need register it^.
Do you know if the Brazilian gov or regulators asked for this first from Google or something?
^: It's less spooky than it sounds, any phone in Chile needs to be compatible with the natural disaster alert system.
Yes, Brazil doesn't allow the commerce of uncertified radio transmitters. It has been like that for close to a century.
If you are asking why the change is happening in Brazil first, the banks cartel met with google and decided to rely on that, for security.
With elections coming next year, and this being practically a "law" created in partnership with the banks cartel, this may be the time to make some noise about the change.
But the purpose of prohibiting sideloading isn't security. It's preventing of apps like NewPipe and Vanced.
But what would be the point when no one would bother writing an app for such a small user base?
So I can test my own apps on my own devices, or upload them to itch for other weird people.
I don't feel like giving Google a large amount of my personal information just so I can distribute free games. Why do they need a copy of my lease ?
The point parent is making, if Google makes it so difficult sharing the software with other people, who is going to make those itch-the-scratch software going through so much trouble?
We would miss out a lot of creative people making software.
Correct.
What I am saying is:
There is still a few points of course like being able to modify the base system. Just being able to say, kill the built in facebook is a quality of life improvement.
But it just feels like the benefits of a self owned phone os are going away even when you have it, because everything else changes around it and out from under it, so you don't get the functional benefit from it any more even when you have it.
You give up the use of things like tap to pay (would have been nice a couple times when I forgot my wallet) and drm content, hell, I can't use the stupid LG app that controls an air conditioner, and (increasingly) don't get something else important in return.
Today, there is still some benefit, because this latest change is only just now happening. I can use say, open source password manager and totp apps instead of google authenticator, and can use a pandora client that Pandora absolutely does not approve of, because the author doesn't need anyone's approval to produce the app and there is no choke point that Pandora can petition to block it. Hell why am I even talking about Pandora instead of Youtube and Newpipe? In what universe does Google EVER ratify the developer of Newpipe? (Wait, for that matter, what developer? what if there's an ever-changing fuzzy cloud of 20?) Or full-fat ublock origin...or countless other things whos sole purpose and value is to thwart some will of Googles? Or like the game emulator apps that Nintendo shuts down so aggressively, etc. Those ICE tracking or merely documenting apps. Countless...
Will those various authors still bother putting in the time and effort it takes to make these apps so good when only about 18 people will be able to use them?
I imported a Sony phone to the US because they don't sell it here, and no one else sells a current flagship with a headphone jack and removable sd card and high end cameras.
I successfully found and imported the phone, and got it working on a US carrier. Yay me. It's even rootable! Yay me. Yet I still can't run Lineage on it, because there is probably not a dozen other people like me to be an audience for Lineage on this hardware, and it's too much work to do for no audience.
The fact that today most phones are unrootable means that even if you somehow get around that, you still don't get the benefit because you're such a small audience that no one is producing say LineageOS for example for you.
My individual success bucking the system still did not result in me getting what I want.
Maybe so I can develop a service without forking over profit to a company that deserves none of it.
I haven't tested it myself, but as far as I know you can run ADB in the phone itself via Termux. Perhaps it's possible to make a wrapper that install apps from F-Droid with ADB? It would mean that you would only need to be tethered to the your PC once.
Obviously they'll eventually remove this because Google is hostile to things like ReVanced / some spook wants this power.
ADB using two Android smartphones and Termux (https://github.com/termux/termux-app):
* Search for "Smartphone-1 to Smartphone-2" "adb tcpip 5555" in "Motorola moto g play 2024 smartphone, Termux, termux-usb, usbredirect, QEMU running under Termux, and Alpine Linux: Disks with Globally Unique Identifier (GUID) Partition Table (GPT) partitioning": https://old.reddit.com/r/MotoG/comments/1j2g5gz/motorola_mot... (old.reddit.com/r/MotoG/comments/1j2g5gz/motorola_moto_g_play_2024_smartphone_termux/)
* Search for "termux-adb" in "Motorola moto g play 2024 Smartphone, Android 14 Operating System, Termux, And cryptsetup: Linux Unified Key Setup (LUKS) Encryption/Decryption And The ext4 Filesystem Without Using root Access, Without Using proot-distro, And Without Using QEMU": https://old.reddit.com/r/MotoG/comments/1jkl0f8/motorola_mot... (old.reddit.com/r/MotoG/comments/1jkl0f8/motorola_moto_g_play_2024_smartphone_android_14/)
It's not necessary to use two phones, see https://news.ycombinator.com/item?id=45740033
AFAICT it only works on non-rooted devices when used over USB to access another device, because without root it has no access to the adb server on the phone running termux.
I'm definitely not 100% sure about that though, so someone please correct me if not.
Just tested⁰, it works with WiFi ADB but it has some limitations.
- The pairing process is kinda awkward, you need to split screen Termux and the Wireless debugging submenu, if you change windows the pairing IP and code are changed.
- The pair survives a reboot and WiFi change. You can disable the 7day revocation, so the pairing process is a one time thing.
- After a pair you still need to connect (adb connect localhost:port) and the port changes after a WiFi change or disconnect. I searched for solutions and apparently it's simple as running nmap twice¹
- It obviously doesn't work without a WiFi connection (unless is there some dark magic to connect your phone to its own hotspot).
So a wrapper seems viable if you are ok only installing apps on trusted networks.
[0]: I'm on GrapheneOS but I believe the dev menu is the same.
[1]: https://www.reddit.com/r/tasker/comments/1dqm8tq/project_sim...
More googling, Shizuku² does this already in a polished way and exposes an API for other apps. Some related-ish apps are SAI³ (for installing split apks) and Canta⁴ (removing system apps).
EDIT: Even more googling, the whole setup already exists in Obtainium (i.e. F-Droid but with Github Releases) apparently so apps show up as being installed via Play Store and subsequently be usable in Android Auto⁵.
So hypothetically you can install stuff day one on a stock phone after this atrocity is turned on.
[2]: https://shizuku.rikka.app/
[3]: https://f-droid.org/en/packages/com.aefyr.sai.fdroid/
[4]: https://f-droid.org/en/packages/io.github.samolego.canta/
[5]: https://github.com/ImranR98/Obtainium/issues/1859
wifi adb is a clever workaround, lol. I haven't seen that before, but it does kinda make sense. I've used SAI before (though it has been having lots more problems in the past year or three), but haven't seen Shizuku.
thank you for the testing and details!
Australian users of alternative app stores should make a complaint to the ACCC: https://www.accc.gov.au/about-us/contact-us-or-report-an-iss...
In the past, they forced Steam to implement proper refund policies, and they are currently suing Microsoft about the way subscribers were duped into paying more for "AI features" they didn't want.
Done, thank you for the link.
It makes me a little sad that there’s no mention of Raymond Carver in this thread. https://en.wikipedia.org/wiki/What_We_Talk_About_When_We_Tal... The current state of dominant mobile OS’s is about as bleak as the bleakest Carver story. Since I’m on a tangent I’ll also highly recommend the movie Shortcuts.
Also recommended: BIRDMAN or (The Unexpected Virtue of Ignorance)
On MacOS it warns you when you're about to open an app you've downloaded and installed yourself. "Foo has been downloaded from the internet, are you sure you want to open it?". It doesn't stop you from installing it. Why should doing so on your phone be any different?
Depending on your app this is not all.
If i send a golang binary to someone with a mac via signal or other mediums, apple simply displays a dialog that the app is damaged and can't be run.
You need to use chmod to manually remove the quarantine flag to run it.
That for me is something that should be fined ad infinitum, because it is clearly designed to disallow non technical people to run custom apps.
On the other hand, it used to be very common for malware on Windows to email itself to all your contacts using your real email client. It's probably reasonable for an OS to add a little friction to the process in the modern era, though it probably shouldn't lie and claim the binary is damaged when that's not the problem.
chmod to dequarantine doesn't sound like "a little friction" to me.
On your point about security, this kind of aggressivity from the platform owner tend to backfire.
The user was already convinced to open that mail, download that file, and try to run it. Pushing the process to the terminal just means your clueless users now run the provided incantations in the shell instead, and the attack vector now becomes huge (the initial program doesn't even need to be malware)
I agree having to go to the command line is too much friction. Just clicking `overdue-invoice.doc.pif` is too little. About right is somewhere between a prompt and setting the file executable in the GUI.
I wish it would run in a stricter sandboxed mode and prompt the user on the first network requests and file writes outside of it's directory.
That wouldn't be perfect, but at least the user could be prompted for a concrete action instead of a vague "this script is scary" warning.
> If i send a golang binary to someone with a mac via signal or other mediums, apple simply displays a dialog that the app is damaged and can't be run.
Has this changed? I thought it failed to launch, but if you go to Privacy & Security in Settings it would give you the option to allow it to run?
Though yes, macOS doesn't prompt you to do that, you have to know where to find it.
I believe they are saying that this update will remove the ability to decide if you want to install it and will require developers to register and pay for their applications to be installable at all. It's been several years since I developed for Mac, but they operated a similar way, secretly marking a file as quarantined and saying "XYZ Is Damaged and Can’t Be Opened. You Should Move It To The Trash" if you didn't pay to play. Maybe this has since changed, or maybe I'm just a dummy. Regardless, whether a platform has any business funneling a user into their walled garden is another philosophical argument altogether.
I sure hope they still allow `xattr -r -d com.apple.quarantine /Applications/*`
Quarantine is for any executable downloaded from the Internet. It doesn't prevent it from being opened, it only marks it to be checked for malware.
In my experience the quarantine flag gets added if the file is downloaded via browser, chat program, email, or some other way that isn’t curl/wget/other CLI tool. At least for the past 6-8 months this has been my experience. Not that it excuses anything, but for what I have had to deal with it’s been somewhat helpful.
It definitely adds hurdles to running it.
Usually the hurdle is just a pop-up informing you that it's been downloaded from the Internet. Sometimes the malware checks go wrong though and try to prevent you from opening it at all.
This is the key and only difference. Scanning is great, and security is great.
but macOS lets you override any system determination, iOS does not, and Google is proposing the iOS flavor.
macOS warns you literally about every downloaded app not from MAS (signed!), unless you build it yourself or remove quarantine manually.
I think it is mostly about expectations, macOS trained people that it is relatively safe to install signed apps. If your app is unsigned, Gatekeeper will refuse to run it.
Do they have to be from the App Store, or "just" notarized?
Notarized works just fine.
If you install the binary directly, but obviously it does not ask when you are installing through a store like brew...
it also sometimes says `"Foo" Not Opened` `"Apple could not verify “Foo” is free of malware that may harm your Mac or compromise your privacy."` This is frankly pretty insulting to the intelligence of the user and /does/ stop them. I think the paradigm is flowing towards "less" rather than "more"
> Why should doing so on your phone be any different?
Because it's obscenely profitable for the platform holder to have complete control over app distribution.
Can we stop pretending it's about anything else than that? Just imagine if Microsoft got a 30% commission on every PC software purchase in the world...
Why are OEMs like Samsung just letting this happen? A lot of power users who buy flagships will leave for iPhones if Android ceases to be an open platform. (This segment is what is preventing the “green bubbles = poor” narrative from taking over.)
> This segment is what is preventing the “green bubbles = poor” narrative from taking over.
In the US maybe. In Europe, not so much. With Apple having a market share of "only" about one third and WhatsApp being the de facto default messaging app, this discussion never happened here.
Therefore your argument doesn't apply to Europe at all. Android is more than the "hacky" part. Albeit I'd really love to keep that.
whatsapp is a different form of the same malignant cancer, or so the unremovable meta-ai overlay seems to say.
> A lot of power users who buy flagships will leave for iPhones if Android ceases to be an open platform.
99.9% of people who use Android have never, and never will, install apps outside the Play Store, and aren't even aware that they can do so.
Did you consider piracy?
I'd guesstimate that close to 50% of Android users know how to install an apk.
You think 50% of the 3.6 billions of android users know that?
There are countries like China, Russia, Iran, and Venezuela where installing an APK is the primary or only way to get most software, including essential bank and government apps.
Outside of the Western market, installing Android apps not from Google Play is a completely normal and regular thing. In countries like India, Brazil, Indonesia, Nigeria, and the Philippines (which represent a massive portion of global Android users) it is a standard part of using a phone.
https://xkcd.com/2501/
I have never seen people in the EU talk about the bubble colours. Texting is virtually dead in the EU as I know it, it's all in messaging services.
Samsung's fought Google on a few different fronts over the years and conceded most of those fights.
why would I leave for IPhones? I want the other direction of freedom.
I have coded some apps that are customized for my mother's usage and accessibility. I plan on coding some more. I need to install them on just 2 phones - my own for testing and my mother's.
As of now, I can create APKs of my apps and install them on my mother's phone by unchecking the "prevent apps from other sources" option.
Even after going through so many articles, I still don't know unambiguously whether I can continue this workflow in future, or I'll need Google's approval to install on just our own 2 family phones.
There's a failure in communications here from both sides.
Ambiguity suits Google perfectly fine.
But it's counterproductive to its opponents because every dev who's confused will remain a fence-sitter rather than an ally, even if only motivated by personal inconvenience rather than any principled stand.
I doubt I'm the only Android dev who's confused. I hope at least f-droid communicates more clearly the consequences of this policy to all types of developers and deployment scenarios.
> https://keepandroidopen.org/
The UK petition link appears to be broken:
https://petition.parliament.uk/petitions/744446
The EU page is also no longer accepting new feedback
* https://ec.europa.eu/info/law/better-regulation/have-your-sa...
Right, the period closed:
Feedback: Closed Consultation period 17 July 2025 - 24 October 2025 (midnight Brussels time)
>Regardless, the term “sideload” was coined to insinuate that there is something dark and sinister about the process, as if the user were making an end-run around safeguards that are designed to keep you protected and secure.
I also recall a time in the nascent era of web file hosts, like Rapidshare.de and Mega upload, and some others that came and went so quick that I don't even remember their names, some services offered the option to "sideload" (as opposed to download) straight to their file server.
The entire App Store system is broken. It should have always been sideloadable apps by default. And app stores for verified app makers. Instead we have Google withholding play store. And now withholding sideloading.
You cannot beat them at their own game without some other Goliath like the EU getting involved. The complain and watch strategy doesn't make a difference.
Tangent about open source development
As a person that tried the Pine64 ecosystem and not being able to will drivers/C++ apps into existence (like I can with web/cross platform), I did not contribute much other than buying the device/doing some videos on YT. (I bought: PP, PPP, PineBook, PineNote, PineTab)
It depended on few people working on it eg. through Discord communities
Anyway point is I saw Expensify I think they have these GitHub PRs which have $ values on them, would be interesting to take that approach, just pay for it literally eg. a GoFundMe for a feature.
ex. https://github.com/Expensify/App/issues/73681
Installing software via Google play store is the actual side loading. You don't install it yourself, Google install it for you.
What is to be done?
Install LineageOS or GrapheneOS?
I feel that the root problem is that there aren't enough highly skilled low level developers willing to spend their time writing free software for mobile phones. Why do we have Linux and things around it? Because a lot of very skilled developers decided to work on it and offer it to the world.
Most (some sources say ~80%) Linux contributors are paid by their employer.
They wanted to call it freeloading, but showed a bit of self-restraint.
Whenever you side load anything, you are robbing someone's app store of income. You are not visiting their portal to be exposed to ads, you are not seeing ads in the middle of an application, you are not paying for anything.
Or at least, not paying to them. The only streaming service I pay for in my household is Japanese TV, which uses a side-loaded application. I'm freeloading on the Android TV platform because I only paid for the hardware, and for a streaming service not related any Google revenue funnels whatsoever.
That's what it's about.
It's either a derogatory term for "software loading" or an euphemism for "freeloading", or both.
I bought the hardware, for the price they chose to sell it at. Why should I be obligated to use any of their services, if I can avoid it?
I'm not sure if your comment is satire. So I'll respond as is.
"Not providing potential further income" is not "robbing"... what is being stolen from them? Something they never had in the first place? When I lose a bet I willingly entered, am I being "robbed" of the gains?
Furthermore, who is losing if I go to F-Droid to install an open source app people wrote with no expectation of income? If Google had a better app, I would have installed it from there. Too bad everything is riddled with ads detracting from the core purpose.
> I bought the hardware, for the price they chose to sell it at. Why should I be obligated to use any of their services, if I can avoid it?
Their answer would be something like, that the hardware vendor has nothing to do with them and is also a freeloader, taking advantage of their software ecosystem to sell hardware.
Everyone developer who worked hard to make windows phone die. Hope you're happy.
> who worked hard to make windows phone die
You mean Microsoft? No backwards-compatibility with Windows Mobile to begin with (so companies can't reuse their existing investment into line-of-business apps on actually nice modern devices either), then they reset the ecosystem 2 times (once during the WP7->WP8 transition, another time during the Windows 10 transition).
Well put. Microsoft following the "Double barrel shotgun, apply one wad per foot." (Reset ecosystem 2 times.)
I was a telco product manager at the time and I can tell you right away that it wasn't developers that killed Windows Phone. This book (https://asokan.org/operation-elop/) tells part of the story, but the telcos I worked for (and competed with) definitely played a big role.
That book is new to me. I wrote https://paulhammant.com/2013/05/07/android-and-the-art-of-wa... on Google vs MSFT and phones before the book. Mine's a perspective that doesn't mention Nokia or its leadership.
I did own a Treo and loved it up to the OG iPhone - I repaired the eff out of it in the hope that something worthy would come along. I kidded myself I would write apps for it. I'd previously played with Simbian tech (and met a very bitter Simbian team dev in London one "eXtreme Tuesday Club" meetup in 2003). I had a Psion Organizer way back and Palm pilot. I thought Palm's WebOS stood a chance. I still own a Ubuntu Phone that I don't use - single script QML apps would have been the killer, but all that's passed now.
Let's not pretend that MSFT would have been one tiny bit better here.
I am, mostly because Windows Phone 7 always did what Google is attempting to do here.
https://stackoverflow.com/questions/4229029/can-you-install-...
At least we got 10+ years of real sideloading on consumer devices thanks to WP7's death.
Windows RT "sideloading" denied for ordinary users, costly for Line-of-Business apps (2012).
Microsoft UWP only Microsoft Store. Microsoft backtracked their walled garden Windows plans for a while as result of Windows Phone fiasco.
Yes, we are.
I don't understand this sentence. Can someone rephrase?
Will I be allowed to add keys to verify developers over ADB?
After Google implements this, will I still be able to "side-load" (install any software) on Android-derivative OSes like GrapheneOS?
Currently it seems that Google is pushing for hardware attestation, so you might be able to install Graphene/Lineage if your phone manufacturer allows you to unlock your bootloader, but many Play Store apps won't work as they'll detect your root. It's actually gotten pretty insane how every low-value app considers themselves the centre of the world and unable to run on a rooted device.
Example: the loyalty card app for a local store chain - there's no money in it, I can just get some discounts when I use it. So an attacker would have to steal my phone, somehow unlock it, and then they can use my loyalty card (btw which is free to obtain for anyone and there are no tiers) to get some discounts. And for that, they have implemented a pretty decent root checker which i had to put in some effort to overcome. And there are many more like it.
> as they'll detect your root
A small clarification, neither GrapheneOS or LineageOS runs as root. Rooting is different from "installing an alternate OS".
There might be insurance and bank contracts higher up the chain that classify it as a financial dealing and thus require stricter conformance. I'm speculating tbh I have no idea for sure.
Yes (but see my comment about the permission system), however, the future of bootloader unlocking and AOSP is uncertain... :(
With one switch, one nasty update (disabling bootloader unlocking on Pixels), Google could kill GrapheneOS..
Note that the Android permission system is designed so that you are not in control by design, some permissions are "not for you" and only for "system apps" which you can't control. This gives Google and device manufacturers advantage over third party software developers in the name of security...
I think we should focus on defending the slowly-vanishing ability to unlock the bootloader and fight for the core parts of Android to stay open source.. without these two, installing an APK will mean less and less until it might eventually become synonymous with installing a PWA.
A great example of this is the 'networking' permission. Being able to control which app can speak to the WAN/LAN is a very important security consideration. Instead, every Android app can send any data it wants without the user being able to have a say in the matter. A lot of apps work just fine without being able to 'phone home'.
Thankfully there's the likes of GrapheneOS, however, with Google's recent changes, unless their OEM partner pulls through, their days are likely numbered.
Interestingly, on Xiaomi HyperOS they have added the ability to individually control each app's access to mobile data 1/2/WiFi. I didn't know this wasn't a general Android feature.
I guess if it was, people would be turning off the network permission of all the "apps that perform a trivial function, but with ads", like I always do.
Is this seeking Google’s approval for the app? Or is the condition app be signed by a verified user? The latter means side loading is still viable for apps from known developers. This way anyone who is known who may create malware and will not be free from prosecution
Approval is tied to individual apps. From https://developer.android.com/developer-verification:
> You'll need to prove you own your apps by providing your app package name and app signing keys
Needless to say, Google will throw out NewPipe, ad-blockers and anything else that might endanger their profits. For example, Google does not allow F-Droid to be published in Google Play (distributing competing app stores is against their ToS). This policy was in action as long as Google Play/Android Market existed.
It is the latter. The app has to be signed, and the signer has to register "real" identity with Google. Approval of the app itself is not a part of the process.
Yes, sideloading will still be viable from known developers.
Probably malware developers will still be free from prosecution -- what moron is going to distribute malware with their own identity attached to it? But it means when the malware gets caught (which it does) you can't just roll a new APK with a different signature. You've burned a developer identity and need a new one. Those are harder to come by, and so it rate-limits malware distribution.
Fwiw I've been getting random email offers over the years to buy my old dev account for like $100-300. Dev accounts are going to become a prized commodity on the black market with this move.
(I didn't sell my acct, for the record.)
> The latter means side loading is still viable for apps from known developers. This way anyone who is known who may create malware and will not be free from prosecution
Important corrections:
This way anyone who is known to create malware or any software which interferes with Google's current or potential future revenue, strategic interests, and unpredictable whims will not be free from prosecution in the case of distributing malware, nor from digital exile and unpersoning in the case of causing inconvenience to Google.
As a power user, and software creator, I absolutely hate this decision. Side loading and power features are a main reason I use android.
That being said, as a grandchild, I also completely understand where google is coming from. A surprisingly high percentage of users do need protecting from themselves. They are so technology illiterate that someone random tells them to install something, "it will say it's not safe, but it's actually okay, just click approve" and they will. This is why HSTS exists, to prevent uneducated users from getting pwned, by preventing them from disabling safeguards.
So, having some system of "no really, I am a power user" makes sense, even if I hate it.
Is the title an intentional mirror of Carver's short story collection "What we talk about when we talk about love"? If so, can someone smarter than me explain what the author means by this connection?
Perhaps an unintentional one: https://lithub.com/what-we-talk-about-when-we-talk-about-thi...
I've switched my main phone to GrapheneOS, specifically because of what Google is doing here. I'm sure alot of others will do the same.
Where do I send my money to fight this?
https://keepandroidopen.org/ is about sending messages, which I have done and will continue to do. But I want to open my wallet.
You may be looking for something more specifically targeted, but here two somewhat relevant ways to donate money:
- https://f-droid.org/en/donate/
- https://supporters.eff.org/donate/join-eff-today
Sideloading is just a deliberately pejorative term which replaces "software installation".
When you install Git Bash, Vim or GIMP on Microsoft Windows, you are side loading.
> As a reminder, this applies not just to devices that exclusively use the Google Play Store: this is for every Android Certified device everywhere in the world, which encompasses over 95% of all Android devices outside of China.
So what happens in China? Should we buy Chinese Android phones?
I want to make a report to to US Department of Justice Antitrust Report Online and US Federal Trade Commission: Antitrust Complaint as suggested but I will appreciate some guidance on the wording. Could anyone share a sample?
I've stopped trusting Google and it's products entirely.
They say one thing, then do another.
Hackers it’s time to get money and get a life run away for good. Get more.and run away to get money
“Sideloading “ is the original app installing by sync or copying.
You used a wire, or Bluetooth that transferred the app file.
Then it ran.
This is how it was.
iPhone 1 was vehemently against third party apps of any kind.
The use of iTunes to have a “store” helped transfer and install apps digitally, and I believe using a wire too.
You either own your device or you don’t.
At a software level mobile has been a challenge to keep secure and locking it all down might not secure it either as there might be side doors still instead of side loading.
It has been 15-17 years since we got this batch of mobile operating systems, maybe we’re due for a new one since there’s a critical mass of users already on smartphones, unlike when Android/iOS began.
Didn't know this community have so many corporate bootlickers
The only reason Google has decided to lock-down Android is because of apps like ICEblock and the ability for anonymous individuals to mass distribute information that governments do not like. Now, they'll be able to hunt you down by requesting Google hand over every ID document that they process. This sets a chilling precedent for free speech. It enables governments to go after those who dare 'speak out' by using platforms to their advantage. You can no longer 'hide in the shadows' and will need to put your entire identity on the line for your morals and convictions.
Of course, if they could do this with Windows, Linux et al they absolutely would. And general purpose computing will, eventually, be closed and locked down, much like what we are seeing with the internet and ID laws. People would have, and did, think such ideas would be unthinkable 10-15 years ago. Yet little-by-little the screws are being ever tightened. The government wishes to tightly control the information flow and decide what is 'best for you' to see. Preferably their chosen propaganda.
Work-arounds that exist today will likely be closed and forbidden in the future. VPNs to bypass age laws, ADB to bypass install-blocks will all be obsolete. You will be required to identify yourself at all times. I half-expect Google to deprecate and remove the concept of VPN's/ADB on Android entirely and laws will be passed to that affect (restricting the apps themselves, or access to the APIs to verified Android devices/Google accounts). If you don't believe me, you only need to see [1] for the direction of travel.
There is little interest from the regulators to stop this. Perhaps the useless CMA will 'investigate' in 5 years time, decide Google perhaps abused its monopoly and then do absolutely nothing because they have no real re-course over an American company. It's likely governments support this position and will not do anything to influence a change of direction.
Eventually, Linux itself will go the same way, people are just waiting for Torvalds to retire from the project to make their moves, but make no mistake, open general-purpose computing is under threat and there is going to be little we can do to reverse the current trends towards closely monitored and controlled computing.
[1]: https://developer.android.com/google/play/age-signals/overvi...
This will most likely be expanded in the future to limit access to certain 'dangerous' APIs like ADB/VPN's etc. This can also be used 'in app' and across the entire OS to shape your experience of what you can see and do. I wouldn't be surprised if 'unlocking bootloader' required an 18+ verified device.
> The only reason Google has decided to lock-down Android is because of apps like ICEblock and the ability for anonymous individuals to mass distribute information that governments do not like.
That's why the solution CAN'T be more regulation ...
Again, I don’t really see Google as a ‘moral’ or ‘pro-user’ company since they just pushed out Manifest V3. But unlike ad blockers, they’re not losing millions from sideloaded apps, so the only reason for their sudden policy shift is probably government pressure. With all the ongoing antitrust lawsuits, they’re just trying to stay on the good side of whatever the current or next administration wants.
> The only reason Google has decided to lock-down Android is because of apps like ICEblock and the ability for anonymous individuals to mass distribute information that governments do not like.
Nah. The only reason Google has decided to lock-down Android is because they think they can get away with it. They would have done it from the first minute except that not doing it gave them a competitive advantage in the market over Apple - back when pretending to be into FOSS and to "not be evil" was a major part of their marketing. They're ready to make the move. If it fails, they'll try to make the move again a few years from now. They don't give a shit about ICE or whatever.
seems well coordinated with the recent escalation of aggression around google accounts without a cell phone number attached “to help make sure you don’t lose access to your account.” complete horseshit, but they can get away with it.
[dead]
> Regardless, the term “sideload” was coined to insinuate that there is something dark and sinister about the process, as if the user were making an end-run around safeguards that are designed to keep you protected and secure.
This is a conspiracy theory; as there is no evidence that it was deliberately invented to be malicious (it started as a trademark from a company called i-drive). The term almost certainly became popular after the name of the Android Debug Bridge command, `adb sideload`. The adb command naming makes sense considering the phone is plugged into a computer, for installing content externally when the phone could not otherwise "load" the content.
Yes, I think quibbling over the origin of the term and attempts to coin an alternative are a useless distraction. The term emerged organically for good reasons, and doesn't have any negative connotations as far as I'm concerned. Trying to talk about "direct loading" instead is confusing and doesn't even make sense because alternative app stores like F-Droid don't count as "direct loading" under their own definition.
I think defining sideloading as "the transfer of apps from web sources that are not vendor-approved" is a good definition, because "not vendor-approved" is precisely the part I care about. The owner being able to install stuff without Google or anyone else's approval is a good and important capability for every computing device to have.
In any case, I fully agree with the substantive portions of this article. What Google is doing here is a terrible attack on consumer freedom.
While I wont argue about it feeling like a conspiracy theory, I will argue that pretty much no one knows sideloading as a term with regards to what i-drive meant by it.
And the fact that `adb sideload` is where the concept originated does nothing to dispel the way the term is frequently used in a derogatory fashion these days. It's wielded as a bogey man to make people afraid of unsigned applications. Despite the fact that many perfectly signed applications are full of malware and dark patterns.
Also, FFS, this is hacker news. Why on Earth would be arguing in favor of Google locking down how I can install software on my device.
> Why on Earth would be arguing in favor of Google locking down how I can install software on my device.
They didn't argue for that anywhere in their comment.
I bought an iphone knowing that Apple has a review process and that I'm limited to apps sold in their store. Similarly, when I had an Android device I knew what I was getting in to.
I appreciate the fairly high level of review that apps get and I completely back Apple's right to control what runs on the OS they developed. Similarly, if _you_ want to run an OS you got from XDA on your Android device and install random stuff, I'll be the last person to stop you.
Hacker news readers are part of the small circle of people who have probably developed a decent intuition for whether software we download is clean or not. Most folks I know do not have this intuition, and many will not bat an eyelash when their new app asks for access to their contacts, etc. Sideload should absolutely continue to be a term that discourages the average person from doing it.
> I completely back Apple's right to control what runs on the OS they developed.
Praytell, what right is this?
hah, thanks. It's a bit more nuanced than that. Let me try again.
I completely support Apple's right to publish software that makes it difficult for unapproved software to run on it.
Similarly, I support your right to try running something else on it.
Just like my neighbor has the right to publish a browser that makes it difficult to run extensions in it, and I have the right to use a different browser.
Some people would like the phone OS to be regulated like a public utility. I do not support that, and if we _had_ to have it that way, it would be important to have the same standards for everyone and regulate _all_ phone OSes equally. I don't like the thought of what that would do to the chances of any "open" offering.
We should just call it loading. Loading from an app store we can call simply, mortgaging our cognitive liberty and liquidating the middle class for comfort or MOCLALTMCFC.
I realize F-droid has an understandably strong opinion here, but this writing is disingenuous.
From the post:
> Regardless, the term “sideload” was coined to insinuate that there is something dark and sinister about the process, as if the user were making an end-run around safeguards that are designed to keep you protected and secure. But if we reluctantly accept that “sideloading” is a term that has wriggled its way into common parlance, then we should at least use a consistent definition for it. Wikipedia’s summary definition is:
> the transfer of apps from web sources that are not vendor-approved
The opening two sentences of the linked-to Wikipedia page on sideloading:
> Sideloading is the process of transferring files between two local devices, in particular between a personal computer and a mobile device such as a mobile phone, smartphone, PDA, tablet, portable media player or e-reader.
> Sideloading typically refers to media file transfer to a mobile device via USB, Bluetooth, WiFi or by writing to a memory card for insertion into the mobile device, but also applies to the transfer of apps from web sources that are not vendor-approved.
The phrase after the "but" in the second sentence isn't the "summary definition". It's the part of the definition that best supports your argument. Cutting the Wikipedia definition down to that part is deceptive.
Also in the post:
> Regardless, the term “sideload” was coined to insinuate that there is something dark and sinister about the process, as if the user were making an end-run around safeguards that are designed to keep you protected and secure.
Immediately later in the same Wikipedia page is a paragraph that is literally about how the word was coined:
> The term "sideload" was coined in the late 1990s by online storage service i-drive as an alternative means of transferring and storing computer files virtually instead of physically. In 2000, i-drive applied for a trademark on the term. Rather than initiating a traditional file "download" from a website or FTP site to their computer, a user could perform a "sideload" and have the file transferred directly into their personal storage area on the service.
That's funny. The history of how the word was coined and the post's claim about how it was coined aren't similar at all. Weird.
> The phrase after the "but" in the second sentence isn't the "summary definition". It's the part of the definition that best supports your argument. Cutting the Wikipedia definition down to that part is deceptive.
Wat?
Everything after the "but" is what Google means when they use the term sideload and is the only important part of the definition for f-droid's purposes. The other definition is completely irrelevant and, I would argue, hardly ever used anymore.
You argue here that google is technically correct because they’re correctly using sideload.
But that isn’t the point people are angry about. The point is that sideload was a misnomer. Correctly Android users were able to install packages and now cannot. This is anti consumer and breaks the social contract.
Anyway this is so disingenuous that I think it’s astroturf. Here’s the meme we should’ve spreading: Chrome and Android should be broken off from Google. Apple should be forced to allow sideloading, at a minimum, same as any other computer. Phones and tablets should be valid targets for custom OS.
> Correctly Android users were able to install packages and now cannot.
Not only has nothing happened yet, but this is also untrue.
Maybe they meant coining the usage of "side load" for any non-appstore method of acquiring an app.
Per the original definition, how exactly am I "side loading" if I go to the epic games store and download and install their epic game store APK?
I’m honestly very tired of this argument, everything about it is bad.
Features aren’t rights, if you want a phone that let’s you run whatever you want, buy one or make it yourself.
What you’re trying is to use the force of the state to make mandatory a feature that not only 99% users won’t use, it vastly increases the attack surface for most of them, specially the most vulnerable.
If anyone were trying to create a word that gives a “deviant” feel, they wouldn’t use “sideload”, and most people haven’t even heard the term. There’s a world of difference between words like “pirate”, “crack”, “hack” and “sideload”.
If anything I’d say it’s too nice of a term, since it easily hides for normies the fact that what you’re doing is loading untrusted code, and it’s your responsibility to audit it’s origin or contents (something even lot’s of devs don’t do).
If you want to reverse engineer your devices, all the power to you, but you don’t get to decide how others people’s devices work.
It's a proper argument on its surface, complete with claim, warrant, and impact.
"Features aren't rights" > see: Consumer Rights.
"Force of the state making sideloading mandatory is bad" > ...Except we have antitrust laws? The Play Store becomes the only source of apps, all transactions are routed through Google Billing? Not a problem for you?
"99% users won't use" > Except for when Google demands that transactions happen exclusively through Google Billing, which resulted in the release of the Epic Games Launcher for the world's highest grossing games by download.
"Sideloading is too nice" > Listen, either it's the case that "sideloading" is a threat to normies or it's not. Are normies your 1% or 99% of users? I thought according to you 99% of users won't sideload.
"You don't get to decide" > That language ties in pretty well with your fear of the use of the 'force of the state'; that tells me that you support freedom. Great-- you're right, why not let corporations be corporations and do anti-consumer things, they'll be very good to us (while they lobby the state).
> "Features aren't rights" > see: Consumer Rights.
Consumer rights aren’t features, and they’re very intentionally written to not be.
> "Force of the state making sideloading mandatory is bad" > ...Except we have antitrust laws?
Then sue them over those.
> Listen, either it's the case that "sideloading" is a threat to normies or it's not. Are normies your 1% or 99% of users? I thought according to you 99% of users won't sideload.
I meant that 99% of users aren’t afraid by the term “sideloading”. That you’re not using something doesn’t mean you’re afraid of it, it just means you don’t want it.
> you're right, why not let corporations be corporations and do anti-consumer things, they'll be very good to us (while they lobby the state).
Because corporations tend to die when they do anti-consumer things, but governments keep doing anti-citizen things without much trouble.
"Consumer rights aren’t features" > Any attempt to weasel out of a marketed feature set is generally and colloquially known as "false advertising"; consumers have a right to the features of a product they purchase under the original conditions of the purchase agreement.
"Then sue them" > My point was that the force of the state is a necessary evil to ensure fair competition. Yours implied that the force of the state is overreach, but if you warrant that, then you wouldn't enjoy protections against corporations afforded to us by antitrust law.
"That you're not using something..." > For you to claim that sideloading presents additional threat surface to the normie consumer, you need to also claim that normie users are sideloading. This means that if 99 percent of users are not sideloading, there is no threat surface.
"Because corporations tend to die when they do anti-consumer things, but governments keep doing anti-citizen things without much trouble." > Absolutely not. The paradigm has changed from the time when you could vote with your dollar. You and I are economically and legally irrelevant (where is Congress, anyway?), and corporations like the Big G are too big to fail. They are -already- colluding with government to do both anti-consumer and anti-citizen things.
Nominatively, this is why both the government AND google do not want you to side-load software outside of their control.
> You don’t get to decide how others people’s devices work.
Perfectly reasonable. It's important that people can decide how their devices work for themselves. No one else should decide for them.
But I'm genuinely curious how you see this principle working in practice when there's effectively a duopoly. What's the path for someone who wants to still have any choices for their device? I'm not seeing an obvious answer, but maybe I'm missing something.
There isn’t a duopoly, it’s just that the two top contenders are way ahead of the rest, so wanting that niche feature requires a big sacrifices.
Nowadays it’s not even that hard to build your own phone, but it’s not going to be a slick smartphone for sure
It's not possible to build your own phone in most markets anymore. Without iOS or Google Play Integrity you won't be able to install or run essential apps required for banking, taxes, healthcare, public transport, etc. This makes it impossible to compete because anyone who buys your phone are required to also buy a secondary Google approved Android or iPhone to lug around in order to function in society.
Actually sideloading is not a made-up term. It's an existing term, that was (20yrs ago) used regarding to cracks and trainers software. Sideloaders loaded (mainly in DOS but Atari had it too) the main executable along with additional program, a routine or interrupt that would allow disabling of copy protection, cheat on the amount of lives, energy in games (trainers) or simply do something more like play demo music before the game's proper launching. One example - prehistorik game that was distributed by pirates with a "pretrain.com" which allowed to select unlimited lives and sideloaded this routine along with the main program, that would periodically check the counters and keep them up.
-- edit --
Apparently after checking this term in the internet, I am not so sure that this process had been called this way. Maybe I'll leave it here to provoke a correct answer according to the internet rule #1 - to learn what is the correct answer, just post an incorrect answer in the internet and wait
I know that this is a controversial take here, but this sideloading crackdown is just fallout from the inevitable disaster that is mixing general purpose computing with high security and reliability requirements.
There's just no way at this time in which a single computing device can run software with high reliability expectations (emergency calls), high security expectations (controlled calling/texting, banking, money transactions) at the same time as random crap from the internet and keep the user safe and secure.
The HN community is far to fixated on their own use cases to properly understand this issue and its implications which can potentially upset a person's entire existence.
I always buy this argument....to the extent that the more powerful, dangerous capabilities are still allowed but locked behind some (one time) process that indicates you have a base level of knowledge and understanding. If you want to make it default safe for normies, fine, but let me turn my own device into the dangerous thing it is capable of being.
The version of the your view that we are actually getting is _incredibly_ paternalistic and condescending to the general populace. The kind of society that is capable of protecting everyone from every conceivable harm comes with the kinds of tradeoffs that no one, not even the people who actually need the protection, are going to want.
Sadly, your view isn't less paternalistic in reality. It effectively amounts to telling people who have better things to do than care about their personal IT security to just suck it up. Billions of smartphone users worldwide are in this position.
Look, I'm not saying that this outcome is ideal and I hate the idea of a single, almighty platform gatekeeper. But with the world being what it is right now, draconian device lockdowns of some kind are the best option that is immediately available.
`abd install` will still work as per[0] so to me sideloading is still possible, so the statement 'Google’s message that “Sideloading is Not Going Away” is clear, concise, and false' is not correct.
I think users should be able to install whatever software they want, without any charge or other external permissions, but at the same time device and OS makers should be able to make it difficult to do so, within reason. Apparently scam apps are more common in some countries than others and is actually a problem in some countries, although I'm not sure.[1] Google did cite that as the reason for the change.[2] However, combined with the way Google has been locking down Android APIs more and more, (eg. the file system, but other APIs as well) it is concerning. At the same time those changes were also about security. I think every phone should be able to have full root permissions if you go through enough hoops without having to install another ROM. That seems to solve most of the issues here.
[0] https://android-developers.googleblog.com/2025/09/lets-talk-...
[1] see eg. https://techcrunch.com/2024/02/07/google-starts-blocking-use... at the end of the article for some examples
[2] https://android-developers.googleblog.com/2025/08/elevating-...
So are we going to download APKs from fDroid to our computers and then adb install them to our phones? For every update? I see a lot of people, even developers, giving up.
You can run adb from the phone itself via wireless debugging. From what I understand, you can do this via Shizuku or Termux, and there are apps that can give you a user interface for this. What changes is that users have to enable developer mode to get this, which adds another warning label. Although admittedly they may remove this feature or add more hoops to jump through to use it.
Wireless debugging not only requires an initial setup, but it also requires being connected to a Wi-Fi network to work. Considering the number of Android users in countries where many don't have Wi-Fi, it's not an option for many.
There's also the problem of some banking apps refusing to work if developer tools are enabled.
This actually seems worse from a security perspective to me than allowing installing apps on device.
Your email client from F-Droid has an RCE? Too bad - better hope you update manually!
"adb install" is such a far cry from a normal install that it's laughable to call it an alternative or jumping though hoops "within reason". I imagine it won't allow to update an app without another adb install, for one thing. And controlling adb is even easier for google, so how long till you can "adb install" only from within Android Development Studio and only if you have a verified account? Because otherwise all the spooky skammers would be installing stuff on people's phones willy-nilly!