F-Droid calls for regulators to stop Google’s crackdown on sideloading
- Thread starter JournalBot
- Start date
Setting up a different app store and pushing app developers to upload their apps would be easy. As long as it's not needlessly complex and there's a push for it by the EU.
But what do you do when Google decides this app store and alternative android fork is not allowed to run the following?
Gmail
Google Maps
YouTube
Google Wallet
They would also have to get all major apps to implement an alternative push notification system. We have UnifiedPush, so something like that. Doable but would take some time.
Oh and ensuring most apps implement whatever safetynet alternative they'll have.
Upvote
2
(5
/
-3)
It's galling that F-Droid, which actually cares about security, may be shut down using the phony pretext of security which Google demonstrably cares little about. It's what passes for the free market today. You can vote with your dollars from the choices you're allowed to have. Such freedom. Let's hope this one ends well, for once.
Upvote
22
(22
/
0)
Sideloading is the ONLY appeal that Android has over iOS. I've used Android exclusively for the last 15 years, if they make this change, my next phone will not be Android-based.
Upvote
-4
(5
/
-9)
Upvote
7
(7
/
0)
Gnafu the Great
Ars Centurion
That's a really good point. For example, I specifically sought out the A6003 variant of the OnePlus 6 to get the US bands (and my coverage has been great). I believe my wife's OnePlus 9 Pro is the LE2125.
Upvote
2
(2
/
0)
Switching to a new o/s or fork isn't entirely useful in this context. FOSS android development is already a niche endeavor when it's trivially easy for users to load the software. Making flashing a new rom a prerequisite will decimate the user base, and many will decide it isn't worth the trouble to create/update apps. An android fork will allow running old apps after they quit getting updates, but those are gonna get crusty, and quit working after awhile. It would be nice if there was a solid competitor to google and apple, but the contenders are a rounding error in market share at this point. Hard to get something going.
Upvote
8
(8
/
0)
Gnafu the Great
Ars Centurion
As someone who hasn't used any of those apps in over four years (or never in the case of Google Wallet), I don't see why a concerted effort at a non-Google Android fork by the EU couldn't supply decent alternatives. There are already decent FOSS email and navigation apps, and it would be good to encourage video streaming that doesn't involve YouTube. I'd dream of nation-level funding for LineageOS, F-Droid, CoMaps, Thunderbird, and something maybe PeerTube-based. Nothing I've seen makes me want to tie my banking or payment methods to my mobile device, but I imagine there can be open alternatives for that.
Upvote
12
(12
/
0)
First off, thank you for your service. Secondly, is it possible for you to make a a Progressive Web App with the same functionality? A lot of hardware functionality is available through browser APIs now (even odd things like WiFi and USB), and they tend to be far more stable than native APIs too.
Upvote
4
(4
/
0)
Could someone explain what exactly would have to be done to allow (1) a single
F-Droid app, or (2) all F-Droid apps?
F-Droid app, or (2) all F-Droid apps?
Upvote
2
(2
/
0)
I don't think it would be any more successful than they are currently, or have been historically.
I think the Librem 5 is off the market now, and I'm not sure the PinePhone is being sold anymore.
Upvote
4
(4
/
0)
Which would be a dumb move in multiple ways. One being that nobody is actually asking for an AI powered phone, and when the bubble inevitably bursts in a year or two that could be a major disadvantage. Then, the weird class warfare about phone models exists in some places, but many places it's nowhere near what it is in the US. The Android based models run from cheap budget phones to flagship models that cost as much or more than iPhones, and for a lot of the bigger ones people refer to the make not the US - i.e. people with Galaxy phones will tell you they have a Samsung phone, not an Android.
Where I've lived in Europe, nobody cares which you have either - they don't have the obsession with iMessage colours that exists in the US, you either use your free texts or something like Whatsapp to communicate cross-platform, and nobody cares what the receiver is using unless you're trying to get them to use an app that's not in common use.
Internationally, that could be a very harmful action for very little, if any, benefit.
Upvote
6
(6
/
0)
The problem here is that Google is requiring that all sideloaded software on Android be signed by the developer in order to be installable. To sign the software, you need a Google issued certificate. Only the developer themselves will have access to this certificate. This means that the software will have to compiled, packaged, and signed by the developer.
But this is a problem for F-Droid. F-Droid receives packages as source code from the developers. Then F-Droid compiles and packages the software it distributes so that it can verify that the source code doesn't have back doors or malware in it, among other reasons.
This is a big conflict here. The only solutions are: 1) Google abandon this plan OR 2) F-Droid stop accepting source code and start accepting signed, compiled packages, OR 3) F-Droid sign all the packages themselves.
Option 3 seems to be the most obvious, but there's a problem with that: trademarks. You can't sign just any old package to distribute. It has to be your package, in your name. For this to work, F-Droid would have to claim to own these packages, including the name. But they can't do that, because trademark law doesn't allow it. It would require that the projects all turn themselves over to be officially run by F-Droid instead of owned and run by their respective projects. That's a nonstarter if I ever heard one.
Upvote
20
(20
/
0)
Upvote
11
(11
/
0)
What do I do? I walk away
In this context this means that I would (and do) use:
Gmail -> Migrate to Protonmail (or whatever else strikes your fancy)
Google Maps -> Waze
Youtube -> ReVanced
Gooogle Wallet ->
Ha! You gave Gaaaaargle you credit card number?Do not automatically capitulate to the apocalyptic rethoric that google itself its trying to push.
I belive that Big Tech objective right now is precisely that, making you think that the world (web) is a very dangerous place (not that it isn't on many levels, especially if you are careless) so that they can sell you a security blanket for your mind, or to justify the latest turning of the screw that way.
Upvote
2
(4
/
-2)
If Google makes the decision and manufacturers follow it, there's not much we can do. Well, we can make a free mobile OS. We can build smartphones (using Chinese ODM/OEM). But we can't get all the drivers for the devices. Just hope that hardware manufacturers support mainline Linux.
Upvote
2
(2
/
0)
What do I do? I walk away
In this context this means that I would (and do) use:
Gmail -> Migrate to Protonmail (or whatever else strikes your fancy)
Google Maps -> Waze
Youtube -> ReVanced
Gooogle Wallet ->
While I don't disagree in general, it does seem like walking away from Google Maps to (Google) Waze... isn't a very long walk.
(But I sympathise - Maps is the Google product that I use the most and get the most value from. I don't know about Apple maps, but at least where I live nothing else comes close for up-to-date info)
Upvote
10
(10
/
0)
I have some of the least technical friends, partner, family, colleagues, etc imaginable. Most of them have sideloaded apps installed... Whether it's some service from back home, automation for some proprietary web service they have to use for their business, video apps, IPTV apps, DJI software. I've got one app from the play store (installed via Aurora Store) for my bank, I've used FOSS apps from F-Droid exclusively otherwise.
Switch to CoMaps, OsmAnd~, or Organic Maps. There's no reason to use any data harvesting operations' services or software nowadays.
Switch to CoMaps, OsmAnd~, or Organic Maps. There's no reason to use any data harvesting operations' services or software nowadays.
Upvote
6
(7
/
-1)
Pinephone, and linux phones exist, I really wiah something like that would really take off: https://pine64.org/devices/pinephone/We basically need an entirely new open-source hardware and software paradigm. Phones are now too fundamental to have it all in the hands of a sociopathic advertising agency that designs complete garbage software. Everything's optimized for their own advertising interests. Enough.
Entirely open-source and modular hardware and software that you can modify, upgrade, assemble. It won't be easy but entirely doable with enough interested engineers and international cooperation. It's not actually that difficult - one person could actually do it with enough time, hypothetically: it would be super limited and low-performance. That's where the entire hypothetical OpenPhone group comes in.
Both apple and google need to be destroyed; they don't operate for any greater good.
Upvote
4
(4
/
0)
Unfortunately device maker cannot sell gogole-free android if they also want to sell devices with the google junk. It's part of the "agreement" with google. IIRC this was under (perhaps still is) investigation by EU
Upvote
6
(6
/
0)
I think google had to stop doing this IIRC, but the damage to the market is already done.
Upvote
1
(1
/
0)
As a "whenever possible" user of Organic Maps, the one big thing missing for me are the ratings and reviews*. Try finding decent coffee/food/whatever even in an unfamiliar part of your own city and you'll see what I mean.
* yes, I know they are quite often garbage, but one can learn to read between the lines, and ratings are pretty reliable if a place has at least high double-digit amount of reviews.
Upvote
0
(0
/
0)
Where on earth are you getting this idea from? There's absolutely nothing in trademark law that stops you from signing a project you don't have the trademark to. That would depend entirely on the terms of the trademark and any FOSS project with trademarks will have some sort of license for using the trademark.
How do you think Samsung can sign their Android builds?
Upvote
3
(3
/
0)
They will have account banned the moment any malware appears in f-droid repo, cause they signed the app. Same with any hacked apps like revanced - and with ban on unsigned apps you can be sure someone will try to push it to store, even if the only "source" they can provide is decompiler output.
Upvote
6
(6
/
0)
I recently moved to Graphene, pretty much after hearing the first announcements about this side-loading stuff. It is working out great for me but something which is concerning me is that I have started seeing notifications that WhatsApp is accessing the "Play Integrity API", which (as far as I can tell) means that it is trying to figure out if it is running on a fully official Google version of Android. Other users have seen it too and some of them have had WhatsApp break completely, showing a message that they aren't running the latest official version of WhatsApp from the Play Store (but they are, as am I). It might be that Meta are using various factors to decide whether to allow WhatsApp to be used on an OS like Graphene and I'm just lucky that (so far) it is still working for me.
If it stops working it will be tricky because unfortunately there are a fair few people / groups that I need to stay in contact with who will never use Signal (or even know / care what it is). It is concerning for non-official Google Android implementations in general I think, so whether or not Google Play Services are used it might be that the apps themselves will stop working if they think they are not on an official Google OS.
If that does happen to me then it might be that I do end up moving to iOS, which is something that 5+ years ago I'd never have thought I would be saying.
Upvote
7
(7
/
0)
Question: suppose I want to sign an app called com.arstechnica.whatever. Is there anything preventing me doing that? I don't own that domain but I don't think the signing is checking that? However if I try to upload to the Play Store will Google reject it as I'm impersonating Ars?
Presumably the new developer registration thing will limit me to publishing apps under my own domain, even if side loading. So for Fdroid it would have to be org.f-droid.com.arstechnica.whatever. But then they might get their developer account revoked if Google didn't like any of the apps they published, which is highly likely.
Upvote
0
(0
/
0)
I've had that a few times, and generally the solution is to sideload the .apk of a slightly older version of Whatsapp. It's not a permanent solution but it generally kicks the can down the road a bit, and when WA insists I upgrade then usually I can find a newer version that works. (Aurora Store allows you to install older versions of apps from the Play Store servers if you know the version ID, or there's apkmirror to download apks)
I did have a banking app which previously worked and stopped after an upgrade due to Play Integrity, but I just use their website instead.
I have all auto app upgrades turned off, because otherwise it's likely to take you by surprise that suddenly an app updates and no longer works because of Play Integrity. It sucks for security, but IMHO better to run out of date apps than no app at all, and just manage upgrades on your schedule and be a bit more careful with apps that are actually security critical to you.
(The boat that app updates actually improve things for the user, rather than provide new ways to abuse their existing users, has long since sailed, sadly)
Upvote
3
(3
/
0)
That interesting and good to know, thanks! Having just invested in a used Pixel Pro 9 I'm definitely prepared to try a few things before giving up on the idea that's for sure!
Upvote
0
(0
/
0)
I think it depends what you mean by 'called'.
If you mean that the java source is all in that domain then I can't see any possible problem, after all even if your app was in com.yourpersonaldomain.whatever it would undoubtedly contain 3rd party libraries from com.somebodyelse and you'd have to sign ALL of those components as part of the signature.
If you mean an app whose user facing name included Arstechnica, well then you might legitimately have TM issues.
Upvote
0
(0
/
0)
Phones like Xiaomi (and Redmi and Poco) or Honor come with their own app stores pre-installed along with the Google Play Store here in the EU and most people I know have/had one of these. I sort of remember my old Samsung had its own app store too. What happens to that?
Upvote
3
(3
/
0)
A fourth option is for F-Droid to insist on reproducible builds. In that case, F-Droid could accept both the signed compiled package and the source code, and then verify that the source code matches the code in the signed package. Then their model of verifying source code isn't broken.
There are a lot of problems with this as well (in particular, anyone unwilling to send identity details to Google, as well as the general pain that is reproducible builds), but it is doable.
Upvote
6
(6
/
0)
Yep. Plain as day.
They've already proven they can't run the Play Store and keep malware out. So we're supposed to believe this is for security? Shouldn't they be requiring it for ONLY the Play Store then so they can verify (and certainly not just a big AI system with absolutely no human oversight because Google certainly wouldn't farm out important stuff like that to just computers. /s)
Praying (and donating) for Linux phones personally. PostmarketOS could use some love showered by Amazon, the EU, whomever to really take off. Something not controlled by anyone. Companies don't like that they can't control it but they certainly should welcome not being controlled by one company themselves. Android will never be free until it's unshackled from Google entirely.
Would absolutely love it too if Sailfish became a big "third" OS in this space. Maemo/Meego/Sailfish was always such a pleasure to use (still the absolute best UI IMHO.)
Last edited:
Upvote
5
(5
/
0)
The app ID, being the unique name of the app. eg Reddit is com.reddit.frontpage and YouTube is com.google.android.youtube. I guarantee Google won't be happy if you set your app's ID to be com.google.something even if you don't mention Google in the human readable name.
Upvote
0
(0
/
0)
install graphene. Pixels are the only supported devices. And Graphene won't be affected by this
Upvote
2
(2
/
0)
I'd consider doing that, but my banking app will just stop working. Custom roms, open bootloaders, rooted roms, unverified devices just don't work anymore. So I need to opt into either branch of the smartphone duopoly.Important to note, as stated in the original ArsTechnica article, that none of this applies if you aren't running Google Play Services on your phone. So custom ROM users can continue to do as they please. I've got to believe most F-Droid users would consider Google Play Services to be malware anyway. I know I did when I was an F-Droider
The days of the "Don't be evil" are long gone, Google needs to be held by the balls and squeezed hard. Hopefully the EU picks up this bone, G won't listen to devs or users, but they'll comply to avoid getting fined or being booted out of the European markets.
Upvote
2
(2
/
0)
Boy, do I have some bad news for you.
https://www.forbes.com/sites/urilev...ecision-founder-of-waze-reflects-on-the-deal/
And that's even less "walking away", you're still using the same API and same services, just through a slightly modified app.
Upvote
5
(5
/
0)
Gnafu the Great
Ars Centurion
I've found I'm perfectly happy having my navigation app handle navigation and my web browser handle looking up information from the Web. I look up business information using DuckDuckGo (which usually leads to TripAdvisor and Yelp, but often I'll also check a business' own site for their hours), and then I navigate to businesses in CoMaps. I really ought to do more to contribute to OSM data.
Imagine if 10% of Google Maps users switched to OSM-based alternatives and then even just 10% of those started actively contributing business and other information to OSM. I think that would be amazing.
Upvote
3
(3
/
0)
Upvote
-18
(0
/
-18)