Nextcloud accuses Google of “Big Tech gatekeeping” over Android app permissions
- Thread starter JournalBot
- Start date
I'm a moderate user of Nextcloud and have the Android app installed, but I've never used it for auto-upload as I mainly use it to access files that come into my Nextcloud repository from elsewhere.
Still--this really chaps my ass.
Nextcloud, for anyone who's not familiar with it, is a FANTASTIC self-hosed alternative to a wide and growing number of cloud-based apps. It's trivially easy to set up and use and is only getting better with time.
Well... mostly better I guess.
Still--this really chaps my ass.
Nextcloud, for anyone who's not familiar with it, is a FANTASTIC self-hosed alternative to a wide and growing number of cloud-based apps. It's trivially easy to set up and use and is only getting better with time.
Well... mostly better I guess.
Upvote
252
(254
/
-2)
While I like the host-your-own-cloud idea, I'm too gun-shy about external access to my home storage to do it. So, I don't do "cloud". I'm never signed into Google for longer than it takes to do my business there, then I explicitly sign out, and delete the account on my phone (since it will still sign in for some functions even when I tell it not to).
I get that a lot of people don't exactly follow my example, and that's fine. It's their choice. I choose not to because the security headaches that come from opening up a direct pathway to your data is a hurdle I just can't emotionally take. I'm too distrustful of the technology (and I believe justifiably so, given how many breeches of data storage there seems to be) to implement it.
That said, it's pretty pissy of Google to hamstring competition.
Headline should be something along the lines of "Anti-trust violator violates anti-trust laws", because they're in a dominant position to make programs and features like this not work at all if they don't want them to. Making rules for thee, but not for me, that limits consumer choices is the epitome of monopolistic behavior.
Gonna bet this won't be remediated in the settlement about their antitrust behavior, either.
I get that a lot of people don't exactly follow my example, and that's fine. It's their choice. I choose not to because the security headaches that come from opening up a direct pathway to your data is a hurdle I just can't emotionally take. I'm too distrustful of the technology (and I believe justifiably so, given how many breeches of data storage there seems to be) to implement it.
That said, it's pretty pissy of Google to hamstring competition.
Headline should be something along the lines of "Anti-trust violator violates anti-trust laws", because they're in a dominant position to make programs and features like this not work at all if they don't want them to. Making rules for thee, but not for me, that limits consumer choices is the epitome of monopolistic behavior.
Gonna bet this won't be remediated in the settlement about their antitrust behavior, either.
Upvote
40
(79
/
-39)
- Add bookmark
- Featured
- #4
I thought the whole point of permissions was to put the power in the hands of the user/owner of the device.
It really is a sad state of computing that users no longer have control over their own computing hardware.
It really is a sad state of computing that users no longer have control over their own computing hardware.
Upvote
373
(377
/
-4)
I mean, this isn't surprising. These kinds of wide-ranging APIs are wide open for abuse so Google is locking them down, following in Apple's footsteps in some cases to make Android as locked down as iOS. It's kind of a natural outcome of trying to provide security to the "regular user" who has no understanding of security. One difference though is that Google resists provide human interaction in their support at all costs, whereas Apple is more happy to provide that, so when Google decides "you can't" it's often difficult to find a human who will change the decision.
Upvote
43
(106
/
-63)
Upvote
262
(262
/
0)
Seems like the sort of thing that will get resolved fairly quickly with a little bit of public pressure like this story.
Upvote
56
(58
/
-2)
AFAIU the official dropbox app already has limited sync support, probably to only sync media files. I would guess that the 3rd party "dropsync" app and ones like it would be affected in the same way.
Upvote
9
(17
/
-8)
Yeah, but Google's own apps are not subject to the same permissions - I'm fully expecting I would have no issues should I choose to enable Google Photos/Drive sync for things. Same for iCloud on iOS.
In my opinion, both Google and Apple need a slap on the wrist with a morningstar - either put speed bumps for all apps(including yours) or let users decide to use different "OS-level" services than the ones you want them to use.
I'll grant that giving random apps wide-ranging permissions is a bad idea, but maybe we can take a page out of Windows's way of doing things? You need a certificate for your app, IIRC a paid one, and Microsoft can revoke it if you've been naughty.
Upvote
201
(209
/
-8)
A similar app called Syncthing also got booted off the Play Store for the same reason. I still have it on my phone and it's a fantastic Cloud-free way to backup my phone to my NAS, even over the internet.
Permissions are supposed to be laid in front of me and then I can make an educated decision whether to install it or not. Why is Google blocking useful apps that can compete with their Cloud Storage while allowing data-slurping malware masquerading as shopping apps and games on the store?
Permissions are supposed to be laid in front of me and then I can make an educated decision whether to install it or not. Why is Google blocking useful apps that can compete with their Cloud Storage while allowing data-slurping malware masquerading as shopping apps and games on the store?
Upvote
291
(291
/
0)
It doesn't sound like they hosed themselves; Google offered that as a service to the developer.
Or maybe you have a typo
Upvote
63
(69
/
-6)
Google now appear hellbent on proving that all the anti trust efforts by the authorities are not just political stunts and theater but actually have merit. Who would have thought that when Google dropped the "do no evil" mantra that they would actively pursue evil as a business strategy instead ?
and yes that last one was a rhetorical question indeed
and yes that last one was a rhetorical question indeed
Upvote
120
(123
/
-3)
Syncthing is great, I use it from F-Droid, so I actually can sync anything I want.
Upvote
80
(80
/
0)
One of the problems WRT NextCloud is that it's a communications framework wrapper. You can enable all sorts of plugins to add different features, and those plugins are all created as individual open source (or not) projects. But it's the NextCloud app that gets signed.
So unlike Google and Apple, where they know exactly what code is going to run when someone enables access for their apps and services, if you enable full access for NextCloud, all it takes is enabling the wrong plugin server-side, and suddenly Bad Things can happen on the client.
This doesn't mean that just outright blocking full file access is the right way to go, but the risk landscape is vastly different in these cases, and it's going to be relatively complex to maintain the same level of security while opening access up to solutions like NextCloud.
And I say this as someone who uses specific NextCloud plugins to replace Google and Apple services... because NextCloud does things the way I want and on my own hardware, so I'm not forced to do things The Apple/Google Way.
Upvote
62
(86
/
-24)
For clarity, the on-device permission experience here is the same for Google's apps as it is for Nextcloud's. What Nextcloud is running into is that certain permissions need to be justified to Google before they'll let them into the app store at all. For example, the Android SDK and OS will let you write and sideload a RSS app that requests 24/7 background location access, but Google won't let it into the Play Store without submitting additional justification. The policy isn't unreasonable in itself, its just that its impossible to talk to an actual person at Google if they reject your explination.
Upvote
105
(116
/
-11)
This is pretty blatantly anticompetitive. I understand the security implications of allowing an app access to everything on the phone, but I don't believe that they outweigh the lock-in that you get instead.
Upvote
67
(71
/
-4)
Yeah. It's not hard to see why a read/write everything permission would be wide open to abuse and dangerous. On the other hand you can't make permissions to numerous or confusing for users or they don't help any.
My favorite example on the Android side of things was always every free to play game wanting internet access even if the game was otherwise a completely local single player thing. They need internet access to pull up the ads but the permission is all or nothing and I can't just allow them to show ads while not having any other internet acess.
Upvote
65
(65
/
0)
While I generally agree - this is a good example of security being hard - it's hard to understate just how much of a feature the poor customer service is for them in circumstances like this. These are pretty big name apps (relatively speaking) that compete directly with a lot of Google's offerings. I have absolutely no doubt that their leadership considers this a win-win - tighten security for their product AND give them that fig leaf to cover clearing out a couple of competitors from easy access.
I'm actually in the process of implementing local service hosting for myself and my immediate circle, and NextCloud was on my list to implement as soon as I get some bulk storage situated. Guess I'm gonna have to check how people feel about sideloading!
Upvote
46
(46
/
0)
OK good. Was confused as to how widely Google could actually cripple this permission.
Upvote
35
(35
/
0)
I host a NextCloud Pi setup in my garage, and I never have a problem accessing it from my LineageOS phone. I use LineageOS instead of Google Android to avoid just this kind of problem. I was delighted to get word (via Ars, if I recall) that Google was deleting all Gmail accounts that hadn't logged in for more than 2 years. I abandoned Google entirely more than three years ago, and I've never missed it.
Upvote
27
(31
/
-4)
You could use Tailscale. You have to choose to trust that Tailscale is secure and not intentionally doing anything nefarious, but I feel infinitely more confident about that than my ability to not fuck up opening up ports on my devices to the wide open internet.
I've been using it and it's really a gamechanger, last big thing I need to figure out is local subnet routing so I don't have to use different IP addresses depending on whether I'm at home or connecting remotely. The other nice to have would be is I'm still not sure if it's possible to get it to play nicely with a typical VPN service without using Mullvad specifically. I've been using Mozilla VPN for a few years, it's skinned Mullvad but I think they don't expose a couple of things you need to plug everything together correctly.
(I think you could also use Tailscale to get around the new remote streaming charge on Plex, since it'd look to Plex like it's local network streaming.)
Upvote
21
(21
/
0)
Gnafu the Great
Ars Centurion
I've been using LineageOS without GApps for over two years now. I highly recommend it. Long live F-Droid! Syncthing-Fork works great over here.
Upvote
27
(28
/
-1)
I've personally never been able to get NextCloud to function on UNRAID. That being said, I have not tried since 7 released with Tailscale support built in, so I may give it a go again.
Upvote
-6
(1
/
-7)
It isn't using their servers to manage the user access, so it is local streaming as far as they're concerned. That's the downside to local streaming - you can create managed user profiles, but it's the same login and MFA. You have to set up a PIN to prevent other users from watching on your profile.
Upvote
5
(5
/
0)
typo:
"Nextcloud states that it has had read and write access to all file types since its first Android app. In September 2024, a Nextcloud Android update with "All files access" was "refused out of the blue," with a request that the app user "a more privacy aware replacement," Nextcloud claims. The firm states it has provided background and explanations, but received "the same copy-and-paste answers or links to documentation" from Google."
"user" should be "use" I think.
"Nextcloud states that it has had read and write access to all file types since its first Android app. In September 2024, a Nextcloud Android update with "All files access" was "refused out of the blue," with a request that the app user "a more privacy aware replacement," Nextcloud claims. The firm states it has provided background and explanations, but received "the same copy-and-paste answers or links to documentation" from Google."
"user" should be "use" I think.
Upvote
10
(10
/
0)
It's hard for me to put down the amount of rage I have for shit like this.
Suffice to say I'll be throwing a party when Google is broken up
It's my phone Google, not yours. stop trying to restrict it.
And in the same vein, who does Android photo picker not let me any other folders on my device other than camera, screenshots and a couple of others
Suffice to say I'll be throwing a party when Google is broken up
It's my phone Google, not yours. stop trying to restrict it.
And in the same vein, who does Android photo picker not let me any other folders on my device other than camera, screenshots and a couple of others
Upvote
6
(15
/
-9)
In the case of NextCloud (which I don't use because it's a massive overcomplicated monolithic mess just begging for bugs to creep in), the "server side" is typically owned and operated by the very person who owns and uses the client. And the data.
I, not Google, own the "risk landscape" on my device. Period.
... and I am not convinced that any of this actually protects anybody. A simpler and more understandable way of organizing data might.
On the other hand, the Play Store trying to second guess the owner of the data might cause people to go elsewhere, helping to break up that monopoly.
Upvote
-10
(15
/
-25)
FYI, the version on F-Droid is also no longer being updated, you should switch to "syncthing-fork"
Upvote
22
(22
/
0)
Because Syncthing and co are competition that removes googles access to your data. That malware just increases googles power of users.
PS: https://github.com/Catfriend1/syncthing-android If you are like me and can't live without Syncthing despite google shits doing their best to kill it (Apple never even allowed it properly so they are even worse).
Upvote
21
(23
/
-2)
This is very weird as Apple solved this a while back by allowing apps to write all they want to their storage space, and if you want to share a file with that app, you use the iOS interface to manually do that.
As far as I know I can save anything to third party apps, they may have some odd limitations but even windows prevents .c files without some heavy excepting through hoops.
MacOS has even better controls (allowing apps to access certain directories) that I wish were brought to iOS, but it is what it is.
As far as I know I can save anything to third party apps, they may have some odd limitations but even windows prevents .c files without some heavy excepting through hoops.
MacOS has even better controls (allowing apps to access certain directories) that I wish were brought to iOS, but it is what it is.
Upvote
-10
(6
/
-16)
I dislike Google as much as anyone else here, but in this case it is Nextcloud being lazy and disingenuous.
There is a recommended way of creating the kind functionality that Nextcloud seeks to provide in android - by creating a document provider, which crucially does not require giving the app carte blanche to every file in the system.
The way it works is that the app gets a dedicated storage location in the local file system to store the files in user's cloud storage to be synced and available locally, and it integrates with system dialogs for opening/saving files. It's the same concept as Placeholder Files in Windows.
This is especially annoying to me as I'd love to host my own cloud storage, but Nextcloud's client expecting full filesystem access to work makes it a no go.
There is a recommended way of creating the kind functionality that Nextcloud seeks to provide in android - by creating a document provider, which crucially does not require giving the app carte blanche to every file in the system.
The way it works is that the app gets a dedicated storage location in the local file system to store the files in user's cloud storage to be synced and available locally, and it integrates with system dialogs for opening/saving files. It's the same concept as Placeholder Files in Windows.
This is especially annoying to me as I'd love to host my own cloud storage, but Nextcloud's client expecting full filesystem access to work makes it a no go.
Upvote
9
(39
/
-30)
that’s… optimistic. Apple’s developer relations are atrocious. they never really did manage to scale their dev support to match the expanded base of developers when iphone went big. Apple is legendarily capricious during app review, and has earned itself a lot of enmity. Even die hard Apple supporters like John Gruber see the mess for what it is and been trying to bring attention to it for years.
perhaps this is grass is greener situation? Google and Apple both have pretty awful track records for developer support, even if in different ways.
what you describe is a lot like iOS, where each sync service (even icloud) has its own separate data store location, and users can then choose to put files there or not. here’s mine:
(i quickly installed the nextcloud app to see if it registered as a file provider to ios. it does.)
but this is clearly different from
how Nextcloud on Android has worked for the past 9 years. from their blog:
i, too, would be upset that the rules were changed on me with no warning and no appeal possible. It does seem like a helluva big feature regression to get without notice.
Upvote
56
(58
/
-2)
Upvote
20
(21
/
-1)
No, that's not it at all. What's being prevented here is using NextCloud to sync/backup arbitrary folders on the device. So if I have data in MyCoolApp and want to keep that says in NextCloud, I just point NextCloud directly to that folder.
Using the system you describe, that is impossible.
Upvote
65
(68
/
-3)
But what if I want to give NextCloud or Syncthing carte blanche access to every file in the file system so it can be effectively backed up automatically?
With how my Syncthing is set up, I intentionally gave it full access permissions so it can back up my SMS/MMS and Call Logs, my 2FA Aegis Authenticator encrypted backup files, my photo and video reel, my browser downloads, documents folder, etc. all of which is more difficult or impossible as a document provider.
I dread moving on to a newer phone, the strict Scoped Storage restrictions that you can't remove would make my Cloud-free backup system harder or even impossible to implement.
Upvote
42
(43
/
-1)