Yep, it's as bad as everyone expected it to be. "We aren't taking away sideloading, we're just going to fully control it now! No Google-unapproved code on user devices! For security reasons!"
Chrome isn't enough. We need Android to get clawed away from Google too.
> We want to make sure that if you download an app, it’s truly from the developer it claims to be published from, regardless of where you get the app. Verified developers will have the same freedom to distribute their apps directly to users through sideloading or through any app store they prefer.
Not to mention this doesn't even solve the problem. What's preventing someone from registering and then releasing an app with a similar name to a famous app? Sure, the registration means there's someone you can sue, but it doesn't allow the user to identify the publisher. A "verified publisher" field when you're installing an app would solve both issues (similar to windows[1]), and not require every app developer to register with google.
However, if you prefer not to, we are also introducing a free developer account type that will allow teachers, students, and hobbyists to distribute apps to a limited number of devices without needing to provide a government ID.
So much bullshit, I'm really revolted. They want to pretend that they are nice, it is not locked down. But for real, now you will need to be registered to even only be allowed to have your app installed on maximum "a few" of your relative or friends. On hardware devices owned by consenting adults, without anything related to Google, or touching their servers, still they allow themselves a right to review.
Worse than that, you test an app, want some contacts to test? Even if not giving your id, everything will have to be traced to Google HQ. Who are you? Who are your friends? ...
I lobbied everyone for years against Apple devices, switching people to Android to have a little bit more freedom. Now Google Android will be the same shit.
If people working on Google are hanging out around here, please know that your company really sucks now...
> On hardware devices owned by consenting adults, without anything related to Google, or touching their servers, still they allow themselves a right to review
Aren’t the changes only for Google certified Android devices, AKA those that come with the play store?
Samsung's store contains virtually no original third-party software, anything that's worth installing and is not from Samsung is available on the Play Store.
So this is saying you have to have an Android developer account and sign the app with your identity… so a one-time $25 cost and that’s it? You can still distribute and sideload apps as long as you sign them.
Microsoft does this for Windows apps if you don’t want scary warnings popping up everywhere. Apple doesn’t even let you sideload at all for iOS and for macOS they do the forced trash malware thing unless you run commands to allow the app in the terminal.
Am I missing how this is different from what we already have on most platforms? Is it because you can’t force it to install the apps? Is there not a developer mode that lets you install unsigned apps, or a way to root the device to install apps?
The fact that other platforms do something similar is not an excuse, and this is more restrictive than both windows and macOS, even if technically less restrictive than iOS.
(The fact that all those platforms still have malware, as well as the officially sanctioned google store, should also inform you about how effective this measure is for its stated goal)
> Am I missing how this is different from what we already have on most platforms?
Most? The only platform that is like that is ios.
On linux, in any form, I can run what I want.
On a mac I can run what I want.
On windows I can run what I want.
Obviously on BSDs, Illumos, etc, I can run what I want.
On android up to now, I can run what I want.
The one and sole exception where I don't really own the device and can't run what I want it ios (therefore I don't own anything that uses ios). And now google wants to join that evil club.
I'm guessing Windows gets a pass because you can still fairly easily bypass the signature check - it's effectively a warning rather than a hard block. It sounds like for (mainstream) Android, the only workaround will be to plug it into a PC and use adb there to install an unsigned app, which is considerably harder. Installing a custom ROM will presumably get around it too, but that's tough, and various government and banking apps etc tend to refuse to run because of attestation.
Apple is of course locked down, but that's not news. The anger is because Android was the better option on this dimension.
No. That other people are doing bad things doesn't make it okay. It's like going to have to ask the government who I can buy stuff from. I am free to give my money to whoever and whenever I want in exchange for what I want to put in my house. None of your damn business. And none of google or the house makers business either
There sadly isn't a single viable option for a Linux mobile phone out there.
- Purism runs ancient hardware, charges way too much and has questionable business ethics.
- Pine64 has equally bad hardware but reasonable prices. I don't like the Hong-Kong connection though. Not sure how the security patching environment is in practice.
The only option on the table as I see it is buying from the devil and installing GrapheneOS.
Look, Google. You and me both, we don't want EU bureaucracy to get involved again...
(It's going to be a different group than the chat control people. If the chat control people win bigly, this would actually support what they want. Is there, like, any connection between that and the timing of these new rules?)
DMA does nothing to prevent this, Google claims it's about security which will satisfy the DMA. Same as for Apple (the EU is going after them because of the fees, not because of the complicated process). The EU is not interested in letting you run unapproved software because they want to use it for themselves with their digital wallet app and ID checks.
> If your team’s current test process relies on distributing APKs to testers for installation using methods other than adb, you will need to verify your identity and register the package.
Absolute bullshit Google.
You have no right telling me what I can and cannot run on my own devices. Regardless of how I choose to install it.
Googles decisision to add developer verification killed my interest in handset development entirely. But hey, at least I know what to focus my time on rather than third party app development ie. F-Droid. I look at my android phone differently now that its on the table which sucks but hey they made me switch my development time to linux drivers now instead.
This mostly confirms that it's exactly as bad as we thought. The only clarification is that building from source and installing via adb will continue to be allowed. For now.
One interesting aspect of this is that when using a personal Android with a work profile, developer options and ADB is (or at least can be) disabled. BYOD will then imply you can't sideload at all.
And nothing of value was lost. BYOD means Corporate can push whatever spyware they want onto your personal phone. I tell any employer I work for, if you really need me to be reachable by phone via an app, you can supply me a work phone. Otherwise I'll do without. I keep a bright-line distinction between personal devices and work devices, and never mix the two. My boss knows this explicitly.
I'm not an android developer, so I'm missing some context and key information. But I have a question: When Google is asking developers to "register" their apps as part of this new program, are they just trying to keep a mapping from some code signing key to a government ID? Or are they trying to do a code review process that is similar to submitting to an app store?
I know both are objectionable in their own way, but these two scenarios are quite different and I want to understand this better.
The first one for sure, second one — to an extent. If you publish “objectionable” apps (we are told this will be used to combat malware) — your certificate will be revoked.
android is the notness, and well, so is the whole fucking web
next year this time, linuxphon/computer with removable drives and wired periferals ,do the stuff thay needs done, ignore the rest
the security theater can continue for those who want it,over there, yes, yes, up against the wall will be fine
Interesting comment. Do you have more information about this please:
> The industry-wide standards for character design, costume design, theming, even mechanics are all set based on these guidelines, which have evolved into ironclad requirements. You will not get funding for your game, nor support or approval from the major platforms (particularly consoles) without complying with these guidelines.
I don't personally play video games but have noticed a lot of disgruntled discourse around things such as "Body Type 1" and "Body Type 2" in lieu of "Male" and "Female" being implemented in new releases. Is that as a result of these guidelines?
Can an non-profit LLC verify itself and submit apps on behalf or anonymous developers after vetting their code? If so, that would probably a nice middle-ground.
The reaction to this change has truly changed my opinion that developer's opinions on a lot of subjects affecting the public's safety and security shouldn't be valued much (and yes, I realize I am on HN). If this is a bridge too far, then why should anyone listen to devs about "we can't backdoor cryptography" and things like chat control and more? You can't make every hill the hill you die on. I wouldn't even be against requiring a professional certification organization for developers before they're allowed to publish software to the masses. I would very much find it unpleasant, but we live in a society. You need a license to drive, to be a doctor, engineer and just about any profession where people's safety and well being is in jeopardy. Even real estate agents are licensed! and people all up in arms about a simple id verification.
This is just to address malicious code. How does the public know your code isn't full of vulnerabilities, that you're not selling their data to the highest bidder? How do they know that you have a good understanding of secure coding practices and knowledge of privacy laws? Let's talk about that instead, if you publish software for a private group of people, there should be no restrictions. If you're publishing it on a platform that would expose your software to billions of people, get a license after id verification and passing a globally standardized exam (multiple choice and a practical coding exam!).
See, the big disconnect is that most developers see software as something similar to writing a book or selling a home-made item on etsy or ebay. But in reality, it's more like manufacturing a car or a gun, or opening a bank (if your app takes payments), or even opening a restaurant or a food truck. all these things require licensing. The malware and privacy loss people suffer is akin too food poisoning, car accidents,etc.. but since it all happens virtually and there is typically no physical harm, developers are dismissive of it. This isn't the 90's anymore, people's lives and livelihoods are all online, all the security measures you can take, using signal for chat, passkeys and password managers for creds,vpns,etc.. and you're still one legit looking app install away, one convincing phish away from your phone being compromised along with all your accounts, finances , job and your entire life as you recognize it from being harmed or destroyed.
I urge you all to temper passions with reason and practicality.
The umbrella organisation signing apps is not impossible, as far as I know. But it would need to be pretty cautious, because if Google revokes its registration, that could block all the apps it has signed at once.
It's hard to see how you could get the necessary level of careful code review with just volunteer effort. But I suspect that most developers who don't want to register with Google are also unlikely to pay money to a third party to work around this.
> I wouldn't even be against requiring a professional certification organization for developers before they're allowed to publish software to the masses
Is Google that organization? Because they themselves have decided that they are. I think what people are worried about is that Google is positioning itself to be the judge, jury, and executioner within such a licensing framework, not necessarily the licensing itself.
> This is just to address malicious code.
Yes, and if Google had shown that it's capable of identifying and rejecting malicious code distributed via its own app store, then maybe their proposed expansion of that security program to the entirety of the Android app ecosystem would carry some weight. But as it stands, their Play Store is full of user-hostile and often malicious apps[1].
> If you publish software for a private group of people, there should be no restrictions. If you're publishing it on a platform that would expose your software to billions of people, get a license after id verification
But that's exactly the opposite of what Google is doing, here, and why people are mad. Google isn't adding a new policy to their app distribution platform (the play store that grants exposure to billions of users), but rather they are forcing ID verification on any form of app distribution: If you want any regular user to be able to install your code, no matter how small the audience, you'll need to first give your identity to Google, and obtain a (paid[1]?) license. So the restrictions do apply to "a private group of people" too.
The crux, and what has people up in arms I think, is the overreach of Google's peoposed licensing policy to cover not only their own app distribution ecosystem, but all others targeting Android.
Many technical users of Android consider it to be a general purpose computing platform, and they want to retain the freedom to install and run whatever software they trust.
Google should focus their supposed concerns about regular user's safety on the user-hostile apps that they allow to exist in their own app store, rather than grasping for broader control that they'll "probably use at some point but only for good things like user security".
This isn't so bad. Unlike other mobile OSes (namely iOS and HarmonyOS), you will still be able to install whatever you like on Android over a USB debugging connection (adb) without any developer verification.
It doesn't take much effort to enable Developer Options, plug into a laptop and run "adb install whatever.apk". It's kind of like the floppy disk era again, having to physically insert things into one's computer to install software. Not a big deal.
At least as far as I understand, this would be a huge issue for F-Droid, to the extent that it isn't clear if it can continue at all. Half of my apps come from there, and gets automatically updated. Starting to download APKs manually and install them with ADB isn't impossible, but a huge downside.
ACCount37|5 months ago
Chrome isn't enough. We need Android to get clawed away from Google too.
thewebguyd|4 months ago
In a healthy market, Chrome, Android, and YouTube would and should be their on entities.
runting|5 months ago
prameshbajra|5 months ago
This makes no sense at all.
gruez|4 months ago
[1] https://en.wikipedia.org/wiki/File:User_Account_Control.png
samat|5 months ago
DecentShoes|5 months ago
itopaloglu83|4 months ago
We’ve got to a point where corporations are bigger than some countries and getting almost unlimited powers again.
yanosc|5 months ago
tokioyoyo|5 months ago
greatgib|4 months ago
I lobbied everyone for years against Apple devices, switching people to Android to have a little bit more freedom. Now Google Android will be the same shit.
If people working on Google are hanging out around here, please know that your company really sucks now...
wilsonnb3|4 months ago
Aren’t the changes only for Google certified Android devices, AKA those that come with the play store?
unknown|5 months ago
[deleted]
pr337h4m|5 months ago
realusername|5 months ago
Kwpolska|5 months ago
lukevp|5 months ago
Microsoft does this for Windows apps if you don’t want scary warnings popping up everywhere. Apple doesn’t even let you sideload at all for iOS and for macOS they do the forced trash malware thing unless you run commands to allow the app in the terminal.
Am I missing how this is different from what we already have on most platforms? Is it because you can’t force it to install the apps? Is there not a developer mode that lets you install unsigned apps, or a way to root the device to install apps?
rcxdude|5 months ago
(The fact that all those platforms still have malware, as well as the officially sanctioned google store, should also inform you about how effective this measure is for its stated goal)
jjav|5 months ago
Most? The only platform that is like that is ios.
On linux, in any form, I can run what I want.
On a mac I can run what I want.
On windows I can run what I want.
Obviously on BSDs, Illumos, etc, I can run what I want.
On android up to now, I can run what I want.
The one and sole exception where I don't really own the device and can't run what I want it ios (therefore I don't own anything that uses ios). And now google wants to join that evil club.
takluyver|5 months ago
Apple is of course locked down, but that's not news. The anger is because Android was the better option on this dimension.
Spivak|4 months ago
a456463|4 months ago
saubeidl|5 months ago
Goodbye NewPipe. Goodbye anything that doesn't align with Google's capitalist interest or American imperial interest.
john61|5 months ago
MrDresden|5 months ago
- Purism runs ancient hardware, charges way too much and has questionable business ethics.
- Pine64 has equally bad hardware but reasonable prices. I don't like the Hong-Kong connection though. Not sure how the security patching environment is in practice.
The only option on the table as I see it is buying from the devil and installing GrapheneOS.
samat|5 months ago
ahartmetz|5 months ago
sunaookami|4 months ago
notrealyme123|5 months ago
Seems like that will change soon.
nine_k|5 months ago
MrZander|5 months ago
Absolute bullshit Google. You have no right telling me what I can and cannot run on my own devices. Regardless of how I choose to install it.
Spivak|4 months ago
I mean hey, at least we all know now that they aren't.
u5wbxrc3|5 months ago
MrDresden|5 months ago
Just wished there was a viable* FOSS Linux based mobile OS project out there that I could offer my time and energy to instead.
orangecat|5 months ago
MrDresden|5 months ago
rom1v|5 months ago
No, it's not.
realusername|5 months ago
hn92726819|5 months ago
bitwize|4 months ago
eminence32|5 months ago
I know both are objectionable in their own way, but these two scenarios are quite different and I want to understand this better.
samat|5 months ago
curiousgal|5 months ago
ExpertAdvisor01|4 months ago
unknown|5 months ago
[deleted]
unknown|5 months ago
[deleted]
mrlonglong|4 months ago
It's disappointing that google has turned evil.
I loved how easy it waa to mod things in the beginning. All that is now gone.
metalman|4 months ago
Cameri|4 months ago
valeriaortiz|4 months ago
[deleted]
bitwize|4 months ago
[deleted]
wrf|4 months ago
> The industry-wide standards for character design, costume design, theming, even mechanics are all set based on these guidelines, which have evolved into ironclad requirements. You will not get funding for your game, nor support or approval from the major platforms (particularly consoles) without complying with these guidelines.
I don't personally play video games but have noticed a lot of disgruntled discourse around things such as "Body Type 1" and "Body Type 2" in lieu of "Male" and "Female" being implemented in new releases. Is that as a result of these guidelines?
add-sub-mul-div|4 months ago
notepad0x90|5 months ago
The reaction to this change has truly changed my opinion that developer's opinions on a lot of subjects affecting the public's safety and security shouldn't be valued much (and yes, I realize I am on HN). If this is a bridge too far, then why should anyone listen to devs about "we can't backdoor cryptography" and things like chat control and more? You can't make every hill the hill you die on. I wouldn't even be against requiring a professional certification organization for developers before they're allowed to publish software to the masses. I would very much find it unpleasant, but we live in a society. You need a license to drive, to be a doctor, engineer and just about any profession where people's safety and well being is in jeopardy. Even real estate agents are licensed! and people all up in arms about a simple id verification.
This is just to address malicious code. How does the public know your code isn't full of vulnerabilities, that you're not selling their data to the highest bidder? How do they know that you have a good understanding of secure coding practices and knowledge of privacy laws? Let's talk about that instead, if you publish software for a private group of people, there should be no restrictions. If you're publishing it on a platform that would expose your software to billions of people, get a license after id verification and passing a globally standardized exam (multiple choice and a practical coding exam!).
See, the big disconnect is that most developers see software as something similar to writing a book or selling a home-made item on etsy or ebay. But in reality, it's more like manufacturing a car or a gun, or opening a bank (if your app takes payments), or even opening a restaurant or a food truck. all these things require licensing. The malware and privacy loss people suffer is akin too food poisoning, car accidents,etc.. but since it all happens virtually and there is typically no physical harm, developers are dismissive of it. This isn't the 90's anymore, people's lives and livelihoods are all online, all the security measures you can take, using signal for chat, passkeys and password managers for creds,vpns,etc.. and you're still one legit looking app install away, one convincing phish away from your phone being compromised along with all your accounts, finances , job and your entire life as you recognize it from being harmed or destroyed.
I urge you all to temper passions with reason and practicality.
takluyver|5 months ago
It's hard to see how you could get the necessary level of careful code review with just volunteer effort. But I suspect that most developers who don't want to register with Google are also unlikely to pay money to a third party to work around this.
avaq|5 months ago
Is Google that organization? Because they themselves have decided that they are. I think what people are worried about is that Google is positioning itself to be the judge, jury, and executioner within such a licensing framework, not necessarily the licensing itself.
> This is just to address malicious code.
Yes, and if Google had shown that it's capable of identifying and rejecting malicious code distributed via its own app store, then maybe their proposed expansion of that security program to the entirety of the Android app ecosystem would carry some weight. But as it stands, their Play Store is full of user-hostile and often malicious apps[1].
> If you publish software for a private group of people, there should be no restrictions. If you're publishing it on a platform that would expose your software to billions of people, get a license after id verification
But that's exactly the opposite of what Google is doing, here, and why people are mad. Google isn't adding a new policy to their app distribution platform (the play store that grants exposure to billions of users), but rather they are forcing ID verification on any form of app distribution: If you want any regular user to be able to install your code, no matter how small the audience, you'll need to first give your identity to Google, and obtain a (paid[1]?) license. So the restrictions do apply to "a private group of people" too.
The crux, and what has people up in arms I think, is the overreach of Google's peoposed licensing policy to cover not only their own app distribution ecosystem, but all others targeting Android.
Many technical users of Android consider it to be a general purpose computing platform, and they want to retain the freedom to install and run whatever software they trust.
Google should focus their supposed concerns about regular user's safety on the user-hostile apps that they allow to exist in their own app store, rather than grasping for broader control that they'll "probably use at some point but only for good things like user security".
1: https://f-droid.org/en/2025/09/29/google-developer-registrat...
saubeidl|5 months ago
Where "malicious" is defined as anything that Google or the American Empire doesn't agree with.
runting|5 months ago
It doesn't take much effort to enable Developer Options, plug into a laptop and run "adb install whatever.apk". It's kind of like the floppy disk era again, having to physically insert things into one's computer to install software. Not a big deal.
yoavm|5 months ago
po1nter|5 months ago
maest|4 months ago
This is clearly a troll, confirmed by the green username.