Does anyone here actually support Google’s Developer Verification?

I don’t. I’ve put a warning about it in my repo because I’m against policies like sideloading restrictions, forced ID verification.

Curious what other devs here think. Is Play Store still worth the hassle?

  • vapeloki@lemmy.world
    link
    fedilink
    arrow-up
    8
    arrow-down
    65
    ·
    edit-2
    1 day ago

    Yes I am.

    I spend a long time of my career in IT Sec.

    80% of android users will freely install whatever APK from wherever.

    Info stealer infected fake apps are a massive risk to a huge part of the user base.

    Yes, it will get a little bit more complicated to sideload. But nobody is prevented from it.

    And everybody that is against user protection (and yes, this is fucking user protection, just not for you) is invited next Christmas to de-worm the android devices of my family without wiping them.

    EDIT for all those that only read the memes. Sideloading will NOT be disabled. You have to jump though extra hoops.

    Yes, the way they do this is not even testable yet and we can argue over details.

    I support the principal idea, as someone who had to live with the fallout of people who installed “it support apps” because someone told them to

      • flyingSock@feddit.org
        link
        fedilink
        arrow-up
        8
        arrow-down
        2
        ·
        1 day ago

        maybe because it was to easy to upload to the googleplay store. Maybe there should be some kind of verification of the person uploading. How could this be accomplished?

        Joking aside I don’t think side loading should be encoumbered like this, but for the official app store it makes sense.

    • altkey (he\him)@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      12
      arrow-down
      1
      ·
      1 day ago
      1. Google being a private american company that claims the authority of what is okay and not okay on most devices over the world is problematic, especially in the context of ICE tracking apps, VPN apps, private messaging apps etc. They take this power but don’t take responsibility and would not be put into court if this measure would be proven useless if not harmful. I still remember how they complied with deleting Navalny’s app from russian app store and nothing stops them from revoking said IDs as well if they don’t like what dev does for a reason they’d not care to explain.
      2. The side-benefit of that is a manifest v3-style hunt for those who still use their computing devices without watching ads. Alternative apps for social networks and google’s own resources is probably the only category I know half-savvy people still intentionally install, sometimes going out of their way for that. While this seems small, adblocking was too, and piracy was never anyone’s problem, but by totally crumbling it once again some CEO can get a bonus.
      3. We are talking about Google’s Android, they had around 15 years to fix the swiss cheese their OS is, to clean obvious garbage from their app store, with modern phones you need to jump through the hoops to enable apk installation and even more hoops to root it, and it still isn’t perceived as safe, but does feel like a closed garden iPhone without benefits of having an iPhone - quality basic apps, curated store and need of israeli hack tools to reliably break in. Small scammers still get their bread and butter by sending links to infected files, big scammers vacuum everything you ever have with no explicit user’s agreement, and I don’t see how that would change with ID requerement they are no bank or government to ask for, but they’d, soon.

      I think you should invite people to join you on not one, but two Christmasses to compare before and after. I’m sure they won’t magically fix things this time, at best it would be a little setback not changing much in the end. What it would do is directly giving Google even more power while hurting open source community, alternative appstores and OSes.

    • hneerqe@lemmy.world
      link
      fedilink
      arrow-up
      12
      arrow-down
      1
      ·
      1 day ago

      80% of android users will freely install whatever APK from wherever.

      I should care because? Do they care about me not wanting google shoved in every aspect of my life?

        • Danitos@reddthat.com
          link
          fedilink
          arrow-up
          11
          ·
          1 day ago

          “Google shouldn’t have restricted Android, that’s their (anti-user) choice, isn’t it???”

          The other party shouldn’t be able to unilaterally chance the terms. It is my phone, after all, and I strongly believe I should be able to do whatever I can with the devices I own.

          Even then, what other choice for an usable but actually of property of the user phone do you suggest? iPhone?

          It’s also extremely convenient for Google, a company lobbying ID laws, to add ID harvesting; or for Google, a company pushing for anti-user behaviour to add anti-user behaviour. If this was about security, they would stop shipping spyware, and take security seriously, something they do not.

          • vapeloki@lemmy.world
            link
            fedilink
            arrow-up
            2
            arrow-down
            2
            ·
            1 day ago

            How about an apple phone?

            Or how about that: projects like Linux and Ubuntu phones died because there was no interest in it, because there was Google. And now, everybody wants an alternative.

            They are out there, you can use opensource Android forks, you don’t have to use Google

            • hneerqe@lemmy.world
              link
              fedilink
              arrow-up
              8
              arrow-down
              1
              ·
              1 day ago

              Android forks

              Soon to be locked out from participating in society because of play integrity, digital IDs and age verification. The EU is very likely to use strictly Apple/Google, the very monopolists they “despise”. Don’t give me the “just go to the post office by foot”… I could also “technically” live in a cave, I guess. Man stfu, your bullshit doesn’t stick here.

              • vapeloki@lemmy.world
                link
                fedilink
                arrow-up
                2
                arrow-down
                2
                ·
                1 day ago

                Ah another myth “the EU App”, I will not go I to detail, but each member state must implement its own app. Yes, the reference implementation uses Google services currently, but there is not a single , working , published app! Not one.

                • hneerqe@lemmy.world
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  24 hours ago

                  So I’ll be back at the end of the year, be proven right and you got your pay and your karma anyway.

                  • vapeloki@lemmy.world
                    link
                    fedilink
                    arrow-up
                    1
                    arrow-down
                    1
                    ·
                    24 hours ago

                    Proven right with what? To be clear; I can not see in the future and if member states copy the EU implementation 1:1, then at least we can fight against it in that level. Because, an implementation relying ok US Google would violate multiple European regulations.

                    But as it seems, misinformation and propaganda won, facts are now subjective and we just give up and bow to big corpo, because those shit hats profit from exactly this kind of bullshit.

      • vapeloki@lemmy.world
        link
        fedilink
        arrow-up
        1
        arrow-down
        7
        ·
        1 day ago

        Because I think we should protect people that are not tech savvy. I am open for a debate

        • thingsiplay@lemmy.ml
          link
          fedilink
          arrow-up
          10
          ·
          1 day ago

          Total control and taking away freedom is not negotiable. Not literally, but: “Maybe we should ban programming languages on Windows and Linux too, because it could be used to program viruses. We should protect the not so tech savvy.” See what I mean? Instead we should look forward to a better way of helping them. The proposed way of Google is not acceptable.

        • dubyakay@lemmy.ca
          link
          fedilink
          arrow-up
          7
          ·
          1 day ago

          Your heart is in the right place, but your mind is not.

          Google et.al. is pushing for IDV in every segment due to lobby pressure from meta to build REAL user database for advertisement purposes in the age of LLM drivel. Every “protect the *” has meta’s government lobbyists behind it.

          There could be alternative approaches, but meta’s goals just so happens to align well with a fascist government’s that thinks they need to stamp out dissenting voices and anonymity.

          • vapeloki@lemmy.world
            link
            fedilink
            arrow-up
            2
            arrow-down
            1
            ·
            1 day ago

            Not denying that there could be better ways, and also, that was never the question .

    • lime!@feddit.nu
      link
      fedilink
      arrow-up
      21
      ·
      edit-2
      1 day ago

      so the real-world id requirement is also user protection? play store is basically an info stealer at this point.

    • TrickDacy@lemmy.world
      link
      fedilink
      arrow-up
      11
      arrow-down
      1
      ·
      1 day ago

      80% of android users will freely install whatever APK from wherever.

      A ridiculous and absurd lie. 90% have zero clue what one is, let alone go into the developer settings (there are one, maybe two settings you have to enable) to change the settings to even make that possible. Why are you lying about this? It’s weird.

      • vapeloki@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        8
        ·
        1 day ago

        I am lying? OK, so is:

        I have over 2 decades of background in hardcore IT-Sec, i know my stuff. And you? What is your qualification, where are your sources?

        • TrickDacy@lemmy.world
          link
          fedilink
          arrow-up
          8
          arrow-down
          1
          ·
          edit-2
          1 day ago

          I have over 2 decades of background in hardcore IT-Sec, i know my stuff. And you? What is your qualification, where are your sources?

          I wonder if a statement like this ever once convinced anyone of anything. My guess would be it nearly always has the opposite effect. You basically told me that whatever I know doesn’t matter because “trust me bro”. For all I know, you’re the worst source ever for literally every topic. Your articles didn’t back you up. Why do people bother with shit like this? “I’m an expert so what I say goes” is idiotic and in no way addresses the common sense point I was making: the average person definitely doesn’t know or install apks because of fucking course they don’t. If you said 80% would if scammed, that’s at least plausible but I’m not even sure I could believe that. The well is poisoned now in any case so you’re not convincing anyone here after this… Whatever masturbatory shit this was. Or just shilling for a corporation? Who the fuck knows

          • zod000@lemmy.dbzer0.com
            link
            fedilink
            arrow-up
            6
            ·
            edit-2
            1 day ago

            He just using the old “Argument from Authority” logical fallacy. I’ve worked with tons of people, even those that did in fact “know their stuff”, that thought it was perfectly valid to dismiss others because of their experience being more extensive than others. Ironically, after I’d prove these people wrong in serious matters (usually several times), I somehow got added to the nebulous authority whitelist in their head. I don’t want to just be believed became I’m dammit, believe me when I’m correct and provide evidence!

            • TrickDacy@lemmy.world
              link
              fedilink
              arrow-up
              3
              arrow-down
              1
              ·
              1 day ago

              You do, actually.

              I have over 2 decades of background in hardcore IT-Sec, i know my stuff. And you? What is your qualification, where are your sources?

              This translates to anyone who isn’t you to:

              I know a lot, you know very little. Trust me, not you.

              And again if you’re going to make this 80% claim and then say you sourced it, don’t link shit that’s sort of related but in no way backing up that claim. No one here is saying malware isn’t a problem. You’re getting downvoted for making specific claims which are absurd.

              • vapeloki@lemmy.world
                link
                fedilink
                arrow-up
                3
                arrow-down
                1
                ·
                1 day ago

                That is a general issue of online debates.

                I can not squash 20 years of daily learning into a comment.

                I can point you to sources where you can verify it our self. Social engineering studies, blog post about campaigns from other researchers.

                Placing m credentials there is my kind of saying “I have insight, ask”, but how do you think should something like this communicated.

                We have a highly sensitive topic, with a lot of obsolete or just misinformation.

                It is a highly complex topic that can not be simply understood by most persons, but social media opens a place for debate anyways.

                There are many other examples for this happening and it is bad. Very bad.

                Another example Google wants to get rid of third party cookies. Instead they want to to adspace action on your local system. In our browser, protected. But bad, because Google. Firefox could implement the same API on better, but no, bad because Google.

                Google is not the good guy. But just throwing out every fucking Idea because Google Had it (or was forced into it, allowing sideloading again was because of pressure) is just not what we need

                • TrickDacy@lemmy.world
                  link
                  fedilink
                  arrow-up
                  1
                  arrow-down
                  1
                  ·
                  edit-2
                  1 day ago

                  This is so much beating around the bush. Somehow you’ve managed to ignore the 15 times I’ve pointed it out: most users do not install apks. That’s all. You claimed they did and I said that was dumb. So anything else is just a distraction from the point I was trying to make. Google is pretty shitty but you might have a point that not everything they do is shitty… But that’s not what the conversation started as. And I don’t really care to change the subject at this point.

                  • vapeloki@lemmy.world
                    link
                    fedilink
                    arrow-up
                    2
                    arrow-down
                    1
                    ·
                    1 day ago

                    How do you now that?

                    Again, the ability to install a completely unverified APK is used in real, successful, attacks.

                    The user DOES NOT KNOW WHAT HE IS DOING! That is the entire point!

                    If users would know what this is and understand, maybe it would be less if a risk.

        • TrickDacy@lemmy.world
          link
          fedilink
          arrow-up
          5
          arrow-down
          2
          ·
          1 day ago

          Given that your first article says nothing about 80% I’m not continuing to click your links.

          I was being generous when I said 90%.

          Source: I have ever spoken to another human.

          • vapeloki@lemmy.world
            link
            fedilink
            arrow-up
            2
            arrow-down
            2
            ·
            1 day ago

            Because people do not know what apps are and that they can be installed via sideloading, faked appstores and more, they are vulnerable.

            If I ask a “normal” person if the ever drunk di-hydrogen-monoxid they would say no, because they have no idea this is water

            • TrickDacy@lemmy.world
              link
              fedilink
              arrow-up
              3
              arrow-down
              3
              ·
              1 day ago

              Okay either you’re trolling or clueless. Because you just made my argument for me. How exactly are people who don’t know what an app is going to enable side loading and then do it? That makes no sense whatsoever.

                  • vapeloki@lemmy.world
                    link
                    fedilink
                    arrow-up
                    3
                    arrow-down
                    1
                    ·
                    1 day ago

                    I am 100% serious. Maybe you should look up what social engineering is and how it works.

                    People install TeamViewer and other stuff on their desktop, the execute commands in their terminal without nowing what it is.

                    ou have clearly 0 qualifications to talk about it security

    • Cassa@lemmy.blahaj.zone
      link
      fedilink
      arrow-up
      17
      ·
      1 day ago

      so your family’s devices get their apps from outside the play store?

      people are effectivly prevented from sideloading. not “just a little more complicated”

      • iByteABit@lemmy.ml
        link
        fedilink
        arrow-up
        14
        arrow-down
        1
        ·
        1 day ago

        of course nana uses adb exclusively to install apps on her smartphone, after all this is a totally real story about user protection right?

    • skyline2@lemmy.dbzer0.com
      link
      fedilink
      arrow-up
      8
      ·
      1 day ago

      Alternate stores like Accrescent and FDroid are blocked by this policy, and Google refuses to implement any mechanism for authorising at the store level either. Store level authorization is an obvious alternative to verification of each individual app.

      Both Accescent and FDroid have some oversight processes in place, and do not contain “random” APKs. Googles actions show the real motive, which is control… not security.

        • skyline2@lemmy.dbzer0.com
          link
          fedilink
          arrow-up
          5
          arrow-down
          1
          ·
          1 day ago

          They are de-facto “blocked” for developers that refuse to submit their identity to Google. I think you might not be understanding the implications of Google’s policy, please read this open letter to learn more: https://keepandroidopen.org/open-letter/

          If a developer doesn’t submit to identify verification, under the new system their app could not be installed regardless of what store it is distributed on.

          Needing individual devs to identify themselves directly to Google is invasive. Stores, however, could identity themselves to Google (or the world) as having security processes in place. Then they could be allowed as official 3rd party stores, similar to how the Linux repository system works.

              • vapeloki@lemmy.world
                link
                fedilink
                arrow-up
                1
                ·
                21 hours ago

                You have to enable it. And I would love a dedicated switch.

                Currently, you need to enable third party install sources.

                And one could argue that the fact that most people will not enable developer mode is a clear sign that this is a protection.

                In my very very personal opinion: people that do not want to enable developer mode should maybe not install apps from third parties. Developer mode itself unlocks a few switches, and none of them is enabled per default. This is a pretty safe action IMHO.

                There is a way to avoid this, but this is the device owner mode. You need an app that takes full control over device ownership, and those apps are allowed to do anything including installing any app.

                One example is OwnDroid.

                An opensource app that is signed by a dev and allows to manage install sources would be a working solution with better security.

                If someone builds it

                • skyline2@lemmy.dbzer0.com
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  18 hours ago

                  IMO the answer from a security perspective is that the Linux distro “official repo” model is about as good as it gets. However somehow we still have Fedora COPR, openSUSE OBS, Arch AUR, etc. Those are essentially like FDroid. If someone can solve the problem of why apps can’t be easily just added and controlled in the official repos, maybe we’d be getting somewhere. Seems to be an industry issue.

    • Avid Amoeba@lemmy.ca
      link
      fedilink
      arrow-up
      7
      ·
      1 day ago

      for all those that only read the memes.

      For someone who possibly considers themselves better informed than others, you’re seem to be missing the fact that Google’s plan had no option for sideloading unverified apps until a sizeable outcry from us (a lot of professional developers and users). Unverified app installation was only allowed (via new hoops) after this action. For now. The fact that Google’s plan did not have an option for installing unverified apps shows us what they really want. Therefore it won’t be surprising if they make it increasingly difficult or impossible in the future.

      • loutr@sh.itjust.works
        link
        fedilink
        arrow-up
        2
        ·
        1 day ago

        I’m pretty sure they originally planned to allow sideloading through ADB, but I might be mistaken.

        • Avid Amoeba@lemmy.ca
          link
          fedilink
          arrow-up
          2
          ·
          edit-2
          1 day ago

          I think I recall the same. Otherwise development would be a nightmare. But then again, that isn’t remotely equivalent to sideloading (as colloquially understood) and would still kill F-Droid. Not saying you’re saying it’s equivalent.

          • forestbeasts@pawb.social
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            12 hours ago

            What Apple does is they give you a temporary certificate that expires in like a week.

            Works for development. Makes actually using your own apps impossible.

            – Frost

    • Pollo_Jack@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      ·
      1 day ago

      At least make it a toggle, like you need to request access for your account for your phone.

      Kneecapping everyone because idiots exist is idiotic.

      • Pika@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 day ago

        It is a toggle. they just locked said toggle behind a 24 hour time lock. It’s ridiculous. I think if they kept it the way it was without said time lock it wouldn’t be anywhere near as controversial.

        • thingsiplay@lemmy.ml
          link
          fedilink
          arrow-up
          2
          ·
          20 hours ago

          I don’t want Google to control how many and often I install apps or update them. Imagine having this 24 hour time lock on your PC. Do you know how many people get scammed or malware on PC? Should this be adopted everywhere, because its a good solution? Off course its ridiculous. 24 hour time lock is not acceptable solution. The is literally the worst toggle I have seen in my life.

          That’s not even the only issue. Developers have to give their identity / pass to Google. That alone is a multi-worm-level of issue. Google doesn’t care about its users, they only care about controlling the market and everyone.

    • curbstickle@anarchist.nexus
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      1
      ·
      1 day ago

      So with your career in ITSec, you’re aware of the massive amount of malware found in the play store? That it has historically been the main distribution vector for malware?

      You have to jump though extra hoops.

      You are downplaying the hoops here by a lot. To install software on my own phone.

      Stop calling installing software “side loading”. Its nonsense.

      • vapeloki@lemmy.world
        link
        fedilink
        arrow-up
        2
        arrow-down
        2
        ·
        1 day ago

        I k ow that the Playstore is also full of crap, I don’t deny this.

        But, just because our back window does not close correctly, do you leave the front entrance open?

        Not the best analogy maybe, but a visual one

        • curbstickle@anarchist.nexus
          link
          fedilink
          English
          arrow-up
          4
          ·
          1 day ago

          Except you have it backwards. The play store is the primary vector. The play store is also pre-installed on Android devices, and even without the whole verification nonsense, you still need to allow a different app repository to install.

          Not cleaning their own play store up first means it has nothing to do with what they are claiming. And lets be candid - they have absolutely not.

          The analogy is bad specifically because its not reflecting the issues anywhere near accurately. This is closing a window on the second floor while the front door is wide open with a sign that says “Come on in!”.

          • vapeloki@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            1 day ago

            That assumes that Google does not do anything about the appstore and that is objectively not true.

            Is it enough? No ideas, but still, it does not change the need for better endpoint security.

            • curbstickle@anarchist.nexus
              link
              fedilink
              English
              arrow-up
              4
              ·
              1 day ago

              I firmly disagree. The issue has nothing to do with the endpoint. They have done very little with the play store relative to this massively impactful change to installation practices in creating a walled garden - precisely the reason many, myself included, chose not to go with iOS in the first place.

              So the very idea that this is an endpoint security issue rather than an app store issue is, to me, laughable at best.

              • vapeloki@lemmy.world
                link
                fedilink
                arrow-up
                1
                ·
                1 day ago

                Then we agree to disagree.

                I think we are manly on the same page, but different opinions on priority and that’s fine.

                I declare both as a risk.

                From my perspective, with this change, we could make Google directly reliable for malware in the appstore.

                While this started as a very anti consumer change, as long as sideloading stays possible, this is a good measure.

                • curbstickle@anarchist.nexus
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  ·
                  edit-2
                  1 day ago

                  we could make Google directly reliable for malware in the appstore.

                  There is no reason they shouldn’t be now. Developer verification for the play store is one thing. Developer verification for installing an application on your own device is wholly separate.

                  I declare both as a risk.

                  And one is substantially higher risk than the other. Namely, the play store. As we recently saw with tens of millions of downloads from just a handful of apps in the play store. Does requiring this developer verification on a device resolve that problem? No. Not even remotely, does it?

                  While this started as a very anti consumer change

                  As long as it impacts the device use (it does), it still is.

                  I’m leaving Android over this. I doubt I’ll be the only one.

                  • vapeloki@lemmy.world
                    link
                    fedilink
                    arrow-up
                    1
                    ·
                    1 day ago

                    I’m leaving Android over this. I doubt I’ll be the only one.

                    Good! I hope alternative mobile operating systems get traction out of this!

                    And again, there is no verification need anymore! That is exactly why I am so pissed about this debate in general.

                    Is the workflow simple? No. Is the 24hour period comfortable? No. Do I understand why? Yes, but one or two hours would be enough