alt.hn

3/30/2026 at 10:05:21 PM

Android Developer Verification

https://android-developers.googleblog.com/2026/03/android-developer-verification-rolling-out-to-all-developers.html

by ingve

3/30/2026 at 11:23:57 PM

The Android verification is such a broken experience. Recently I decided to purchase a dev account for my company, so far:

1) Provided my company DUNS number etc. once to create the payment profile. I did this some time ago, don’t remember the details but it was an involved verification process and it is marked as verified business payment profile.

2) Later on the payment step verified myself with a passport and bank statement to be able to actually pay with a proper HSBC bank card. Not shady pre-paid card or something, those are not accepted anyway.

3) After I paid I was told that now I need to verify my identity once more but this time with the passport and the incorporation certificate or some other company document.

Fingers crossed that in a few days it will be verified. While waiting, it tells me that there are still website and email verification to do once the previous step is done. I already verified my e-mail a few times before paying.

It’s painful, slow and annoying because if you fail at a step (i.e. needs verification that takes days and you are told about it at the payment step) you have to start again with the forms.

I just remembered why I never use Android. It seems like no one owns the process and as a result you get unpolished shitty experience that fulfills the requirements of god knows how many people who work in the same company but don’t talk to each other.

by mrtksn

3/31/2026 at 4:24:52 PM

I released an Android app to the Play Store ~10 years ago and the most important advice people were always sounding alarms about online in Android dev communities was to not publish under your real Google account you care about, because it's not unlikely a bot will ban your entire account because of some vague infraction that's near impossible to appeal.

Google seems to actively hate people who develop for their platforms. Which I don't believe is a good move with their current hand, where young people in wealthy countries (i.e. the future of people who will spend money on apps) are something like 90% iPhone users these days.

by hbn

3/31/2026 at 1:58:18 AM

The whole Google Play experience is awful.

Recent things I've had to do:

1) Re-submit an app after it was rejected and labelled a gambling app (it wasn't even close - a 15 second look by a real human would have seen that). This one was even appealed and the support was utterly useless. I ended up changing one word and re-submitting the app, approved no problem.

2) An existing app, in the Play store for years but a nice app - only about 500 installs. I had to submit a new version for no reason whatsoever... Except to keep the customer's developer account active.

Those are just issues I've dealt with in the last month or two.

Every single time, Google Support is completely useless - including the appeals process, which is an absolute joke.

by lm411

3/31/2026 at 2:03:55 AM

Not to mention if you made one app in college and then didn't keep up with the SDK updates, Google perma-closes the entire Play account such that the only way to publish a new app is by creating a brand new gmail account

by umvi

3/31/2026 at 2:15:22 AM

Forcing people to keep up with SDK updates is a bad thing in itself. Let people target the earliest possible feature set and make the app run on as many phones as possible rather than showing scary messages to people due to targeting an older API.

by Dwedit

3/31/2026 at 2:58:09 AM

I think the problem is that older SDK versions allowed you to do things like scan local WiFi names to get location data, without requiring the location permission.

So bad actors would just target lower SDK versions and ignore the privacy improvements

by AussieWog93

3/31/2026 at 3:24:28 AM

The newer Android version could simply give empty data (for example, location is 0,0 latitude longitude, there are no visible WiFi networks), when the permission is missing and an app on the old SDK version requests it.

Of course, they don't like this because then apps can't easily refuse to work if not allowed to spy.

by john01dav

3/31/2026 at 4:43:28 AM

That can have some very extreme legal ramifications.

Consider - it's a voip dialing client which has a requirement to provide location for E911 support.

If the OS vendor starts providing invalid data, it's the OS vendor which ends up being liable for the person's death.

e.g. https://www.cnet.com/home/internet/texas-sues-vonage-over-91...

which is from 2005, but gives you an idea of the liability involved.

by jpollock

3/31/2026 at 5:41:36 AM

Phone companies are required to make sure 911 works on their phones. Random people on the internet aren't required to make sure 911 works on random apps, even if they look like phones.

by pocksuppet

3/31/2026 at 3:57:48 PM

The comment you're replying to literally has an example of an internet calling service being fined $20,000 for not properly directing 911 calls.

I guess Vonage should try to appeal the case and say pocksuppet said they're not required to do that.

by squeaky-clean

3/31/2026 at 5:40:19 AM

It can't have "extreme ramifications", Google's own phone couldn't call 911 for a while.

And you can manually force only the voip dialing apps instead of everyone

by eviks

3/31/2026 at 2:13:15 AM

Yeah the SDK updates... For sure. Another pain in the ass.

by lm411

3/31/2026 at 3:16:12 AM

Maybe it's better now, though I doubt it, but my experience publishing on the Apple app store years ago wasn't any better.

by thayne

3/31/2026 at 3:04:21 AM

So what was the word you changed?

by fakwandi_priv

3/31/2026 at 3:20:50 AM

That sounds a lot like my experience as an Apple Developer too, with the added bonus (unclear from your description if you experienced this too) that they took my money before the verification process was finished and wouldn't refund it once their AI couldn't connect my face to my ID and wouldn't let me connect with a real person (the first dozen times were on them, but after that it was maybe my fault for including a middle finger in the photographs).

Is there a way around this shitocracy?

by hansvm

3/31/2026 at 6:41:18 AM

Develop only Web applications, that are mobile friendly, notice I said mobile friendly, not PWA.

However, thanks to many of us that only favour Chrome like IE of yore, and ship it alongside their "native" applications, the Web is nowadays ChromeOS Application Platform, so we are only a couple of years away of Google owning that as well.

by pjmlp

3/31/2026 at 5:40:57 AM

Going through hell with Apple Developer too. I didn't have to do much in terms of verification (probably because I created an account as an individual) but app submission is another story:

- first time I got rejected for mentioning a name of a third party in my app description. The app description said: DISCLAIMER: not affiliated with xxx

- after fixing the app description I got rejected for using my app name(?!), multiple back and forths with the reviewer got me nowhere, they just copy pasted the same response not addressing my messages at all

- filled the app store review board appeal, it's been 5 days and I've got no response.

At this point I'm seriously considering rewriting the app for MacOS and distributing myself. I can't imagine going through all of this with every app update, it's beyond ridiculous.

by _66o

3/31/2026 at 3:19:43 PM

Lieutenant Appleby rejected my submission almost immediately. The notice informed me that I had committed the grave offense of impersonating a third party in the description.

"I didn't impersonate a third party," I explained in my message to Lieutenant Appleby. "I only wrote a disclaimer stating: Not affiliated with ACME."

"Exactly," Lieutenant Appleby replied. "By stating you have nothing to do with ACME, you have involved ACME. Therefore, you are unlawfully impersonating an unaffiliated party."

"But I only mentioned them to prove I wasn't affiliated with them!"

"Which is a violation," Lieutenant Appleby pointed out.

It was a Catch-22. The Guidelines stated that to prove you were not affiliated with a third party, you had to write a disclaimer. But to write the disclaimer, you had to type the third party’s name, which was a strict violation of the rule against mentioning third parties you were not affiliated with.

I deleted the disclaimer, thereby making myself safely affiliated with nobody by refusing to acknowledge anyone. I resubmitted the app.

Lieutenant Appleby rejected it again.

"What is it this time?" I asked.

"You are using your app's name," Lieutenant Appleby replied.

"Of course I am using my app's name," I replied back. "It is the name of my app."

"You cannot use that name. It is trademark infringement."

"Infringing on whose trademark?"

"The app's."

"But I am the app! It is my app!"

"Which is exactly why you cannot use it," Lieutenant Appleby wrote patiently. "If you use the app's name, you are impersonating the app. And impersonation is strictly forbidden by the Guidelines. An app cannot go around pretending to be itself!"

by GCUMstlyHarmls

3/31/2026 at 2:28:45 PM

At this point, my phone is PDA level, mostly useful for quick checks. I use a laptop for computing. I know as a tech nerd, I’m far out of the bell curve, but I can’t really bother with those shenanigans unless they’re paying me for it.

by skydhash

3/31/2026 at 7:12:19 AM

Play the GDPR card, even if you're not from Europe. Find their DPO and state that you want to appeal the automated decision to a human.

Companies operating in Europe must provide a clear way to appeal automated decisions: https://www.edps.europa.eu/data-protection/our-work/publicat...

You might not have a way to actually file a complaint against them but quite often, their legal department will just have a quick look at your case and just give you what you want without bothering to tell you anything. Worth a shot.

by edarchis

3/31/2026 at 4:52:13 AM

> Is there a way around this shitocracy?

Refuse to play. Switch to technology that the shitocracy has not gotten around to yet, or, eventually, pick up woodworking.

by cuu508

3/31/2026 at 7:05:54 AM

I am doing leatherworking as well as woodworking. No idea if it is possible to actually make money with this¹, but damned if I'm not giving it a go just to have skills in an area where AI is not a threat for the coming decade. At the very least these crafts allow me to make things which do not exist and cannot be purchased off the shelf.

1: I mean, it is, certainly. I'm just not sure if I can make money by making leather gear.

by Freak_NL

3/31/2026 at 6:44:22 AM

Exactly. This is why I love building web apps, shipping features easily without needing anyone's approval.

by kaizenb

3/31/2026 at 6:37:31 AM

Do what everyone is doing: a web app.

by ozim

3/31/2026 at 4:00:23 PM

> Is there a way around this shitocracy?

If you are in EU you could try complaining to your local DPA. That certainly sounds like "automated decision which produces legal effects concerning him or her or similarly significantly affects him or her" which is against article 22 of GDPR. Or you could consider suing them directly at least for the refund.

Outside of EU maybe try passing law like GDPR to actually get some rights back.

by buzer

3/31/2026 at 12:39:32 AM

If this is a business account why do they want your passport? And why are you paying with a personal bank card rather than a business one? Or do I misunderstand?

by fc417fc802

3/31/2026 at 1:34:58 AM

They may want proof that you, the human filling out this form, are authorized to publish apps, communications, etc. as the company you say you represent.

by __float

3/31/2026 at 2:04:06 AM

How does a passport solve that? Most small private companies are entirely opaque. A government ID doesn't help you determine authorization. It won't even help you determine ownership since anyone doing things sensibly will be using a registered agent to hold the company on his behalf.

The correct approach here (AFAIK) is to punt the trust decision to the bank by requiring payment with a method that you can confidently trace to the company.

by fc417fc802

3/31/2026 at 2:19:47 AM

Yeah I would imagine that the value they get out of a passport is not anything to do with validating a company (they’re cheap and easy to make anyway) but validating the person (which is not a throwaway entity)

by kube-system

3/31/2026 at 2:41:26 AM

Fair point.

However that invites those bad scenarios where someone gets blacklisted by BigTech in some manner, later gets hired by a small business, the new employer adds an association to the blacklisted account, and suddenly the company app is banned from the app store seemingly without reason. At least a few such stories have appeared on HN over the years.

I feel like pay to play ought to be sufficient because in addition to being a barrier to entry it also provides funds for moderation efforts.

by fc417fc802

3/31/2026 at 8:17:21 AM

>suddenly the company app is banned from the app store seemingly without reason. At least a few such stories have appeared on HN over the years.

Which is not that unreasonable even. If a person is flagged for making scam apps, them having publishing rights in a reputable place taints the reputation of such place.

You should be able to appeal of course and the oauth should not be towards google in the first place, but being associated with known fraudsters and scammers is not what you want.

by Muromec

3/31/2026 at 11:16:28 AM

That seems at odds with how our society is structured. We treat employees as interchangeable cogs. If someone commits a crime they are tried but their family, friends, and coworkers are not. Guilt by association without any act having been committed seems wholly incompatible with both our principles and common practices.

It's even more nefarious when it comes to BigTech because you can be blacklisted without having committed any actual crime and without anything resembling a trial.

Individual accounts and employee accounts are conceptually distinct. Permitting anything less gives large companies free rein to run roughshod over the individual by unilaterally depriving him of his livelihood.

by fc417fc802

3/31/2026 at 1:34:53 PM

> If someone commits a crime they are tried but their family, friends, and coworkers are not. Guilt by association without any act having been committed seems wholly incompatible with both our principles and common practices.

This is no longer the case, see the example of Hüseyin Dogru, a journalist who faces political EU sanctions (no trial) and now cannot transact with EU citizens or travel. Authorities have now seized the bank account of his wife and are treating her as if she is sanctioned, even though she is not, so their family is now broke and cannot even pay for food. Because they are not allowed to travel they cannot return to Switzerland.

This kind of blacklisting also comes up in non-sanctioned contexts with de-banking and political de-platforming based on government pressure. The world is headed to a very dark place.

by iamnothere

3/31/2026 at 4:10:05 AM

There are better ways to do it but Google has long demonstrated they’re not primarily concerned with accuracy or user experience, but instead, whichever solution can be automated and effective.

by kube-system

3/31/2026 at 4:20:11 AM

My government ID card expired and I was too lazy to renew it but I had my passport at hand so why not?

BTW both the id card and the passport have cryptographic authentication and you are able to open a bank account or use govt services completely online by scanning it with the phone RFID. They could have made me scan that, scan my face and be done with the identity verification. My identity is already verified and tied to my company the same way and also listed in the companies registry which means they could have skipped all the other company verification stuff too.

by mrtksn

3/31/2026 at 7:48:58 AM

That all makes perfect sense but consider that if they simply punted to the bank as I described they would still get the same benefits only with even less complexity. The bank fundamentally has to do robust identity verification. Any party that needs to handle payments while also lacking a reason to be good at performing in-house identity verification really ought to make use of the bank because you are highly unlikely to be better at it than they are.

The entire cumbersome process you describe can be viewed as Google doing a significantly worse job of verifying your identity than the bank would have.

As an aside, I suspect that leaving it to the bank would also provide additional legal protection. Specifically anyone attempting deception will most likely be forced to commit fraud against the bank which will probably be taken much more seriously than otherwise.

by fc417fc802

3/31/2026 at 7:59:09 AM

I agree, in Europe (EU, UK, Turkey and other countries) banks are considered perfect for proof of ID. In UK a bank statement is as good as an ID, in Turkey for example, you can sign in to the government portal through your online banking and it is considered higher level secure authentication and you can take high risk actions (like signing legally binding contracts) that you can't do by signing in just with password and 2FA.

by mrtksn

3/31/2026 at 8:13:56 AM

The bank has to perform the authorization and identity checks, but the bank will not make them for you, they do them for themselves based on their own risk analysis. The scope of authorization could also be different based on who it's presented to.

The authorization is not transitive so to say.

>As an aside, I suspect that leaving it to the bank would also provide additional legal protection

If it would, they will have to pay the bank for it and the bank should also be willing to accept the liability (spoiler alert -- they will not be willing to accept the liability)

by Muromec

3/31/2026 at 8:29:29 AM

Google wants the authority of a gatekeeper without the overhead of human accountability. They automate the "no" but offer no path to a human "yes."

by afferi300rina

3/31/2026 at 8:37:14 AM

That's all fine, they can want their wants, but then, once the bad cop writes them a strongly worded letter and they start throwing tantrums over "regulation".

by Muromec

3/31/2026 at 11:24:03 AM

> The bank has to perform the authorization and identity checks, but the bank will not make them for you

We aren't talking about authorization, only about identity verification. I'm no domain expert but it is my understanding that banks provide these sorts of services. They certainly already have all the necessary information on hand both for practical reasons (security) as well as legal (KYC and AML laws).

> If it would, they will have to pay the bank for it ...

For the identity verification? Probably, depending on how you went about it. What's the issue? This is already a paid process we're talking about here.

For the additional legal assurance that I described? No, that doesn't cost extra. Please read what I wrote more carefully. It's a transitive property due to the penalties involved in addition to the degree to which the legal system and the bank care (at least assuming my understanding of that legal environment is correct).

by fc417fc802

3/31/2026 at 2:24:44 AM

It’s entirely ordinary to carry on a business as a sole trader.

That is you, for tax and legal purposes in the jurisdictions within which you reside, an individual, operating a business by yourself as yourself.

by nandomrumber

3/31/2026 at 2:41:24 AM

Feels like too many owners. Each step makes sense, but the whole thing doesn’t.

by heyethan

3/31/2026 at 5:05:07 AM

You should see the account recovery workflows.

by intended

3/31/2026 at 12:05:48 AM

Can you pay with Google Play GC or Google Play points, and if not, why not?

by hnburnsy

3/31/2026 at 12:10:30 AM

I believe you can’t. BTW Apple allows you to pay for a developer account with in app purchase from the developer app on your iPhone. Still has limitations and you may be rejected depending on your payment method and some other factors but even the fact that it’s possible makes it 1000 better than Google’s way of handling it.

by mrtksn

3/30/2026 at 11:41:04 PM

What you're describing is not "broken", it's the process and it appears it hasn't even failed for you.

My experience with getting a verified "business" developer account from Google mirrors the experience as getting one from Apple, except it's a one-time fee and much less than Apple.

Yes there are hoops to jump through, identification usually requires some hoops, but it's pretty straightforward. I am not commenting on the requirements of these hoops, yes, it's BS that they exist but it's their platform so it's their rules.

What type of "experience" are you expecting to have anyway?

by mcsniff

3/30/2026 at 11:47:19 PM

With Apple I filled the forms, accepted the agreements, entered the DUNS and paid with a card on my name and that was it.

How does that mirror uploading my passport many times, entering company details many times, typing my e-mail and phone numbers many times both because I had to start over and because I was asked many times even if I provided these some steps back? Now I paid and waiting, hopefully I will later be verifying my e-mail address or something that I verified a few times prior.

> What type of "experience" are you expecting to have anyway?

The Apple experience. An experience that is well thought and streamlined, that doesn’t keep me entering the same information over and over again. I don’t mind paying a little more for well designed products. The $75 difference is nothing to justify this charade, I don’t think that Google was short of $75 and designed this low quality experience, I think it’s engraved in their DNA.

by mrtksn

3/31/2026 at 12:07:35 AM

> What type of "experience" are you expecting to have anyway?

Being told upfront what is required to complete the process so you don't have to start over again multiple times?

by debazel

3/31/2026 at 8:32:45 AM

It's not broken, it's the process ???

What would you consider broken?

by 63stack

3/31/2026 at 1:39:25 AM

> However, our recent analysis found over 90 times more malware from sideloaded sources than on Google Play

Google has seemingly never seen an elderly person's phone, where it is completely infected with crap including literal popup ads (that somehow overlay other apps), yet all of it was downloaded from GPlay.

by creatonez

3/31/2026 at 1:56:16 AM

100.00% this take. Google is redefining "malware" to fit their corporate narrative so ads-with-ads-with-tracking is labeled as fine wine. It simply cannot be malware because that truth would decimate their shareholders. Malware by any other definition remains software that disrupts the user's ability to operate the device:

https://en.wikipedia.org/wiki/Malware

https://www.ibm.com/think/topics/malware

https://www.cloudflare.com/learning/ddos/glossary/malware/

https://www.cisco.com/site/us/en/products/security/what-is-m...

https://www.britannica.com/technology/malware

https://www.fortinet.com/resources/cyberglossary/malware

https://www.kaspersky.com/resource-center/threats/what-is-ma...

https://www.mcafee.com/learn/malware/

https://www.trendmicro.com/en_us/what-is/malware.html

https://www.t-mobile.com/home-internet/the-signal/internet-h...

https://www.merriam-webster.com/dictionary/malware

by 1970-01-01

3/31/2026 at 1:16:36 PM

Remember when we had the term "spyware" for a class of malware?

I remember

by VHRanger

3/31/2026 at 3:37:45 AM

Both things might be true. Sideloaded apps are probably way more likely to be malicious, but also most installed malware/crapware is quite likely coming from Google Play.

by CobrastanJorji

3/31/2026 at 5:04:33 AM

I’ve never found a malicious app on F-Droid.

by xigoi

3/31/2026 at 6:10:02 AM

To be honest the limited popularity of F-Droid also helps it be less targeted by bad actors. If it was more popular I would bet the situation would surely be different

by SkiFire13

3/31/2026 at 8:17:19 AM

This argument can be refuted by considering Debian repositories. No malware exists there despite it being a good target. It's the FLOSS that solves the malware problem, with a bit of moderation.

by fsflover

3/31/2026 at 11:35:00 AM

I'd argue OSS isn't sufficient on its own and that I suspect moderation only plays a small role. I think it's primarily the separation of roles. For a complete outsider whose only interest is exploiting users publishing a sufficiently popular piece of software and also gaining the ability to add things to the debian repos is a huge barrier. You'd have to invest years of work to do both of those things and then hope that no one happened to notice anything before it was too late.

Of course the FLOSS aspect adds an additional hurdle that this popular piece of software will have to somehow avoid having much of a contributor community around it since that would greatly increase the risks of your malicious changeset being reviewed. I guess what happened with XZ was about the best case scenario that an attacker could realistically hope for.

by fc417fc802

3/31/2026 at 12:46:45 PM

There were a few mishaps with PyPI and npm - including in the past week and even today. Not sure if those meet your criteria of FLOSS, but if it does I wouldn't call it solved.

by duckmysick

3/31/2026 at 8:58:22 PM

Yeah but supply chain attacks like that can hit literally anything. Debian repos, Play store, an individual publishing on his own website, it's all vulnerable.

by fc417fc802

3/31/2026 at 2:41:27 PM

F-Droid is a teeny store and requires extra steps like open sourcing such that it is not an appealing vector for malware authors.

Either you want to target the Play store so that you can get a wider install base but need to deal with tighter controls or you want to distribute flagrantly malicious stuff to people for banking trojans or whatever via social engineering to get them to sideload. F-Droid doesn't help with either of these things.

by UncleMeat

3/31/2026 at 3:24:11 PM

> requires extra steps like open sourcing such that it is not an appealing vector for malware authors

So choosing FLOSS protects you from malware.

by fsflover

3/31/2026 at 7:22:07 PM

It can, sure.

by UncleMeat

3/31/2026 at 6:48:28 AM

Are you really unable to comprehend just how small of a userbase F-droid represents for Android ecosystem?

by izacus

3/31/2026 at 7:01:32 AM

If it’s that small, how does killing it help anything?

by xigoi

3/31/2026 at 8:04:07 AM

Nobody said it did. Google is not doing this to kill F-Droid.

by IshKebab

3/31/2026 at 9:58:38 AM

Google already knows whether an app is being installed from an app store, such as fdroid, or not.

Just like they allow installing apps from the Play Store without the 24h verification, they should allow installing apps from F-Droid or the Epic Games Store without verification.

by kuschku

3/31/2026 at 8:26:58 AM

Why do you think they are doing it?

by xigoi

3/31/2026 at 8:46:55 AM

To stop scammer-guided malware installation, and probably those "download whatsappupdate.apk for free new emoji" ads that pop up all the time.

Google doesn't care about F-Droid one way or the other. It's a niche project that barely registers on the scale of all Android users.

by jeroenhd

3/31/2026 at 11:40:22 AM

They don't care about F-Droid but they do care to choke out any potential competitors to their ecosystem before they can get a foothold. See their behavior surrounding device certification for example. They want to abuse the network effects of their ecosystem to prevent consumers from leaving. This is just more of that - vendor lock-in masquerading as an unfortunate necessity.

by fc417fc802

3/31/2026 at 8:45:39 AM

F-Droid still works the same as it did before. This just means that McDonald's can distribute its apps on its website without showing a scary warning on install on Google's Android builds.

by lern_too_spel

3/31/2026 at 9:19:07 AM

No it doesn’t. You will now have to follow a lengthy process before being allowed to install apps from F-Droid.

by xigoi

3/31/2026 at 4:47:50 PM

To defeat scammers. Not everything is a conspiracy.

by IshKebab

3/31/2026 at 12:36:13 PM

Likely true, but also many technically oriented people (myself included) would turn away from Android if f-droid stopped working. And I would actively start recommending friends and family against it. What is the benefit of Android at this point? an extended Ads platform, controlled by Google.

by dr_hooo

3/31/2026 at 6:38:59 AM

Worst of all is that the ad that leads to that download is usually in Google's YouTube app

by TiredOfLife

3/31/2026 at 12:53:45 PM

Which analysis, where is the data? Where is the independent peer review to conclude what you see is actually real?

I'm so tired of companies claiming stuff with "we did research, just trust me bro" and providing no source to be scrutinized.

by Xunjin

3/31/2026 at 10:45:03 AM

My recent analysis found that Google is 90 times scummier than other companies.

My analysis consisted of pulling a completely baseless number out of my arse that fit my agenda.

by badpenny

3/31/2026 at 1:49:11 PM

"Confirm the accessibility permissions to get $7 SolitaireBux"

by xnx

3/30/2026 at 10:50:33 PM

What % of Android users actually want this? Do they know or care?

I've been using Android since 2010 because it was open in ways that the Apple ecosystem wasn't. I do not want this and imagine hardly any other power users (for lack of a better term) do. I'm already using a mostly deGoogled device but this really seals the deal. I have been longing for a true Linux phone for years and now seems like a good time to get serious about the search and migration plan.

by ethagnawl

3/30/2026 at 11:02:14 PM

Being able to side load apps was why I switched to android 10 years ago

by JLCarveth

3/31/2026 at 1:34:33 AM

Please call it what it is and always has been:

   I.N.S.T.A.L.L.I.N.G   S.O.F.T.W.A.R.E

"side load" is like "jay walking" seeks to stigmatize humans being human.

by tejtm

3/31/2026 at 5:53:08 PM

"Being able to install software is why I switched to Android"

This doesn't make sense to me. iOS and Android (and HarmonyOS) all allow you to "install software".

by throwawayk7h

3/31/2026 at 6:31:23 AM

I call it "direct install" personally, implying the play store is the indirect install.

by realusername

3/31/2026 at 12:55:12 PM

actually yeah it's way more direct than google play store technically

by mastermage

3/31/2026 at 12:03:55 PM

Please don't try and police my language

by JLCarveth

3/31/2026 at 1:05:33 PM

Tbh I do not think the idea is to "police" you, I do believe he means to show that "side load apps" is a corporate speech to say "don't do this, but we allow it". However it's literally just installing software.

Let's apply the "side load" apps logic to Desktop applications, imagine you have to pass for an entire process just to install an app you downloaded?

by Xunjin

3/31/2026 at 5:53:47 PM

telling someone not to use corporate speech is policing their language.

by throwawayk7h

3/31/2026 at 6:54:47 PM

valid.

n.b. "you" were not considered in my statement save as an agent.

by tejtm

3/31/2026 at 4:36:49 AM

When you jay walk you take the risk of being hit by a car, causing injuries to you, to the driver, and to other nearby people.

So I don't understand your analogy? Are you suggesting that pedestrians own the streets and should do what they please, as users own their phone and should have the right to do as they please? Or something else?

by tredre3

3/31/2026 at 5:11:01 AM

The term jaywalking was invented (or possibly hijacked) by automotive lobbyists as part of a campaign in 1910s and 1920s to convince the public and the lawmakers that crossing streets outside designated points is bad and should be made illegal. Before then, it was generally considered basic human right to walk anywhere on a street. Whether you agree that jaywalking is bad or not, that's the history of the term.

Grandparent is saying that the term sideloading was invented in a similar fashion to delegitimize a previously completely normal way to use an electronic device.

by Xirdus

3/31/2026 at 8:54:18 AM

"Jaywalking" is one of those things that's uniquely American. Most other countries have realized that the risk of being hit by a car is its own deterrent. Or restrict the legal ban on crossing to highways, not all streets.

The UK Highway Code has an RFC-like use of MUST/SHOULD; MUST parts are legally binding, the parts relating to pedestrians are SHOULD.

by pjc50

3/31/2026 at 10:12:05 AM

The German regulation is also really interesting:

Jaywalking is only illegal if there's a crossing less than 50m away. (And even then it's only a misdemeanor, not a crime).

That also means that city planners have to balance between people jaywalking, putting crossings everywhere, and how crossings slow down traffic.

And every time a car makes a turn, pedestrians automatically have priority. Which creates an implicit zebra crossing.

The only roads exempt from this are autobahn/motorways. These are by law prohibited from having direct access to anything.

That's IMO also a way for the US to get out of its current situation. Set up a rule like that, with a large distance at the beginning, and slowly reduce it over the next few years, forcing local planners to introduce additional crossings, which also reduces through traffic. The separation of streets vs autobahn also mostly prevents stroads.

by kuschku

3/31/2026 at 11:49:23 AM

I believe most jurisdictions in the US have largely the same framework. At least everywhere I've lived all street corners were implicit pedestrian crossings with a legal requirement (often blatantly ignored) that vehicles yield. Similarly jaywalking is a misdemeanor and only applies within a certain distance of a crossing.

The only situations where it's enforced (from what I've seen so obviously biased) is major highways, city streets with dense traffic and a marked crossing within half a block, and when they want to search someone for contraband. In the latter case it's just an excuse to stop and harass you in the hopes they will manage to generate sufficient articulable suspicion to justify a search.

by fc417fc802

3/31/2026 at 6:14:07 AM

> Are you suggesting that pedestrians own the streets and should do what they please

In the cities? Yes, absolutely.

by wiseowise

3/31/2026 at 5:20:21 AM

Yeah, I'm willing to use my brain and look at incoming cars and just walk when it's empty and safe to do so? Where's the problem in that? I have eyes and can judge distance and speed?

by spaqin

3/30/2026 at 11:07:37 PM

Yeah. Computing freedom to have a root shell and do as I please is the entire reason I put up with Android. Google is positioning Android to just be nothing more than a worse iOS. There's pretty much no point to it anymore.

by ux266478

3/31/2026 at 12:16:19 AM

Same. If Google does this, my next phone will be an iPhone. Freedom is the only reason to put up with Android's shittiness. If they turn it into a walled garden, then we'll choose the better kept garden and it sure as hell isn't Google's.

by matheusmoreira

3/31/2026 at 2:16:46 AM

What? So you don't value freedom at all? There's other alternatives too.. graphene, lineage

by foxes

3/31/2026 at 9:48:07 AM

GrapheneOS is Android's last hope. They're making great progress with deals with smartphone manufacturers. However, the threat of remote attestation looms eternal. I have essential apps that I cannot afford to lose and if they refuse to work on a non-Google phone the usefulness of GrapheneOS is severely degraded.

by matheusmoreira

3/31/2026 at 11:51:46 AM

If attestation ever became ubiquitous the difference between iOS and Android would cease to exist for me. I'd need a black box that lived in a desk drawer for interfacing with specific services and otherwise I'd cart around a camera in my pocket that happened to double as a linux tablet.

by fc417fc802

3/31/2026 at 10:09:39 AM

No, the solution is having a linux micro-computer. You buy an iPhone shitphone to do banking and whatnot, and never touch it, then just do everything you need off a retroconsole since it runs literally 120% of the other apps a phone would.

by linuxmobile

3/31/2026 at 2:38:54 AM

Sailfish OS - they even run a device preorder right now.

by m4rtink

3/31/2026 at 6:17:52 AM

But is it open? Seems not; parts are closed so is that not just more of the same?

by anonzzzies

3/31/2026 at 8:22:39 AM

postmarketOS, Mobian, PureOS are open.

by fsflover

3/31/2026 at 1:52:42 AM

I switched from iOS to Android about three years ago. I saved all the APKs for everything I installed (or updated) on that first phone. When I got a new phone last fall it was pleasantly like getting a new PC. I imported my SMS and contacts from my last backup (taken with an open source tool I'd installed from an APK), then installed all the apps I use and imported or manually set any settings I wanted to customize.

Every non-stock app on my phone was installed from an APK directly downloaded from the manufacturer or open source developer's site / Github releases. I've never had a Google Play account and have never used any Android "app store".

The biggest pain was having to manually log on to the couple of sites I allow to keep persistent cookies since device owners aren't allowed to just import/export cookies from mobile Chrome.

It has been a very nice experience. I appreciate the feeling of sovereignty and ownership of my device (even though it does have a locked bootloader and I don't actually have root).

Of course Google would take this away. >sigh<

by EvanAnderson

3/31/2026 at 2:45:12 AM

I did something similar. Wanted a Pixel with Graphene OS but the screen hurt my eyes. Went with a Motorola with an IPS screen. Uninstalled or disabled all the crap. Never logged into Google. Went with Obtainium and F-Droid for most software. Aurora for a couple of apps that were only on the Play Store. Used NetGuard with a whitelist to lock it all down.

After all that was done, the phone felt like mine in a way that my iPhone doesn't. Was a good feeling. With luck, the Motorola + Graphene partnership will produce phones with screens better than the Pixel and I can keep doing this.

by wishfish

3/31/2026 at 5:29:36 PM

It may be worth checking Motorola's OLED models in person (for example the Razr Fold, Razr Ultra and Signature) to see if their Flicker Prevention mode helps. I don't think any IPS models are likely to be supported in the first wave/generation of supported devices in 2027.

by ysnp

3/31/2026 at 2:49:20 AM

I ended up with a Motorola phone, too (albeit with an AMOLED screen so not the model you have). I got hooked on Motorola phones because of the "chop/chop" flashlight gesture. I don't think I can use a phone without that gesture ever again! >smile<

I'm hopeful, too, re: Motorola + Graphene. I wanted to use Graphene last fall when I got the new phone but I was committed to not giving Google any money.

by EvanAnderson

3/31/2026 at 4:44:16 AM

This, but fortunately I don't find the Pixel screen offensive, and so I use Graphene on a Pixel.

by drnick1

3/30/2026 at 11:04:20 PM

Rounded to the nearest percent, I'd guess power users make up 0% of android user base.

by cosmotic

3/31/2026 at 6:59:17 AM

That is true but they are also some of the most vocal advocates of certain systems. It is a kind of trust erosion that doesn't show up for a very long time but by the time it does it is too late to reverse.

The flipside of that is that Google and Apple have no viable alternatives. It would take years to build what they have.

It took Huawei about 5 years with Harmony OS to do it but the odds of that making it far outside of China are limited.

by HerbManic

3/31/2026 at 6:18:41 AM

Is it because people genuinely don't care, or because the barrier to become a power user is becoming taller and taller every passing year?

by blackbear_

3/31/2026 at 6:50:47 AM

Is it because Android literally has billions of users across the world.

by izacus

3/31/2026 at 8:51:33 AM

A large portion of which are using it in a feature phone capacity. Many only use smartphones because it’s what their carrier gave them after their old candybar dumbphone either broke or became unable to connect to cell towers.

The other groups are those who use it identically to how they would iOS (and don’t root or sideload), those that use it as computer replacement, and those who just like to tinker. Those last two groups are a tiny, tiny sliver relative to the others.

by cosmic_cheese

3/31/2026 at 8:11:06 AM

Especially once you start counting car entertainment systems, POTS terminals, digital signage, and hundreds of other classes of devices that are not general-purpose toys.

by TeMPOraL

3/31/2026 at 4:35:57 AM

And what is your view on the percentage of power users among iphone user base? Also zero? One hundred? So interesting.

by eimrine

3/31/2026 at 8:57:07 AM

The share of power users on iOS might be larger than expected because a lot of people working in tech fight computers for a living and prefer their phones to be simple appliances assigned to a relatively focused set of tasks.

by cosmic_cheese

3/31/2026 at 9:24:20 AM

You are talking not about Apple's walled garden. Don't confuse a skilled power user with a pesky celebrity who always prefers one button over two buttons because of complexity issue.

by eimrine

3/31/2026 at 9:47:13 AM

I am, though. Someone who uses their phone for mail, chat, music, and calls with everything else being done on a proper computer has little to gain from sideloading, and plenty of computer power users use their phones that way.

I know because I’m one of them and something like 70% of my SWE colleagues I’ve known — including Android users — fit that description too. Most have never sideloaded anything and maybe 20% have flashed their phone with an alternative ROM or rooted at some point.

An individual being good with computers or even being capable of programming has little bearing on if they’re also a phone power user.

by cosmic_cheese

3/31/2026 at 2:39:00 PM

Why installing software for power users should be in a sideloading form?

Maybe the sideloader is a power user in comparison to the celebrities, but who is a real power user is those who can sideload without the sideloading. Power users of your smartphone are: top-management of the vendor, the Government and 0-day scene. Sideloading actor IMO is just a poser to the idea of a power user.

Snoop-phone users are powerless.

by eimrine

3/31/2026 at 10:15:51 AM

> Most have never sideloaded anything

I have never told anyone what I, ahem, install.

by linuxmobile

3/31/2026 at 2:16:03 AM

> What % of Android users actually want this? Do they know or care?

If Apple announced that they were going to allow installing apps like how you can install APKs you will have a whole group of people on here arguing against it because they want Apple to have control over everything. You could have seen those people in action on the Epic v. Apple and Digital Markets Act discussions.

by Rohansi

3/30/2026 at 11:46:25 PM

It would be good if there was less malware and outright scams in the play store but that's really orthogonal to the developer verification issue.

by throwaway85825

3/31/2026 at 1:05:13 AM

Not sure why your observation was received poorly. It's true. If they actually wanted to fight bad actors they could (for example) introduce a voluntary verification program where an app cost $$$ per year to list, is permitted only a fixed number of updates per year, and the uploads are manually audited by an actual person. This would add a second tier to the app store.

Just to drive the point home. Not that you would do this but you _could_ even implement such a system fully anonymously - with uploads via tor and payments via XMR - and it should still work just as well.

Add in a third even more expensive tier for those providing source code to the auditor where google verifies a signed deterministic build the same way fdroid does. Now clearly mark the three different tiers in the app store.

And if they went this route the next logical step for highly sensitive stuff like banking and password management would be a fourth licensed and bonded tier where a verified individual located in a friendly country took on liability for any fraud or other malpractice. That tier would be the equivalent to the situation for civil engineers.

Instead we're stuck in a reality where I don't trust sourcing password managers (among other things) from the play store. Those only ever come from fdroid for me - you know, an actually secure model for how to do app distribution and verify builds.

by fc417fc802

3/31/2026 at 6:35:50 AM

What you are proposing won't solve anything, the #1 source of malware on Android is Play Store ads, here I said it.

And Google benefits financially from the problem.

by realusername

3/31/2026 at 7:41:39 AM

Financial incentives aside, a higher assurance tier on the app store would enable me to tell my relatives "all apps that handle money or government details will always have this mark next to them" among other things. Whereas the current situation has me actively investigating moving them over to graphene.

by fc417fc802

3/31/2026 at 6:51:12 AM

You "saying it" doesn't make it true.

by izacus

3/31/2026 at 7:21:11 AM

You "refusing to believe it" doesn't make it go away.

by sayamqazi

3/31/2026 at 2:36:39 AM

Google/Android don't want AI bots spamming marketplaces with dodgy apps.

Tie in the app to a verified identity/individual and it makes the audit process easier as well as engagement with authorities from the user's country if required (e.g. app facilitating child abuse).

by tedk-42

3/31/2026 at 4:39:03 AM

> e.g. app facilitating child abuse

I'm going to go out on a limb and say that the amount of apps dedicated to facilitating child abuse is close to 0, and the popular apps from verified developers being used for child abuse is close to 100%.

by tredre3

3/31/2026 at 5:44:22 AM

Session Messenger comes to mind. It's available in the Play Store and also in F-Droid.

by pocksuppet

3/31/2026 at 6:16:34 AM

Of course it’s the apps that *checks notes* facilitate child abuse.

by wiseowise

3/31/2026 at 3:19:40 AM

But they don't have a problem with using unreliable AI bots to audit apps and deal with support.

by thayne

3/31/2026 at 12:35:48 AM

> What % of Android users actually want this? Do they know or care?

2%, according to the keepandroidopen.org poll[^1]

[^1] https://techhub.social/@keepandroidopen/116251892296272830

by marcprux

3/31/2026 at 12:43:59 AM

Do we think that maybe the 3,732 people who responded to a poll on Mastodon by an account centered around one side of this disagreement might potentially not be a representative sample of all Android users?

by akerl_

3/31/2026 at 8:50:20 AM

It's a bit hard to poll 4 billion devices, but out of all 4 billion devices I think it's safe to assume that the percentage of users who do care can be rounded up to maybe 1% at most.

Developers and enthusiasts are an extreme minority that's incredibly vocal. I think most people here disagree with Google's approach but too many people are pretending like their interests and use cases are significant on a "half the planet" scale.

by jeroenhd

3/31/2026 at 12:45:15 AM

Sampling bias.

by satvikpendem

3/31/2026 at 1:50:22 AM

Perhaps. And yet … 98% opposition from 4K respondents? I'd be very surprised to see any other poll that tilts the other way, regardless of sampling bias.

by marcprux

3/31/2026 at 6:42:43 AM

Why?

by akerl_

3/31/2026 at 4:51:56 AM

Does this count? Putin won 88% of the vote in the 2024 Russian election. Not sure of the sampling bias there.

by warkdarrior

3/31/2026 at 1:35:12 AM

Android is becoming more Apple-ized every day; it's horrible and more and more APIs get neutered or disappear, further limiting functionality available to developers.

by binkHN

3/31/2026 at 7:40:29 AM

It's worse than Apple because not only are they locking it down in the same way but the whole thing is funded by adverts.

by tonyedgecombe

3/30/2026 at 11:01:36 PM

But but but it is for your security! You need to be protected!

Android hasn't been open source for a while. They started by pushing device certification which crippled any abilities of OEMs to make a better framework. Then they took many of the opensource packages out of android and redistributed as applications that they controlled via play services.

Then they made it harder to publish packages and created tons of rules that they can arbitrarily decide to cut ties with you or remove your remuneration.

What they are effectively doing now is to remove any ability of individual developers to push applications. Some will say the costs ain't that high, but (1) maybe not in USD dollars for Americans and (2) both Google and Apple will push those numbers way up high soon.

Even if that is not the case, if you don't agree with anything and you decide to have your own version of your family wiki, messenger or anything, they will be able to tell the authorities about it.

This is insane....

by motbus3

3/31/2026 at 5:43:07 AM

Time to switch to Graphene.

by pocksuppet

3/30/2026 at 11:28:14 PM

You were wrong at percentage. The question is what count would want this.

by beacon294

3/31/2026 at 2:44:22 PM

I suspect that this is less driven by users and more driven by institutions. Banking trojans distributed via sideloading are a big problem. Banks are unhappy that their users are getting their shit stolen because some other app is squatting on 2fa codes or whatever. They'd rather that their apps are not installed alongside apps that are more likely to be malware given that there isn't a private channel for auth codes for the vast majority of users.

by UncleMeat

3/31/2026 at 6:50:07 AM

Significantly larger than the number of users wanting to sideload.

There are millions of people affected by targeted scams every year, significantly outnumbering the non-developer sideload community. Especially when you take into account that the sideload community doesn't all use Google Android and isn't affected by this.

by izacus

3/31/2026 at 8:48:29 AM

This change on its own doesn't make Google Android builds less open. It does the opposite. Now people can download apps directly from the websites of the publishers without getting a scary warning on Google Android builds. That's all this does.

Separately, they're going to increase friction the first time you allow installing apps outside of the Play Store or via this mechanism and also decrease friction on subsequent times, also on Google Android builds.

by lern_too_spel

3/30/2026 at 11:12:38 PM

> What % of Android users actually want this? Do they know or care?

Bold of you assuming they're doing for users. It's fear-mongering at its finest - using the threat of security to install more control that has little to no protection against the said threats.

Now you might say it's going to raise the bar for the scammers, but nobody is going to be spending time on writing scam or malware for a few bucks. When the reward is high, they can just pay out already verified developers to distribute their builds under their accounts, or just find a workaround (fake ids?) which could be still way cheaper than the potential revenue potential of a successful attack. It's just an inconvenience that didn't exist before.

This is just a policy directly targeting the legit developers distributing apps to work around some of the platform's limitations (ie. uncrappifying youtube). They were previously free to share the workarounds they've developed for themselves since it was just as easy as sharing your APK. Now with added threat of losing your developer account and probably being perma-banned from google, those devs are less likely to continue distributing their workarounds.

by misir

3/31/2026 at 12:02:37 AM

It's not about users, it's about a single judge's idiotic ruling that Google play store is a monopoly, and the Apple app store is not.

Different judge you say? You're right. But when Google in their appeal asked the judge why the app store isn't a monopoly, the judge told Google with a straight face

"You can't be anti-competitive if you have no competitors."

Google took note.

by WarmWash

3/30/2026 at 11:23:11 PM

People don't want it until they've been scammed. Then they'll complain why you didn't save them.

by charcircuit

3/31/2026 at 12:49:55 AM

People will erroneously complain about all sorts of things. Doesn't mean you should act.

Anyway in this case it's nothing more than a thinly veiled excuse to justify making ecosystem changes that are in their favor. They aren't acting in good faith.

by fc417fc802

3/30/2026 at 11:49:40 PM

Do people complain about being scammed with Windows or macOS? Apparently not. So they probably also don't complain about Android. The security seems more an excuse to become more closed. Like iOS.

by cubefox

3/31/2026 at 12:00:07 AM

I don't necessarily like the idea of a company wiping their hands clean and saying "well - not our problem!" either though.

Companies shouldn't wait to solve issues like this - they should be proactively helping their most vulnerable users. That is the "do no evil" motto.

I don't know enough to say whether this method is the right approach however.

by DashAnimal

3/31/2026 at 1:00:38 AM

Saying that computer/OS manufacturers should prevent malware is effectively equivalent to saying that they should not sell general purpose computers to the public. A general purpose computer is one that can run any program the users tells it to, which necessarily includes one that's malicious.

That doesn't necessarily preclude helping the user to notice when they're doing something dangerous, but a waiting period before the computer becomes general-purpose seems pretty extreme.

by Zak

3/31/2026 at 3:44:40 AM

> Saying that computer/OS manufacturers should prevent malware is effectively equivalent to saying that they should not sell general purpose computers to the public.

(in Gilbert Huph (Wallace Shawn) voice) Yes, precisely!

by bitwize

3/31/2026 at 3:00:57 AM

The general consumer does not care about the distinction of if a product is technically a "general purpose computer" or not. They care about if the device is able to do what they want from it, providing them value.

by charcircuit

3/31/2026 at 12:43:43 AM

>Companies shouldn't wait to solve issues like this

Unless you built your house yourself, you should expect the construction company to be responsible for verifying the identities of anyone entering your house. Asking for a passport and a one time payment, just in case the person who rings the bell may not be a friend.

That should be proactively helping you in case you're a vulnerable homeowner. Not checking in on every visitor would be evil, no?

I can't think of a better approach.

by rcMgD2BwE72F

3/31/2026 at 12:47:08 AM

I lived in an apartment building, and one of the upsides was that the building had a security system and a front desk that helped control who could be wandering down my hall.

by akerl_

3/31/2026 at 12:58:19 AM

Me too.

But we, owners, collectively choose that. We choose the security company, we pay them, we can vote them out. Most importantly: the construction company has zero say in this.

Also, no one actually checks the IDs of my friends, and they don't have to pay the construction company when they first come.

I give the codes, they ring, I open. I hire a company to monitor the building but I can kick them out any day.

I own the place, you see?

by rcMgD2BwE72F

3/31/2026 at 12:55:17 AM

Doesn't really seem like it fits the analogy. Even ignoring that, I doubt they were checking passports and collecting tolls from guests, right?

by fc417fc802

3/31/2026 at 6:33:08 AM

> Companies shouldn't wait to solve issues like this - they should be proactively helping their most vulnerable users.

I think they should help their median users and empower their power users, and they should absolutely throw a few "most vulnerable" users under the bus if that's necessary. Otherwise you think about banning kitchen knives to protect the "most vulnerable users" who are too stupid to handle a knife. No, we shouldn't do that. Their stupidity should be their problem, not our problem.

Some degree of collateral damage must be accepted to maximize the expected value of a product or service. Minimizing risks can't be the top priority. Don't ban kitchen knives. What you are effectively arguing for is transforming both Windows and macOS into a closed iOS. Don't do that.

by cubefox

3/31/2026 at 1:06:23 AM

> Do people complain about being scammed with Windows

They do. They absolutely do. Where have you been in the last 20 years? Windows has had a reputation as an unsafe ecosystem for decades. Even amongst non-tech people. And even with the various exploits the biggest source of viruses on windows was always that, lacking a proper channel to distribute applications, they had trained their users to double click any .exe on the internet and the next>next>next in whatever installer. I don't agree with the tightening of developer account requirements, but this argument doesn't hold at all.

by andersonpico

3/31/2026 at 6:46:10 AM

> They do. They absolutely do. Where have you been in the last 20 years?

The last time I heard these complaints were before Windows XP Service Pack 2, which added automatic Windows updates and ended the flood of viruses like Sasser or MyDoom.A. That was more than 20 years ago. On top of that, Windows Vista later added an integrated virus scanner and UAC dialogues, which gave you a big warning whenever you wanted to open an executable file. I haven't heard of any widespread viruses since. Nowadays most people don't even need to install software because most things are SAAS/cloud and run via the browser now.

Now the biggest "security issue" seems to stem from not-so-bright users being convinced by phone scammers to transfer them money or something like that. I don't think this is a problem with Windows.

by cubefox

3/31/2026 at 1:20:05 AM

Pretty much everyone would hate it if a relative lost their life savings to a scammer, though they may not know it yet.

The idea isn't to protect the power users or average users. It's to protect the most vulnerable. Android is for everyone. Us power users will have a minor speed bump, but we can deal.

by skybrian

3/31/2026 at 1:55:12 AM

I would buy this argument if the Play Store wasn't already full of garbage and viruses and scams.

by JCTheDenthog

3/31/2026 at 1:27:28 AM

Android is for everyone, provided they submit to Google exclusively. It's not about power users, and that isn't a speed bump. You can protect vulnerable users without centralizing power like they did, but that's not their motivation so here we are.

by gumby271

3/31/2026 at 4:10:54 AM

What's an example of a decentralized system that protects people from scammers?

by skybrian

3/31/2026 at 8:56:19 PM

Decentralized PKI

by Cartoxy

3/31/2026 at 5:13:34 AM

TLS.

by xigoi

3/31/2026 at 1:32:01 AM

How very noble of Google /s

by CivBase

3/31/2026 at 3:55:01 PM

Maybe it's just me but what happened to "don't send your government id to anyone". I am from the EU but this is what was indoctrinated to me. Just seems very strange to all of a sudden send all this information to any company you require a service from.

Also the person is not the company, why is Google making the developer identify oneself while many apps are released under a company? My understanding is that Google has been mishandling this for a while but with the verification linked to a government id that just seems like another can of worms.

A few scenarios to consider:

- The developer is fired/resigns and the company does not want to be associated with the developer, for example if the developer is convicted for something.

- The developer is fired/resigns and the developer does not want to be associated with the company, developer found out about certain practices of the company they don't condone.

- The developer and the company part in good faith, however one of them is being exploited/pressured by a third party to abuse the relationship to the app.

- The developer or the company is on legal hold due to legal issues, arrests, malpractice etc.

- The developer passes away or the company ceases to exist.

- How does this work if you are making an app as a developer for hire, when entering into a contract with a publisher for example. Who will verify and how will that work (especially on small scale apps).

by trashb

3/31/2026 at 1:07:24 AM

> Android is for everyone. It’s built on a commitment to an open and safe platform. Users should feel confident installing apps, no matter where they get them from.

This intro immediately tells me that whatever comes after will be horrible for users and developers. Surprise surprise, I was right. Software to "verify" side loaded apps is a bad, anti user idea.

by ecshafer

3/31/2026 at 10:07:53 AM

Whenever I find that I need to install something from the Play Store rather than from F-Droid, it fills me with dread, because I'm not confident about what those apps do behind the scenes.

by Vinnl

3/31/2026 at 3:29:48 PM

"side loaded apps" is merely a pejorative Google and Apple use for "apps".

What they call "apps" are "apps that we like and we distribute to you under our control of both yourself as a registered user and the developers".

Well, I guess I'll need to install a non-Android distribution then. I hope one would be available for my phone by the end of the year :-(

by einpoklum

3/31/2026 at 2:09:19 AM

It's like a slimy HR telling you to come over for a chat. You immediately know it's not a chat

by postsantum

3/31/2026 at 12:32:12 PM

I am waiting for Google to require bodily fluid sample to verify identity.

by varispeed

3/30/2026 at 11:05:25 PM

Hey boss: “40M users are running a cracked version of YouTube premium on mobile, what can we do ?”

by rvnx

3/31/2026 at 1:16:39 AM

Exactly this.

And that launch country list is most likely the countries where cracked YouTube Premium is most common.

App piracy is huge by copying around modded APK's, and everyone's grandma is doing it.

by londons_explore

3/31/2026 at 1:15:22 AM

I pay for YouTube Premium and I have an alt app on my phone because the user experience is just better. You're supposed to have background play in the regular YouTube app, but videos regularly pause until you return to the yt app to reload.

It all worked perfectly fine back on my iPod touch, pre-premium bs. Tech is regressing.

I'm on a family plan (cheap) and I use it for the music player for the inevitable question of why I'm doing this.

by sporp

3/31/2026 at 2:47:51 PM

Google could already flag these apps as malware or whatever. What developer verification does is enable Google to detect polymorphic apps.

by UncleMeat

3/31/2026 at 8:51:30 PM

> However, our recent analysis found over 90 times more malware from sideloaded sources than on Google Play

https://android-developers.googleblog.com/2025/08/elevating-...

> The scale of this threat is significant: our recent analysis found over 50 times more malware from internet-sideloaded sources than on apps available through Google Play

Bald face lies are getting baldier.

by solaire_oa

3/31/2026 at 3:14:18 AM

If they're taking on verification, are they also taking on liability? Do we get to sue them if grandma gets scammed through an app they allow onto their phone?

by ori_b

3/31/2026 at 10:47:28 AM

Yeah, let's hold Google accountable. Is there a way to practice anti-trust laws?

by RandyOrion

3/31/2026 at 5:51:20 AM

Nice try, but no, shit only flows down.

by eviks

3/30/2026 at 10:20:02 PM

from https://9to5google.com/2026/03/30/android-developer-verifier... -

> Starting in April, Android Developer Verifier will be installed on devices.

so they're rolling out a system app that will call home to check whether any sideloaded apps have been "verified" with the developer's government ID? and this process will happen regardless of whether the user has enabled the "advanced flow" in Developer settings?

by bstsb

3/30/2026 at 10:38:35 PM

Good of a reason as any to go google-less on my Graphene pixel, I guess. But man it sucks, mostly for all the people who can't. I can manage my financials and 2FA from my laptop, that was my last real reason to have google play installed, but it's just a convenience. (I know it's mandatory for others.)

I wonder how that sys app will be handled in GrapheneOS's google play sandbox?

by birdsongs

3/30/2026 at 11:01:30 PM

It'll probably always confirm it's been verified.

GOS have already said users won't be impacted by this clampdown.

by subscribed

3/31/2026 at 1:07:48 AM

So F-Droid will be installable without sacrificing livestock?

by kevin_thibedeau

3/31/2026 at 1:16:33 AM

That essay about being licensed to use a debugger was supposed to be an absurdist over-extrapolation for the sake of making a deeper point about software freedoms ... right? Seems more like they're using it as an instruction manual.

by fc417fc802

3/31/2026 at 3:08:03 PM

The latest shift to lock down Google's Android pushed me recently to install /e/OS. On paper it makes those kinds of projects a lot harder, but it's prompted me to be a bit more considered about what software projects I want to use/support.

Really glad I have done that - I've been a 'boiled frog' of sorts on Android for a while now. Not happy with being continually more and more locked down, but not quite unhappy enough to shift. Feels like a breath of fresh air to have software that's built to serve me, rather than just to serve me ads.

by benrutter

3/30/2026 at 11:00:01 PM

That's seriously horrible. There are 5+ open source android apps that I use and want to continue using that are not available on Play Store, but rather through alternative stores (like Zapstore, Obtainium).

If I get a phone with preinstalled Graphene OS (like the upcoming Motorola phone), then does it avoid this stupidity? Or even with Graphene it prevents me from installing apks?

by nout

3/31/2026 at 5:19:44 PM

Having GrapheneOS preinstalled is an option they may discuss with Motorola. It is not the current plan. The current plan is that Motorola release their devices as normal, but some of the flagship devices in 2027 will support manual installation of GrapheneOS.

by ysnp

3/31/2026 at 12:15:54 AM

Graphene allows APKs

by ekianjo

3/31/2026 at 9:48:51 AM

My experience was worse than just frustrating verification - it cost me money twice.

I submitted my government-issued ID and bank statements multiple times. Each time rejected, no specific explanation why. After several rounds I gave up, assuming my developer account would at least stay dormant until I felt like trying again.

It didn't. Google deleted the account entirely. No warning, no refund of the €25 registration fee or whatever it cost. When I eventually wanted to publish again, I had to create a new account and pay again. The second time around they accepted my driving license - the same type of document category they had rejected before.

So the real cost of a bad verification experience isn't just time. If you give up and walk away, you lose your fee and start from zero. That's the part that stung, at least for me.

by Andebugulin

3/30/2026 at 11:49:21 PM

A 'safe' app store would promote and prioritize open source apps compiled on public auditable runners.

by throwaway85825

3/31/2026 at 12:10:58 AM

F-Droid is in fact what an app store concerned about user safety looks like. Nobody gets hoodwinked into installing apps that track them or sell their data or otherwise abuse them on F-Droid.

by pxc

3/31/2026 at 12:24:50 AM

It is yes. Their build system is somewhat arcane and difficult so some apps don't get updated from the git repo though. It could use some polish.

by throwaway85825

3/31/2026 at 6:55:04 AM

F-Droid is so irrelevant that it doesn't even begin being targeted by supply chain and scam attacks. Being obscure always helps with this, but pretending that it's the same threat model is absolutely false.

by izacus

3/31/2026 at 8:28:48 AM

Are Debian repositories also irrelevant? If not, why aren't they targeted?

by fsflover

3/31/2026 at 9:49:26 AM

The XZ utils backdoor made it into Debian repositories undetected, although it was caught before it was in a stable version.

Debian repositories are quite secure, but also pretty limited in scope and extremely slow to update. In practice, basically everyone (I'm sure there are a few counterexamples) using a Linux distro uses it as a base and runs extra software from less tightly controlled sources: Docker hub, PyPI, npm, crates, Flathub etc. It's far easier for attackers to target those, but their openness also means there's a lot of useful stuff there that's not in Debian.

Holding up Debian as a model for security is one step up from the old joke about securing your computer by turning it off and unplugging it. It's true, but it's not really interesting.

by takluyver

3/31/2026 at 1:58:04 PM

XZ attack is an extremely rare event coming likely from a state actor, which actually proves that GNU/Linux is a very important target. It was also caught not least thanks to the open nature of the repository. Also, AFAIK it wasn't even a change in the repo itself.

In short, using FLOSS is the way to ensure security. Whenever you touch proprietary stuff, be careful and use compartmentalization.

by fsflover

3/31/2026 at 12:39:36 AM

This is non-technical. F-Droid is horrible. https://privsec.dev/posts/android/f-droid-security-issues/#5...

F-Droid has not meaningfully improved since that piece was written, either. No one should use F-Droid.

by selectively

3/31/2026 at 1:06:37 AM

That article's premise is that the Android security model is something that I want. It really isn't.

The F-Droid model of having multiple repositories in one app is absolutely perfect because it gives me control (rather than the operating system) over what repositories I decide to add. There is no scenario in which I wish Android to question me on whether I want to install an app from a particular F-Droid repository.

by rpdillon

3/31/2026 at 3:33:37 AM

Can you describe the threat model / specific attack under which... any of the supposed flaws on that page matter? (Most of the particular section you've linked appears to be about extra defenses that could be added, but which are unlikely to make a difference in the face of Android's TOFU signature verification on installed APKs.)

by yjftsjthsd-h

3/31/2026 at 5:26:16 AM

Reads like a cheap hit piece to me.

The section you linked in particular is a load of editorialized bullshit IMO. As far as I can tell the only legitimate complaint is that there is (or was?) some sort of issue with the signing methodology for both APKs and repository metadata. Specifically they were apparently very slow to replace deprecated methods that had known issues. However it's worth noting that they appear to have been following what were at one point standard practices.

The certificate pinning nonsense is particularly egregious. APT famously doesn't need TLS unless you're concerned about confidentiality. It's the same for any package manager that securely signs everything, and if there's ever a signing vulnerability then relying on TLS certainly might save you but seems extremely risky. On top of that the Android TOFU model means none of this matters in the slightest for already installed apps which is expected to be the case the vast majority of the time.

As far as I'm concerned F-Droid is the best currently available option. That said of course there are places it could improve.

by fc417fc802
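
The trust-on-first-use argument in the two comments above, as an added example (not code from the thread, F-Droid or Android): a toy installer pins the signer on first install and then checks updates against that pin. Textbook RSA over small Mersenne primes stands in for real APK signing and is not secure; the package name, payloads and every function and class name are constructed for this illustration.

```python
"""Toy model of trust-on-first-use (TOFU) signer pinning for app updates.

Assumptions (not from the thread): textbook RSA over small Mersenne primes
stands in for real APK signing and is NOT secure; the package name, payloads
and all names below are constructed for this illustration.
"""
import hashlib
from dataclasses import dataclass, replace

E = 65537  # public exponent shared by both toy keys


@dataclass(frozen=True)
class SigningKey:
    n: int  # public modulus (plays the role of the signing certificate)
    d: int  # private exponent


def make_key(p: int, q: int) -> SigningKey:
    return SigningKey(n=p * q, d=pow(E, -1, (p - 1) * (q - 1)))


@dataclass(frozen=True)
class Apk:
    package: str
    version: int
    payload: bytes
    signer_n: int   # public key shipped inside the package
    signature: int


def _message(package: str, version: int, payload: bytes, n: int) -> int:
    # The signature covers name, version and contents, reduced into the key's range.
    data = f"{package}\x00{version}\x00".encode() + payload
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_apk(key: SigningKey, package: str, version: int, payload: bytes) -> Apk:
    sig = pow(_message(package, version, payload, key.n), key.d, key.n)
    return Apk(package, version, payload, key.n, sig)


def signature_valid(apk: Apk) -> bool:
    expected = _message(apk.package, apk.version, apk.payload, apk.signer_n)
    return pow(apk.signature, E, apk.signer_n) == expected


def signer_id(n: int) -> str:
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()


class Device:
    def __init__(self):
        self.installed = {}  # package -> (pinned signer id, installed version)

    def install(self, apk: Apk) -> str:
        if not signature_valid(apk):
            return "rejected: bad signature"
        signer = signer_id(apk.signer_n)
        current = self.installed.get(apk.package)
        if current is None:
            # First use: nothing to compare against, so the signer is trusted and pinned.
            self.installed[apk.package] = (signer, apk.version)
            return "installed: signer pinned"
        pinned, version = current
        if signer != pinned:
            return "rejected: signer changed"
        if apk.version < version:
            # The pin alone would accept a replayed old release, so check the version too.
            return "rejected: downgrade"
        self.installed[apk.package] = (pinned, apk.version)
        return "updated"


def run_scenario() -> dict:
    dev = make_key(2**127 - 1, 2**89 - 1)     # constructed developer key
    other = make_key(2**107 - 1, 2**61 - 1)   # constructed key held by a rogue mirror
    pkg = "org.example.notes"                 # constructed package name
    v1 = sign_apk(dev, pkg, 1, b"release 1")
    v2 = sign_apk(dev, pkg, 2, b"release 2")
    v3 = sign_apk(dev, pkg, 3, b"release 3")
    tampered = replace(v3, payload=b"release 3 + injected code")
    resigned = sign_apk(other, pkg, 3, b"release 3 + injected code")

    phone = Device()
    results = {
        "first install": phone.install(v1),
        "genuine update": phone.install(v2),
        "modified in transit": phone.install(tampered),
        "re-signed by mirror": phone.install(resigned),
        "replayed old release": phone.install(v1),
    }
    results["re-signed, fresh device"] = Device().install(resigned)
    return results


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case:26} -> {outcome}")
```

The last case is the limit of trust on first use: the pin protects updates to an app that is already installed, while a first install accepts whichever signer it is handed.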

3/31/2026 at 6:25:23 AM

Yeah like npm! Don’t think there’s ever been security issues in that.

by tubs

3/31/2026 at 1:45:54 PM

I download all apps on my phone from the bleeding edge of npm. /s

When npm has supply chain attacks it's still news.

On Google Play Store it's actually noteworthy when an app isn't some level of malware loaded with ads and questionable permissions.

by saintfire

3/31/2026 at 1:25:44 AM

I am part of the team running keepandroidopen.org and corralling the signatures for the open letter opposing this program. We've been trying to get Google to reverse course on this program ever since it was announced.

As it stands, Android Developer Verification (ADV) is a death sentence for F-Droid, Obtainium, and other competitors to the Google Play Store, both commercial and non-commercial. We are disappointed that they are still trying to steamroll this through in the face of overwhelming public opposition.

There are numerous reasons to object to the program, but a few of the top ones are:

1. You own your computer, and you should be the sole decision-maker for what software you can install on it.

2. "Malware" means whatever Google says it means, and their terms and conditions change daily; today malware is banking scams, tomorrow it is … ad-blocking? VPNs? Their decisions are un-reviewable and opaque, and they have obvious commercial incentives to block certain kinds of (otherwise-legal) software.

3. Centralizing global developer registrations through a US corporation makes it subject to the rules (and whims) of the current regime. Citizens of sanctioned countries or members of sanctioned entities (like the International Criminal Court) will be legally barred from registering, blocking them from creating and distributing software _anywhere_ in the world (not just the US).

4. Scenarios that Google claims ADV will protect against — such as high-pressure phone calls manipulating vulnerable users into installing scam apps — have _already_ been addressed by incremental improvements to Android security over the years, such as "Enhanced Fraud Protection" introduced in Android 13 (and expanded in Android 15). Android has incrementally improved its security features over its near 20 years of existence. There is no evidence that anything has suddenly changed to justify such a disproportionate and extreme lockdown.

5. Being required to pay Google for the privilege of uploading your government identification so that you might be permitted to contribute to the Android software ecosystem is such an abominable insult to the developers that helped build the platform. It deserves all the utter contempt that has been heaped upon it thus far, and begs regulatory scrutiny from those few countries that still have the courage to stand up to these bullies.

We emphatically recommend against developers signing up for this program or endorsing it in any way.

by marcprux

3/31/2026 at 10:35:19 AM

Thank you for standing against the Android Developer Verification enforced by Google. Now in addition to stopping using YouTube, replacing chrome with ungoogled chromium, I'm moving to de-googled AOSP builds, e.g., LineageOS, instead of stock OEM ROMs.

by RandyOrion

3/31/2026 at 10:41:48 AM

Are there any anti-trust angles to this?

by curt15

3/31/2026 at 8:30:42 AM

> I am part of the team running keepandroidopen.org

Perhaps your team should promote GNU/Linux phones instead, which do not depend on a megacorp.

Sent from my Librem 5.

by fsflover

3/31/2026 at 12:25:46 AM

Is there any information about how the "advanced flow" will be implemented? According to keepandroidopen.org, this is going to be handled by Google Play Services. Does it mean it will be automatically installed via the silent, always-on GMS update mechanism and I should root my devices and remove GMS altogether if I don't want this?

by m132

3/31/2026 at 10:04:21 AM

Even once you've managed to verify, Google love throwing more challenges at you if you want to keep your apps in the store. "You need to declare your blood type or we will remove your apps in 30 days". I removed my apps myself as it was turning from a hobby to an unpaid job just to keep the apps in the store.

by Steve16384

3/31/2026 at 8:48:27 AM

> It’s only when a user tries to install an unregistered app that they’ll require ADB or advanced flow, helping us keep the broader community safe while preserving the flexibility for our power users.

So, we have a sideloaded app now. Which has been increasingly tricky for our users to install. The warning they get is hard to understand. Does this mean essentially the end of sideloading?

by sgt

3/31/2026 at 9:20:25 AM

If you get 'verified' by Google and sign your app, sideloading shouldn't change. That means money and ID checks, or a free 'hobbyist' carve out if you have <20 users.

If you don't want to play their game, sideloading will get substantially harder.

by takluyver

3/31/2026 at 1:20:37 PM

> our recent analysis found over 90 times more malware from sideloaded sources than on Google Play.

So, what I'm being told is; there's lots of malware on Google Play? Thank goodness for f droid (for now).

by ChoGGi

3/30/2026 at 11:17:14 PM

"However, our recent analysis found over 90 times more malware from sideloaded sources than on Google Play."

Has anyone seen the report for that analysis. I bet most people here would love to read it too.

by bossyTeacher

3/31/2026 at 10:51:15 AM

Suppose for argument this statistic were true. It still does not fully capture people's risk.

P(malware) = P(malware | Google Play) * P(Google Play) + P(malware | non-Google Play) * P(non-Google Play)

It's the combination of both factors that counts. Even if Google Play has a lower malware rate, a user is still far more likely to try to install apps through Google Play given the sheer size of its catalog and its prominent, default placement on people's devices.

by curt15
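
A worked version of the decomposition in the comment above, added here and not part of the thread. It assumes the quoted 90× figure is a ratio of per-install malware rates; the symbols $r$ (the Google Play rate) and $q$ (the fraction of all installs that come from outside Google Play) are introduced only for this illustration.

$$P(\text{malware}) = r\,(1-q) + 90\,r\,q = r\,(1 + 89q)$$

$$\frac{P(\text{malware},\ \text{non-Google Play})}{P(\text{malware})} = \frac{90q}{1 + 89q} > \frac{1}{2} \iff q > \frac{1}{91} \approx 1.1\%$$

Under these assumptions, sideloaded installs account for the majority of malware installs only if more than about 1.1% of all installs are sideloaded; below that share, most malware installs still arrive through Google Play despite its 90× lower rate.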

3/30/2026 at 11:46:14 PM

I mean, I’m sure “Fortnite with infinite vbucks.apk” has a much worse malware rate than the play store, but I’m almost certain that fdroid has a lower malware rate than the play store and I honestly suspect even “random apks off github” might have a similar rate to the play store

by Macha

3/30/2026 at 11:54:05 PM

tl;dr how to install an app from unverified developer ("advanced flow")

  1. enable developer mode
  2. confirm you aren't being coached
  3. restart your phone and reauthenticate
  4. come back after 24 hours and unlock device
  5. install app from unverified developer, option of enabling for 7 days or indefinitely

This is apparently a one-time process. Advanced flow for users launches globally August 2026. Verification requirement kicks in September 2026.

Personally I am hopeful that people work toward a completely new, non-Android OS. 15 GB of space on my phone, and 1.5 GB of RAM, is dedicated to Android OS alone. This design, and the control this company (and the mobile providers, and device manufacturers) have over the mobile world, is ridiculous. Let's start over.

by 0xbadcafebee

3/31/2026 at 4:05:15 AM

Nah. This sucks. My banking app refuses to open if devtools are enabled. 24h window means I can't do dev work on my personal phone.

by 0x1ceb00da

3/31/2026 at 4:35:58 PM

I have that problem too, and it's a banking app I use nearly every day.

Needing to turn Developer mode off and on every time I open the app is really annoying.

It was extra annoying when I needed to log all my phone's Bluetooth HCI protocol activity for a day for product development. I wouldn't be able to take that measurement using a separate dev-specific phone, because it wouldn't contain realistic usage.

by jlokier

3/31/2026 at 12:23:52 AM

>15 GB of space on my phone, and 1.5 GB of RAM, is dedicated to Android OS alone

The original Droid phone I used had only 256 MB of memory, and could still multitask and run multiple apps at once with that limited memory. It's crazy how bloated things have become over the years.

by robotnikman

3/31/2026 at 8:33:34 AM

> I am hopeful that people work toward a completely new, non-Android OS

Mobian, PureOS, postmarketOS already exist. Sent from my Librem 5.

by fsflover

3/31/2026 at 12:25:15 AM

Older Androids which are fully rootable and unbrickable are cheap (maybe even monetarily free) and will let you continue to have freedom despite what Google wants.

"Those who give up freedom for security deserve neither."

by userbinator

3/31/2026 at 12:59:07 AM

Older Androids won't exist for long.

by stavros

3/31/2026 at 6:24:59 PM

My pixel 1 is still going strong. Several phones released just last year are bootloader unlockable and rootable, and those should last at least a decade if cared for.

by greentea23

3/31/2026 at 6:35:42 PM

You can always get some form of phone that will be rootable, but more and more of the ecosystem will depend on Play Integrity, and thus there will be more and more things you can't do with them.

by stavros

3/31/2026 at 1:45:27 AM

That's what Google wants, but they're not getting their way with mine.

by userbinator

3/31/2026 at 8:32:07 AM

How about security updates?

by fsflover

3/31/2026 at 7:14:45 AM

Great. This will make web apps popular again. Let's take back the web. HTML, JavaScript, CSS!

by arcmutex

3/31/2026 at 2:22:32 PM

Does anyone know if Chinese developers will be forced into paying for a Google Dev account too?

by paprikanotfound

3/31/2026 at 1:11:55 AM

At this point, I think I would prefer to carry a dumb flip phone for SMS and phone calls, and a smartphone-shaped generic touchscreen linux computer for everything else. It's becoming disturbingly impossible to find the former, and practically impossible (IME) to find the former.

Does anyone here have experience using Ubuntu Touch? That's the closest thing I've seen to "generic touchscreen linux" for mobile phone hardware. I'd love a device that works for multimedia, navigation, web browsing, and a handful of APKs like various chat apps (and really anything that can arbitrarily use the hardware), but it seems like tying a cellular modem to this ends up fucking up the whole dream because of carrier and manufacturer motivations/compensations.

by shit_game

3/31/2026 at 7:08:25 AM

Good job google. You just convinced our entire business to abandon our app (utilities company) and only target web. We are done with this shit. All our resources the next two weeks will be to fill in the gaps in our web clientzone so our thousands of customers can still buy electricity and pay water bill and have a similar experience to the app (it's 90% the same anyway).

Oh and my three personal apps that I installed via adb (not released on playstore) - the moment they stop working on my phone or hassle me about verification, I will get in my car and go buy an iPhone.

Next will be to degoogle the rest of my life, which is luckily only gmail. Guess how long it will take me to port out? Less than two days.

I only let companies violate me once. Then I'm out.

Play store is the biggest piece of trash malware system that exists today, but us normal businesses have to pull teeth and spend days jumping through hoops to get an app out, but the playstore is filled with infinite garbage that rots children's brains.

Wake up.

by BatteryMountain

3/31/2026 at 2:53:02 AM

Does anyone know how this will work vis a vis China, where Android is everywhere, but Google is not?

Will bypassing this bureaucracy be just a matter of buying a Chinese Android phone?

by geokon

3/31/2026 at 11:08:55 AM

Please no.

If you want to install APKs directly on Android phones sold in China, you'll face even more draconian restrictions imposed by both Chinese OEMs and Chinese government, e.g., cannot install Telegram [1], cannot install VPNs [2], called by local police station after installing VPNs [3], and so on. And you do not have the freedom to even talk about these restrictions freely without getting sued or censored.

[1] https://xcancel.com/whyyoutouzhele/status/168915238841261670...

[2] https://xcancel.com/whyyoutouzhele/status/197843066556268971...

[3] https://xcancel.com/whyyoutouzhele/status/170299205759627676...

by RandyOrion

3/31/2026 at 3:38:35 AM

I'd say Hackernews knows enough people at Google to raise a stink about this, but it's not going to do any good. Sometime at the last WEF or Bilderberg meeting it was decided that KYC level identity verification should be required to use a computer or the internet, with more stringent requirements to program one. This, and much worse, is going to happen whether we like it or not.

by bitwize

3/30/2026 at 10:45:20 PM

Yeah, no, going back to web native. Keep your verification and your 20%.

by Fordec

3/30/2026 at 11:54:07 PM

Let everyone who wants it be safe using the Google App Store. But please let me do stupid/experimental things with my phone.

by __fst__

3/31/2026 at 3:24:06 AM

The google app store isn't even that safe. This is all just stupid

by sylos

3/30/2026 at 11:00:30 PM

The sad thing is only a tiny minority of android users side load apps. The rest will feel their phone is one step more secure.

by hirako2000

3/31/2026 at 12:59:32 AM

How is it more secure for the people who don't sideload apps?

by stavros

3/31/2026 at 1:29:18 AM

They'll feel it's more secure. It won't actually be but they'll feel that way and vibes are important. /s

by fc417fc802

3/30/2026 at 11:44:19 PM

What Android versions is this applicable to?

by hnburnsy

3/31/2026 at 1:46:23 AM

Found the answer...

>What Android versions will the developer verification requirements be enforced on? It will apply to all certified Android devices running Android 7 or higher. These updates are delivered through Google Play services to help maintain consistent security across the ecosystem. Last updated: March 23, 2026

by hnburnsy

3/31/2026 at 5:22:03 AM

So, Google TVs too?

by ncr100

3/31/2026 at 1:44:18 AM

The only malware I've had to clean off peoples devices has come from the Google Play Store.

by jaimex2

3/31/2026 at 12:07:03 AM

So, anyway, how do we make sure that our phones don't turn into a pumpkin on a set date? I suppose it's all shit long term, but at the very least I don't want to be forced to look for a solution before I need a new phone. So, what do you do? Can you just disable android updates somehow and it will solve the issue? Or it is already a ticking bomb that will be activated on the set date no matter what?

by krick

3/31/2026 at 12:28:10 AM

Root and kill everything that could be used to remotely install software without your consent.

by userbinator

3/30/2026 at 11:16:51 PM

> our recent analysis found over 90 times more malware from sideloaded sources than on Google Play

So what's the solution then? At the same time, I'm curious how this ends up happening to end users. Enabling unknown sources is trivial in a way (it's just one check box and if you try to install an APK from, say, Firefox, it'll take you right there), but how are people even getting to that point??

by kayson

3/31/2026 at 2:00:23 AM

Phone scammers guiding users to install apps.

by lmz

3/31/2026 at 3:07:59 PM

> Android is for everyone. It’s built on a commitment to a... safe platform.

These two statements contradict. When something is public, it is not entirely safe; and to make something safe, there is exclusion of practices, behaviors, and often people.

> So as an extra layer of security, we are rolling out Android developer verification to help prevent malicious actors from hiding behind anonymity to repeatedly spread harm.

1. Well, then, surely Google can't be in charge of this process, because they are a malicious actor, known to manipulate social media search results and engage in mass surveillance of its users. And that's in addition to analyzing their personal data to try to manipulate them into buying things; which is called "targeted advertising", but I would also characterize as harm.

2. To be slightly less tongue-in-cheek: Imagine that a town would prevent entry of unverified people - you know, to prevent malicious anonymous actors from bringing harm. That would be ridiculous - nobody should be able to restrict public space. Well, the space of computation and communications via our handheld phones/computers is enough of a public space to merit the same principle. Which means that it is not acceptable for it to be under Google/Alphabet's control. Government regulation could mitigate this problem, but then, governments collude with large corporations and often approve of such restrictions.

by einpoklum

3/31/2026 at 2:28:23 AM

I would genuinely like to know more about these supposed users who are side loading things and getting hoodwinked. It seems high enough friction that you have to have something of an idea of what you're doing to begin with. Everyone I've known who has side loaded anything has been reasonably technical.

My dad on the other hand, who worked for Control Data in the 1980s regularly installs some of the scummiest apps imaginable, and they're all from the Play Store proper.

Launchers that don't actually launch things and serve ads. Apps that launch full screen ads while you're doing things saying your device is infected. Absolute trash.

Like maybe just maybe put some energy into going after the stuff in the Play Store first. As the Play Store exists now, it is unsafe.

by donatj

3/31/2026 at 2:31:50 AM

Have you seen those YouTube videos of people punking scammers? Scammers will convince people to drive to Target, buy gift cards, and read the credentials out over the phone. Those same people can surely talk you through tapping out a dialog flow.

That's presumably why there's a lockout period - it keeps a scammer from reasonably holding the line until they can pressure you to finish it.

by bsimpson

3/31/2026 at 3:37:08 AM

> Have you seen those YouTube videos of people punking scammers? Scammers will convince people to drive to Target, buy gift cards, and read the credentials out over the phone. Those same people can surely talk you through tapping out a dialog flow.

...if the scammer can get the victim to physically drive to Target and buy a bunch of gift cards, what makes you think they need to install anything on your phone? Having RCE on a human is more useful than RCE on a device.

by yjftsjthsd-h

3/31/2026 at 9:12:32 AM

Their deception often relies on remote-controlling a PC, modifying a bank balance to show a fake number using basic "inspect element", and convincing the victim that they "accidentally" received a refund that's too high (often by having the victim type out the "refund" amount in their notepad-looking "refund system" and adding a couple of zeroes).

By making the victim believe that they're to blame for this innocent worker losing his job, they convince these people that they need to go outside normal financial systems to get the money back before anyone notices. Alternative scam scripts also have scammers pretend to be government officials threatening with fines and lawsuits, but the end goal is often to get into the victim's bank account in a way that the victim will tell the bank that everything is fine when fraud detection systems catch wire transfers or suspicious behaviour.

If the victim at any point opens up their official banking app, which scammers cannot control, they'll see that they never received the supposed "refund". With banks moving more and more functionality to apps, scammers can't pull the same tricks if they don't have access to your phone.

Scambaiting YouTubers have shown to be able to throw scammers off their guard by doing the most basic things. Disabling "inspect element" and cmd.exe will stop a scammer right in their tracks, because suddenly their phone script doesn't work any more.

If the victim needs to wait a full day, they'll be more likely to talk to someone. There are plenty of interviews with victims where they will say they realized their mistake hours or even minutes after it's too late. Stress and constant pressure is one of the primary means scammers employ to prevent people from thinking rationally so their obvious and ridiculous lies don't get spotted.

While I think developer verification is monumentally stupid and won't stop any serious scams, I do believe that the timeout measure Google makes people jump through does help.

by jeroenhd

3/31/2026 at 8:51:50 AM

Having RCE on a human is like having RCE on a SOTA LLM webservice - tricky to get, and you'll probably lose it if the other side reloads.

by TeMPOraL

3/31/2026 at 12:20:21 AM

oh so I'm not the only one, always believed Apple was the hard ass but I've been having a better experience with them.

by thomasgeelens

3/31/2026 at 6:21:35 AM

If I do software for Windows, Linux or FreeBSD I don't need verification. And potential users aren't required to get software only from a certain app store.

This is a case of companies forcing things on us "for our own good" and them knowing better than us what is good for us or not.

by DeathArrow

3/31/2026 at 10:36:17 AM

It's a pathetic excuse of a reason. Google Ads is a mechanism for scam delivery, probably 90 times more effective than sideloaded scam apps.

by mhitza

3/31/2026 at 11:01:37 AM

Sounds like age verification exp in EU....

Maybe not expose potential internet users to such a high obstacle if your goal is to get their eyeballs to buy your advertised product???

by fredgrott

3/30/2026 at 10:22:16 PM

Sorry, but absolutely not.

I stuck with Android for years as a dev as I once did Android apps and occasionally do tinker.

This is my last Android phone and Jolla is my next phone.

by stuaxo

3/30/2026 at 10:48:53 PM

I really want to like the concept of Jolla / a European mobile alternative but I see no reason why they're closed source SW in 2026. Open source everything, let the community help develop, and sell your hardware (and support/deals for B2B).

A single for-profit company owning the full HW and SW stack? My trust in companies lately is at a lifetime low. It just leaves a bad taste in my mouth.

by birdsongs

3/30/2026 at 10:51:18 PM

Ooh, are you gonna go for their Ubuntu touch alternative, or their own OS?

by amarant

3/31/2026 at 12:53:19 PM

I'll probably ship PWAs but hope those are not killed by Google.

by wg0

3/31/2026 at 1:51:09 AM

It's kinda funny. I used to run custom roms all Android phones came with a shit OS.

I stopped because Pixel AOSP phones were actually decent.

Now I guess I'll be buying phones based on which I can flash with custom roms again.

by jaimex2

3/31/2026 at 1:55:17 PM

good luck finding a phone with custom ROM support, when there will be no phones with bootloader unlock available :(

by fensgrim

3/30/2026 at 10:33:18 PM

I don't see a way out of this except government regulation. The EU has the most motivation to do it, as a huge economic bloc with a lot of motivation right now to become as independent from the US as possible.

I guess I can sort of manage to keep my head above water and keep buying secondhand phones which I unlock and install a supported version of LineageOS. But it's cumbersome, it gets more difficult and more restrictive every time. And I literally have a doctorate in computers for crying out loud! Is there any hope for Granny? For a kid? For >99% of people? Of course not.

This is so clearly a matter for government oversight: prevent abuse, monopolies, protect the citizen's safety, rights, welfare, etc. It's not reasonable to expect consumers to figure out if the meat they buy is tainted, just as it's not to figure out if their phone spies on them, manipulates information, or sells their data (especially when there's a duopoly). That's why we have laws and food inspectors, paid for by the public, working for the public. Same thing with digital rights.

by andrepd

3/30/2026 at 10:41:47 PM

> I don't see a way out of this except government regulation.

IMHO governments are partially behind those initiatives so they are unlikely to regulate themselves - the reason that in the last few years they intensified work on Digital ID, Age Verification, Chat control, KYC, etc.

by pzo

3/30/2026 at 10:54:28 PM

EU is schizophrenic enough that it often produces very conflicting directions, opinions and policies.

One thing EU loves is regulation though, so I expect they will introduce preemptive regulations to enforce strict ID verification as well as regulations to fine big companies for breaching user privacy with strict ID verification policies.

by nout

3/31/2026 at 8:53:48 AM

ID verification for app stores already discussed and voted behind closed-doors trilogue meetings, unelected governments like darkness:

https://www.patrick-breyer.de/en/end-of-chat-control-eu-parl...

"Next up in the ongoing trilogue, lawmakers will negotiate whether messenger and chat services, as well as app stores, will be legally obliged to implement age verification."

by zoobab

3/30/2026 at 10:50:44 PM

For the limits on side-loading in particular, there are a few Southeast Asian nations (I can't recall, Vietnam? Thailand?) where almost all internet access is via Android, including banking. And social engineering fraud, where they call someone up, pretend to be the bank, and get them to side-load malware, has become a major financial, and political problem.

AIUI, they have told Google to find a fix, or else.

by lokar

3/30/2026 at 11:16:13 PM

> pretend to be the bank, and get them to side-load malware, has become a major financial, and political problem.

I've been living in SE Asia for a few years each in Thailand, Malaysia, Indonesia, Vietnam and really didn't notice that this is supposed to be like a major political problem.

'Fraud' is the same smoke screen and excuse as 'protect the children from social media or pedophiles'.

by pzo

3/30/2026 at 11:22:21 PM

I can't find it now, but the article I read seemed to say that the gov was specifically upset about the banking issue, and might tell the banks they can't allow apps anymore.

by lokar

3/31/2026 at 1:39:24 AM

Someone has to stop the pedophiles from using social media to scam vulnerable children out of their millions of hard earned robux.

by fc417fc802

3/30/2026 at 10:49:58 PM

There are different governments and different subdivisions within any given government. The only thing you need to get a government that had been pushing Chat Control to do some trust busting is to get more votes.

by zrm

3/31/2026 at 1:52:41 AM

But what motivation has the EU to promulgate these regulations?

* Chat control is toothless if users can simply side-load an app without snooping.

* The EU companies who successfully lobbied for regulations against Apple now see that the 15% tax is worth it when they can A/B test the counterfactual. So those companies no longer care if Google will do the same thing.

* The EU is now in an awkward position that it is ok for a newspaper to sell your personal info via pay-or-consent, but not for a social network to do it. Some will keep yammering on about "gatekeepers", but it's sort of an emperor has no clothes moment.

* Declaring that iPadOS is a gatekeeper (after it failed to meet the quantitative criteria for such) was another such emperor has no clothes moment. The whole "gatekeeper" narrative has turned into a farce.

* The people commenting on this forum are not even a rounding error in the EU electorate.

> It's not reasonable to expect consumers to figure out if the meat they buy is tainted, just as it's not to figure out if their phone spies on them, manipulates information, or sells their data (especially when there's a duopoly).

Indeed! Neither would it be reasonable for the sellers of meat to demand anonymity! If one sells tainted meat, he should be held accountable! We should identify him!

Yet, the creators and sellers of software for a General Purpose Computer (remember, that is the argument why phones should be regulated) demand that they should be above the law, anonymous and unaccountable!

Schrodinger's computing device: The one which is so vital to everyday life that we must not prohibit the user to run whatever software he likes, yet so unimportant that we have not a care in the world to identify any fraudster who might wish to distribute software.

by burnerthrow008

3/30/2026 at 11:16:01 PM

"This is so clearly a matter for government oversight: prevent abuse, protect the citizen's safety, rights, welfare, etc. It's not reasonable to expect consumers to figure out if the meat they buy is tainted, just as it's not to figure out if the APPS THEY INSTALL spies on them, manipulates information, or sells their data"

Do you see how quickly that argument can be flipped to support what Google is doing here? Honestly I wouldn't be surprised if half the reason to lock down phones is because governments keep pressuring them to do so.

by seanalltogether

3/30/2026 at 11:27:13 PM

I'm wondering if the EU is complicit in this somehow, despite claiming that they want to fight back against tech companies.

The EU Commission is currently pushing the shitty EU Identity Wallet for mandatory age verification, and it requires Google Play Services to be installed for "anti-tampering". That also means a ban on non official versions of Android like LineageOS and GrapheneOS.

by EmbarrassedHelp

3/31/2026 at 7:50:54 AM

The DMA team replied to me that they did not see any legal issues with Google enforcing mandatory ID for sideloading apps.

We need an urgent upgrade of the DMA v2.0, in the fast paced Omnibus package.

Feel free to post proposals here.

by zoobab

3/31/2026 at 7:59:41 AM

On the DMA, I have said that it does not go far enough, the Operating System (OS) market should be opened up, with a regulation in place so that alternative mobile and non-mobile OSes can be installed by the end user, notably by the mandatory registration and publication of technical hardware specifications, unlocking of bootloaders, etc...

30 years ago, the Linux community fought the pre-installed Windows tax and mostly lost that fight.

by zoobab

3/31/2026 at 7:51:21 AM

The "anti-tampering" excuse lands flat when sideloaded apps on stock Android can still touch the same sensitive data through Play Integrity, and the only people it shuts out are the ones technical enough to care about their own OS. That is vendor lock-in. For a bloc that spends half its time scolding Big Tech, the Commission looks weirdly happy to route age checks and state ID through Google Play Services.

by hrmtst93837

3/30/2026 at 10:58:03 PM

You'd think in 2026 regulators would finally step up their game to break up the mobile app distribution duopoly.

And Google thinks it can pull this ridiculous stunt.

by user34283

3/30/2026 at 11:10:46 PM

The thing is, the EU needs to be able to not only sell that the regulation they propose is good to the public, but also not piss off the US administration.

Most people are too non-technical to understand why this is a bad thing even when it's explained to them. Plus, whatever administration is in power in the US has a lot of influence.

Trump has already said that he wouldn't tolerate regulation that affects American companies [1], painting regulation that happens in another country as something that will affect US citizens. (I mean if you use the GDPR as an example, it's not wrong. Think of cookie pop ups while browsing the web in the US)

I would like it if the EU would go harder with their regulations, because it usually results in other countries or states following their lead, but I don't see that happening. Regulation has been painted as "bad", and we have at least 3 more years until that changes.

[1] https://www.cnn.com/2026/01/12/tech/us-eu-tech-regulation-fi...

by retrodaredevil

3/31/2026 at 2:09:19 AM

> Trump has already said that he wouldn't tolerate regulation that affects American companies

This lays bare the stupidity of applying the pay-or-consent law to only Facebook and not everyone. Every important newspaper in Europe has pay-or-consent. It does not matter that each one individually is smaller, the effect is the same.

The law was carefully crafted to ensure European businesses (newspapers) are not "gatekeepers" while ensuring American businesses (social networks) are. That fact did not go unnoticed in the rest of the world.

by burnerthrow008

3/31/2026 at 7:02:14 AM

So? There is a fundamental difference. The app stores have effectively become utility companies through the Android-iOS duopoly and it is nigh-impossible to make a new competitive ecosystem. Utility companies are regulated because they can distort the market with their power otherwise. E.g. if the power lines are owned by a single company (which is the case in many countries), if they were not regulated, they could pretty much ask any price. What are you going to do to compete? Roll out a completely new power grid? The Android/iOS duopoly is the same, the fact that they could ask for an insane 30% (!) of every transaction before the regulatory squeeze started should tell you enough.

The newspaper market is very different, because there are many players and you can always go to a competitor. There are even newspapers that make all content available and ask an optional donation (e.g. Taz in Germany or to some extent The Guardian, who do not seem to actively block ad blockers).

by microtonal

3/30/2026 at 10:49:16 PM

Yeah, no. No one needs your spyware.

by parrellel

3/31/2026 at 3:14:47 AM

Google freaked out that Apple had a better reputation and went all in on fucking their Android store up. Everything about it is worse now than it was before. So tiring.

by myko

3/31/2026 at 11:56:31 AM

In the last few years all apps I install in a phone come outside of Play Store, because either they are full of ads, throttle their usage or simply similar ones don't exist. Without them the phone loses half of its functionality, which is pretty much. So, I am willing to wait a day in the "advanced flow" to keep a multi-year experience.

by tsoukase

3/31/2026 at 12:22:58 AM

Don't love it but (1) it's addressing a serious problem and I'm not sure what the alternative is and (2) if you all remember the starting place, it was staggeringly, dramatically worse, practically a death sentence for F-Droid and seemingly testing the waters for if they could simply power through and do it despite objection.

This is a major course correction that doesn't kill F-Droid. A one time 24 hour hoop to jump through and then never again is monumentally better than losing F-Droid forever.

by glenstein

3/31/2026 at 12:33:33 AM

Is it a serious problem that you can run whatever software you want on your computer? Should we make it so that no one can do that without permission to protect them?

I recommend Cory Doctorow's talk on why this is a serious problem for society:

https://en.wikisource.org/wiki/The_Coming_War_on_General_Com...

https://www.youtube.com/watch?v=HUEvRyemKSg

by supern0va

3/31/2026 at 1:08:55 PM

Could you try to put more of an effort into keeping the specifics in view and not turning the whole conversation into a view from 10,000 ft filled with drive by generalities? You might as well be linking to a Wikipedia entry on 1984.

We have moved away from an existential threat to F-Droid to a speed bump which lets it live. As is often the case, it's a both can be true situation in that I don't like the ratcheting up of restrictions, but think it's possible without contradiction to note how the change over time has impacted F-Droid compared to prior iterations of the proposed policy.

It disappoints me that people on HN aren't sufficiently in control of their own attention to the point of being able to show up to that conversation, as the fate of F-Droid has been central to this saga if you've been following it over previous HN threads.

by glenstein

3/31/2026 at 1:37:16 AM

Yes, lots of vulnerable users get harmed by modern tech. E.g. people have lost their minds using AI, their livelihoods using smartphones, their life savings using the Internet. In general, I prefer a solution where any mental health issue (age-related infirmity, ADHD, etc.) results in protection from modern exploitative tech like this.

Every application use for such people should be supervised by a government official trained to ensure you are not hurting yourself.

This way people who want to use AI, smartphones, or the Internet can do so if they’re healthy and the mentally disabled can be protected. We know that this need exists because even on this “Hacker” News forum everyone gets very upset when a mentally disabled person gets injured after AI use.

by renewiltord

3/31/2026 at 3:55:43 AM

Not enough people give a shit about "general purpose computing" to matter. They use computers for a few things and as long as they can do those things they're fine with it. My wife loves all her Apple gear. It provides her with a wonderful, curated experience. Okay, maybe it hasn't been so good with recent iOS releases but it still beats Android or Microslop. Being able to hack, modify, or install arbitrary stuff on your device is something only a minority of a minority care about, statistical noise in the quarterly sales figures. When you compare that to the harm done by malware, illegal or indecent material, and the negative blowback to YOUR OS's reputation—or worse, the "felony contempt of business model" enabled by a general-purpose OS (piracy, ad blocking, etc.)—it's a no-brainer to implement restrictions.

by bitwize

3/31/2026 at 5:38:34 AM

> Is it a serious problem that you can run whatever software you want on your computer?

Unfortunately. I talked about this a bit on LWN: https://lwn.net/Articles/1063741/

The problem is very, very real. I don't doubt that Google also has ulterior motives, but in this case they _are_ justified at least partially.

by cyberax

3/31/2026 at 8:35:24 AM

Why doesn't Debian have this serious problem?

by fsflover

3/31/2026 at 5:11:45 PM

Because Debian is not used by people in Asian countries in any appreciable numbers?

by cyberax

3/31/2026 at 8:15:08 PM

The xz attack proves that Debian is a big target though.

by fsflover

3/31/2026 at 12:44:58 AM

It's pretending to address a serious issue while giving Google significant power to limit distribution of apps Google doesn't like, which could sometimes include legal apps that certain governments don't like such as the recently famous ICEBlock.

Google says they don't intend to do that, but even if I believe that's their current intention, they have a strong incentive to do otherwise in the future. Incentives predict outcomes more reliably than intentions.

I say it's pretending because scammers are good at shifting tactics. If convincing users to install malware ceases to be the path of least resistance, they'll convince users to install legitimate remote access utilities, hand over credentials directly, or some other scheme I haven't thought up because I'm not a scammer.

by Zak

3/31/2026 at 1:21:42 AM

> they have a strong incentive to do otherwise in the future.

The reality is far worse than that. Remember FBI vs Apple? That defense came down to Apple not having software in place that could facilitate the demand being made of them. If they'd had such a system they would presumably have been required to comply.

The government can presumably get an illegal app forcibly removed from an app store but at present you could still install it yourself. With this system they could compel Google to block it entirely.

by fc417fc802

3/31/2026 at 1:42:38 AM

F-Droid has spent many years trying to step out of the "only for technical/power users" into the "This is a tool that normal phone users should have and use". A one time 24hr wait moves back to the "F-Droid is only for technical users" big time.

Bought a new phone? Moved from iPhone to Android? Want help from your friend/family member/librarian/other to set up your new phone for getting apps? Sorry, you need to come back a day later before you can actually use it.

Guess what the normal/non-tech user does in this 24hr period? Go to Play Store, install a bunch of apps, forget that you had the desire to use an alternative.

This indeed does make F-Droid no longer a tool for normal people, but only a tool for those willing to do a bunch of "Advanced" things on their phone. By definition, not regular users.

by pserwylo

3/31/2026 at 12:31:42 AM

"Meet me in the middle" says the unjust man.

You take a step forward.

He takes a step back.

"Meet me in the middle" says the unjust man.

by snackbroken

3/31/2026 at 12:26:37 AM

It's only a "serious problem" because they want you to think it is.

by userbinator

3/31/2026 at 7:24:05 AM

Phone sellers should enforce a mandatory 30 days no use after purchasing to ensure that people are not harmed by phone usage.

Newspapers should only report news at a minimum 7 days after the fact to ensure accurate reporting.

Toasters should lock everything in until it's completely room temperature to avoid accidental burns.

These are serious problems.

by tvbusy

3/31/2026 at 7:31:58 PM

Straw man arguers should draft a comment and not send it for 24 hours to make sure they're not strawmanning.

by glenstein

3/31/2026 at 6:42:08 AM

It addresses YouTube app showing an ad that installs malware from Google Play?

by TiredOfLife

3/31/2026 at 1:42:14 AM

What's the serious problem?

by fluoridation

3/30/2026 at 11:20:44 PM

It really seems like they are doing a lot to appease the tiny minority of us power users, adb load unaffected, one time toggle in settings to opt out, no change to alternative app stores as long as the apk was built by a verified developer. Crazy how harsh the sentiment is here, there are real people being harmed by scam apps intercepting sms one time codes and this will reduce the rate of that happening. It's not like we can't sideload anymore, though a lot of comments here seem to be implying otherwise.

by TGower

3/30/2026 at 11:59:02 PM

Because this is a glide path to what they really want, look at Apple and running unsigned apps on your Mac, how it started, simple right click, how is it going, near impossible.

by hnburnsy

3/31/2026 at 12:41:07 AM

How it started: almost everything is signed, even pirated apps

How it's going: almost everything is signed, even pirated apps.

????

by selectively

3/30/2026 at 11:22:34 PM

Because the initial announcement included none of that... it wasn't addressed at all until the harsh sentiment.

by kcb

3/31/2026 at 1:52:36 AM

It still hasn't been addressed. They walked back half of their wholly unreasonable position in an attempt to legitimize the other half.

by fc417fc802

3/30/2026 at 11:25:15 PM

Then shouldn't we celebrate the victory, drop it, and move on?

by TGower

3/30/2026 at 11:41:36 PM

Victory is my device and its OS working the same way it always worked and the way it worked when I bought it.

by kcb

3/31/2026 at 12:00:24 AM

Just don't install the OS updates then.

by TGower

3/31/2026 at 1:50:44 AM

> intercepting sms one time codes

Crazy idea, maybe they shouldn't be using those then. Maybe they should use email? Or god forbid a TOTP app. Or perhaps webauthn via the platform provided authenticator.

They very clearly aren't behaving in good faith. That's why the harsh sentiment.

by fc417fc802

3/31/2026 at 12:53:22 AM

But that "tiny minority" are the people developing apps, which all their other users use... if you drive away devs from wanting to develop on your platform that's not going to go well for you (of course, they may still be forced to develop for Android if they want a wide audience, but you're driving away hobbyists with new ideas)

by circuit10

3/31/2026 at 2:50:16 AM

I still don't get how they are driving away devs. It's super easy for us to click the setting. If I urgently need to test my app during the 24 hour waiting period, I can just adb it on my device.

Based on the reaction here, it's obvious I'm missing something here, but I just don't see any real reason devs are feeling like they are being driven away. It's hardly more of an inconvenience than enabling developer mode, and I feel like we all get why they hide the developer settings menu behind that.

by TGower

3/30/2026 at 11:25:06 PM

Those scam apps largely are installed from the Play store. Let them fix that first.

by brnt

3/30/2026 at 11:30:19 PM

Really, there are apps that will intercept and exfiltrate your bank one time code sms that are just sitting on the play store? First I'm hearing of this, what's the name of one?

by TGower

3/31/2026 at 5:29:03 AM

Many of the most popular apps on the Play Store will monitor all activity on your device and send it to a for-profit company.

by xigoi

3/31/2026 at 7:05:02 AM

The pre-installed privileged services will monitor all activity on your device and send it to a for-profit company.

by microtonal

3/31/2026 at 12:45:35 AM

Your post is an outright lie.

by selectively