11
votes
Android to debut "advanced flow" for sideloading unverified applications
Link information
This data is scraped automatically and may be incorrect.
- Title
- Android developer verification: Balancing openness and choice with safety
- Word count
- 580 words
The only thing I don't like is that they make you wait a full day. I understand the why, but it's really going to frustrate people who buy a new phone and immediately want to side load apps onto it. They'll have to wait a full day? That seems bizarre.
How the advanced flow works for users
Alphabet is trying very hard to assure us that this is not a big deal. Ultimately, I hope they are unsuccessful in that endeavor. At first glance, their pull back to this ground actually feels like a sane move. But when I spend time with it, I realize that this was probably the intention from the start. The plan was probably to make a move that was clearly too far so when they pull back there isn't outrage over what Alphabet actually cares about: government issued ID requirements for developers.
That's the problem I really have with their proposal. Developers having a government issued ID does absolutely nothing to build trust for me as a user. This move seems to serve corporations and governments in their move to increase surveillance, control, and wealth extraction of the digital realm.
I'm now extremely weary of Alphabet ever shipping a Fuschia OS based device. I hope this boosts interest and development in GrapheneOS, strengthens their partnership with Motorola and boosts development interest in true Linux based phones. I don't want to support this, and I hope there's a true alternative available to me when the time comes.
Devil's advocate: It means that if someone sends out a malware-riddled app outside established storefronts and their dev account gets shut down, it's much harder for them to just spin a new one back up, and if they were sloppy might even directly tell you who they are so you can shut them down entirely.
That said, I am worried given the broader trends you mention. As long as an opt-out process like this exists and isn't unreasonably onerous I can tentatively accept it (imo the steps listed here are justified for protecting the average user even if a bit annoying for users like me), but definitely side-eyeing it and worried for the future.
I'm cautiously thinking this is a good thing. I don't normally do this, but I'll make an argument based on ablism.
Android devices are primarily for mainstream users, not us techies. Technically adept users are the minority and we can deal with a few hoops to customize our phones the way we like. Or we can buy non-mainstream devices.
If a society should be judged by how it treats its least able members. It seems selfish to advocate against better protections for all the naive people out there who will get ripped off by scam artists, just for our own convenience?
I wouldn't necessarily have a problem with that if it wasn't also such a self-serving maneuver. Apple, Google etc. I'm so sick and tired of their endless excuses about security because it's gotten to a point where security excuses advantage themselves over everyone else. So while you gain security for the masses, you lose so much more because you enable giant vertically integrated companies to advantage themselves further, to further entrench their position and further make everyone more dependent on them.
I don't think you can easily separate the gains in security with the losses in healthy competition both now and potential futures where such compromises didn't exist or were handled differently.
It's true that it does more than one thing. I'm not sure there's any way around it? The ability to install apps written by complete strangers is both a security risk and a way of enabling competition.
But for any serious competitior, paying $25 for an id check doesn't seem like all that big a hurdle? It seems like a rather minor speedbump.
Also, I'll point out that this isn't needed for websites, which are easier to build and very capable. Writing Android apps is a real slog.
Non-mainstream devices? The mobile ecosystem is a duopoly. The choice is Google (Android), or Apple (IOS). There are a couple of tiny Linux mobile alternatives, but as devices get more and more locked down, so does the ability to switch to something less controlling- and even if you manage to, on a device which can be bootloader-unlocked (your choices are dwindling), etc, you'll be entirely unable to perform many actions, such as mobile banking (some banks provide only a mobile interface, such as Revolut).
Not to mention the false "security" justifications which Grumble has already outlined. If anybody thinks that an inability to sideload apps easily is going to fix the malware problem, then they need to look into the issues that the Play Store has with malicious apps. The walls of the walled garden are raised a brick higher, and they must be destroyed before the mortar has set.
Does that only apply to sharing said app over the play store or will little projects that distribute a bare apk on github be affected by this?
That is for bare APK verification, so they'll skip the described advance flow, but still require some form of verification.
https://developer.android.com/developer-verification/guides/limited-distribution
Honestly? Sounds like more of a hassle than allowing unverified APKs through the advanced flow once and then clicking "install anyway" when the unverified app pop up displays at install. But maybe I'm missing something here.
My impression is the limited distribution process is supposed to be easier for a non-technical user who is only ever going to install one or two things directly from someone they know to do that without having to remove the anti-scam roadblocks in other situations, not necessarily easier for developers or power users (who probably should just use the "advanced flow" to opt out).