Rendered at 15:10:33 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
annagio_ 1 days ago [-]
I have couple apps from f-droid, and I'm not prepared for this. Let's hope something happens, otherwise rip.
mike_hearn 1 days ago [-]
Bad title. It should read "Android Developer Verification" or something similar.
cromka 1 days ago [-]
It's Holwerda's typical absolutist, extreme take.
mindcrash 1 days ago [-]
I really don't see how Google will make Samsung and the big Chinese Android phone manufacturers (Xiaomi, OnePlus, ...) put this crap on their own custom Android distributions, especially because all these guys know that if they do it will have a very severe cost -- Besides Play and the Galaxy Store F-Droid is probably the third most popular distribution channel for Android apps on Galaxy devices, for example.
So I do think the only people who will be really affected by this are those running Google's own Pixel devices which are entirely locked into the Play ecosystem. The rest not so much.
sunaookami 1 days ago [-]
It's already installed on every Google-certified Android device through the Google Play Services
preisschild 5 hours ago [-]
> So I do think the only people who will be really affected by this are those running Google's own Pixel devices which are entirely locked into the Play ecosystem. The rest not so much.
Ironically its the opposite because Google's Pixel series are relatively open and thus its possible to install Android forks (GrapheneOS, LineageOS) without Google Mobile Services that contain ADV
ChocolateGod 1 days ago [-]
It's part of Google Play Services, so it's already integrated into Xiaomi, OnePlus etc phones.
red-iron-pine 23 hours ago [-]
pixel users can lean on GraphineOS, for now
pjerem 1 days ago [-]
Google is used to put their shit into the Google Play Store contract they have with manufacturers.
Samsung, XiaoMi and OnePlus will let this pass because that will be that or losing access to Play Store. Oh and also they frankly don’t care at all because 99% of people will not know.
Android distribution are already incredibly shitty and most people are used since the 90s to have their computers and now their phones full of junk software. The average smartphone is not that different from the average windows XP/Vista PC of the 2000 era, with crapware everywhere, apps that are doing a lot of malicious things without the user even knowing (or frankly, caring).
For you and me it’s something unacceptable, but for most people it’s just the nth layer of enshitification.
VaderAi 12 hours ago [-]
Doubt it as google push Android and Android is said to have a better camera than apple..but stats show 50/50 between two
I never thought I’d need to go back to custom ROMs, but here we are.
ggm 1 days ago [-]
... as an open platform. Android as a mobile and home device OS is approaching 4 billion.
mdp2021 1 days ago [-]
Hackers will be concerned with the open platform.
cyanydeez 16 hours ago [-]
so whats stopping a realFOSS fork of android? are boot loaders locked? too much diversity? do we need to buy one of those phone farms used by botters?
soraminazuki 9 hours ago [-]
FOSS fork of Android is useless without hardware capable of running them. Which means you need hardware manufacturers and telecom companies on your side.
preisschild 5 hours ago [-]
Google Pixels are open ;)
soraminazuki 3 hours ago [-]
Except Google is the very company progressively shutting out open source efforts out of the Android ecosystem.
akimbostrawman 7 hours ago [-]
Nothing they will continue to work just like before, this is only an issue if you include the proprietary rootkit that is google play services.
ChocolateGod 1 days ago [-]
I lost a lot of sympathy for these campaigns when they started to use hyperbole.
ADV is not a virus, nor a trojan horse.
> killing the ability to install your own software on your phone
But you can still install whatever you want over ADB...
jsiepkes 1 days ago [-]
> But you can still install whatever you want over ADB...
...if you wait 24 hours.
And also thanks to the new Google Play attestation API a lot of apps won't even work on alternative Android OS'es. But that's all needed in the name of security. Never mind if your Samsung Galaxy phone is EOL and hasn't been receiving updates for 4 years anymore. It still works with the attestation API. But the fully updated GrapheneOS phone is a real security hazard apparently, so it won't work with it.
So no, you can't just run everything you want via side-loading. It's pretty obvious Google is making a power play to curb down on everything that isn't going via Google Play.
ChocolateGod 1 days ago [-]
> ...if you wait 24 hours.
False.
ADB is not restricted at all, the moment you enable developer options and enable ADB you can install an APK.
The Google "wait 24 hour" flow only triggers if you install an APK off the web.
Ok, that's some good news. Still leaves the attestation API though. Which makes using a non-Google sanctioned device a non-viable option. Also don't forget that the source code for Android is now, since 2026, only released twice a year (i.e. every 6 months).
So overall it's quite clear which direction Google is moving in. They are clamping down on the ecosystem.
ChocolateGod 1 days ago [-]
> Still leaves the attestation API though. Which makes using a non-Google sanctioned device a non-viable option
The attestation API isn't Google 'being evil', it exists as part of legal requirements that exists, namely for financial and banking applications.
Any alternative platform that wanted similar kind of apps would almost certainly have to implement a similar system.
> Ok, that's some good news
The fact you thought wrong shows the confusion being caused by these factually incorrect articles.
ulrikrasmussen 1 days ago [-]
What legal requirements are you referring to?
angoragoats 1 days ago [-]
> as part of legal requirements that exists, namely for financial and banking applications.
Please cite the laws or regulations you’re referring to, because I don’t think there are any.
ChocolateGod 1 days ago [-]
PCI-DSS (enforced by banks/payment processors) means the EMV token store on your Android phone must be in an isolated uncompromised location (usually the TEE).
If your phone is rooted or has an unlocked bootloader then it's possible that trusted store is no longer secure or can be snooped on by a third party. Given Google Wallet/Pay handles EMV tokens and stores them on the phone, it has to pass PCI-DSS before banks will allow it.
This is the biggest reason why Google tries as much as possible to block Google Pay on rooted/unlocked devices. If a device fails compliance (a rooted phone certainly does), as far as banks are concerned it's not safe.
But people just find it easier to say "Google is Evil".
You also have the EUs Payment Services Directive (so a law) which require strong customer authentication, rooted devices can also fail up here. If anyone else than the user is able to unlock the screen (and thus authenticate a payment), you've failed the Payment Services Directive.
jsiepkes 18 hours ago [-]
> You also have the EUs Payment Services Directive (so a law) which require strong customer authentication, rooted devices can also fail up here.
Plain wrong. PSD3 does not apply to "digital wallets" [1] ("This Directive also does *not* cover, in its scope, the provision of technical services including processing or the operation of digital wallets.").
> If your phone is rooted or has an unlocked bootloader then it's possible that trusted store is no longer secure or can be snooped on by a third party.
That's also wrong. Even with a rooted phone you can't mess or snoop on data in the trusted execution environment. The isolation is enforced in hardware.
> If a device fails compliance (a rooted phone certainly does), as far as banks are concerned it's not safe.
If this were about security, then why allow phones which have known security vulnerabilities (and no longer receive updates) to pass the Google Play Integrity API tests?
> But people just find it easier to say "Google is Evil".
Apparently you also find it easy to forgo about the history of Android. Like how Google introduced the Google Play API about a decade ago and did a "Embrace, extend, extinguish" thing. You also conveniently stay silent on things like the fact that Google now only releases the Android sources only twice a year.
> Even with a rooted phone you can't mess or snoop on data in the trusted execution environment
A rooted phone can have a modified runtime/kernel that can inject code into whatever processes it sees fit, including Google Pay.
Which can expose information being sent to and read from the TEE by the app.
> Plain wrong. PSD3 does not apply to "digital wallets" [1] ("This Directive also does not cover, in its scope, the provision of technical services including processing or the operation of digital wallets.").
The legislation still applies to the bank behind Google Pay.
jsiepkes 8 hours ago [-]
> A rooted phone can have a modified runtime/kernel that can inject code into whatever processes it sees fit, including Google Pay. Which can expose information being sent to and read from the TEE by the app.
You seem to have now realized (?) you can't modify or see data in the trusted execution environment from the host OS (rooted or not). Meaning the point you made earlier: "means the EMV token store on your Android phone must be in an isolated uncompromised location (usually the TEE)." is not affected by your phone being rooted.
So you have shifted your argument from "the store is unsafe" (false) to "the data in transit to the app might be observable". PCI-DSS doesn't require you to have something like Google Play Integrity API for that.
> The legislation still applies to the bank behind Google Pay.
You started out with that the Google Play integrity API was a hard requirement to comply with legislation (false). Sure, banks are still responsible for fraud under that legislation. But that is a very broad statement which doesn't require Google Play integrity API. GrapheneOS proved you can do attestation in an open way. Google just chose to do it in a way which ties you to Google and further locks down the Android ecosystem.
angoragoats 14 hours ago [-]
Okay, so you were mostly referring to payment industry standards, not laws or regulations.
> PCI-DSS (enforced by banks/payment processors) means the EMV token store on your Android phone must be in an isolated uncompromised location (usually the TEE).
Do you have a citation for this? My understanding is that the whole point of EMV tokenization is that it masks the sensitive cardholder data that would otherwise have to be protected in a PCI compliant way. In other words, I don’t think the data that is stored on your phone is covered by PCI-DSS.
And as another poster already mentioned, I don’t think the EU law you’re citing works the way you claim it does.
preisschild 5 hours ago [-]
> And also thanks to the new Google Play attestation API a lot of apps won't even work on alternative Android OS'es.
Tbf to Google, AFAIK they aren't forcing third party app developers to enforce Safetynet/Google attestation.
gonzalohm 1 days ago [-]
Same kind of hyperbole that Google uses saying that "they have to do this because it's too dangerous for users to install whatever they want"
preisschild 1 days ago [-]
By definition Google Mobile Services are a rootkit and have always been, not only since ADV...
antonvs 1 days ago [-]
Oh no, hyperbole! How ever will you recover?!
This has the same energy as “I lost a lot of sympathy for these political protests when they mildly inconvenienced me on my commute.”
If you don’t agree with something, just say so. You don’t need to hide behind fake pearl clutching.
ChocolateGod 1 days ago [-]
It does as much good for the cause as those climate activists who glue themselves to motorways and block ambulances.
dTal 1 days ago [-]
So quite a lot then?
kbelder 19 hours ago [-]
It does a lot; just not any actual accomplishing of goals.
antonvs 21 hours ago [-]
Martin Luther King wrote about that attitude:
> First, I must confess that over the last few years I have been gravely disappointed with the white moderate. I have almost reached the regrettable conclusion that the Negro’s great stumbling block in the stride toward freedom is not the White citizens’ “Councilor” or the Ku Klux Klanner, but the white moderate who is more devoted to “order” than to justice; who prefers a negative peace which is the absence of tension to a positive peace which is the presence of justice; who constantly says “I agree with you in the goal you seek, but I can’t agree with your methods of direst action” who paternalistically feels that he can set the timetable for another man’s freedom; who lives by the myth of time and who constantly advises the Negro to wait until a “more convenient season.” Shallow understanding from people of good will is more frustrating than absolute misunderstanding from people of ill will. Lukewarm acceptance is much more bewildering than outright rejection.
Certainly, the stakes are lower in this case, but the claim that the use of hyperbole causes you to "lose a lot of sympathy" is an obvious excuse for a position that you would have taken anyway.
So I do think the only people who will be really affected by this are those running Google's own Pixel devices which are entirely locked into the Play ecosystem. The rest not so much.
Ironically its the opposite because Google's Pixel series are relatively open and thus its possible to install Android forks (GrapheneOS, LineageOS) without Google Mobile Services that contain ADV
Samsung, XiaoMi and OnePlus will let this pass because that will be that or losing access to Play Store. Oh and also they frankly don’t care at all because 99% of people will not know.
Android distribution are already incredibly shitty and most people are used since the 90s to have their computers and now their phones full of junk software. The average smartphone is not that different from the average windows XP/Vista PC of the 2000 era, with crapware everywhere, apps that are doing a lot of malicious things without the user even knowing (or frankly, caring).
For you and me it’s something unacceptable, but for most people it’s just the nth layer of enshitification.
ADV is not a virus, nor a trojan horse.
> killing the ability to install your own software on your phone
But you can still install whatever you want over ADB...
...if you wait 24 hours.
And also thanks to the new Google Play attestation API a lot of apps won't even work on alternative Android OS'es. But that's all needed in the name of security. Never mind if your Samsung Galaxy phone is EOL and hasn't been receiving updates for 4 years anymore. It still works with the attestation API. But the fully updated GrapheneOS phone is a real security hazard apparently, so it won't work with it.
So no, you can't just run everything you want via side-loading. It's pretty obvious Google is making a power play to curb down on everything that isn't going via Google Play.
False.
ADB is not restricted at all, the moment you enable developer options and enable ADB you can install an APK.
The Google "wait 24 hour" flow only triggers if you install an APK off the web.
https://www.reddit.com/r/Android/comments/1rzd0is/mishaal_ra...
So overall it's quite clear which direction Google is moving in. They are clamping down on the ecosystem.
The attestation API isn't Google 'being evil', it exists as part of legal requirements that exists, namely for financial and banking applications.
Any alternative platform that wanted similar kind of apps would almost certainly have to implement a similar system.
> Ok, that's some good news
The fact you thought wrong shows the confusion being caused by these factually incorrect articles.
Please cite the laws or regulations you’re referring to, because I don’t think there are any.
If your phone is rooted or has an unlocked bootloader then it's possible that trusted store is no longer secure or can be snooped on by a third party. Given Google Wallet/Pay handles EMV tokens and stores them on the phone, it has to pass PCI-DSS before banks will allow it.
This is the biggest reason why Google tries as much as possible to block Google Pay on rooted/unlocked devices. If a device fails compliance (a rooted phone certainly does), as far as banks are concerned it's not safe.
But people just find it easier to say "Google is Evil".
You also have the EUs Payment Services Directive (so a law) which require strong customer authentication, rooted devices can also fail up here. If anyone else than the user is able to unlock the screen (and thus authenticate a payment), you've failed the Payment Services Directive.
Plain wrong. PSD3 does not apply to "digital wallets" [1] ("This Directive also does *not* cover, in its scope, the provision of technical services including processing or the operation of digital wallets.").
> If your phone is rooted or has an unlocked bootloader then it's possible that trusted store is no longer secure or can be snooped on by a third party.
That's also wrong. Even with a rooted phone you can't mess or snoop on data in the trusted execution environment. The isolation is enforced in hardware.
> If a device fails compliance (a rooted phone certainly does), as far as banks are concerned it's not safe.
If this were about security, then why allow phones which have known security vulnerabilities (and no longer receive updates) to pass the Google Play Integrity API tests?
> But people just find it easier to say "Google is Evil".
Apparently you also find it easy to forgo about the history of Android. Like how Google introduced the Google Play API about a decade ago and did a "Embrace, extend, extinguish" thing. You also conveniently stay silent on things like the fact that Google now only releases the Android sources only twice a year.
[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52...
A rooted phone can have a modified runtime/kernel that can inject code into whatever processes it sees fit, including Google Pay.
Which can expose information being sent to and read from the TEE by the app.
> Plain wrong. PSD3 does not apply to "digital wallets" [1] ("This Directive also does not cover, in its scope, the provision of technical services including processing or the operation of digital wallets.").
The legislation still applies to the bank behind Google Pay.
You seem to have now realized (?) you can't modify or see data in the trusted execution environment from the host OS (rooted or not). Meaning the point you made earlier: "means the EMV token store on your Android phone must be in an isolated uncompromised location (usually the TEE)." is not affected by your phone being rooted.
So you have shifted your argument from "the store is unsafe" (false) to "the data in transit to the app might be observable". PCI-DSS doesn't require you to have something like Google Play Integrity API for that.
> The legislation still applies to the bank behind Google Pay.
You started out with that the Google Play integrity API was a hard requirement to comply with legislation (false). Sure, banks are still responsible for fraud under that legislation. But that is a very broad statement which doesn't require Google Play integrity API. GrapheneOS proved you can do attestation in an open way. Google just chose to do it in a way which ties you to Google and further locks down the Android ecosystem.
> PCI-DSS (enforced by banks/payment processors) means the EMV token store on your Android phone must be in an isolated uncompromised location (usually the TEE).
Do you have a citation for this? My understanding is that the whole point of EMV tokenization is that it masks the sensitive cardholder data that would otherwise have to be protected in a PCI compliant way. In other words, I don’t think the data that is stored on your phone is covered by PCI-DSS.
And as another poster already mentioned, I don’t think the EU law you’re citing works the way you claim it does.
Tbf to Google, AFAIK they aren't forcing third party app developers to enforce Safetynet/Google attestation.
This has the same energy as “I lost a lot of sympathy for these political protests when they mildly inconvenienced me on my commute.”
If you don’t agree with something, just say so. You don’t need to hide behind fake pearl clutching.
> First, I must confess that over the last few years I have been gravely disappointed with the white moderate. I have almost reached the regrettable conclusion that the Negro’s great stumbling block in the stride toward freedom is not the White citizens’ “Councilor” or the Ku Klux Klanner, but the white moderate who is more devoted to “order” than to justice; who prefers a negative peace which is the absence of tension to a positive peace which is the presence of justice; who constantly says “I agree with you in the goal you seek, but I can’t agree with your methods of direst action” who paternalistically feels that he can set the timetable for another man’s freedom; who lives by the myth of time and who constantly advises the Negro to wait until a “more convenient season.” Shallow understanding from people of good will is more frustrating than absolute misunderstanding from people of ill will. Lukewarm acceptance is much more bewildering than outright rejection.
Certainly, the stakes are lower in this case, but the claim that the use of hyperbole causes you to "lose a lot of sympathy" is an obvious excuse for a position that you would have taken anyway.