Hacker News: Zak's comments

Saying that computer/OS manufacturers should prevent malware is effectively equivalent to saying that they should not sell general purpose computers to the public. A general purpose computer is one that can run any program the users tells it to, which necessarily includes one that's malicious.

That doesn't necessarily preclude helping the user to notice when they're doing something dangerous, but a waiting period before the computer becomes general-purpose seems pretty extreme.


It's pretending to address a serious issue while giving Google significant power to limit distribution of apps Google doesn't like, which could sometimes include legal apps that certain governments don't like such as the recently famous ICEBlock.

Google says they don't intend to do that, but even if I believe that's their current intention, they have a strong incentive to do otherwise in the future. Incentives predict outcomes more reliably than intentions.

I say it's pretending because scammers are good at shifting tactics. If convincing users to install malware ceases to be the path of least resistance, they'll convince users to install legitimate remote access utilities, hand over credentials directly, or some other scheme I haven't thought up because I'm not a scammer.


> they have a strong incentive to do otherwise in the future.

The reality is far worse than that. Remember FBI vs Apple? That defense came down to Apple not having software in place that could facilitate the demand being made of them. If they'd had such a system they would presumably have been required to comply.

The government can presumably get an illegal app forcibly removed from an app store but at present you could still install it yourself. With this system they could compel Google to block it entirely.


It's a very small concession. The high initial friction still means when someone comes to me with a problem and I tell them the solution is in F-Droid, they have to wait a day. Most give up and pick a different, less trustworthy solution from Google Play.

Incredibly small concession that doesn’t warrant this article’s absolutely insane framing: “Even less of a problem than we thought,” “very, very good news,” “already sounded perfectly manageable.”

The author is so giddy to defend this monopolistic restriction on Google’s part. Hackers can use F-Droid without annoyance, but this really does kill any chance at normies using it. They absolutely will use the worst spyware on Google Play instead, and the author seemingly loves it.


I've given up on getting normies to care. So long as we can use these things on our own terms, it's fine.

"On our own terms", as long as it's approved by Google... for now. Surely we bear no resemblance to frogs in warming water, and we do not find ourselves praying that the deal is not further altered.

Given the Epic settlement means Google is allowing alternate app stores, and also the delay only applies for unregistered developers, I'm not certain it won't actually get easier to get folk set up on F-Droid.

It still remains to be seen what the actual requirements are, and even if F-Droid could become "approved" that doesn't mean they want to. Time will tell.


"only applies for unregistered developers" but remember the whole point is to allow Google to pull your "registered developer" status on a whim. Something they've shown over and over again they cannot be trusted with.

But if there's a court order saying Epic and F-Droid have to be registered developers, they can go to jail for doing that.

Sure. But there isn't.

Why the hell should we "mother may I" with Google for running apps on our own phones if it isn't sourced from the Play Store?

The "security" rationale is horseshit given just how much malware is readily downloadable on the Play Store. Google never cleans its own house before going after others.


Don't you know? If one elderly person gets scammed we all deserve to be infantilized.

Wouldn't it be something if, given all the surveillance already in place, law enforcement punished the scammers instead of the innocent?

But then how would they police what you install?

Maybe you have the criminal idea of installing an adblocker, for example.

That is not allowed since corporations need to make money.

The government and ad networks need to track you for your benefit.

Ads are needed before listening to each minute of a song.

You must submit to crypto miners running in the background from the ads, increasing your electricity bill and pollution.

Only USA sanctioned and approved ads are allowed, also. We wouldn't want you seeing an ad from a competing entity, right?

If you install an adblocker, you are a terrorist and broke 324582 American laws.


The scammers are often in a very different country than the victim. Finding the scammer is only 50% of the work, the other 50% is diplomacy and hoping the other side is willing to extradite. This is not made easier if the police force in the scammer's country is extremely corrupt.

This is why those scams so often rely on gift cards (or sometimes on cash which a local mule converts to crypto).


Many banking scams involve fake checks and deposits into other accounts, but I don’t see the government or banks taking active steps to stop them.

Maybe they can just sanction that person? Block them from making phone calls to the country and publishing apps?

(nevermind that the scams are extraordinarily likely to come through Meta, Google, Apple, Amazon)

They don't want users to find out who's the real scammer.

The scams are likely to come from outside Play. In the US, these scams don't run because iPhone is the dominant platform and side loading on iOS is not possible. In the rest of the world they are widespread.

"Likely"? Do you mean that based on actual data, or are you using it as a weasel word so you can present whatever convenient "facts" that benefit Google as truth?

I’m betting on the latter. No Kitboga video mentions custom Android apps. What actually appears on almost all videos are online ads/spam or fake celebrity accounts messaging random people on Facebook.

It's funny how you aggressively push solutions that ignore the most common scam vectors investigators encounter. Could it be a coincidence that your proposal conveniently places every aspect of people’s lives at the mercy of big businesses? Or that the scam vector you downplay, ads and social media, just happens to be cash cows for some of the richest companies in history?

We already have plenty of paid lobbyists cheering the transfer of wealth from the poorest to the richest. There's no need to do that dirty work for free. Weaponizing the elderly being scammed of their life savings while protecting those that benefit from it is beyond messed up.


My proposal? Who exactly do you think I am? lol

Outside Play, on YouTube or via Google Ads for many of them. Likewise for Meta ads.

The scams that are happening in the rest of the world are calls posing as bank support about urgent security issues and telling people to install apps to protect their accounts.

All the scams are for apps that are already in the Play and App store.

Absolutely! Never had one problem with apps on FDroid. Not even when the Simple Mobile Tools suite was sold to a shady company without a heads up to its users. And that safety isn't an accident.

I don't disagree about that.

Ah, sorry, there seem to be a lot of people that seem to think that side loading is an issue to anything other than Apple's and Google's profit margins.

They let so much malware in their stores already.


In the USA they tell you to install AnyDesk and remote access your computer. Or they just ask for your password. Or forge a check.

Does not sound like an Android problem. Maybe ask Microsoft or Apple about that.

Sideloading is very possible on iOS and there's an entire subculture surrounding it.

Not widespread enough to be a viable grift target.

And how much grift happens through Android side loading? (BTW, I hate that weasel word used to vilify a perfectly reasonable activity.) Practically all grift on Android happens through apps on the Play Store. People who know how to 'side load' are also usually careful and smart enough to think about what they're putting in. That's not a useful target for grifts either.

As somebody put it, Google goes after others without cleaning their own house first. It's just abuse of power at this point.


Apparently it's widespread in Asia and South America.

Are Debian repos a viable grift target?

They absolutely are and that's why they're tightly curated by maintainers.

Exactly like... you guessed it... F-Droid. Not Google Play.

FDroid has 0.2% of the app volume of the Play Store.

Don't mistake obscurity for security. FDroid isn't the size to even be noticed by problems that Play Store and AppStore are dealing with.


F-Droid at least does a quick review to make sure there's nothing malicious in the app before adding it. Since we know Google does something similar and there is still malware on the Play Store one might reasonably conclude that Google doesn't actually care about malware.

Now, it might be a problem of vetting at scale or malware being really subtle, but if that's the case Google should focus on improving their process before locking down Android for "security".


This is exactly why I gave the example of Debian repos.

Which again work on a model of a single entity having all the curation power.

Right, but the Debian Developers don't prevent you from installing (installing, not "sideloading") other programs. If you want to install malware you're free to, but they don't distribute it.

My point is that Google does not want to protect users by restricting "side loading". If they actually wanted that, they would remove all the malware in their store. They are just building higher walls in the walled garden to lock you in.

What does that have to do with Android and iOS?

Free software protects from malware, not walled gardens.

If you don't want Play Store, don't use it?

Google is slowly removing such option "for your safety", and "hackers" on this website really believe them.

You can still install any ROM you want. Not having Play Store has some downsides, but those trade-offs should be familiar to a free software enthusiast.

You can only do this on a tiny number of devices supporting free drivers (and mainline kernel), otherwise you are tied to an ancient Linux kernel. I'm using Librem 5 btw and don't believe that Android, whose development completely depends on Google, is a viable long-term solution.

Ha, if we follow that to its logical conclusion we should ban smartphones.

Ok, but the vast majority of people do need their hand held because they're incompetent, naive, or both. IMO this is a pro-consumer move.

We shouldn't let naive or mentally disabled people dictate how computing should work. That's the same logic behind the age verification shit that's happening worldwide.

If you (not you specifically) are unsure of your abilities to use computers, let a friend or a family member buy a dumbed down device for you or install parental controls or something. Or maybe have clicking the build number 7 times reveal "toddler mode" where you can lock your device down irreversibly as much as you want.


It might be pro consumer if the power were lying in some kind of democratically justified organization, which then decides which apps are allowed and which are not.

This way, consumers are helpless victims of the same megacorporation, which will use its near-absolute power over the mobile ecosystem (shared with one other megacorporation) to profit on the back of consumers.


No. Society should not be holding the hands of adults. It's unnecessary and it's insulting.

If Google actually wanted to protect people from malware, they would not approve Facebook, Instagram, TikTok, …

This is as pro-consumer as cutting off one's nose to cure a cold. Let me say this for the... I don't know how many times, that security, child protection, scam prevention, terrorism, miniaturization, sophistication, etc are all lies peddled by trillion-dollar megacorps to justify their cash grab, and by despotic governments to justify their consolidation of power over citizens. Nobody wants to know why all those problems still occur despite these unpopular measures. Meanwhile, NONE of those draconian restrictions on users' freedom and privacy are technically necessary to achieve any of those ideals. It's a lie that they convince the people by repeating incessantly.

This is 2026, for God's sake! How long has this grift been playing out? At least two decades? What will it take people, much less the tech savvy ones, to learn that all these are designs of greedy and power lusting minds?


It's not just the US, story through the grapevine is that Google is under a lot of pressure from Asian governments over "online scams".

(Allegedly the main actor behind this push is Singapore)


Singapore is not big enough to dictate terms to Google. If Singapore wanted this change and Google didn't, Singapore's most extreme option would be to ban the import of standard Android phones to a market of a few million people.

They're free to make changes to Asian country phones and not let the political pressure of Asian countries impact non-Asian countries.

Poor, poor Google

It's not about malware. It's about Google complying with USA's geopolitical adventures.

Basically, Google needs an answer when men in suits ask them why they have technology that enables users to install sanctioned Iranian banking apps.


Somehow if you replace Google with Apple in the same sentence you'll get cursed to hell. Go figure.

Says who? The fanbois? What makes you think that ordinary people are any happier with Apple's abuses than Google's? This is not a worthwhile justification for what either one of them does.

The rationale behind this move makes no sense either - most of the scams happen via some instruction to install Anydesk or some such remote-support software, not some shady apk downloaded from some third party website.

Seems like a move to get around the Epic Games ruling (and assorted rumbles from countries like India).


Not to mention that the "concession", such that it is, will presumably only work if you sign into a Google account. Presumably, this will require that you have Google Play Services installed.

Of course, many people who want to de-Google their phones won't want to do either. This is an attack on people who want to keep their lives separate from Google.


Do you have to wait a day, or do you have to set your clock forward a day?

Cell phones know what time it really is.

I'm biased, but I don't think less trustworthy is a fair assessment. I think you can suggest that open source software provides a different trust model than closed source and distributed by Play, but to conclude it's less trustworthy is a real stretch.

The vast majority of software on Google Play is absolute spyware-laden slop. There are trustworthy apps, sure, but they are drops in an ocean. F-Droid’s trustworthy-to-ad-ridden-slop ratio is pretty much definitionally lower than Google’s, by virtue of it being actually curated. That everything on it is libre and they are working hard on reproducible builds just makes it all the better.

This is a bunch of opinion though. I'm not saying I disagree, but I do think it's bad faith to state as fact what is opinion. Is Play a "walled garden" or is it not curated? It can't be both depending on what suits the argument. You may disagree with the policies, but suggesting there are no policies in favour of user privacy is just false. You may think they aren't enforced sufficiently, but again this is opinion. The policies are there.

F-Droid has the benefit that it essentially doesn't have to deal with malicious actors. It's very easy to have a high quality library when there are no malicious actors.


It can be both - a walled garden full of malware, that rejects many apps which are not malware.

Sure but it's very obviously not that, so we're back to opinion and bad faith arguments.

Have you just presented your opinion as a fact?

Um, it obviously is that. Have you used it recently?

You can bypass the wait time with adb install at least.

From the article:

> While sadly, it doesn’t look like there will be any ADB command you can send to your phone to make it immediately jump to the end of that 24-hour delay

There's also no evidence that adb-sideloaded app stores will be able to skip PackageInstaller's developer verification enforcement, so no, you will have to wait 24 hours to install F-Droid and actually use it.


> have to wait a day

The horrors!


It seems to me that "no and don't ask again" should be a possible outcome of a vote on proposed legislation.

Without going into full detail on the procedure I'm imagining, such an outcome would bar consideration of equivalent legislation for several years and require a supermajority at several stages of the legislative process to override.


The EU parliament is not a real parliament since it can't choose which laws it has to vote for, and in negotiations ("trilogue") it doesn't hold the pen.

Basically, it can oppose new legislation but can't retract old laws.


> seems to me that "no and don't ask again" should be a possible outcome of a vote on proposed legislation

It can't be. At least not in a legislature. Defining what is the same question is itself a political question. And past legislatures being able to bind future ones is just a futurecasting veto. A single crap election could poison the pool on a raft of issues for generations.

The proper way to do this is through constitutional amendments. The fact that these are too difficult to do, currently, seems to be the bug.


Ah, but if they were easier to do, would they be as effective at stopping "bad" legislation?

What you propose is totalitarian and not democratic.

Ironically, just like many software users, the EU Parliament is not given the option to say "no", only "ask me later".

Anyone who’s ever been unable to dismiss a nag and forced to defer via "Ask me later" knows the feeling of powerlessness and disenfranchisement deliberately planted by those making UX decisions... or the EU constitutional framework.


> I don’t know where this fascination with getting everyone to download your app comes from.

I do. I once read that app users are seven times more profitable than web users on average.

That number isn't current, and I don't know if it was ever broadly correct, but it's obvious that an installed app provides more opportunities to try to get the user to do something profitable, and it's harder to block ads in native apps. I would be surprised if convincing a user to install a native app doesn't reliably increase profits by a large amount for most kinds of business.


As I understand it, that would not bypass Google's requirement that the developer of each app be verified by Google.

What do scams have to do with having developer options enabled?

This isn't a rhetorical question. There's no big red warning on the developer options screen saying it's dangerous. I haven't heard about real-world attacks leveraging developer settings. I suppose granting USB debug to an infected PC is dangerous, but if you're in that situation, you're already pwned.

Is there a real vulnerability nobody talks about?


Android is attempting to discourage good / regular users from sideloading apps, rooting their phone, etc.

Android wants good / regular users to pass things like Play Integrity with the strongest verdicts.

This helps app distributors to separate regular good users from custom clients, API scripting, etc. that are often used to coordinate scamming, create bots, etc. If an app developer can just toss anyone who doesn't pass Play Integrity checks in the trash, they can increase friction for malicious developers.


Play Integrity and developer options are entirely separate as far as I know.

I don't think Google should be changing Android this way at all, and fear that it will later be used for evil. That said, I thought of an improvement:

Allow a toggle with no waiting period during initial device setup. The user is almost certainly not being guided by a scammer when they're first setting up their device, so this addresses the concern Google claims is driving the verification requirement. I'll be pretty angry if I have to wait a day to install F-Droid and finish setting up a new phone.

Evil, for the record, would mean blocking developers of things that do not act against the user's wishes, but might offend governments or interfere with Google's business model, like the article's example of an alternative YouTube client that bypasses Google’s ads. YouTube is within its rights to try to block such clients, but preventing my device from installing them when that's what I want to do is itself a malicious act.


> Allow a toggle with no waiting period during initial device setup

I like this idea in principle but I think it could become a workaround that the same malicious entities would be willing to exploit, by just coercing their victims to "reset" their phones to access that toggle.


That wipes all the data on the device and requires logging back in to accounts. It seems to me that's high enough friction to resist most coercion.

Isn't app data, photos etc. usually synced with the Google account? Besides, Google claims that the scammers are using social engineering to create a feeling of panic and urgency, so I think the victim would be willing to reset and log in to the accounts again in such a frame of mind.

Some is, some is optional, some isn't.

I'm sure there's a hypothetical scenario where someone successfully runs a scam that way, but there's also a hypothetical scenario where a 24 hour wait doesn't succeed at interrupting the scam.


The perfect is the enemy of the good.

Which applies just the same to the hypothetical option during initial device setup.

I don't think it does because of the workaround I mentioned upthread.

The victim also can't be on the phone with the scammer using that device during the setup process. We're talking about a very high-friction scenario.

None of this is stopping a malicious entity. We keep trying to use tech (poorly thought out tech at that) to solve issues of social engineering. And no one is asking for a solution, either; it's being jammed in for control.

Such a silly statement. Of course tech can solve social engineering problems, we do so every day starting from UX design. This is a good solution to killing urgency.

UX is made for humans. Humans can learn to exploit UX. This is as useless a battle as fighting piracy: you will destroy your product before you solve the problem.

Social engineering is destroyed with education, not with restriction and control.

Trading freedom for safety eliminates both.


That's an interesting idea wrt enabling the advanced flow during initial device setup! I'll pass it along.

I'm not convinced the author cares very much about this. He bought an iPhone. Based on his other blog posts, he knew what he was buying and what the alternatives are.

An Android phone, even with a stock OS, would get him more of the capabilities one would expect from a desktop PC, but he chose an iPhone. Some Android phones let the user unlock the bootloader easily and gain root, but he chose an iPhone. With an unlocked bootloader and a well-supported device, it's possible to install a third-party Android distribution with even more freedom, but he chose an iPhone.

Maybe he likes the iOS UX or app selection better, but if that's the deciding factor then I don't think using the phone as a Real Computer (tm) is really all that important to him.


But you know it's important because of the italics.

As long as it's understood as an opinion piece it's tolerable despite – as you note – the “revealed preference”.

## Appliance Computing:

Take "consoles" for instance. I got tired of building gaming PCs, and after another long day of making computers work, enjoy turning on an Xbox Series X and just doing what the box is there for, much as I appreciate the glass slab in my pocket just doing what it is there for, every single time, without fail, for nearly 2 decades now.

I enjoy a TRMNL (https://trmnl.com/) or Arduino as much as the next person, but don't need my PDA-phone to be a general purpose computing device.

## Mobile Computing:

On the contrary, for both business office work and content creation, and leisure travel logistics and media creation, an iPad Pro with keyboard and trackpad would generally be preferable to a MacBook Pro or Air or Neo if people spent the couple weeks necessary to get used to the different computing paradigm.

Once that sinks in, you may find carrying an iPhone, folding bluetooth keyboard with multi-touch pad, and a Switch 2 USB-C + PowerDelivery + HDMI cable means you can field work on any 4K hotel TV or AirBnB monitor:

Like this: https://cabletimetech.com/products/4k60hz-usb-c-to-hdmi-cabl...

With this: https://www.amazon.com/KUNSI-Foldable-Bluetooth-Rechargeable...

But that's better suited for media. iPad Pro + 5G chip + keyboard w/ trackpad is your dual monitor work bet w/ this same cable.

Btw, the point of this particular cable is that power is probably near the TV where the HDMI end goes, with the USB-C where you and your phone or iPad are.


No they wouldn't. We don't have to speculate about that; Android already has a toggle to allow direct installation of apps, and most people don't turn it on.

Many Android devices allow unlocking the bootloader and gaining root or installing an alternate OS without exploits, and there are quite a few third-party Android builds for supported devices. The process is not beyond what a person of average intelligence and modest computer skills could pull off with some patience and a video guide. Only a handful of tech nerds actually do it.


Perhaps we're making different assumptions, but a process that "is not beyond what a person of average intelligence and modest computer skills could pull off with some patience and a video guide" sounds quite a bit more complex than a mere Unlock option in iPhone settings. Also, the results are different too. The process you've described results in an Android desktop, whereas the proposed iPhone unlock process would result in a full macOS desktop, which sounds (to me at least) much more desirable to have.

I stand by my speculation that if it were possible to do that on an iPhone, it'd definitely be something loads of people would do, including a large amount of people who shouldn't open their device that way but do just because they watched someone on social media telling them to.

