The Browser Wasn’t Enough, Google Wants To Control All Your Software

A few days ago we brought you word that Google was looking to crack down on “sideloaded” Android applications. That is, software packages installed from outside of the mobile operating system’s official repository. Unsurprisingly, a number of readers were outraged at the proposed changes. Android’s open nature, at least in comparison to other mobile operating systems, is what attracted many users to it in the first place. Seeing the platform slowly move towards its own walled garden approach is concerning, especially as it leaves the fate of popular services such as the F-Droid free and open source software (FOSS) repository in question.

But for those who’ve been keeping an eye out for such things, this latest move by Google to throw their weight around isn’t exactly unexpected. They had the goodwill of the community when they decided to develop an open source browser engine to keep the likes of Microsoft from taking over the Internet and dictating the rules, but now Google has arguably become exactly what they once set out to destroy.

Today they essentially control the Internet, at least as the average person sees it, they control 72% of the mobile phone OS market, and now they want to firm up their already outsized control over which apps get installed on your phone. The only question is whether or not we let them get away with it.

Must be This High to Ride

First, “sideloading”. The way you’re supposed to install apps on your Android device is through the Google Play store, and maybe your phone manufacturer’s equivalent. All other sources are, by default, untrusted. What used to be refreshing about the Android ecosystem, at least in comparison, was how easy it was to sideload an application that didn’t come directly from, and profit, Big G. That is what’s changing.

Of course, the apologists will be quick to point out that Google isn’t taking away the ability to sideload applications on Android. At least, not on paper. What they’re actually doing is making it so sideloaded applications need to be from a verified developer. According to their blog post on the subject, they have no interest in the actual content of the apps in question, they just want to confirm a malicious actor didn’t develop it.

The blog post attempts to make a somewhat ill-conceived comparison between verifying developer identities and having your ID checked at the airport. They go on to say that they’re only interested in verifying each “passenger” is who they say they are for security purposes, and won’t be checking their “bags” to make sure there’s nothing troubling within. But in making this analogy Google surely realizes — though perhaps they hope the audience doesn’t pick up on it — the fact that the people checking ID at the airport happen to wear the same uniforms as the ones who x-ray your bags and run you through the metal detector. The implication being that they believe checking the contents of each sideloaded package is within their authority; they have simply decided not to exercise that right. For now.

Conceptually, this initiative is not unlike another program Google announced this summer: OSS Rebuild. Citing the growing risk of supply chain attacks, where malicious code sneaks into a system thanks to the relatively lax security of online library repositories, the search giant offers a solution. They propose setting up a system by which they not only verify the authors of these open source libraries, but scan them to make sure the versions being installed match the published source code. In this way, you can tell that not only are you installing the authentic library, but that no rogue code has been added to your specific copy.

Google the Gatekeeper

Much like verifying the developer of sideloaded applications, OSS Rebuild might seem like something that would benefit users at first glance. Indeed, there’s a case to be made that both programs will likely identify some low-hanging digital fruit before it has the chance to cause problems. An event that you can be sure Google will publicize for all it’s worth.

But in both cases, the real concern is that of authority. If Google gets to decide who a verified developer is for Android, then they ultimately have the power to block whatever packages they don’t like. To go back to their own airport security comparison, it would be like if the people doing the ID checks weren’t an independent security force, but instead representatives of a rival airline. Sure they would do their duty most of the time, but could they be trusted to do the right thing when it might be in their financial interests not to? Will Google be able to avoid the temptation to say that the developers of alternative software repositories are persona non grata?

Even more concerning, who do you appeal to if Google has decided they don’t want you in their ecosystem? We’ve seen how they treat YouTube users that have earned their ire for some reason or another. Can developers expect the same treatment should they make some operational faux pas?

Let us further imagine that verification through OSS Rebuild becomes a necessary “Seal of Approval” to be taken seriously in the open source world — at least in the eyes of the bean counters and decision makers. Given Google’s clout, it’s not hard to picture such an eventuality. All Google would have to do to keep a particular service or library down is elect not to include them in the verification process.

Life Finds a Way

If we’ve learned anything about Google over the years, it’s that they can be exceptionally mercurial. They’re quick to drop a project and change course if it seems like it isn’t taking them where they want to go. Even projects that at one time seemed like they were going to be a pivotal part of the company’s future — such as Google+ — can be kicked to the curb unceremoniously if the math doesn’t look right to them. Indeed, the graveyard of failed Google initiatives has far more headstones than the company’s current roster of offerings.

Which is to say that there’s every possibility that user reaction to this news might be enough to get Google to take a different tack. Verified sideloading isn’t slated to go live until 2027 for most of the world, although some territories will get it earlier, and a lot can happen between now and then.

Even if Google goes through with it, they’ve already offered something of an olive branch. The blog post mentions that they intend to develop a carve out in the system that will allow students and hobbyists to install their own self-developed applications. Depending on what that looks like, this whole debate could be moot, at least for folks like us.

In either event, the path would seem clear. If we want to make sure there’s choice when it comes to Android software, the community needs to make noise about the issue and keep the pressure on. Google’s big, but we’re bigger.

9 thoughts on “The Browser Wasn’t Enough, Google Wants To Control All Your Software”

  1. I prefer to be able to side load apps. I have a few old games I like to play, they are no longer on the store but still work on my phone. I had to side load those when I got the new one a year ago. Snowflake Sudoku (1-6 in a single hexagon of 6 triangles, multiple hexagons and partial hexagons to form snowflake like shape) aren’t common and only an obsolete version exists, not on any store.

  2. To be fair we should probably just invent a Sandbox app that can run any app virtualized.

    This would have side benefits that we can run regular apps in an environment where they don’t have full access to our phone. It is pretty common for me to have an app requesting stupid permissions and refusing to work full stop even though I was not planning to use any of the features that require those permissions.

  3. The problem is app developers with an attitude towards personal privacy and agency that’s pretty much like Google itself ARE the ones causing all the problems.

    If Google was serious and sincere about it and not just trying to gain more control over end-users devices, they’d both clamp down hard on malicious app devs and also provide more effective and fine-grained permissions control to the end-users.

    But as always, a good chunk of those app developers also uses Google’s ad slinging and user tracking systems, so doing anything against that also harms Google’s bottom line.

    And with Google being your stereotypical profits-at-almost-any-costs company, yeah, that’s not happening.

  4. I’ve endured Google’s BS for too much time now, maybe it’s time to switch OS, they keep annoying me.
    And I don’t even sideload apps, but I want to have the option in case I want to.

  5. Sorry I have a few questions I’m not too familiar with android-google relationship. I open android studio maybe twice a year to write some simple utility app for personal use, so I don’t follow these developments.

    Are they saying that I won’t be able to install an application via an apk file that I have? Or are they saying an android dev won’t be allowed to put their app on the play store without their permission?

  6. We’ve had nanny state and now we have nanny corporations.
    If you want to be protected to this degree go play in the Apple sandpit with rubber knives and forks.

    You have to explicitly confirm what you are doing before side loading an APK.
    Why does saving stupid people from their own moronic stupidity mean that I cannot have nice things ??

    We have a population problem. FFS let Darwin take care of it.
