Last week, we were talking about how glad we are to be the type who by-and-large understands technology, and how it’s becoming more and more difficult to simply get along otherwise. We thought we had a good handle on the topic.
Then, we were talking about Google’s plans to require an ID for Android developers, and whether or not this will shut down free and open software development on the Android platform. Would this be the end of the ability to run whatever software that you’d like on your phone? Google offered the figleaf that “sideloading” – installing software through methods other than Google’s official store, would still be be allowed. But there’s a catch – you have to use Android Debug Bridge (ADB).
Is that a relief? It surely means that I will be able to install anything I want: I use ADB all the time, because it’s one of the fastest and easiest ways to transfer files and update software on the device. But how many non-techies do you know who use ADB? We’d guess that requiring this step shuts out 99.9% of Android users. If you make software hard to install for the masses, even if you make it possible for the geeks, you’re effectively killing it.
I have long wondered why end-to-end encrypted e-mail isn’t the default. After all, getting a GPG signing key, distributing it to your friends, and then reading mail with supporting software shouldn’t be a big deal, right? If GPG signing were available by default in Outlook or GMail, everyone would sign their e-mail. But there is no dead-simple, non-techie friendly way to do so, and so nobody does it.
Requiring ADB to load Android software is going to have the same effect, and it’s poised to severely restrict the amount of good, open software we have on the platform unless we can figure out a way to make installing that software easy enough that even the naive users can do it.
The people who use F-droid are the same people who can use ADB. I don’t think it will affect “the masses” in any noticeable way – one of my mates who is “sort of” tech savvy didn’t even know how to unlock dev mode on his phone to be able to install F-droid (which he’d never heard of).
Exactly. Not sure what the point of this article is. Masses != developers. Developers == can use adb
This is wildly untrue, F-Droid is way more easier to use than to ADB, it’s untethered, and lets the app and the OS handle everything for you. It’s just an alternative app store with FOSS software. F-Droid users are more likely to know how to use ADB or to be predisposed to learn how to use it since they’re very likely power users, but they don’t necessarily have to know how to use it
Exactly – you can download F-Droid through the phone’s web-browser and install it after allowing “unsafe”(or something) apps to be installed.
After that I think you can remove that global permission and grant it to F-Droid specifically.
(not entirely sure)
Why should someone have to plug their phone into another device just to install/update an app? This is a completely artificial restriction, with only anti-consumer “upsides”. Just because someone knows how to use ADB doesn’t mean that they should have to do so just to have normal functionality.
I don’t need to plug a cable into a serial port (assuming that there is one) on my PC motherboard just to install software that isn’t signed by some third party. I can do that, I have UART-USB adapters, but it’d be an extra hassle of a step that isn’t needed.
Isn’t Android open source? How come Google can dictate such things?
Looks like Android is just another walled garden. Or has it always been?
I believe there is a stock vanilla android. But bootstrapping the hardware is so complex we have android versions per each device.
Google mobile services apps are proprietary, if you want them in your system, then you do as Google says. Google also does most of the development and they dictate what goes into the official releases. You can fork it, but then you need to take care of the fork.
You know, things like that.
The Android change will limit the available software, but not because “the masses” aren’t able to figure out how to install things. Users of free and open source software are almost exclusively free riders who do not contribute to its creation. The problem is that it will make it substantially more annoying and inconvenient for everybody, including software developers, to install what they want on their phones.
Additionally, the change signals that Android has become hostile territory. Writing software for a hostile environment is also known as reverse engineering, which requires additional time and different skills compared to unimpeded creative coding.
We’re doing dead simple email encryption. Unfortunately, we don’t have the money to publicly support anymore. We’re working on a solution for this. Until then, we can only offer to paying customers, unfortunately. The software is 100 % free software, though. The sources are publicly available.
Volker Birk
p≡p project
So someone will code, probably vibe-code, a graphical wrapper for ADB with some setup smarts in it? So “the masses” get a easy to use tool to “sideload” stuff.
But here’s the thing I don’t see mentioned, and by all means I don’t want to discourage the Google-bashing because they’ve earned it for a lot of things (imho), but reducing the possibility to install any old APK with maybe malicious code inside that you get from a shady place (cracked games or softwares, that sort of stuff kids do?) seems like a good move. People that are able to use ADB may be better estimating risks of unmoderated software packages, whereas the typical not-informed user might not be able to see a risk.
Like with a lot of things, this could be seen two or even more ways – a grey area, as you may call it.
I agree. There’ll be a PC-based store that automatically installs over ADB in no time.
How is this different from downloading a random exe from the Internet on a Windows PC and installing it? Sure MS will yell at you if it’s not signed by a known publisher, but you can still do it. What if the windows store was the only way to add ‘apps’ to a PC OS? I don’t see why people aren’t making more of a stink about this, given that in 2025 smartphones are many peoples’ main/only computing device.
Nah this is just rent seeking from the Big G – pay for your developer licence so your stuff is signed and can actually be used by the general population. Which for good measure brings you most of the way in hoop jumping to just listing it on the play store so they can take their cut of all your sales…
It doesn’t do anything to protect from malicious packages, and I’d bet Google doesn’t actually care at all as there have been so many junk apk on the store they should have noticed relatively easily and purged, but don’t. If anything Google probably like this change even more as the occasional developer having gone to far that does get ritually cut off to great fanfare of how much safer it makes their users will simply have to pay them their fee again for a new developer account. Which they won’t much care about as that developer of malware won’t care at that tiny fee to be able to exploit the huge market of users…
Devils advocate here. Malicious apps are a huge problem for Android. Sideloading random apk you find on the net has had detrimental outcomes. I browse archive.org APK archive, but I stopped bc I have no assurances of the safety of sideloading. Nefarious use is the dominant use case here, people attempting to steal games outnumber developers building apps.
And the playstore is in your opinion actually safe and free from bad actors?!?!?!?!
so all you need is and ID? what’s the problem?
A little money and sending your government ID to Google.
So, how long till they lock the apps that are installed via adb into some sandbox with limited access to the rest of the phone? Similarly like they neutered addons in chome with manifest v3. You know, because of security .
I find this really concerning. Considering chat control that is once again a real threat in the EU und probably soon enough in the US and worldwide, being able to run our own software is becoming more and more important. Also what’s the use of being able to have your own software if you’re alone with it…
I’m not one to say “wake up people” light-heartedly, but this might well be a pretty large step towards serious restrictions in how you can privately communicate on the internet.
I get that malware is a problem on android. But this even holds for play store apps. It’s not like having to present a (fake) ID is going to stop hostile people from doing evil. It’s only going to stop “the good guys*”. It’s nothing but incapacitating and even insulting.
Chat control is quite simply a (sad) joke. Proposed by a Swedish Social Democrat (take note – the Social Democrats have a long standing tradition of saying things at one point in time, then flat out denying they said it later on, hoping nobody notices), who as mentioned in the parenthesis later on denied being behind it or even supporting it!?!
They say they expect to be able to implement it by monitoring encrypted comms and ‘sensing’ bad content, without actually looking at the content aka looking at a fibre and seeing what’s flowing over it. To the masses this likely sounds reasonable – to those with the slightest knowledge you know they can only do this by inspecting ALL your pre-encrypted traffic, but obviously if they say that the proposal would be almost dead in the water.
There are alternative versions of Android, but Google keeps finding ways to make those less viable, like breaking RCS and disallowing Wallet and encouraging more people to use Play Integrity. I think eventually Google is gonna overplay their hand and enough people are going to opt out of Android proper that these services are simply not going to be used by enough people that everyone has to reject them or offer viable alternatives.
Your premise is technically correct, but requires multiple reading to actually understand it, which is bad because it initially SOUNDS like you are making the opposite statement.
You (paraphrased for clarity): it is getting more and more difficult to get by without having a good understanding of technology.
That is true, and GOOD.
Tech has become far too easy in the last few decades. This leads to LESS technical expertise.
Anyone can go to Wikipedia and FEEL like they know something. This is a problem, because now they don’t listen to actual experts.
Anyone can spend $dinner to buy a dev board, fiddle with it, and ‘understand’ electronics.
The problem is, commitment and repetition are IMPORTANT parts of understanding.
Tech knowledge today is mostly casual. And I don’t mean most people have it. I mean the bar for entry is now SO LOW that you can comfortably stop learning/doing without feeling like you have wasted any sunk costs.
Making things easier is FANTASTIC for people who were already going to put that effort and commitment into it. We can learn/do twice as much.
But for people who never were going to commit, they know less than ever.
The Apple-ification/Android-ification of computing has been such an awful thing for tech knowledge. Things are now so easy, and users have been trained to rely on the system suggesting(or steering you to) what it thinks you want, that users have no clue how to even use a computer anymore. Tech knowledge for highschool graduates is lower than it has been in the last 25 years.
I certainly don’t want my permissions revoked, since I’m more than willing to put in the due diligence, and I understand the risks. But at the same time, ‘normies’ genuinely ARE children who need to be told not to pick things up off the street and put them in their mouth. If we need to make it harder for morons to ignore safeguards so they stop constantly getting malware, then so be it. They need to be treated like children.
Imagine if 90% of drivers didn’t know they should go to a mechanic if their check engine light was on, and all kept driving until their engines blew up.
“My new laptop is slow and weird after only 3 months. Fix it?”
Fixing the laptop is faster than fixing the person, but doesn’t actually fix the problem…
Re – GPG e2e encrypted mail:
To me the main reason is that there’s no official requirement anywhere.
How many countries have ID with electronic functionality that could (have been designend to) be used to sign stuff.
Imagine that – a lot less fraud per mail because every company sending you a bill must sign it with their public key (which in turn may have been signed by some kind of state key).
Of course one would still be able to use/sign “unofficial” keys but if the option to use your ID card to GPG sign something with your name existed.
If banks, financial or really any companies were required by law to only send you signed eMails and the customer must be able to verify it…. (initially the company could just add their public key to paper mail they send to you anyway (QR-code)).
Really a frustrating sequence of commentary from Hackaday, and from some of the users as well. More than half of what I’ve read on this subject has been baselessly alarmist. TBH, it mirrors a lot of political discourse. People are obsessed with the principle of the thing but very few are considering who and what with enough specificity to say anything correct.
You consider a specific user and app and suddenly it doesn’t look like a big deal. For example, many of the apps on F-droid are already signed by verified google developers. This doesn’t kill F-droid, it’s just another in a long long line of nuissances they’ll have to deal with. An app developer that is trying to reach for the masses will jump through Google’s hoops. A member of the masses who is trying to install an app is probably going to benefit from being prevented from installing malware.
The app developer who is harmed by this is someone who wants to make an app for the masses but doesn’t want to use the play store. That venn diagram is two disjoint circles.
The end user who is harmed by this is someone who wants to hack his phone but can’t follow simple directions to install adb. The venn diagram here has a huge overlap — lots of people want to fall for scams! I don’t think we need to enable their mistake.
The particularly frustrating thing here is that there is a fire, but y’all are freaking out about something that’s not even smoke.
I’ve been sshing into my phone to install my own apps for about a decade now and it’s never worked well. Google keeps changing the Intent you have to create to accomplish this, and they keep changing the UI to accept the Intent, and it has worked well for a couple disjoint 6 month long eras, punctuated by pointless churn. The ssh server i use (and wrote) has been deleted from the play store because google decided to ban all apps that use file management permissions but aren’t file managers (and they aren’t willing to consider that people are using ssh to manage files). That’s about 30,000 active users left out in the cold by Google. As a developer, they not only break the API every year, but they also break the compatibility layers! Entirely new compatibility methodologies every couple years. They keep breaking the build system! The online documentation is a javascript nightmare that, with stock Chrome, brings my 8-core 32GB RAM computer to its knees! Instead of making a reasonable permission system for things like background execution, they keep making one system that is overly permissive, and then a year later throwing it away and replacing it with another system that is overly permissive. And none of these systems have ever worked because every single vendor responds to “my new phone’s battery only lasts 6 hours” reviews by sabotaging Google’s overly-permissive system.
Like, a core function of my phone is a bespoke app that synchronizes my notes across all my platforms. 5 minutes after i stop using it, i want it to phone home in the background. But it has never worked! I keep adopting the Google API du jour. I keep jumping through the hoops — now it’s a background service, now it’s a broadcastreceiver, now it’s a JobScheduler. It doesn’t matter, every single one of them has been only about 80% successful. Sometimes, the job is scheduled and it simply doesn’t run. And every one of them has been broken by google changing its mind.
And just as a regular end user, core apps are a poop-hitting-fan experience. Messages, Clock, and now Gboard keep getting broken. Pointless frustrating churn, but also overt bugs! These are core to the Android experience and Google just doesn’t care! I keep getting pop-up spam from Google, and i can’t block it. Every time i block a category of notification, they invent a new category to get around it. Clock has a splash screen it shows while you wait for it to load!!! YOU WAIT FOR CLOCK TO LOAD!!!
There’s a real problem, Google is the new Microsoft. This app signing requirement isn’t even a footnote to that problem.
Mostly agreed, however this is one of the most overt and obvious bad actions, and one you can actually explain to the less technically minded in a way they will understand it. Big G acting in bad faith with excessive control and money grubbing methods isn’t new, but events that make it obvious to a wider audience are relative rare. For instance I didn’t know about your file management permission problem at all, that particular annoyance is a new one to me, as it has never affected me personally (probably because my few devices are rarely used and actually stuck on very old manufacturer kernels with a postmarketOS rebadge – been needing to get something that isn’t 10+ years old for a while really, but as I rarely actually need a mobile and the ecosystem has been going to hell…).