Android Developer Verification Starts As Google Partially Retreats On Measures

In a recent blog post, Google stated that the early access phase of its Android Developer Verification program has commenced, as previously announced. In addition to this new announcement, Google also claims to be taking note of the feedback it has been receiving, in particular pertaining to non-commercial developers for whom these new measures are incredibly inconvenient. Yet most notable is the ‘empowering experienced users’ section, where Google admits that for developers and ‘power users’ the intensive handholding isn’t required, and that it’ll develop an ‘advanced flow’ where unverified apps can still be installed without jumping through (adb) hoops.

What this new option will look like, and how it’ll differ from the current warning pop-up when installing an APK not via the Play Store, remains to be seen. Either way, it highlights the impossible balance that Google is trying to strike between a simultaneously open ecosystem and a high-security one. A problem with a central software repository is that while it does provide a lot of convenience for end users, ensuring that all software in it is vetted and safe is tough.

In the case of something like the Debian or FreeBSD software repositories, these are quite locked down, with no random developer getting their software in without some serious work, whereas the very open NPM and Python repositories are practically overrun with malware. Here Google has to choose and pick its battles, with the scenario of scammers making a victim download a fake ‘verification app’ clearly being front and center on their mind. The problem here, of course, is that this is trying to fix a social engineering issue with technology, which only gets you so far and risks immense damage in the process.

For developer types, Google still only distinguishes between commercial developers and students/hobbyists, with the latter developing for a ‘small group’, making one wonder how OSS software with potentially very large userbases will be treated. Will they have to go through the whole ‘submit government ID scan’ and publishing of personal contact information on the app details page, same as for a commercial app?

Either way, it seems like good progress at least that the option of distributing APKs via alternate app stores as well as places like GitHub will be preserved. Telling users to just mash the ‘Ok’ button a few times on scary dialogs is significantly more straightforward than instructing them on how to push your app onto their Android device via adb would be. In fact, most users probably won’t need any special encouragement to do so.

8 thoughts on “Android Developer Verification Starts As Google Partially Retreats On Measures”

  1. I told you so.

    And anyways they’ve been verifying developers for years.

    One development since this news broke is I received an email to my verified developer address from an interactive presumed human who wanted to give me $300 for my verified account.

  2. “Here Google has to choose and pick its battles, with the scenario of scammers making a victim download a fake ‘verification app’ clearly being front and center on their mind.”

    Has there actually been a large number of Android users tricked into side-loading malware? I haven’t heard of it myself but maybe I just don’t know about it. If there hasn’t then I think the author is being way too generous towards Google here.

    1. hahaha i understand “citation needed” kind of comments but “malware is a concern on consumer-oriented OSes” doesn’t seem like one of those moments where i can muster an iota of doubt

    2. “Has there actually been a large number of Android users tricked into side-loading malware?”

      Yes. There has been.

      Google’s solution (at least the original version) is highly invasive, highly against people’s rights to own their devices, a great avenue for censorship, and doesn’t even solve that problem very well. But one can’t deny that there is a problem.

  3. “In the case of something like the Debian or FreeBSD software repositories,…”

    Uh Uh! You don’t get to go there!

    Since when did Debian or FreeBSD do anything to make it hard to install stuff from outside of their repositories? This is not a fair comparison in any way. No one is saying that Google needs to open up their own Play Store to allow anonymous submissions!
