Android Developer Verification Starts As Google Partially Retreats On Measures

In a recent blog post, Google stated that the early access phase of its Android Developer Verification program has commenced, as previously announced. In addition, Google claims to be taking note of the feedback it has been receiving, in particular pertaining to non-commercial developers for whom these new measures are incredibly inconvenient. Yet most notable is the ‘empowering experienced users’ section, where Google admits that for developers and ‘power users’ the intensive handholding isn’t required, and says it will develop an ‘advanced flow’ where unverified apps can still be installed without jumping through (adb) hoops.

What this new option will look like, and how it’ll differ from the current warning pop-up when installing an APK from outside the Play Store, remains to be seen. Either way, it highlights the impossible balance that Google is trying to strike between a simultaneously open ecosystem and a high-security one. A problem with a central software repository is that while it does provide a lot of convenience for end users, ensuring that all software in it is vetted and safe is a tough one.

In the case of something like the Debian or FreeBSD software repositories, these are quite locked down, with no random developer getting their software in without some serious work, whereas the very open NPM and Python repositories are practically overrun with malware. Here Google has to choose and pick its battles, with the scenario of scammers making a victim download a fake ‘verification app’ clearly being front and center on their mind. The problem here, of course, is that this is trying to fix a social engineering issue with technology, which only gets you so far and risks immense damage in the process.

For developer types, Google still only distinguishes between commercial developers and students/hobbyists, with the latter developing for a ‘small group’, making one wonder how OSS projects with potentially very large userbases will be treated. Will they have to go through the whole ‘submit government ID scan’ process and the publishing of personal contact information on the app details page, same as for a commercial app?

Either way, it seems like good progress at least that the option of distributing APKs via alternate app stores as well as places like GitHub will be preserved. Telling users to just mash the ‘Ok’ button a few times on scary dialogs is significantly more straightforward than instructing them on how to push your app onto their Android device via adb would be. In fact, most users probably won’t need any special encouragement to do so.

14 thoughts on “Android Developer Verification Starts As Google Partially Retreats On Measures”

  1. I told you so.

    And anyways they’ve been verifying developers for years.

    One development since this news broke is I received an email to my verified developer address from an interactive presumed human who wanted to give me $300 for my verified account.

  2. “Here Google has to choose and pick its battles, with the scenario of scammers making a victim download a fake ‘verification app’ clearly being front and center on their mind.”

    Has there actually been a large number of Android users tricked into side-loading malware? I haven’t heard of it myself but maybe I just don’t know about it. If there hasn’t then I think the author is being way too generous towards Google here.

    1. hahaha i understand “citation needed” kind of comments but “malware is a concern on consumer-oriented OSes” doesn’t seem like one of those moments where i can muster an iota of doubt

    2. “Has there actually been a large number of Android users tricked into side-loading malware?”

      Yes. There has been.

      Google’s solution (at least the original version) is highly invasive, highly against people’s rights to own their devices, a great avenue for censorship, and doesn’t even solve that problem very well. But one can’t deny that there is a problem.

  3. “In the case of something like the Debian or FreeBSD software repositories,…”

    Uh Uh! You don’t get to go there!

    Since when did Debian or FreeBSD do anything to make it hard to install stuff from outside of their repositories? This is not a fair comparison in any way. No one is saying that Google needs to open up their own Play Store to allow anonymous submissions!

  4. “Either way, it highlights the impossible balance that Google is trying to strike between a simultaneously open ecosystem and a high-security one”

    Well, first there’s absolutely no proof that you can’t have both. I think of Linux here, where it’s both and works quite well without the drama. Then, I haven’t seen Google proving that adding more control on the ecosystem will actually improve its security. I highly doubt it’s the case anyway, since even the almighty Google can’t decompile, understand and analyze all the software that’s submitted to the store so there is absolutely no causal link between controlling the developers and improving the security of the system. You know the developer, but what? Will you ban Mozilla because it submits a web browser where a third party can write a webpage where the Granny will get scammed? It doesn’t make any sense.

    It’s another example of a case where Google is asking you to drop a liberty (running the software you want on your device) for the illusion of some security. We all know it never works. Why are they trying again to do that? Why don’t they learn from the past?

  5. I think the “problem” that Google wants to “solve” is that people keep improving their apps or installing alternatives, which results in them earning less money. Trying to block options is in their best interest.

    Take YouTube for example. I can either fix the app by running it through another piece of software, that patches YouTube and makes it usable, or I can install an alternative. Google hates both options. They don’t even list the big alternative to YouTube in their own app stores and you can only find it on there if you search online for it. You then find a link back to the app store and you can download it, but if you type the name in the app store, you won’t find it because it’s not listed.

    They never care about their customers. ‘Don’t be evil’ was a long long time ago and got replaced by ‘Be evil’.

    1. Care to elaborate? I have no problem paying for YouTube to stop the ads, but it drains my phone something fierce and I suspect it’s using new codecs my phone with a Snapdragon 865+ doesn’t support.

      Also if I make a play next list it invariably loses the whole thing and what I was watching either is not in my history or it shows I watched the whole thing, but not what else was in the list.

      So tell me this alternative please.

  6. “A problem with a central software repository is that while it does provide a lot of convenience for end users, ensuring that all software in it is vetted and safe is a tough one.”

    And demanding that all software is vetted and safe with limited resources to do so, or limited will/ability to pay for said resources, means that not all software gets added to the repository, which inconveniences the end users. Practically speaking, a central software repository can never have all the software.

    That’s one reason why Windows is so popular in personal computers. “Sideloading” is the default, and requires no special steps. There’s no third party, no repository or gatekeeping process, between you and whatever software you want to install.
