It’s no secret that Google really doesn’t like people installing Android applications from any source other than the Play Store. Last year they proposed locking everyone into their official software repository by requiring all apps to be signed by verified developers, whose identity would be checked against a Google-maintained list. After a lot of pushback, a so-called ‘advanced flow’ for installing even unsigned APKs was to be implemented, and we now know how this process is supposed to work.
Instead of the old ‘allow installing from unknown sources’ toggle, you are now going to have to dig deep into the Developer Options, tap the Allow Unverified Packages setting, and confirm that nobody is forcing you to do this. This starts a ‘security delay’ of twenty-four hours after you restart the device, following which you can finally enable the setting either temporarily or permanently. It would seem these measures are in place to make it more difficult for a scammer to coerce a user into installing a malicious app — whether that’s a realistic concern, we’re not sure.
When we last covered this issue this ‘advanced flow’ had just been introduced as an appeasement option. In addition to this a limited free developer account was also pitched, which now turns out to allow for up to only 20 device installations. If you want more than this, you have to pay the $25 fee and provide your government ID.
Although Google’s public pitch is still that this is ‘for user security’, it will also mean that third-party app stores are swept up in these changes, with developers who publish on these stores subject to the same verification rules. This means that Android users will have to learn quickly how to enable this new option as it will be rolled out to more countries over the coming months.
The reality is that scammers will simply work around this issue by buying up already verified developer accounts. At the same time, it’ll cripple third-party app stores and indie developers who had intended to distribute their Android app by simply providing an APK download.

Here’s a better proposal: don’t provide what 20 years ago would be considered almost a supercomputer to illiterate people with IQ of a fruit fly. Scammers exist only because there are suckers who fall for their tactics.
It’s like I side load apps all the time
Never had a problem
That’s only a desktop and laptop pc problem
Never got malware or viruses on my phone
Never needed antivirus on my phone
It’s like Google made up a problem, and is trying to fix something that wasn’t broken to begin with
Sometimes I want to side load an apk, because I want an older version that didn’t display ads and shit
Or some bugs in new version
Or software simply not available on PlayStore
Can the “Allow Unverified Packages” procedure be started anytime by anyone or only by a young unicorn during the second full moon after the Autumn equinox? Thank you.
We regret that we are unable to answer your question unless you sign in to verify your identity. As part of the verification, you will be required to quantify “young”. You must also agree to our Terms of Service, which are updated daily and twice on Sundays.
Thank you for your attention to this matter.
No, only if witnessing a herd of wild elephants, on the 4th of July, during a hailstorm.
Quite a few of the streaming radio apps on the Play store are predatory, ongoing subscription fees to access open source, crowd sourced, station directories and ‘free’ streaming. The only app you need is RadioDroid. Perfect in function even if it is a little plain to the eye.. it’s not available on the Play Store.
The only version of Termux I trust is the github version. I’m addicted to bash scripting, wget, gallery-dl, yt-dlp, ffmpeg.. there’s so many little things you can do with Termux to polish Android’s rough corners.
I use Winlator for mass tagging in Android.. with the Windows version of mp3tag. Audio tagging in 2026, on Android, is still severely lacking.
Seems like I will be using my 2009 netbook more often from now on to do bash scripting, instead of terminal on android.
The process of putting software you want to run on a computing device already had a proper name, and that is simply “installing”. Please, everyone, stop calling it “sideloading”, that is the term they want us to use because it makes it sound like going around something we’re not supposed to.
Do you have trouble with the term “apps” as well?
App, short for “application” is a term that substituted the word “program”, don’t “they” want us to use that either? Who cares, it’s a word, nothing changes the system as it is is bad enough (people using high power computers with a tiny screen but no keyboard controlled by a silly/inaccurate touchy touch interface that in most cases is barely good enough to almost do what you need to do and then your finger slips and you move 2 pages back but there is no undo ability). Who cares.
Regarding the topic, it’s a bit annoying that “sideloading” could possibly eventually be outlawed. But people always find a way, it will become a bit harder to do, but impossible, I do not think so.
Really? It will never be impossible?
I’m still waiting for people to “find a way” to root a decently spec’d up to date phone.
It’s ironic but if you buy an unlocked Google Pixel, you can install other OSes including ones with root.
Yah….. I require the ability to do desktop mode wirelessly via Miracast though. Kind of keeps me tethered to Samsung.
No you can’t anymore. Read the news from last year. Contact GrapheneOS if you are sure about your claim, they’ll be surely interested.
Words have power, and it’s a slippery slope. Do you “sideload” “apps” on your desktop computer, or your laptop? When we can’t write or run FOSS on our own hardware without the manufacturer’s approval, is it really ours?
Apps is just a contraction of a word people have used for ages, as Application and Program have been interchangeable in common speak around computing pretty much since the beginning. But Sideloading is a rather newer invention that has been given so much spin to make the act of installing anything without paying the Big G their cut sound wrong, dangerous, etc.
So yeah we really shouldn’t be normalising that the OS/device vendor really owns the device we paid for, unfortunately clearly and snappily expressing that you are giving Big G the middle finger and installing what you want on ‘your’ device anyway doesn’t really have its own description.
No. Application is a broader abstraction around the function or a task whereas a program is specifically the software on your computer. The word “app” is blurring the line between something you have and something you merely use.
For example, many phone apps are merely web pages displayed using the browser engine on your phone. They’re not programs in the sense that you’d have a binary that you can install and run natively on the device – it’s a web app pretending to be a local program.
Talking about in common vocabulary not technical minutia – both words have been used forever rather interchangeably to simply be something you run! If anything the difference in common language use is how polished and idiot proof the GUI is – if it’s all 8 million clicks of hand holding to do anything that is usually called an Application, if you can get everything done with one hotkey and a few clicks, but you might just need to learn how to use it it’s a Program…
Also while a Web App isn’t a local program as such, it is still the program you run to get the result, so from the regular user perspective there is no real difference. Plus in many cases it is still a local program (or at least can be) just using the browser engine to do all the work on the locally stored data.
Even on that account, if the app is essentially a website with the actual program on the server side, do you actually run it?
if (Allow_Unverified_Packages == true) remaining_warranty_time=0;
?
Olaf
Not allowed in the EU I think. I can install any SW on my HW without losing my warranty
You say that like Google doesn’t explicitly disclaim all warranties on their software already.
Will disabling Play Services work around this?
If I can’t put a custom ROM on a phone, then at minimum I remove/disable all the Google apps, including Play Services, and install FOSS versions of everything from F-Droid. This is a day 1 procedure with any new phone I get.
Otherwise, when I get a new phone, I’m going to have to jump through that 24 hour hoop and not use it at all until the same time next day because “stupid people might do something stupid”. That’s insane.
Why don’t they make their operating system safe enough so it can handle unsigned apps?
How? Android malware nowadays uses legitimate features like screen recording, viewing screenshots, viewing the clipboard, acting as a keyboard, etc. It’s just a program. We want arbitrary access but we also want “safety”.
But only the Android that came with my phone, or via those safe OTA updates, is apparently safe enough to use banking app(lication)s…
Banking applications are just terminal applications. All safety is obviously done on the server side. Rooting your phone will not magically allow you to add one million dollars to your account, even if you can now decompile & modify the application. The excuse of forbidding “sideloading” for protecting any eye dropping (or manipulating the keyboard for generating a transfer out of your account without you noticing), is just complete bullshit. If you want to prevent this security issue, you remove the feature from the OS or you gate these features (and only those) with some user authorization. As far as I know, there isn’t even a single word about “limiting” Accessibility features, like screenshotting or fake keyboard input in this announcement.
That’s simply not possible on any operating system unless you’re willing to drastically limit the device features to which apps have access. You’re asking for the device to make the distinction between malicious apps and legitimate ones, and there are any number of legitimate reasons you’d want an app to be able to read or change sensitive data. The fact that this can’t be automated is the biggest reason (other than profit) that Apple has such a stranglehold on iOS apps.
The alternative is that every on-device API which could be abused triggers a pop-up which asks the user for permission.
This is a solution that works for the 1% of people who know what “API” stands for. It does not work for humanity as a whole. 99% of users just automatically approve any popup that is preventing them from using their app.
The Windows UAC popups are a history lesson in this. I think they have prevented virtually zero viruses in the past 20 years, while consuming roughly 1,000 human lifetimes of time.
Then get rid of 99% illiterate users. Tell them to f*ck off and use a mechanical typewriter. If they are dumb enough not to study computers, they are dumb enough not to be allowed life in the XXI century.
Makes me icky to say it but .. I don’t really see this as a bad thing at all. Decent compromise.
A knowledgeable person can do whatever they want, after 24 hrs. Do it once, live your life.
If you don’t already have elderly parents, just wait. Of all the life stressors (career, family, money) not a lot of people talk about aging parents. 24 hour wait (to do something the vast majority of users will never need anyway, HaD readers excluded) to decrease the months long pain of identity theft in a parent/elderly person? I can live with that.
Yeah this is honestly better than I feared so long as google doesn’t change it every few months to be increasingly more restrictive/difficult (the whole crab in a pot of water with rising temperature analogy).
Sounds okay for me too. Unlocking Xiaomi phones is far worse.
I hate it. This will be as inconvenient to me as having to wait an extra day to set up my new phone (and come to think of it, what happens if you factory reset your device? Do you have to go to through this process again?). That said, I agree with everything in your comment. Ultimately this will be a positive thing, and it makes no sense to undermine the system to accommodate my niche use case.
The process Google describes provides no security but you surrender almost all your liberties. What does it prevent, honestly? How does the introduced process prevent identity theft? (Does it even speak of identity?). It vaguely presents excuses for introducing a PITA, but there’s no gain, just pain.
Their example is about someone social engineering them to enable “allow installing from unknown source”, but a scammer is very unlikely to bother doing that (because the actual process is already so complex, you can’t rely on an elder to do it correctly). He’ll likely do the usual “I need to verify it’s you, I’ll send you an SMS, please read me the code in it so I can assert you’re the one I’ve called”.
This is just plain bullshit, as usual from Google.
This is nothing more than the equivalent of malicious compliance in regards to preserving device owners freedom to install what they want without Google’s interference.
So when do we get a Linux phone that doesn’t have anemic hardware?
When enough people agree to pay (beforehand) a correct (i.e., not subsidized) price for it. Then it can be developed, built and sent to buyers.
But you know, people choose cheap things first, and then complain about them later.
You say people choose cheap things first, I’d argue that isn’t true, as if it was nobody would use Windoze when so many vendors let you save money buying your computer without… The problem is a lack of attempts at a real Linux phone using a remotely modern chip when it is created.
Though with Valve using a Snapdragon in the Frame, and a few other laptops using them too the dream of a chip with enough manufacturer support that is modern chip with decent energy efficiency and performance to be a general and actually daily drivable Linux phone now is looking rather more promising. Assuming you can get together enough funding or the support of the chip supplier etc to start such a project.
Not to belittle the older attempts, that are no doubt going to be a useful stepping stone to build from, just they all had to compromise a bit too hard on the silicon at the time to be that compelling, and have only fallen further behind.
How do you explain Apple, then? Or any of the flagship Android phones that cost over a thousand dollars?
You could make a Linux phone in that price range. It’s just that it won’t be any good because it’s missing all the apps and general infrastructure as a software platform, and the hardware compatibility (options and performance) and the general UI/UX sucks. It would be again expecting a bunch of uncoordinated and to a great extent unpaid amateurs to come up with something finished and polished when none of them can even agree what they should be doing, without any industry backup or support from OEMs because nobody’s taking them seriously.
To make it work, you’d need to set up a company around the point and take control of the development with commercial intent and focus, which is what Google did with Android. You want Linux phones, you already have them.
Apple? Same as buying Rolex, Nike, etc. Mostly people buy it because of the brand. Some people buy it expecting better quality. And if you agree with Apple’s rules, everything kind of “just works”.
As for the Linux phone: you repeated what I wrote. If enough people want so much a Linux phone that they will put their money where their words are, it can be built. But will cost probably more than that flagship Android phone you mention, due to production costs.
And then the people who bought it will complain that nobody develops programs for it. And with a very small user base, that will happen only if they pay for it.
And we are back to the “people want cheap things”. And I would add, “unless it is them doing the work. Then they want top money”. Or the complaints will be “Somebody should do this app”. The person who demands it always has some excuse (“don’t have time” or “I’m not a programmer”). But they want others’ work to be had for free.
“I’m not a programmer” is not an excuse, it’s most often just the fact.
The problem with “Linux” is that it insists on being free – it won’t accept money for the point that it would constrain the developers to do what the customers want instead of what they themselves want to do with their toy of an operating system. They don’t really care about what the users want or need, or they have other ideas about what the users should want or need.
Android is the exact opposite: it’s free because it’s a trap to get independent software vendors into the ecosystem where they have to pay Google a tax to distribute their software on the platform.
It’s not the building that is the problem. It’s not an issue of making an individual phone as a product, but making the ecosystem to make Linux phones viable in general. Android did that, and it took a commercial interest like Google to put their foot down and say “This is how it’s going to work and here’s what you do to make it.”
It didn’t start from the consumers demanding a new system, because consumers never demand new stuff – they demand what they already know is good. For “Linux” phones to succeed, you need to introduce a controlled uniform system that targets consumer needs, instead of a wishy washy vague ideal like “open freedom” that doesn’t have any concrete meaning and doesn’t produce any tangible results.
Consumers can’t choose Linux because it doesn’t really mean anything for them – they don’t know where to put their money to get what they want, and the community is refusing to provide such a target because it would bind them into providing exactly that. The community wants the money but not the responsibility to do the work they’re paid for.
Try postmarketOS. Works for me.
Like the FLX1s ? Or the Jolla Phone ?
They don’t have the marketing power of Google. But they exist. And it’s usable (not perfect, good for most things with still some weird UX’s sometimes)
This is fine. The 24 hour wait is hilarious but will prevent a lot of scams by forcing people to sleep on it.
Except it probably won’t prevent most of them – as the Play store itself is frequently caught full of malware they don’t swiftly remove, and applications from that source, or signed apps in general that are malicious are still installable without any road block at all!
So the developer of the malware probably stole somebody’s identity and paid their one time Google membership fee and will get years of scamming folks out of it before it is finally shut down. The users haven’t been protected from scammers very much at all, just infantilised and the issue confused enough to leave them quite possibly believing that anything the phone doesn’t ask you the ‘Are you sure’, ‘Are you really sure’ message is perfectly safe…
So great the Big G gets to charge a small tax on the malware vendors for themselves, and because it’s so small the scumbags won’t care, but the user really isn’t any safer.
I think you’re greatly exaggerating the prevalence of malware on the play store, especially in comparison to the web in general where every website you find “off the beaten path” is trying to get you to install some “videoplayer.exe” or “download accelerator”.
Plenty of it keeps being found – all you need is that little bit of social engineering to scare the user into doing what you want or to create the right advertising buzz around your new better than Discord or auto pass the age verification Discord app (etc) to distribute this malware.
Didn’t say that regular windoze stuff especially off the beaten path is better. However in this case if it’s on the play store, or signed by a Google approved developer it really isn’t “Off the beaten path” so that isn’t a fair comparison to that anyway. While on the other side in that wilderness the Antivirus scanners, even Microslop’s own windon’t defender are pretty good filters that will detect many of those variations on a theme from the known malware anyway – so it probably is better!
But the point is this ‘sideloading’ roadblock is not a valid, functional security measure at all while the bad actors CAN get their software signed for a friction free install, and they are doing so. It is nothing but making it obnoxious for anybody to distribute their software without paying Google for the privilege first.
I would prefer if you gave statistics.
The common scam calls are trying to trick you by urgency, like “Someone stole your identity and now they’re emptying your bank account, quick I need you to log in through this fake website and let us transfer your money to a ‘safe’ account!”
Unfortunately the 24 hour wait period doesn’t really help against those scams, because they’re not relying on you installing malware. They’re relying on you being stupid.
Exactly the point. This is just bullshit from Google to gain monopoly with a vague excuse of security.
Aren’t all DJI apps essentially side loaded? As far as I can recall you have to install it by APK for the last 5/6 years. Wonder what they’ll do to get around this.
Anyone else getting fed up with big corporations dictating what we can and can’t do with expensive devices that we paid for and own? This crap from Google, and the way the MS can arbitrarily restart my PC without my consent? Just two examples. They can only get away with it because they basically hold a monopoly and for a lot of people the alternative just isn’t an option. I’ve tried Linux many many times since the mid 90s at least, and never once found it palatable enough for my needs.
It’s like a new language. It’s hard when you start and then it becomes your main language the more you are practicing it. Honestly, Linux (the desktops and applications) have improved a lot since the last 5 years. It installs without pain or hassle, it’s more customizable than windows or macos, and delivers much more. In my family, they are using a Linux computer without even realizing it’s Linux underneath. It just works. I’m having a hard time going back to Windows now.
Listen & repeat:
I will use LineageOS.
or GrapheneOS
IMHO, GrapheneOS is dead in the next 2 years or so. They are trying to survive with external manufacturer like Motorola because Google is closing their access. Motorola will likely deliver a phone or two with opened bootloader and some documentation, but after that, if they don’t get the sales to compensate the development efforts they’re invested, they’ll just end the deal and that’s it. The GrapheneOS market is peanuts to them.
I have a mini gameboy styled “powkiddy” handheld that runs a cut down customized version of Ubuntu linux (ark os) and cost about $70. Why can’t someone put together a device with a similar custom linux os in the shape of a phone and sell it at a reasonable price? This wouldn’t appeal to the average consumer but its a start.
How about the PinePhone ?
Well this won’t work for me. It asks me if anyone is forcing me to do this and I have to honestly say yes. Google is forcing me to do this because the apps in the Play store aren’t what I want.