Google gives Android users a way to install unverified apps if they worked hard for it (including waiting 24 hours)
2mon 2h ago by lemmus.org/u/Beep in technology from android-developers.googleblog.com
Okay but, installing an apk is not the kind of thing a scammer does. They'll just install some standard off the shelf remote access software from the play store
This very much feels like they just needed to come up with a new justification for this process and opted for scammers for some reason. Even though they're completely disconnected
> This very much feels like they just needed to come up with a new justification for this process
It feels that way because that's exactly what happened.
I was hoping for at least something slightly believable, someone let Gemini write the justification I guess
They don't even respect us enough to bother with trying to make their lies convincing anymore.
A man can dream
- enable developer options
- confirm that you are not tricked
- restart phone and re-authenticate
- wait one day
- confirm with biometrics that you know what you are doing
- decide if you only want unrestricted installs for 1 week or forever
- confirm that you accept the risks
- enjoy the few apps that still have developers motivated to develop for a user-base willing to put up with this
Is this for all android systems because it is a huge rug pull if so
Pretty sure it's a change to AOSP, the basis for every single Android ROM in existence.
Combined with the news that they're going to start requiring developer age verification even in the alternate app repositories...
The biometrics part makes no sense, you can disable biometrics. You mean that you have to do a security confirmation however you've set it up.
I can understand this workflow being created to protect the legions of people who are tricked into installing spyware.
It doesn't remotely affect me because I use GrapheneOS and if this is an issue for you then you're probably someone who should look at installing GOS or Lineage.
I don't think Google should be able to do this and it is likely part of a longer-term strategy to strangle any competition. At the same time, I can understand how this change will save a lot of grandparents from clicking a link in a text from their 'grandchildren' and installing spyware that'll steal all of their bank information.
GrapheneOS is built on AOSP, which is where the change is being made. Graphene and other custom ROMs will need to maintain a fork that cuts out the feature if they want to avoid it. Google is also starting to close off Android to make that more difficult, so it'll become a genuine project to maintain the fork well.
As far as I understand the enforcement depends on privileged play services. https://xcancel.com/Metr0pl3x/status/1960329785277571420#m
That's better, at least. GrapheneOS users should be fine at least since there are extensive restrictions on Play. Other Android ROMs may have issues, though. Maybe not if they use MicroG.
I mean... This is kind of why I never let people use my phone.
I have installations from various sources enabled... Like my browser, because I know what I'm doing. But I wouldn't trust anyone as the process is currently effortless....
If someone is trying to install spyware on you (like a partner or parent.) this might offer some notification and prevention.
I don't really see the big deal. You do it once, enable it forever, and wipe up those tears.
I think a better way would just be to have maybe like a biometric/pin confirmation upon installation. Simple. Clean.
They want to suppress the developers, not users. By making it so bothersome, so many people will just stop using sources from outside google play. First they do this and at some later time they will add more hoops to it. If they manage to strangle any developers that make stuff, people will have nowhere to turn yet they can't complain either because google will have undeniable monopoly.
The delay is almost assuredly to prevent live scamming. Like a grandparent picking up a random call or text and being tricked into thinking they're a family member/bank worker/etc.
I'll admit it's annoying, and could be used by Google later to do more annoying shit.
Taking their explanations in good faith and looking at it from a customer security point of view, I can see this cutting back on some common scam types. This is kind of like how, when you go to rustdesk.com there's a giant 'YOU'RE PROBABLY GETTING SCAMMED' banner across the top of the page:

These little steps can seem pointless or annoying to us, as most of us are probably in the upper range of tech skills, but consider the average user and it starts to make a lot more sense.
The delay makes intuitive sense especially since it will give the target a chance to complain about it to their friends and family who will hopefully stop it from there.
However, I’m not sure if it’s worth it. I imagine this would stop exfiltration apps which scan the user's device for useful data and maybe passive screenshots but this pales in comparison to apps with subscription dark patterns, gambling and apps that harvest and sell your data legally already. If this was a case of apps prompting the user to enter sensitive information into a form then they could just use a browser.
I don’t know. I think this is a good measure to prevent scams. I’m just uncomfortable about Google’s motivation.
e: nm, mod got 'em
In addition to the advanced flow we’re building free, limited distribution accounts for students and hobbyists. This allows you to share apps with a small group (up to 20 devices) without needing to provide a government-issued ID or pay a registration fee.
Fuck you sideways, Google.
What? ID?
They want developers to share their IDs to have their apps on the play store. The limited groups is so hobbyist developers can still share apps without having to jump through those hoops and so the users don't need to go and enable sideloading, with the caveat that there's a cap on how many users you can send it to, it looks like.
That's already the case. The new thing is that they want developers to share their ID to have their apps be installable on Android in the first place, even if they don't use the Play Store.
I wonder if this is a direct result of apps like ICE watch or ones that track billionaire planes and stuff
Google did just say they're "...leaning more into military contracts..." or something...
But the sideloading flow via dev options that they have revealed doesn't require that and it's easy to do...
From what angle is it easy to do?
- Enable developer mode (using a hidden process where you have to know where to find it)
- Go through a scary form
- Restart the device
- Wait 24 hours?!
- Go to the settings again
- Do some more scary confirmations
- Check another scary checkbox
- And then... confirm again every single time you install an app
And you are telling me it's easy to do? I can go publish a diet tracking app and Aunt Flo will happily go through this and I won't lose customers?
I feel like if someone knows what an .apk is and where to download them, they'll also know how to search for how to install them
Yeah, and currently you don't need to know what an apk is to install them.
Then you're just installing from the play store are you not? If you want to use f-droid or something else you initially have to start with getting their .apk do you not? Or am I mistaken and misremembering?
And again, confirming that my current phone will be the last android device I own.
What will you use instead though?
At this stage, I'm thinking one of the Motorola phones that will run Graphene out of the box.
Isn't that Android?
I believe it’s a fork of android that is not managed by Google
It's an Android fork that has been degoogled
........so it's android.
Is that meant to be a "gotcha" or something?
My point is, this is the last time I let google control my phone.
I imagine since it's not an official product of Google's, it can't legally be called "Android." As such it's something that is not Android, but is highly compatible with it since both are rooted in the AOSP.
Legally? Maybe not.
But Col Sanders left KFC after selling a business he created with his own secret recipe. Then after he sold it, he watched the new owners use his image to sell an inferior chicken product.
So he started up another new chicken restaurant using the original recipe. Legally he couldn't call it KFC, but that doesn't change the fact that it was the original KFC recipe.
How's that phrase go? A rose by any other name would smell just as sweet.
Call things whatever word you want, it's still the same thing in the end.
The point that is clearly not sinking into your wired-to-argue-for-no-reason brain, is that it gets rid of the shit that Google is fucking with. Which is what they were concerned about, not the underlying structure of the OS being offensive to them.
Ok, not OP but also wired-to-argue-for-no-reason :
People present graphene as some independent project that throws the middle finger to Google.
In reality Google could very easily stop tolerating the sandboxed playstore and require them to follow the same "certification" as the other.
Sure graphene could still ship but without the playstore that will be a very different experience. You can roll with F-Droid etc but your choice of apps would be very limited.
Basically, I just wanted to point out that graphene is definitely working with the permission of Google and google could very well sabotage the project in a few dumb requirements.
As someone that uses GrapheneOS without google play services, I'd be fine with it. Fuck em.
I use graphene on a pixel. Graphene is Android, albeit a much better version of Android.
I don't care whether it's technically android or not, I care that it's not a tool to let google in to my life.
I'm hoping it's smaller than any of their current offerings. I really want to support a "factory" GrapheneOS phone, but can't stand the size of current generation phones.
I want the opposite! I currently use a fold phone because phones are too small :P
Even sidegrading to an older mid-high range phone seems like a good idea at this point. I hate android 12 and everything after it with a passion. Moto have been decent in my experience though, hopefully HMD will follow suit with Graphene
any links for more info?
March 2, 2026 https://motorolanews.com/motorola-three-new-b2b-solutions-at-mwc-2026/
That's some good news indeed.
Linux phone, landline, or tin can and string.
Another option, an ESP32 radio. Surprisingly large mesh network in the greater Seattle area.
Yeah, but you guys don't have any ghosts in your city! So.....Who ya gonna call???
Fairphone with /e/os or Jolla phone with sailfishos (waiting for the reviews of their new preordered flagship phone coming out this fall.)
Well, that runs into a different problem with the same results.
Sure, GOOGLE can't hinder you from installing apps, but the fact that nobody has heard of these OS's before means your selection of available apps is what hinders your ability to install apps.
"Nobody has heard of these os'" - wtf you talk about? They are gaining popularity here in EU as well as in Turkey. It's getting popular to de-google/de-americanize. People are hating on the monopoly iOS and Android has on the industry. Better to do something than being a sheep about it, and just let those mofos suck the data out of your life forever?
/e/os is Android without Google proprietary stuff. It runs most Android apps.
While technically correct, it runs apps, it's misleading because it won't run the majority of apps from the playstore.
Google holds people captive with the playstore and the very sneaky google play services.
Only the most hardcore tinkerers and privacy oriented would run a pure AOSP phone.
These devices have replaced play services with things like micro g, so yes they will run pretty much any android app even Google ones would work but that would be defeating the purpose.
I've tried it, and only ran into a couple apps that wouldn't work with MicroG. I won't pretend it's painless, but it's workable for someone with sufficient motivation.
/e/ OS is just a degoogled Android (similar to Graphene, but not so security oriented). You can install the same apps - though some might not work properly.
Sailfish OS is Linux, but if I understand it correctly they have a compatibility layer enabling you to seamlessly install Android apps on it.
You != Everybody.
That exact issue killed Blackberry, the largest smartphone maker at the time. Even after they built a compatibility layer to run Android apps.
You think anywhere near enough people are going to go out of their way to try something that doesn't have marketshare already to maintain an entire alternative hardware and software ecosystem? Where can I get wherever awesome shit you're smoking?
When I was a kid, blackberries were more common than android. At least in my area it was the "in" thing to be on BBM
e/os and Sailfish are pretty popular alternative OSs (OSes? OSii?) and e/os is an android fork, with Sailfish having an android compatibility layer, so they work with standard Android apps.
Source: I use e/os.
Why are you in here arguing losing points with no reason or even knowledge about them?
Just think of all the other things that could benefit from a "protective waiting period" to enhance your safety.
Turning off location tracking, using a web browser other than Chrome, using a mail server other than Gmail, visiting duckduckgo.com — if Google really cared about your privacy and security they'd add a 24-hour delay to all these dangerous activities.
Downloading Linux? Mandatory psych evaluation. For your protection.

They think this will take some of the heat off of them. Hopefully no one actually thinks this is a reasonable compromise. If I want to help an elderly family member install something on their phone during Thanksgiving dinner or a family reunion, I'm not gonna want to wait a day. Uncle Paul's flying back to Florida tomorrow morning!
Thanksgiving was four months ago. Uncle Paul lives with you now.
I imagine that the demand for linux phones will only grow.
THE PENGUINS MUST GROW
Who are these smooth-talking scammers that can guide a regular-ass user to jump through hoops in settings to install a malicious app?
Maybe I should ask them how they do it, because I cannot convince my family to download and use Signal. You know, the legit app from the official app store.
People who can't operate a computer will somehow become gods at following instructions if someone calls "from Microsoft"
Yes exactly this. I try and explain a computer thing to someone and get ignored. That same person talks to some sales rep in the electronics store and comes away "ohh they said I need to buy super expensive antivirus, that'll solve my issue with my screen resolution being too low". 🤦
The sales rep offered a solution to that person's problem.
You want that person to be right which they perceive as you want to dominate them.
So they try to resist you while they are highly motivated to follow the instructions of the sales person.
Interesting explanation of the psychology and I don't necessarily doubt it, but I also offered a solution. The solution I've offered fixes the problem, the salesman's solution sounds like it solves the problem but does not.
A solution without demand is worthless. At first the demand has to be created. Some people value understanding and are thankful but that's a small minority.
You mean from 'The Microsoft'
> Who are these smooth-talking scammers that can guide a regular-ass user to jump through hoops in settings to install a malicious app?
you would be extremely surprised. I think lemmy users fail to realize that not everyone has an IT job and is a sys admin.
Exactly.. there are a ton of older people falling for scams every day. It's all over the news. They manipulate people by pretending to be a love interest or a family member.
Can we prevent this on the EU level? It really is just killing independent competition.
Vote for the Pirates
According to Wikipedia, they basically have no representative anywhere... I would rather vote for a more established party which actually has the power to influence the decision. Surely there must be one mainstream party that has the same stance.
There are some places one can contact:
https://competition-policy.ec.europa.eu/antitrust-and-cartels/contact_en
Email Digital Markets Act team: EC-DMA@ec.europa.eu
Contact DMA team: https://digital-markets-act.ec.europa.eu/contact-dma-team_en
Contact your Member of the European Parliament directly: https://zeyus.com/contact-mep-representative
Email Antitrust: COMP-GREFFE-ANTITRUST@ec.europa.eu
https://competition-policy.ec.europa.eu/antitrust-and-cartels/contact_en
I tried sending a message to one, I forget which, and they essentially replied that they see nothing wrong with it, so more people need to complain.
https://keepandroidopen.org/ More information from here.
Rental devices tend to be bad investments for the individuals.
They will just redefine what 24h means!
Don't think for a second that these companies are working in good faith, and would change their evil plans due to some pushback from the rabble. They will just find ways to circumvent things. They have everyone by the nads, there are no competitors.
This would not have affected me since I use Lineage OS without Google Play Services, but I am now more seriously than ever looking into using a Linux phone like Postmarket OS.
It would affect a lot of users, then it will indirectly affect you too, as a lot of devs won't be as interested in maintaining their apps for so few users. But I hope it will at least give a bit of a push to developing postmarket os. I personally am sure going to get a second hand phone to install postmarketos too and hope I can contribute at least a little bit. I am prepared to suffer, at least a little bit for the right cause.
- Camera
- Phone projection for cars
- Contactless pay/ wallet/pay alternative
Give me a device that can do these and I am in for ditching android. I only use browsers or off store apps that have linux support mainly anymore anyway.
At least the last one won't happen, as banks would have to be on board. And banks are not on your side with this one.
To be honest this one is in hand, curve has an alternative product and a lot of banks across EU have native NFC. My country does not have those banks though. I hope revolut bring it in.
I do want something that takes my tickets for shows and flights and membership cards too though
Yeah, I'm in a similar situation. Curve doesn't work in my country and banks don't have their own solution. And google pay won't work on my grapheneos pixel.
I got a pixel for graphene but had to go back for android auto and payments. The camera was lacking compared to pixelOS but that was fixable.
Sucks to be with google more than ever
I'm just going to eradicate Google once SteamOS supports mobile devices. Fucking control freak douchebags.
Bruh what? You're gonna be waiting a long time for that. Better to use one of the pre-existing alternatives than wait for an OS that probably won't ever exist, and probably won't support your hardware if it ever does.
Why is it called developer mode if it's supposedly an advanced flow? That has a bad implication.
I hate how much more difficult my work or life has to be because some people shouldn't have a smartphone.
How will this be accepted by the EU? Will it comply with the regulations?
Because they technically still allow sideloading after 24 hours so I don't think it would violate EU laws
either going back to cell phones or we all go for Linux phones
Not happening on /e/OS! You can join us here: https://e.foundation/
What the fuck
I am already on Graphene OS.. so, do what the fuck u want. I don't care.
If this is really as straightforward as it sounds then I'd consider this the best case scenario. Google could have gone full Apple style lockdown or even just have implemented this flow on a per app basis, but needing to wait 24hr one time to enable unverified app installation isn't a bad idea from a security perspective. It prevents a bad actor with temporary access from being able to do much while not getting in the way of us power users after the initial 24hr period.
My bigger problem is how Google is leveraging their monopoly to implement this single-handedly and only for themselves. If they had instead gone through AOSP this perhaps could have been implemented in a better way to allow other parties than just Google to be the verifier, and that 24hr waiting period could be applied to any verifier that is not the phone's default. I'd argue this would be an equally reasonable security measure considering how many scams are out there preying on those who aren't technologically savvy, yet would maintain transparency.
I've heard of security by obscurity being accepted, but never heard of security by obtuseness being accepted as valid.
I hate the fact that Android is open source only on paper. You can't compile your own flavor and install it.
You absolutely can... Custom ROMs do just that.
Your phone has to support it. It's not a Google wall. Your phone maker determines how difficult or easy this is. Google pixels make it rather easy to install Graphene on. Motorola is also going to support Graphene.
There's also lineage and e/os/ and even non-AOSP-based postmarketOS (which is a Linux distro.)
Which is not as libre as a computer OS. What I mean is that Google has complete control and power over it as it's not developed by the community and therefore doesn't do its best interests
Android used to be a little more diverse.
But it's been limited to the launcher(shell) mostly.
What do you think are in the best interest of the community that Google isn't doing? Do you have any less contentious examples? As a technical support specialist I've talked to numerous dipshits that were talked into installing a virus on their own Computer system or phone or other device.
Some people are really really really fucking gullible.
It's their problem if they were tricked into installing malware. It shouldn't be an excuse to limit power users. The real reason Google does that is profiling developers and preventing real libre alternatives
Hot Take: Honestly, this is not as bad as I thought it'd be... IMO
(But still, it's kinda a slippery slope...)
Their strategy:
- announce they will make extreme restrictions
- people get crazy over it and backlash
- announce that they're listening to people and will soften the proposed restrictions
- people relax and accept the restrictions, while the media portray them as the good guys
I feel if everything they said is true, then this is a reasonable solution. But from my many Youtube scammer video experience, like people have already mentioned, most scammers use standard remote access software, not some bespoke APK.
If graphene had Liquid Glass I’d unironically switch to it. I can’t stand flat looking UI.
Are you really trading off an aesthetic feature for no privacy?
Secondly, just install a liquid glass theme if you're funny.
Thirdly, liquid glass theme is ugly anyway
Genuinely, can you link me to it? And not an icon pack, I want the entire system ui to be glossy and blurry.
I don't care, this is a massive win
Found the Google employee.
Bro did you want them to ban it? A one-time 24 hour wait is literally nothing compared to having 0 viable phones on the market where you can sideload.
Am I tripping? How is this not good news?
You purchased something. Then the company you purchased from announces they're taking away features from you after the fact. Then they announce that they'll give it back partially if you waste your time and do all sorts of steps.
You see this as a win? With attitudes like this, no wonder companies feel they can get away with anything.
I don't give a shit about steps, I can follow steps. Nor do I give a shit about 24 hour cooldown when the flipside is having the phone completely neutered.
And don't get me wrong, I'm infuriated that they even considered it. In my opinion side loading is a basic phone feature and not having it is disabling.
But... they're not removing it, and they sure as fuck didn't get away with it. They got immense backlash and now they're listening to the community, as they should.
This is an enormous win for the future of sideloading (which, let me remind you, almost just got killed on every Android phone) and I'm happy it's living to see another day.
What specifically is a massive win?
I bought an Android specifically because iPhone doesn't allow sideloading. If Android bans sideloading, there's no viable options left until Linux phone develops to a usable state.
The win is that they're not banning sideloading, obviously. Personally I don't gaf if I gotta wait 24 hours as long as you can do it.
that sideloading wasn't banned
I’m okay with this. Didn’t read the article — I read one on Ars Technica or somewhere wore.
iPhone guy, but say I get an Android phone that has this. Say the Pixel 11 Pro ships with it. So I do the thing, right when I get it… 24 hours after that I can install whatever? That’s fine. It’s only 24 hours and then it’s open as long as you want it to be. I don’t even think I need to sideload, but I’ll want the option. And it’s still better than the hoops we gotta jump through to sideload on iPhone.
> And it’s still better than the hoops we gotta jump through to sideload on iPhone.
The fact that iOS is a joke doesn't make this any better, and there's no such thing as "sideloading" outside of corporate FUD; it's installing perfectly goddamn normal software on your goddamn device that you goddamn own. I didn't "sideload" Firefox onto my desktop. "Yeah, bro, I just sideloaded Hades II."
No, you do this and then you can't install anything, because no developer will choose this process as their publishing strategy.
Apps outside the Play Store will be dead, which is the point.
What apps outside of the Play Store, and why do I care about them? (Again, assuming I'm a new Pixel/Galaxy user.)
I remember when I bought Titanium Backup (anybody remember that?). You could buy it for X on the Play Store, or you could buy the unlocker from the developer. IIRC you pay a little bit less, but he gets 100% of the money, so you just cut Google out. I don't recall exactly, but I did that.
I feel like anything you want to get that's not on the Play Store, you're gonna be savvy enough to install. Like FDroid. People who install FDroid tend to know what they're doing. Or ad blockers. Or whatever torrent/Dark Web app that's not in the Play Store. You're gonna know how to do it, and if these hoops stop you from doing it, you can always get a geek to do it for you... or maybe you'd be better off not doing it learning how your device works first.
> I feel like anything you want to get that’s not on the Play Store, you’re gonna be savvy enough to install.
Yes, that's my point. Google making it so that you have to be a tech savvy user to install anything from outside the Play Store is why there is nothing outside the Play Store that a non-tech savvy user would be interested in, because why would there be if no one is going to install it anyway. Fortnite was a big example where you had to download the APK from their website, and they sued Google that it was too hard for users. And it was before these changes which make it incredibly harder.
Meanwhile, TVDB doesn't have an app, and IMDb and Wikipedia have shitty apps, so I've installed all three as web apps. You can do a lot with web apps these days. It's not all inclusive, but it is something. And that's on iPhone. On Android I actually prefer to use the browser (Firefox with uBlock Origin).