Yep, it's as bad as everyone expected it to be. "We aren't taking away sideloading, we're just going to fully control it now! No Google-unapproved code on user devices! For security reasons!"
Chrome isn't enough. We need Android to get clawed away from Google too.
Do you see the direction they're heading? They're now making it so maybe .5% of android users know how to sideload. They're clearly chipping away at it, even though they might not be making all the changes at once.
On Android you can both install and run apps over adb. The linked article explains:
> Participating in developer verification will not affect your experience in Android Studio, the official IDE for Android app development. You will continue to be able to build and run an app even if your identity is not verified. Android Studio is unaffected because deployments performed with adb, which Android Studio uses behind the scenes to push builds to devices, is unaffected. You can continue to develop, debug, and test your app locally by deploying to both emulators and physical devices, just as you do now.
> We want to make sure that if you download an app, it’s truly from the developer it claims to be published from, regardless of where you get the app. Verified developers will have the same freedom to distribute their apps directly to users through sideloading or through any app store they prefer.
Somewhat unrelated: Do you think the UK government and Google have the same PR team?
Thought: Maybe we can organise and collectively hire this PR team to get Google, other big tech, and our governments, to look bad... And get shit done that way... If 2025 is the year of the PR spin, surely the only counter-measure is counter-spin?
Edit: Hold on, I think I just re-invented the concept of a political party.
Android was a sink for people who want things like this and an excuse for people to rationalize Apple doing it. If Android is "good enough" then who needs some actual Linux phone? If Android is open and that's what you want then why don't people just buy one of those instead of having the government break up Apple and Google?
People become willing to do things when you throw them out in the cold that they wouldn't do when you were still supplying the bread and circuses, and those people they don't like? It's because they're stubborn and they actually care and they know how to build things, isn't it?
Samsung's store contains virtually no original third-party software, anything that's worth installing and is not from Samsung is available on the Play Store.
Look, Google. You and me both, we don't want EU bureaucracy to get involved again...
(It's going to be a different group than the chat control people. If the chat control people win bigly, this would actually support what they want. Is there, like, any connection between that and the timing of these new rules?)
One interesting aspect of this is that when using a personal Android with a work profile, developer options and ADB is (or at least can be) disabled. BYOD will then imply you can't sideload at all.
As though to flex a muscle, around the time this program was first announced, apple revoked a third party application from being installed on its devices. I say its and not users, because they've proven it's not your device.
There sadly isn't a single viable option for a Linux mobile phone out there.
- Purism runs ancient hardware, charges way too much and has questionable business ethics.
- Pine64 has equally bad hardware but reasonable prices. I don't like the Hong-Kong connection though. Not sure how the security patching environment is in practice.
The only option on the table as I see it is buying from the devil and installing GrapheneOS.
I'm not an android developer, so I'm missing some context and key information. But I have a question: When Google is asking developers to "register" their apps as part of this new program, are they just trying to keep a mapping from some code signing key to a government ID? Or are they trying to do a code review process that is similar to submitting to an app store?
I know both are objectionable in their own way, but these two scenarios are quite different and I want to understand this better.
The first one for sure, second one — to an extent. If you publish “objectionable” apps (we are told this will be used to combat malware) — your certificate will be revoked.
> If your team’s current test process relies on distributing APKs to testers for installation using methods other than adb, you will need to verify your identity and register the package.
Absolute bullshit Google.
You have no right telling me what I can and cannot run on my own devices. Regardless of how I choose to install it.
This mostly confirms that it's exactly as bad as we thought. The only clarification is that building from source and installing via adb will continue to be allowed. For now.
So this is saying you have to have an Android developer account and sign the app with your identity… so a one-time $25 cost and that’s it? You can still distribute and sideload apps as long as you sign them.
Microsoft does this for Windows apps if you don’t want scary warnings popping up everywhere. Apple doesn’t even let you sideload at all for iOS and for macOS they do the forced trash malware thing unless you run commands to allow the app in the terminal.
Am I missing how this is different from what we already have on most platforms? Is it because you can’t force it to install the apps? Is there not a developer mode that lets you install unsigned apps, or a way to root the device to install apps?
The fact that other platforms do something similar is not an excuse, and this is more restrictive than both windows and macOS, even if technically less restrictive than iOS.
(The fact that all those platforms still have malware, as well as the officially sanctioned google store, should also inform you about how effective this measure is for its stated goal)
I'm guessing Windows gets a pass because you can still fairly easily bypass the signature check - it's effectively a warning rather than a hard block. It sounds like for (mainstream) Android, the only workaround will be to plug it into a PC and use adb there to install an unsigned app, which is considerably harder. Installing a custom ROM will presumably get around it too, but that's tough, and various government and banking apps etc tend to refuse to run because of attestation.
Apple is of course locked down, but that's not news. The anger is because Android was the better option on this dimension.
> Am I missing how this is different from what we already have on most platforms?
Most? The only platform that is like that is ios.
On linux, in any form, I can run what I want.
On a mac I can run what I want.
On windows I can run what I want.
Obviously on BSDs, Illumos, etc, I can run what I want.
On android up to now, I can run what I want.
The one and sole exception where I don't really own the device and can't run what I want it ios (therefore I don't own anything that uses ios). And now google wants to join that evil club.
Googles decisision to add developer verification killed my interest in handset development entirely. But hey, at least I know what to focus my time on rather than third party app development ie. F-Droid. I look at my android phone differently now that its on the table which sucks but hey they made me switch my development time to linux drivers now instead.
I have been running Graphene on a Pixel for a while now and I don't think Linux phones are a viable alternative. The vast majority of Android apps just work on Graphene, and there are millions of them. The UI experience is polished, everything just works with the exception of apps that require Google Play Integrity. And of course these projects aren't affected by Google's restrictions on sideloading.
Look I love that GrapheneOS exists, and I have used it in the past (as have I with Lineage).
But GrapheneOS lives by the mercy of Google. Pixel devices being reference devices makes it so that it's unlikely that Google will close them down completely.
However, as can be seen with this verification move, Google is willing to go very far to accomplish its aims. They already delayed delivery of Android 16 images, causing GrapheneOS some headaches.
Can an non-profit LLC verify itself and submit apps on behalf or anonymous developers after vetting their code? If so, that would probably a nice middle-ground.
The reaction to this change has truly changed my opinion that developer's opinions on a lot of subjects affecting the public's safety and security shouldn't be valued much (and yes, I realize I am on HN). If this is a bridge too far, then why should anyone listen to devs about "we can't backdoor cryptography" and things like chat control and more? You can't make every hill the hill you die on. I wouldn't even be against requiring a professional certification organization for developers before they're allowed to publish software to the masses. I would very much find it unpleasant, but we live in a society. You need a license to drive, to be a doctor, engineer and just about any profession where people's safety and well being is in jeopardy. Even real estate agents are licensed! and people all up in arms about a simple id verification.
This is just to address malicious code. How does the public know your code isn't full of vulnerabilities, that you're not selling their data to the highest bidder? How do they know that you have a good understanding of secure coding practices and knowledge of privacy laws? Let's talk about that instead, if you publish software for a private group of people, there should be no restrictions. If you're publishing it on a platform that would expose your software to billions of people, get a license after id verification and passing a globally standardized exam (multiple choice and a practical coding exam!).
See, the big disconnect is that most developers see software as something similar to writing a book or selling a home-made item on etsy or ebay. But in reality, it's more like manufacturing a car or a gun, or opening a bank (if your app takes payments), or even opening a restaurant or a food truck. all these things require licensing. The malware and privacy loss people suffer is akin too food poisoning, car accidents,etc.. but since it all happens virtually and there is typically no physical harm, developers are dismissive of it. This isn't the 90's anymore, people's lives and livelihoods are all online, all the security measures you can take, using signal for chat, passkeys and password managers for creds,vpns,etc.. and you're still one legit looking app install away, one convincing phish away from your phone being compromised along with all your accounts, finances , job and your entire life as you recognize it from being harmed or destroyed.
I urge you all to temper passions with reason and practicality.
The umbrella organisation signing apps is not impossible, as far as I know. But it would need to be pretty cautious, because if Google revokes its registration, that could block all the apps it has signed at once.
It's hard to see how you could get the necessary level of careful code review with just volunteer effort. But I suspect that most developers who don't want to register with Google are also unlikely to pay money to a third party to work around this.
With enough developers, revoking that cert would affect too many users, so Google would be forced to be careful. It will sort of be like devs unionizing. As far as review goes, not having the money or time to review code sounds exactly like the problem Google is trying to eradicate, because right now when your app causes problems you can just create a different account and start over without risking your reputation.
> I wouldn't even be against requiring a professional certification organization for developers before they're allowed to publish software to the masses
Is Google that organization? Because they themselves have decided that they are. I think what people are worried about is that Google is positioning itself to be the judge, jury, and executioner within such a licensing framework, not necessarily the licensing itself.
> This is just to address malicious code.
Yes, and if Google had shown that it's capable of identifying and rejecting malicious code distributed via its own app store, then maybe their proposed expansion of that security program to the entirety of the Android app ecosystem would carry some weight. But as it stands, their Play Store is full of user-hostile and often malicious apps[1].
> If you publish software for a private group of people, there should be no restrictions. If you're publishing it on a platform that would expose your software to billions of people, get a license after id verification
But that's exactly the opposite of what Google is doing, here, and why people are mad. Google isn't adding a new policy to their app distribution platform (the play store that grants exposure to billions of users), but rather they are forcing ID verification on any form of app distribution: If you want any regular user to be able to install your code, no matter how small the audience, you'll need to first give your identity to Google, and obtain a (paid[1]?) license. So the restrictions do apply to "a private group of people" too.
The crux, and what has people up in arms I think, is the overreach of Google's peoposed licensing policy to cover not only their own app distribution ecosystem, but all others targeting Android.
Many technical users of Android consider it to be a general purpose computing platform, and they want to retain the freedom to install and run whatever software they trust.
Google should focus their supposed concerns about regular user's safety on the user-hostile apps that they allow to exist in their own app store, rather than grasping for broader control that they'll "probably use at some point but only for good things like user security".
I agree, it isn't and shouldn't be, an industry self-regulating org is needed, like the CA/B forum for browsers. Maybe one day we can transition to that.
> Yes, and if Google had shown that it's capable of identifying and rejecting malicious code distributed via its own app store,
You're making the opposite point there, they can't do a good job at scanning their appstore, so requiring devs to id themselves is a better option, so that anyone publishing malicious code might risk real-world criminal penalties. That's a better deterrent than google scanning code.
> If you want any regular user to be able to install your code, no matter how small the audience, you'll need to first give your identity to Google, and obtain a (paid[1]?) license. So the restrictions do apply to "a private group of people" too.
This applies to google certified phones, and such phones at the time of certification are sold to the public, not to a private audience. Private audiences need to buy non-google-certified phones (which exist). The question of google certification is one you need to have with phone vendors not Google. Samsung can opt to avoid google certification just fine. They have every right to demand that a phone with their stamp on it can only run apps by devs they authenticated, this is the price of their seal of approval.
> Many technical users of Android consider it to be a general purpose computing platform, and they want to retain the freedom to install and run whatever software they trust.
Yeah, for example I have an x86 android VM, it won't be affected because it isn't google certified. If you came up with a custom tablet or laptop that runs android, you can load random apps on it just fine.
> Google should focus their supposed concerns about regular user's safety on the user-hostile apps..
They can do multiple things, but this helps with that as well. the dev making user hostile apps now has to use his real name and their reputation will now follow them forever.
Libel for calling it malicious and a tort case for malicious interference in trace/commerce. Although, fighting google's lawyers is another matter. If they blocked it without reason, it would be difficult, but if they said it was malicious and that was a lie, regardless of ToS or contracts you have a libel case as the very least. IANAL.
This isn't so bad. Unlike other mobile OSes (namely iOS and HarmonyOS), you will still be able to install whatever you like on Android over a USB debugging connection (adb) without any developer verification.
It doesn't take much effort to enable Developer Options, plug into a laptop and run "adb install whatever.apk". It's kind of like the floppy disk era again, having to physically insert things into one's computer to install software. Not a big deal.
At least as far as I understand, this would be a huge issue for F-Droid, to the extent that it isn't clear if it can continue at all. Half of my apps come from there, and gets automatically updated. Starting to download APKs manually and install them with ADB isn't impossible, but a huge downside.
This might open up a market opportunity for an "F-Droid box" that one would plug into an Android phone over USB, to install and update F-Droid apps over adb. Or the equivalent software for a laptop.
They've made their intentions clear. As soon as third-parties start to use adb for sideloading there's a very good chance they start to lock that down as well.
Yep, it's as bad as everyone expected it to be. "We aren't taking away sideloading, we're just going to fully control it now! No Google-unapproved code on user devices! For security reasons!"
Chrome isn't enough. We need Android to get clawed away from Google too.
Not really though, as you can still install apps over adb without developer verification, same as always.
Do you see the direction they're heading? They're now making it so maybe .5% of android users know how to sideload. They're clearly chipping away at it, even though they might not be making all the changes at once.
You can sideload apps in ios too, but you may not run it.
On Android you can both install and run apps over adb. The linked article explains:
> Participating in developer verification will not affect your experience in Android Studio, the official IDE for Android app development. You will continue to be able to build and run an app even if your identity is not verified. Android Studio is unaffected because deployments performed with adb, which Android Studio uses behind the scenes to push builds to devices, is unaffected. You can continue to develop, debug, and test your app locally by deploying to both emulators and physical devices, just as you do now.
Not really though. That's not how apps are usually installed on Android outside of Google's control.
> We want to make sure that if you download an app, it’s truly from the developer it claims to be published from, regardless of where you get the app. Verified developers will have the same freedom to distribute their apps directly to users through sideloading or through any app store they prefer.
This makes no sense at all.
Classic strawman argument and corporate tactics of shifting the conversation without addressing real concerns.
Somewhat unrelated: Do you think the UK government and Google have the same PR team?
Thought: Maybe we can organise and collectively hire this PR team to get Google, other big tech, and our governments, to look bad... And get shit done that way... If 2025 is the year of the PR spin, surely the only counter-measure is counter-spin?
Edit: Hold on, I think I just re-invented the concept of a political party.
More confirmation that Google is a company with too much power and should be forced to sell Android and Chrome
No need to listen. We all know how evil the intentions are. This will kill the platform, for better or worse.
We’ve been through this route before, it doesn’t kill the platforms. It just alienates people like us, which is actually a net benefit to Google.
Android was a sink for people who want things like this and an excuse for people to rationalize Apple doing it. If Android is "good enough" then who needs some actual Linux phone? If Android is open and that's what you want then why don't people just buy one of those instead of having the government break up Apple and Google?
People become willing to do things when you throw them out in the cold that they wouldn't do when you were still supplying the bread and circuses, and those people they don't like? It's because they're stubborn and they actually care and they know how to build things, isn't it?
In this case, the benefit of android is that the owner of the device owns it, so can run whatever they want, in stark contrast to apple.
If that goes away, might as well use apple's walled garden. There is no point for android to exist if freedom goes away.
An average person never thinks about that. That’s like not even a thing one ever thinks of while purchasing a phone.
What do the OEMs have to say about this? A lot of them, including Samsung, have their own app stores. Surely they'd not be willing to cede control?
Samsung's store contains virtually no original third-party software, anything that's worth installing and is not from Samsung is available on the Play Store.
OEM will of course retain more rights than device owner as it's always the case on android
Look, Google. You and me both, we don't want EU bureaucracy to get involved again... (It's going to be a different group than the chat control people. If the chat control people win bigly, this would actually support what they want. Is there, like, any connection between that and the timing of these new rules?)
One interesting aspect of this is that when using a personal Android with a work profile, developer options and ADB is (or at least can be) disabled. BYOD will then imply you can't sideload at all.
The only reason I still have a Google account is because I have a android phone.
Seems like that will change soon.
Is an Apple account materially better?
As though to flex a muscle, around the time this program was first announced, apple revoked a third party application from being installed on its devices. I say its and not users, because they've proven it's not your device.
I would say an apple account feels a bit less like having stepped in shit.
But no, I think in the case when android is no option any more, I will seriously reconsider if we peaked on some enshitification with smartphones.
Maybe no smartphone or Linux phones will be more interesting for some time for me then.
The year of the Linux Phone is coming!
There sadly isn't a single viable option for a Linux mobile phone out there.
- Purism runs ancient hardware, charges way too much and has questionable business ethics.
- Pine64 has equally bad hardware but reasonable prices. I don't like the Hong-Kong connection though. Not sure how the security patching environment is in practice.
The only option on the table as I see it is buying from the devil and installing GrapheneOS.
https://postmarketos.org/
There is also jolla / sailfishos built by ex Nokia engineers. The Russians forked it and are useing it in government / industry.
DHH has not completed his desktop Linux quest yet…
I'm not an android developer, so I'm missing some context and key information. But I have a question: When Google is asking developers to "register" their apps as part of this new program, are they just trying to keep a mapping from some code signing key to a government ID? Or are they trying to do a code review process that is similar to submitting to an app store?
I know both are objectionable in their own way, but these two scenarios are quite different and I want to understand this better.
The first one for sure, second one — to an extent. If you publish “objectionable” apps (we are told this will be used to combat malware) — your certificate will be revoked.
Yes, combat malware. They totally aren't doing this to kill off ReVanced.
> If your team’s current test process relies on distributing APKs to testers for installation using methods other than adb, you will need to verify your identity and register the package.
Absolute bullshit Google. You have no right telling me what I can and cannot run on my own devices. Regardless of how I choose to install it.
This mostly confirms that it's exactly as bad as we thought. The only clarification is that building from source and installing via adb will continue to be allowed. For now.
My understanding was that those packages still had to be signed with a key known to Google.
The current blog post does appear to say that you don't need to be verified to install and run apps with adb.
Ah thanks for correcting me. I had only listened to the ADB podcast episode and from that it seemed that signature would always be needed.
So this is saying you have to have an Android developer account and sign the app with your identity… so a one-time $25 cost and that’s it? You can still distribute and sideload apps as long as you sign them.
Microsoft does this for Windows apps if you don’t want scary warnings popping up everywhere. Apple doesn’t even let you sideload at all for iOS and for macOS they do the forced trash malware thing unless you run commands to allow the app in the terminal.
Am I missing how this is different from what we already have on most platforms? Is it because you can’t force it to install the apps? Is there not a developer mode that lets you install unsigned apps, or a way to root the device to install apps?
The fact that other platforms do something similar is not an excuse, and this is more restrictive than both windows and macOS, even if technically less restrictive than iOS.
(The fact that all those platforms still have malware, as well as the officially sanctioned google store, should also inform you about how effective this measure is for its stated goal)
I'm guessing Windows gets a pass because you can still fairly easily bypass the signature check - it's effectively a warning rather than a hard block. It sounds like for (mainstream) Android, the only workaround will be to plug it into a PC and use adb there to install an unsigned app, which is considerably harder. Installing a custom ROM will presumably get around it too, but that's tough, and various government and banking apps etc tend to refuse to run because of attestation.
Apple is of course locked down, but that's not news. The anger is because Android was the better option on this dimension.
> Am I missing how this is different from what we already have on most platforms?
Most? The only platform that is like that is ios.
On linux, in any form, I can run what I want.
On a mac I can run what I want.
On windows I can run what I want.
Obviously on BSDs, Illumos, etc, I can run what I want.
On android up to now, I can run what I want.
The one and sole exception where I don't really own the device and can't run what I want it ios (therefore I don't own anything that uses ios). And now google wants to join that evil club.
It's not about the $25. It's about Google centralizing control. If they don't like your app, oops, no verification for you.
Goodbye NewPipe. Goodbye anything that doesn't align with Google's capitalist interest or American imperial interest.
Googles decisision to add developer verification killed my interest in handset development entirely. But hey, at least I know what to focus my time on rather than third party app development ie. F-Droid. I look at my android phone differently now that its on the table which sucks but hey they made me switch my development time to linux drivers now instead.
After 15 years of professional development on Android I too am now thinking about switching my focus to something different. And it sucks.
Just wished there was a viable* FOSS Linux based mobile OS project out there that I could offer my time and energy to instead.
Aren't Graphene and Lineage exactly that?
I have been running Graphene on a Pixel for a while now and I don't think Linux phones are a viable alternative. The vast majority of Android apps just work on Graphene, and there are millions of them. The UI experience is polished, everything just works with the exception of apps that require Google Play Integrity. And of course these projects aren't affected by Google's restrictions on sideloading.
Look I love that GrapheneOS exists, and I have used it in the past (as have I with Lineage).
But GrapheneOS lives by the mercy of Google. Pixel devices being reference devices makes it so that it's unlikely that Google will close them down completely.
However, as can be seen with this verification move, Google is willing to go very far to accomplish its aims. They already delayed delivery of Android 16 images, causing GrapheneOS some headaches.
Who is to say more isn't to come.
> One of the most important themes we hear from the developer community is the need for more lead time to adapt to changes
No, it's not.
That's the biggest lie haha, if they asked a single real developer, we want less useless paperwork.
Boy do I regret signing up to a yearly plan of Google Workspace, I sure as fuck won't be renewing that next year.
Can an non-profit LLC verify itself and submit apps on behalf or anonymous developers after vetting their code? If so, that would probably a nice middle-ground.
The reaction to this change has truly changed my opinion that developer's opinions on a lot of subjects affecting the public's safety and security shouldn't be valued much (and yes, I realize I am on HN). If this is a bridge too far, then why should anyone listen to devs about "we can't backdoor cryptography" and things like chat control and more? You can't make every hill the hill you die on. I wouldn't even be against requiring a professional certification organization for developers before they're allowed to publish software to the masses. I would very much find it unpleasant, but we live in a society. You need a license to drive, to be a doctor, engineer and just about any profession where people's safety and well being is in jeopardy. Even real estate agents are licensed! and people all up in arms about a simple id verification.
This is just to address malicious code. How does the public know your code isn't full of vulnerabilities, that you're not selling their data to the highest bidder? How do they know that you have a good understanding of secure coding practices and knowledge of privacy laws? Let's talk about that instead, if you publish software for a private group of people, there should be no restrictions. If you're publishing it on a platform that would expose your software to billions of people, get a license after id verification and passing a globally standardized exam (multiple choice and a practical coding exam!).
See, the big disconnect is that most developers see software as something similar to writing a book or selling a home-made item on etsy or ebay. But in reality, it's more like manufacturing a car or a gun, or opening a bank (if your app takes payments), or even opening a restaurant or a food truck. all these things require licensing. The malware and privacy loss people suffer is akin too food poisoning, car accidents,etc.. but since it all happens virtually and there is typically no physical harm, developers are dismissive of it. This isn't the 90's anymore, people's lives and livelihoods are all online, all the security measures you can take, using signal for chat, passkeys and password managers for creds,vpns,etc.. and you're still one legit looking app install away, one convincing phish away from your phone being compromised along with all your accounts, finances , job and your entire life as you recognize it from being harmed or destroyed.
I urge you all to temper passions with reason and practicality.
The umbrella organisation signing apps is not impossible, as far as I know. But it would need to be pretty cautious, because if Google revokes its registration, that could block all the apps it has signed at once.
It's hard to see how you could get the necessary level of careful code review with just volunteer effort. But I suspect that most developers who don't want to register with Google are also unlikely to pay money to a third party to work around this.
With enough developers, revoking that cert would affect too many users, so Google would be forced to be careful. It will sort of be like devs unionizing. As far as review goes, not having the money or time to review code sounds exactly like the problem Google is trying to eradicate, because right now when your app causes problems you can just create a different account and start over without risking your reputation.
> I wouldn't even be against requiring a professional certification organization for developers before they're allowed to publish software to the masses
Is Google that organization? Because they themselves have decided that they are. I think what people are worried about is that Google is positioning itself to be the judge, jury, and executioner within such a licensing framework, not necessarily the licensing itself.
> This is just to address malicious code.
Yes, and if Google had shown that it's capable of identifying and rejecting malicious code distributed via its own app store, then maybe their proposed expansion of that security program to the entirety of the Android app ecosystem would carry some weight. But as it stands, their Play Store is full of user-hostile and often malicious apps[1].
> If you publish software for a private group of people, there should be no restrictions. If you're publishing it on a platform that would expose your software to billions of people, get a license after id verification
But that's exactly the opposite of what Google is doing, here, and why people are mad. Google isn't adding a new policy to their app distribution platform (the play store that grants exposure to billions of users), but rather they are forcing ID verification on any form of app distribution: If you want any regular user to be able to install your code, no matter how small the audience, you'll need to first give your identity to Google, and obtain a (paid[1]?) license. So the restrictions do apply to "a private group of people" too.
The crux, and what has people up in arms I think, is the overreach of Google's peoposed licensing policy to cover not only their own app distribution ecosystem, but all others targeting Android.
Many technical users of Android consider it to be a general purpose computing platform, and they want to retain the freedom to install and run whatever software they trust.
Google should focus their supposed concerns about regular user's safety on the user-hostile apps that they allow to exist in their own app store, rather than grasping for broader control that they'll "probably use at some point but only for good things like user security".
1: https://f-droid.org/en/2025/09/29/google-developer-registrat...
> Is Google that organization?
I agree, it isn't and shouldn't be, an industry self-regulating org is needed, like the CA/B forum for browsers. Maybe one day we can transition to that.
> Yes, and if Google had shown that it's capable of identifying and rejecting malicious code distributed via its own app store,
You're making the opposite point there, they can't do a good job at scanning their appstore, so requiring devs to id themselves is a better option, so that anyone publishing malicious code might risk real-world criminal penalties. That's a better deterrent than google scanning code.
> If you want any regular user to be able to install your code, no matter how small the audience, you'll need to first give your identity to Google, and obtain a (paid[1]?) license. So the restrictions do apply to "a private group of people" too.
This applies to google certified phones, and such phones at the time of certification are sold to the public, not to a private audience. Private audiences need to buy non-google-certified phones (which exist). The question of google certification is one you need to have with phone vendors not Google. Samsung can opt to avoid google certification just fine. They have every right to demand that a phone with their stamp on it can only run apps by devs they authenticated, this is the price of their seal of approval.
> Many technical users of Android consider it to be a general purpose computing platform, and they want to retain the freedom to install and run whatever software they trust.
Yeah, for example I have an x86 android VM, it won't be affected because it isn't google certified. If you came up with a custom tablet or laptop that runs android, you can load random apps on it just fine.
> Google should focus their supposed concerns about regular user's safety on the user-hostile apps..
They can do multiple things, but this helps with that as well. the dev making user hostile apps now has to use his real name and their reputation will now follow them forever.
> This is just to address malicious code
Where "malicious" is defined as anything that Google or the American Empire doesn't agree with.
Malicious is to cause harm and if it refuses your app because of that reason you have legal recourse.
Legal recourse in the American empire that just made Google block an app to warn of its armed goons approaching? Color me skeptical.
Libel for calling it malicious and a tort case for malicious interference in trace/commerce. Although, fighting google's lawyers is another matter. If they blocked it without reason, it would be difficult, but if they said it was malicious and that was a lie, regardless of ToS or contracts you have a libel case as the very least. IANAL.
This isn't so bad. Unlike other mobile OSes (namely iOS and HarmonyOS), you will still be able to install whatever you like on Android over a USB debugging connection (adb) without any developer verification.
It doesn't take much effort to enable Developer Options, plug into a laptop and run "adb install whatever.apk". It's kind of like the floppy disk era again, having to physically insert things into one's computer to install software. Not a big deal.
At least as far as I understand, this would be a huge issue for F-Droid, to the extent that it isn't clear if it can continue at all. Half of my apps come from there, and gets automatically updated. Starting to download APKs manually and install them with ADB isn't impossible, but a huge downside.
This might open up a market opportunity for an "F-Droid box" that one would plug into an Android phone over USB, to install and update F-Droid apps over adb. Or the equivalent software for a laptop.
Taking away adb install should be the next step. It's a slippery slope
Is there any evidence that Google plan to do this?
They've made their intentions clear. As soon as third-parties start to use adb for sideloading there's a very good chance they start to lock that down as well.
The current trajectory provides at least strong evidence.
If adb installing is used to circumvent their signing programm, it has to go as well.
Was there ever evidence that they would take away apk installing?
adb backup is gone