Fabio ManganielloJan 22, 2023

Outside of Europe, #Google's monopoly gets slammed by India too. The ruling says that:

- Google must allow alternative app stores (like F-Droid or ApkPure) on the Play Store. This is really the step zero for fair competition: give everybody the same visibility, and let users pick what they like.

- Google should not force Android providers to install its own apps in order to be a certified Android provider. Step one for fair competition: competition only works if none of the involved party starts from a position of advantage.

- Google should make the Play Store available also on Android forks. Step two for fair competition: if the competitors' stores are available on your store, then your store should also be available on the competitors' forks, and users eventually will pick what they like the most. All the distribution asymmetries should be removed.

This is a good and balanced ruling that aims to create a level playing field by removing all the bumps that, as of now, strongly consolidate Google's position of dominance.

And it's going to hit Google quite badly too: India is the largest global market for Android (arguably on par with China), and Google may be on its way to lose its unfair advantage there.

https://9to5google.com/2023/01/20/google-play-stroe-third-party-india/

Google Play Store will be forced to house other app stores by next week as India upholds ruling

A ruling in India will force the Google Play Store to distribute third-party app stores as soon as January 2023.

9to5Google
Show threadKat Ravenwolf
@blacklight How does this work though from a security prospective? That could cause Android malware to run rampant. (I want to believe that Google had that in mind when they disallowed third-party stores for a while.)
Jan 23, 2023 at 3:38amWeb
Show threadFabio ManganielloJan 23, 2023

@cambridgeport90 stores like F-Droid are actually much, much safer than the Play Store. Before something gets approved there's a real human behind the scenes testing the app, you're also forced to disclose the source code, and they run static analysis tools on it.

Uploading malware to the Play Store, on the other hand, is actually quite easy: you just have to activate the malware logic only when the app receives a certain payload from upstream (and there are also ways to obfuscate this logic so a code analyzer that uses a Java decompiler won't flag it). No payload=no malware=it'll pass the automated tests put in place by Google. And, since you aren't required to upload the source code, there's no easy way to statically monitor when the app initializes new connections. This is actually the way many malicious actors still upload malware to the Play Store today: https://www.zdnet.com/article/google-play-malware-if-youve-downloaded-these-malicious-apps-delete-them-immediately/

So when Google says "but user security...", they're just trying to throw excuses to defend their dominant position. The safest way to distribute any software is by forcing developers and distributors to share the source code and make it accessible to the user - and there are already stores that do that.

Google Play malware: If you've downloaded these malicious apps, delete them immediately

Cybersecurity researchers identify 35 apps, many downloaded over 100,000 times, that have been serving up malware to millions of Android users.

ZDNET
Show threadKat RavenwolfJan 24, 2023
@blacklight Interesting. I never knew how it really worked. I wonder then whether Apple is the same way? (It seems easier to get something into the play store or something like F-Droid than it does to get into the Apple App store.)