"Sideloading" is the rentseeker word for "being able to run software of your choosing on a computing device you purchased". There is no reasonable case for an operating system developer having a say over what programs you run on your hardware.

#Android #Google

@Gargron also looking at you, car manufacturers
@Gargron That word "your" is carrying more than its rated weight.
@Gargron I can't hear "sideload" without thinking about this classic: https://youtu.be/Sa0EtdtPi8w
@Gargron I think this just became so acceptable and the inertia from the consumers just allowed both Apple and Google to do pretty much what they please..

@Gargron
I agree in spirit, but man... It's only 50% rentseeking... My elderly parents and computer illiterate siblings and coworkers would get in trouble fast if they weren't constrained by 3 software platforms: mint software manager, android play, and MS whatchamacallit. I have pounded it into their heads: never download software candy from strangers. (I live in an anti-apple pocket of the world)

But then, I guess all three of those do let you do your own thing to varying degrees.

@TrimTab @Gargron Yes, people seem unable to keep in mind two things at once:
1. Apple and Google are somewhat protecting users by locking them in to “approved” apps.
2. By financially placing themselves between the users and the apps, their incentives are in the wrong place, which hurts users.
@TrimTab @Gargron Agreed. Before I switched her to a Mac, my mother’s Windows PC was crawling with malware because of all of the shite she downloaded.

@davidbcohen @Gargron
Proof that Microsoft is bad at software. Several generations of computer users have been brain damaged with deplorable op-sec habits.

Srsly what kind of software company would ever think auto running code on USB thumb drives was ever smart? Only the dumbest developers who failed their comp sci classes...

@TrimTab @davidbcohen @Gargron it was a carryover from auto run on CDs, because putting in an installation disc and having a screen show up felt futuristic or something.

It has always been a stupid idea though, I completely agree with you.

@jumianr @TrimTab @davidbcohen @Gargron it was because "open Explorer and open whatever drive letter for CDROM is" was beyond many people
@falken @jumianr @TrimTab @davidbcohen @Gargron well, we better eradicate #TechIlliteracy by spreading #TechLiteracy then, before #TechIlliterate #Cyberfacists get know how to weaponize shit!

@falken @jumianr @TrimTab @davidbcohen @Gargron Also, music CDs and movies on VHS would just work when you put them in the machine, and the whole Multimedia PC Experience promised that same appliance convenience.

But it didn't take long to become an attack vector, and they made the deliberate choice to do nothing about it for decades, so this isn't incompetence, it's malice.

@TrimTab no one is saying you can't use an app store and must sideload. Just that there be a choice. It's reasonable to default sideloading to off, but the setting must be user-controlled.

@Gargron

@TrimTab @Gargron Other people being tech illiterate should not be my problem.

@duckdotexe @Gargron
Do you not care for any others? No friends, family or colleagues? Just remorseless indifference towards everyone who isn't you? I doubt that's who you are...

There comes a point where if someone we care about is in trouble, we help. As computer gurus in today's age that gives us many opportunities to lend a hand.

@TrimTab @Gargron I agree.

I should be able to say what software runs on my hardware.

If I also get to say what software runs on YOUR hardware, that's when there's a problem.

I don't want terrorists, nation-state hackers, the NSA, or script kiddies deciding what software runs on my Dad's phone.

I don't want my sister's psycho ex stalker boyfriend deciding what software runs on her phone either.

Phones are way too big of a target to run without security. Some compromise is needed here.

@Gargron absolutely 💯!!

@Gargron Even the term "Side loading", makes it sound non-standard and risky. Which of course, it doesn't have to be.

#AOSP #OpenSource #GrapheneOS

@adventure_tense @Gargron My best friend migrated his parents to Linux (20 y ago). The separation of admin and user accounts actually worked, software did not assume you were admin all the time, and he could let his parents only install software from trusted repositories. There is absolutely a case to be made for locking down the system. Don't forget, this is a pretty technically minded echo chamber we are in, what works for us is bad for others.
But I agree: It should be possible to do stuff!
@drchaos @adventure_tense @Gargron You can do it like Apple does for MacOS with notarization. Users can bypass it by going through several warning screens.
@tranquil_cassowary @drchaos @adventure_tense @Gargron #Android does the same, demanding PIN & Confirmation to allow any "unverified" [not signed by Google] App to be installed.
@kkarhan @tranquil_cassowary @adventure_tense @Gargron Have you seen the plans? It will be very difficult for F-Droid etc to continue...

@drchaos @tranquil_cassowary @adventure_tense @Gargron I know and it pisses me off as well!

  • Because there is NO LEGITIMATE REASON for #Google to copy #Apple in that regard.

Being greedy assholes wanting to monopolize shit is NOT a legitimate reason.

@drchaos @kkarhan @adventure_tense @Gargron
We don't know that yet. First of all, I don't think it's detailed yet whether Google will block developers from being verified based on terms that have nothing to do with the identification being real/accurate (e.g. no ad-blocking YouTube front-ends because it violates non-security related terms). A large amount of apps will be able to get verified probably because they won't violate any terms Google enforces, whatever those will end up being. Second of all, it won't apply to non-certified OSes. Whether it's viable for most of the apps on F-Droid to continue development if they would only be accessible on non-certified OSes remains to be seen. I don't know if there is any data about what percentage of F-Droid apps and FOSS apps in general gets consumed by people running alternative non-licensed OSes compared to licensed OSes developed by the Android OEMs.
@kkarhan @drchaos @adventure_tense @Gargron
I only know how it works on GrapheneOS, currently.
It doesn't ask credentials for me upon install. It just wants me to allow alternative app stores or the Files app (for downloaded APK files) as an installation source for "unknown apps". It also asks that for the Play Store, given that that is a third-party optional app on GrapheneOS.
The "install unknown apps from source" permission doesn't have anything to do with who signed the app, just seems to have to do with the fact that it's not a bundled/default app installer like GrapheneOS App Store is on GrapheneOS.

@drchaos @adventure_tense @Gargron I'm a believer in "locking" things down so that in order to install apps from unverified sources, you need to use the command line.

So, it indeed is unlocked, and rights are preserved; but, the system is built so that if you're savvy enough to know when it's safe to bypass the system's security checks, you need to be savvy enough to use the command line.

Best of both worlds in my opinion.

@golemwire @adventure_tense @Gargron ... and have the root password... Otherwise you get the new(?) "please use [win]+R and [Ctrl] + V to fix your computer" thing.

@drchaos @adventure_tense @Gargron I think that "PEBKAC" exploit existing is a necessary evil that is possible when the user has rights and thus freedom. Removing their rights is just out of the picture in my opinion.

But truly it would be great if manual-control / command-prompt interfaces gave a warning when opened, saying that it gives them manual control and may be dangerous when in the hands of non-experts (+ a 'Don't show again next time' option).
Invoking sudo on #MacOSX comes to mind.

@adventure_tense @Gargron we /want/ it to sound scary. It’s basically the `--no-preserve-root` of the mobile app ecosystem.
@adventure_tense you have to trust the source of your apps either way and even Google can't catch every bad actor red handed. Security researchers find malware in Google play all the time.

@Gargron

This is about a platform mandating DRM, to control/manipulate revenue streams.

I think Google (and Apple) are fully capable to manage platform security without gatekeeping access to our devices. They could improve OS immutability, or better admin rights without root privileges.

As irritating as they can be, even the banks have developed secure financial platforms that still allow us to purchase WHAT we want, from WHO we want.

#OpenSource #NoDRM #DeGoogle #GrapheneOS #DeApple #AOSP

@Gargron @adventure_tense OFC this is a matter of #control and #monopolization.

The #Enshittification of #Android is not a law of nature, but strategy!

@Gargron Imagine buying something from a local store instead of amazon was called "sideshopping" and there's a massive campaign to delegitimize buying items from stores not approved by amazon. Completely absurd. Why accept that exact ideology when it comes to installing software on your phone?
@Gargron @StaticR perhaps because the little local store also sells nuclear weapons, gives free drug samples to kids, has a ready supply of DIY biological warfare kits, tracks your wife 24/7 without her knowledge, and has borrowed your banking credentials. Apart from that, they do have some other cool things though.
@Gargron the review process at Google can be a PITA, but for a good reason. Permissions to access more than an app really needs can be exploited for harvesting private information on a seamless update that most won't even notice. Side loaded apps downloaded from say APK mirror can have been tampered with using smali edits and you won't know. What Google should do is certified dev signing keys to trace and confirm if an APK is legit or not and coming from the actual dev, regardless of being side loaded.
@denzilferreira @Gargron so why don't we do this on windows or linux then, both oses by default don't even have a permissions system and give applications near full access to the device
@Chickerino @Gargron that's not true, you do need to raise admin rights to install something not digitally signed on Windows, and admin credentials to install on Linux. On Linux you have Flatpaks that do have permissions in place, and the software runs on a sandbox with only access to what you allow. Windows does not do any of that - hence I'm not gonna even recommend it.
@denzilferreira @Gargron that's why i said "near" everything, for example on android you need to give permission for the app to be able to access your files outside of the app container, windows by default lets every app access every file that your user has access to, i think that's a bit stinky
@Chickerino @Gargron yes 😅 btw Google is doing exactly what I said: verification of dev certificate on the .APK allowing you to side load authentic apps. Only unverified .APK are blocked https://arstechnica.com/gadgets/2025/08/google-will-block-sideloading-of-unverified-android-apps-starting-next-year/
@denzilferreira @Gargron that's also stinky but for a different reason, unless the user can specifically override this requirement

@denzilferreira

Denzil, nope. G****e demands you give them your private app signing keys, breaking any trust chain this way.

@Billie we are talking about Google Certified devices here. Google is the root trust CA, and as a developer that wants to publish on the Play Store, you want people not to be able to side load malicious versions of your app. That's what this is about. If you put your own ROM, without GMS, nothing stops you from side loaded apks. It is the same for iPhones. This will affect and prevent the spread of malicious and ransomware that scammers use.

@denzilferreira

Giving away your private signing keys breaks any trust chain. It is just the opposite.

@Billie I guess Google only needs the pub key to verify your identity, true.

@Billie @denzilferreira except #Google has no right to demand that control to begin with!

  • They have forfeited their control the moment a person ticks the "allow unverified app installations" setting in Android.

Remember: "Know Your Developer" IS the illicit activity!

@denzilferreira @Chickerino @Gargron it's still opening a door to censor whomever they decide is not an approved developer for whatever reason. It's still not justifiable to completely lock out users to do what they want with their devices.
@jumianr @Chickerino @Gargron I understand this. But we are a minority who want to tinker. For Google, the priority is to protect the large majority of Android users from installing apps that are not legitimately packaged by developers who did publish their app on the Play Store. Developers will be able to install their own apps on their devices if developer mode is enabled and via ADB. And a user will be able to adb install an app if compiled with debug keys. The thing here are release keys, which need to match the play store version of legit apps. This also attempts to prevent repackaging of apps with malware. This is the same on Apple devices. I think people are overreacting to be honest. EU also dictated alternative play stores are possible and pretty sure Google will not be able to enforce Play Store only verified apps to install.

@denzilferreira @jumianr @Gargron this is not a reasonable excuse to remove the freedom that users have to install whatever they want, i would be ok with this if and only if the user was given a clear warning before installing an application and given a choice to do so anyway

besides, apps on android are sandboxed, the damage they can cause (notwithstanding any security vulnerabilities) is limited to the permissions that the user gives, if there's any place this would make sense, i don't think it's android, especially considering that malicious apps or just data stealing apps are very commonplace on the play store anyway

@Chickerino @jumianr @Gargron and I do believe that will be the case. The only thing they are preventing is installing an app that the package matches what is available on the Play Store and signed with a verified developer account and the app you are trying to install has not been signed with the same certificate. You should be able to install the apks otherwise (no package match, nor verified developer). That does not sound bad to me.

@denzilferreira @jumianr @Gargron @Chickerino PRECISELY THAT!

  • #Google of all companies (worse is only #StasiBook / #NSAbook) has no moral right given their business is based around data harvesting and microtargeting users.

@denzilferreira @Chickerino @Gargron @jumianr precisely!

  • If you can't use a device against the manufacturer's will and/or intentions, then you don't own it!
@denzilferreira @Chickerino @Gargron on both windows and linux no additional permission is needed to install to a user's home directory or simply run without installing. The permission model on both operating systems is more geared towards preventing the system configuration from getting messed up than preventing anything remotely malicious.
@denzilferreira @Chickerino @Gargron @danielleigh granted one could just remove users' ability to create/write files with executable permissions or run chmod +x but outside of some hard-locked kiosk systems no one does that!
@denzilferreira @Chickerino @Gargron i don't have to pay to use admin rights, and neither does the developer, though. neither of us need linus's permission to do it…
@denzilferreira absolutely not true. Nothing short of very advanced security configuration prevents you from running any executable file from anywhere as long as you don't want to write into protected system directories.
And nothing prevents you from not doing that, either, so you can have your walled garden "security" if you so wish ...
@kgMadee2 yep, when there is a will, there is a way ;)