Android developer verification: Balancing openness and choice with safety

Android Developers Blog

The part in the flow where you select between allowing app installs for 7 days or forever is a glimpse into the future. That toggle shows the thought process that's going on at Google.

I can bet that a few versions down the line, the "Not recommended" option of allowing installs indefinitely will become so not recommended that they'll remove it outright. Then shrink the 7 day window to 3 days or less. Or only give users one allowed attempt at installing an app, after which it's another 24 hour waiting period for you. Then ask the user to verify themselves as a developer if they want to install whatever they want. Whatever helps them turn people away from alternatives and shrink the odds of someone dislodging their monopoly, they will do. Anything to drive people to Google Play only.

Pay verification fee to continue
>"PLEASE DRINK VERIFICATION CAN TO CONTINUE"

Context: https://files.catbox.moe/eqg0b2.png

I think they later made a Black Mirror episode along these lines. "Resume viewing... Resume viewing..."

That meme was 13 years ago.

Fifteen Million Merits. The one where advertisers literally torture a man with loud high-pitched noises because he refused to view ads and didn't have enough money to skip them.

Every one of BM's episodes is extremely good. Fifty Million Merits has so many parts that show precisely how evil technology can be.

Common People is utterly terrifying. Woman falls into a coma, so startup uploads her mind to the cloud so it can stream her mind back to her. Then they start to enshittify the poor woman's life. Can't even sleep because they're using her brain as a CPU. She gets mercy killed while blurting out ads for antidepressants to the person doing it.

Metalhead is also among my favorites. Those kill bots put Skynet to shame.

I think the last 2(?) seasons lost the essence of what made Black Mirror great but the older ones are excellent. Older episodes often felt directly applicable to the evils of technology we use today but these newer ones seem to be more generic Sci-Fi, season 6 didn't feel like Black Mirror at all to me.

I haven't actually watched the last two seasons yet but the first ones are amongst the best stuff I've ever watched on a screen. So thank you for the heads up.

So Apple then? They require you to pay the $99 yearly fee to sideload for more than 7 days

Which increases the limit to whatever time is left on your current payment period. After which the app will stop working and need to be reinstalled by an authenticated developer who has a current Apple Developer Subscription.

EDIT: Edited the above which previously said 90 days incorrectly. Not sure where my brain pulled that from but I posted the correct details here prior: https://news.ycombinator.com/item?id=45743615

Notably if you install a month before your subscription expires you need to reinstall the app in 1 month.

> Which increases the limit to 90 days

It increases to 365 days, no? At least that's the longest I can sign my app and I use a personal but paid Apple Developer Account

Oops yes you're correct. Edited post and put a note about the correction and a link to my previous post describing the correct details.

But it's only 365 days if you install the app on day 1 of your $99 subscription period.

Apple was clear that they were offering the safety of a walled garden from the start.

Apple didn't lie about supporting a user's freedom to run anything they like, only to execute a rug pull after they successfully drove the other open options out of the marketplace.

If Google actually takes away the ability to run unsigned code, my next phone will be an iPhone. And I rarely even run unsigned code.

Honestly, it might finally result in me fully exiting the Google ecosystem.

Buy a cheap unlocked smartphone and run GrapheneOS[0]. I want my smartphone to be like my Linux computers where I run them for as long as the hardware works and is still relevant. My iPhone 12 is getting close to its end of life support, yet it is still working well. We should expect better from trillion dollar companies. So I'm not supporting them with dollars wherever I can afford not to. That and I think it's more enjoyable to run something off the beaten path. I like to explore the space a little.

I swapped out my MBP for an Asus Pro Art running Linux last year and that's been working out pretty well. Hopefully my cheap Motorola phone will be supported by GrapheneOS soon and that will work out too.

https://news.ycombinator.com/item?id=47241551

> Buy a cheap unlocked smartphone and run GrapheneOS

Note that this needs to be a Pixel at the moment.

It doesn't have to be Graphene; LineageOS works on a lot more devices

GrapheneOS will support future Motorola phones that meet a subset of their requirements, rather than existing phones. Less likely to be budget lines for now.

The cheap Motorola phones won't support GrapheneOS because they are missing some of the security features that GrapheneOS requires. The Motorola partnership is for some new phones: hopefully at a lower price bracket, but likely to be flagships or 2nd tier.

> If Google actually takes away the ability to run unsigned code, my next phone will be an iPhone. And I rarely even run unsigned code.

Same here. If I must be in a walled garden, then I will choose the better kept garden and it sure as hell isn't one of Google's crappy platforms.

The only reason to put up with the shittiness of Android is freedom. The same freedom they keep eroding with their constant, never ending attempts to force remote attestation and sideloading limits.

GrapheneOS is the last hope for Android as far as I'm concerned. Hopefully Google won't find ways to screw that up.

> it might finally result in me fully exiting the Google ecosystem

Don't wait for them to push you away. Start exiting now. Setting up mail on my own domain and distancing myself from gmail is one of the best things I've ever done. Highly recommended.

I've noticed with GrapheneOS that more recent builds are exhibiting weird issues. This isn't their fault, it's upstream AOSP issues. For example, just in the last few weeks:

* The date has now gone missing from my lockscreen, only showing the time.

* I can no longer see signal strength on my phone for mobile, if wifi is off. I turn wifi on, and now I can. I use a larger font, but it used to be just fine.

There are all sorts of little changes like this I've noticed recently.

It makes me wonder if Google is slowly mangling default AOSP so projects like GrapheneOS will have a crappier daily build experience.

And GrapheneOS doesn't have time to manage feature changes like this, they focus on their key security improvements and fixes. If Google is doing this on purpose, it has real potential to seriously degrade AOSP as usable without lots of fixes and changes.

They already rug-pulled security updates or whatever it was a few months back.

And it really seems like the sort of sneaky, underhanded way Google would handle things.

Odd, I don't have those issues (date is on the lock screen, network signal strength when wifi is off is there). Played around with font settings but that changed nothing. Up to date stable version of Graphene on an 8a. Are these beta versions? Or maybe it's phone dependent.

Do you have 'Receive security preview updates' on?

Google stopped publishing any info about security updates until (I think) quarterlies come out. GrapheneOS had to sign some sort of non-disclosure for them, in order to roll them into updates.

If you don't have that on, then you're not fully up to date with security updates. This could be the difference.

> GrapheneOS had to sign some sort of non-disclosure for them, in order to roll them into updates.

So doesn't this mean GrapheneOS is effectively controlled by Google now?

Also, how is keeping anything secret under NDA possible at all if you want to know what's in a security update and be actually able to build that update yourself from source?

Controlled? No. It's about security updates being patched before disclosure.

That said, it is indeed annoying, and there was a lot of uproar when it happened.

For the nuance of it, I'd suggest GrapheneOS docs, you'll get more accurate info.

https://discuss.grapheneos.org/d/27068-grapheneos-security-p...

One walled garden to a bigger walled garden.

Just to switch to an even more aggressively monitored and tightly controlled walled garden?

People sometimes act as if the one would be a viable alternative to the other. Even both are effectively the exact same shit for the exact same reasons.

How about we move instead to open systems?

Why not a GrapheneOS phone?

> Apple didn't lie about supporting a user's freedom to run anything they like, only to execute a rug pull after they successfully drove the other open options out of the marketplace.

They did execute a rugpull, and they aren't offering safety anymore.

The rug pull is ads in the app store. If I go to the app store now and search for my bank's name, the first result is a different bank. If I search for 'anki', the first 3 results are spam ad-ware tracking-cookie trash.

If I search "password store" I get 4 results before the "password store" app.
I had a family member try to install one of the google-docs suite of apps, and the first result was some spamware that opened a full-screen ad, which on click resulted in a phishing site.

My family can't safely use the app store anymore because they click the first result, and the first result for most searches is now adware infested crap because of Apple's "sponsored results".

What's the point of charging huge overhead on the hardware, and then an astounding 30% tax, and also a $100/year developer fee, if you then double-dip and screw over the users who want your app by selling users' clicks to the highest bidder?

Don't forget that Apple is spying on their users even more than Google does (which is gross in its own). Apple controls much more user data than Google does.

At the same time Apple keeps telling their users some fairy-tales about "privacy".

No, Apple isn't honest. Definitely not.

Sources needed.

The question is how much of that data do they sell to data brokers.

Google also "Doesn't sell your data to data brokers"

Because they sell "insights" or "access" or "marketing" or whatever.

> Apple was clear that they were offering the safety of a walled garden from the start.

This is a red herring. Is Google a hypocrite for lying about it first? Sure. But suppose Android dies and gets replaced by something that never claimed to be open. Or gets replaced by nothing so there is only iOS. Is that fine then?

Of course not, because the problem is the lack of alternatives, and having your choice glued to an entire ecosystem full of other choices so that everything is all or nothing and the choices you would make the other way are coerced by them all being tied together into something with a network effect.

No. Apple's phones started out with only web apps. They only added the walled garden later.

hahahahaha 'walled garden'

repeating marketing speak.

Apple got you.

Walled Prison. Look at all those people suffering with iMessage trying to use openclaw.

It's a garden right up until the point you try to leave. Then it's a jail you're trying to break out of.

Most stories with this plot, the prisoner gets free and gets to see the garden for what it really is. Famous example: The Matrix

You can refresh them. SideStore[1] does that automatically out of the box (no computer needed) but there are Shortcuts to do that too.

[1] https://docs.sidestore.io/docs/faq#what-is-sidestore

What's your solution to combat scammers?

All apps should be open source and subject to verification by nonprofit repositories like F-Droid which have scary warnings on software that does undesirable things. For-profit appstores like Google and Apple that allow closed source software are too friendly to scams and malware.

That's absurd.

No more absurd than letting a megacorp control what I install on my own device.

Instead the megacorp forces open source licensing, which doesn't solve any of this shit anyway lol

It's also true, the best way to audit software is source-code and behavior analysis. Google and Apple do surprisingly minimal amounts of auditing of the software they allow on the Play Store and App Store, mostly because they can't, by design. It should shock absolutely nobody then that those distribution methods are much more at risk of malware.

No one is auditing. Behavior analysis works on closed source software too.

Most open source repositories do have eyes on the code. Debian often has separate maintainers who maintain patches specific to Debian.

It's not a coincidence that Linux distros are much less susceptible to malware in their official repositories. It's a result of the system. Trusted software curated and reviewed by maintainers.

The play store will always have significant amounts of malware, so this entire conversation is moot.

A lot of dubious claims here.

1. "Most open source repositories do have eyes on the code"

Seems basically impossible that this is true.

"Debian often has separate maintainers who maintain patches specific to Debian." does not support the previous statement. Debian cherry picks patches, yes.

2. "It's not a coincidence that Linux distros are much less susceptible to malware in their official repositories."

Not only is it not a coincidence, it seems to not even be true.

3. "The play store will always have significant amounts of malware, so this entire conversation is moot."

This seems to just be "a problem can not be totally solved, therefore making progress on this problem is pointless to attempt". I... just reject this?

Refusing or rejecting the claims doesn't invalidate them.

Why would I need to invalidate claims made with no support that seem obviously incorrect? Certainly I won't accept them.

I don't think that's a realistic suggestion, as the quantity of applications is huge; who is going to spend time reviewing them one by one? And even then it's not realistic to expect that undesirable things can be detected, as these things can be hidden externally, for instance, or obfuscated.

F-Droid exists and they have a much better track record than Google. I'm not actually serious, I just think if there's a single app repo that should be allowed to install apps without a scary 24h verification cooldown, it's Google's proprietary closed-source app store that needs the scary process, not F-Droid.

Users don't have to wait 24 hours because Google Play store already has registered developers. Scammers can be held liable when Google knows who the developer of the malicious app is.

Really though? Who is in jail right now for Play Store malware offenses? Or are we just talking about some random person in China or Russia who signed up with a prepaid card and fake information and had their Google account shut off eventually?

I'll give you that, enforcement of the rules can sometimes fail. But scamming & malware is a global industry, definitely not limited to state-funded actors in those two countries (which is what I think you're referring to).

I think compared to the alternatives, this is the best answer.

Even if you are a bank or whatever, you shouldn't store global secrets on the app itself, obfuscated or not. And once you have good engineering practices to not store global secrets (user specific secrets is ok), then there is no reason why the source code couldn't be public.

'Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.' - Benjamin Franklin

'essential' means can't be bothered to wait 24 hours (once)?

Boiling the frog.

I have to completely concur that it's probably one step toward an increasingly restrictive final state. Add a few "Are you sure?? You'll brick your phone!!!" warnings, then ID and age-verification mandatory (think of the children!!)