Android developer verification: Balancing openness and choice with safety


The part in the flow where you select between allowing app installs for 7 days or forever is a glimpse into the future. That toggle shows the thought process that's going on at Google.

I can bet that a few versions down the line, the "Not recommended" option of allowing installs indefinitely will become so not recommended that they'll remove it outright. Then shrink the 7 day window to 3 days or less. Or only give users one allowed attempt at installing an app, after which it's another 24 hour waiting period for you. Then ask the user to verify themselves as a developer if they want to install whatever they want. Whatever helps them turn people away from alternatives and shrink the odds of someone dislodging their monopoly, they will do. Anything to drive people to Google Play only.

what's your solution to combat scammers?
All apps should be open source and subject to verification by nonprofit repositories like F-Droid which have scary warnings on software that does undesirable things. For-profit appstores like Google and Apple that allow closed source software are too friendly to scams and malware.
That's absurd.
No more absurd than letting a megacorp control what I install on my own device.
Instead the megacorp forces open source licensing, which doesn't solve any of this shit anyway lol
It's also true, the best way to audit software is source-code and behavior analysis. Google and Apple do surprisingly minimal amounts of auditing of the software they allow on the Play Store and App Store, mostly because they can't, by design. It should shock absolutely nobody then that those distribution methods are much more at risk of malware.
No one is auditing. Behavior analysis works on closed source software too.

Most open source repositories do have eyes on the code. Debian often has separate maintainers who maintain patches specific to Debian.

It's not a coincidence that Linux distros are much less susceptible to malware in their official repositories. It's a result of the system. Trusted software curated and reviewed by maintainers.

The play store will always have significant amounts of malware, so this entire conversation is moot.

A lot of dubious claims here.

1. "Most open source repositories do have eyes on the code"

Seems basically impossible that this is true.

"Debian often has separate maintainers who maintain patches specific to Debian." does not support the previous statement. Debian cherry picks patches, yes.

2. "It's not a coincidence that Linux distros are much less susceptible to malware in their official repositories."

Not only is it not a coincidence, it seems to not even be true.

3. "The play store will always have significant amounts of malware, so this entire conversation is moot."

This seems to just be "a problem cannot be totally solved, therefore making progress on this problem is pointless to attempt". I... just reject this?

Refusing or rejecting the claims doesn't invalidate them.
Why would I need to invalidate claims made with no support that seem obviously incorrect? Certainly I won't accept them.
I don't think that's a realistic suggestion, as the quantity of applications is huge; who is going to spend time reviewing them one by one? And even then it's not realistic to expect that undesirable things can be detected, as these things can be hidden externally, for instance, or obfuscated.
F-Droid exists and they have a much better track record than Google. I'm not actually serious, I just think if there's a single app repo that should be allowed to install apps without a scary 24h verification cooldown, it's Google's proprietary closed-source app store that needs the scary process, not F-Droid.
Users don't have to wait 24 hours because Google Play store already has registered developers. Scammers can be held liable when Google knows who the developer of the malicious app is.
Really though? Who is in jail right now for Play Store malware offenses? Or are we just talking about some random person in China or Russia who signed up with a prepaid card and fake information and had their Google account shut off eventually?
I'll give you that, enforcement of the rules can sometimes fail. But scamming & malware is a global industry, definitely not limited to state-funded actors in those two countries (which is what I think you're referring to).

I think compared to the alternatives, this is the best answer.

Even if you are a bank or whatever, you shouldn't store global secrets in the app itself, obfuscated or not. And once you have good engineering practices to not store global secrets (user-specific secrets are ok), then there is no reason why the source code couldn't be public.

'Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.' - Benjamin Franklin
'essential' means can't be bothered to wait 24 hours (once)?
Boiling the frog.
I have to completely concur that it's probably one step toward an increasingly restrictive final state. Add a few "Are you sure?? You'll brick your phone!!!" warnings, then ID and age-verification mandatory (think of the children!!)
Maybe it's not a good idea for our entire civilization to use only two mobile operating systems controlled by companies that only want to make money.
Exactly, it's essentially (very much essential) infrastructure.

Labeling the phones essential infrastructure can pretty easily backfire if your goal is to be able to modify the phone as you like.

For an example think about how mods are treated on cars. There can be very good reasons for those restrictions, but if your goal is to be able to modify phones in the way you want, that might not be the best way to go about it.

In short, be careful what you wish for because sometimes you get it. :)

Boiling the scammers and criminals is good.
but you're also boiling yourself in the process
You are missing the part that the new 24 hour process was a response to backlash. It was not even in their plan.
Sounds like backlash needs to continue until it's clear that that isn't acceptable either.
To do what I want with my own property seems pretty essential to me.
So install a different ROM
And when you do that, you lose access to your bank, because bank apps routinely refuse to run on devices that leave the user in control (e.g. unlocked bootloader, rooted phone). Graphene and similar would be a much more acceptable solution if remote attestation of a locked bootloader were banned.
I really don't see the issue with waiting 24 hours. These protections in general seem very likely to help unsophisticated users. It really seems like a nothingburger to me personally. I was going to make an analogy to the ethics of getting vaccinated (and getting mildly ill for a day) to protect the immunocompromised members of the community, but even that is laughable because it underscores what a nothingburger this is (far more of the community is technologically unsophisticated than is immunocompromised, and what sophisticated users are being asked to do is closer to wearing a mask once for 24 hours).

You can always find justifications to erode all civil liberties. I think it's a major gap in the way history is being taught that people think that the reasons to remove liberties sound like overt evil mustache-twirling slogans. In reality they always talk about a danger that the benevolent overlord will keep you safe from.

All these changes are attacks on general purpose computing and computing sovereignty and personal control over one's data, and one's digital agency.

It makes no sense to me that people who feel this way insist on running a vendor's Android or iOS.

More and more apps won't run, again allegedly to keep you safe. You can't run your bank apps on your rooted and custom software. TPMs of desktop, everything needing approval. Yeah you may say tough luck, just use the web. But more and more banks sunset their web UI. It's apps only. And then you'll say "tough luck, start your own bank and offer this feature if you think there is customer demand". Or tough luck, win an election and then you can change the laws etc.

Yeah I'm aware that we can only watch from the sidelines. At least we can write these comments.

The new world will be constant AI surveillance of all your biosignals, age and ID verification, only approved and audited computation, all data and messaging in ID attached non e2e encrypted cloud storage and so on. And people will say it keeps you safe and you have nothing to fear if you are a law abiding person.

That world arrived at least ten years ago and if you don't like it, running Google's OS isn't even remotely admissible as an answer.
This would be less of an issue if there were an explicit regulatory mandate saying "businesses larger than X may not limit any consumer capabilities for interacting with their business in such a way that it can only be accessed by proprietary applications running on locked-down systems that a user cannot modify, control, or install their own software on. Offering to have a person handle that functionality on their behalf does not constitute an alternative to functionality made available via such an application". (With appropriate clear definitions for "locked-down", and other appropriate elaborations.)
I don't know, that sounds pretty dumb on the whole. The key challenge is determining who is at fault in the event of a breach. I don't think it's reasonable to hold companies responsible for privacy while also requiring them to allow privacy to be invaded.

The current situation is that banks regularly require the use of an unmodified, unrooted Android or iOS device, which reinforces the duopoly and makes it impossible for anyone to compete. (Even emulating Android doesn't help, as emulated Android won't pass the checks banks do to make sure you don't have control of your device.)

That situation is not acceptable. Got something better than insults like "pretty dumb" to say about how to resolve this abuse of the two-player oligopoly in the mobile phone market?

I actually did explain specifically why it was pretty dumb and you ignored that point completely.
You are uncritically repeating the party line from banks who claim it is necessary for security, without giving any rationale or supporting evidence, and coupling it with an insult.
The "party line" is not that holding companies accountable for security and also requiring them to be insecure is inconsistent.

The incorrect party line is that allowing rooting and running your own OS and apps is insecure.

Meanwhile, those same banks have websites.

Have you tried using your web browser to buy gas or ride the bus?
Stockholm syndrome is so pitiful when detected.

"Stockholm syndrome" is a completely useless term invented by a guy who never spoke with the actual hostages. What the hostages did was a logical conclusion for their safety, where the police were endangering their lives more than their captors.

"Nils Bejerot, a Swedish criminologist and psychiatrist, invented the term after the Stockholm police asked him for assistance with analyzing the victims' reactions to the robbery and their status as hostages. Bejerot never met, spoke to, or corresponded with the hostages, during or after the incident, yet diagnosed them with a condition he invented."

"According to accounts by Kristin Enmark, one of the hostages, the authorities were careless, and their initial approach to the robbers nearly compromised the hostages' safety.[6] Enmark criticized Sweden's prime minister, Olof Palme, for endangering their lives. Palme believed that if Olsson saw one of his close relatives, he might be willing to surrender the hostages; however, the police made a careless mistake. They misidentified Olsson, and sent a 16-year-old boy who was unrelated into the bank. This caused confusion and resulted in Olsson firing rounds at the boy, who barely escaped. Olsson became much more agitated in general. After that, Enmark and the other three hostages were fearful that they were just as likely to be killed by police incompetence as by the robbers.[7][8][9] Ultimately, Enmark explained she was more afraid of the police, whose attitude seemed to be a much larger, direct threat to her life than the robbers.[10]"

> "'essential' means can't be bothered to wait 24 hours (once)?"

Essential means to get fucking lost and let me do with the hardware I paid for whatever I want.

Install a different ROM then, one that doesn't make you wait 24 hours one time.
I'd rather sacrifice a virgin.

Would you support Microsoft doing the same thing to Windows?

These are general purpose computing devices. It's sure taking a long time, but Cory Doctorow's talk on the war on general purpose computing is sure starting to become a depressing reality: https://www.youtube.com/watch?v=HUEvRyemKSg


Microsoft is doing the same thing; they call it S mode. A surprisingly large number of computers are sold with Windows S. Thankfully S mode can usually be disabled even if your computer shipped with it enabled.

Windows S mode is a streamlined version of Windows designed for enhanced security and performance, allowing only apps from the Microsoft Store and requiring Microsoft Edge for safe browsing.

Which is frankly hilarious because the Microsoft Store is the worst offender when it comes to hosting straight-up scams.

I'm not the only one who has noticed: https://www.reddit.com/r/windows/s/6y39VNaLUh

The same is true on Android.
Did you visit that link? The top-downloaded apps on the Microsoft Store are 50% scams, compared to 0% on the Play Store and App Store.

Do you think regular desktop computers should be locked down like this too? Scammers can also tell people to run Windows programs. Should that be banned too?

I'm fine with an opt-in lock-down feature so people can do it for their parents/grandparents/children.

Also, just let people get used to it. People will get burned, then tell their friends and they will then know not to simply follow what a stranger guides them to do over the phone. Maybe they will actually have second thoughts about what personal data they enter on their phone and when and where and who it may be sent to.

Same as with emails telling you to buy gift cards at the gas station. Should the clerk tell people to come back tomorrow if they want to buy a gift card, just in case they are being "guided" by a Nigerian prince scammer?

Maybe? Let people form CAs, and if a CA gives out certs for malicious apps remove them. (Old apps continue to work, to publish new one get new cert.)

Yes, sad, but works.

People will learn about scams, but scammers are unfortunately a few steps ahead. (Lots of scammers, good techniques spread faster among them than among the general public.)

If "they" is Google, this is just a really pointless middleman proposal. Android does all the cert stuff.

Also Chrome trusts like 300 CAs. Does that work? Probably not if you live in 200 of those countries.

Keep in mind that Android has like a billion users who have never touched a Windows computer. (And unmanaged Windows was/is also a disaster zone.) Coming at this from an internet forum perspective is missing the scope of the problem.

> I'm fine with an opt-in lock-down feature

Me too, but it's really just some UI semantics whether this is 'opt-in' or 'opt-out'. Essentially it would be an option to set up the phone in "developer mode".

There is a big difference between opt-in and opt-out that isn't semantics. You can't slowly discourage, deprecate and delete the default the way you can an opt-in, because too many people keep using it.

Yeah, I predict that "developer mode" will eventually be a setup option in the trust store, so you'd have to reset the phone to get to it.

With billions of Android users, there are only millions of people who need or really want this. So like 1%. My point is stop thinking about your mom's Windows box and consider the scale.