Does anyone here actually support Google’s Developer Verification?

I don’t. I’ve put a warning about it in my repo because I’m against policies like sideloading restrictions, forced ID verification.

Curious what other devs here think. Is Play Store still worth the hassle?

  • vapeloki@lemmy.world
    link
    fedilink
    arrow-up
    6
    ·
    edit-2
    4 hours ago

    Yes I am.

    I spend a long time of my career in IT Sec.

    80% of android users will freely install whatever APK from wherever.

    Info stealer infected fake apps are a massive risk to a huge part of the user base.

    Yes, it will get a little bit more complicated to sideload. But nobody is prevented from it.

    And everybody that is against user protection (and yes, this is fucking user protection, just not for you) is invited next Christmas to de-worm the android devices of my family without wiping them.

    EDIT for all those that only read the memes. Sideloading will NOT be disabled. You have to jump though extra hoops.

    Yes, the way they do this is not even testable yet and we can argue over details.

    I support the principal idea, as someone who had to live with the fallout of people who installed “it support apps” because someone told them to

    • hneerqe@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      39 minutes ago

      80% of android users will freely install whatever APK from wherever.

      I should care because? Do they care about me not wanting google shoved in every aspect of my life?

          • vapeloki@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            16 minutes ago

            How about an apple phone?

            Or how about that: projects like Linux and Ubuntu phones died because there was no interest in it, because there was Google. And now, everybody wants an alternative.

            They are out there, you can use opensource Android forks, you don’t have to use Google

    • curbstickle@anarchist.nexus
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 hours ago

      So with your career in ITSec, you’re aware of the massive amount of malware found in the play store? That it has historically been the main distribution vector for malware?

      You have to jump though extra hoops.

      You are downplaying the hoops here by a lot. To install software on my own phone.

      Stop calling installing software “side loading”. Its nonsense.

      • vapeloki@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        20 minutes ago

        I k ow that the Playstore is also full of crap, I don’t deny this.

        But, just because our back window does not close correctly, do you leave the front entrance open?

        Not the best analogy maybe, but a visual one

        • curbstickle@anarchist.nexus
          link
          fedilink
          English
          arrow-up
          1
          ·
          11 minutes ago

          Except you have it backwards. The play store is the primary vector. The play store is also pre-installed on Android devices, and even without the whole verification nonsense, you still need to allow a different app repository to install.

          Not cleaning their own play store up first means it has nothing to do with what they are claiming. And lets be candid - they have absolutely not.

          The analogy is bad specifically because its not reflecting the issues anywhere near accurately. This is closing a window on the second floor while the front door is wide open with a sign that says “Come on in!”.

          • vapeloki@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            6 minutes ago

            That assumes that Google does not do anything about the appstore and that is objectively not true.

            Is it enough? No ideas, but still, it does not change the need for better endpoint security.

            • curbstickle@anarchist.nexus
              link
              fedilink
              English
              arrow-up
              1
              ·
              3 minutes ago

              I firmly disagree. The issue has nothing to do with the endpoint. They have done very little with the play store relative to this massively impactful change to installation practices in creating a walled garden - precisely the reason many, myself included, chose not to go with iOS in the first place.

              So the very idea that this is an endpoint security issue rather than an app store issue is, to me, laughable at best.

    • TrickDacy@lemmy.world
      link
      fedilink
      arrow-up
      6
      ·
      3 hours ago

      80% of android users will freely install whatever APK from wherever.

      A ridiculous and absurd lie. 90% have zero clue what one is, let alone go into the developer settings (there are one, maybe two settings you have to enable) to change the settings to even make that possible. Why are you lying about this? It’s weird.

      • vapeloki@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        3 hours ago

        I am lying? OK, so is:

        I have over 2 decades of background in hardcore IT-Sec, i know my stuff. And you? What is your qualification, where are your sources?

        • TrickDacy@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          edit-2
          1 hour ago

          I have over 2 decades of background in hardcore IT-Sec, i know my stuff. And you? What is your qualification, where are your sources?

          I wonder if a statement like this ever once convinced anyone of anything. My guess would be it nearly always has the opposite effect. You basically told me that whatever I know doesn’t matter because “trust me bro”. For all I know, you’re the worst source ever for literally every topic. Your articles didn’t back you up. Why do people bother with shit like this? “I’m an expert so what I say goes” is idiotic and in no way addresses the common sense point I was making: the average person definitely doesn’t know or install apks because of fucking course they don’t. If you said 80% would if scammed, that’s at least plausible but I’m not even sure I could believe that. The well is poisoned now in any case so you’re not convincing anyone here after this… Whatever masturbatory shit this was. Or just shilling for a corporation? Who the fuck knows

            • TrickDacy@lemmy.world
              link
              fedilink
              arrow-up
              1
              ·
              17 minutes ago

              You do, actually.

              I have over 2 decades of background in hardcore IT-Sec, i know my stuff. And you? What is your qualification, where are your sources?

              This translates to anyone who isn’t you to:

              I know a lot, you know very little. Trust me, not you.

              And again if you’re going to make this 80% claim and then say you sourced it, don’t link shit that’s sort of related but in no way backing up that claim. No one here is saying malware isn’t a problem. You’re getting downvoted for making specific claims which are absurd.

              • vapeloki@lemmy.world
                link
                fedilink
                arrow-up
                1
                ·
                7 minutes ago

                That is a general issue of online debates.

                I can not squash 20 years of daily learning into a comment.

                I can point you to sources where you can verify it our self. Social engineering studies, blog post about campaigns from other researchers.

                Placing m credentials there is my kind of saying “I have insight, ask”, but how do you think should something like this communicated.

                We have a highly sensitive topic, with a lot of obsolete or just misinformation.

                It is a highly complex topic that can not be simply understood by most persons, but social media opens a place for debate anyways.

                There are many other examples for this happening and it is bad. Very bad.

                Another example Google wants to get rid of third party cookies. Instead they want to to adspace action on your local system. In our browser, protected. But bad, because Google. Firefox could implement the same API on better, but no, bad because Google.

                Google is not the good guy. But just throwing out every fucking Idea because Google Had it (or was forced into it, allowing sideloading again was because of pressure) is just not what we need

          • zod000@lemmy.dbzer0.com
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            1 hour ago

            He just using the old “Argument from Authority” logical fallacy. I’ve worked with tons of people, even those that did in fact “know their stuff”, that thought it was perfectly valid to dismiss others because of their experience being more extensive than others. Ironically, after I’d prove these people wrong in serious matters (usually several times), I somehow got added to the nebulous authority whitelist in their head. I don’t want to just be believed became I’m dammit, believe me when I’m correct and provide evidence!

        • TrickDacy@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          3 hours ago

          Given that your first article says nothing about 80% I’m not continuing to click your links.

          I was being generous when I said 90%.

          Source: I have ever spoken to another human.

          • vapeloki@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            2 hours ago

            Because people do not know what apps are and that they can be installed via sideloading, faked appstores and more, they are vulnerable.

            If I ask a “normal” person if the ever drunk di-hydrogen-monoxid they would say no, because they have no idea this is water

            • TrickDacy@lemmy.world
              link
              fedilink
              arrow-up
              2
              ·
              2 hours ago

              Okay either you’re trolling or clueless. Because you just made my argument for me. How exactly are people who don’t know what an app is going to enable side loading and then do it? That makes no sense whatsoever.

                  • vapeloki@lemmy.world
                    link
                    fedilink
                    arrow-up
                    1
                    ·
                    2 hours ago

                    I am 100% serious. Maybe you should look up what social engineering is and how it works.

                    People install TeamViewer and other stuff on their desktop, the execute commands in their terminal without nowing what it is.

                    ou have clearly 0 qualifications to talk about it security

    • Avid Amoeba@lemmy.ca
      link
      fedilink
      arrow-up
      3
      ·
      2 hours ago

      for all those that only read the memes.

      For someone who possibly considers themselves better informed than others, you’re seem to be missing the fact that Google’s plan had no option for sideloading unverified apps until a sizeable outcry from us (a lot of professional developers and users). Unverified app installation was only allowed (via new hoops) after this action. For now. The fact that Google’s plan did not have an option for installing unverified apps shows us what they really want. Therefore it won’t be surprising if they make it increasingly difficult or impossible in the future.

      • loutr@sh.itjust.works
        link
        fedilink
        arrow-up
        1
        ·
        2 hours ago

        I’m pretty sure they originally planned to allow sideloading through ADB, but I might be mistaken.

        • Avid Amoeba@lemmy.ca
          link
          fedilink
          arrow-up
          2
          ·
          edit-2
          2 hours ago

          I think I recall the same. Otherwise development would be a nightmare. But then again, that isn’t remotely equivalent to sideloading (as colloquially understood) and would still kill F-Droid. Not saying you’re saying it’s equivalent.

    • skyline2@lemmy.dbzer0.com
      link
      fedilink
      arrow-up
      3
      ·
      3 hours ago

      Alternate stores like Accrescent and FDroid are blocked by this policy, and Google refuses to implement any mechanism for authorising at the store level either. Store level authorization is an obvious alternative to verification of each individual app.

      Both Accescent and FDroid have some oversight processes in place, and do not contain “random” APKs. Googles actions show the real motive, which is control… not security.

        • skyline2@lemmy.dbzer0.com
          link
          fedilink
          arrow-up
          2
          ·
          2 hours ago

          They are de-facto “blocked” for developers that refuse to submit their identity to Google. I think you might not be understanding the implications of Google’s policy, please read this open letter to learn more: https://keepandroidopen.org/open-letter/

          If a developer doesn’t submit to identify verification, under the new system their app could not be installed regardless of what store it is distributed on.

          Needing individual devs to identify themselves directly to Google is invasive. Stores, however, could identity themselves to Google (or the world) as having security processes in place. Then they could be allowed as official 3rd party stores, similar to how the Linux repository system works.

    • Pollo_Jack@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      4 hours ago

      At least make it a toggle, like you need to request access for your account for your phone.

      Kneecapping everyone because idiots exist is idiotic.

      • Pika@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        ·
        22 minutes ago

        It is a toggle. they just locked said toggle behind a 24 hour time lock. It’s ridiculous. I think if they kept it the way it was without said time lock it wouldn’t be anywhere near as controversial.

      • flyingSock@feddit.org
        link
        fedilink
        arrow-up
        6
        ·
        6 hours ago

        maybe because it was to easy to upload to the googleplay store. Maybe there should be some kind of verification of the person uploading. How could this be accomplished?

        Joking aside I don’t think side loading should be encoumbered like this, but for the official app store it makes sense.

        • dubyakay@lemmy.ca
          link
          fedilink
          arrow-up
          1
          ·
          2 hours ago

          Your heart is in the right place, but your mind is not.

          Google et.al. is pushing for IDV in every segment due to lobby pressure from meta to build REAL user database for advertisement purposes in the age of LLM drivel. Every “protect the *” has meta’s government lobbyists behind it.

          There could be alternative approaches, but meta’s goals just so happens to align well with a fascist government’s that thinks they need to stamp out dissenting voices and anonymity.

        • thingsiplay@lemmy.ml
          link
          fedilink
          arrow-up
          5
          ·
          4 hours ago

          Total control and taking away freedom is not negotiable. Not literally, but: “Maybe we should ban programming languages on Windows and Linux too, because it could be used to program viruses. We should protect the not so tech savvy.” See what I mean? Instead we should look forward to a better way of helping them. The proposed way of Google is not acceptable.

    • lime!@feddit.nu
      link
      fedilink
      arrow-up
      16
      ·
      edit-2
      6 hours ago

      so the real-world id requirement is also user protection? play store is basically an info stealer at this point.

    • Cassa@lemmy.blahaj.zone
      link
      fedilink
      arrow-up
      13
      ·
      6 hours ago

      so your family’s devices get their apps from outside the play store?

      people are effectivly prevented from sideloading. not “just a little more complicated”

      • iByteABit@lemmy.ml
        link
        fedilink
        arrow-up
        10
        ·
        4 hours ago

        of course nana uses adb exclusively to install apps on her smartphone, after all this is a totally real story about user protection right?