• Auth@lemmy.world · +2 · 3 hours ago

    Google can do this for their own store first. I doubt it will make any difference in the number of malicious and shit apps on that store. Requiring this be mandatory for everyone is clearly malicious.

  • Raccoonn@lemmy.ml · +7 · 5 hours ago

    The only apps I have installed from the play store are ones that came pre-installed with the phone. The rest are all from f-droid…

    LONG LIVE F-DROID!!

  • katy ✨@piefed.blahaj.zone · +13 · 10 hours ago

    really hope someone finds a way to break google’s block on apks that aren’t registered. with more and more manufacturers locking down bootloaders, changing roms is no longer an option.

    • definitemaybe@lemmy.ca · +1 · 26 minutes ago

      Except that it is still an option to only buy phones that allow bootloader unlocking and root? That’s been a requirement for me since my first smartphone.

  • ShimitarA · +114 / −1 · 18 hours ago

    Disclaimer: I have been a maintainer for LineageOS and a long time user.

    Whoever advocates for LineageOS doesn’t get it. Using LineageOS will not fix any issue like this.

    Already today, using LineageOS means giving up on banking apps, ID apps, and even McDonald’s and some games like Pokemon.

    Yeah, because Google with Play Integrity now demands valid keys that get invalidated as soon as Google detects they are used for such usage. The cat and mouse game suddenly got much harder to beat.

    So no, using LineageOS will soon be possible only with secondary devices and not your primary that you will need for your actual stuff to work.

    • Qwel@sopuli.xyz · +10 / −1 · 12 hours ago

      I’ve never had an issue with the three banking apps I tried on LineageOS, and I didn’t even know there was a McDonald’s app or pokemon games.

      If this list for /e/os roughly applies to LineageOS (with microG), I wouldn’t call it “only for secondary devices”, more “won’t work for some people”

      Did I miss something? AFAIK Google is requiring devs to ID, not to use SafetyNet or whatever the “only-runs-on-certified-phones” thing is called.

    • 0x0@lemmy.zip · +6 · 13 hours ago

      I (for the moment) use stock Android without a Google account without any issues.
      Then again, I don’t use banking apps on a smartphone.
      My gov provides ID apps and they work fine - then again, GPS is installed of course.
      Fuck McDonald’s.

      I’ll have to check app support on Lineage or postmarketOS in the near future.

    • pinball_wizard@lemmy.zip · +39 / −14 · 18 hours ago

      Counterpoint: I use the McDonald’s app where it belongs - on a giant greasy ordering kiosk.

      But seriously, banks have websites. Everyone and everything has a website.

      I don’t need Android apps at the cost of my privacy or at the cost of control of my devices.

      I use GrapheneOS as my only phone, and I have done so for years.

      Whatever the topic, I don’t need an app for that.

      • hessenjunge@discuss.tchncs.de · +59 / −2 · 17 hours ago

        I don’t know about the US but on this side of the pond banks have their own 2nd factor apps. So to log in to a bank’s website you need an app - quite probably with play integrity.

        • AmbiguousProps@lemmy.today · +13 / −1 · 17 hours ago (edited)

          That’s insane, I have never heard of such a thing, but I’m in the US where most banks don’t even have non-sms second factor.

          • LainTrain@lemmy.dbzer0.com · +8 · 15 hours ago (edited)

            That’s crazy. Yeah in the rest of the world you can’t do shit on a bank website, it’s mostly just view only, and the rest is via the app. If it lets you do anything at all, it’ll require 2FA via the app.

            You can transfer money from a savings account with one bank to another account with another bank just via tapping said bank account icon in the app, like you don’t even need the BIC/IBAN/AccNo/Name or any details, it knows where to go just because you have the app of the other bank, all you do is tap the icon.

            I’m not even sure you can withdraw the money from the savings account without having the app of the target bank installed on the phone, signed into the target account.

            Same way you can add a card to Google Pay by just tapping a button in the bank app, no details or anything required.

            Frankly I don’t even know where any one of my bank cards are, I remember for a good while I had a credit card that I didn’t actually have physically because when you open the credit card account (which requires extra checks compared to what is default - debit cards) they don’t bother to ship the physical thing to you unless you explicitly ask for it (via an option in the app), since most people just use it only via Google Pay because everywhere is cashless and uses only NFC.

            I didn’t realize at first but it meant that my “card” didn’t even have a PIN, because there was no way to physically have it, any large transactions are authorized in the app, everything else, including IRL is implicitly authorized by me unlocking my phone with my fingerprint, which is required to make NFC payments on Android. I think with Apple phones it’s required to open the app but for me since 2018 it’s been muscle memory to tap the fingerprint reader and slap the phone on the NFC reader on anything from the tube to the dodgy corner shop.

            To get the actual card details it’s a relatively hidden submenu in the app, to add to Google pay is a giant button on the card icon in the app.

            Convenient as hell but the sheer amount of privacy violations involved and info that must be gathered about the phone to do this in a compliant fashion makes me shudder.

        • miss phant@lemmy.blahaj.zone · +6 · 15 hours ago

          I’ve been using a dedicated TAN generator for banking since I first made my account but I don’t doubt that’s going away at some point, since debit cards from the same bank already require an app for 3-D secure.

        • eleitl@lemmy.zip · +5 / −1 · 15 hours ago

          No, hardware TAN generators work fine. If the bank wants to force me to use proprietary snake oil, it’s time for a new bank. Or using a dedicated old smartphone just for the app.

      • Wispy2891@lemmy.world · +17 / −2 · 17 hours ago

        Counter-counterpoint:

        Banks use their app to generate the OTP, and they reinvented the wheel, so if you want to log in you need to install it; you can’t use a generic authenticator. I am not aware of any single bank in the EU that allows the use of generic authenticators.

        For McDonald’s, using the app gives at least 50% off. A menu in the app costs 5 euro while on the store kiosk it costs 12 euro. I do not personally care because I find their food to be just barely edible, but I understand why there’s a need to install the app.

          • Wispy2891@lemmy.world · +1 · 5 hours ago

            Pay a fee of 0.30€ to receive the OTP via SMS every time they want to log in without the proprietary OTP app, and 0.30€ for each payment to authorize.

            • thedarkfly@feddit.nl · +1 · 4 hours ago

              Fucking hell, y’all make me realize how lucky I am with my bank that runs without gapps.

          • redjard@lemmy.dbzer0.com · +1 · 5 hours ago (edited)

            My bank had a device that was basically a simple Android phone running the 2FA app. The phone app got updated through new versions and eventually got the DRM treatment, but the old app keeps working because it is still running on those dedicated 2FA “devices”.
            Naturally the bank is now trying their best to make people deregister the old “devices” and switch to only the “app”.

            The old app has no internet permissions. It reads a QR code from the camera and shows verification as a 6-digit code.
            The new app has internet permissions and is integrated with other apps, so you can conveniently accept the request of your banking app in the 2FA app (on the same phone) with a single tap via an overlay. 2FA.

      • masterofn001@lemmy.ca · +2 · 8 hours ago

        My bank app works without issue inside a private space with sandboxed Play services on my main user profile.

        I also have an investment app which runs without any issue whatsoever.

        Maybe I’m lucky and these Canadian companies just aren’t dicks about mandating google.

        As far as I’m aware, as of now, Graphene does not meet Google’s attestation (Uncertified Device), because Google says so, but is easily more secure.

        Google’s lockdown has zero to do with security.

    • I Cast Fist@programming.dev · +1 · 12 hours ago

      I remember when internet banking meant installing some shitty “security” software on Windows before it would let you access the proper page on your browser.

    • eleitl@lemmy.zip · +5 / −7 · 15 hours ago

      Seriously? Open computing is dead to you because you can’t order fast food or play games? I don’t even have Google Play on this GOS device. And, by the way, my banking app works fine on LineageOS. Not that I need it, since I use a hardware TAN generator.

    • CrayonDevourer@lemmy.world · +41 · 18 hours ago (edited)

      You can blame the courts for this one. They basically ruled “Apple isn’t a monopoly, because they don’t even LET other people compete in the first place”. (which is about as bass-ackwards as it gets, but whatever)

      Google saw this and went “shit…” so they’re rushing to implement the same thing.

    • Ugurcan@lemmy.world · +6 / −5 · 12 hours ago

      You would wish Google would turn into Apple. AAPL at least has the decency of respecting some privacy.

      Google, on the other hand, is an advertising company (not a tech company), selling all the people pocket size advertisement billboards named “Android” for years, and they’re taking the last step of seizing full control over it.

      • algorithmae@lemmy.sdf.org · +9 / −1 · 9 hours ago

        If you don’t think Apple is profiting off your data for advertising, I have a bridge to sell you.

  • Wispy2891@lemmy.world · +30 · 17 hours ago

    Why the Google identity check is completely useless:

    Step 1: scammer acquires stolen id card

    What’s the difference between malware developed anonymously and malware developed anonymously but registered under a fake id? It can be installed today and it can be installed tomorrow. Do they really believe that malware developers will doxx themselves when publishing their malware?

    • Mubelotix@jlai.lu · +6 · 15 hours ago

      This. Every day there is a new legitimate dataset of IDs for sale on the internet. I have seen enough never to trust IDs anymore.

    • utopiah@lemmy.world · +2 · 10 hours ago

      My wife will hate it, but so be it.

      Pretty sure you can build and self-host an SMS-whatever-she-is-using (e.g. Signal, DeltaChat, etc) bridge if somehow SMS isn’t enough.

    • Godort@lemmy.ca · +13 · 19 hours ago

      Some friends and I were talking about the feasibility of that earlier today.

      It’s possible, assuming that you never need to use your phone as an MFA method, never need to scan a QR code, or never need to use an app for something because they lack a web version.

      • paequ2@lemmy.today · +19 · 19 hours ago (edited)

        My company recently required us to have mandatory fun at a baseball stadium. Apparently, Ballpark MLB is the only way to receive tickets and get into the park… I had to sign up for some stupid account and download some stupid app because my company required it.

          • paequ2@lemmy.today · +16 / −1 · 18 hours ago

            I could have technically said no… but I would have taken a hit politically. I’ve definitely been on teams where people have said “Oh, paequ2 doesn’t like us. He doesn’t want to hang out with us.” I mean, they’re not wrong. I don’t like people. But. You know. I still need people to review my PRs, approve them, ask them for help, ask them for pay bumps, etc.

            Forgive me Lemmy for my moment of weakness. I’ll go off to the corner and practice some self flatulation.

            • ThotDragon@lemmy.blahaj.zone · +4 · 15 hours ago (edited)

              Self flatulation is so unironically funny in this context. I think you meant flagellation but really people are giving you more guff than you deserve over the situation. And your response was basically “well I’ll go fart by myself about it.” And like yeah, that’s about what all this is worth.

              • paequ2@lemmy.today · +4 · 6 hours ago (edited)

                “I think you meant flagellation”

                I said what I said! I didn’t typo. 🏃💨

      • pinball_wizard@lemmy.zip · +7 · 18 hours ago (edited)

        “never need to scan a QR code”

        QR wishes it can someday become as relevant as you’re giving it credit for. Haha.

        There is Aegis for MFA. It’s much nicer than the closed proprietary ones.

        Of course, if a job requires something incompatible, then I’ll let them buy me a dedicated device.

        Some services threaten me with “there’s no web version”, but they never end up being someone I want to do any business with, anyway. ¯\_(°_o)_/¯

        But I do want a dumb flip phone again. They were cool.

        • /home/pineapplelover@lemmy.dbzer0.com · +3 · 17 hours ago

          This has come full circle because at my work, we refuse to buy hardware keys for employees because of the cost. Work is making them download Duo authenticator as the only means of MFA as well.

        • dan@upvote.au · +12 · 19 hours ago

          This is exactly what a Yubikey is for. They’re phishing-resistant too, as opposed to TOTP codes.

            • LainTrain@lemmy.dbzer0.com · +1 · 15 hours ago

              Lucky you can get away with that. My bank requires the app; without it you can’t even make transactions via the web UI because the 2FA is via their app. You can’t even order a new card, or many times order a physical card, via their web UI because they don’t bother sending you a physical thing anymore, the intention being that you add the card to Google Pay for NFC and online payments and use it that way only. Everything is via the app. I actually have no idea what happens if I lose my phone, because as far as it has been made to appear my bank account is on my phone; there are no sign-in details or anything of the sort, it’s either there or it isn’t.

    • passenger@sopuli.xyz · +51 · 18 hours ago (edited)

      If this comes to pass, f-droid might get closed as the userbase dwindles. Many apps will also cease to be developed and be left without updates. You will not get out with just updating to LineageOS. We should be looking at Linux phones at that point.

      • Vanilla_PuddinFudge@infosec.pub · +22 · 19 hours ago (edited)

        Linux Phones have a few software hurdles to pass through to get usable.

        The biggest problem right now is adoption and contribution to the ecosystem, but there are a few things in the way of outright using Linux apps on a phone. One is that most Linux apps aren’t made to be vertical. Some newer ones can adapt to it, but many of the apps you likely would depend on using a Linux laptop are almost unusable on a Linux phone, like… VLC, for instance.

        The network stack isn’t as beaten to death for 4G and 5G as Android’s is. I work in a slightly iffy area, and on Android I’d have times where I’d lose signal, but it would always come back within 5-10 minutes or so. There’d be times on Linux when it wouldn’t until I’d missed two calls and three texts and an hour and a half had gone by because the system was choking on a comma or a misplaced semicolon it found somewhere in the background and wouldn’t reset until I forced airplane mode off and on. If I was at home, or in the city, I’d never notice this problem, but the second I hit a road trip or went to work, boy.

        Also, and this is just my phone, my OP6T had iffy microphone and earpiece settings. PulseAudio was at the forefront of this audio stack almost entirely unchanged from its appearance on GNOME or KDE, and on a phone it’s just confusing and obtuse as to what app is using what and what even is what. If you got it right, it was fine, then the next call it wouldn’t be, or would change back, again, probably more the 6T being a 6T than anything else.

        I think right now, in this interim period, I’m going to buy a hotspot that I can just slip a sim card into and tether a Linux phone to it. I can use Conversations on Waydroid and use JMP.chat to send phone calls and texts over XMPP. I did fine on my OP6T for my actual use of a phone. I was browsin’, I was textin’, I was sendin’ messages, I was doin’ terminal stuff, administratin’ my servers, readin’, listening to musicn’. It was fine. Will do some experimenting.

        • passenger@sopuli.xyz · +8 · 18 hours ago

          Very insightful and interesting. Thanks. I am using GrapheneOS at the moment and only have read about the Linux phones. Of course an open android system that is decoupled from Google and their shenanigans would be great as well. But I am not very hopeful as Google has started a battle on several fronts…

      • pinball_wizard@lemmy.zip · +7 · 18 hours ago (edited)

        “f-droid might get closed as the userbase dwindles.”

        Nah. F-Droid is already federation-ready. https://f-droid.org/docs/Installing_the_Server_and_Repo_Tools/

        I’ll run my own copy of the F-Droid servers, before I bend my knee to Google. So will others.

        Edit: But yes, you are correct that Linux phone is the long term solution. Android is a pile of corporate Java. Linux is a lean sleek set of mature highly optimized tools. Once the big show-stoppers are cleared, my Linux phone will be the envy of all who see me use it.

        • passenger@sopuli.xyz · +10 · 18 hours ago

          The big problem is, I think many apps will cease to get updates as the devs stop developing on Android. Just running F-Droid is not going to solve this.

            • passenger@sopuli.xyz · +1 · 10 hours ago

              I don’t know, Linux? But if they don’t want to get the dev certificate I doubt they continue to develop on Android.

              • DeathByBigSad@sh.itjust.works · +1 · 8 hours ago

                Doubt it.

                Most of those on a Google ROM aren’t moving to GNU/Linux; it’s either Lineage, Graphene, etc…, or just give up on these non-Google apps. “Linux” is so broken and dysfunctional compared to Android ROMs.

        • passenger@sopuli.xyz · +5 · 18 hours ago (edited)

          I do not know, I hope it is there somewhere.

          What should happen at this point is EU and European governments (and why not others) doling out money to do it.

          The risk of the phone duopoly to Europe (among others) is too great now with the US already having succumbed to outright fascism and its tech sector running around rampant with blatant disregard for any kind of basic human rights. They all seem to correct themselves only after lawsuits and only in the EU sector.

      • Mubelotix@jlai.lu · +2 · 15 hours ago

        F-Droid will not close, it’s decentralized. I have my little personal repository with apps I care about. Thousands of people do. Together we have pretty much everything.

          • Lfrith@lemmy.ca · +1 · 56 minutes ago (edited)

            Maybe an AltStore-type option will pop up so people don’t have to manually install or update each app they use with adb. Might lead to enough people still sideloading on non-custom-ROM phones so there is still interest in providing apps for people.

    • Lfrith@lemmy.ca · +1 · 12 hours ago

      I think the way forward for me once these restrictions come into place will be to go with a custom ROM for my main phone, and a cheap stock phone for just the apps that aren’t custom-ROM friendly like bank apps. I don’t need bank apps on the go, so not really going to need to carry 2 personal phones around.

    • YiddishMcSquidish@lemmy.today · +2 · 18 hours ago

      Holy crap, I got one! So stoked to try it out! I’ve been seeing all the Pixel stuff about it and just assumed it was flagships only, but my $150 unlocked phone is supported! Thanks for the push I needed to look it up.

  • MudMan@fedia.io · +13 / −3 · 16 hours ago

    I’m confused by this:

    “The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications.

    “If it were to be put into effect, the developer registration decree will end the F-Droid project and other free/open-source app distribution sources as we know them today, and the world will be deprived of the safety and security of the catalog of thousands of apps that can be trusted and verified by any and all. F-Droid’s myriad users will be left adrift, with no means to install — or even update their existing installed — applications.”

    My understanding is that developers need to sign up with Google and once they have an account they can sign their own apks.

    How would this impact F-Droid in any way? Presumably by the time F-Droid enters the picture the developers of the apps they distribute would have already gone through that entire process, right? The apks will be tied to that new Google certificate, but after that they can still be distributed anywhere.

    I mean, don’t get me wrong, this has genuine, very serious, dealbreaking issues, in that Google can just cancel the account of a developer making apps they don’t like, the same way Apple has done in the past. That’s not great. But from F-Droid’s perspective all of that has happened upstream, they are not anywhere in that loop, unless I’ve misunderstood the changes.

    • pivot_root@lemmy.world · +55 · 16 hours ago (edited)

      “How would this impact F-Droid in any way?”

      F-Droid itself builds the APKs to ensure that they’re reproducible and not signed on a development machine that could be compromised.

      https://f-droid.org/en/docs/FAQ_-_General/#is-your-building-and-signing-process-secure

      With these changes, either:

      • They use Google’s developer identity process to sign every APK they build with their own developer identity, which Google is likely not going to allow or is going to quickly find an example of a “malicious” app so they can blacklist all of them; or
      • They stop building APKs and just trust the developer provides a non-malicious, pre-verified APK;
      • They find a way to mediate the process between the original developer and Google. Knowing Google, they would make it as needlessly painful for everyone involved to discourage and punish alternative app stores.
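
      As an added illustration of the rebuild-and-compare idea described in the post above (this is example code written for this page, not F-Droid's own tooling, which has more steps than shown here), the following Python check treats a developer-signed APK and a store's own rebuild as matching when every zip entry outside the signature files hashes identically. The APK contents are constructed placeholders, not real app bytes.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signature entries live under META-INF/. v2/v3 signing blocks are
# not zip entries at all, so zipfile never lists them in the first place.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", ".MF")


def is_signature_entry(name: str) -> bool:
    """True for the META-INF files that differ only because of who signed."""
    upper = name.upper()
    return upper.startswith("META-INF/") and upper.endswith(SIGNATURE_SUFFIXES)


def content_digest(apk_bytes: bytes) -> dict[str, str]:
    """Map every non-signature zip entry to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(published_apk: bytes, local_apk: bytes) -> tuple[bool, list[str]]:
    """Return (identical, names of entries that differ or exist on one side only)."""
    published = content_digest(published_apk)
    local = content_digest(local_apk)
    differing = sorted(
        name for name in set(published) | set(local)
        if published.get(name) != local.get(name)
    )
    return (not differing, differing)


def make_apk(entries: dict[str, bytes]) -> bytes:
    """Build a minimal zip in memory; it stands in for a real APK in this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data, not real app contents.
BUILD_OUTPUT = {
    "AndroidManifest.xml": b"<manifest package='org.example.app'/>",
    "classes.dex": b"dex\n035\x00constructed-bytecode",
    "resources.arsc": b"constructed-resources",
}
# What the developer publishes: the same build output plus their v1 signature files.
DEVELOPER_SIGNED = make_apk({
    **BUILD_OUTPUT,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82constructed-pkcs7",
})
# What the store rebuilt from source on its own infrastructure (unsigned).
STORE_REBUILD = make_apk(BUILD_OUTPUT)
# A copy whose bytecode does not match the source: must be flagged.
TAMPERED = make_apk({**BUILD_OUTPUT, "classes.dex": b"dex\n035\x00something-else"})

if __name__ == "__main__":
    print(compare_builds(DEVELOPER_SIGNED, STORE_REBUILD))  # (True, [])
    print(compare_builds(DEVELOPER_SIGNED, TAMPERED))       # (False, ['classes.dex'])
```

      A match means the developer's signature can be attached to bytes the store itself produced; a mismatch names exactly which entries the store could not reproduce.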

      • MudMan@fedia.io · +12 · 16 hours ago

        Oooh, gotcha. That makes sense.

        I guess it’d make sense to take that first option as far as it will go, at which point the issue becomes litigating this the first time Google has their own weird censorship issue in the Apple mold. I’d expect if they ban all of F-Droid explicitly that would at least make more ripples than going after a single torrent client app or whatever. It may play out different from a regulatory perspective, too, if the practical effect is they ban third party stores.

        Side note, I’m really mad at the very deliberate choice Google made of categorizing all potential apps as either “apps meant for Google Play” or “student or hobbyist apps”. You know they know why that’s wrong, but it still makes you want to explain it to them.

    • calm.like.a.bomb@lemmy.dbzer0.com · +7 · 15 hours ago

      “My understanding is that developers need to sign up with Google and once they have an account they can sign their own apks.”

      Yes, and google asks for identification from the developers, and a lot of open source developers - having privacy in mind - don’t want to provide personal information. This is shitty beyond anything google has done before.

      • MudMan@fedia.io · +3 / −1 · 13 hours ago

        “Want” isn’t my concern. Presumably no developers want to give Google a piece of anything they generate, open source or not.

        My concern was not understanding how this interferes with F-Droid and that has been explained above: F-Droid builds their own APKs for verification and this process potentially makes that a lot harder while not providing a replacement for their verification from Google.

        That makes sense and it is indeed a dealbreaker. The other thing much less so.

  • thespcicifcocean@lemmy.world · +3 / −1 · 14 hours ago

    Wellp. Time to go back to a time where phones were phones and not much more. I don’t need a smartphone; I barely wanted one to begin with. I just want a way to talk to people, send SMS with a T9 keyboard, listen to preloaded MP3s and maybe play Snake.