- Does this mean sideloading is going away on Android?
Absolutely not. Sideloading is fundamental to Android and it is not going away. Our new developer identity requirements are designed to protect users and developers from bad actors, not to limit choice. We want to make sure that if you download an app, it’s truly from the developer it claims to be published from, regardless of where you get the app. Verified developers will have the same freedom to distribute their apps directly to users through sideloading or through any app store they prefer.
- Making APKs available to your test team
If your team’s current test process relies on distributing APKs to testers for installation using methods other than adb, you will need to verify your identity and register the package. This also applies if you make APKs available to your test teams through Google Play Internal Testing, Firebase App Distribution, or similar solutions through other distribution partners.
- Do I still need to register my apps if I’m only distributing to a limited number of users?
We recommend you register. It’s a simple, one-time process that will allow anyone to download and install your app. However, if you prefer not to, we are also introducing a free developer account type that will allow teachers, students, and hobbyists to distribute apps to a limited number of devices without needing to provide a government ID.
- What can I do to prepare for developer verification?
The best way to get ready and stay updated is to sign up for early access. We’ll start sending invitations in October.
We recommend you participate in developer verification because, even though verification is not required to develop apps with Android Studio, you will need it to distribute apps to certified Android devices. Apps installed through enterprise management tools on managed devices will also be installable without being registered.
I know I will get downvoted for this opinion, but I like this.
Developers who decided not to use Play Store can still do so, but are required to identify themselves. I get that not everyone is willing to do this, but there still is a free way to compile apps yourself and put them on your phone.
I am a developer myself and I have published apps for iOS and Android in the past and this process still is way easier than anything an iOS developer has to do to just install an app on his personal phone.
You don’t understand how easy it is to get a fake ID/passport with any photo you like in some countries.
Bad actors already do this, which clearly doesn’t stop bad apps from appearing in the play store. If the main reason why this new thing exists is to prevent malware and such, and it immediately fails to do that, what other motives do you think there could be?
You may have apps on iOS and Android, but you’re either very naive or privileged enough that you can’t see a problem with this whole verification.
Imagine if every program on your PC had to be verified by Microsoft, or Canonical.
Fuck that noise.
This won’t increase security. This just allows Google to tighten the reins on their system to push out alternative app stores and enhance their monopoly. What do you think will be in the developer agreement - guarantee there’s clauses preventing YouTube frontend apps (Freetube, Grayjay) and root alternative apps (Magisk, Shizuku). If it’s not there on day one it will magically appear in a few months - and then the rug will be pulled from under those devs and they’ll be banned from working on Android again on anything, potentially sued, and Google will be able to enforce it because they know exactly who the devs are and have their government IDs.
I don’t know, man. A signature makes the author of the app that fucks my system pretty clear. That has consequences: apps by bad actors can be pulled.
With an unsigned app, we can’t authenticate the package is untampered, and the author can repudiate any fuckery as unauthorized modifications.
They already wrote the free developer account for limited distributions doesn’t require those.
None of that is necessary when installs over Android Debug Bridge bypass verification entirely.
Enforcement only applies to certified Android devices, i.e., those certified for and that ship with Play Protect, and even Play Protect can be disabled.
This all seems like a huge nothingburger by the willfully illiterate. Look at these illiterates downvote.
I totally agree with you that having Google as the only one able to assign these certificates is a problem. This needs to change (and I rely heavily on the EU to enforce this), but I still think that everyone who is publishing an app to an undisclosed number of people (and therefore there is no implicit trust by design) should identify him- or herself to some authority.
I agree if someone makes something like the ice app for their country the government should be able to track them down if they want. There shouldn’t be a way for citizens to disrupt things for any reason. We need government to control every aspect of our lives and key is to make everything trackable for a safer world so the authorities in power can remain in power.
Every action should be identifiable. Including lemmy. It disturbs me that such a site where people aren’t required to provide real IDs exists.
Why? Google is demanding personal ID for devs, but we have no idea who wrote code for the Google apps we install - was it a Californian, was it slopped together by an AI, was an NSA analyst supplying code? Sorry, Google deems that’s all private. Code is closed. Trust us.
Now, open source devs who value their privacy are forced to give it all up for users to continue using their vettable code that has earned them user trust over years or decades - just to give Google direct power over them. Power to ban from the store, power to sue, to litigate - you presume for benevolent reasons, however there is not much reason to believe this, given Google’s history.
Google has repeatedly spread malware through their store and it has had real world impacts, so if they want to improve their security and more thoroughly vet the devs that they charge to use their store to distribute their code, fine - that’s their call. But that’s not all they’re doing, is it - they’re demanding ID from any dev that uses any storefront, even if that storefront is completely out of Google’s hands and has over a decade of never distributing a single piece of malware.
Don’t be fooled, this is a ploy to kill third party apps and third party stores, while enabling Google to strike at any devs of apps they take issue with.
They’re taking away a BIG freedom in android, which is installing apps from wherever you want, however you want, and when you want.
And google play itself has WAY MORE malware than all FOSS sources combined.
Do you reconsider now?
FOSS is a thousand times more reliable than the standard app on play store.
Honestly this was one of the few major advantages to using android over iOS. Might have to consider a switch now…
no no no, hold your horses!
there is hope in custom roms and root!
and maybe, ADB (therefore shizuku).
unless you mean a switch to linux phones
then, do it.
That freedom is still there. The only thing going away is installing from an undisclosed source.
Why should we have to disclose the source to google? It’s evil, and this is just more bullshit they are trying to get your data.
What if they refuse to approve your developer identity application? Now you can’t sideload the app you developed for personal use.
At the moment (I am willing to change my opinion if that changes) Google has announced that for your personal use you won’t need to submit any ID. This just shows me you haven’t even read the whole thing, but just the headline and your opinion on this was set.
I understand where you’re coming from with this comment. I’m also generally frustrated when I see people commenting on sensationalized headlines without taking the time to learn more.
I, however, have read their published plans for developer IDs.
Think back, and be objective about how Google has managed Android since AOSP launched. Time and time again, Google has borrowed and adapted code which was submitted to the project by talented, passionate developers who expected no compensation. At each milestone, Google has taken steps to apply additional restrictions on developers, siding instead with hardware manufacturers to limit the public’s ability to use their purchased hardware as they see fit.
I am aware that there is a balance that must be struck to limit expense, exploitation, and to prevent widespread security incidents and piracy, but how many times in the past have end users and developers been in this precise situation over the years? How long until Google decides that they don’t need the AOSP project at all and fork the entire project? They’ve already taken large parts of the framework private.
Maybe I’m a little jaded, but I can’t see a benefit here for anyone but Google and hardware manufacturers. This is just another step towards locking us out.
You do need to submit an ID if your app gets a larger audience. Plus, the account requirement stays. With the way google bans developer accounts I wouldn’t be surprised if your hobby developer gets an axe once in a while.
It’s not hard to imagine them abusing/being compelled to limit apps based on regional restrictions or perhaps other apps’ terms of service. Like newpipe could be nuked out of nowhere assuming it even gets a say since it breaks YouTube’s Terms of service.
Or manga, book reading apps getting the axe due to copyright strike. Plus, the devs could get doxxed again due to copyright strike.
No sane developer should risk submitting this personal information to google for a side or hobby or even a community project.
You’ll get downvotes because this is just rationalizing kow-towing to Google.
There’s no technical, nor security reasoning to rationalize this.
There is security reasoning
The internet has a ton of malware and having a better way of identifying apps isn’t a bad thing. The problem is when it is used in order to make Google the sole gatekeeper of allowed apps.
The malware is already on the Play Store.
Google is already doing nothing about malware that you can officially download directly from Google.
Google play is huge
Every time Google finds malware they take it down and improve their processes. I’m definitely not a big fan of Google but they do handle security pretty well. (Except for malware in ads)
There are plenty of reasons to hate Google. However, just because there have been cases of malware on Google play doesn’t mean that downloading apps is somehow less risky. You should stick to trusted sources and avoid questionable apps. The core problem here is the fact that the solution Google came up with for malware prevention allows them to block third party app stores and potentially apps not liked by Google like NewPipe.
I would have far less of an issue with Android app verification if it was instead implemented in AOSP with a way for users to configure it in settings. Bonus if it allows users to install trusted certificates from third parties.
Yes and they actually have a malware service that already runs on side loaded apks. This isn’t about security and you can’t convince me otherwise.
The solution they “came up with” didn’t just happen to exclude those apps. It is the entire purpose.
We have had anti-malware on desktops for decades. None of them set a system hard line at phoning home to (insert mega globo corp) to install software on hardware, I repeat, you own. It’s yours. You paid for it. What you do with it is none of Google’s concern.
Are you stubborn?
Well yes. That’s what happens when your only argument boils down to “It could be worse”.
My argument isn’t “it could be worse” - my argument is “that’s how it should have been from the beginning”.
“No no, my argument is even worse than that!”
Then you deserve them even more. Fuck privacy and freedom I guess?