[giamma]

While I understand the reasons behind this campaign, I have mixed feelings about it.

As an iPhone user, I find it frustrating that deploying my own app on my own device requires either reinstalling it every 7 days or paying $100 annually. Android doesn't have this limitation, which makes it simpler and more convenient for personal use.

However, when it comes to publishing apps to the store, I take a different view. In my opinion, stricter oversight is beneficial. To draw an analogy: NPM registry has experienced several supply chain attacks because anyone can easily publish a library. The Maven Central registry for Java libraries, by contrast, requires developers to own the DNS domain used as a namespace for their library. This additional requirement, along with a few extra security checks, has been largely effective in preventing—or at least significantly reducing—the supply chain attacks seen in the NPM ecosystem.

Given the growing threat of such attacks, we need to find ways to mitigate them. I hope that Google's new approach is motivated by security concerns rather than purely economic reasons.

[stratts]

Android already has this strict oversight, in theory, in the form of the Play Store. And yet.

Personally I feel much more safe and secure downloading a random app from F-Droid, than I do from Google, whose supposed watchful eyes have allowed genuine malware to be distributed unimpeded.

[marcos100]

Exaclty. Play Store takes a cut from what it is selling, so they should be more strict what can be sold, not lock the whole platform.

[zzo38computer]

> In my opinion, stricter oversight is beneficial.

I agree; stricter oversight is beneficial for the official app store. It should not be necessary (and neither should Google's (or Apple's, or Microsoft's, or the government's, etc) verification be necessary) for stuff you install by yourself.

> The Maven Central registry for Java libraries, by contrast, requires developers to own the DNS domain used as a namespace for their library.

This means that you will need to have a domain name, and can verify it for this purpose. (It also has a problem if the domain name is later reassigned to someone else; including a timestamp would be one way to avoid that problem (there are other possibilities as well) but I think Java namespaces do not have timestamps.)

> I hope that Google's new approach is motivated by security concerns rather than purely economic reasons.

Maybe partially, but they would need to do it a better way.

[user34283]

If the manufacturer wants to offer verification of developers, this should be an optional feature allowing the user to continue the installation of applications distributed by unverified developers in a convenient way.

Making this verification mandatory is an absolute non-starter, ridiculous overreach, and a spit in the face of regulators who are trying to break Google and Apple's monopoly on mobile app distribution.

[Yokolos]

I don't understand how you can have mixed feelings about this.

> However, when it comes to publishing apps to the store,

This isn't about publishing apps to the Play Store. If that's all this was about, we wouldn't give a shit. The problem is that this applies to all stores, including third party stores like F-Droid, and any app that is installed independently of a store (as an apk file).

> Given the growing threat of such attacks, we need to find ways to mitigate them.

How about the growing threat of right-wing authoritarian control? How do we mitigate that when the only "free" platform is deciding the only way anybody can install any app on their phone is if that app's developer is officially and explicitly allowed by Google?

Hell, how long until those anti-porn groups turn their gaze from video games and Steam onto apps, then pressure MasterCard/Visa and in turn Google to revoke privileges from developers who make any app/game that's too "obscene" (according to completely arbitrary standards)?

There's such a massive tail of consequences that will follow and people are just "well, it's fine if it's about security". No. It's not. This is about arbitrary groups with whatever arbitrary bullshit ideology they might have being able to determine what apps are allowed to be made and installed on your phone. It's not fucking okay.

[giamma]

My elderly father unknowingly installed an application on Android after seeing a deceptive ad. An advertising message disguised as an operating system pop-up convinced him that his Android phone's storage was almost full. When he tapped the pop-up, and followed instructions he installed a fake cleaner app from the Play Store. While the app caused no actual harm, it displayed notifications every other day urging him to clean his phone using the same app. When he opened it, the app — which did nothing except display a fake graph simulating almost full storage — pressured him to purchase the PRO version to perform a deeper cleanup.

In reality, the phone had 24 GB of free space out of 64 GB total. I simply uninstalled the fake cleaner and the annoying notifications disappeared.

How such an app could reach the Play Store is beyond me. I can only imagine how many people that app must have deceived and how much money its creators likely made. I'm fairly certain the advertisement targets older people specifically—those most likely to be tricked.

For better or worse, I'm pretty sure that such an app would never land into the Apple App Store.

[gumby271]

So you're saying Google is doing fuck all to protect customers on their already locked down store, right? This doesn't sound like it will be addressed by Google extending developer registration outside of their store at all if they can't even address obvious scam apps that they're already promoting. And to your point, yes, Apple probably does do a better job of maintaining their app store, that way they can prevent some of the push back on iOS being so locked down. An iPhone sounds like the right device for your father.

[avra]

from the Play Store

This is not about the Play Store. This is about the whole Android platform. It's about running what you want on your own machine.

[BeFlatXIII]

> Maven Central registry for Java libraries, by contrast, requires developers to own the DNS domain used as a namespace

What are the requirements around domain renewal?

[morshu9001]

Litmus test: Can you get NewPipe or other Youtube clients onto an Android phone? This is non-malicious software that users want to run but could reduce YouTube's profits.

[beeflet]

The threat of such attacks is not growing