by Zak 90 days ago
I don't think Google should be changing Android this way at all, and fear that it will later be used for evil. That said, I thought of an improvement:

Allow a toggle with no waiting period during initial device setup. The user is almost certainly not being guided by a scammer when they're first setting up their device, so this addresses the concern Google claims is driving the verification requirement. I'll be pretty angry if I have to wait a day to install F-Droid and finish setting up a new phone.

Evil, for the record, would mean blocking developers of things that do not act against the user's wishes, but might offend governments or interfere with Google's business model, like the article's example of an alternative YouTube client that bypasses Google’s ads. YouTube is within its rights to try to block such clients, but preventing my device from installing them when that's what I want to do is itself a malicious act.

3 comments

Agreed. I also don't think this should be in developer settings; it's kinda insulting to imply that only developers need to have full control of their own devices.

Personally those two changes would mollify me somewhat, though the slippery slope concerns others have discussed in this thread remain. Additionally, I think there's a real anti-competitive concern in that these changes negatively impact the market for non-Google-approved apps. (Perhaps the latter could be solved by allowing alternate app stores like F-Droid to completely bypass the verification requirement, allowing those stores' internal app verification processes to compete on equal footing with Google's.)

> Allow a toggle with no waiting period during initial device setup

I like this idea in principle but I think it could become a workaround that the same malicious entities would be willing to exploit, by just coercing their victims to "reset" their phones to access that toggle.

That wipes all the data on the device and requires logging back in to accounts. It seems to me that's high enough friction to resist most coercion.
Isn't app data, photos etc. usually synced with the Google account? Besides, Google claims that the scammers are using social engineering to create a feeling of panic and urgency, so I think the victim would be willing to reset and log in to the accounts again in such a frame of mind.
Some is, some is optional, some isn't.

I'm sure there's a hypothetical scenario where someone successfully runs a scam that way, but there's also a hypothetical scenario where a 24 hour wait doesn't succeed at interrupting the scam.

The perfect is the enemy of the good.
Which applies just the same to the hypothetical option during initial device setup.
None of this is stopping a malicious entity. We keep trying to use tech (poorly thought out tech at that) to solve issues of social engineering. And no one is asking for a solution, either; it's being jammed in for control.
Such a silly statement. Of course tech can solve social engineering problems, we do so every day starting from UX design. This is a good solution to killing urgency.
UX is made for humans. Humans can learn to exploit UX. This is as useless a battle as fighting piracy: you will destroy your product before you solve the problem.
Social engineering is destroyed with education, not with restriction and control.

Trading freedom for safety eliminates both.

That's an interesting idea wrt enabling the advanced flow during initial device setup! I'll pass it along.