Hacker News on Gopher (unofficial)
COMMENT PAGE FOR:
URI Google just gave Android power users a sideloading win
branon wrote 27 min ago:
How will the transfer occur? I'm assuming via Google account?
So this is vendor lock-in to an online account being sold as a way to
"win" against a problem _created_ by said vendor? I would prefer a
per-device wait time and I sincerely hope a Google account will not be
a hard requirement. I didn't consider this initially.
Google is in the process of stealing the shirts from our backs and
selling them back to us. Whoever wrote this article is drinking the
kool-aid. This should NOT be presented as a positive thing. Some of us
use Android without a Google account and would still like to sideload.
throwaway81523 wrote 1 hour 23 min ago:
I thought that even after the 24h wait, you will have to go through
some annoying dialog to install (or maybe even update) anything not
from the play store. So installing from F-droid will become an
obnoxious process. Even worse if updates also become obnoxious.
F-droid often wants to update several apps at once, so I click "update
all". If that becomes multiple dialogs, that sucks.
scuff3d wrote 1 hour 34 min ago:
"Google is doing this thing that is total bullshit, but now they've
given you slightly less shit. What a win! Our glorious corporate
overlords are so generous!"
What a joke. It's not a journalist's job to shill for corporations.
AlBugdy wrote 2 hours 36 min ago:
What's the phone OS landscape now? What can someone who values their
agency and wants FOSS choose?
* iOS - walled garden, so no
* Android:
* * with a Google account and Play Services - a bit less of a walled
garden, but still no
* * Android without Google:
* * * GrapheneOS - root or adb not supported, so no
* * * LineageOS - (edit: root or adb not supported, so no - just
learned) seems like a viable option although it seems like it depends
on Google's development of Android and keeping it FOSS. How's the
situation with security updates? Which phones would you recommend? I
don't count Samsung or whatever crap as they're generally quite
user-hostile.
* Linux - IIRC only PMOS supported FDE. Is that still the case? Are
there good Linux phones? I tried PinePhone a few years ago, but it
was crappy. The OS also lacked basic features like new windows showing
up inside the screen.
* anything else?
PufPufPuf wrote 1 hour 29 min ago:
Why do you want to root? I didn't really feel the need for the past
few years.
AlBugdy wrote 1 hour 11 min ago:
Because my new phone would be my new phone. And a phone is a
computer. That should be enough of a reason.
I'm quite surprised people who post here don't get that. I've been
lurking for years even though my account is new and even though
general hackerishness here has gotten a bit reduced over the years,
but it's still HackerNews, not ConsumerNews. No offense implied - I
just hoped I'd see more people willing to claim their right to own
and modify their OS like a true hacker.
kace91 wrote 1 hour 36 min ago:
I think a problem is that phones, as a concept, are communication
first, rather than general computing first.
If you want to partake in social networks, messaging, work
communication, banking, etc you're at the mercy of the service's
owner and their moat. You can't access Instagram in any other way
than their app, and at that point an open OS doesn't help a lot.
I'm sure FOSS can make a feature equivalent Instagram (or Whatsapp,
or whatever) but the people aren't in there.
AlBugdy wrote 1 hour 18 min ago:
> I think a problem is that phones, as a concept, are communication
first, rather than general computing first.
I use all kinds of computers for communication. I'm communicating
with you on my desktop. I had a call earlier on my laptop. And a
phone IS a computer, so why pretend it's not?
> If you want to partake in social networks, messaging, work
communication, banking, etc you're at the mercy of the service's
owner and their moat. You can't access Instagram in any other way
than their app, and at that point an open OS doesn't help a lot.
I wouldn't use proprietary work tools on a personal device. It's
not good hygiene.
I don't care if Instagram requires an app on a non-rooted phone
with verified Google attestations because I don't use it and it's
not essential.
Banking apps ARE a problem because a lot of banks don't let you use
their site without their app at all. That should be solved with
regulations - give people a FOSS banking app or, better yet, an
API, so they can bank however they want to. Let us create FOSS
interfaces for the different banks. Right now we need to revert the
regulations who more or less force us to rely on Google or Apple's
attestation. Internet banking is important both because there's a
trend, even in countries where cash is still widely used, to have
places that don't take cash, and because it's a highly regulated
system paid for my taxes - I should be able to participate in a
modern way with bullshit restrictions allegedly made to prevent
someone's grandpa from getting hacked or phished.
But if I can't access my bank online, I'm not going to bow my head
and buy a bank-approved phone with a bank-approved OS and a
bank-approved $tech_company account. Who banks that often that they
really need to do that, outside of places like Sweden where cash is
almost dead?
kace91 wrote 33 min ago:
>I use all kinds of computers for communication. I'm
communicating with you on my desktop.
Sure, now get a date, connect with old friends, get invited to a
party or join your children's school parent groups exclusively on
free software.
>And a phone IS a computer, so why pretend it's not?
I agree we shouldn't, I'm just saying that it's unlikely for that
need to meet a large enough demand.
You might consider Instagram, whatsapp or similar apps personally
not essential, but for many (I would say most) people they are -
if not truly essential for living, at least essential in the
sense that they don't have much use for their phone outside of
those apps.
Which was my point, as long as the main use of a phone requires
passing through meta's (or whoever else's) hoops, it's going to
be a hard battle.
The only minimally mainstream uses of a phone that currently lie
outside the walled garden are piracy and emulators, and that's
already a stretch.
armadyl wrote 1 hour 40 min ago:
> GrapheneOS - root or adb not supported, so no
Like the other poster said, you can get root on GOS. However it's
highly ill advised and severely breaks the security model of devices.
99% of the time nobody, especially the average person, needs root on
their phone (imo). Allowing that easily just opens up the average
person to getting duped into getting their phone rocked with exploits
and possibly persistent malware.
There is no reason that a lack of root access should be viewed as a
negative within the context of GrapheneOS. In that case why even
mention or choose GOS? Just choose an Android fork with poor security
or a Linux phone with zero security instead.
AlBugdy wrote 1 hour 27 min ago:
> 99% of the time nobody [...] needs root on their phone
Do you also not have root on your laptops or desktops? I don't get
why it's so different. I don't just want to open TikTok and
Instagram, I want to use my phone computer as a computer. I assumed
HN folks would get it.
I would choose something as locked down as GrapheneOS for its
security if I was going to use it to install random apps left and
right and give them root or run JavaScript from random sites on a
browser I gave root to.
Anyway, not having root seems like a very weird way to harden
security. What about compartmentalization?
And what's wrong with my terminal app having root sometimes? How
is shadycryptonews.xyz/exploit.js going to leverage it? How would
even the Official Authoritarian Police State app leverage it?
I probably don't get it, but it's like people see 2 extremes - run
nothing ever in root or run everything in root all the time.
I want to run like 5-6 apps I trust.
Maybe if I wanted to secure a billion dollars worth of Bitcoin, I
would be OK with a separate phone without root, but then again I
would likely use a hardware wallet. What's the threat model for
someone who doesn't blindly give apps root or do anything stupid,
really?
armadyl wrote 2 min ago:
> Do you also not have root on your laptops or desktops? I don't
get why it's so different. I don't just want to open TikTok and
Instagram, I want to use my phone computer as a computer. I
assumed HN folks would get it.
The security models of desktop operating systems are far, far
behind those of mobile operating systems (Android/iOS). ChromeOS,
followed by macOS are the closest to mobile security but are
still severely lacking. Windows is farther behind and desktop
Linux might as well be minimum security. It’s not even an
equivalent comparison as you’re comparing mobile OSes to ones
on a platform with a fundamentally worse security architecture.
I mean, even to an extent some of the Linux distributions
understand the security problems with the traditional model. Look
at what Universal Blue is doing with their images and leaning
more into Flatpaks and containers for any developer like etc
tooling while actively discouraging installing things via
rpm-ostree.
> I would choose something as locked down as GrapheneOS for its
security if I was going to use it to install random apps left and
right and give them root or run JavaScript from random sites on a
browser I gave root to. Anyway, not having root seems like a very
weird way to harden security. What about compartmentalization?
The first sentence is inherently incompatible with the security
structure of GrapheneOS (for example). The point is to not give
applications root, giving them root circumvents basically all of
the protections GrapheneOS and Android give the user. Yes, mobile
operating systems were designed sandbox first to treat all
applications as untrusted. However it doesn’t matter if
you’re only giving “trusted” apps root, all it takes is one
supply chain exploit, one malicious developer, one anything to
make that app with root do something it’s not supposed to do.
Not having root is the best way to harden security. Mobile OSes
are designed to be heavily compartmentalized, each application
runs in its own sandbox. Giving an application root circumvents
the entire thing, allowing that application in theory to see into
other sandboxed apps etc. If you want a real world example look
at all the malware exploits that come into iOS via iMessage, one
of the only apps on iOS that’s not fully sandboxed like normal
apps.
> And what's wrong with my terminal app having root sometimes?
How is shadycryptonews.xyz/exploit.js going to leverage it? How
would even the Official Authoritarian Police State app leverage
it?
The problem is that we don’t know how they could leverage it,
so the solution is to eliminate that pathway entirely.
This is also my issue with the push for Linux phones onto the
average person (instead of the community coming together and
forking AOSP if they want to escape Google). The platform has
zero real sandboxing, and the average person still wants to use
Meta apps as shit as they are. These big tech companies’ and
governments’ apps would go absolutely crazy on Linux phones.
> What's the threat model for someone who doesn't blindly give
apps root or do anything stupid, really?
To not get unknowingly pwned. Realistically even if you have a
trusted app, you or the community can only verify that it’s
trusted at a specific point in time. Realistically a community
cannot verify that an app or package etc is consistently not
malicious and will more often than not lag behind in the
implementation of the exploit vs its discovery, it doesn’t
matter if it’s closed or open source.
To be clear though my view is that we shouldn’t be pushing
root-capable mobile operating systems onto the average person and
that no root is infinitely more secure than having it. Maybe
companies could provide alternatives, i.e. offering devices with
rooted versions available but offering no customer support if
something goes wrong with the software. But it certainly
shouldn’t be a default available feature for the majority of
the population.
garciansmith wrote 1 hour 45 min ago:
You can root GrapheneOS, they just don't recommend you doing so.
AlBugdy wrote 1 hour 35 min ago:
In their forum they repeatedly say stuff like:
> If you choose to root, then I believe its not considered to be
"GrapheneOS" any longer and assistance will not be provided for
issues you face
Getting no support would suck. Obviously it's a FOSS OS, so it
would be community support for the most part, but it's still
invaluable when you run into issues.
KetoManx64 wrote 1 hour 48 min ago:
GrapheneOS - does allow you to root/ADB. It's just not official, just
like LineageOS. You can even sign your own images and relock the
bootloader and have root if you put in the effort.
AlBugdy wrote 1 hour 43 min ago:
So I misunderstood about LineageOS - I haven't read anything about
it for a while. Everyone on GrapheneOS's forum is really anti-root,
they even mention it's not GrapheneOS anymore. From what I saw you
can't get any support whatsoever if you have an issue with root or
adb, which seems like a core component to any OS to me. Would've
been nice if there was a community that gave each other support for
rooted LOS or GOS. There could be one, though - I haven't
researched it.
Hasslequest wrote 2 hours 26 min ago:
fairphone support for pmOS is improving. What DE were you using? It
was probably just slow on the pinephone.
librem 5 is also an option. It is sorta expensive and weak but is the
most capable. [1] right now im on calyxos but development has been
paused for like a year
URI [1]: https://wiki.postmarketos.org/wiki/Devices
AlBugdy wrote 2 hours 5 min ago:
It was a long time ago, so I don't remember. Phosh or Plasma. I
tried to like Sxmo, but it was really unintuitive, unlike tiling
WMs on Linux.
Fairphones seems OK, although for €549 I'll probably stick to a
dumb phone and invest in a better laptop for now. I'm not saying
it's too expensive for what it is, though - it's still a tiny
computer with all kinds of periphery.
I just wish there was a version with a shitty camera for €50 less
or with no Bluetooth for €10 less - you get the idea.
Interestingly, when I went to [1] the prices for the headphones
were lower for a few seconds and got higher afterwards.
€186.75 -> €249
€74.25 -> €99
while the phone price remained the same. Both are increases of
33.(3)%. Probably a script that determined my location and added a
VAT.
URI [1]: https://www.fairphone.com/shop-home
sgbeal wrote 3 hours 7 min ago:
When typos are inadvertently funny:
> Google’s been working hard to relive everyone’s fears...
hagbard_c wrote 3 hours 23 min ago:
You still seem to need a Google account to be able to use the hardware
you just paid for. I don't have one, don't want one either. I've been
using Android without Google for about 15 years now but will hold off
on getting a new device until I'm sure I can continue using it without
getting a Google account.
fluidcruft wrote 2 hours 39 min ago:
Do you run a custom ROM? I can't imagine bothering with the hassle of
running a vendor OS without signing into Play.
hagbard_c wrote 34 min ago:
On some devices I run custom distributions (mostly LineageOS),
others I just root and de-fang by removing all objectionable
content including the Google bits. In all cases I put on F-Droid
with a few configured repos to get the applications I want. On a
few devices I also add some proprietary apps which are more or less
mandatory - electronic ID (BankID) being the main one - either by
manually installing it or through Aurora Store, an alternative play
store front-end which does not require a Google account. No Google,
no problem and no real hassle. My current main phone - a Xiaomi
Redmi Note 5 Pro - is 8 years old, I already have a replacement in
a drawer but have not configured it yet because I first want to
make a cover for it. Even though it is 8 years old it works fine,
the battery holds for 2 days and all applications I need still run
on it. The oldest device in use is 15 years old and also works fine
but it can no longer be used as a phone since 3G was switched off
where I live.
throwaway81523 wrote 1 hour 26 min ago:
I'm using stock Android with a bunch of F-droid apps and no Google
account. I've never installed anything from Play and don't feel
like I'm missing anything.
EvanAnderson wrote 1 hour 0 min ago:
I don't use F-Droid, but I've been an Android user for several
years on two different devices and I've never associated a Google
account with a device. I've installed all my software from APK
downloads from the open source project site releases they came
from.
It was really nice last year when I moved to a new device. I
restored my last SMS, call log, and contact backup with the open
source app I use for that, then loaded the rest of the apps I use
from their APKs. It was a lot like getting a new PC. Very
enjoyable.
aucisson_masque wrote 1 hour 49 min ago:
Aurora store makes it pretty seamless. Used to run my Samsung
without any account, no Google nor Samsung and things worked
perfectly.
catlikesshrimp wrote 3 hours 25 min ago:
WTF win? Sounds like I will need a tracking google account because it
can "carry over" when I "upgrade my phone"
"Google giving a concession" is no win.
WTF Concession? Why are we asking google for permission to use the
devices we bought as they see fit?
Ok, google is doing what is best for them, abusing users. But the
manufacturers are really to blame here because the devices are by
default locked to what google and them decide. There is no Market
Choice here.
ddtaylor wrote 3 hours 9 min ago:
Hopefully other vendors will adopt GrapheneOS like Motorola is
prepared to.
dzikimarian wrote 1 hour 49 min ago:
Yeah, but then banks need to be pushed to support it. And while
we're at it it would be good if people responsible for European eID
also stopped recommending Google device attestation.
yesbut wrote 3 hours 32 min ago:
can't wait until this is just completely bypassed and we can ignore
Google again.
idle_zealot wrote 3 hours 24 min ago:
There's not really a way to bypass Google if they don't want there to
be, and that's what they're moving towards. The only long-term
solution is to cut Google out entirely.
ddtaylor wrote 3 hours 11 min ago:
Motorola with GrapheneOS is an interesting prospect. The space is
ready for disruption and the tools to do it are more available than
ever. Maybe it will come from the EU. Who knows, but Google
overplayed their hand, IMO.
Also, let's be clear about the mobile landscape right now. Many
apps aren't written in Java or Swift, but instead are being
transpiled from other languages like TypeScript and using UI
libraries that aren't locked to the mobile platform itself.
When a new mobile platform enters the space it will require some
react-native and capacitor glue code and we are in business.
fluidcruft wrote 2 hours 37 min ago:
Motorola with GrapheneOS has all the same failings of any other
custom ROM.
Zak wrote 3 hours 34 min ago:
It's a very small concession. The high initial friction still means
when someone comes to me with a problem and I tell them the solution is
in F-Droid, they have to wait a day. Most give up and pick a different,
less trustworthy solution from Google Play.
andrewaylett wrote 3 hours 21 min ago:
Given the Epic settlement means Google is allowing alternate app
stores, and also the delay only applies for unregistered developers,
I'm not certain it won't actually get easier to get folk set up on
F-Droid.
It still remains to be seen what the actual requirements are, and
even if F-Droid could become "approved" that doesn't mean they want
to. Time will tell.
rockskon wrote 3 hours 14 min ago:
Why the hell should we "mother may I" with Google for running apps
on our own phones if it isn't sourced from the Play Store?
The "security" rationale is horseshit given just how much malware
is readily downloadable on the Play Store. Google never cleans
its own house before going after others.
hparadiz wrote 3 hours 2 min ago:
Don't you know? If one elderly person gets scammed we all deserve
to be infantilized.
packetlost wrote 1 hour 15 min ago:
Ok, but the vast majority of people do need their hand held
because they're incompetent, naive, or both. IMO this is a
pro-consumer move
bigstrat2003 wrote 42 min ago:
No. Society should not be holding the hands of adults. It's
unnecessary and it's insulting.
AlBugdy wrote 1 hour 4 min ago:
We shouldn't let naive or mentally disabled people dictate
how computing should work. That's the same logic behind the
age verification shit that's happening worldwide.
If you (not you specifically) are unsure of your abilities to
use computers, let a friend or a family member buy a dumbed
down device for you or install parental controls or
something. Or maybe have clicking the build number 7 times
reveal "toddler mode" where you can lock your device down
irreversibly as much as you want.
RedComet wrote 2 hours 11 min ago:
Wouldn't it be something if, given all the surveillance already
in place, law enforcement punished the scammers instead of the
innocent?
benoau wrote 2 hours 51 min ago:
(nevermind that the scams are extraordinarily likely to come
through Meta, Google, Apple, Amazon)
fluidcruft wrote 2 hours 42 min ago:
The scams are likely to come from outside Play. In the US,
these scams don't run because iPhone is the dominant platform
and side loading in iOS is not possible. In the rest of world
they are widespread.
LocalH wrote 2 min ago:
[delayed]
benoau wrote 2 hours 30 min ago:
Outside Play, on YouTube or via Google Ads for many of
them. Likewise for Meta ads.
fluidcruft wrote 13 min ago:
The scams that are happening in the rest of world are
calls posing as bank support about urgent security issues
and telling people to install apps to protect their
accounts.
xt00 wrote 3 hours 44 min ago:
How long before there is a "we've detected your account has been used
multiple times to re-setup a phone.. we've re-enabled the Google Nanny
Safety mode.. also we've locked your google account just in case.. "
I mean other than hackers, who has needed to factory reset their phone
more than once in a year you must be doing something shady... right
right?
Pooge wrote 4 hours 14 min ago:
There is no win. They are winning 50-0 and they just scored an
own-goal; so what?!
EvanAnderson wrote 2 hours 9 min ago:
Can't agree with you enough.
They're still moving the Overton window on making Android a walled
garden. They're playing a longer game.