This story with restricting users is a similar one to Manifest V3 in Chromium.
But we don't have anything like FF as an alternative to go from Android. Especially considering banks require "certified OS".
I switched to a Linux smartphone because I've had enough of the duopoly.
I also switched banks so I can use my bank card as the 2FA device, similar to CAP. [0]
[0]: https://en.wikipedia.org/wiki/Chip_Authentication_Program
Probably in the long run the only way to go will be to own/carry two devices. A long supported phone with stock firmware and apps you are "forced" to use to interface with the world around you, and a second Linux portable machine where you have your freedom.
No, it's not "long supported" phone fallacy.
Google and by extension banks, are claiming that the phone on, Android 9, without security updates AT ALL since 2009 is perfectly safe and secure to use.
Meanwhile, really well locked OS, hardened so well some of the improvements were later picked up upstream (both by Google and Apple), running _the_ latest AOSP version and releasing new security updates within hours is not considered safe and secure, despite assuring full chain of trust (including locked bootloader, verified boot, etc).
This is what Play Integrity does.
Of course Android supports a better scheme, hardware attestation, but of course Google enforces their iron grip on the ecosystem, and instead uses the outdated, flawed system that certifies only the devices with preinstalled Google services running in the privileged mode. Snooping on everything you do and have.
That's the reason.
When companies like Google talk about a device being "secure", they don't mean secure from malicious third parties, they mean secure from the user. The device is considered "secure" if the user cannot do anything with it that Google does not approve of.
That's it. It is a device secure for Google to:
* Enforce Hardware-DRM
* Enforce PlayServices
* Enforce apps which don't circumvent their business model e.g. YouTube-Downloaders ("Watch my ad again...")
* Payment fees from PlayStore
Taking a look at the dangerous crap in the official Play Store confirms that. It is full of awful and dangerous apps. It was never about the security of the user.
This is my exact feeling. Louis Rossmann talks so much about this (YouTube). I think the only secure device now is a dumb phone.
I am really learning to live life without the internet anymore. Between the lock in, the privacy risks, and just the hassle, it is easier to act like I am living back in the 1990's and just get used to the "inconvenience" of life without a smartphone. I can leave my smartphone in a faraday bag and just pull it out when I need it, or just wait to be in wifi. (I am homeless living in a minivan so this makes it much harder for me.)
I just do not know how much this will affect GrapheneOS or I would get a Pixel 9a. It seems like it will not, at least for the older phones.
At least we still have linux (for now).
But more and more computer technology is looking like a trap.
If anyone has any recommendations for a dumb phone that will work with AT&T please let me know.
It's been a minute but Nokia was selling dumb phones. I would also just check what at&t sells for very cheap prepaid phones in a physical store - they could tell you what kinda hardware still works?
Thanks, I'll check these options out!
Look at Sony phones and Sailfish OS
> Google and by extension banks, are claiming that the phone on, Android 9, without security updates AT ALL since 2009 is perfectly safe and secure to use.
Funnily enough that's actually a good thing in a twisted way. Long term, it will either force manufacturers to become much better with their update support, because apps will refuse to work on non-patched devices... or they won't and we'll all have one of those devices at home rooted through a long known CVE as a proxy for device attestation.
I've been doing this for years already, except I split it further to three devices:
1) an old iPhone with 0 personal data on it and in no way linked to my identity, which is used for completely untrustable commercial apps, and rarely even leaves the house.
2) a LineageOS Android which is my daily smartphone for things like camera and GPS, running almost exclusively open source apps, except for unavoidables like WhatsApp which are run in a separate profile
3) a GPD Micro PC running Void Linux, which is roughly the same size as the phone and a true swiss army knife. Its purpose is to reliably do what I want, when I want it. No systemd, for it does not spark joy. It is used for web browsing, note taking, light productivity, and playing movies on the TVs of friends who have overinvested in streaming and dongles only to find that $CHOSEN_MOVIE is not on any of their services.
I am not entirely happy with this state of affairs - too many devices, and still not enough siloing of closed apps like WhatsApp.
It seems to me that the way you have divided up the roles, you actually need 4 devices, because you need one to run commercial apps which are linked to identity (which rules out device 1) and which will only run on a "secure" device (which rules out 2 and 3). For example banking apps.
Keeping all those devices charged is already too much of a hassle for me to do this.
You won’t be able to do much with the second. Web sites will force login with google, etc. and only work for attested browsers.
Both Apple and Google decided against implementing device attestation in browsers.
They'll both change their minds at the same politically-opportune time. They're not competitors.
Apple has been shipping device attestation in their browser for years (Private Access Tokens), with no backlash.
And Google decided against evil too
for now*
I don't use Google login anywhere and have a lot of accounts with many different websites? Youtube and other Goolag ecosystem being the exception, but, of course they are?
Give it a few years, the google login nag screens are getting pervasive. And old school user/pw login is dying
> And old school user/pw login is dying
Is it though? Almost every new service has it, and all existing services keep offering it.
This is what I expressed considering, in another recent thread. Phone does phone things and "necessary" apps. Otherwise, it's a hotspot for the "unhindered" device.
I'd enjoy suggestions as to suitable unhindered devices.
P.S. I just hope we can continue to access / create unhindered devices -- and programs/apps (cough Manifest v3 cough).
>> Probably in the long run the only way to go will be to own/carry two devices.
Been doing this for a while. I have a smaller Samsung S22 for the apps I absolutely need that won't run on my Graphene phone. The majority of my day-to-day stuff is handled on my older phone running Graphene.
Been tinkering with Ubuntu Touch, but AFAIK they haven't figured out how to solve the issues with VoLTE yet here in the US but it's on my radar to try and make the switch soon.
I wish I had enough clout / money to get a Chinese tablet maker to allow me to install Linux. Luckily I could root it which is great, but outside that I'm lost. Hope someone will make my dream device with linux some day.
Someone already does, check out the StarLite tablet. It even runs coreboot firmware.
Well, I did not mention what my dream device is; I cannot stand the limited battery life on almost all devices. That's why I like companies like Oukitel; their devices go forever. My main driver (rooted and cleaned) is the rt7 titan 5g. It's the best thing I ever had. Rain, shine, in the pool, week long battery, you can hammer nails with it. That with Linux would be my dream device.
Which one?
It’s a Librem 5. I’m looking for a more powerful model that can also run mainline(-ish) Linux.
Fairphone and Sony Xperias
- Fairphone 5 works with Ubuntu touch
- Xperias that are from previous gen can run Sailfish OS
I've looked into others, don't recommend
Seeing as GrapheneOS appear to be recommended on the newest Pixel models, I wonder if it shouldn't be too difficult to get Arch Linux running on them with the AUR plasma-mobile?
Run away from Graphene, it is suspicious at best scenario and dangerous at worst.
Just observe that the key factor is to be independent from Google and then the only recommended devices from their side are exactly google devices where nobody here can have an idea of what is modified inside them.
You'd be better off supporting other distributions like Calyx, which have no problems in supporting other devices like the fairphone and so on.
I was very interested in Graphene, do you have other grounds for your suspicions?
I agree with the parent. GrapheneOS puts security above freedom, which is wrong. It forces you to give your money to Google and rely on Google hardware, which is questionable in the long term. They refuse to support different hardware "for your security". Their developers are constantly attacking GNU/Linux phones, which are the actual long-term solution for both freedom and security.
I don't think I've ever read any solid refutation of the technical choices of the project, mostly just character attacks, the basis of which are dodgy at best. They're completely up-front about the limitations and catches of their choices, too.
Those links don't really help your case, to be frank. Nothing strcat says reads as incorrect or even particularly controversial, they have personal beef with CalyxOS but their criticisms of the choices of the project are largely on point. They're justifiably upset by the mental health accusations too, it's kind of a joke that one of those people in the thread tried to gaslight strcat about how these accusations are somehow not a recurring issue when I, as a third party observer, have seen it come up all the fucking time.
Meanwhile, you're imagining "attacks" on GNU/Linux phones, when most of what I read from them regarding those was sober and reasonable, if not particularly positive, but they're allowed to do that. Their priorities are clearly security and none of those phones really have any.
>Their priorities are clearly security and none of those phones really have any.
As opposed to a black box from Google, that nobody really knows exactly what it does...
This is another project that knows what you need better than yourself. People are constantly asking them to add support to other hardware, but the answer is "it's insecure". This is completely wrong and forces everybody without a(n expensive!) Pixel to abandon reasonable security. Even Qubes OS allows installing itself on hardware without VT-d, with respective warnings, and plans to enable GPU acceleration in VMs on demand. Their priority clearly isn't to make as many people as possible more secure but to force Google on you.
Are you calling the above a "character attack"?
I would love to use GrapheneOS on my Librem 5 and Pinephone. No proprietary drivers are required. Yes, some security features are lacking. Yet it would be a win for everybody.
I didn't say anything about CalyxOS: I don't care about this.
> the answer is "it's insecure".
Can you give me a quote where they outright say this? Because my hunch is that what they actually say is something along the lines of 'because it doesn't have the security requirements that we desire' which would be true. Whatever their reasons for those choices, it also makes sense to limit scope given the extreme constraints they're working under and that scope is best limited to phones with the widest security feature support for their security-focus Android OS.
> Are you calling the above a "character attack"?
Grow up.
'because it doesn't have the security requirements that we desire'
aka, insecure.
I am continually puzzled that sometimes people can't put together a denial without including an affirmation as a crucial part of that denial. It's like they're doing the opposite of question-begging, they're saying that you're wrong because you're right.
No, the "key factor" of GrapheneOS is to provide a secure OS on a secure hardware. If the "key factor" was to be independent from Google, they wouldn't support Google devices at all. But since the Pixel phones are the only ones with secure enough hardware, GrapheneOS supports them.
They even tell you in their usage guide that it's more secure to use Google's app store than e.g. F-Droid (which neglects several good security practices for an app store), and that it's not a good idea to blindly aim for "degoogling" at all costs.
Go away with your baseless FUD.
I use a Pixel with GrapheneOS because it's really the least bad option available today. But it's not wrong to say that they strongly prioritize security over privacy or freedom/independence. That's a fair decision for them to make, but people should know what they're getting into.
> Pixel phones are the only ones with secure enough hardware
The biggest thing that excludes most phones from supporting GrapheneOS is the lack of unlockable bootloader. Pixel phones also allow the developers to target a large but homogeneous hardware base.
There is no single biggest thing. GrapheneOS has rather strict demands for a device they're willing to support, see https://grapheneos.org/faq#future-devices
GrapheneOS doesn't support Pixels with locked bootloader. It's where the game stops for all locked phones, a common practice now. You can already see how this is the single biggest thing.
The second big thing is that the "non-exhaustive list of requirements" is basically "whatever new Pixels do". Your conclusion that Pixel phones are "the only ones with secure enough hardware" is overstretching what's happening here.
The developers took the Pixel as a template because it's a well selling line, with good security, and generally with unlocked bootloader, and modelled the requirements based on it. It's a reasonable approach to the development of a niche security oriented OS because: "In order to support a device, the appropriate resources also need to be available and dedicated towards it". It has the downside that it makes it sound like no other phone has comparable security features.
Are the fully supported Pixel 6/6a more secure than any other non-Pixel phone sold on the market today?
What do you mean, "doesn't support Pixels with locked bootloader"? Yes, you need the bootloader unlocked to install GOS, but the last step during installation is locking the bootloader again. Having an unlocked bootloader is officially considered unfinished GOS installation. See https://grapheneos.org/install/cli#locking-the-bootloader
As for Pixels being more secure than non-Pixel phones, I would say they are more secure, due to existing hardware security features that most non-Pixel phones do not have, and just as importantly, due to still getting regular security updates from the vendor. Pixel 6 in particular is supported until late 2026, if I recall correctly.
This is the problem for most Android phones on the market - most of them stop getting security updates after a year or two, so your only option is hoping that one of the alternate Android OSes pick up the slack, e.g. Lineage or Calyx.
EDIT: That they modeled their security requirements based on the best device available at the time is simply how this works if the priority is security. They picked best of what was available, built features around that, and refuse to compromise for new device models if at all possible. And yes, no other Android phone has comparable security features for what they are doing. That's not how "it makes it sound", that's just reality.
> What do you mean, "doesn't support Pixels with locked bootloader"?
You cannot install GrapheneOS on a Pixel that was locked by the carrier, it's literally the first prerequisite they mention [0]. From here came my initial comment saying that the biggest thing that excludes most phones from supporting GrapheneOS is the lack of unlockable bootloader.
This is what should give you pause when you declare one phone to be "best HW for security" because it supports GrapheneOS. Some Pixels are unsupported even with the same HW/FW/SW.
You're acting purposefully obtuse. An unlocked bootloader is the prerequisite for any Android ROM; that does not mean other hardware features are less important than the other security requirements set by the project. Why other phones aren't comparable is literally explained with details two bullet points below your own link.
> purposefully
Mighty all-knowing of you.
Just read my first comment, see what I objected to, see what arguments I used, and then think 2-3 times if you really added to the conversation. There must be a better way to pad your comment count.
I did, and it makes this comment unintelligible unless there are no other Android phones with unlocked bootloaders. You've moved the goalposts, then got snotty about it.
edit: exactly who on this planet is motivated by "comment count" other than spammers?
edit2: the only way I can make your comments comprehensible is if I assume that you thought somebody was angry that they couldn't install Graphene on a phone with a locked bootloader. Before you assume the person you're talking to is insane, you should consider the alternatives.
> it's not a good idea to blindly aim for "degoogling" at all costs
Why not ? This seems to be exactly the push that was needed.
Out of all the models I saw, SailfishOS is the only one that ticks all the boxes for me.
Wish there were other alternatives. PinePhone Pro got discontinued. This is truly a duopoly.
>PinePhone Pro got discontinued.
At the EXACT moment everyone is now looking for Google alternatives. This is truly snatching defeat from the jaws of victory.
https://liliputing.com/pinephone-pro-linux-smartphone-has-be...
What if we collectively decide to use the web alternatives for banking? We lose some convenience since they are generally desktop oriented, but they don't check who signed my kernel
My bank recently made it that app-based MFA must be used for every single web login. Unless I and many others are willing to swap banks in the vain hope that the new bank won't do the same thing (I am not), then we're cooked.
Just say you do not have a compatible device. Special undocumented alternatives appear every time in my experience.
Sure, one option means paying for each SMS (actually they had to abandon that one), another option is getting a paid banking card just to use a hardware device. From my experience they try to make sure that you will get a certified phone. I just got one because for some reason my Redmi Note 10 despite passing all play integrity checks after hacks like Tricky store+Key box triggered some checks in my banking apps. I needed to use an aftermarket ROM, because my device would not receive any updates from Xiaomi (also I don't know why a device packed with Chinese bloatware is certified as secure in the first place). And guess what I bought: a Google Pixel. Smart Google, huh.
These "security checks" are a complete, total, absolute joke. Just a couple of weeks ago I had a friend ask me to downgrade firmware on a similar Xiaomi device from the latest LineageOS to stock to make two shitty banks work. Nothing I did on Lineage would make "security checks" pass, even though it was running the cleanest possible Android 15 with the latest security patches applied.
Now the phone is running stock firmware from 2020, with Android security patches from 2020, and with numerous publicly known vulnerabilities. The banks work fine, Google Pay works fine, every Play Integrity check passes, even the strongest one (device integrity).
The only reason I see for it being implemented this way is not to lock the bad guys out from your phone, but to prevent you from doing anything to the banking applications, even though it is still possible through said vulnerabilities.
One of said banks also refuses to run if it detects remote assistance clients on your phone (like TeamViewer), or even Discord, because apparently these were used in scams over the past few years, and we need to protect even the stupidest at the expense of everyone else. How did we come to this "future"? The worst days of desktop Windows weren't even remotely close to this nonsense.
The most stupid is the interplay with regulators: on one hand GrapheneOS is far too secure when it comes to CSAM or organized crime, on the other hand it is not secure enough for banking (most of the 2FA comes from the interpretation of the PSD regulations afaik).
It's not stupid. It's governments being extremely cheap. Banks (large banks are part of the government everywhere, at least when it comes to policy) and governments are totally dependent on certification (meaning someone to check security patches on devices), effectively a group of people that have some budget to check a lot of software version of a lot of devices. This doesn't have to be many people.
Nobody's willing to pay for it, so only Google, who have to do this for a bunch of other reasons, actually does it.
On the contrary, governments are imposing other restrictions on OS'es (like EU Chat directive), as well as making more and more critical government functions (like eID, and the various equivalents, and the banks) that can never work without OS certification, are utterly dependent on the App stores (it requires the ability to replace apps on user's devices without being detected), and thereby driving people deeper into Google and Apple's arms. Despite the fact that this makes the EU totally dependent on yet another US company, making this stupid. And, of course, it makes securing anyone in the EU against US spying an exercise in futility.
But it saves a little bit of money now, and gives the US, ie. Trump, yet another loaded gun aimed at the head of the EU economy. What could possibly go wrong?
Sell your airbus stock.
Google still didn't block leaked Nexus 4 keys, meaning anything rooted with magisk can spoof the integrity check.
Rooted. Usually with unlocked bootloader. Safe.
Also phones on Android 9 unpatched since 2009. Etc.
:)
Why would you care about this but still want to run Discord ??
Because that's where people are. The choice is to run Discord or be ostracized.
??? What's the correlation?
It's a platform, meaning you cannot run your own servers (as compared to "servers").
It's also Deep Web, not Open Web.
Furthermore, it's US-based, with an unknown amount of Tencent backing, going back to before even its creation.
> Sure, one option means paying for each SMS (actually they had to abandon that one), another option is getting a paid banking card just to use a hardware device.
That sounds... fine? Like... there are actually alternatives. Sure, if their plan is to phase out those alternatives, then that's bad, but... the current situation seems fine?
Reality is very different. If you have the courage, you can experiment living one year without bank card or wire payments, then your life is going to get very very difficult.
This comment isn't about living without a bank card or wire payments, though? It's about living with a hardware TOTP device
This problem is getting worse too, as more and more businesses become "cashless only".
Well, this is literally illegal in many jurisdictions.
And literally legal in many jurisdictions
If you're trying to imply Xiaomi is crap with updates so people buy pixel phones I don't think that makes much sense.
Agree with this. Either you'll get SMS OTP (which is free for the user, at least in the UK?) or they will send some 'calculator' or multi-colour-code-scanner device that generates OTPs. (Honestly this last one was the most impressive bank security system I'd seen yet; for every individual transaction, you'd have to scan the code and the scanner device would tell you what you were authorising, then you put the PIN in and get an OTP to put back in the bank)
that is just normal practice for business account transaction in my country????
business account can request such devices so if any malicious people can't withdraw funds without pressing a same combination in all devices (there are multiple devices) so there is no rogue employee
I switched banks when they required authentication with biometric and when I said I didn't want to do that the answer was
sorry, we can't do anything for you then
Most banks give you a physical device when you say you don't have a smartphone.
fuck it back to cash
I stayed away from cryptocurrency when DeFi and Web3 and NFTs were everywhere, but I've started paying with BTC where I can, so I don't have to deal with banking apps, and to stick it to puritanical payment processors, after the Steam/Itch debacle.
Know Your Customer is acceptable. Nanny Your Customer is not.
Monero is the cryptocurrency everyone uses for this. The userbase and community is completely separate from the Web3 NFT dog-coin crowd (unlike Bitcoin).
There's also systems like PaySafeCard, which is accepted by Steam.
Know Your Customer is not acceptable at all. It is the financial arm of warrantless global mass surveillance. The government got the private sector to do all the surveillance for them.
I uninstalled banking related apps from my phone years ago. I used it so infrequently that every time I did use it, it was as if it had been newly installed and didn't remember anything about me. Now I use a desktop web browser for anything finance (and it's Firefox on Linux, so thankfully that works for now).
It's getting repetitive to come with the same message over and over and over again, but in many countries you can no longer interact with your bank through the web browser. The banks' applications are either required for 2FA, or are the only way to use remote banking at all.
The last one applies in my country. You can of course go to the bank branch for every little financial operation, which is bad enough by itself for us living in cities, but is practically impossible for my relatives in the rural area, who would have to drive 100 km to the nearest bank branch, and then back just to move some money between two accounts.
Even if you don't care for anyone else but your country, it will come to you also, I promise.
You should at least complain to your bank and government, support NGOs fighting for your freedom like https://edri.org, https://eff.org, or equivalent in your country.
Forcing you to use foreign megacorps for essential services should be illegal if not already.
Sure, I complain basically every week, but it's like moving a mountain. It was the government's idea, and they're very gung-ho on continuing with it. The official reason is fighting tax evasion, but the more probable one is that the ruling elite has major stakes in all major banks, so they're very interested in making everyone dependent on those banks.
The only realistic thing left for me is moaning about it on the ole 'net and hoping (probably in vain) that this disease doesn't spread further to other countries. Western democracies are already in the process of copying several bad ideas we implemented 10+ years ago (and China more than 20 years ago), I don't see a reason why this also wouldn't be ported over.
And the digital sovereignty argument doesn't really work, one of the banks uses its own payment system — mostly copied from Chinese AliPay — and it's the most popular one here. Zero dependence on "the West" other than the phones themselves, where they think they have an alternative in Huawei and friends, and you're gonna have to depend on someone in any case, even just for internet infrastructure, or even cash printing machines.
The problematic companies are all Russian/Chinese/USian(/Israeli ?) last I checked, so what "the West" generally has to do with it ?
The reply was to GP's:
> Forcing you to use foreign megacorps for essential services should be illegal if not already.
The only two major mobile operating systems are developed by American companies. The two most popular global payment processors are maintained by American companies. The hardware is jointly developed by a bunch of countries, basically all of them in North America and Western Europe.
If one brings up digital sovereignty, should I think not of "the West", but of Tokelau, South Africa, or Brazil?
> Zero dependence on "the West" other than the phones themselves
A smartphone today is the most essential and private thing you have. This is as far from "zero dependence" as you can get.
> they think they have an alternative in Huawei and friends
Do Huawei phones work for banking in your country? If yes, does it mean, Google Play / integrity isn't necessary?
Huawei phones have their own alternatives to Play Services; none of the banks work on pure ungoogled and un-everything Android. You have to use a locked device which you have zero control over in any case.
It's not really that different from forcing you to use a national midicorp (a bank) to bank.
CBDCs solve this in theory, but the government would add the requirement back just for funsies.
The phone will be used as MFA, and that will have requirements especially on Android versions. So it is going to be harder to escape it, it is darn comfortable using Android as an MFA. Many banks still use a custom device for MFA here but it is slowly going away.
BankID in Sweden and similar in other European countries.
For now the custom issued 2FA is still an inconvenient option, but nearly everyone uses the phone for 2FA as it is so much faster.
Many banks are slowly phasing out their websites to go app only.
In Australia they aren't phasing out web, but anything high risk like a transaction to a new contact and you have to approve it on the app. The app is considered a significantly safer environment.
I get text messages to approve new payees. No apps.
Which ones?
every single Brazilian bank for instance
Brazil is screwed anyway from what I heard about WhatsApp being mandatory for daily life ?
Even though I very much dislike WhatsApp, it does not require having full control over "your" device, and does not make itself an arbiter of what you can or cannot install on "your" hardware.
I can't see them changing this in the foreseeable future, major parts of their userbase run the cheapest phones one can buy, and they're much more interested in as much data as possible, so near 100% device coverage has to be important for them.
Last time I tried to use WhatsApp (in 2024), it was also basically unusable, because after I gave it the barest amount of information during installation (using its own dialog screens !), (in particular not willing to share my contacts), it regularly locked me out (IIRC as not a 'real' user).
Brazil is screwed beyond belief but WhatsApp being popular is the least of our problems. It's got enough end-to-end encryption to defeat judges. It's much better than some parallel universe where people are using SMS or Facebook Messenger or whatever. I'll count my blessings.
In my country banks have required users to install "security modules" to log into their accounts for decades now. Once upon a time I tried to crack one of these things open. I discovered they were literal device drivers running in kernel mode and I caught them intercepting every single network connection. Told me all I needed to know.
They even have Linux versions:
https://aur.archlinux.org/packages/warsaw
https://aur.archlinux.org/packages/warsaw-bin
Who even knows what this malware does? I sure as hell don't want to find out.
For the bank, things like "fraud prevention" override literally everything. There is no limit they wouldn't cross and there is no freedom they wouldn't trample in the pursuit of their goals.
Also, use ATMs if you can instead. Don't use proprietary code on your own machine; run it on theirs instead.
I don't understand the sentiment - how does relinquishing control of the hardware help us? I see a possible future where the banks/governments give the people devices to use for these things, and I don't like this future, as these would surely become spy instruments.
Not OP, but sharing the sentiment (never had banking or similar software on a phone, yet using ATMs, banks' web interfaces, offices). Avoiding interaction with a bank completely is rarely viable these days, and they will run their software on their hardware to operate either way (whether it is an ATM, a bank office, or a website). I do not see it as relinquishing control of the hardware, since you are not expected to control a bank's hardware in the first place. While setting it on your phone comes with the usual risks of running proprietary software on your machines, such as sneaky data collection. If banks/governments will give mobile devices to people for that, those may act even a little more like electronic ankle bracelets, but they would also be isolated from your other data and software; in places with near-mandatory government software, some choose to create such an isolation by having multiple devices for different purposes.
> how does relinquishing control of the hardware help us
It's not relinquishing control, but separation of concerns for hardware.
Banks should manage their hardware, not your hardware.
Yep! Thanks for helping me put my points across better. It's like having a separate work computer, for example.
Okay, I guess more to the point, I don't want the banking app forcing the OS that I use. They can provide their own damn hardware!
> the banks/governments give the people devices to use for these things,
Give? The devices will cost "a reasonable amount" and have GPS tracking "for your safety".
Most banks here (nl) give you a dumb coincell battery powered code-calculator, either with or without smartcard access to your banking-card. Basically some form of TOTP or challenge-response system.
Those devices have no network, no connectivity, no gps, and no interface besides a tiny 7-segment lcd display and some 0-9 buttons for pincode entry.
I'd be satisfied with that.
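The offline code calculator described above needs only a shared secret plus either a clock or a typed-in challenge. The sketch below is an added example, not part of the thread and not any bank's actual scheme: it assumes RFC 6238 TOTP and a simplified HMAC challenge-response, and the `BankServer` class, the key and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import struct


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: the low nibble of the last byte picks 31 bits."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238, HMAC-SHA1): what a rotating-code fob displays."""
    counter = struct.pack(">Q", unix_time // step)
    return _truncate(hmac.new(secret, counter, hashlib.sha1).digest(), digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Server side: accept the current step and `window` steps of clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if t < 0:
            continue
        expected = totp(secret, t, step, digits)
        # Constant-time comparison; no early exit so timing does not leak the step.
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok


def response(secret: bytes, challenge: str, digits: int = 6) -> str:
    """Challenge-response: the user keys in the challenge, the device shows this.
    Simplified construction (assumption), not EMV-CAP or any bank's real format."""
    mac = hmac.new(secret, b"challenge:" + challenge.encode(), hashlib.sha256).digest()
    return _truncate(mac, digits)


class BankServer:
    """Hypothetical verifier that issues single-use challenges."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = set()

    def new_challenge(self) -> str:
        challenge = f"{secrets.randbelow(10 ** 8):08d}"
        self._pending.add(challenge)
        return challenge

    def check(self, challenge: str, answer: str) -> bool:
        if challenge not in self._pending:
            return False          # unknown or already used: blocks replay
        self._pending.discard(challenge)  # burned even when the answer is wrong
        expected = response(self._secret, challenge)
        return hmac.compare_digest(expected.encode(), answer.encode())


if __name__ == "__main__":
    key = b"12345678901234567890"   # constructed sample key (RFC 6238 test secret)
    print("TOTP at t=59:", totp(key, 59, digits=8))
    bank = BankServer(key)
    c = bank.new_challenge()
    print("challenge", c, "->", response(key, c), bank.check(c, response(key, c)))
```

Nothing in either scheme requires the device to have a network interface, location or any identifier beyond the key provisioned by the bank.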
It sounds like an implementation of Orwell's 1984 telescreen
In what way, if supplied by the bank and used only for contacting the bank to do banking, could a device become a spy instrument?
Kicking banks off the internet/apps would make Android and Apple less cushy.
> In what way, if supplied by the bank and used only for contacting the bank to do banking, could a device become a spy instrument?
Here's my attempt at future history: Firstly they'll require you to prove your current location, to ensure that the request isn't made by a remote hacker; they'll do this by integrating their own cellular modem, as well as scanning local wi-fi networks. Then, at a second phase, they'll integrate a camera and microphone to perform a face identification, asking you to speak out a particular phrase while performing a particular motion. At the start they'll only require you to turn the mic and camera on during active usage, but eventually they'll say that these have to stay on continuously so that they can ensure that the device wasn't tampered with. And if we aren't careful, we'll accept every single small added requirement, until we're boiled alive.
If it was normal and expected that you carry the device around, to make purchases with, then all that would be very bad, and it becomes like a phone but worse in some ways (less ownership over it) and better in others (does not contain other personal data).
However, if it sits at home in a drawer, it can keep its camera on all it likes, transmitting images of darkness, and tell the bank repeatedly where your home address is, and sometimes (when in use) confirm what your face looks like. Not a privacy issue I think?
Probably it would become expected that you carry the thing around and it replaces cash and cards, but that seems to me to be the crucial step if it's going to have meaningful potential for spying.
ATMs are disappearing. There used to be one at every corner. Now, I have to travel to the next village that has just one left at the train station.
Cash is positioned as suspicious. In 10 years, it might very well be illegal.
Not in the US... have you seen the first or second Shrek movie where a monster busts in on a Starbucks and all the scared customers run across the street to another Starbucks? Like a virus they're everywhere. Same thing for atm machines. Cash is doing just fine.
Ain't gonna happen (unfortunately). Somehow people (outside of HN) seem to like to use apps for everything. EVERYTHING.
Can anyone confirm that the situation regarding authentication in the EU will change with the PSD3 directive? As far as I read, the directive will require authentication methods for individuals without smartphones. Anyone already working on this?
All EU banks provide a hardware device if you ask for it already.
Not all. Mine was willing to downgrade me to SMS 2FA though.
Except they did in several countries, typically using activeX.
It's too late for that. In many Asian countries, most of the banks have completely removed access via a browser.
> What if we collectively decide to use the web alternatives for banking?
So, like, legislate it?
Prior art exists on this point.
Most banks worth their salt accept GrapheneOS.
DNB in Norway does for sure. Same for BankID, national electronic identity authorization provider. There are good programmers out there that know their stuff. Find a bank that has a hacker culture like DnB.
I remember that I chose them just by comparing uMatrix output between them and SpareBank - the other big player. DNB had no 3rd party trackers showing, while SpareBank had a lot.
Same in France, I would have switched to another bank that supports GrapheneOS if mine didn't. In my case, I doubt it's hacker culture but more of a sovereignty and accessibility issue which made them choose to not rely on Play Integrity.
I use several European banks, GrapheneOS works just fine.
FYI, I know that Revolut is a Europe-wide bank which does not use Play integrity. In case anyone needs it.
I've only had one non-banking app trigger the "used Play integrity" warning, though that app apparently does not care and still works fine.
ChatGPT app is annoyingly triggering it with every prompt reply.
But there is this escooter app in Norway called Ryde, that blocks itself from even being seen on Play Store. They are otherwise very good, excellent support, responded positively to some UI feature requests. They also have a living wage policy for their battery maintenance mechanics.
How would I approach them about changing how they verify phones? I'm no dev really and feel like it's a little above me.
I'm not sure that's the best answer but GrapheneOS has a page they recommend linking to developers that may be interested in supporting something else than Play Integrity: https://grapheneos.org/articles/attestation-compatibility-gu...
I live in Thailand which is very mobile first and the main way to pay for things here is through your banking app, you scan a QR code, it fires up the app and you make a transfer.
The convenience is great but increasingly businesses now begin to offer this as the ONLY way to pay.
I keep telling people because I'm seeing it begin. This is how it happens, this is the endgame for freedom, democracy and life as you know it. Give the West 20-30 years, it will happen in some developing countries sooner.
They will require the approved app to buy and sell. Without it you will be outside the financial system, and maybe will starve.
They will require the approved app to only run on the approved operating system. You will have 2-3 options for the approved operating system but total surveillance will be a mandatory feature on all of them.
Finally, they will punish you for wrongthink when your surveilled device detects you writing or saying it.
As the world gets worse political leaders will become more authoritarian until one finally checks the last box on that list, and that's the end.
There will be no escape except for death.
All the pieces are coming into place. Every time you hear them talking about better security for XYZ you can see how it's one of the pieces on the board, being moved one square.
I don't think there is one guy who has this master plan I think it's the inevitable end state for surveillance capitalism that's as pervasive as ours.
I am an atheist, I think the Bible is all fairy tales, and yet the "Mark of the Beast" vibes I get from where the world is going are out of control. The mark on your hand or your forehead that will be required to buy or sell, that was what you'd be forced to accept once the Antichrist took over, or whatever. The 2,000 year old fairy tales were not wrong they are starting to set it up now, you carry the device in your hand, they will do it through payments and banking.
I am curious: how do tourists pay? Will they be forced to install those apps as well without having a bank account in Thailand?
When traveling to China, which is also a very mobile-first country, you're expected to install AliPay and WeChat. A couple of years ago AliPay started accepting foreign bank cards, which you add to your account (in addition to lots of other information including photos of yourself and scans of your government id), and then pay through the AliPay application everywhere. Cash has been made extremely inconvenient or even impossible to use, foreign cards are also often not accepted.
The government and one of the largest banks collaborated to release an app which lets tourists make payments through the QR based system this year: https://www.tatnews.org/2025/03/tourist-e-wallet-tagthai-eas...
> I am curious: how do tourists pay?
Cash or normal credit/debit card, but I guess that for natives, having a credit/debit card costs more money, and cash, well, it's cash like everywhere else with its pros and cons.
This has been happening for a while. I've seen plenty of card-only shops in the UK and US.
I don’t need a bank for my daily driver and I can have a backup phone. You can get fairly recent Android devices at a fraction of the cost of a new one.
And if you still can, use the website.
I also had enough. Switching to Linux pretty soon.
The alternative is older versions of Android, from before these hostile changes. The propaganda that it's "unsafe" is just that, propaganda. Perhaps Google will realise once enough of the population refuses to put on the noose.
the majority of the population will happily put on the noose and they will join in on pressuring you to do it too. Don't kid yourself. However, a successful resistance movement only requires like 3% of the population or something
The problem is not the propaganda, it is the businesses restricting the freedom and choices of users because of this propaganda.
So many apps even refuse to be installed on older versions of iOS/Android.
> So many apps even refuse to be installed on older versions of iOS/Android.
That's because they see older versions of Android decrease in usage so they think it's fine to lock them out and potentially lose customers[1], but they're not going to do that to the majority of them.
If the majority stops falling for the propaganda and "upgrading" to a worse experience, other businesses will follow.
[1] I have told businesses that changes to their site have made me no longer want to do business with them, and seen responses ranging from complete dismissal to quick reversion.
Yet another reason to dump iOS/Android : planned obsolescence of this form.
It's totally unfeasible for those using stock devices. Refusing to upgrade takes lots of attention even from experienced users like developers. A regular user just doesn't have any chance to avoid accidentally clicking or intentionally accepting the annoying permanent notification to upgrade the OS.
It's the norm for the huge number of users with devices where there is no newer upgrade available from the original manufacturer. Back when Android was great(tm) there were far more of those than today.
The bank app, mandatory updated to the latest version, does not run on old android.
Here's what I think Google should do: I really like the Work Profile feature. It essentially sandboxes Work from personal and it adds nice little briefcase badges to mark apps that are in the Work Profile.
Another solution might be to add an optional Uncertified Profile that if turned on allows unregistered apps but sandboxes them and marks them with a "dangerous" badge. That might ensnare these trojans and malicious apps that pose as legit. That might be enough to scare grandma and let people who know what they are doing do what they want.
Although, frankly I'd just prefer google just made a "Secure Profile" to keep bank apps and other high-security apps away from everything else.
> allows unregistered apps but sandboxes them and marks them with a "dangerous" badge
Surely apps are sandboxed on android by default?
To some extent, but permissions are very loose on Android (i.e. broad and difficult to fully think through implications in terms of how apps might interact) and in many cases they are not fine-grained enough. For example, without Work Profile it's difficult to compartmentalize to avoid mixing personal and business files and it's difficult to say what apps do behind the scenes (say, PDF or word document viewers try to be "helpful" in ways you don't really want) and other intents.
I don't do banking on my phone. I really don't understand why anyone would. If I can't get to my PC or laptop, I'm probably near an ATM. I've already given so much autonomy to Google/Alphabet/Apple, I won't give them access to my bank account.
even if you use a computer to do banking, like i do, some banks still require an app for 2FA, or windows...
ATMs won't let me send money or do any other kind of maintenance
> some banks still require an app for 2FA, or windows...
Are these limited to only "approved" apps? Usually you can add an auth to an app via a qr code or string. Why can't people use whatever auth app they want, or even just roll their own?
it's something nonstandard, so there are no approved apps, but it is only the app provided by the bank and nothing else. there used to be two, one for auth only and one for onlinebanking itself, which was optional because you could use auth to log into the web. as i understand it they merged the two apps and now only support the all-in-one app. apparently the banking features of the app can be turned off, but i could not see if that can be locked too.
I think this depends on the ATM. OCBC ones do allow sending money digitally.
Oh, and you can always send money by withdrawing cash and giving it to the other person physically.
Or go to the bank branch, or write a cheque.
I won't leave my home to type a 20-digit IBAN into an ATM.
I won't travel to another city or country just to hand money in cash.
I won't travel to a branch to... I have never ever written or received a cheque, what the heck even is a cheque? A piece of paper someone can photo-copy?
I used to be able to do all of my banking from a web browser, from any browser/OS I liked. I've had a fob that displayed a 6-digit code rotating every 30s. This used to be simple and secure. What you propose is ludditism.
Luddism -- in this case going without a smartphone altogether -- is quickly becoming the most reasonable option.
You are also quite quick to dismiss cheques as someone that never even tried them...
What about GrapheneOS?
I'm not going to buy a Pixel feeding Google further with my pennies just to use GrapheneOS.
Well you can always buy second hand/refurbished.
Viability of second-hand still drives market demand, as people have an incentive to buy devices that have resale value. The counter-argument is that otherwise this device will become e-waste. This is still a conundrum, but "don't give your money to Google" remains the active topic here, so...
True, but GrapheneOS only supports Pixels because of the unlocked bootloader and hardware security. If more and more people adopt Pixels solely to install GrapheneOS, it may drive other hardware manufacturers to offer a device that meets GrapheneOS' requirements, and then they can bank on grabbing almost all of the Pixel GrapheneOS market share, or at least the fraction which actively wants to avoid google (which I suspect is at least 75%).
Maybe you should buy good devices from any vendor, and the market will do what economists say it should do, and keep making those devices. (As if!)
But Google is one of the rare Android smartphone vendors that allows you to install a custom operating system, while still allowing the same security as with the default one (i.e. allowing bootloader re-locking with a custom key).
Is it a joke? Have you seen the list of supported devices?
https://grapheneos.org/releases
(Pixels only)
Is there anything about GrapheneOS that limits it to only Pixel devices, or was it just a prioritization decision?
It is sus as heck and just about everyone in cybersec was complaining about that weird decision.
Go for Calyx or any other android distro, they have zero difficulties in supporting more devices.
Suspicion constantly comes up in this regard, but their site (as linked by another commenter) provides their rationale.
The last Cellebrite leaks show it as more secure against attacks from le than the current iPhones, and that's more important to me than abandoning google hardware.
GrapheneOS developers are free to set their bar wherever they like it. It's an independent, non-profit foundation, driven by community contributions. They provide a web-based, hands-free installer. They offer their work for free, and owe nothing to anyone.
Personally, I wish there was an open/libre device on the market that GrapheneOS could target.
> Personally, I wish there was an open/libre device on the market that GrapheneOS could target.
You mean, Pinephone and Librem 5?
Serious question: can you point out some serious complaints? They seem to have an exhaustive justification for their reasons to only support Pixels, see https://grapheneos.org/faq#future-devices
This list always bugged me. If Pixel - for example - starts to introduce security patches slower, they will change this list... or even ignore it. If something more secure comes into the picture, they will change this list, and they will ditch supporting Pixel. If they don't, then it will be quite obvious that they formed this list only to meet Pixel's feature list. Also Google can obviously satisfy this list more easily than any other company, so basically they created a moat for them.
Calyx development has stopped.
Yes. There aren't many Android smartphones that allow you to re-lock the bootloader after installing a custom operating system. Pixels are the only ones officially supporting `avb_custom_key`.
Again, technological measures against this kind of attack on ownership rights fall short and are probably what conglomerates want since it keeps the tech people busy in a self-satisfying "fight" against the big corporation.
You need legislation.
This is the social solution. It's making users aware of the issue and pressuring them to not upgrade, and in the long run pressuring legislators to forbid such monopolistic practices if the average person dislikes it.
Copying this here for those that want some specifics:
Some things to advocate for to counter the direction we've been going in.
1. Termination of WIPO Copyright Treaty (prerequisite for #2)
2. Repeal of DMCA. (primarily because of Section 1201)
3. Enact and enforce, Right to ownership, Right to repair laws.
4. Enforce antitrust laws. / Break up monopolies
The establishments don't want to break up monopolies! They probably made a deal to allow them to have monopolies in return for total dominance (don't think it is going so well).
Nothing will be resolved via legislation when the people making the bill are the same people in the revolving doors from the transnational corporations that the bill is supposed to govern. A lot needs to be altered if we want this really to serve the 99%.
This.
You can have a popup, but it must have a call-to-action. Explain to users how to fight this.
It's open source... We don't need legislation; you are free to do whatever you want, and open source provides those freedoms. You just want it to be the way you want it instead of it being the way that benefits the most people.
This "fight" will always be lost, because the other side is 99% of the population and they want to stop scammers more than they want to enable you to publish software to a personal tracking device anonymously...
99% of the population doesn't fall for scam apps outside the Play Store. They don't want to stop app scammers, because they don't have any issue with them. It's only a small minority which does, and which is supposed to justify the new restrictions in Android.
99% of the population wants to fight scammers; they don't want their grannies scammed. It 100% justifies it. Only entitled nerds think their silly edge cases matter more than everyone else.
Granny isn't installing unsigned binaries on her phone or rooting her phone. Don't bullshit us.
The reality is we don't need to fucking remotely rootkit someone's phone to scam them. This isn't how the vast, vast majority of scams are done.
Relying on client side trust is a recipe for disaster, and anyone even kind of technically minded should see that.
The scams are also edge cases. Some people will always be stupid enough to hurt themselves with a 99% safe system.
No, they're not. And by saying that, you've proven why the "fight" will also result in the other side winning. Ignorant, pedantic, arrogant, and entitled technical people vs the rest.
99.9% of scams on Android/iOS happen by making people install remote assistance apps from... the "100% safe" app stores. So, no, you're completely wrong.
Of course they are edge cases. How many people do you think install third-party apps on Android? Pretty sure hardly anyone does that.
Also, Windows works pretty well with software from third-party sources, or would you forbid them in Windows as well? Sure, there are the occasional crypto scams which disable a hospital here and there, but this can arguably be prevented by not giving non-admins admin permissions.
> This library is licensed under the GPLv3.
If the intention was to make it easier to spread the word, you've already failed.
Anyway, this whole library should have been a copy-pastable snippet for a dialog or toast (what's with the duplicate code?); the only value added is the translation, which most app devs already have a pipeline for.
The code part is so trivial that I suspect it doesn't even meet the legal bar for copyright protection in many jurisdictions.
> Anyway, this whole library should have been a copy-pastable snippet for a dialog or toast
People under-value copy-pasting. I'd rather copy/vendor a thousand lines of code (with license+credit intact) than add it as a dependency.
I'm working on a side project, and needed a CPIO library for Go. CPIO is a fixed thing, a good implementation is "done". U-root[1] has a really decent implementation, so I've vendored 2500+ lines of code, as otherwise I'd have to (indirectly) depend on almost 700.000. Great value.
Yeah this is very `npm i is-even`
OP, I recommend switching to the LGPLv3. It ensures users remain in control over your part of the code while avoiding this type of reaction.
Not really, it would have maybe avoided the first paragraph. I actually really like copyleft, but I assume the social statement here is more important than the code, thus making it easier to rally around it should be the priority.
A CC0 copy-pastable snippet, plus maybe this helper library with a permissive licence. The only way this would go popular is through slacktivism, so you need to remove any friction.
changed it to Apache V2.0 license
That's more fitting! I wish I had a popular app to spread the word from, I do like the spirit of your project.
changed to Apache V2.0 license
> Google has announced that, starting in 2026/2027, all apps on certified Android devices will require the developer to submit personal identity details directly to Google. Since the developers of this app do not agree to this requirement, this app will no longer work on certified Android devices after that time.
I don’t have any hope that this will sway Google, but at least the users are being warned.
GPLv3 seems like a quite restrictive license for such a project. I would assume they want that note to be spread everywhere and while about user's freedom, the freedom for that code may be less relevant.
changed to Apache V2.0 license
Nice timing. I’d probably just ship a simple in-app dialog instead of a whole dep, but the message matters. For non-root users, will ADB + “Unknown sources” remain the escape hatch once the new checks roll out?
You don't need this library, it's just an `AlertDialog` wrapper with a check in `SharedPreferences`. It's not particularly well-written.
If this library is licensed under GPL, you can't really use it without relicensing your entire project, right?
changed to Apache V2.0 license
Rad. That's the way to do it.
"Avoid Google. Don't buy Google products, especially their phones."
Money is the corporate language, especially for Big Tech, which is always several steps ahead of legislation.
Will corporate care? Google alternatives are either iOS (which has had the same restriction for a decade now so you're not gaining anything by switching) or a super niche OS that isn't going to be profitable in the mass market.
> "Avoid Google. Don't buy Google products, especially their phones."
Ironically their phones are the best way to avoid this shit, because they are one of the few that properly support securely installing de-googled Android Versions.
Agreed, ironic. I recently switched my Pixel to Graphene
Didn't Google say that they're gonna provide an escape hatch for students and hobbyists? So, best case scenario, we just need to tap some label 5 times to enable side-loading again.
We have different definitions of an "escape hatch". A user is not an IT specialist. Ordinary people need unobstructed access to lifeboats.
Apple allows developers to self-sign a handful of apps (exclusively from source!) with short-lived certs - it's a complete PITA to maintain a simple app for personal use, and you still need an account. Google is heading in the same direction.
Also features that people assume are part of the OS, like push notifications, but are really a service run by Apple that your phone is locked to using cryptography don't work with self-signed apps.
You are able to get a limited number of app installs for your package for free.
https://developer.android.com/developer-verification/guides/...
Which still requires ID verification.
How many people would that really stop? It wouldn't stop me from feeling comfortable with creating android apps that are capable of being side loaded.
> You'll need
> Your legal name and address. These need to be verified by uploading official identity documents.
I don't have a "legal name". Sounds like some sovcit bullshit. I go by several names, none of which is canonical. Maybe other countries formalize this idea, but the countries where I am a citizen/resident do not.
> A private email address and phone number for Google to contact you. These will need to be verified using a one-time password
I love that email OTP is good enough for this, but apparently not for anything else, where I'll need an approved verified secure attested super official app.
> I don't have a "legal name". Sounds like some sovcit bullshit.
Considering every country has passports and passports all have the person's legal name on them. And that the passport standard only supports having one name with a primary and secondary identifier. You must be mistaken.
Not everyone has a passport. And people with strange or no name may have passports with names that are not theirs.
They might have several different passports from different countries.
It's also fairly common for instance for women to have multiple names from their marriage(s).
All this has me wondering: what's the future of chroot-based tools like proot-distro? No app store here, just PPAs. Can largely run whatever the hell I want, provided it's distributed for the OS I'm currently running.
The future I see is that it gets rearchitected such that each app will correspond to an android app that way it follows the Android model properly. The current model of shoving everything into the same app is going to continually run into problems and is not the right way to do it long term. So essentially there will be a tool to easily convert a freedesktop Linux application to an android one.
In regards to this new package name registration whoever is running the repo of such packages would register a new package name for each app.
A little bit overkill to use a dependency to just show a dialog. I agree that Google is making Android less and less free with every new release, but show a damn dialog, no need to use this.
It's also pretty sloppily coded, with the same code repeated in both branches of the `if`...
https://github.com/woheller69/FreeDroidWarn/blob/master/libr...
If it was 2023 I would say someone just vibecoded a trivial android piece of code. But nowadays Android studio comes with Gemini agent integrated, and I doubt it would produce such terrible redundancy on a code so simple.
Sounds right. Though may aid in spreading the practice if it accumulates stars, goes viral on places like this?
I think creation of this repo is more of a statement than creation of utility.
I would say it's both a statement and a way to encourage other developers to "speak with one voice". Like handing out printed signs at a protest.
The library features localized warnings.
Based.
I wonder how badly Google's shenanigans will affect sales of new Android devices too. I've been looking to buy a foldable at some point, but I'll have to make entirely sure it won't be of an effectively broken (too new) Android version.
I doubt them locking down side loading will make more than 1% difference. Most people just don't care.
This. The average person doesn't even know what sideloading is.
Hence they are comfortable making this overreaching decision.
Well what is the alternative? Apple does the very same, even in the EU.
The single most prevailing argument for Android was always “sideloading”.
“You want sideload on Apple? Go buy an Android”
I see this change as a win, personally.
a) it will finally shut the fuck up braindead sideload, Apple bootlicking, haters
b) EU can go after both Google and Apple to allow sideloading (one can only dream!)
Win-win.
It's not the same because Google still allows you to load apps for free. Apple forces you to pay a yearly subscription.
Wouldn't it be nice if, in this time of feeding our IDs to the machine, there would be someone who would also offer some nice and easy way to identify ourselves digitally? Maybe someone who sits on all that unverified advertisement tracking data already and somebody who has an AI agent to feed?
I'm sure everybody would profit from that...
https://blog.google/products/google-pay/google-wallet-age-id...
Fascinating that the same company producing zero knowledge proof implementation didn't think to use it for the purpose they mention here. Do these departments not talk to each other?
It's Google we're talking about. Likely the left hand has no idea of what the right hand is doing. And it's got far more than two hands.
What property would they prove? The whole point (supposedly anyway) is they know your actual identity in case you publish malware.
What would be my options as an end user who does not want to root his device?
Perhaps a Fairphone 6 with /e/OS (which is a de-googled Android)?
https://shop.fairphone.com/the-fairphone-gen-6-e-operating-s...
> who does not want to root his device
Why not? Freedom isn't a given --- you need to fight for it.
You can't expect people to go into fight mode for every single chunk of social interaction they engage into, and still be able to enjoy any moment of freedom.
A society which values freedom should of course give a lot of it to its citizens, and expect them to defend and improve it for everyone.
A society where freedom is never a given, is not going to foster much of it.
Rooting a device will usually cause banking apps to stop working.
There are still workarounds. The way to win is to keep fighting.
All banks in Brazil now use the Google Play Integrity api. I've been on rooted phones for almost 15 years, and I'll never not main a rooted phone. But for a couple years now, I have to keep a separate phone just to be able to use the f*cking banks.
Then go to your bank and say hey, fix this or close my account
And they'll gladly close it, them and every other bank. We lack alternatives so we lack leverage.
In many European countries this means you cannot have an online-activated bank account. Offline banking is paid and often expensive.
For now, there isn't an alternative. Maybe a Pixel phone and GrapheneOS with the sandboxed Play Store would be the only choice, but for now, nobody knows.
Google Pixel + GrapheneOS
If you want to know if your Banking App is compatible: https://privsec.dev/posts/android/banking-applications-compa...
Cry in a corner ig?
Maybe use an iPhone? There will not be many advantages left on the Android side after that shit gets going.
Even without side loading there are several advantages and freedoms that Android has unmatched.
Such as? Curious, because on iOS you can freely install browser extensions (adblockers like uBlock Origin Lite) from the get-go. Still boggles my mind that Chrome does not allow extensions.
Alternative browser engines, JIT-compilation support (enables apps like Koreader), ability to completely disable animations, etc.
Alternate browser engines are now possible in the EU, there is just not much interest in porting to iOS. To me it sounds just bad UX that the first thing you need to do on Chrome to enable Adblock is to switch browser, vs. just installing an extension with the default browser that probably 90%+ of Android users use.
With sideloading being disabled, it takes a single decision from a Google employee to completely get rid of all browser engines and apps that use JIT.
It's not feasible, several large projects completely depend on the ffi interface that needs JIT.
Like what? I am curious what’s left.
Choice of running multiple browsers with different engines
I might just move to whatever the Chinese come up with. By 2027 their tech should be clearly superior in every way.
If there's a cheap Chinese phone that banks/google accept, that might be my second (non-rooted) phone.
I assume my S20+ won't get this because it's stopped getting anything but security updates. Sometime next year I'll look for the latest phone that's too old to get the new behavior.
I assume this will not be rolled out as an OS-upgrade but as a Play services update, so it will be enrolled by Google directly to nearly all devices on the market.
If so then that blows, but I'm still hopeful Samsung won't create an update for this. Unless this is something Google silently updates in the background even with automatic app updates turned off.
Samsung is not in control of this. Play services is a quite broad framework that is fully in control of Google, and the foundation for many services and applications on the device (including Play Store itself).
If you would factory-reset your device right now, it would reset to the version of Play Services that came with the installed device firmware, but upon startup the services framework would likely fetch information that it is outdated and won't continue until you have upgraded it.
In this state you could probably use your device and sideload apps, but none of the Google Mobile Services (Play Store, Gmail, Maps, YouTube, ...) and 3rd party apps which require Google APIs will work.
Google seems to have a multi-pronged attack on Android devs going on atm. They are seemingly trying to take down as many apps and dev accounts as possible. Anyone know why?
1. doxx yourself or they kill your account
2. re-build every app with pointless newer API version literally every year or it gets taken down.
3. Push an update or a new app or they kill your account.
..
My guess is enshittification, some random exec is trying to save a few pennies in server and storage costs.
..
I'd also say that Google makes so much money from ads and data-brokering that everything else they do is not vital for their survival and thus undergoes a sort of "genetic drift" where they just make random decisions.
Background political lobbying. It's part of the effort from most of the West (not the US yet) to verify users on devices to 'protect kids'.
Google cut off their own revenue legs with AI suggestions instead of ads.
That's okay, they jumped the shark when the imperative for ads took over.
> 1. doxx yourself or they kill your account
Combat abuse. I don't think this is a solvable problem, so obviously this won't be a silver bullet. But maybe it will impose more cost on the abusers, creating a nicer app store experience for everyone. Or maybe this only imposes cost on the honest ones? I don't know how much validation they do.
> 2. re-build every app with pointless newer API version literally every year or it gets taken down.
Fix vulns. This also gets rid of abandoned apps. It also probably provides an "opportunity" for the dev to agree to new T&C.
> 3. Push an update or a new app or they kill your account.
This one seems shakier to me, but it might feed into an effort to get rid of abandoned apps. But I disagree with this being healthy for the ecosystem, if that's actually the reason.
I'm not trying to defend Google, but from working in FAANG, some of this is obvious. None of these things save a significant amount of server or storage costs. Some of it is clearly anti-abuse and efforts to defend themselves from the constant stream of crap that tries to make its way into the app store.
> everything else they do
Google isn't like some dude (Sundar) making decisions. It's a bunch of millionaires and billionaires making decisions. There's some high level guidance, but the difference between different divisions is 100% based on who's running that particular show.
What's wrong with "abandoned" apps? I still use an app called DiskUsage. Not sure you can still get it on the store or it comes with scary warnings now. Continues to work great. Never found a replacement. Don't want a replacement. This one works.
When an app works but keeps getting updated, that means the enshittification is starting. How else do you extract money out of a completed app?
I thought this applies to every app regardless of the app store it comes from? Including side loading. The Play Store is already "sanitised".
> Add the JitPack repository to your root build.gradle
How many MB (KB?) does this dependency add to the APK?
Given that it's just a couple lines of code and has no other dependencies other than AppCompat (which nearly all apps already use), the increase in size would be negligible (<4KB).
EDIT: The AAR file is 26KB: https://jitpack.io/com/github/woheller69/FreeDroidWarn/V1.3/... But most of it looks to be from R.txt and I think that file gets deduped/compressed during app packaging?
"Copyright GPL"
I don't think this meets the bar for copyrightable code. Copyright protects creative expression. Displaying a single dialogue does not take creative expression, and pretty much any developer given the task would produce code identical to this.
Don't complain about the license. The license removes any doubt. You can happily use it without having to worry. If there was no license you'd have uncertainty.
Also you're misquoting. The license is GPL-3, not AGPL.
I'm not complaining about the license, I'm complaining about the library size.
Something that is too small to be considered creative should be a documented example you copy and adopt into your app, not a dependency.
The only exceptions to this are things like "A dependency that contains all unicode planes and categorizes characters", which isn't creative, but is useful and too large to copy-paste, and also updates over time.
Or the timezone database file, another case of something that should be "public domain" knowledge (uncopyrightable), but makes sense as a dependency.
This is not that sort of thing.
You can't copy paste all the localizations for example. Go make a copy-pasteable version if it's so easy.
Have you looked at the code? I sure wouldn’t produce exactly that. Even for identical functionality, its FreeDroidWarn.java methods are 30 lines, I’d write it in 13 lines. I also wouldn’t write exactly the same strings (some stylistic changes, some being specific rather than generic as is somewhat necessary for a library), and definitely couldn’t produce 17 other translations.
This easily meets thresholds for creative work. The basic concept is nigh-trivial, but the concrete implementation is still creative.
Yes, this code is almost as trivial as a hello world.
Yeah, I just wanted to have something I can add with a line of code to my 20+ apps on F-Droid including all translations. It is Apache now.
> and pretty much any developer given the task would produce code identical to this.
That I doubt; it seems more like it's deliberately large and complex enough to be copyrightable, because otherwise it wouldn't be.
Changed to Apache V2.0 license.