
FreeDroidWarn

311 points - today at 3:01 AM

  • zx8080

    today at 4:39 AM

    This story with restricting users is a similar one to Manifest V3 in Chromium.

    But we don't have anything like FF as an alternative to go from Android. Especially considering banks require "certified OS".

      • Hackbraten

        today at 5:58 AM

        I switched to a Linux smartphone because I've had enough of the duopoly.

        I also switched banks so I can use my bank card as the 2FA device, similar to CAP. [0]

        [0]: https://en.wikipedia.org/wiki/Chip_Authentication_Program

          • jwrallie

            today at 7:32 AM

            Probably in the long run the only way to go will be to own/carry two devices. A long supported phone with stock firmware and apps you are "forced" to use to interface with the world around you, and a second Linux portable machine where you have your freedom.

              • subscribed

                today at 8:55 AM

                No, it's not "long supported" phone fallacy.

                Google and by extension banks, are claiming that the phone on, Android 9, without security updates AT ALL since 2009 is perfectly safe and secure to use.

                Meanwhile, really well locked OS, hardened so well some of the improvements were later picked up upstream (both by Google and Apple), running _the_ latest AOSP version and releasing new security updates within hours is not considered safe and secure, despite assuring full chain of trust (including locked bootloader, verified boot, etc).

                This is what Play Integrity does.

                Of course Android supports a better scheme, hardware attestation, but of course Google enforces their iron grip on the ecosystem, and instead uses the outdated, flawed system that certifies only the devices with preinstalled Google services running in the privileged mode. Snooping on everything you do and have.

                That's the reason.

                  • bakugo

                    today at 11:24 AM

                    When companies like Google talk about a device being "secure", they don't mean secure from malicious third parties, they mean secure from the user. The device is considered "secure" if the user cannot do anything with it that Google does not approve of.

                      • ho_schi

                        today at 12:23 PM

                        That's it. It is a device secure for Google to:

                        * Enforce Hardware-DRM
                        * Enforce PlayServices
                        * Enforce apps which don't circumvent their business model e.g. YouTube-Downloaders ("Watch my ad again...")
                        * Payment fees from PlayStore

                        Taking a look at the dangerous crap in the official Play Store confirms that. It is full of awful and dangerous apps. It was never about the security of the user.

                    • IlikeKitties

                      today at 12:15 PM

                      > Google and by extension banks, are claiming that the phone on, Android 9, without security updates AT ALL since 2009 is perfectly safe and secure to use.

                      Funnily enough that's actually a good thing in a twisted way. Long term, it will either force manufacturers to become much better with their update support, because apps will refuse to work on non-patched devices... or they won't and we'll all have one of those devices at home rooted through a long known CVE as a proxy for device attestation.

                  • dTal

                    today at 9:42 AM

                    I've been doing this for years already, except I split it further to three devices:

                    1) an old iPhone with 0 personal data on it and in no way linked to my identity, which is used for completely untrustable commercial apps, and rarely even leaves the house.

                    2) a LineageOS Android which is my daily smartphone for things like camera and GPS, running almost exclusively open source apps, except for unavoidables like WhatsApp which are run in a separate profile

                    3) a GPD Micro PC running Void Linux, which is roughly the same size as the phone and a true swiss army knife. Its purpose is to reliably do what I want, when I want it. No systemd, for it does not spark joy. It is used for web browsing, note taking, light productivity, and playing movies on the TVs of friends who have overinvested in streaming and dongles only to find that $CHOSEN_MOVIE is not on any of their services.

                    I am not entirely happy with this state of affairs - too many devices, and still not enough siloing of closed apps like WhatsApp.

                      • jbstack

                        today at 12:13 PM

                        It seems to me that the way you have divided up the roles, you actually need 4 devices, because you need one to run commercial apps which are linked to identity (which rules out device 1) and which will only run on a "secure" device (which rules out 2 and 3). For example banking apps.

                        • fainpul

                          today at 12:13 PM

                          Keeping all those devices charged is already too much of a hassle for me to do this.

                      • CalRobert

                        today at 7:57 AM

                        You won’t be able to do much with the second. Web sites will force login with google, etc. and only work for attested browsers.

                          • antonkochubey

                            today at 9:55 AM

                            Both Apple and Google decided against implementing device attestation in browsers.

                            https://news.ycombinator.com/item?id=42522490

                              • jsnell

                                today at 10:56 AM

                                Apple has been shipping device attestation in their browser for years (Private Access Tokens), with no backlash.

                                • CalRobert

                                  today at 10:32 AM

                                  And Google decided against evil too

                                  • hollow-moe

                                    today at 10:12 AM

                                    for now*

                                • UnreachableCode

                                  today at 9:16 AM

                                  I don't use Google login anywhere and have a lot of accounts with many different websites? Youtube and other Goolag ecosystem being the exception, but, of course they are?

                                    • CalRobert

                                      today at 10:33 AM

                                      Give it a few years, the google login nag screens are getting pervasive. And old school user/pw login is dying

                          • anonzzzies

                            today at 10:09 AM

                            I wish I had enough clout / money to get a Chinese tablet maker to allow me to install Linux. Luckily I could root it which is great, but outside that I'm lost. Hope someone will make my dream device with Linux some day.

                              • bityard

                                today at 12:07 PM

                                Someone already does, check out the StarLite tablet. It even runs coreboot firmware.

                                  • anonzzzies

                                    today at 12:12 PM

                                    Well, I did not mention what my dream device is; I cannot stand the limited battery life on almost all devices. That's why I like companies like Oukitel; their devices go forever. My main driver (rooted and cleaned) is the rt7 titan 5g. It's the best thing I ever had. Rain, shine, in the pool, week long battery, you can hammer nails with it. That with Linux would be my dream device.

                            • russnes

                              today at 6:36 AM

                              Which one?

                                • Hackbraten

                                  today at 6:48 AM

                                  It’s a Librem 5. I’m looking for a more powerful model that can also run mainline(-ish) Linux.

                                    • russnes

                                      today at 7:06 AM

                                      Seeing as GrapheneOS appears to be recommended on the newest Pixel models, I wonder if it shouldn't be too difficult to get Arch Linux running on them with the AUR plasma-mobile?

                                        • nunobrito

                                          today at 7:19 AM

                                          Run away from Graphene, it is suspicious at best scenario and dangerous at worst.

                                          Just observe that the key factor is to be independent from Google and then the only recommended devices from their side are exactly google devices where nobody here can have an idea of what is modified inside them.

                                          You'd be better off supporting other distributions like Calyx, which have no problems in supporting other devices like the fairphone and so on.

                                            • duesabati

                                              today at 7:24 AM

                                              I was very interested in Graphene, do you have other grounds for your suspicions?

                                                • fsflover

                                                  today at 9:36 AM

                                                  I agree with the parent. GrapheneOS puts security above freedom, which is wrong. It forces you to give your money to Google and rely on Google hardware, which is questionable in the long term. They refuse to support different hardware "for your security". Their developers are constantly attacking GNU/Linux phones, which are the actual long-term solution for both freedom and security.

                                                  https://news.ycombinator.com/item?id=44680624

                                                  https://news.ycombinator.com/item?id=43675380

                                                    • scheeseman486

                                                      today at 10:27 AM

                                                      I don't think I've ever read any solid refutation of the technical choices of the project, mostly just character attacks, the basis of which are dodgy at best. They're completely up-front about the limitations and catches of their choices, too.

                                                      Those links don't really help your case, to be frank. Nothing strcat says reads as incorrect or even particularly controversial, they have personal beef with CalyxOS but their criticisms of the choices of the project are largely on point. They're justifiably upset by the mental health accusations too, it's kind of a joke that one of those people in the thread tried to gaslight strcat about how these accusations are somehow not a recurring issue when I, as a third party observer, have seen it come up all the fucking time.

                                                      Meanwhile, you're imagining "attacks" on GNU/Linux phones, when most of what I read from them regarding those was sober and reasonable, if not particularly positive, but they're allowed to do that. Their priorities are clearly security and none of those phones really have any.

                                                        • jamesnorden

                                                          today at 11:18 AM

                                                          >Their priorities are clearly security and none of those phones really have any.

                                                          As opposed to a black box from Google, that nobody really knows exactly what it does...

                                                          • fsflover

                                                            today at 11:03 AM

                                                            This is another project that knows what you need better than yourself. People are constantly asking them to add support to other hardware, but the answer is "it's insecure". This is completely wrong and forces everybody without a(n expensive!) Pixel to abandon reasonable security. Even Qubes OS allows installing itself on hardware without VT-d, with respective warnings, and plans to enable GPU acceleration in VMs on demand. Their priority clearly isn't to make as many people as possible more secure but to force Google on you.

                                                            Are you calling the above a "character attack"?

                                                            I would love to use GrapheneOS on my Librem 5 and Pinephone. No proprietary drivers are required. Yes, some security features are lacking. Yet it would be a win for everybody.

                                                            I didn't say anything about CalyxOS: I don't care about this.

                                                              • scheeseman486

                                                                today at 11:43 AM

                                                                > the answer is "it's insecure".

                                                                Can you give me a quote where they outright say this? Because my hunch is that what they actually say is something along the lines of 'because it doesn't have the security requirements that we desire' which would be true. Whatever their reasons for those choices, it also makes sense to limit scope given the extreme constraints they're working under and that scope is best limited to phones with the widest security feature support for their security-focused Android OS.

                                                                > Are you calling the above a "character attack"?

                                                                Grow up.

                                                • pferde

                                                  today at 7:41 AM

                                                  No, the "key factor" of GrapheneOS is to provide a secure OS on a secure hardware. If the "key factor" was to be independent from Google, they wouldn't support Google devices at all. But since the Pixel phones are the only ones with secure enough hardware, GrapheneOS supports them.

                                                  They even tell you in their usage guide that it's more secure to use Google's app store than e.g. F-Droid (which neglects several good security practices for an app store), and that it's not a good idea to blindly aim for "degoogling" at all costs.

                                                  Go away with your baseless FUD.

                                                    • NoGravitas

                                                      today at 12:28 PM

                                                      I use a Pixel with GrapheneOS because it's really the least bad option available today. But it's not wrong to say that they strongly prioritize security over privacy or freedom/independence. That's a fair decision for them to make, but people should know what they're getting into.

                                                      • close04

                                                        today at 8:05 AM

                                                        > Pixel phones are the only ones with secure enough hardware

                                                        The biggest thing that excludes most phones from supporting GrapheneOS is the lack of unlockable bootloader. Pixel phones also allow the developers to target a large but homogeneous hardware base.

                                                          • pferde

                                                            today at 8:17 AM

                                                            There is no single biggest thing. GrapheneOS has rather strict demands for a device they're willing to support, see https://grapheneos.org/faq#future-devices

                                                              • close04

                                                                today at 10:11 AM

                                                                GrapheneOS doesn't support Pixels with locked bootloader. It's where the game stops for all locked phones, a common practice now. You can already see how this is the single biggest thing.

                                                                The second big thing is that the "non-exhaustive list of requirements" is basically "whatever new Pixels do". Your conclusion that Pixel phones are "the only ones with secure enough hardware" is overstretching what's happening here.

                                                                The developers took the Pixel as a template because it's a well selling line, with good security, and generally with unlocked bootloader, and modelled the requirements based on it. It's a reasonable approach to the development of a niche security oriented OS because: "In order to support a device, the appropriate resources also need to be available and dedicated towards it". It has the downside that it makes it sound like no other phone has comparable security features.

                                                                Are the fully supported Pixel 6/6a more secure than any other non-Pixel phone sold on the market today?

                                                                  • pferde

                                                                    today at 10:57 AM

                                                                    What do you mean, "doesn't support Pixels with locked bootloader"? Yes, you need the bootloader unlocked to install GOS, but the last step during installation is locking the bootloader again. Having an unlocked bootloader is officially considered unfinished GOS installation. See https://grapheneos.org/install/cli#locking-the-bootloader

                                                                    As for Pixels being more secure than non-Pixel phones, I would say they are more secure, due to existing hardware security features that most non-Pixel phones do not have, and just as importantly, due to still getting regular security updates from the vendor. Pixel 6 in particular is supported until late 2026, if I recall correctly.

                                                                    This is the problem for most Android phones on the market - most of them stop getting security updates after a year or two, so your only option is hoping that one of the alternate Android OSes pick up the slack, e.g. Lineage or Calyx.

                                                                    EDIT: That they modeled their security requirements based on the best device available at the time is simply how this works if the priority is security. They picked best of what was available, built features around that, and refuse to compromise for new device models if at all possible. And yes, no other Android phone has comparable security features for what they are doing. That's not how "it makes it sound", that's just reality.

                                                                      • close04

                                                                        today at 12:11 PM

                                                                        > What do you mean, "doesn't support Pixels with locked bootloader"?

                                                                        You cannot install GrapheneOS on a Pixel that was locked by the carrier, it's literally the first prerequisite they mention [0]. From here came my initial comment saying that the biggest thing that excludes most phones from supporting GrapheneOS is the lack of unlockable bootloader.

                                                                        This is what should give you pause when you declare one phone to be "best HW for security" because it supports GrapheneOS. Some Pixels, with the same HW/FW/SW, are still unsupported.

                                                                        [0] https://grapheneos.org/faq#supported-devices

                                                        • BlueTemplar

                                                          today at 7:59 AM

                                                          > it's not a good idea to blindly aim for "degoogling" at all costs

                                                          Why not ? This seems to be exactly the push that was needed.

                                          • seviu

                                            today at 7:46 AM

                                            Out of all the models I saw, SailfishOS is the only one that ticks all the boxes for me.

                                            Wish there were other alternatives. PinePhone Pro got discontinued. This is truly a duopoly.

                                    • yonatan8070

                                      today at 4:50 AM

                                      What if we collectively decide to use the web alternatives for banking? We lose some convenience since they are generally desktop oriented, but they don't check who signed my kernel.

                                        • thombles

                                          today at 5:05 AM

                                          My bank recently made it that app-based MFA must be used for every single web login. Unless I and many others are willing to swap banks in the vain hope that the new bank won't do the same thing (I am not), then we're cooked.

                                            • lrvick

                                              today at 6:01 AM

                                              Just say you do not have a compatible device. Special undocumented alternatives appear every time in my experience.

                                                • riedel

                                                  today at 6:15 AM

                                                  Sure, one option means paying for each SMS (actually they had to abandon that one), another option is getting a paid banking card just to use a hardware device. From my experience they try to make sure that you will get a certified phone. I just got one because for some reason my Redmi Note 10 despite passing all play integrity checks after hacks like Tricky store+Key box triggered some checks in my banking apps. I needed to use an aftermarket ROM, because my device would not receive any updates from Xiaomi (also I don't know why a device packed with Chinese bloatware is certified as secure in the first place). And guess what I bought: a Google Pixel. Smart Google, huh.

                                                    • homebrewer

                                                      today at 7:17 AM

                                                      These "security checks" are a complete, total, absolute joke. Just a couple of weeks ago I had a friend ask me to downgrade firmware on a similar Xiaomi device from the latest LineageOS to stock to make two shitty banks work. Nothing I did on Lineage would make "security checks" pass, even though it was running the cleanest possible Android 15 with the latest security patches applied.

                                                      Now the phone is running stock firmware from 2020, with Android security patches from 2020, and with numerous publicly known vulnerabilities. The banks work fine, Google Pay works fine, every Play Integrity check passes, even the strongest one (device integrity).

                                                      The only reason I see for it being implemented this way is not to lock the bad guys out from your phone, but to prevent you from doing anything to the banking applications, even though it is still possible through said vulnerabilities.

                                                      One of said banks also refuses to run if it detects remote assistance clients on your phone (like TeamViewer), or even Discord, because apparently these were used in scams over the past few years, and we need to protect even the stupidest at the expense of everyone else. How did we come to this "future"? The worst days of desktop Windows weren't even remotely close to this nonsense.

                                                        • riedel

                                                          today at 8:00 AM

                                                          The most stupid is the interplay with regulators: on one hand GrapheneOS is far too secure if it comes to CSAM or organized crime, on the other hand it is not secure enough for banking (most of the 2FA comes from the interpretation of the PSD regulations afaik).

                                                            • spwa4

                                                              today at 8:59 AM

                                                              It's not stupid. It's governments being extremely cheap. Banks (large banks are part of the government everywhere, at least when it comes to policy) and governments are totally dependent on certification (meaning someone to check security patches on devices), effectively a group of people that have some budget to check a lot of software versions of a lot of devices. This doesn't have to be many people.

                                                              Nobody's willing to pay for it, so only Google, who have to do this for a bunch of other reasons, actually does it.

                                                              On the contrary, governments are imposing other restrictions on OS'es (like EU Chat directive), as well as making more and more critical government functions (like eID, and the various equivalents, and the banks) that can never work without OS certification, are utterly dependent on the App stores (it requires the ability to replace apps on user's devices without being detected), and thereby driving people deeper into Google and Apple's arms. Despite the fact that this makes the EU totally dependent on yet another US company, making this stupid. And, of course, it makes securing anyone in the EU against US spying an exercise in futility.

                                                              But it saves a little bit of money now, and gives the US, ie. Trump, yet another loaded gun aimed at the head of the EU economy. What could possibly go wrong?

                                                              Sell your airbus stock.

                                                          • subscribed

                                                            today at 8:58 AM

                                                            Google still didn't block leaked Nexus 4 keys, meaning anything rooted with Magisk can spoof the integrity check.

                                                            Rooted. Usually with unlocked bootloader. Safe.

                                                            Also phones on Android 9 unpatched since 2009. Etc.

                                                            :)

                                                            • BlueTemplar

                                                              today at 8:01 AM

                                                              Why would you care about this but still want to run Discord ??

                                                                • jamesnorden

                                                                  today at 11:33 AM

                                                                  ??? What's the correlation?

                                                          • kelnos

                                                            today at 6:43 AM

                                                            > Sure, one option means paying for each SMS (actually they had to abandon that one), another option is getting a paid banking card just to use a hardware device.

                                                            That sounds... fine? Like... there are actually alternatives. Sure, if their plan is to phase out those alternatives, then that's bad, but... the current situation seems fine?

                                                              • rvnx

                                                                today at 7:02 AM

                                                                Reality is very different. If you have the courage, you can experiment living one year without bank card or wire payments, then your life is going to get very very difficult.

                                                                  • sorrythanks

                                                                    today at 9:21 AM

                                                                    This comment isn't about living without a bank card or wire payments, though? It's about living with a hardware TOTP device

                                                                    • 1gn15

                                                                      today at 7:55 AM

                                                                      This problem is getting worse too, as more and more businesses become "cashless only".

                                                                        • BlueTemplar

                                                                          today at 8:03 AM

                                                                          Well, this is literally illegal in many jurisdictions.

                                                                            • subscribed

                                                                              today at 9:00 AM

                                                                              And literally legal in many jurisdictions

                                                              • ChocolateGod

                                                                today at 6:36 AM

                                                                If you're trying to imply Xiaomi is crap with updates so people buy pixel phones I don't think that makes much sense.

                                                            • reitanuki

                                                              today at 7:29 AM

                                                              Agree with this. Either you'll get SMS OTP (which is free for the user, at least in the UK?) or they will send some 'calculator' or multi-colour-code-scanner device that generates OTPs. (Honestly this last one was the most impressive bank security system I'd seen yet; for every individual transaction, you'd have to scan the code and the scanner device would tell you what you were authorising, then you put the PIN in and get a OTP to put back in the bank)

                                                                • tonyhart7

                                                                  today at 10:29 AM

                                                                  that is just normal practice for business account transactions in my country????

                                                                  business accounts can request such devices so that malicious people can't withdraw funds without pressing the same combination on all devices (there are multiple devices), so there is no rogue employee

                                                              • monegator

                                                                today at 8:25 AM

                                                                I switched banks when they required authentication with biometrics, and when I said I didn't want to do that the answer was

                                                                sorry, we can't do anything for you then

                                                            • dingnuts

                                                              today at 5:47 AM

                                                              fuck it back to cash

                                                                • sterlind

                                                                  today at 8:03 AM

                                                                  I stayed away from cryptocurrency when DeFi and Web3 and NFTs were everywhere, but I've started paying with BTC where I can, so I don't have to deal with banking apps, and to stick it to puritanical payment processors, after the Steam/Itch debacle.

                                                                  Know Your Customer is acceptable. Nanny Your Customer is not.

                                                                    • uyzstvqs

                                                                      today at 10:58 AM

                                                                      Monero is the cryptocurrency everyone uses for this. The userbase and community is completely separate from the Web3 NFT dog-coin crowd (unlike Bitcoin).

                                                                      There's also systems like PaySafeCard, which is accepted by Steam.

                                                          • MathMonkeyMan

                                                            today at 5:10 AM

                                                            I uninstalled banking related apps from my phone years ago. I used it so infrequently that every time I did use it, it was as if it had been newly installed and didn't remember anything about me. Now I use a desktop web browser for anything finance (and it's Firefox on Linux, so thankfully that works for now).

                                                              • pastage

                                                                today at 5:17 AM

                                                                The phone will be used as MFA, and that will have requirements especially on Android versions. So it is going to be harder to escape it, it is darn comfortable using Android as an MFA. Many banks still use a custom device for MFA here but it is slowly going away.

                                                                BankID in Sweden and similar in other European countries.

                                                                  • PeterStuer

                                                                    today at 5:27 AM

                                                                    For now the custom issued 2FA is still an inconvenient option, but nearly everyone uses the phone for 2FA as it is so much faster.

                                                                • homebrewer

                                                                  today at 7:24 AM

                                                                  It's getting repetitive to come with the same message over and over and over again, but in many countries you can no longer interact with your bank through the web browser. The banks' applications are either required for 2FA, or are the only way to use remote banking at all.

                                                                  The last one applies in my country. You can of course go to the bank branch for every little financial operation, which is bad enough by itself for us living in cities, but is practically impossible for my relatives in the rural area, who would have to drive 100 km to the nearest bank branch, and then back just to move some money between two accounts.

                                                                  Even if you don't care for anyone else but your country, it will come to you also, I promise.

                                                                    • fsflover

                                                                      today at 7:32 AM

                                                                      You should at least complain to your bank and government, support NGOs fighting for your freedom like https://edri.org, https://eff.org, or equivalent in your country.

                                                                      Forcing you to use foreign megacorps for essential services should be illegal if not already.

                                                                        • homebrewer

                                                                          today at 7:57 AM

                                                                          Sure, I complain basically every week, but it's like moving a mountain. It was the government's idea, and they're very gung-ho on continuing with it. The official reason is fighting tax evasion, but the more probable one is that the ruling elite has major stakes in all major banks, so they're very interested in making everyone dependent on those banks.

                                                                          The only realistic thing left for me is moaning about it on the ole 'net and hoping (probably in vain) that this disease doesn't spread further to other countries. Western democracies are already in the process of copying several bad ideas we implemented 10+ years ago (and China more than 20 years ago), I don't see a reason why this also wouldn't be ported over.

                                                                          And the digital sovereignty argument doesn't really work, one of the banks uses its own payment system — mostly copied from Chinese AliPay — and it's the most popular one here. Zero dependence on "the West" other than the phones themselves, where they think they have an alternative in Huawei and friends, and you're gonna have to depend on someone in any case, even just for internet infrastructure, or even cash printing machines.

                                                                            • BlueTemplar

                                                                              today at 8:13 AM

                                                                              The problematic companies are all Russian/Chinese/USian(/Israeli ?) last I checked, so what "the West" generally has to do with it ?

                                                                                • homebrewer

                                                                                  today at 8:37 AM

                                                                                  The reply was to GP's:

                                                                                  > Forcing you to use foreign megacorps for essential services should be illegal if not already.

                                                                                  The only two major mobile operating systems are developed by American companies. The two most popular global payment processors are maintained by American companies. The hardware is jointly developed by a bunch of countries, basically all of them in North America and Western Europe.

                                                                                  If one brings up digital sovereignty, should I think not of "the West", but of Tokelau, South Africa, or Brazil?

                                                                              • fsflover

                                                                                today at 8:09 AM

                                                                                > Zero dependence on "the West" other than the phones themselves

                                                                                A smartphone today is the most essential and private thing you have. This is as far from "zero dependence" as you can get.

                                                                                > they think they have an alternative in Huawei and friends

                                                                                Do Huawei phones work for banking in your country? If yes, does it mean, Google Play / integrity isn't necessary?

                                                                                  • homebrewer

                                                                                    today at 8:32 AM

                                                                                    Huawei phones have their own alternatives to Play Services; none of the banks work on pure ungoogled and un-everything Android. You have to use a locked device which you have zero control over in any case.

                                                                            • immibis

                                                                              today at 11:50 AM

                                                                              It's not really that different from forcing you to use a national midicorp (a bank) to bank.

                                                                              CBDCs solve this in theory, but the government would add the requirement back just for funsies.

                                                                  • PeterStuer

                                                                    today at 5:24 AM

                                                                    Many banks are slowly phasing out their websites to go app only.

                                                                      • Gigachad

                                                                        today at 6:41 AM

                                                                        In Australia they aren't phasing out web, but anything high risk like a transaction to a new contact and you have to approve it on the app. The app is considered a significantly safer environment.

                                                                          • an_aparallel

                                                                            today at 7:52 AM

                                                                            I get text messages to approve new payees. No apps.

                                                                        • derwiki

                                                                          today at 5:48 AM

                                                                          Which ones?

                                                                            • kikokikokiko

                                                                              today at 6:05 AM

                                                                              every single Brazilian bank for instance

                                                                                • today at 7:04 AM

                                                                                  • BlueTemplar

                                                                                    today at 8:14 AM

                                                                                    Brazil is screwed anyway from what I heard about WhatsApp being mandatory for daily life ?

                                                                                      • homebrewer

                                                                                        today at 8:48 AM

                                                                                        Even though I very much dislike WhatsApp, it does not require having full control over "your" device, and does not make itself an arbiter of what you can or cannot install on "your" hardware.

                                                                                        I can't see them changing this in the foreseeable future, major parts of their userbase run the cheapest phones one can buy, and they're much more interested in as much data as possible, so near 100% device coverage has to be important for them.

                                                                        • today at 5:26 AM

                                                                          • 1gn15

                                                                            today at 4:55 AM

                                                                            Also, use ATMs if you can instead. Don't use proprietary code on your own machine; run it on theirs instead.

                                                                              • falcor84

                                                                                today at 5:11 AM

                                                                                I don't understand the sentiment - how does relinquishing control of the hardware help us? I see a possible future where the banks/governments give the people devices to use for these things, and I don't like this future, as these would surely become spy instruments.

                                                                                  • defanor

                                                                                    today at 5:57 AM

                                                                                    Not OP, but sharing the sentiment (never had banking or similar software on a phone, yet using ATMs, banks' web interfaces, offices). Avoiding interaction with a bank completely is rarely viable these days, and they will run their software on their hardware to operate either way (whether it is an ATM, a bank office, or a website). I do not see it as relinquishing control of the hardware, since you are not expected to control a bank's hardware in the first place. While setting it on your phone comes with the usual risks of running proprietary software on your machines, such as sneaky data collection. If banks/governments will give mobile devices to people for that, those may act even a little more like electronic ankle bracelets, but they would also be isolated from your other data and software; in places with near-mandatory government software, some choose to create such an isolation by having multiple devices for different purposes.

                                                                                    • zigzag312

                                                                                      today at 6:51 AM

                                                                                      > how does relinquishing control of the hardware help us

                                                                                      It's not relinquishing control, but separation of concerns for hardware.

                                                                                      Bank should manage their hardware, not your hardware.

                                                                                        • 1gn15

                                                                                          today at 7:51 AM

                                                                                          Yep! Thanks for helping me put my points across better. It's like having a separate work computer, for example.

                                                                                          Okay, I guess more to the point, I don't want the banking app forcing the OS that I use. They can provide their own damn hardware!

                                                                                      • dotancohen

                                                                                        today at 7:41 AM

                                                                                        > the banks/governments give the people devices to use for these things,

                                                                                        Give?

                                                                                        The devices will cost "a reasonable amount" and have GPS tracking "for your safety".

                                                                                        • p0w3n3d

                                                                                          today at 5:28 AM

                                                                                          It sounds like an implementation of the Orwell's 1984 telescreen

                                                                                          • card_zero

                                                                                            today at 5:45 AM

                                                                                            In what way, if supplied by the bank and used only for contacting the bank to do banking, could a device become a spy instrument?

                                                                                            Kicking banks off the internet/apps would make Android and Apple less cushy.

                                                                                              • falcor84

                                                                                                today at 6:02 AM

                                                                                                > In what way, if supplied by the bank and used only for contacting the bank to do banking, could a device become a spy instrument?

                                                                                                Here's my attempt at future history: Firstly they'll require you to prove your current location, to ensure that the request isn't made by a remote hacker; they'll do this by integrating their own cellular modem, as well as scanning local wi-fi networks. Then, at a second phase, they'll integrate a camera and microphone to perform a face identification, asking you to speak out a particular phrase while performing a particular motion. At the start they'll only require you to turn the mic and camera on during active usage, but eventually they'll say that these have to stay on continuously so that they can ensure that the device wasn't tampered with. And if we aren't careful, we'll accept every single small added requirement, until we're boiled alive.

                                                                                                  • card_zero

                                                                                                    today at 8:10 AM

                                                                                                    If it was normal and expected that you carry the device around, to make purchases with, then all that would be very bad, and it becomes like a phone but worse in some ways (less ownership over it) and better in others (does not contain other personal data).

                                                                                                    However, if it sits at home in a drawer, it can keep its camera on all it likes, transmitting images of darkness, and tell the bank repeatedly where your home address is, and sometimes (when in use) confirm what your face looks like. Not a privacy issue I think?

                                                                                                    Probably it would become expected that you carry the thing around and it replaces cash and cards, but that seems to me to be the crucial step if it's going to have meaningful potential for spying.

                                                                                        • PeterStuer

                                                                                          today at 5:31 AM

                                                                                          ATMs are disappearing. There used to be one at every corner. Now, I have to travel to the next village that has just one left at the train station.

                                                                                          Cash is positioned as suspicious. In 10 years, it might very well be illegal.

                                                                                            • scrubs

                                                                                              today at 5:57 AM

                                                                                              Not in the US... have you seen the first or second Shrek movie where a monster busts in on a Starbucks and all the scared customers run across the street to another Starbucks? Like a virus they're everywhere. Same thing for atm machines. Cash is doing just fine.

                                                                                      • tim1994

                                                                                        today at 8:20 AM

                                                                                        Ain't gonna happen (unfortunately). Somehow people (outside of HN) seem to like to use apps for everything. EVERYTHING.

                                                                                        • lifthrasiir

                                                                                          today at 4:52 AM

                                                                                          Except they did in several countries, typically using ActiveX.

                                                                                          • sfdlkj3jk342a

                                                                                            today at 5:26 AM

                                                                                            It's too late for that. In many Asian countries, most of the banks have completely removed access via a browser.

                                                                                            • vkou

                                                                                              today at 8:28 AM

                                                                                              > What if we collectively decide to use the web alternatives for banking?

                                                                                              So, like, legislate it?

                                                                                              Prior art exists on this point.

                                                                                              • sushhtr

                                                                                                today at 10:02 AM

                                                                                                [dead]

                                                                                            • wafflemaker

                                                                                              today at 9:01 AM

                                                                                              Most banks worth their salt accept GrapheneOS.

                                                                                              DNB in Norway does for sure. Same for BankID, national electronic identity authorization provider. There are good programmers out there that know their stuff. Find a bank that has a hacker culture like DnB.

                                                                                              I remember that I chose them just by comparing uMatrix output between them and SpareBank - the other big player. DNB had no 3rd party trackers showing, while SpareBank had a lot.

                                                                                                • Sayrus

                                                                                                  today at 9:18 AM

                                                                                                  Same in France, I would have switched to another bank that supports GrapheneOS if mine didn't. In my case, I doubt it's hacker culture but more of a sovereignty and accessibility issue which made them choose to not rely on Play Integrity.

                                                                                                    • uyzstvqs

                                                                                                      today at 11:14 AM

                                                                                                      I use several European banks, GrapheneOS works just fine.

                                                                                                      FYI, I know that Revolut is a Europe-wide bank which does not use Play integrity. In case anyone needs it.

                                                                                                      I've only had one non-banking app trigger the "used Play integrity" warning, though that app apparently does not care and still works fine.

                                                                                              • safety1st

                                                                                                today at 6:22 AM

                                                                                                I live in Thailand which is very mobile first and the main way to pay for things here is through your banking app, you scan a QR code, it fires up the app and you make a transfer.

                                                                                                The convenience is great but increasingly businesses now begin to offer this as the ONLY way to pay.

                                                                                                I keep telling people because I'm seeing it begin. This is how it happens, this is the endgame for freedom, democracy and life as you know it. Give the West 20-30 years, it will happen in some developing countries sooner.

                                                                                                They will require the approved app to buy and sell. Without it you will be outside the financial system, and maybe will starve.

                                                                                                They will require the approved app to only run on the approved operating system. You will have 2-3 options for the approved operating system but total surveillance will be a mandatory feature on all of them.

                                                                                                Finally, they will punish you for wrongthink when your surveilled device detects you writing or saying it.

                                                                                                As the world gets worse political leaders will become more authoritarian until one finally checks the last box on that list, and that's the end.

                                                                                                There will be no escape except for death.

                                                                                                All the pieces are coming into place. Every time you hear them talking about better security for XYZ you can see how it's one of the pieces on the board, being moved one square.

                                                                                                I don't think there is one guy who has this master plan I think it's the inevitable end state for surveillance capitalism that's as pervasive as ours.

                                                                                                I am an atheist, I think the Bible is all fairy tales, and yet the "Mark of the Beast" vibes I get from where the world is going are out of control. The mark on your hand or your forehead that will be required to buy or sell, that was what you'd be forced to accept once the Antichrist took over, or whatever. The 2,000 year old fairy tales were not wrong they are starting to set it up now, you carry the device in your hand, they will do it through payments and banking.

                                                                                                  • hans_castorp

                                                                                                    today at 9:06 AM

                                                                                                    I am curious: how do tourists pay? Will they be forced to install those apps as well without having a bank account in Thailand?

                                                                                                      • safety1st

                                                                                                        today at 11:40 AM

                                                                                                        The government and one of the largest banks collaborated to release an app which lets tourists make payments through the QR based system this year: https://www.tatnews.org/2025/03/tourist-e-wallet-tagthai-eas...

                                                                                                        • homebrewer

                                                                                                          today at 10:12 AM

                                                                                                          When traveling to China, which is also a very mobile-first country, you're expected to install AliPay and WeChat. A couple of years ago AliPay started accepting foreign bank cards, which you add to your account (in addition to lots of other information including photos of yourself and scans of your government id), and then pay through the AliPay application everywhere. Cash has been made extremely inconvenient or even impossible to use, foreign cards are also often not accepted.

                                                                                                          • darkwater

                                                                                                            today at 9:26 AM

                                                                                                            > I am curious: how do tourists pay?

                                                                                                            Cash or normal credit/debit card, but I guess that for natives having a credit/debit card costs more money, and cash, well, it's cash like everywhere else, with its pros and cons.

                                                                                                        • stavros

                                                                                                          today at 8:00 AM

                                                                                                          This has been happening for a while. I've seen plenty of card-only shops in the UK and US.

                                                                                                      • fluidcruft

                                                                                                        today at 11:22 AM

                                                                                                        Here's what I think Google should do: I really like the Work Profile feature. It essentially sandboxes Work from personal and it adds nice little briefcase badges to mark apps that are in the Work Profile.

                                                                                                        Another solution might be to add an optional Uncertified Profile that if turned on allows unregistered apps but sandboxes them and marks them with a "dangerous" badge. That might ensnare these trojans and malicious apps that pose as legit. That might be enough to scare grandma and let people who know what they are doing do what they want.

                                                                                                        Although, frankly I'd just prefer Google just made a "Secure Profile" to keep bank apps and other high-security apps away from everything else.

                                                                                                          • throwaway290

                                                                                                            today at 11:24 AM

                                                                                                            > allows unregistered apps but sandboxes them and marks them with a "dangerous" badge

                                                                                                            Surely apps are sandboxed on Android by default?

                                                                                                        • userbinator

                                                                                                          today at 4:48 AM

                                                                                                          The alternative is older versions of Android, from before these hostile changes. The propaganda that it's "unsafe" is just that, propaganda. Perhaps Google will realise once enough of the population refuses to put on the noose.

                                                                                                            • russnes

                                                                                                              today at 6:29 AM

                                                                                                              The majority of the population will happily put on the noose and they will join in on pressuring you to do it too. Don't kid yourself. However, a successful resistance movement only requires like 3% of the population or something

                                                                                                              • zx8080

                                                                                                                today at 4:52 AM

                                                                                                                It's totally unfeasible for those using stock devices. Refusing to upgrade takes lots of attention even from experienced users like developers. A regular user just doesn't have any chance to avoid accidentally clicking or intentionally accepting the annoying permanent notification to upgrade the OS.

                                                                                                                  • userbinator

                                                                                                                    today at 5:02 AM

                                                                                                                    It's the norm for the huge number of users with devices where there is no newer upgrade available from the original manufacturer. Back when Android was great(tm) there were far more of those than today.

                                                                                                                • saidinesh5

                                                                                                                  today at 4:52 AM

                                                                                                                  The problem is not the propaganda, it is the businesses restricting the freedom and choices of users because of this propaganda.

                                                                                                                  So many apps even refuse to be installed on older versions of iOS/Android.

                                                                                                                    • userbinator

                                                                                                                      today at 5:52 AM

                                                                                                                      > So many apps even refuse to be installed on older versions of iOS/Android.

                                                                                                                      That's because they see older versions of Android decrease in usage so they think it's fine to lock them out and potentially lose customers[1], but they're not going to do that to the majority of them.

                                                                                                                      If the majority stops falling for the propaganda and "upgrading" to a worse experience, other businesses will follow.

                                                                                                                      [1] I have told businesses that changes to their site have made me no longer want to do business with them, and seen responses ranging from complete dismissal to quick reversion.

                                                                                                                        • BlueTemplar

                                                                                                                          today at 12:02 PM

                                                                                                                          Yet another reason to dump iOS/Android: planned obsolescence of this form.

                                                                                                                  • PeterStuer

                                                                                                                    today at 5:33 AM

                                                                                                                    The bank app, mandatorily updated to the latest version, does not run on old Android.

                                                                                                                • seviu

                                                                                                                  today at 7:45 AM

                                                                                                                  I don’t need a bank for my daily driver and I can have a backup phone. You can get fairly recent Android devices at a fraction of the cost of a new one.

                                                                                                                  And if you still can, use the website.

                                                                                                                  I also had enough. Switching to Linux pretty soon.

                                                                                                                  • scotty79

                                                                                                                    today at 4:47 AM

                                                                                                                    What about GrapheneOS?

                                                                                                                      • zx8080

                                                                                                                        today at 4:59 AM

                                                                                                                        I'm not going to buy a Pixel, feeding Google further with my pennies, just to use GrapheneOS.

                                                                                                                          • fzorb

                                                                                                                            today at 5:33 AM

                                                                                                                            Well you can always buy second hand/refurbished.

                                                                                                                              • rollcat

                                                                                                                                today at 9:19 AM

                                                                                                                                Viability of second-hand still drives market demand, as people have an incentive to buy devices that have resale value. The counter-argument is that otherwise this device will become e-waste. This is still a conundrum, but "don't give your money to Google" remains the active topic here, so...

                                                                                                                            • immibis

                                                                                                                              today at 7:06 AM

                                                                                                                              Maybe you should buy good devices from any vendor, and the market will do what economists say it should do, and keep making those devices. (As if!)

                                                                                                                              • preisschild

                                                                                                                                today at 7:35 AM

                                                                                                                                But Google is one of the rare Android smartphone vendors that allows you to install a custom operating system, while still allowing the same security as with the default one (i.e. allowing bootloader re-locking with a custom key).

                                                                                                                            • zx8080

                                                                                                                              today at 4:53 AM

                                                                                                                              Is it a joke? Have you seen the list of supported devices?

                                                                                                                              https://grapheneos.org/releases

                                                                                                                              (Pixels only)

                                                                                                                                • falcor84

                                                                                                                                  today at 5:13 AM

                                                                                                                                  Is there anything about GrapheneOS that limits it to only Pixel devices, or was it just a prioritization decision?

                                                                                                                                    • nunobrito

                                                                                                                                      today at 7:21 AM

                                                                                                                                      It is sus as heck and just about everyone in cybersec was complaining about that weird decision.

                                                                                                                                      Go for Calyx or any other Android distro, they have zero difficulties in supporting more devices.

                                                                                                                                        • ghgr

                                                                                                                                          today at 8:00 AM

                                                                                                                                          Serious question: can you point out some serious complaints? They seem to have an exhaustive justification for their reasons to only support Pixels, see https://grapheneos.org/faq#future-devices

                                                                                                                                            • ruszki

                                                                                                                                              today at 10:32 AM

                                                                                                                                              This list always bugged me. If Pixel - for example - starts to introduce security patches slower, they will change this list... or even ignore it. If something more secure comes into the picture, they will change this list, and they will ditch supporting Pixel. If they don't, then it will be quite obvious that they formed this list only to meet Pixel's feature list. Also, Google can obviously satisfy this list more easily than any other company, so basically they created a moat for them.

                                                                                                                                          • rollcat

                                                                                                                                            today at 9:30 AM

                                                                                                                                            GrapheneOS developers are free to set their bar wherever they like it. It's an independent, non-profit foundation, driven by community contributions. They provide a web-based, hands-free installer. They offer their work for free, and owe nothing to anyone.

                                                                                                                                            Personally, I wish there was an open/libre device on the market that GrapheneOS could target.

                                                                                                                                            • hans_castorp

                                                                                                                                              today at 9:07 AM

                                                                                                                                              Calyx development has stopped.

                                                                                                                                          • preisschild

                                                                                                                                            today at 7:36 AM

                                                                                                                                            Yes. There aren't many Android smartphones that allow you to re-lock the bootloader after installing a custom operating system. Pixels are the only ones officially supporting `avb_custom_key`.

                                                                                                                                            https://github.com/chenxiaolong/avbroot/issues/299

                                                                                                                                • Perenti

                                                                                                                                  today at 5:08 AM

                                                                                                                                  I don't do banking on my phone. I really don't understand why anyone would. If I can't get to my PC or laptop, I'm probably near an ATM. I've already given so much autonomy to Google/Alphabet/Apple, I won't give them access to my bank account.

                                                                                                                                    • em-bee

                                                                                                                                      today at 5:13 AM

                                                                                                                                      even if you use a computer to do banking, like i do, some banks still require an app for 2FA, or windows...

                                                                                                                                      ATMs won't let me send money or do any other kind of maintenance

                                                                                                                                        • 1gn15

                                                                                                                                          today at 8:11 AM

                                                                                                                                          I think this depends on the ATM. OCBC ones do allow sending money digitally.

                                                                                                                                          Oh, and you can always send money by withdrawing cash and giving it to the other person physically.

                                                                                                                                          Or go to the bank branch, or write a cheque.

                                                                                                                                            • rollcat

                                                                                                                                              today at 9:36 AM

                                                                                                                                              I won't leave my home to type a 20-digit IBAN into an ATM.

                                                                                                                                              I won't travel to another city or country just to hand money in cash.

                                                                                                                                              I won't travel to a branch to... I have never ever written or received a cheque, what the heck even is a cheque? A piece of paper someone can photo-copy?

                                                                                                                                              I used to be able to do all of my banking from a web browser, from any browser/OS I liked. I've had a fob that displayed a 6-digit code rotating every 30s. This used to be simple and secure. What you propose is ludditism.

                                                                                                                              • stein1946

                                                                                                                                today at 5:19 AM

                                                                                                                                Again, technological measures against these kinds of attacks on ownership rights fall short and are probably what conglomerates want, since it keeps the tech people busy in a self-satisfying "fight" against the big corporation.

                                                                                                                                You need legislation.

                                                                                                                                  • 1gn15

                                                                                                                                    today at 8:13 AM

                                                                                                                                    This is the social solution. It's making users aware of the issue and pressuring them to not upgrade, and in the long run pressuring legislators to forbid such monopolistic practices if the average person dislikes it.

                                                                                                                                    • ajb

                                                                                                                                      today at 6:13 AM

                                                                                                                                      This.

                                                                                                                                      You can have a popup, but it must have a call-to-action. Explain to users how to fight this.

                                                                                                                                      • that_guy_iain

                                                                                                                                        today at 7:43 AM

                                                                                                                                        It's open source... We don't need legislation; you are free to do whatever you want, and open source provides those freedoms. You just want it to be the way you want it instead of it being the way that benefits the most people.

                                                                                                                                        This "fight" will always be lost, because the other side is 99% of the population and they want to stop scammers more than they want to enable you to publish software to a personal tracking device anonymously...

                                                                                                                                          • cubefox

                                                                                                                                            today at 8:17 AM

                                                                                                                                            99% of the population doesn't fall for scam apps outside the Play Store. They don't want to stop app scammers, because they don't have any issue with them. It's only a small minority which does, and which is supposed to justify the new restrictions in Android.

                                                                                                                                              • that_guy_iain

                                                                                                                                                today at 8:21 AM

                                                                                                                                                99% of the population wants to fight scammers; they don't want their grannies scammed. It 100% justifies it. Only entitled nerds think their silly edge cases matter more than everyone else.

                                                                                                                                                  • cubefox

                                                                                                                                                    today at 8:52 AM

                                                                                                                                                    The scams are also edge cases. Some people will always be stupid enough to hurt themselves with a 99% safe system.

                                                                                                                                                      • that_guy_iain

                                                                                                                                                        today at 9:07 AM

                                                                                                                                                        No, they're not. And by saying that, you're proven why the "fight" will also result in the other side winning. Ignorant, pedantic, arrogant, and entitled technical people vs the rest.

                                                                                                                                                          • jamesnorden

                                                                                                                                                            today at 11:51 AM

                                                                                                                                                            99.9% of scams on Android/iOS happen by making people install remote assistance apps from... the "100% safe" app stores. So, no, you're completely wrong.

                                                                                                                                                            • cubefox

                                                                                                                                                              today at 12:01 PM

                                                                                                                                                              Of course they are edge cases. How many people do you think install third-party apps on Android? Pretty sure hardly anyone does that.

                                                                                                                                                              Also, Windows works pretty well with software from third-party sources, or would you forbid them in Windows as well? Sure, there are the occasional crypto scams which disable a hospital here and there, but this can arguably be prevented by not giving non-admins admin permissions.

                                                                                                                                      • debugnik

                                                                                                                                        today at 7:12 AM

                                                                                                                                        > This library is licensed under the GPLv3.

                                                                                                                                        If the intention was to make it easier to spread the word, you've already failed.

                                                                                                                                        Anyway, this whole library should have been a copy-pastable snippet for a dialog or toast (what's with the duplicate code?); the only value added is the translation, which most app devs already have a pipeline for.

                                                                                                                                        The code part is so trivial that I suspect it doesn't even meet the legal bar for copyright protection in many jurisdictions.

                                                                                                                                          • rollcat

                                                                                                                                            today at 9:54 AM

                                                                                                                                            > Anyway, this whole library should have been a copy-pastable snippet for a dialog or toast

                                                                                                                                            People under-value copy-pasting. I'd rather copy/vendor a thousand lines of code (with license+credit intact) than add it as a dependency.

                                                                                                                                            I'm working on a side project, and needed a CPIO library for Go. CPIO is a fixed thing, a good implementation is "done". U-root[1] has a really decent implementation, so I've vendored 2500+ lines of code, as otherwise I'd have to (indirectly) depend on almost 700.000. Great value.

                                                                                                                                            [1]: https://github.com/u-root/u-root

                                                                                                                                            • woheller69

                                                                                                                                              today at 11:42 AM

                                                                                                                                              changed to Apache V2.0 license

                                                                                                                                              • lptome

                                                                                                                                                today at 9:12 AM

                                                                                                                                                Yeah this is very

                                                                                                                                                    npm i is-even

                                                                                                                                                • silverliver

                                                                                                                                                  today at 8:03 AM

                                                                                                                                                  OP, I recommend switching to the LGPLv3. It ensures users remain in control over your part of the code while avoiding this type of reaction.

                                                                                                                                                    • debugnik

                                                                                                                                                      today at 8:17 AM

                                                                                                                                                      Not really, it would have maybe avoided the first paragraph. I actually really like copyleft, but I assume the social statement here is more important than the code, thus making it easier to rally around it should be the priority.

                                                                                                                                                      A CC0 copy-pastable snippet, plus maybe this helper library with a permissive licence. The only way this would go popular is through slacktivism, so you need to remove any friction.

                                                                                                                                                  • woheller69

                                                                                                                                                    today at 11:38 AM

                                                                                                                                                    changed it to Apache V2.0 license

                                                                                                                                                • tempodox

                                                                                                                                                  today at 9:46 AM

                                                                                                                                                  > Google has announced that, starting in 2026/2027, all apps on certified Android devices will require the developer to submit personal identity details directly to Google. Since the developers of this app do not agree to this requirement, this app will no longer work on certified Android devices after that time.

                                                                                                                                                  I don’t have any hope that this will sway Google, but at least the users are being warned.

                                                                                                                                                  • johannes1234321

                                                                                                                                                    today at 11:18 AM

                                                                                                                                                    GPLv3 seems like a quite restrictive license for such a project. I would assume they want that note to be spread everywhere and while about user's freedom, the freedom for that code may be less relevant.

                                                                                                                                                      • woheller69

                                                                                                                                                        today at 11:39 AM

                                                                                                                                                        changed to Apache V2.0 license

                                                                                                                                                    • RobertEva

                                                                                                                                                      today at 8:20 AM

                                                                                                                                                      Nice timing. I’d probably just ship a simple in-app dialog instead of a whole dep, but the message matters. For non-root users, will ADB + “Unknown sources” remain the escape hatch once the new checks roll out?

                                                                                                                                                      • juliangmp

                                                                                                                                                        today at 9:47 AM

                                                                                                                                                        If this library is licensed under GPL, you can't really use it without relicensing your entire project, right?

                                                                                                                                                          • woheller69

                                                                                                                                                            today at 11:39 AM

                                                                                                                                                            changed to Apache V2.0 license

                                                                                                                                                        • ducktective

                                                                                                                                                          today at 7:06 AM

                                                                                                                                                          Didn't Google say that they're gonna provide an escape hatch for students and hobbyists? So, best case scenario, we just need to tap some label 5 times to enable side-loading again.

                                                                                                                                                            • rollcat

                                                                                                                                                              today at 10:00 AM

                                                                                                                                                              We have different definitions of an "escape hatch". A user is not an IT specialist. Ordinary people need unobstructed access to lifeboats.

                                                                                                                                                              Apple allows developers to self-sign a handful of apps (exclusively from source!) with short-lived certs - it's a complete PITA to maintain a simple app for personal use, and you still need an account. Google is heading in the same direction.

                                                                                                                                                              • charcircuit

                                                                                                                                                                today at 7:12 AM

                                                                                                                                                                You are able to get a limited number of app installs for your package for free.

                                                                                                                                                                https://developer.android.com/developer-verification/guides/...

                                                                                                                                                                  • rcxdude

                                                                                                                                                                    today at 7:23 AM

                                                                                                                                                                    Which still requires ID verification.

                                                                                                                                                                    • Y_Y

                                                                                                                                                                      today at 9:45 AM

                                                                                                                                                                      > You'll need > Your legal name and address. These need to be verified by uploading official identity documents.

                                                                                                                                                                      I don't have a "legal name". Sounds like some sovcit bullshit. I go by several names, none of which is canonical. Maybe other countries formalize this idea, but the countries where I am a citizen/resident do not.

                                                                                                                                                                      > A private email address and phone number for Google to contact you. These will need to be verified using a one-time password

                                                                                                                                                                      I love that email OTP is good enough for this, but apparently not for anything else, where I'll need an approved verified secure attested super official app.

                                                                                                                                                                        • charcircuit

                                                                                                                                                                          today at 10:48 AM

                                                                                                                                                                          > I don't have a "legal name". Sounds like some sovcit bullshit.

                                                                                                                                                                          Considering every country has passports and passports all have the person's legal name on them. And that the passport standard only supports having one name with a primary and secondary identifier. You must be mistaken.

                                                                                                                                                              • Tade0

                                                                                                                                                                today at 7:12 AM

                                                                                                                                                                All this has me wondering: what's the future of chroot-based tools like proot-distro? No app store here, just PPAs. Can largely run whatever the hell I want, provided it's distributed for the OS I'm currently running.

                                                                                                                                                                  • charcircuit

                                                                                                                                                                    today at 7:19 AM

                                                                                                                                                                    The future I see is that it gets rearchitected such that each app will correspond to an android app that way it follows the Android model properly. The current model of shoving everything into the same app is going to continually run into problems and is not the right way to do it long term. So essentially there will be a tool to easily convert a freedesktop Linux application to an android one.

                                                                                                                                                                    In regards to this new package name registration whoever is running the repo of such packages would register a new package name for each app.

                                                                                                                                                                • kikokikokiko

                                                                                                                                                                  today at 4:04 AM

                                                                                                                                                                  A little bit overkill to use a dependency to just show a dialog. I agree that Google ia making Android less and less free with every new release, but show a damn dialog, no need to use this.

                                                                                                                                                                    • Kwpolska

                                                                                                                                                                      today at 5:56 AM

                                                                                                                                                                      It's also pretty sloppily coded, with the same code repeated in both branches of the `if`...

                                                                                                                                                                      https://github.com/woheller69/FreeDroidWarn/blob/master/libr...

                                                                                                                                                                        • kikokikokiko

                                                                                                                                                                          today at 6:14 AM

                                                                                                                                                                          If it was 2023 I would say someone just vibecoded a trivial android piece of code. But nowadays Android studio comes with Gemini agent integrated, and I doubt it would produce such terrible redundancy on a code so simple.

                                                                                                                                                                      • Barbing

                                                                                                                                                                        today at 4:31 AM

                                                                                                                                                                        Sounds right. Though may aid in spreading the practice if it accumulates stars, goes viral on places like this?

                                                                                                                                                                          • nagamsreekar

                                                                                                                                                                            today at 4:46 AM

                                                                                                                                                                            [dead]

                                                                                                                                                                        • scotty79

                                                                                                                                                                          today at 4:48 AM

                                                                                                                                                                          I think creation of this repo is more of a statement than creation of utility.

                                                                                                                                                                            • ethersteeds

                                                                                                                                                                              today at 5:38 AM

                                                                                                                                                                              I would say it's both a statement and a way to encourage other developers to "speak with one voice". Like handing out printed signs at a protest.

                                                                                                                                                                          • Hackbraten

                                                                                                                                                                            today at 6:06 AM

                                                                                                                                                                            The library features localized warnings.

                                                                                                                                                                            • bubbi

                                                                                                                                                                              today at 4:19 AM

                                                                                                                                                                              [dead]

                                                                                                                                                                          • Krasnol

                                                                                                                                                                            today at 4:51 AM

                                                                                                                                                                            Wouldn't it be nice if, in this time of feeding our IDs to the machine, there would be someone who would also offer some nice and easy way to identify ourselves digitally? Maybe someone who sits on all that unverified advertisement tracking data already and somebody who has an AI agent to feed?

                                                                                                                                                                            I'm sure everybody would profit from that...

                                                                                                                                                                            https://blog.google/products/google-pay/google-wallet-age-id...

                                                                                                                                                                              • politelemon

                                                                                                                                                                                today at 5:00 AM

                                                                                                                                                                                Fascinating that the same company producing zero knowledge proof implementation didn't think to use it for the purpose they mention here. Do these departments not talk to each other?

                                                                                                                                                                                  • rippeltippel

                                                                                                                                                                                    today at 5:52 AM

                                                                                                                                                                                    It's Google we're talking about. Likely the left hand has no idea of what the right hand is doing. And it's got far more than two hands.

                                                                                                                                                                                    • IshKebab

                                                                                                                                                                                      today at 6:21 AM

                                                                                                                                                                                      What property would they prove? The whole point (supposedly anyway) is they know your actual identity in case you publish malware.

                                                                                                                                                                              • camdroidw

                                                                                                                                                                                today at 4:22 AM

                                                                                                                                                                                What would be my options as an end user who does not want to root his device?

                                                                                                                                                                                  • sjogress

                                                                                                                                                                                    today at 8:16 AM

                                                                                                                                                                                    Perhaps a Fairphone 6 with /e/OS (which is a de-googled Android)?

                                                                                                                                                                                    https://shop.fairphone.com/the-fairphone-gen-6-e-operating-s...

                                                                                                                                                                                    • aydyn

                                                                                                                                                                                      today at 4:28 AM

                                                                                                                                                                                      Cry in a corner ig?

                                                                                                                                                                                        • zx8080

                                                                                                                                                                                          today at 4:36 AM

                                                                                                                                                                                          Maybe use iPhone? There will not be many advantages left on Android side after that shit gets go.

                                                                                                                                                                                            • politelemon

                                                                                                                                                                                              today at 5:01 AM

                                                                                                                                                                                              Even without side loading there are several advantages and freedoms that Android has unmatched.

                                                                                                                                                                                                • littlecranky67

                                                                                                                                                                                                  today at 5:06 AM

                                                                                                                                                                                                  such as? Curious, because on iOS you can freely install browser extensions (adblockers like uBlock origin lite) from the get go. Still boggles my mind that Chrome does not allow extensions.

                                                                                                                                                                                                    • cyberax

                                                                                                                                                                                                      today at 6:28 AM

                                                                                                                                                                                                      Alternative browser engines, JIT-compilation support (enables apps like Koreader), ability to completely disable animations, etc.

                                                                                                                                                                                                        • littlecranky67

                                                                                                                                                                                                          today at 9:12 AM

                                                                                                                                                                                                          Alternate browser engines are now possible in the EU, there is just not much interest in porting to iOS. To me it sounds just bad UX that the first thing you need to do on Chrome to enable Adblock is to switch browser, vs. just installing an extension with the default browser that probably 90%+ of Android users use.

                                                                                                                                                                                                          • gkbrk

                                                                                                                                                                                                            today at 8:42 AM

                                                                                                                                                                                                            With sideloading being disabled, it takes a single decision from a Google employee to completely get rid of all browser engines and apps that use JIT.

                                                                                                                                                                                                    • import

                                                                                                                                                                                                      today at 5:42 AM

                                                                                                                                                                                                      Like what? I am curious what’s left

                                                                                                                                                                                                        • Aardwolf

                                                                                                                                                                                                          today at 6:19 AM

                                                                                                                                                                                                          Choice of running multiple browsers with different engines

                                                                                                                                                                                                  • scotty79

                                                                                                                                                                                                    today at 4:50 AM

                                                                                                                                                                                                    I might just move to whatever Chinese come up with. By 2027 their tech should be clearly superior in every way.

                                                                                                                                                                                            • userbinator

                                                                                                                                                                                              today at 4:59 AM

                                                                                                                                                                                              who does not want to root his device

                                                                                                                                                                                              Why not? Freedom isn't a given --- you need to fight for it.

                                                                                                                                                                                                • psychoslave

                                                                                                                                                                                                  today at 12:10 PM

                                                                                                                                                                                                  You can't expect people to go into fight mode for every single chunk of social interaction they engage in, and still be able to enjoy any moment of freedom.

                                                                                                                                                                                                  A society which values freedom should of course give a lot of it to its citizens, and expect them to defend and improve it for everyone.

                                                                                                                                                                                                  A society where freedom is never a given, is not going to foster much of it.

                                                                                                                                                                                                  • Kwpolska

                                                                                                                                                                                                    today at 5:49 AM

                                                                                                                                                                                                    Rooting a device will usually cause banking apps to stop working.

                                                                                                                                                                                                      • userbinator

                                                                                                                                                                                                        today at 5:53 AM

                                                                                                                                                                                                        There are still workarounds. The way to win is to keep fighting.

                                                                                                                                                                                                          • kikokikokiko

                                                                                                                                                                                                            today at 6:17 AM

                                                                                                                                                                                                            All banks in Brazil now use the Google Play Integrity api. I've been on rooted phones for almost 15 years, and I'll never not main a rooted phone. But for a couple years now, I have to keep a separate phone just to be able to use tha f*cking banks.

                                                                                                                                                                                                        • immibis

                                                                                                                                                                                                          today at 7:08 AM

                                                                                                                                                                                                          Then go to your bank and say hey, fix this or close my account

                                                                                                                                                                                                            • okanat

                                                                                                                                                                                                              today at 7:34 AM

                                                                                                                                                                                                              In many European countries this means you cannot have a online-activated bank account. Offline banking is paid and often expensive.

                                                                                                                                                                                                              • debugnik

                                                                                                                                                                                                                today at 7:24 AM

                                                                                                                                                                                                                And they'll gladly close it, them and every other bank. We lack alternatives so we lack leverage.

                                                                                                                                                                                                    • captainepoch

                                                                                                                                                                                                      today at 6:33 AM

                                                                                                                                                                                                      For now, there isn't an alternative. Maybe a Pixel phone and GrapheneOS with the sandboxed Play Store would be the only choice, but for now, nobody knows.

                                                                                                                                                                                                      • preisschild

                                                                                                                                                                                                        today at 7:40 AM

                                                                                                                                                                                                        Google Pixel + GrapheneOS

                                                                                                                                                                                                        If you want to know if your Banking App is compatible: https://privsec.dev/posts/android/banking-applications-compa...

                                                                                                                                                                                                        • add-sub-mul-div

                                                                                                                                                                                                          today at 5:15 AM

                                                                                                                                                                                                          I assume my S20+ won't get this because it's stopped getting anything but security updates. Sometime next year I'll look for the latest phone that's too old to get the new behavior.

                                                                                                                                                                                                            • rickdeckard

                                                                                                                                                                                                              today at 7:31 AM

                                                                                                                                                                                                              I assume this will not be rolled out as an OS-upgrade but as a Play services update, so it will be enrolled by Google directly to nearly all devices on the market.

                                                                                                                                                                                                      • maxlin

                                                                                                                                                                                                        today at 6:30 AM

                                                                                                                                                                                                        Based.

                                                                                                                                                                                                        I wonder how badly Google's shenanigans will affect sales of new Android devices too. I've been looking to buy a foldable at some point, but I'll have to make entirely sure it won't be of an effectively broken (too new) Android version.

                                                                                                                                                                                                          • ChocolateGod

                                                                                                                                                                                                            today at 6:39 AM

                                                                                                                                                                                                            I doubt then locking down side loading will make more than 1% difference. Most people just don't care.

                                                                                                                                                                                                            • littlecranky67

                                                                                                                                                                                                              today at 6:46 AM

                                                                                                                                                                                                              Well what is the alternative? Apple does the very same, even in the EU.

                                                                                                                                                                                                                • wiseowise

                                                                                                                                                                                                                  today at 6:56 AM

                                                                                                                                                                                                                  The single most prevailing argument for Android was always “sideloading”.

                                                                                                                                                                                                                  “You want sideload on Apple? Go buy an Android”

                                                                                                                                                                                                                  I see this change as win, personally.

                                                                                                                                                                                                                  a) it will finally shut the fuck up braindead sideload, Apple bootlicking, haters

                                                                                                                                                                                                                  b) EU can go after both Google and Apple to allow sideloading (one can only dream!)

                                                                                                                                                                                                                  Win-win.

                                                                                                                                                                                                          • everyone

                                                                                                                                                                                                            today at 4:11 AM

                                                                                                                                                                                                            Google seem to have the multi-pronged attack on Android devs going on atm. They are seemingly trying to take down as many apps and dev accounts as possible. Anyone know why?

                                                                                                                                                                                                            1. doxx yourself or they kill your account

                                                                                                                                                                                                            2. re-build every app with pointless newer api version literally every year or it gets taken down.

                                                                                                                                                                                                            3. Push an update or a new app or they kill your account.

                                                                                                                                                                                                            ..

                                                                                                                                                                                                            My guess is enshittification, some random exec is trying to save a few pennies in server and storage costs.

                                                                                                                                                                                                            ..

                                                                                                                                                                                                            I'd also say that google makes so much money from ads and data-brokering that everything else they do is not vital for their survival and thus undergoes a sort of "genetic drift" where they just make random decisions.

                                                                                                                                                                                                              • bloqs

                                                                                                                                                                                                                today at 5:27 AM

                                                                                                                                                                                                                background political lobbying. its part of the effort from most of the west (not the US yet) to verify users on devices to 'protect kids'

                                                                                                                                                                                                                • peddling-brink

                                                                                                                                                                                                                  today at 5:03 AM

                                                                                                                                                                                                                  > 1. doxx yourself or they kill your account

                                                                                                                                                                                                                  Combat abuse. I don't think this is a solvable problem, so obviously this won't be a silver bullet. But maybe it will impose more cost on the abusers, creating a nicer app store experience for everyone. Or maybe this only imposes cost on the honest ones? I don't know how much validation they do.

                                                                                                                                                                                                                  > 2. re-build every app with pointless newer api version literally every year or it gets taken down.

                                                                                                                                                                                                                  Fix vulns. This also gets rid of abandoned apps. It also probably provides an "opportunity" for the dev to agree to new T&C.

                                                                                                                                                                                                                  > 3. Push an update or a new app or they kill your account.

                                                                                                                                                                                                                  This one seems shakier to me, but it might feed into an effort to get rid of abandoned apps. But I disagree with this being healthy for the ecosystem, if that's actually the reason.

                                                                                                                                                                                                                  I'm not trying to defend google, but from working in FAANG, some of this is obvious. None of these things save a significant amount of server or storage costs. Some of it is clearly anti-abuse and efforts to defend themselves from the constant stream of crap that tries to make its way into the app store.

                                                                                                                                                                                                                  > everything else they do

                                                                                                                                                                                                                  Google isn't like some dude (sundar) making decisions. It's a bunch of millionaires and billionaires making decisions. There's some high level guidance, but the difference between different divisions is 100% based on who's running that particular show.

                                                                                                                                                                                                                    • 8n4vidtmkvmk

                                                                                                                                                                                                                      today at 5:46 AM

                                                                                                                                                                                                                      What's wrong with "abandoned" apps? I still use an app called DiskUsage. Not sure you can still get it on the store or it comes with scary warnings now. Continues to work great. Never found a replacement. Don't want a replacement. This one works.

                                                                                                                                                                                                                      When an app works but keeps getting updated, that means the enshittification is starting. How else do you extract money out of a completed app?

                                                                                                                                                                                                                      • fer

                                                                                                                                                                                                                        today at 5:39 AM

                                                                                                                                                                                                                        I thought this applies to every app regardless the app store it comes from? Including side loading. The Play Store is already "sanitised".

                                                                                                                                                                                                                    • tomrod

                                                                                                                                                                                                                      today at 4:22 AM

                                                                                                                                                                                                                      Google cut off their own revenue legs with AI suggestions instead of ads.

                                                                                                                                                                                                                      That's okay, they jumped the shark when the imperative for ads took over.

                                                                                                                                                                                                                      • pixxel

                                                                                                                                                                                                                        today at 5:34 AM

                                                                                                                                                                                                                        [dead]

                                                                                                                                                                                                                    • zx8080

                                                                                                                                                                                                                      today at 4:34 AM

                                                                                                                                                                                                                      > Add the JitPack repository to your root build.gradle

                                                                                                                                                                                                                      How many MB (KB?) does this dependency add to the APK?

                                                                                                                                                                                                                        • nulld3v

                                                                                                                                                                                                                          today at 4:46 AM

                                                                                                                                                                                                                          Given that it's just a couple lines of code and has no other dependencies other than AppCompat (which nearly all apps already use), the increase in size would be negligible (<4KB).

                                                                                                                                                                                                                          EDIT: The AAR file is 26KB: https://jitpack.io/com/github/woheller69/FreeDroidWarn/V1.3/... But most of it looks to be from R.txt and I think that file gets deduped/compressed during app packaging?

                                                                                                                                                                                                                      • TheDong

                                                                                                                                                                                                                        today at 4:10 AM

                                                                                                                                                                                                                        "Copyright GPL"

                                                                                                                                                                                                                        I don't think this meets the bar for copyrightable code. Copyright protects creative expression. Displaying a single dialogue does not take creative expression, and pretty much any developer given the task would produce code identical to this.

                                                                                                                                                                                                                          • croemer

                                                                                                                                                                                                                            today at 4:22 AM

                                                                                                                                                                                                                            Don't complain about the license. The license removes any doubt. You can happily use it without having to worry. If there was no license you'd have uncertainty.

                                                                                                                                                                                                                            Also you're misquoting. The license is GPL-3, not AGPL.

                                                                                                                                                                                                                              • TheDong

                                                                                                                                                                                                                                today at 4:40 AM

                                                                                                                                                                                                                                I'm not complaining about the license, I'm complaining about the library size.

                                                                                                                                                                                                                                Something that is too small to be considered creative should be a documented example you copy and adopt into your app, not a dependency.

                                                                                                                                                                                                                                The only exceptions to this are things like "A dependency that contains all unicode planes and categorizes characters", which isn't creative, but is useful and too large to copy-paste, and also updates over time.

                                                                                                                                                                                                                                Or the timezone database file, another case of something that should be "public domain" knowledge (uncopyrightable), but makes sense as a dependency.

                                                                                                                                                                                                                                This is not that sort of thing.

                                                                                                                                                                                                                                  • croemer

                                                                                                                                                                                                                                    today at 10:39 AM

                                                                                                                                                                                                                                    You can't copy paste all the localizations for example. Go make a copy-pasteable version if it's so easy.

                                                                                                                                                                                                                            • chrismorgan

                                                                                                                                                                                                                              today at 4:47 AM

                                                                                                                                                                                                                              Have you looked at the code? I sure wouldn’t produce exactly that. Even for identical functionality, its FreeDroidWarn.java methods are 30 lines, I’d write it in 13 lines. I also wouldn’t write exactly the same strings (some stylistic changes, some being specific rather than generic as is somewhat necessary for a library), and definitely couldn’t produce 17 other translations.

                                                                                                                                                                                                                              This easily meets thresholds for creative work. The basic concept is nigh-trivial, but the concrete implementation is still creative.

                                                                                                                                                                                                                              • ronsor

                                                                                                                                                                                                                                today at 4:13 AM

                                                                                                                                                                                                                                Yes, this code is almost as trivial as a hello world.

                                                                                                                                                                                                                                  • woheller69

                                                                                                                                                                                                                                    today at 11:46 AM

                                                                                                                                                                                                                                    Yeah, I just wanted to have something I can add with a line of code to my 20+ apps on F-Droid including all translations. It is Apache now

                                                                                                                                                                                                                                • woheller69

                                                                                                                                                                                                                                  today at 11:40 AM

                                                                                                                                                                                                                                  Changed to Apache V2.0 license.

                                                                                                                                                                                                                                  • userbinator

                                                                                                                                                                                                                                    today at 4:45 AM

                                                                                                                                                                                                                                    and pretty much any developer given the task would produce code identical to this.

                                                                                                                                                                                                                                    That I doubt; it seems more like it's deliberately large and complex enough to be copyrightable, because otherwise it wouldn't be.