The head of the Signal app has criticized plans in the EU to allow messengers to have backdoors to enable automatic searches for criminal content. Signal is considered one of the most secure messengers.
You misidentified your objection.
It isn’t sideloading removal, which isn’t happening.
It’s developer verification, which affects the sideloading that remains available.
Just because you don’t understand the value of verifying signatures doesn’t mean it lacks value.
I recall the same alarm over secureboot: there, too, we can (load our certificates into secureboot and) sign everything ourselves.
This locks down the system from boot-time attacks.
I will never ever ever be able to get friends and family access to third-party applications after this change.
Then sign it: problem solved.
Developer verification should also give them a hard enough time to install trash that fucks their system and steals their information when that trash is unsigned or signed & suspended.
That’s twice that you’ve missed the point that everyone else is saying. Read it again:
without me nor the developer having to kiss the ring of Google or by extension the regulators (EU with Chat Control) that they are beholden to
Google is irreversibly designating themselves the sole arbiter of what apps can be freely installed in the formerly-open Android ecosystem. It’s the same as if they just one day decided that Chromium-based browsers would require sites have a signature from Google and Google alone. I honestly don’t give a shit if they did it just on Pixel devices, but they’re doing it to the phones of ALL manufacturers by looping it into Play services.
I just don’t understand: why the fuck are you so pussy-whipped by Google that you’re stanning their blatant power grabs?
I don’t understand why you can’t read: (1) developer verification can be disabled, bypassed, or worked with, (2) you called it sideloading removal, which it isn’t.
You just don’t like the extra steps that limit the ease for ignorant users to install software known to be malicious that could have been blocked.
I don’t like handholding my dumbass folks through preventable IT problems they created.
This does fuck all for “security”. It’s targeting, mainly, power users and puts just more hoops for developers. This has nothing with security (they should purge malware from Play store first) and everything to do with consolidating power over users.
It’s a blatant power grab and I’m surprised to see this interpreted as anything else. Arguing about semantics just helps Google fuck everyone over.
So let me buy a goddamn phone that I can install what I want in it. Again, I do not give a shit about any phone manufacturers that want to make a walled garden out of their Android installations. I agree, it’s perfect for the grandmas of the world. But Google is forcibly doing this to every goddamn phone, phone manufacturer, and Android enthusiast.
The only silver lining is that whenever Google decides that unregulated social media services like Lemmy are not family-safe I won’t have to listen to your malicious horseshit.
forcibly doing this to every goddamn phone, phone manufacturer, and Android enthusiast
They can manage.
whenever Google decides that unregulated social media services like Lemmy are not family-safe I won’t have to listen to your malicious horseshit
So casual users can get wrecked, yet I’m malicious?
Maybe think of users other than yourself, weigh the potential losses to them by successful attacks, and consider whether OS designers have a legitimate claim in preventing exposure of known threats to casual users while still allowing power users to bypass those checks.
You’re assuming I use an Android app (trash) to get on here, and not a proper workstation or web browser.
You’re welcome to this “malicious horseshit” for eternity.
developer verification can be disabled, bypassed, or worked with
In reality this is useless given the technical capabilities (or access to the technology necessary) of nearly every android user. What percentage of them do you think has the capacity and capability to use ADB?
you called it sideloading removal, which it isn’t.
Strictly it ticks the box, however effectively it is sideloading removal. Arguing otherwise honestly makes me think you work for them. It’s such obvious marketing bullshit “Oh, we left this tiny window open to tick the box which people can use, but almost certainly not you and even if you are capable, it’s a pain in the arse”. There are lots of intelligent people in my house. I’m the only one capable of using ADB without enormous effort, making it a deliberately huge barrier and even I’m not going to do it to install a trusted open source app.
Let’s be clear; the only reason they left that little window open was to have people like you say “no, sideloading is still possible” to cover their arses legally and also for actual developers, not because they care about an open ecosystem.
What percentage of them do you think has the capacity and capability to use ADB?
All of them: they can follow procedures, plug a cable, and push buttons if they really want to.
Most won’t bother: capacity isn’t willpower.
it’s a pain in the arse
That’s the idea: welcome to an effective deterrent.
even I’m not going to do it to install a trusted open source app
Good, then it’ll deter as designed.
the only reason
Nah, the use cases are legitimate:
It will actually deter installation of malicious software once it’s been identified & flagged that way in their system.
It also verifies install packages haven’t been tampered (possibly maliciously) from their original releases.
Malicious software on devices connected to everything including highly sensitive information poses high-cost risks that you & casual users overlook because muh inconvenience 😭.
If casual users can’t bother with a straightforward procedure as you say, then how prepared are they to handle the real challenges of a successful attack?
From a security perspective, it makes sense for OS designers to choose to limit exposure to that threat to power users who can be expected to at least have a better idea of what they’re getting themselves into.
Google employee confirmed. Absolute trash reasoning verging on trolling it’s so ridiculous. Wild that you arguing so vehemently in favour of reduced access to use your hardware the way you want.
All of them
Laughable. You’ve obviously never worked in any kind of customer support role.
Most people are going to melt at the steps necessary to use adb.
capacity isn’t willpower.
By capacity I meant access to hardware. There are so many people in poorer countries out there that don’t have a laptop, permission to start using one for installing adb on it but also have an android phone.
welcome to an effective deterrent.
I don’t want an effective deterrent that effectively kills fdroid and the like. That’s the whole point. I’ve favoured android because it’s more open. The talking points in favour of it pale in comparison to the loss of freedom.
If casual users can’t bother with a straightforward procedure
Honestly just jog on. Please. It is not a straightforward procedure and my threat model shouldn’t need to include the steps you outline. There are already barriers in place that put off casual users.
The fact that you want people to stop installing open source apps that they trust is honestly deranged. Deranged.
You misidentified your objection. It isn’t sideloading removal, which isn’t happening. It’s developer verification, which affects the sideloading that remains available.
Just because you don’t understand the value of verifying signatures doesn’t mean it lacks value.
I recall the same alarm over secureboot: there, too, we can (load our certificates into secureboot and) sign everything ourselves. This locks down the system from boot-time attacks.
Then sign it: problem solved.
Developer verification should also give them a hard enough time to install trash that fucks their system and steals their information when that trash is unsigned or signed & suspended.
Even so, it’s mentioned only in regard to devices certified for and that ship with Play Protect, which I’m pretty sure can be disabled.
Promise kept.
No, I don’t. Developers are always going to need some way to load their unfinished work.
That’s twice that you’ve missed the point that everyone else is saying. Read it again:
Google is irreversibly designating themselves the sole arbiter of what apps can be freely installed in the formerly-open Android ecosystem. It’s the same as if they just one day decided that Chromium-based browsers would require sites have a signature from Google and Google alone. I honestly don’t give a shit if they did it just on Pixel devices, but they’re doing it to the phones of ALL manufacturers by looping it into Play services.
I just don’t understand: why the fuck are you so pussy-whipped by Google that you’re stanning their blatant power grabs?
Probably works at google or is a fanboy.
They’re being precise about their terms, while everyone else is being sloppy. Not stanning
I don’t understand why you can’t read: (1) developer verification can be disabled, bypassed, or worked with, (2) you called it sideloading removal, which it isn’t.
You just don’t like the extra steps that limit the ease for ignorant users to install software known to be malicious that could have been blocked. I don’t like handholding my dumbass folks through preventable IT problems they created.
This does fuck all for “security”. It’s targeting, mainly, power users and puts just more hoops for developers. This has nothing with security (they should purge malware from Play store first) and everything to do with consolidating power over users.
It’s a blatant power grab and I’m surprised to see this interpreted as anything else. Arguing about semantics just helps Google fuck everyone over.
So let me buy a goddamn phone that I can install what I want in it. Again, I do not give a shit about any phone manufacturers that want to make a walled garden out of their Android installations. I agree, it’s perfect for the grandmas of the world. But Google is forcibly doing this to every goddamn phone, phone manufacturer, and Android enthusiast.
The only silver lining is that whenever Google decides that unregulated social media services like Lemmy are not family-safe I won’t have to listen to your malicious horseshit.
Seems you don’t care about grandmas & gen z.
They can manage.
So casual users can get wrecked, yet I’m malicious? Maybe think of users other than yourself, weigh the potential losses to them by successful attacks, and consider whether OS designers have a legitimate claim in preventing exposure of known threats to casual users while still allowing power users to bypass those checks.
You’re assuming I use an Android app (trash) to get on here, and not a proper workstation or web browser. You’re welcome to this “malicious horseshit” for eternity.
In reality this is useless given the technical capabilities (or access to the technology necessary) of nearly every android user. What percentage of them do you think has the capacity and capability to use ADB?
Strictly it ticks the box, however effectively it is sideloading removal. Arguing otherwise honestly makes me think you work for them. It’s such obvious marketing bullshit “Oh, we left this tiny window open to tick the box which people can use, but almost certainly not you and even if you are capable, it’s a pain in the arse”. There are lots of intelligent people in my house. I’m the only one capable of using ADB without enormous effort, making it a deliberately huge barrier and even I’m not going to do it to install a trusted open source app.
Let’s be clear; the only reason they left that little window open was to have people like you say “no, sideloading is still possible” to cover their arses legally and also for actual developers, not because they care about an open ecosystem.
All of them: they can follow procedures, plug a cable, and push buttons if they really want to. Most won’t bother: capacity isn’t willpower.
That’s the idea: welcome to an effective deterrent.
Good, then it’ll deter as designed.
Nah, the use cases are legitimate:
Malicious software on devices connected to everything including highly sensitive information poses high-cost risks that you & casual users overlook because muh inconvenience 😭. If casual users can’t bother with a straightforward procedure as you say, then how prepared are they to handle the real challenges of a successful attack?
From a security perspective, it makes sense for OS designers to choose to limit exposure to that threat to power users who can be expected to at least have a better idea of what they’re getting themselves into.
Google employee confirmed. Absolute trash reasoning verging on trolling it’s so ridiculous. Wild that you arguing so vehemently in favour of reduced access to use your hardware the way you want.
Laughable. You’ve obviously never worked in any kind of customer support role.
Most people are going to melt at the steps necessary to use adb.
By capacity I meant access to hardware. There are so many people in poorer countries out there that don’t have a laptop, permission to start using one for installing adb on it but also have an android phone.
I don’t want an effective deterrent that effectively kills fdroid and the like. That’s the whole point. I’ve favoured android because it’s more open. The talking points in favour of it pale in comparison to the loss of freedom.
Honestly just jog on. Please. It is not a straightforward procedure and my threat model shouldn’t need to include the steps you outline. There are already barriers in place that put off casual users.
The fact that you want people to stop installing open source apps that they trust is honestly deranged. Deranged.
Adb is functionally useless for most people.