The most controversial claim in this letter is in the section that "Existing Measures Are Sufficient."<p>In Google's announcement in Nov 2025, they articulated a pretty clear attack vector. <a href="https://android-developers.googleblog.com/2025/11/android-developer-verification-early.html" rel="nofollow">https://android-developers.googleblog.com/2025/11/android-de...</a><p>> <i>For example, a common attack we track in Southeast Asia illustrates this threat clearly. A scammer calls a victim claiming their bank account is compromised and uses fear and urgency to direct them to sideload a "verification app" to secure their funds, often coaching them to ignore standard security warnings. Once installed, this app — actually malware — intercepts the victim's notifications. When the user logs into their real banking app, the malware captures their two-factor authentication codes, giving the scammer everything they need to drain the account.</i><p>> <i>While we have advanced safeguards and protections to detect and take down bad apps, without verification, bad actors can spin up new harmful apps instantly. It becomes an endless game of whack-a-mole. Verification changes the math by forcing them to use a real identity to distribute malware, making attacks significantly harder and more costly to scale.</i><p>I agree that mandatory developer registration feels too heavy handed, but I think the community needs a better response to this problem than "nuh uh, everything's fine as it is."<p>A related approach might be mandatory developer registration for certain extremely sensitive permissions, like intercepting notifications/SMSes...? Or requiring an expensive "extended validation" certificate for developers who choose not to register...?
> I agree that mandatory developer registration feels too heavy handed, but I think the community needs a better response to this problem than "nuh uh, everything's fine as it is."<p>Why would the community give a different response? Everything <i>is</i> fine as it is. Life is not safe, nor can it be made safe without taking away freedom. That is a fundamental truth of the world. At some point you need to treat people as adults, which includes letting them make very bad decisions if they insist on doing so.<p>Someone being gullible and willing to do things that a scammer tells them to do over the phone is not an "attack vector". It is people making a bad decision with their freedom. And that is not sufficient reason to disallow installing applications on the devices they own, any more than it would be acceptable for a bank to tell an alcoholic "we aren't going to let you withdraw your money because we know you're just spending it at the liquor store".
What if we asked users if they want extra protection? I think that would be nice..
This is the status quo. APK installation is disabled by default, and there is a warning when you go to enable it.
The point is "a warning" is not enough to communicate to people the gravity of what they are doing.<p>It is not enough to write "be careful" on a bag you get from a pharmacy... certain medications require you to both have a prescription, and also to <i>have a conversation with a pharmacist</i> because of how dangerous the decisions the consumer makes can be.<p>Normal human beings can be very dumb. It's entirely reasonable to expect society to try to protect them at some level.
You can add 5 layers of "are you sure you want to do this unsafe thing" and it just adds 5 easy steps to the scam where they say "agree to the annoying popup"
You could even make this an installation-time option. If you want to enable the switch afterwards, you have to do a factory reset. Then, the attackers convincing the victims would get nothing.
then make the unlock cost money<p>relatively easy for devs, but hard to scale for scammers
If those bad decisions have a lot of higher order effects and they turn out to be very costly for society, then limiting freedom seems worth it.<p>And it seems Google thinks society is beginning to unravel in SEA due to scammers. Trust breaks down, people stop using phones to do important things, GDP can shrink, banks go back to cheques, trees will be cut down!!<p>It's bad to let people go and catch the zombie virus and the come back and spread it, right?<p>...<p>I don't like it, but the obvious decision is to set up a parallel authority that can issue certificates to developers (for side loading), so we don't have to trust Google. Let the developer community manage this. And if we can't then Google can revoke the intermediary CA. And of course Google and other manufacturers could sell development devices that are unlocked, etc.
This is a terrible response as a Software Developer by the way. You can just use this to ignore any security concern.<p>It signals that you don't care much about security, and that you don't care about non-technical users, and don't even have the capacity to see how they view a system.<p>Sure, you can analyze domain names effectively, you can distinguish between an organic post and an ad, you know the difference between Read and Write permissions to system files, etc...<p>But can you put yourself on the shoes of a user that doesn't? If not, you are rightfully not in a position as a steward of such users, and Google is.
The reality in South East Asia doesn't support that. You're assuming that the potential victims are able to either use Android alternative or that they are willing and able to educate themselves about scams. The reality in these countries is that neither is the case in practice. Daily lives depend a lot on smartphones and they play a big role in cashless financial transactions. Networking effects play a big role here. Android devices are the only category that is both widely available and affordable.<p>Education is also not that effective. Spreading warnings about scams is hard and warnings don't reach many people for a whole laundry list of reasons.<p>The status quo is decidedly not fine. Society must act to protect those that can't protect themselves. The only remaining question is the how.<p>Google has an approach that would work, but at a high cost. Is there an alternative change that has the same effects on scammers, but with fewer issues for other scenarios?
The status quo may not be perfect but it is the best we can do. We try to educate people about scams. We give them warnings that what they are doing can be dangerous if misused. If they choose to ignore those things and proceed anyway, the only further step society could take is to take away the person's freedom to choose. And that is an unacceptable solution.
Society takes away individual's freedom to choose all the time. You can't choose not to pay your taxes. You can't choose to board a passenger plane without passing a security check. You can't just get a loan without any guarantees to the bank etc.<p>Education isn't really working at this global scale. It doesn't reach people the way you seem to belive it does. Many, if not most people are generally disinterested in learning new things and this gets amplified when it involves technology.
> The status quo may not be perfect but it is the best we can do.<p>Nope. We could, for example, ask developers to register with their legal identity to release apps.
That would be worse than the status quo.
the open source community should ask for their own install key and that's it<p>Play store can be fast and verification based and the F/OSS stores can be slower, reputation and review based.<p>...<p>But fundamentally the easiest thing is to ask people to pay to unlock the phone's security barriers, this makes it harder and costlier for scammers.
> <i>Life is not safe, nor can it be made safe without taking away freedom.</i><p>So... no food and safety regulations, because life is not safe, and people should have the freedom to poison food with cheaper, lethal ingredients because their freedom matters more?<p>You're right that things can't be made more safe without taking away the freedom to harm people. Which is why even the most freedom-loving countries on earth <i>strike a balance</i>. They actually have <i>tons</i> and <i>tons</i> of safety regulations that save <i>tons</i> and <i>tons</i> of lives, even you from your point of view that means not "treating people as adults". You have to wear a seatbelt, even if you feel like you're not being treated like an adult. Because it's also not just your own life you're putting at risk, but your passengers' as well.<p>You're taking the most extreme libertarian stance possible. Thank goodness that's an extremely minority view, and that the vast, vast majority of voters do actually think safety is important.
Thank goodness there are FOSS options, even for mobile phones, and none of us are required to accept proprietary junk.<p>If they make FOSS illegal, guess I’ll be a criminal. Come and take it.
Your analogy is <i>terrible</i> because it doesn't do a proper accounting of "harm" and "risk."<p>Food and seatbelts, that's literal health and life-and-death; very immediate and visible.<p>"Cybersecurity" rarely is; and even when it is, the problem is that the centralized established authorities (like google) aren't at all provably good at this.
Your post is addressing a strawman, not what I said. But to answer the words you so ungraciously put in my mouth:<p>> So... no food and safety regulations, because life is not safe, and people should have the freedom to poison food with cheaper, lethal ingredients because their freedom matters more?<p>This is harm to others and is very obviously something we should enforce. There are unreasonable laws about food (banning the sale of raw milk cheese for example, which most of the world enjoys with perfect safety), but by and large they are unobjectionable.<p>> You're right that things can't be made more safe without taking away the freedom to harm people. Which is why even the most freedom-loving countries on earth strike a balance.<p>I never said I was opposed to striking a balance. Of course we can strike a balance. Indeed we already have when it comes to installing apps on Android. But these measures are being advanced as if safety were the only consideration, which it isn't.<p>> You're taking the most extreme libertarian stance possible.<p>No, that is what you have projected onto me. That's not actually what my stance is.
> At some point you need to treat people as adults, which includes letting them make very bad decisions if they insist on doing so.<p>That's right, it's your decision to use Android. If you choose to do so, that's on you.
If there was a choice to a non-walled garden. It has been taken away, how can you bank without one of the two?
You're right, all Android users who are upset about this change are free to switch to iOS.
Right like someone who can only afford a $100 phone can buy the cheapest iPhone which is 5x more expensive.<p>This is about like the geeks who hate the idea of ad supported services and think that everyone should just pay for every service they use.<p>FWIW: I do exclusively buy Apple devices, pay for streaming services ad free tier, the Stratechery podcast bundle, ATP and the Downstream podcasts and Slate. I also pay for ChatGPT and refuse to use any ad supported app or game.
> At some point you need to treat people as adults, which includes letting them make very bad decisions if they insist on doing so.<p>The world does not consist of all rational actors, and this opens the door to all kinds of exploitation. The attacks today are very sophisticated, and I don't trust my 80-yr old dad to be able to detect them, nor many of my non-tech-savvy friends.<p>> any more than it would be acceptable for a bank to tell an alcoholic "we aren't going to let you withdraw your money because we know you're just spending it at the liquor store".<p>This is a false equivalence.
It's not a false equivalence at all. Both situations are taking away someone's control of something that they own, borne from a paternalistic desire to protect that person from themselves. If one is acceptable, the other should be. Conversely if one is unacceptable, the other should be unacceptable as well. Either paternalistic refusal to let people do as they wish is ok, or it isn't.
Maybe not, but I think that overextending any idea like that in the opposite direction of whatever point you are trying to make at least devolves into a "slippery slope" argument. For instance, is your point that all security on phones that impede freedom of the user (for instance, HTTPS, forced password on initial startup, not allowing apps to access certain parts of the phone without user permissions, verifying boot image signatures) should be removed as well?
No, that's not my point at all. Measures such as that are a tool which is in the hands of the user. There is a default restriction which is good enough for most cases, but the user has the ability to open things up further if he needs. What Google is proposing takes control out of the user's hands and makes Google the sole arbiter of what is and is not allowed on the device.
None of the measures I mentioned are changeable by the user, except possibly sideloading an HTTPS certificate. That's the only way any of those measures even work; if it wasn't set as invariants by the OS, they would be bypassable.<p>>There is a default restriction which is good enough for most cases, but the user has the ability to open things up further if he needs.<p>But this is what the other guy's point is. You are defining "good enough for most cases" in a way that he is not, then making the argument that what he says is equivalent to not allowing an alcoholic to buy beer. Why can you set what level is an acceptable amount of restriction, but he can't?
But it's not a slippery slope, because it's not taking it to the next level. It's the same level, just a different thing.
The alcoholic knows the bad outcomes, and chooses to ignore them. The hapless Android user does not understand the negative consequences of sideloading. I think this makes for a substantial differerence between those two.
Protecting from scams isn't protection from the victim themselves. That should be obvious from the fact that very intelligent and technologically literate people too can fall for phishing attacks. Tell me for example, how many people in your life know how a bank would ACTUALLY contact you about a suspected hijacking and what the process should look like? And how about any of the dozens of other cover stories used? Not to mention the situations where the scammers can use literally the same method of first contact as the real thing (eg. spoofed).
...And the fact that for example email clients do their best to help them by obscuring the email address and only showing the display name, because that's obviously a good idea.
> Protecting from scams isn't protection from the victim themselves.<p>That is where we differ. It is, ultimately, the victim of a scam who makes the choice of "yes, this person is trustworthy and I will do what they say". The only way to prevent that is to block the user from having the power to make that decision, which is to say protecting them from themselves.
But the proposal here, requiring <i>developers</i> to register their identities, doesn't actually impact consumers at all. They still have the ability to make the decision about whether or not to trust someone.
<i>None</i> of these things requires "locking down phones." Every single thing you've mentioned can be done in a smarter way that doesn't involve "individuals aren't allowed to modify the devices they purchase."
There is some world where somebody scammed through sideloading loses their life savings, and every country is politically fine with the customer, not the bank, taking the losses.<p>But for regular people, that is not really the world they want. If the bank app wrongly shows they’re paying a legitimate payee, such as the bank, themselves or the tax authority, people politically want the bank to reimburse.<p>Then the question becomes not if the user trusts the phone’s software, but if the <i>bank</i> trusts the software on the user’s phone. Should the bank not be able to trust the environment that can approve transfers, then the bank would be in the right to no longer offer such transfers.
If the actual bank app does that, or is even easy to fool into doing that, then the bank <i>should</i> be responsible. That's the world "regular people" want and it's the world as it should be.<p>If random malware the user chose to install does that, then that is <i>not the bank's fault</i>. The bank is no more involved than anybody else. And no, I don't think "regular people" want to make that the bank's fault.
The legal infrastructure for banking and securities ownership has long had defaults for liability assignment.<p>For securities, if I own stock outright, the company has to indemnify if they do a transfer for somebody else or if I lack legal capacity. So transfer agents require Medallion Signature Guarantees from a bank or broker. MSGs thereby require a lengthy banking relationship and probably showing up in person.<p>For broker to broker transfers, there is ACATS. The receiving broker is in fact liable in a strict, no-fault way.<p>As far as I know, these liabilities are never waived. Basically for the sizable transfers, there is relatively little faith in the user’s computers (including phones). To the extent there is faith, it has total liability on some capitalized party for fraud.<p>These defaults are probably unknown for most people, even those with large amounts of securities. The system is expected to work since it has been set up this way.<p>Clearly a large number of programmers have a bent to go the complete opposite direction from MSGs, where everything is private keys or caveat emptor no matter the technical sophistication of the customer. I, well, disagree with that sentiment. The regime where it’s possible for no capitalized entity to be liable for wrongful transfers (defined as when the customer believes they are transferring to a different human-readable payee than actually receiving funds) should not be the default.
Keeeep going.<p>Are banks POWERFUL? Do they have lots of money and/or connections to those who do? Do they have a vested interest in getting transactions right?<p>Absolutely!<p>Now, with all that money and power -- they -- whoever THEY are, need to come up with smart ways to verify transactions that don't involve me giving them all the keys to all my devices.<p>We have protections like this elsewhere - even when they have some "ownership." The bank kinda owns my house, but they still can't come in whenever they want.
Why do banks go through all the know-your-customer (KYC) process if not to identify the beneficial owner of every account? If they receive a transfer via fraud, then they either get it clawed back, have to pay it back, and/or get identified to law enforcement. If the last bank in the chain doesn't want to play by the rules, then other banks shouldn't transfer into them, or that bank itself should be held liable.<p>This is more or less how people expect things to work today ....
In the case of some knowing or blindfully unknowing money mule in the chain or at the end of the chain, the intermediary or final banks may not be at fault. The bank could have followed KYC procedures in that somebody with that name actually existed who controlled the account.<p>The money mule themselves is almost certainly insolvent to pay the damages. Currencies can also change by the money mule (either to a different fiat currency or crypto), putting the ultimate link completely out of reach of the originating country.<p>If intermediary banks are deputized and become liable in a no-fault sense, then legitimate transfers out become very difficult. How does a bank prove a negative for where the funds come from? De-banking has already been a problem for a process-based AML regime.
I'm a "regular" person, as are all the signatories, and you don't speak for us.
I am the author of the letter and the coordinator of the signatories. We aren't saying "nuh uh, everything's fine as it is." Rather, we are pointing out that Android has progressively been enhanced over the years to make it more secure and to address emerging new threat models.<p>For example, the "Restricted Settings"¹ feature (introduced in Android 13 and expanded in Android 14) addresses the specific scam technique of coaching someone over the phone to allow the installation of a downloaded APK. "Enhanced Confirmation Mode"², introduced in Android 15, adds furthers protection against potentially malicious apps modifying system settings. These were all designed and rolled out with specified threat models in mind, and all evidence points to them working fairly well.<p>For Google to suddenly abandon these iterative security improvements and unilaterally decide to lock-down Android wholesale is a jarring disconnect from their work to date. Malware has always been with us, and always will be: both inside the Play Store and outside it. Google has presented no evidence to indicate that something has suddenly changed to justify this extreme measure. That's what we mean by "Existing Measures Are Sufficient".<p>[^1]: <a href="https://support.google.com/android/answer/12623953" rel="nofollow">https://support.google.com/android/answer/12623953</a><p>[^2]: <a href="https://android.googlesource.com/platform/prebuilts/fullsdk/sources/+/refs/heads/androidx-xr-arcore-release/android-35/android/app/ecm/EnhancedConfirmationManager.java" rel="nofollow">https://android.googlesource.com/platform/prebuilts/fullsdk/...</a>
I guess it's too late now, but I think "sufficient" is much too strong a word to use for that position, and puts Google in a position where they can disregard you because they "know" that existing measures aren't "sufficient."<p>"Existing measures are working," perhaps?
Would you say that iOS ecosystem suffers the same rate of malware as Android?
Not OP, but my experience was most of the malware-like apps on App Store were top ads of apps with names similar to the original ones: such as Whatsapp or Office.
There could be many other factors, like abysmal patch policies. Many vendors still only do Android Security Bulletins (which are only vulnerabilities marked as <i>high</i> and <i>critical</i>), do them late (despite a three month embargo for patches), very delayed device firmware updates, and sometimes only for two or three years.<p>Many Android phones still do not have a separate secure element.<p>Also, the Play Store itself regularly contains malware.<p>In the end it is mostly about control, dressed up as protecting users. If it was about security, Google would support GrapheneOS remote attestation for Google Pay (for being the most secure Android variant) and cut off many existing phones with deplorable security.
The app store does contain malware, although arguably less than the play store. Apple devices would be much more secure without the app store. Apple should remove the app store.
Of course not.<p>In other news, a new study shows that cutting off your feet is 100% effective against athlete's foot.
> <i>all evidence points to them working fairly well.</i><p>What is this evidence? Please share it.
Like you said, for years now they have added more and more restrictions to address various scams. So far none of them had any effect, other than annoying users of legitimate apps, because all the new restrictions were on the <i>user side</i>. This new approach restricts <i>developers</i>, but is actually a complete non-issue for most, since the vast majority of apps is distributed via Google Play already.<p>In the section "Existing Measures Are Sufficient." your letter also mentions<p>> Developer signing certificates that establish software provenance<p>without any explanation of how that would be the case. With the current system, yes, every app has to be signed. But that's it. There's no certificate chain required, no CA-checks are performed and self-signed certificates are accepted without issue. How is that supposed to establish any form of provenance?<p>If you really think there is a better solution to this, I would suggest you propose some viable alternative. So far all I've heard for the opponents of this change is, either "everything is fine" or "this is not the way", while conveniently ignoring the fact that there is an actual problem that needs a solution.<p>That said, I <i>do</i> generally agree, with you that mandatory verification for *all* apps would be overkill. But that is not what Google has announced in their latest blog posts. Yes, the flow to disable verification and the exemptions for hobbyists and students are just vague promises for now. But the public timeline (<a href="https://developer.android.com/developer-verification#timeline" rel="nofollow">https://developer.android.com/developer-verification#timelin...</a>) states developer verification will be generally available in March 2026. Why publish this letter now and not wait a few weeks so we can see what Google actually is planning before getting everybody outraged about it?
Developer registration doesn't prevent this problem. Stolen ID can be found for a lot less money than what a day in a scam farm's operation will bring in. A criminal with access to Google can sign and deploy a new version of their scam app every hour of the day if they wish.<p>The problem lies in (technical) literacy, to some extent people's natural tendency to trust what others are telling them, the incompetence of investigative powers, and the unwillingness of certain countries to shut down scam farms and human trafficking.<p>My bank's app refuses to operate when I'm on the phone. It also refuses to operate when anything is remotely controlling the phone. There's nothing a banking app can do against vulnerable phones rooted by malware (other than force to operate when phones are too vulnerable according to whatever threshold you decide on so there's nothing to root) but I feel like the countries where banks and police are putting the blame on Google are taking the easy way out.<p>Scammers will find a way around these restrictions in days and everyone else is left worse off.
My guess is that Android 17 will show the registered name of the developer of the app you're trying to install. With stolen IDs you can only get accounts for individual developers not for organisations.<p>When a scammer pretending to be your bank tells you to install an app for verification and it says "This app was created by John Smith" even grandma will get suspicious and ask why it doesn't show the bank's name.
> Stolen ID can be found for a lot less money than what a day in a scam farm's operation will bring in.<p>Well, in that case, Google has an easy escalation path that they already use for Google Business Listings: They send you a physical card, in the mail, with a code, to the address listed. If this turns out to be a real problem at scale, the patch is barely an inconvenience.
So they'll have a lead time building up a set of verified developers. These scams are pulled by organized crime syndicates, using human trafficking and beatings to keep their call centers manned with complicit workers.<p>Now they'll need to pay off a local mailman to give them all of Google's letters with an address in an area they control so they can register a town's worth of addresses, big whoop. It'll cost them a bit more than the registration fee, but I doubt it'll be enough to solve the problem.
> Now they'll need to pay off a local mailman to give them all of Google's letters with an address in an area they control so they can register a town's worth of addresses, big whoop. It'll cost them a bit more than the registration fee, but I doubt it'll be enough to solve the problem.<p>Yeah, this is a huge amount more work than, like, nothing.
If you can "coach someone to ignore standard security warnings", you can coach them to give you the two-factor authentication codes, or any number of other approaches to phishing.
Installing an app that silently intercepts SMS/MMS data is a persistent technical compromise. Once the app is there, the attacker has ongoing access.<p>In contrast, convincing someone to read an OTP over the phone is a one-time manual bypass. To use your logic..<p>A insalled app - Like a hidden camera in a room.<p>Social engineering over phone - Like convincing someone to leave the door unlocked once.
> Installing an app that silently intercepts SMS/MMS data is a persistent technical compromise. Once the app is there, the attacker has ongoing access.<p>The motivating example as described involves "giving the scammer everything they need to drain the account". Once they've drained the account, they don't need ongoing access.
Persistence allows the scammer free license to attempt password recoveries for every account the victim could possibly have. Other banks, retirement accounts, the victim's email account.
When the victim's relatives send them money because they need to eat and pay rent after handing everything over to the scammer, the persistent backdoor lets that money be drained as well... You're underestimating the persistence and ruthlessness of the scammers.
This is still not a root cause solution, it's just a mitigation. Because you do not require side loading to install malware. The play store and apple app store both contain malware, as well as apps which can be used for nefarious purposes, such as remote desktop.<p>A root cause solution is proper sandboxing. Google and apple will not do this, because they rely on applications have far too much access to make their money.<p>One of the fundamentals of security is that applications should use the minimum data and access they need to operate. Apple and Google break this with every piece of software they make. The disease is spreading from the inside out. Putting a shitty lotion on top won't fix this.
>The play store and apple app store both contain malware<p>Wow, that a major claim. What apps are malware, exactly?<p>>This is still not a root cause solution, it's just a mitigation.<p>Requiring signed apps solves the issue though, as it provides identification of whoever is running the scam and a method for remuneration or prosecution.
> Wow, that a major claim. What apps are malware, exactly?<p>I don't understand how this is a major claim at all, it should be obvious. All repositories of large enough sizes contain malware because malware doesn't declare itself as malware.<p>This is exacerbated by the fact the Google Play Store and Apple App Store allow closed-source applications. It's much easier to validate behavior on things like the Debian repos, where maintainers can, and do, audit the source code.<p>Google does not have a magic "is this malware" algorithm, that doesn't exist. They rely on heuristics and things like asking the authors "hey is this malware". As you can imagine, this isn't very effective. They don't even install and test the apps fully. Not that it matters much, obviously malware can easily change it's behavior to not be detectable from the end-user just running the app.<p>> Requiring signed apps solves the issue though, as it provides identification of whoever is running the scam and a method for remuneration or prosecution.<p>It doesn't, for three reasons:<p>1. Identifying an app doesn't magically make it not malware. I can tell you "hey I made this app" and you still have zero idea if it's malware. This is still a post mitigation. Meaning, if we somehow know an app is malware, we can find out who wrote it. It doesn't do the "is this malware" part of the mitigation, which is the most important part.<p>2. Bad actors typically have little allegiance to ethics, meaning they typically will not be honest about their identity. There are criminal organizations which operate in meatspace and fake their identities, which is 1000x harder than doing it online. Most malware will not have a legitimate identity tacked to it.<p>3. Bad actors typically come from countries which don't prosecute them as hard. So, even if you find out if something is malware, and then find out the actual people behind it, you typically can't prosecute them. Even large online services like the Silk Road lasted for a long time, and most likely still do exist, even despite the literal US federal government trying to stop them.
> Installing an app that silently intercepts SMS/MMS data is a persistent technical compromise.<p>Why would an app silently intercepts SMS/MMS data ?
Why does an app needs network access ?<p>Running untrusted code in your browser is also "a persistent technical compromise" but nobody seems to care.
The 2-factor SMS messages usually say: "Do not give this code to anyone! The bank will NEVER ask you for this code!".<p>The sideloading warning is much much milder, something like "are you sure you want to install this?".
You'll then get <i>more</i> warnings if you want to give the sideloaded app additional permissions. And if they want to make the sideloading warnings more dire, that wouldn't be nearly as unreasonable.
the main issue is the bank using sms and OTP apps instead of something like passkeys and mandatory in bank setup.
> The bank will NEVER ask you for this code!<p>> Please enter the code we sent you in the app.<p>lol, lmao even
The phisher’s app or login would be from a completely new device though.<p>Passkeys are also an active area to defeat phishing as long as the device is not compromised. To the extent there is attestation, passkeys also create very critical posts about locking down devices.<p>Given what I see in scams, I think too much is put on the user as it is. The anti-phishing training and such try to blame somebody downward in the hierarchy instead of fixing the systems. For example, spear-phishing scams of home down payments or business accounts work through banks in the US not tying account numbers to payee identity. The real issue is that the US payment system is utterly backward without confirmation of payee (I.e. giving the human readable actual name of recipient account in the banking app). For wire transfers or ACH Credit in the US, commercial customers are basically expected to play detective to make sure new account numbers are legit.<p>As I understand it, sideloading apps can overcome that payee legal name display in other countries. So the question for both sideloading and passkeys is if we want banks liable for correctly showing the actual payee for such transfers. To the extent they are liable, they will need to trust the app’s environment and the passkey.
Never ending worm approach is to get remote control via methods on android or apple. Then scam other contacts.
It’s built into FaceTime. Need 3rd party apps for android.
Does your logic extend to PCs? If not, why?<p>Because I hope you realize that clamping down on “sideloading” (read: installing unsigned software) on PCs is the next logical step. TPMs are already present on a large chunk of consumer PCs - they just need to be used.
You missed their point. They are not saying that what Google is doing is a good way to address the underlying problem Google says it is addressing.<p>They are saying that claiming the underlying problem is not real or not big enough to need addressing is an ineffective way to argue.
Of course it extends to PCs. It'd suck for us, but end users, software vendors, content providers, and service providers all benefit from a more restricted platform that can provide certain guarantees against malware, fraud, piracy, and so forth. It's pathologically programmer-brained to assume that the good old days of being able to run arbitrary code on a networked computing device would last forever. That freedom must be balanced against the interests of the rest of society to avoid risk from certain kinds of harm which can easily proliferate in an environment where any program can run with the full authority of the owner and malware spreads willy-nilly.
The "programmer-brained" assumption is that I will be able to write any program and run it on my machine and that this ability isn't reserved for only me or some limited class of people and that I can share what I write with others. One big plus of the current stye of AI will be that "end users" will be able to write simple programs and will value this ability. Thus helping protect general purpose computing from this bit of evil for a while longer.
Exactly. I own a few dozen computers, if you count some low powered SBCs. But even those can run lightweight Linux.<p>That’s enough for me to distribute a few freedom devices to friends and neighbors, and still have extras to account for normal failures.<p>I also hoard source code, and will happily distribute that with the computers! Maybe that’s “programmer brained,” if so then fine by me!
Users get way more out of it when the device is free. Even if they don't use this option, it makes it easier to set up competing services. This includes ones that would never be allowed in an official store because they're DRM-free alternatives to big streaming services but still offer all the same content. The existence of such alternatives, if they are easy to use, can force the big services to become more user-friendly. Just as happened back then with Napster.<p>Also every user is free to simply not use the option of installing things outside of the store.
> This includes ones that would never be allowed in an official store because they're DRM-free alternatives to big streaming services but still offer all the same content.<p>Do you know <i>anyone</i> who works in a professional creative field that doesn't involve writing code? If so, ask them how they'd feel about their work bring out there on the internet free to all takers. What the implications would be for their ability to feed their children and pay their mortgage doing the things they love.<p>This is what I mean by "programmer-brained." Of all creative workers, only programmers seem okay with abolishing IP laws, I guess because they figure they'll be okay living out of an office at MIT, or even worse out of an office at some YC startup that turns the user into the product. But artists, musicians, writers, filmmakers, etc. all put food on the table because of those IP laws programmers hate so much. Taking that protection for the fruit of your labor away would be at least as disruptive as AI has been.
Obviously I disagree completely. But it is still sad to see this kind of reasoning on HN of all places :(
> That freedom must be balanced against the interests of the rest of society to avoid risk from certain kinds of harm which can easily proliferate in an environment where any program can run with the full authority of the owner and malware spreads willy-nilly.<p>No, no, a thousand times no. This is an argument for authoritarian clampdown on general computing and must be opposed by all means necessary. I have the right to run whatever code I wish on my own damn property without the permission of arbitrary authorities or whatever subset of <i>society</i> you favor, and if you or they have a problem with this, you or they can proceed to pound sand.
>I agree that mandatory developer registration feels too heavy handed, but I think the community needs a better response to this problem than "nuh uh, everything's fine as it is."<p>OK, so instead of educating stupid (or overly naive) people, we implement "protections" to limit any and all people to do useful things with their devices? And as a "side effect" force them to use "our" app store only? Something doesn't smell that good here …<p>How about a less drastic measure, like imposing a serious delay for "side loading" … let's say I'd to tell my phone that I want to install F-Droid and then would have to wait for some hours before the installation is possible? While using the device as usual, of course.<p>The count down could be combined with optional tutorials to teach people to contact their bank by phone meanwhile. Or whatever small printed tips might appear suitable.
There simply isn't a known solution to this problem. If you give users the ability to install unverified apps, then bad actors can trick them into installing bad ones that steal their auth codes and whatnot. If you want to disallow certain apps then you have to make decisions about what apps (stores) are "blessed" and what criteria are used to make those distinctions, necessarily restricting what users can do with their own devices.<p>You can go a softer route of requiring some complicated mechanism of "unlocking" your phone before you can install unverified apps - but by definition that mechanism needs to be <i>more</i> complicated then even a guided (by a scammer) normal non-technical user can manage. So you've essentially made it impossible for normies to install non-playstore apps and thus also made all other app stores irrelevant for the most part.<p>The scamming issue is real, but the proposed solutions seem worse then the disease, at least to me.
> There simply isn't a known solution to this problem. If you give users the ability to install unverified apps, then bad actors can trick them into installing bad ones that steal their auth codes and whatnot.<p>This is also true if they can only install verified apps, because no company on earth has the resources to have an actually functional verification process and stuff gets through every day.
> This is also true if they can only install verified apps, because no company on earth has the resources to have an actually functional verification process and stuff gets through every day.<p>This is true, but if this goes through, I imagine that the next step for safety fascists will be to require developer licensing and insurance like general contractors have. And after that, expensive audits, etc, until independent developers are shut out completely.
The solution would be a "noob mode" that disables sideloading and other security-critical features, which can be chosen when the device is first turned on and requires a factory reset to deactivate. People who still choose expert mode even though they are beginners would then only have themselves to blame.
We know how to do hardware-bound phishing-resistant credentials now, it <i>is</i> a solved problem.
I'm going to assume you're referring to auth codes, especially the ones sent via SMS? In which case yes, banks should definitely stop using those but that alone doesn't solve the overarching issue.<p>The next step is simply that the scammer modifies the official bank app, adds a backdoor to it, and convinces the victim to install that app and login with it. No hardware-bound credentials are going to help you with that, the only fix is attestation, which brings you back to the aformentioned issue of blessed apps.
I like the idea of requiring extra work to get notification access. But really what all these scams pray on are time sensitivity, take that away and you solve the problem in many ways. For example, your bank shouldn't let you drain your account without either being in person or having a mandatory 24hr waiting period. Same could be done with side loaded apps getting notifications, if it's side loaded and wants to read notifications, then it needs to wait 24 hrs. Mostly it won't ever matter.<p>Alternatively reading notifications could be opt in per app, so the reading app needs to have permission to read your SMS message app notifications, or your bank notifications, that would not be as full proof as that requires some tech literacy to understand.
>A related approach might be mandatory developer registration for certain extremely sensitive permissions, like intercepting notifications/SMSes...? Or requiring an expensive "extended validation" certificate for developers who choose not to register...?<p>I think my overriding concern is not nuking F-Droid. I actually think that's a great solution and, interestingly, F-Droid apps already don't use significant permissions (or often use any permissions!) so that might work. Also it would be good if perhaps F-Droid itself could earn a trusted distributor status if there's a way to do that.<p>Or a marriage of the two, F-Droid can jump through some hoops to be a trusted distributor of apps that don't use certain critical permissions.<p>I think there have to be ways of creatively addressing the issue that don't involve nuking a non-evil app distribution option.
> community needs a better response to this problem than "nuh uh, everything's fine as it is."<p>You can also cut yourself with a kitchen knife but nobody proposes banning kitchen knives. Google and the state are not your nannies.
><i>You can also cut yourself with a kitchen knife but nobody proposes banning kitchen knives.</i><p>oh nice, i love this game.<p>you cant carry a kitchen knife that is too long, you cant carry your kitchen knife into a school, you cant brandish your kitchen knife at police, you cant let a small child run around with a kitchen knife...<p>literally most of what "the state" does is be a "nanny"<p>(not agreeing or disagreeing with google here, i have no horse in this particular race. but this little knife quip is silly when you think about it for more than 5 seconds)
In this example we still don't require you to register with anyone to buy a knife, get the blessing of some institution to sell knives, or, as in this case, get a certification before you can start making knives.
its crazy that different things, like knives and app stores, have different rules. maybe thats why the quip about the knife sounded super cool but fell apart as an analogy for this scenario when thought about for more than 5 seconds?<p>the point of my comment was that the state <i>does</i> implement a lot of rules (read: "is a nanny"), despite the claim otherwise.
I think it's important to consider the intent of those laws, too. They are primarily or even exclusively to prevent you from hurting others with knives. They are not really intended to protect you from cutting yourself in your own home. So I think the parent's comment still holds weight.
All of these rules, and yet people still cut themselves and others.
<i>you cant buy a kitchen knife that is too long</i><p>What?
sorry, should say "carry", not "buy". most states have a maximum length you can carry (4-5.5 inches is common).<p>although, i would imagine at some length, it becomes a "sword" (even if marketed as a knife) and falls under some other "nanny"-ing. i have not googled that.
Long knives in the UK are like full auto guns in the rest of the world.
> In Google's announcement in Nov 2025, they articulated a pretty clear attack vector. <a href="https://android-developers.googleblog.com/2025/11/android-de" rel="nofollow">https://android-developers.googleblog.com/2025/11/android-de</a>...<p>This reeks of "think of the children^Wscammed". I mean, following this principle the only solution is to completely remove any form of sideloading and have just one single Google approved store because security.<p>> A related approach might be mandatory developer registration for certain extremely sensitive permissions, like intercepting notifications/SMSes...? O<p>It doesn't work like that. What they mean with "mandatory developer registration" is what Google already does if you want to start as a developer in Play Store. Pay 25$ one-time fee with a credit card and upload your passport copy to some (3rd-party?) ID verification service. [1]
In contrast with F-Droid where you just need a GitLab user to open a merge request in the fdroid-data repository and submit your app, which they scan for malware and compile from source in their build server.<p>[1] but I guess there are plenty of ways to fool Google anyway even with that, if you are a real scammer.
That attack vector is just a symptom. It’s unfathomably foolish to use two-factor authentication via something as easy to intercept as SMS. Two-factor authentication should be done using a separate hardware token that generates time-based one-time codes. Anything else is basically security theater.
the whack-a-mole problem is real but mandatory registration doesn't actually fix it for sophisticated actors -- they'll just use burner entities or buy aged developer accounts. it mostly raises costs for hobbyists and side projects. the permission-gating approach dfabulich mentions (require registration only for notification/SMS interception APIs) seems more targeted.
There will _always_ be a need to balance between safety and the cost of adding more safety. There is no point at which safety is complete; there is always more that can be done, but the cost gets higher and higher.<p>So yes, "its fine the way it is" _is_ valid; but the meaning it "we're at a good point in the balance, any more cost is too much given the gains it generates"
> I think the community needs a better response to this problem than "nuh uh, everything's fine as it is."<p>People choosing between the smartphone ecosystems already have a choice between the safety of a walled garden and the freedom to do anything you like, including shooting yourself in the foot.<p>You don't spend a decade driving other "user freedom" focused ecosystems out of the marketplace, only to yank those supposed freedoms away from the userbase that intentionally chose freedom over safety.
How about.<p>"I am responsible for my own actions" mode.<p>You click that, the phone switches into a separate user space. Securenet is disabled, which is what most financial apps rely on.<p>Then you can install all the fun stuff you want.<p>This is really a matter of Google not sandboxing stuff right. Why the hell does App A need access to data or notifications from App B.
> Why the hell does App A need access to data or notifications from App B.<p>Advertising networks. Just like how you see crap like a metronome app have a laundry list of permissions that it doesn’t need. Some cases they are just scammy data harvesters, but in other cases it’s the ad networks that are actually demanding those permissions.<p>Google won’t sandbox properly because it’s against their direct business interest for them to do so. Google’s Android is adware, and that is the fundamental problem.
The new "Terminal" app might eventually evolve into something like that.
This mode already exists. It's called "Install LineageOS".
> the malware captures their two-factor authentication codes<p>Aren't we supposed to have sandboxing to prevent this kind of thing? If the malware relies on exploiting n-days on unpatched OSes, they could bypass the sideloading restrictions too.
Codes arrive via SMS, which is available to all apps with the READ_SMS permission. This isn't an OS vuln. It is a property of the fact that SMS messages are delivered to a phone number and not an app.<p>On the Play store there is a bunch of annoying checking for apps that request READ_SMS to prevent this very thing. Off Play such defense is impossible.
The main problem here is the banks relying on an untrusted device as second factor.<p>Only immutable devices should be allowed as second factor.
Maybe we should take away peoples' phone calls, ability to use knives, walking on the street, swimming in water, drinking liquids of any kinds, alcohol, trains, while we are at it.
I think there's room to raise the bar of required tech competency without registration.<p>Manually installing an app might be close to the limit of what grandma can be coached through by an impatient scammer.<p>Multiple steps over adb, challenges that can't be copy and pasted in a script, etc. It can be done but it won't provide as much control over end user devices.
> In Google's announcement in Nov 2025, they articulated a pretty clear attack vector.<p>If you can be convinced by this, you can be convinced by anything. What if the scammer uses "fear and urgency" to make the person log onto their bank account and transfer the funds to the scammer?<p>If you can convince people to install new apps through "fear and urgency," especially with how annoying it often is to do outside of the blessed google-owned flow (and they're free to make it more annoying without taking this step), that person can be convinced of anything.<p>> I agree that mandatory developer registration feels too heavy handed, but I think the community needs a better response to this problem than "nuh uh, everything's fine as it is."<p>There's no other "solution" other than control by an authority that you totally trust if your "threat" is that a user will be able to install arbitrary apps.<p>The manufacturer, service provider, and google, of course, won't be held to any standard or regulations; they just get trusted because they own your device and its OS and you're already getting covertly screwed and surveilled by them. Google is a scammer constantly trying to exfiltrate information from my phone and my life in order to make money. The funny thing is that they are only pretending to defend me from their competition - they're not threatened by those small-timers - they're actually "defending" me from apps that I can use to replace their own backdoors. Their threat is that they might not know my location at all times, or all of my contacts, or be able to tax anyone who wants access to me.
I don’t want to be too flippant, but I think there is a real trade off across many aspects of life between “freedom” and “safety”.<p>There is a point at which people have to think critically about what they are doing. We, as a society, should do our best to protect the vulnerable (elderly, mentally disabled, etc) but we must draw the line somewhere.<p>It’s the same thing in the outside world too - otherwise we could make compelling arguments about removing the right to drive cars, for example, due to all the traffic accidents (instead we add measures like seatbelts as a compromise, knowing it will never totally solve the issue).
Google's announcement is just trolling, there's an order of magnitude more scams on the Play store and they don't call for its closure.<p>Right now when I search for "ChatGPT", the top app is a counterfeit app with a fake logo, is it really this store which is supposed to help us fight scams?
> Right now when I search for "ChatGPT", the top app is a counterfeit app with a fake logo, is it really this store which is supposed to help us fight scams?<p>Just did Play search for "ChatGPT" and the top-2 results were for OpenAI's app (one result was sponsored by OpenAI one result was from Google's search). So anecdotally your results may vary.
Agree with this middle path you point out. On one hand, I do not want some apps to be distributed anonymously, I need to know who is behind it in order to trust the app. On the other hand, many apps are benign.<p>Permissions are a great way to distinguish.
Do you need <i>Google</i> to compel the author to start a business relationship with them, which they can cut off at any time?<p>Or would you be OK knowing that Thunderbird you downloaded from <a href="https://thunderbird.net/" rel="nofollow">https://thunderbird.net/</a> is signed by the thunderbird.net certificate owner?
Typo squatting is a thing, and so are Unicode homographs.<p>The permissions approach isn't bad. I may trust Thunderbird for some things, but permission to read SMS and notifications is permission to bypass SMS 2FA for every <i>other</i> account using that phone number. It deserves a special gate that's very hard for a scammer to pass. The exact nature of the gate can be reasonably debated.
Something like Thunderbird <i>might</i> be an exception, but also domain confusion exists, so in the general case, most likely not because most users are susceptible to this.
should I be confident that thunderbird.net is the real one, or could it be hosted at thunderbird.org, thunderbird.com, or thunderbird.mozilla.org?
> standard security warnings<p>Make the warning a full screen overlay with a button to call local police then.<p>(Seriously)<p>"but local police won't treat that seriously..." "the victim will be coached to ignore even that..." well no shit then you have a bigger problem which isn't for google to fix.
> but I think the community needs a better response<p>The community <i>does not</i> need to do that. Installing software on my device should not require identification to be uploaded to a third party beforehand.<p>We're getting into dystopian levels of compliance here because grandma and grandpa are incapable of detecting a scam. I sympathize, not everyone is in their peak mental state at all times, but this seems like a problem for the bank to solve, not Android.
You can’t even win with adding more scare screens because as soon as Epic isn’t allowed to bypass the scare screens, they’ll sue you.<p>Just like they went after Samsung for adding friction to the sideload workflow to warn people against scams.<p><a href="https://www.macrumors.com/2024/09/30/epic-games-sues-samsung-google/" rel="nofollow">https://www.macrumors.com/2024/09/30/epic-games-sues-samsung...</a>
I agree with Epic. It should be like on windows or macOS where you can register, get notarized, and then distribute without scare screens. I don’t see why phones are inherently different than computers.