COMMENT PAGE FOR:
A theoretical way to circumvent Android developer verification
jchw wrote 18 hours 56 min ago:
The more I think about all of this nonsense, the more I wonder if
Google's entire goal with this is actually to kill ReVanced, of all
things.
codethief wrote 19 hours 36 min ago:
> So an apk may just load some zip/apk/dex code from external storage
and execute it in current context.
Wouldn't this break all kinds of things, like app sandboxing, the
permission system, app intents, …
iggldiggl wrote 14 hours 55 min ago:
… launcher shortcuts, launcher widgets, storage management,
multi-process set-ups or even services (those need to be declared
statically in the manifest), so yeah it would.
So interesting as a fun exercise, but not really useful for probably
quite a few apps.
SiDevesh wrote 22 hours 41 min ago:
Isn't a better solution here to build an app that signs unsigned apks
with the end user's self provided signature?
thr0w4w4y1337 wrote 23 hours 8 min ago:
LlamaLab's Automate has a non-root privileged service via network adb
service. Would it be possible to simplify app installation via adb the
same way? An app that reads apk, sends it over pre-paired ADB. Sounds
like a much simpler solution.
sleirsgoevy wrote 23 hours 53 min ago:
What about this idea? Make a movement among the devs who are willing to
distribute "legitimately" (via Google Play or "authorized" sideload),
to sign their apps with intentionally insecure private key. Then some
community will just mine up these certificates in already published
apps and publish them somewhere on GitHub.
VladStanimir wrote 1 day ago:
I am not an app developer however from what I read on the android
developer site you just need to provide some form of id, the signing
key and the app id.
You don't have to distribute via the app store, you don't have to get
Google's permission to publish the app or have them sign it.
This looks like purely app validation, we only run apps we can prove
originate from the author.
m-p-3 wrote 18 hours 37 min ago:
So if Google doesn't like the app in question (such as ReVanced,
NewPipe, etc), they can simply target that signing key to completely
disable the app on all devices, even if it's not distributed by them.
Having the file signed by a relatively centralized authority makes it
much easier for Google to gain control outside of their realm.
huem0n wrote 23 hours 15 min ago:
Under that logic, even if the app is "malicious" it would still be
possible to install it. And that's not true, if something is deemed
malicious, it's blocked. Is an app that hurts Google's dominance
"malicious"? Who is it that decides what is malicious?
Permik wrote 1 day ago:
This is actually a non-issue with tons of unnecessary fear mongering
going around, see my comment here:
[1]: https://github.com/enaix/apk-loader/issues/1
baby_souffle wrote 13 hours 31 min ago:
The OP addressed this: `adb` works ... *for now*. Other than google's
pinky promise, what assurance do we have that adb will continue to
work in a year or five?
charcircuit wrote 4 hours 3 min ago:
The settings app lets you disable package verifiers for adb
installs. The settings app is part of the operating system and can
not be updated via the play store. This means that Google can not
update the settings app.
charcircuit wrote 1 day ago:
>Google assures that it would be possible to install applications
locally using ADB, but there are no details on this
It's going to be the same as Play Protect using the PackageVerifier
API. Even if you won't trust that Play Protect will continue to allow adb
installs, if you go to the developer options you can disable package
verifiers for adb installs.
>the concept
This would not really work considering you can't do a lot of things at
runtime. You can't create activities, you can't create services, you
can't declare permissions, you can't use permissions, etc. Pretty much
everything in your manifest can't be done properly. You can't really do
a job faking it. You would have to declare a ton of dummy activities
with all different permutations of things like launch mode, document
launch mode, intent filters, etc.
What you can do are things like game engines like how the android godot
editor works where you aren't loading full android apps, but projects
into the editor.
nacozarina wrote 1 day ago:
yeah, googs can get rekt, I'm not even
fifticon wrote 1 day ago:
these holes will be closed and turning into flaming jumping hoops, so
this is not viable. fight the people designing the game.
whatshisface wrote 1 day ago:
>My vision of the hack is to distribute a verified loader apk, which in
turn dynamically loads any apk the user wants. A user obtains the
loader apk once and loads apps without installing as much as they want.
Google's not going to let you keep your signing key if you do this with
it.
numpad0 wrote 1 day ago:
> My vision of the hack is to distribute a verified loader apk, which
in turn dynamically loads any apk the user wants.
Right back to Symbian signed AppTRK and rolling back hardware clocks.
Great.
Telaneo wrote 1 day ago:
While neat, it glosses over the actual problem, while maybe not even
solving it (depending on what you deem the problem to be in the first
place). It solved the immediate problem today, but not in a way that's
going to remain solved.
I'd imagine Google would plug any major holes in their soon to be
closed garden, assuming that is their intention. So this and any other
fix to the problem of 'install app through not-Google Play' that goes
via technical means that Google can just cover up after a month or two
doesn't actually move the needle any meaningful amount.
In the same vein, using adb isn't a real solution to that same problem
for most people, since having to use adb is a massive jump in required
effort that's going to leave all the normies behind, with only the
super-dedicated willing to go through the hassle, and an equivalent
amount of developer effort is going to be left behind as well, since
their audience just got decimated, and they themselves might not even
bother to develop something that even their dad or sister is going to
bother/be able to install. Anything that's much more complicated than
'go to website, download thing, run thing, click your way through'
doesn't solve for this.
The actual problem is to have Google not be knobheads about it, and the
only way that's realistically going to happen is through the law, but
that's not looking all that likely in my view.
fsmv wrote 1 day ago:
Just use adb. You can do adb wifi on device. You don't have to
distribute a signed apk just sign it fresh on device.
Retr0id wrote 1 day ago:
This is the way. You can also do adb-over-webusb with a second
device.
Permik wrote 1 day ago:
With apps like Shizuku you can do the whole nine yards all locally
untethered with one device :)
ianbutler wrote 1 day ago:
I think this means we need to rely on web technologies more. PWAs are
looking pretty good on mobile devices these days and you can publish
any web app you want with no reviewing authority. The web has a bunch
of crazy APIs now that let you build crazy things and for everything
else you're a hosted server away somewhere that can run more complex
jobs.
I believe devices I own should let me do whatever I want with them and
I agree that the verification is BS, but I'll work around it in the
ways I can which means building more for the web.
If that ever drops the open pretense (since both traffic and trust
authority are largely centralized and thus easily controllable) then
I'll only write for self hosted linux boxes.
We as individuals can only do so much. We'd need actual organization
and some measure of political power to do anything more since normal
people do not care about this.
srcreigh wrote 16 hours 34 min ago:
This is harmful speculation. Many PWA features are broken in small
ways which add up. The caniuse database does not test that a PWA
feature meets the spec and there is no better database. Nobody can
say that PWAs are "looking good" without such testing.
morshu9001 wrote 18 hours 46 min ago:
PWAs are at the mercy of Gapple and have always been handicapped in just
the right places to not be viable vs installed apps. Most people
don't even know how to install one.
ianbutler wrote 17 hours 30 min ago:
Yeah but as I understand it Apple has become a lot more progressive
on PWAs in the last few years. I'm under the impression they're
viable
rs186 wrote 1 day ago:
Bad news for you, Google happens to have a tight grip on the entire
web ecosystem -- browser, search, ads etc.
ianbutler wrote 1 day ago:
I obviously understand this and mentioned as much indirectly in the
post. You can only do so much and the web is still more open than
Android is about to be so again, you do what you can.
nine_k wrote 1 day ago:
You need native apps to access specific hardware, and to run some
native code. WASM may help but it's limited, too.
Jaxan wrote 1 day ago:
How many apps rely on specific hardware or native code though? I
can only think of my banking apps when using nfc.
Wowfunhappy wrote 1 day ago:
I thought Brent Simmons did a great job laying out why PWAs don't
work: [1] The tl;dr is that a PWA implies an app which is based in
the cloud. So suddenly you need a server, and you need to store user
data, which means costs and dealing with privacy and security.
[1]: https://inessential.com/2025/10/04/why-netnewswire-is-not-we...
Jaxan wrote 1 day ago:
Basically every native app has a server behind it to harvest user
data nowadays. So I don't think it's an argument for why PWAs
won't work.
Wowfunhappy wrote 1 day ago:
If the app is made by a company, sure.
It seems to me that, ironically, PWAs are uniquely ill-suited for
the type of non-corporate software where distribution outside
mainstream channels makes the most sense.
charcircuit wrote 1 day ago:
Practically you are going to have a server distribute a native
application anyways.
poisonborz wrote 22 hours 50 min ago:
Not the developer. This is all additional complexity and less
privacy for the user.
twixstar wrote 1 day ago:
I read the article, and I'm pretty certain he's talking about a
traditional web application. When we speak of PWAs we're thinking
of a set of APIs that let a web app behave like a native
application. i.e 'installation' + service workers, background sync,
IndexedDB/FileSystem etc. You could probably make a self-sufficient
RSS reader with what's available.
teraflop wrote 1 day ago:
That explanation doesn't really make sense to me.
If something could be built as a native app without depending on a
central server, it could also be built as a PWA without a central
server. You don't need to store user data centrally at all, just
because it's a webapp. You can just have the clients use
localStorage or IndexedDB or whatever.
You still have to host the static files for the webapp itself, but
that can be made very cheap.
Of course, API feature parity between native and web apps is a
separate issue. But the argument about server costs doesn't seem
like a good one.
Wowfunhappy wrote 1 day ago:
Isn't localStorage limited to 5 MB of data?
koiueo wrote 1 day ago:
IndexedDB API is a bit more liberal in that regard
porridgeraisin wrote 1 day ago:
Yeah, better is the filesystem API
teraflop wrote 1 day ago:
Sure, but localStorage isn't really ideal for storing large
objects anyway, because it forces everything to be stored in
one big string-to-string map. It's great for small amounts of
data such as user preferences.
There are other APIs that allow you to store binary data
directly (which you'll probably want if you're storing large
files) and also to use/request larger quotas.
userbinator wrote 1 day ago:
Or you could just tell everyone out there that there are already tons
of older Android devices which will never get any of these hostile
updates, and if you're a developer, make sure your app runs on those
older versions. Spread the word about how hostile the newer devices
are, and let the lazy masses do what they're best at doing. Of course
there will always be rabid bootlickers who will gladly pay to put
Google's noose around their necks, but if they become the minority, and
the majority just stops upgrading, it could very effectively pull
control of Android away from Google. Giving everyone yet another reason
to not upgrade, especially given the huge Android marketshare in poorer
countries, could become a powerful force.
blueg3 wrote 1 day ago:
If this is an acceptable solution, just run a modern uncertified
Android instead.
Random09 wrote 1 day ago:
Good luck with unsecure phone
This is clearly a bad idea.
Aeglaecia wrote 1 day ago:
I thought Google was going to push this as an update to Play Services,
thus affecting all models
immibis wrote 1 day ago:
I'm already banned from publishing Android apps through Google, but
apart from that, what would stop me making a server you can upload any
app to and sign it with my certificate?
maxloh wrote 1 day ago:
That could actually be done solely on the device. You can develop an
app to sign arbitrary APKs with users' own hobbyist certificate.
Lucky Patcher has done that for a decade.
sleirsgoevy wrote 23 hours 56 min ago:
Making every user to "verify" themselves with a government ID is a
no-go, because government IDs are no more trustworthy than a toilet
paper.
immibis wrote 1 day ago:
I could even just give out my certificate and private key (if I'm
allowed to have one). It's not like I need it to be private. Google
would probably blacklist the certificate and then we get to sue
Google based on the fact they said doing this would allow the app
to work, but they didn't follow through with what they said.
bitwize wrote 1 day ago:
> My vision of the hack is to distribute a verified loader apk, which
in turn dynamically loads any apk the user wants. A user obtains the
loader apk once and loads apps without installing as much as they want.
And a day after you release, Google will say "Oh no you don't" and
unverify your app, preventing it from being installed or run. Which is
you know, kind of the point of this maneuver.
Gander5739 wrote 1 day ago:
Doesn't [1] already handle this, and also support Xposed on top?
[1]: https://github.com/Katana-Official/SPatch-Update
cyberax wrote 1 day ago:
This "attack" is not even theoretical. Android apps can just download
arbitrary binary code, mprotect(PROT_MAYEXEC) some area in RAM, link
the code there, and run it.
Google will simply revoke the keys for the "loader" APK. But that's
fine for malware, its authors will just use the next stolen credit card
to register a new account.
That's also why this has nothing to do with security.
clueless wrote 1 day ago:
what does it really have to do with?
baby_souffle wrote 13 hours 29 min ago:
> what does it really have to do with?
Giving google control over what code runs on $device regardless of
how that code got onto the device.
A revoked key doesn't care about how the APK got there...
andrewcchen wrote 1 day ago:
So like LiveContainer[1] which works around ios's signing requirements
[1]: https://github.com/LiveContainer/LiveContainer
IgorPartola wrote 1 day ago:
Whoa that is neat! How does that not get shut down by Apple?
Wowfunhappy wrote 1 day ago:
They don't allow it in the app store, so you have a chicken-and-egg
problem...
zzrrt wrote 15 hours 31 min ago:
It works with AltStore or SideStore.
Wowfunhappy wrote 13 hours 22 min ago:
So you have to either live in the EU or have a helper app
constantly running on a PC on your network…
p1mrx wrote 1 day ago:
I suggested this a couple months ago: [1] Android may ultimately win
the arms race, but if they want to be evil, we should make their task
as tedious as possible.
[1]: https://news.ycombinator.com/item?id=45084296
neuroelectron wrote 1 day ago:
Google doesn't need to make an argument to ban apps or developers.
zb3 wrote 1 day ago:
Well, I'd rather verify myself with the government identity than accept
a stock OS that literally woke me up with a fake message promoting
Gemini despite me spending almost 2 hours turning every possible
privacy-invasive setting off.
To me, the attention to these verification changes seems misplaced. We
need to defend the ability to unlock the bootloader, pressure Google to
revive AOSP and then encourage people to switch to a more user-friendly
OS.
You're already unable to install what you want on a stock OS due to
Android permission model treating you as a third-class citizen, after
Google and OEMs.
sleirsgoevy wrote 1 day ago:
The issue with government IDs is that they are, for all we know, not
trustworthy, but everyone treats them like they are. And you know, I
am not going to "verify" myself with Google with this kind of toilet
paperwork.
If Google decides to pull this off, then I guess reflashing to a
custom ROM with this crap patched out will be a very first step I'll
be recommending to anyone who cares.
zb3 wrote 14 hours 23 min ago:
It seems you missed my main point - the whole point is to fight for
this right to reflash a custom ROM, because they're slowly coming
for that too. First Play Integrity, now no AOSP releases and more
vendors disabling bootloader unlocking..
asimops wrote 1 day ago:
In my opinion, the only solution while keeping Google and Apple as
the developing entities is regulation.
Despite that, there are some things that should not be for profit in
my opinion. A good OS platform is one such thing.
cageface wrote 1 day ago:
I agree but I also think any meaningful regulation is off the table
for the next few years in the USA at least.
antiloper wrote 1 day ago:
This will not work because the goal of android developer verification
is to prevent running Google-sanctioned code. If you actually tried to
publish this, Google will revoke the signature on the loader APK.
NewJazz wrote 1 day ago:
Ah yes sanctioned. A word that has two opposite meanings.
layer8 wrote 1 day ago:
Contronyms are awesome, yet people are nonplussed.
t_mann wrote 1 day ago:
> verified loader apk, which in turn dynamically loads any apk the user
wants
Wasn't this kind of solution considered and sort of dismissed (because
of too much centralization iirc) by F-Droid (can't find the reference
now)? It seems like something that's worth trying, but in the end it's
just a band-aid. If it gets any traction Google will shut it down. The
real disease is dependence on a duopoly of (quasi)-proprietary OS for
the dominant computing platform of our time.
kevincox wrote 1 day ago:
I see a handful of problems.
1. The loader will just get banned.
2. The application ID and permissions are that of the loader. To have
different applications with separate data and permissions you would
need multiple copies of the loader.
3. You miss out on other android security features such as
application signing validation for updates.
asimops wrote 1 day ago:
While it is technically feasible, it is not a good idea to try and find
a technical solution to a people/organisation problem.
Do not accept the premise of assholes.
I hope we can get the EU to fund a truly open Android Fork. Maybe under
some organisation similar to NL Labs.
--- edit ---
Furthermore, the need for a trustworthy binary to be auditable to a
certain hash or something would make banning this a simple task if
Google would want to go that route.
Lindby wrote 21 hours 24 min ago:
It would be hard to find manufacturers to use it. None of the
existing Android phone manufacturers would be able to release phones
with this fork without also abandoning the official Android platform
on all markets. Google are very strict with this in their tos. You
cannot release devices using non official Android builds without
losing your right to use GMS and Android Brandice on your other
Android devices.
solarkraft wrote 1 hour 46 min ago:
This can also easily be framed as anticompetitive.
immibis wrote 1 day ago:
Technical things can affect people. Adversarial interoperability.
They're using a technical thing to cause a social thing anyway, and
fighting back with the same tactics is at least not surrendering.
StopDisinfo910 wrote 1 day ago:
I hope the EU actually enforces the DMA and forces Google and Apple
to stop their nonsense.
jezek2 wrote 13 hours 21 min ago:
Unfortunately DMA is the reason Google is doing this. It allowed
Apple to require notarization for "security". Google is just
copying the same approach as it's now clear what the requirements
by the governments are.
Before it was unclear so it was better to allow installation of
apps without any verification to appear as more open.
Remember any regulation/law has unintended consequences. At one
point Apple decided that PWAs would no longer be supported in EU so
they don't have to provide equal capabilities to implement them in
alternative web browsers, fortunately they changed their mind by
obtaining an exception. PWAs is the only alternative choice for
making "proper" apps on iOS (no hacky sideloading methods).
I think overall DMA is more a loss than a win (good on paper,
terrible in practice). It codified worse things. The EU app stores
are still fully controlled by Apple (harder to install, they can
just decline or drag notarization of any apps or revoke your
license to dev tools, you need to still pay them, etc.).
For various apps the EU market is too small (esp. for things that
need to be global) to invest into the development so while you can
for example theoretically develop a real alternative web browser to
Safari/WebKit (forbidden by App Store rules) nobody is willing to
do it.
ekianjo wrote 1 day ago:
> hope we can get the EU to fund a truly open Android Fork
The same EU that keeps pushing for breaking encryption and
chatcontrol? No thank you
TeMPOraL wrote 1 day ago:
> breaking encryption and chatcontrol
The two are not equivalent issues; the first one is ill-formed as
stated.
Cryptography is a tool of control. It's "dual-use", in the same
sense like a knife or nuclear fission is - its moral valence
depends on who is wielding it, and to what end.
In the context we're discussing, encryption is being used against
the people. Working encryption is in fact needed to make chat
control work - it's fundamental to it, the same way it is to
Developer Verification and Safetynet/Remote Attestation. It would
be great if EU decided to break that set of encryption
applications. Alas, chat control only wants to break E2EE on
messages, and uses encryption elsewhere to guarantee E2EE stays
broken.
A more general comment about this thread, and related ones in the
past: people really need to stop thinking about "encryption" and
"security" as inherently good. They're not. Most of the social
problems with computing, the attempts at user disempowerment and
disenfranchisement, persist because they apply cybersecurity
solutions.
The core question of security is always: who exactly is being
secured, and from who.
AnthonyMouse wrote 1 day ago:
> Furthermore, the need for a trustworthy binary to be auditable to a
certain hash or something would make banning this a simple task if
Google would want to go that route.
This is actually the advantage of doing it. You make the thing (call
it a "personal app loader" or something rather than a "circumvention
tool"), they ban it, now you campaign against them or make antitrust
arguments presenting the ban as an anti-competitive practice or use
the ban to refute claims that they're not inhibiting third party app
distribution.
Even if you know they're going to be the villains, you still want to
make them actually do it so that everyone can see them doing it.
chii wrote 1 hour 38 min ago:
They (google) could cite the loader being "exploited" to run
"dangerous" apps like viruses/malware, and bypass the monopoly
issue.
I do think having a technical bypass is good - it isn't mutually
exclusive with also having a legal bypass. I just hope that the
gov'ts are smart enough, and agile enough, to make this happen
before it becomes too late (aka, once the gates close, it will
never open again, like apple's ecosystem).
closeparen wrote 1 day ago:
The same EU that's doing Chat Control?
supermatt wrote 22 hours 37 min ago:
It appears that you are an American who has conveniently forgotten
about FISA, EARN IT, CLOUD act, PATRIOT act, LAED, etc, etc, and
wants to take a dig at the EU for what, exactly? NOT passing Chat
Control? Seriously..
closeparen wrote 19 hours 39 min ago:
I do not think it is righteous or enlightened when the American
government flexes control over the tech sector. I can see how
Europeans might have thought this about the EU when it was just
GDPR, but subsequent developments have recast all of this as
being about government control and keeping the tech industry
"in its place" rather than a commitment to privacy and
freedom in and of themselves. I think that ought to temper the
righteousness.
supermatt wrote 3 hours 52 min ago:
What subsequent developments? It sounds like you are alluding
to the DMA.
The DMA is an attempt to reclassify what "market" means in
the modern age where we have a global tech oligopoly. This is
because a simple "test" for monopolism doesn't work in
this world of multinational megacorps.
Again, your complaint is a double standard. You are doing
similar in the USA - albeit without an actual structured act -
as per the recent rulings on the Google Play store.
The EU has simply codified the rules for their vision of the
future where people aren't beholden to a handful of tech
overlords, whereas the USA is making similar incremental
"changes" through case-law. I'm not saying either way is
correct, but it seems like they are both headed in the same
direction.
0xDEAFBEAD wrote 19 hours 51 min ago:
It's interesting how so many online discussions of internet
privacy devolve into nationalist chest-beating. I'm beginning to
suspect that people don't inherently value privacy all that much
-- they just want to brag about how their country is the most
private.
Recall that the premise of this thread is that the EU should
sponsor an alternative to Android. The EU vs US question isn't
really topical, since no one suggested that the US government
should sponsor an alternative to Android instead.
saubeidl wrote 1 day ago:
The same EU that shut down another attempt at Chat Control.
Bad legislation gets written everywhere, the difference is, in the
EU it doesn't pass.
exe34 wrote 1 day ago:
The EU is a big place, run by a lot of different people, with true
separation of powers. They don't have a president-king who can just
ignore court decisions.
jmnicolas wrote 1 day ago:
So we're gonna get access to Von der Leyen Pfizer sms right?
Were you offered to vote for Von der Leyen by the way?
victorbjorklund wrote 23 hours 56 min ago:
technically people didn't vote for Trump they voted for
electors which voted for him.
exe34 wrote 1 day ago:
I'm not in the EU! I can explain when somebody is wrong without
having a horse in the race myself.
Certhas wrote 1 day ago:
The EU is a parliamentary democracy. Von Der Leyen was proposed
by the democratically elected heads of the member states. She
was approved by the democratically elected parliament.
The chancellor in Germany is also not directly elected by
majority vote but by parliament.
It's a reasonable criticism that the EU structures make
democratic legitimisation very indirect, but that is at least
partly a result of the EU being a club of sovereign
democracies. The central tension was extremely evident during
the Greek debt crisis, you have a change in government in
Greece, but due to EU level constraints they can't enact a
change in policy. More independent power in institutions less
dependent on the member state, means the sovereign democratic
national governments can't act on their local democratic
mandates.
wqaatwt wrote 23 hours 33 min ago:
> The EU is a parliamentary democracy
Except there are a couple degrees of separation between the
democracy part and in the running the EU institutions.
The EU parliament is also a very superficial imitation of a
real parliament in a democratic state. It has very limited
say in forming the "government" or decision making.
> result of the EU being a club of sovereign democracies
So either revert to it just being a trade union or implement
fully democratic federal institutions. The in between isn't
really working that well.
Certhas wrote 17 hours 28 min ago:
It isn't working well by what standard?
saubeidl wrote 23 hours 16 min ago:
> Except there are a couple degrees of separation between the
democracy part and in the running the EU institutions.
That's what parliamentary democracy means, yes.
wqaatwt wrote 23 hours 9 min ago:
No, of course not...
In parliamentary democracies the parliament is elected
directly and is generally sovereign (optionally
constrained by a constitution or some set of basic laws
and powers delegated to regional governments and such).
In no way does that describe the EU. It has no equivalent
body. Its imitation "parliament" is extremely weak
and barely has a say in who forms the closest EU has to a
"government".
Certhas wrote 17 hours 33 min ago:
The parliament approves and dismisses the commission.
In the last cycles the candidate who led the party who
won the parliamentary elections became head of
commission.
So this is just wrong. The EU parliament has more power
than US Congress or the UK parliament in this respect.
saubeidl wrote 22 hours 23 min ago:
But the parliament isn't the government in a
parliamentary democracy.
wqaatwt wrote 20 hours 52 min ago:
Yes, and? It forms the government and can dismiss it.
Certhas wrote 17 hours 35 min ago:
So this is typical of criticism of the EU
democratic structure: It's just factually wrong.
The EU Parliament can dismiss the commission. From
Wikipedia:
"The Parliament also has the power to censure the
Commission by a two-thirds majority which will
force the resignation of the entire Commission from
office. As with approval, this power has never been
explicitly used, but when faced with such a vote,
the Santer Commission then resigned of their own
accord."
The fact that the whole democratic setup is highly
complex is in itself a problem. But the concrete
deficits people mention are never true or don't
apply to other democracies either...
In practice the EU Parliament has been a lot more
trouble for the executive than is typical in
national bodies. The one valid point is that the
parliament does not have the right to initiate
legislation itself. That is unusual, but in
practice many people who are actually close to
political processes seem to say this is mostly
symbolic, as national bodies can't really draft
effective legislation without cooperation from the
executive either... Still definitely something I
would love to see addressed.
exe34 wrote 19 hours 4 min ago:
They can also vote on bills, while we're bringing
up irrelevant gotchas.
immibis wrote 1 day ago:
FWIW EU members are sovereign. If they disobey EU laws they
can have benefits withheld but they won't be militarily
invaded for ignoring EU law the way a US state would (unless
they do something military themselves like invading another
country).
StopDisinfo910 wrote 1 day ago:
For all the disdain I have for her, Von der Leyen is the
candidate put forward by the PPE, the majoritarian party in the
EU parliament. So, yes, people were indeed allowed to vote.
wqaatwt wrote 23 hours 27 min ago:
She was primarily nominated by the EU council.
The parliament would have picked Weber, but nobody cared
since it's just there to rubber stamp predetermined decisions.
He was the leader of the party which won the plurality in the
elections and had its support. EU had a real chance to move
towards becoming a real parliamentary democracy if it went
that way.
StopDisinfo910 wrote 19 hours 18 min ago:
That was the election before the current one. She was the
one put forward by the PPE this time and even then she was
the second candidate put forward by the PPE after Weber was
vetoed by France the previous time.
That's the new Spitzenkandidate system. The council is
supposed to pick the candidate put forward by the main
political force in the parliament.
The EU is a real democracy anyway. All the members of the
council are themselves democratically elected. It has a
weird three parts political system but everyone in it is
elected or appointed by people elected.
deaux wrote 1 day ago:
The same EU that's doing NL Labs, the org mentioned in the comment
you're replying to.
rf15 wrote 1 day ago:
The same EU of which parts are trying to make chat control work and
are once again abandoning it. Politicians get this particular fancy
idea every other year in all kinds of countries, not just EU.
Overreach out of desperation for a problem that cannot simply be
solved is wrong but understandable.
igor_akhmetov wrote 1 day ago:
Desperation for what exactly? More control?
ForHackernews wrote 23 hours 14 min ago:
They are trying to stop crime, including sex/drug trafficking
and child exploitation. If you want to have an intellectually
honest debate, you need to be clear that private communication
apps do make it more difficult for police to conduct legitimate
investigations. You do yourself no favours painting all
politicians as power-hungry caricatures.
0xDEAFBEAD wrote 19 hours 55 min ago:
If chat control is a good-faith effort to stop crime, why
can't Android developer verification be a good-faith effort
to stop cybercrime?
If politicians are not all power-hungry caricatures, is it
possible that the same is true for businesses?
Android has millions of users worldwide, many of whom are far
less computer-literate than HN users. I think it's very
reasonable for Google to put speed bumps in front of malware
developers trying to distribute through the Play Store. If
you're a half-decent dev, $25 is nothing compared to the
opportunity cost of your time in developing your app.
This whole thing seems to be a fairly recent announcement on
Google's part, so it's unsurprising they're still hammering
out details for hobbyist devs? How about making constructive
suggestions for ways that Google can protect ordinary people
without stopping power users?
ForHackernews wrote 18 hours 34 min ago:
I think the issue is not about distribution in the Play
Store (I don't actually have any problem with that: their
playground, their rules) but the fact that they are going
to break sideloading and alternative app sources like
F-Droid.
I struggle to see any good-faith need to erect additional
barriers to protect users from running the programs they
want on devices they own, when you already have to be
fairly expert to enable developer mode, install via adb,
etc.
0xDEAFBEAD wrote 9 hours 46 min ago:
That's fair.
ipaddr wrote 22 hours 29 min ago:
So do private in person conversations. Going the route of
North Korea putting two way speakers in each house would help
make those conversations available to the government. Think
of all of the child exploitation you could stop by removing
any sense of privacy. Of course they would figure a way
around this and everyday citizens would have to deal with the
lack of privacy but at least they thought of the children so
we should keep voting them in.
singpolyma3 wrote 1 day ago:
What's wrong with lineage?
numpad0 wrote 22 hours 55 min ago:
Active installs of LineageOS[1] as reported on official tracker is
4.3m instances right now. An MAU of 5m is like, less than Bluesky,
Switch 2 shipped so far, most F2P phone games you've heard of,
etc. The leverage it has is that of a game.
1:
HTML [1]: https://stats.lineageos.org/
IlikeKitties wrote 1 day ago:
It's not a good, secure project by a longshot. There's a good
comparison floating around:
HTML [1]: https://images.squarespace-cdn.com/content/v1/60f1421e1afc...
AnthonyMouse wrote 1 day ago:
That looks like someone made a list of mostly features specific
to GrapheneOS so they could make a chart where all of the other
alternatives (including stock Android) are full of red boxes.
Several of those are the opposite of security features, like
SafetyNet support, which might be a convenience in some cases but
it mostly makes it so you can't upgrade certain parts of the
system to newer versions even when the old versions have security
vulnerabilities.
Itoldmyselfso wrote 19 hours 33 min ago:
Or, far more plausibly, they added to the table features
GrapheneOS has, but others don't.
Here's the up-to-date comparison: [1] As far as I know, there
are no significant features other distros have that increase
their privacy or security over what GOS has. I'm not entirely
sure about the SafetyNet thing, but GOS is by far the most
up-to-date to the AOSP out of these distros.
HTML [1]: https://eylenburg.github.io/android_comparison.htm
AnthonyMouse wrote 17 hours 51 min ago:
The point isn't that GrapheneOS is bad but rather that it
doesn't imply there is anything wrong with LineageOS when
it's still better than Android itself.
Moreover, some of the stuff with green boxes is still kind of
a privacy fail. For example, with GNSS (i.e. GPS) your device
calculates its location from the timing of radio broadcasts
emitted by a network of satellites. It has extremely good
privacy properties because your device is a passive radio
receiver and neither the satellites nor anyone else know
you're there when you use it. "Network-based location" can
sometimes work when you're somewhere you can't hear the
satellites, but now you have Google or someone else building
a database of nearby wireless APs etc. in order to make it
work, and in the process you're effectively uploading your
location to them.
Itoldmyselfso wrote 16 hours 31 min ago:
GOS developers have said on multiple occasions that they
think LineageOS is worse for security than the stock OS on
multiple devices, as it doesn't keep up with current
privacy/security patches or provide all of the standard
protections. The comparison also does bring up these
faults. See also
HTML [1]: https://www.kuketz-blog.de/lineageos-weder-sicher-...
AnthonyMouse wrote 2 hours 4 min ago:
"Device does not force you to update" isn't a bug. The
bug is "device forces you not to update" which is the
thing you get with stock Android on the large majority of
Android devices.
Their objections in general seem to be fairly pedantic,
e.g. objecting to a connectivity check which could be
improved in a theoretical sense but in practice that
shouldn't be leaking anything you're not already giving
up by having a phone which is turned on and connected to
a cellular network.
IlikeKitties wrote 1 day ago:
>That looks like someone made a list of mostly features
specific to GrapheneOS so they could make a chart where all of
the other alternatives (including stock Android) are full of
red boxes.
No one else even bothered to make a list.
>Several of those are the opposite of security features, like
SafetyNet support, which might be a convenience in some cases
but it mostly makes it so you can't upgrade certain parts of
the system to newer versions even when the old versions have
security vulnerabilities.
Citation needed
AnthonyMouse wrote 1 day ago:
> No one else even bothered to make a list.
That doesn't make the biased list good.
> Citation needed
Are you not aware of what SafetyNet is? It's the thing where
Google certifies that the phone is running the software
produced for it by the OEM. The problem, of course, being
that the OEM stops issuing updates and then the certified
version has known vulnerabilities. Which is a lot of the
point of wanting to install a newer ROM on such a device,
except that then it won't pass SafetyNet because you replaced
the vulnerable but certified code with third party code that
has the patch but not the certification.
hilbert42 wrote 1 day ago:
You have to get some of the big names to unlock the bootloader
first. The trend towards locking it off permanently is alarming.
Edit: Google could ultimately use that as a lever in licensing
deals with manufacturers. It'd marginalize everything.
thaumasiotes wrote 1 day ago:
> I hope we can get the EU to fund a truly open Android Fork.
How are things in the EU on whether it's legal to buy a SIM card
without showing ID?
supermatt wrote 21 hours 24 min ago:
There is no such requirement in the EU - it is entirely up to the
individual country.
WhyNotHugo wrote 1 day ago:
> How are things in the EU on whether it's legal to buy a SIM card
without showing ID?
It varies per country. In some you can just buy one (or more) SIM
cards at a supermarket without any ID.
sigio wrote 1 day ago:
In many EU countries you can walk into many a supermarket or
phone-store and just buy a simcard with cash without questions
asked.
asimops wrote 1 day ago:
A secure OS is a prerequisite for secure digital services. We can
agree on that, right?
The task, therefore, is to convince enough politicians to establish
an independent unit that can address this issue without direct
political influence.
Fund the unit with enough money so that it can take care of the
cybersecurity and sovereignty of all citizens.
A side effect of this would hopefully be that these politicians
would then be digitally literate enough to recognize nonsense such
as chat control as such and reject it outright. I hope that most
politicians would not really want such omnipotent surveillance
tools if they could truly grasp their scope.
TeMPOraL wrote 1 day ago:
> A secure OS is a prerequisite for secure digital services. We
can agree on that, right?
Secure for who, and from whom?
Remote Attestation and Developer Verification both make Android
OS and platform more secure against malicious actors that would
want to defeat the guarantees the platform gives, guarantees that
enable secure digital services.
Yes, this includes protecting the banking services and DRM media
services and advertising platforms from malicious actors like you
and me, who pose a real threat to the revenues of the
aforementioned players, by:
- Expecting banking to do security right on their own side,
instead of outsourcing it to mobile platform and society at large
(like with "identity theft" trick);
- Enjoying entertainment and education in ways the vendor or IP
owner does not like or can't be arsed to support, and thus not
spending extra on the inferior ways that are supported;
- Not looking at the ads.
Same is with Chat Control. Chat Control improves security of the
society against threats such as sexual predators who want to hurt
children, or citizens who disapprove of how the current ruling
class is governing the people. To effectively provide that
security, Chat Control in turn relies on a secure OS and platform
providing secure digital services - in particular, secure against
those malicious actors that would want to circumvent Chat Control
protections.
Is the larger picture clear now? Security technologies are not
inherently good, they're morally ambivalent. They're "dual-use".
It's important to consider their deployment on a case-by-case
basis, always asking who is being secured, and what are the
actual threats they're being secured from.
immibis wrote 1 day ago:
> Chat Control improves security of the society against threats
such as sexual predators who want to hurt children,
no it doesn't. Chat Control is single-use.
TeMPOraL wrote 18 hours 47 min ago:
It does, to some extent. These projects wouldn't have the
support they had if they didn't have a plausible way to
deliver some improvement along the metrics they market. It's
the outsized harmful impact that's usually just left
unspoken.
Also, I'm not saying Chat Control is dual-use, I'm saying
crypto is. Chat Control actually needs working crypto to be
properly implemented.
exe34 wrote 1 day ago:
did you understand and disagree with the third paragraph? if
so, could you say in what way it didn't completely answer the
question you just asked?
IlikeKitties wrote 1 day ago:
I must sadly inform everyone here that the EU is pozzed beyond
recovery in regards to Google.
The reference implementation for the euid project is only
available for android and ios and uses the play integrity api
which makes usage of it on non google-certified devices
impossible.
HTML [1]: https://github.com/eu-digital-identity-wallet/eudi-app-a...
remix2000 wrote 1 day ago:
It is neither illegal nor hard to obtain such a prepaid SIM card.
kube-system wrote 1 day ago:
That very much depends on the country, many require ID.
remix2000 wrote 1 day ago:
You can use any country's SIM card in any other country,
regardless of its registration status.
kube-system wrote 1 day ago:
… if you have roaming coverage.
And even in that case, doing this for a long period of time
violates most roaming policies
qilo wrote 1 day ago:
Even with fair usage policy violations (like long term
roaming) the prices are still quite reasonable: 1.30
EUR/GiB (+VAT); from next year 1.10 EUR/GiB (+VAT).
HTML [1]: https://en.wikipedia.org/wiki/European_Union_roami...
gambiting wrote 1 day ago:
The only thing that happens is your data becomes a lot more
expensive, the card still continues to work as normal. I've
not lived in Poland for over 15 years now, and I still have
a Polish SIM card that I use almost daily - the only thing
that I've lost due to roaming long term is cheap data
packs, I can still call and text as normal from my monthly
allowance.
kube-system wrote 1 day ago:
Maybe in the countries that you are familiar with that is
the case.
In some places your plan will be cancelled for roaming
beyond a certain number of days or quantity of usage.
Telecom laws and policies vary widely.
pohuing wrote 1 day ago:
There's EU (maybe even EEA?) wide free roaming legally
mandated since I think 2017 or so? But it's not a permanent
solution, your second paragraph still holds true.
kube-system wrote 1 day ago:
I know of some UK SIMs that do not roam.
Digit-Al wrote 1 day ago:
That's because we are no longer in the EU. Before
Brexit they were legally mandated to allow free roaming
in the EU. Now they are back to charging whatever
outrageous prices they wish.
scarlehoff wrote 1 day ago:
As far as I know it is only EU. Both UK and Switzerland
have some operators that roam and some that do not.
fwiw, fastweb in Italy provides roaming in both and has
a very generous fair usage policy.
asimops wrote 1 day ago:
Germany requires ID for all SIMs (for "normal" people). You can
buy activated SIMs in every bigger city if you know what to
look for though.
Kwpolska wrote 1 day ago:
The ID presented at time of purchase does not have to be the ID
of the actual user of the card. Your local drunkard will be
happy to get $10 to buy a SIM card for you. Or you could visit
eBay (or local equivalent) and get a valid SIM card without
leaving your house.
codedokode wrote 1 day ago:
In my country, giving a SIM card to another person who does
something illegal, is a crime. No doubt EU might soon have
the same law - they are pretty good at copying.
As a result, sites where I could rent a number for
verification, now don't offer local numbers anymore.
logifail wrote 1 day ago:
> The ID presented at time of purchase does not have to be
the ID of the actual user of the card
In some EU member states this might be fine, but definitely
not all.
> Your local drunkard will be happy to get $10 to buy a SIM
card for you.
Buying a SIM card was always the easy bit. Getting it
activated may not be, it depends on which country you're in.
[1] "For the Selfie-Ident you identify yourself with your
identity card, passport or residence permit. (Selfie-Ident is
currently possible worldwide with the German ID card,
residence permit and passport. Alternatively, you can use
Video-Ident and identify yourself in a video call with an
employee.)
Important: Temporary identification documents are not
supported due to internal check. You need a tablet or
smartphone with a camera and an internet connection."
HTML [1]: https://www.telekom.de/prepaid-aktivierung/en/start
econ wrote 1 day ago:
Surely others may use your phone?
logifail wrote 15 hours 55 min ago:
If you're happy to purchase a SIM card, register it in
your name, and hand it to someone else for them to use,
go right ahead.
Q: Who's paying the bills for that SIM?
econ wrote 12 hours 26 min ago:
I was referring to this part
> > The ID presented at time of purchase does not have
to be the ID of the actual user of the card
>In some EU member states this might be fine, but
definitely not all
It seems hard if not impossible to prevent or stop?
noosphr wrote 1 day ago:
>While it is technically feasible, it is not a good idea to
try and find a technical solution to a people/organisation
problem.
kube-system wrote 1 day ago:
The suggestion above wasn't a statement of practicality but
rather of EU motivations. Maybe you can also find a drunkard
to fork Android for you.
jraph wrote 1 day ago:
I'm confused, how are those two things related?
semolino wrote 1 day ago:
The commenter you replied to was implying that the EU does not
respect the privacy/freedom of mobile device users.
jraph wrote 1 day ago:
Okay, thanks.
I was confused because anonymity against the state is hardly
the only, or even a main point of Android forks.
Privacy usually is, but against big tech typically.
peterhadlaw wrote 1 day ago:
Nanny state
vik0 wrote 1 day ago:
More like surveillance state
ulfw wrote 1 day ago:
Which states aren't? And for the love of god do not write US
now
gruez wrote 1 day ago:
Sounds like the UEFI shim loader that's signed by Microsoft but can
load an arbitrary EFI executable (with some signing checks). The
difference is that the UEFI shim loader is endorsed/condoned by
Microsoft. What about Google? This seems easily patchable, ostensibly
for "security purposes" (eg. disabling loading dynamic code).
p_l wrote 1 day ago:
Microsoft also forces manufacturers to provide an option to reset
Platform Key aka SecureBoot "root of trust" key - which is supposed
to be not possible in spec-compliant UEFI system.
They don't do it out of goodness of their hearts, which is why it's
more solid than relying on goodwill - Microsoft simply has an
offering that depends on that for certain high profile clients.
XorNot wrote 1 day ago:
I suspect it's also a defense against antitrust law suits - lock in
was how they got sued for things circa Internet Explorer.
Frankly they should still be getting sued for the way Edge and
Cortana are bundled.
leptons wrote 1 day ago:
Then Apple should get sued for bundling Safari, and also for
forcing all browser engines on iOS to use Safari - which is way
worse than anything Microsoft ever did with IE.
jcelerier wrote 1 day ago:
Yes
torstenvl wrote 1 day ago:
Apple does not have a platform monopoly on smartphones the way
Microsoft did on PCs.
AnthonyMouse wrote 1 day ago:
Microsoft was convicted of monopolizing the market for
IBM-compatible PCs, i.e. not Macs.
Which makes a lot of sense, because you couldn't run Windows
on a Mac nor MacOS on PCs from the likes of Dell or IBM, and
you couldn't run third party software for Macs on Windows or
vice versa. By contrast, you could run various types of Unix
on a Dell, and run Windows software on OS/2 or DOS software
on DOS competitors other than MS-DOS.
That distinction seems like it might be relevant to the
current situation.
torstenvl wrote 21 hours 32 min ago:
This is utterly irrelevant. I don't know what point you're
trying to make.
It remains objectively inarguable that Apple does not have
a platform monopoly on (ARM-compatible) smartphones the way
Microsoft did on ("Intel-compatible") PCs.
AnthonyMouse wrote 18 hours 34 min ago:
Are Apple's phones compatible with other ARM smartphones?
Can you install Android or LineageOS on one, or install
Android apps on iOS, or get iOS apps through Google Play
or the Epic Games store?
torstenvl wrote 17 hours 17 min ago:
No. Also irrelevant.
AnthonyMouse wrote 17 hours 8 min ago:
It seems extremely relevant to the market definition
that the alleged alternatives aren't actually
substitutes for one another.
If you have a car that runs on diesel fuel and there
is only one company that sells diesel fuel, it seems
like you want to claim that it's irrelevant and isn't
a monopoly because there is another company of the
same size that sells gasoline. Is it not relevant
that you can't actually use that in your car?