Shame on Google and Apple, it was always clear this was the end goal and next up is also your PC.
Right after will come the removal off apps they don't like and there is nothing you can do about it.
Stallman was right
"debugger vendors in 2047 distributed numbered copies only, and only to officially licensed and bonded programmers." - Richard Stallman, The Right to Read, 1997
A special carve out for anonymous apps only for people with government connections doesn't help because it fingerprints the operative.
Tor was originally a deniable communications tool.
People will be running pirated debugger copies if that comes to shove
99.9% of people DNGAF about OSS. They do care about doing what they need on their phone without malware/bloatware/nagware
Also publishing and development are separate activities
Stallman's "Right to Read" is an accurate reflection of reality in that sense.
So I moved to Dhizuku. It's a bit hard to setup, but once I'm done it's felt like untethered jailbreak - I don't have to complicated dance to start Shizuku now. Dhizuku basically make your phone a company phone, except it report to you. To setup a "managed main profile" you'd need to remove all accounts visible in Android account system and type a long ADB command so I don't think it can be maliciously done.
I suppose this will be how we'll use F-Droid in the next year for enthusiasts.
And why is a phone different from a computer? Nobody bats an eye when downloading program on computer, or visiting a website with arbitrary code.
The example was recent and very clearly put the developer at personal risk. But there are many gray-zones.
An app to decode car diagnostics codes isn't unlawful, but being personally identified could get you in alot of trouble by car companies anyway.
And what about making an independent news app in Russia? More clearly ok by our morals and law, but very dangerous for the developer.
I only have Linux PCs (laptops) and servers, 100% of my work and personal stuff is done there (though for work I do need to hop into MS365, Google Workspace, Zoom, etc, hooray for browsers, my final firewall between me and the walled gardens, though we can have a whole discussion on that).
For mobile, we have PostmarketOS, Phosh, Ubuntu Touch. I really must try living in them, is it on me? IDK, our government even has an identity app for iOS and Android. I should not be using it, I should stick to web. But its so much more convenient. I'm just weak, aren't I?
Maybe I should go for Ubuntu touch, with an iPad on the side or something. At least my most personal device is something I control then. Or just keep my Linux laptop handy (or make a cyberdeck!). But I want a computing platform that does not require carrying a bag. It's kinda sad. Even GrapheneOS (one of the most personal and secure mobile computing experiences out there)'s future is in the hands of its greatest adversary, the one that does not want you to have a personal computing experience.
1: None, no anonymous accounts allowed. 2: None. Civil what?. 3: It's the Google's company policy, don't use our products if you don't agree to it. 4: If devs write apps for this nearly impossible to develop Mac AppStore ecosystem, I don't see even a slightest problem here. 5: Just change package IDs.
Thank you for listening, see you again next time.
Yeah you're absolutely right, tell that to Facebook/Instagram/Temu/TikTok/Pinduoduo/(any other _spying_ apps) users.
It's also really stupid to drive a car in a flood, but we don't have cars check the weather forecast before starting up( maybe I shouldn't post this, might give someone some ideas).
[1] Feel free to discuss this too, if you want. I'm developing my opinion on it.
So, how can anyone expect FOSS mobile OSs to ever exist unless forced by law by the US or something?
Read up on the principles of the Free Software Foundation if you want all the details.
So, how do we get to a commodity layer for Mobile devices? It looked like it was going to be Linux (Android), and that was Google's intention. But now they are just using their significant resources to corrupt that original idea, using their trojan horse called "play services".
The public at large only cares about convenience, not about privacy. Why don't we? How much enshitification is enough to draw that line in the sand?
(I am holding out hope for the phone that the GrapheneOS project is planning to make.)
In 2025 you’d be viewed just as much suspicion for not building your stack on Freedom. I still have hope that we’ll get there with phones, too, some day.
Currently probably the best route is basing the OS on Android (so that you can benefit from all the existing apps), making a non-hostile reference device, and getting regulators' attention (the EU is probably the most likely to succeed) to break Google's monopoly on attestation.
This is largely what GrapheneOS is currently trying. I think what we can do as users is install GrapheneOS with sandboxed Google Play and for any apps that do not work, contact their developers. If GrapheneOS manages to get millions of users and get on the radar of app developers, that's the best shot I think.
But it feels like the window is closing quickly. So if you care at all about any of this, today is the day to get a GrapheneOS device and make yourself heard.
Yeah I agree his opinion is probably more balanced, however Right to read is a short story displaying characters with too much learned helplessness and too little agency so I'm just going based on what he literally put to paper
If the app is monetized, then the full mailing address is shared.
If money is involved, it’s fair for users to know who they’re dealing with. Developers who want to hide their personal identity can still do so legally with a shell company.
Taking it a step further, if I am going to run your code on my device, I want to know who I'm giving access to my data/cpu/hardware.
Just like with offline transactions, customers should know who they are giving money to.
----
> Google will display your legal name, your country (as per your legal address) and developer email address on Google Play. If you decide to monetise on Google Play, then Google will display your full address.
[0] - https://support.google.com/googleplay/android-developer/answ...
Heck, even one of Google's apps tracks speeding camera locations and police: https://play.google.com/store/apps/details?id=com.waze&hl=en
This is a huge factor. Mobile chip sets (CPU/SoC, crypto enclaves, GPU modems/basebands) are buried under NDAs a mile thick, and you can't just whack an oscilloscope on the bus like its 1979. Those companies treat their opaque hardware as their defense against IP theft, they'll never, ever give it up in the current environment.
And the cameras are super complex and require a bunch of DSP and AI to even vaguely work let alone do all the headline features.
Already starting on macos. Gatekeeper had setting where you could allow any app. Now it is removed. While still possible to allow individual app (you need to do it after every OS update), trajectory is now clear.
In fact that latter example might provide a solution. Set up a company willing to publish apps whilst hiding the actual developer's identity.
Plus, and doing what you suggest but in a country where board directors don’t need to be public really solves it.
You have to commercialize openness if you want the muscle of the consumer to be able to produce it.
Short presentation of the basic concept: https://youtu.be/SO46oEdlkY8
Some things with massive value in excess of the cost of production cannot be pursued by capital nor bought by the individual. Your choices are government, non-profit, or something in between all three. PrizeForge aims to be between all three and to completely change how we do consumer open source, incidentally bringing billions of dollars into making it.
Even the language we are using to describe the situation is problematic. Why do we say "side-load an app"? It should be just "run a program"!
An OS that doesn't let you run programs of your choice is laughable.
Google is a big company and there may have been some factions pushing to make android an open ecosystem, but I don't see that that was ever the companies intent overall.
So the "Right to read" is still bonkers.
I am allowed to invite guests into my home even if their identity isn't pre-registered with my landlord.
If the web was enabled, app stores wouldn't be possible and you could run anything without an installation. But somewhere along the line both Google and Apple realized that this isn't really to their benefit and "walled ecosystems" are an advantage.
Clearly it wasn't doing fine in 2018 when Apple became the first trillion dollar company. Nor was it when in 2012 when Apple's market cap exceeded oil companies, barely breaking half a trillion dollars. And the economy was definitely in shambles back in 2005 when no company even had a 400bn market cap! Seriously, how could the economy ever survive?!
Where would the wold be without all those innovations. Like the 2005 invention of YouTube, the 2007 release of the iPhone. Where would we be without such world changing technologies that followed with tech's rise in global dominance? Technologies like, Bitcoin, VR, and an even thinner iPhone? Do you even know how many peoples' lives these technologies have saved? Seriously? Because I don't...
In a way it's not. As you mention, we have several of them. But they won't have mass-market appeal until they can run the same sorts of apps that Android and iOS can run. And no, "just use the mobile website" is not an answer.
How do I deposit a check with my bank on my phone without the app? I can't; the mobile website doesn't have that functionality. How do I send someone money via Zelle without the app? I can't; the mobile website doesn't have that functionality.
How do I use contactless payments? I can't; the ability to build an app like Google Wallet or Apple Pay requires deep pockets and trusted payments industry connections that open source mobile OS developers will likely never have.
How do I use Google's productivity suite? I can't; the mobile websites aren't functional enough. How do I use Microsoft's? Ditto.
How do I use the remote-lock functionality of my car? I can't; that's only available through the Android and iOS apps.
I could go on, and on, and on, but I think you see the point. Many people who advocate for these alternative OSes don't get it. "Do you really need that functionality?", they ask. "Why can't you just do that stuff in a web browser on your laptop instead of on your phone?", they ask. "Just use a physical credit card like I do!" And then they wonder why their alternative mobile OS will never go mainstream.
People actually really care about those features and capabilities. It doesn't matter if the people who build these alternative mobile OSes don't care, or think they're stupid, or unsafe, or bad for privacy, or whatever. If you don't build what people want, they won't use your stuff.
Emulating Android sufficiently well enough to run Android apps is a decent start, but so many apps rely on Play Services and Play Integrity that it's a losing battle, or at best a cat-and-mouse game to keep things working.
On top of that, mobile chipset BSPs require financial commitments and being a Real Company. Most open source outfits can't cross that bar, and the likes of Qualcomm will be wary dealing with an organization that wants to do open source.
The use of managed language runtimes, and SaaS products with low code/no code, makes the OS kind of irrelevant, and many times we don't even consider Linux on the cloud vendor, it is seen as an implementation detail, as many workloads are done via managed deployments like Vercel, Netlify, Azure Web App Service, and similar services.
Debian here, and... yup. It's so weird to realize this. I have lots of browser windows open with lots and lots and lots of tabs open, but the only other app I have open is a Matrix client (which honestly is not that great; Element's web version has more features and better polish), and a terminal. If you can call a terminal a GUI app.
Sure, I do use native apps sometimes. A calculator app, GnuCash, VLC, some others. But they're not open all the time; they're infrequent-use apps. And a lot of my VLC use has been replaced by streaming on the web.
It's incredibly sad.
Is it the lack of deep, DNA encoded morality? What are we going to do about this? What is the DNA of an organization anyway?
How, as a society can we take away these stimuli that make it so natural to consume individual freedoms when we grow our tribe-size?
Maybe we need more freedom, more freedom to say: "F-this I'm out of here, I just like the set of rule of this other society better." Maybe we are still too constrained. By our ways of generating income, by our countries, continents and ultimately our planet. We have 1 lifetime, we have to make do with what we find.
Identification is only required if I want to sell stuff, at large scale.
Google's plan would also utterly destroy fdroid and similar projects.
Don't forget GrapheneOS, LineageOS and other de-googled FOSS Android Versions
Unfortunately no NFC Payments though, since they are only available for Google Wallet (which uses safetynet)
Has the UK gotten rid of public postboxes? Do you have to present government-issued ID to post a letter, flyer, or other mailpiece? Do the UK post-handling companies check the sender's claimed name and address on the mailpiece and toss it in the trash if it doesn't correspond to a registered combination of name and address?
> Where in the real world is anonymity considered ok?
Tons of places in the US, and I expect most everywhere else in the world... including the UK. (Or has the UK prohibited things like anonymous food pickup and late-night back-alley dalliances?)
If one is selling computer software, it makes some sense to keep track of the receiver of those funds... if for no other reason than to know who to go after if taxes on the sales aren't paid. However, if someone is giving away software perhaps on an AS IS basis and especially with NO WARRANTY, there's no reason to proactively keep track of who is offering that gratis gift. If some sort of legal problem ever arises because of the contents of that gift, go call the cops in and they can investigate after the fact.
I've been paying some attention to the conversation about Google's proposed policy for the past several days, and I've not seen anyone talking about the significance of the set of countries where this is rolled out to first: Brazil, Indonesia, Singapore, and Thailand. Perhaps there is no connection, but I haven't seen anyone asking what relevant repressive policies these four countries might have in common.
It's weird.
I bought a PinePhone, and after a few too many show-stopping issues (not being able to receive a call for a scheduled job interview was the last straw), I went back to using LineageOS without gapps. I'm not a developer either, just a fairly technical user, so when the device wasn't working, all I could do was report bugs, and things weren't improving fast enough. I haven't checked on progress in a while now. postmarketOS seemed like the one to follow, and they do also support some beefier devices like the OnePlus 6T, but then you'd miss out on the PinePhone's ability to easily remove the battery and to boot off the SD card in addition to eMMC.
I also felt a bit bait-and-switched that the PinePhone Pro came out not too long after the original and then everyone seemed to switch to that one. It reminded me of the awful Gemini PDA and how quickly they rushed out a successor without fixing any problems.
I don't know how many people realize but what can result from this can be very dystopian and is scary. But the best possible outcome from this I hope is that some day a wise government realizes how much of daily life is dependent on two corporations and passes regulations to standardize app runtimes. You should be able to publish applications that can run on any OS. Only then we'll see competition in the OS market.
Obviously even maintaining AOSP yourself requires a huge effort and a lot of people would need to donate development time/money.
Google, just like Apple, should be free to enforce any kind of verification they deems necessary on Google Play, as long as they allow third party stores to be on equal footing, which they don't.
It should be everywhere, no matter the place or the platform.
More accurate would be "run a program not approved by Google"
All wisdom aside... I think you're right. I takes a certain grit to start to appreciate the ultimate effect of software freedom culture and licensing. Never mind the the whole philosophy.
It's like explaining CRISPR (yeah I'm a biologist) to a normie... Ok, so lets start with what DNA is... proceeds to guide someone through a lifetime in the molecular biology field....
Why are you only listing DEs and not operating systems? (You also missed SXMo and more.) There are many more operating systems [0] and two working GNU/Linux phones, Librem 5 and Pinephone. Why people are ignoring them on HN?
Now they very kindly just display a warning.
iOS on the other hand historically required a jailbreak for this. I think that's where the confusion started. Android doesn't need a jailbreak, it doesn't need root (privileges), it doesn't need a custom ROM. You can just install stuff, it's normal. I think iOS users don't realize how different Android is and they just start repeating words like sideload and root without knowing what they mean, assuming it's just Android-speak for a jailbreak. They don't realize there's no jail in the first place.
I am aware English is a living language, and if enough people are wrong for long enough, they stop being wrong, but it's certainly painful to witness.
When Government goes bad, suddenly we are faced with the utmost need for privacy and anonymity, but we may by then be in a situation where privacy and anonymity are difficult to obtain, with all the consequences that then flow from that.
Respectfully, this claim is incorrect. See this 2013 essay [0] for one example out of many where concessions are made to practicality.
Folks who are unfamiliar with Stallman's writing and the general philosophy of the FSF and/or the GNU Project might find spending an hour or so reading through some of the essays here [1] (perhaps starting with this 1991 essay [2]) to be informative.
[0] <https://www.gnu.org/philosophy/is-ever-good-use-nonfree-prog...>
[1] <https://www.gnu.org/philosophy/essays-and-articles.html>
You've listed commercial activities. The vast majority of non-commercial activities don't require any sort of registration or identification.
Installing an app that your friend or internet stranger developed in their spare time is not a commercial activity and people shouldn't be forced to publish their personal information in order to do so.
IMHO, thats is them still having an unfair control over the android market so the EU will come for them eventually - and no doubt they will implement some other devious bullshit.
Ideally the world will wake up and realise multi-sector megacorps simply should not exist and split them all up accordingly - but I'm not holding my breath.
Didn't he give some wiggle room in GPL license ?
Not only that, but many of their core services (national payment network) are now exclusively offered in their app and no where else (yes, they will not allow you to do them in person or through their ATM). Your bank _will_ disable their website when you are the only one left using it.
I am not exaggerating. There is no way for me to use these core services if I don't use their app and they wont allow me to use their app thanks to their google play policy.
Unless otherwise mandated, their website will go away and they will have their way with your rights and make you pay for it.
Don't shrug this off. Fight this while you still can.
> The question here is, is it ever a good thing to use a nonfree program? Our conclusion is that it is usually a bad thing, harmful to yourself and in some cases to others. If you run a nonfree program on your computer, it denies your freedom; the immediate wrong is directed at you.
That is most certainly not making concessions for practicality in my book. So if anything, the citation you provided is IMO evidence for my claim.
The problem is that it's difficult for cooperatives to raise capital: they can issue debt, but not equity (because the definition of a co-op is that it is owned by members (usually customers and employees )-and no-one else). But debt is not really risk capital in the same way as equity and doesn't enable bold initiatives and innovation.
If you run a nonfree program on your computer, it denies your freedom; the immediate wrong is directed at you.
That does not mean you're an “evildoer” or “sinner” for running a nonfree program. When the harm you're doing is mainly to yourself, we hope you will stop, for your own sake.
Sometimes you may face great pressure to run a nonfree program; we don't say you must defy that pressure at all costs (though it is inspiring when someone does that), but we do urge you to look for occasions to where you can refuse, even in small ways.
If you recommend that others run the nonfree program, or lead them to do so, you're leading them to give up their freedom. Thus, we have a responsibility not to lead or encourage others to run nonfree software. Where the program uses a secret protocol for communication, as in the case of Skype, your own use of it pressures others to use it too, so it is especially important to avoid any use of these programs.
But there is one special case where using some nonfree software, and even urging others to use it, can be a positive thing. That's when the use of the nonfree software aims directly at putting an end to the use of that very same nonfree software.Likely this gives them another way to milk information out of you, push their marketing onto to you, and saves them from having to manage physical devices. The obvious downside is of course a degradation in security and further cementing the duopoly and more or less forced participation in it that we as citizens have to endure.
Maybe there's been a miscommunication somewhere but Android Developer Verification (what this thread is about) applies to all apps, even those installed outside of Google Play store.
This is not too hard. What is hard is to trust it enough. A FOSS OS, by definition, allows to install whatever software, and allows for modification of itself. It is built to overcome limitations, not impose them. In this regard, it's a perfect tool for a criminal who wants to circumvent security measures, because these are limitations. It's the same problem as with cheaters in online games, only with more than games on stake. Banks and payment systems want guarantees of integrity and protection, including protection from user's actions.
A FOSS OS also assumes that the user values the freedom, and is competent in its technical aspects. This is emphatically not true about many users. They choose iOS because it's locked down and thus they cannot inadvertently do something they don't understand, and can't be bothered to learn. More importantly, their grandmother cannot do something she doesn't understand but scammers persuade her to do.
It's a bit like driving on public roads. If you want to drive yourself, you have to reveal your identity and obtain a license. If you want the hassle, take a bus, but buses only go along their routes. Letting unlicensed people drive cars where they see fit was found unacceptably dangerous for everyone eround. Maybe mainstream mobile software development will follow this model, too :(
Now I have to keep my 4 year old phone with 2 year outdated Android to access the bank application. Which deemed more safe then my mobile with latest security updates. Haha
I was just saying that you can make the problem more narrow by not trying to support every device out there. Start small and pick your battles (which probably means using AOSP and using sandboxed AOSP).
I think the main issue of many previous attempts was what typically happens in the FLOSS community: there are N attempts rather than one coordinated attempt (Ubuntu Touch, Plasma Mobile, PostmarketOS, PureOS, etc.) and everybody is targeting different hardware. It's similar to how the Linux desktop got fragmented, though it's even more problematic for mobile, since the usage is probably 1/1000th of Linux desktop usage.
When was it? There are no complains from people daily driving both phones in the last couple of years AFAIK.
https://en.wikipedia.org/wiki/Epic_Games_v._Apple
If Google controls verification, then Google - not Epic - controls who can distribute Android apps on the Epic store.
As we're seeing, time and time and time again, it is harmful. The benefits may outweigh the harms today, but unless the steward of that nonfree software is extraordinarily careful and forward-thinking (as it were), those relationships inevitably go bad and become coercive over time. As we know, Stallman is (and always has been) right about this.
> That, to me, is very much refusing to make concessions to practicality within their ideology.
1) The last paragraph of the opening section is a plain and obvious concession to practicality: "But there is one special case where using some nonfree software ... can be a positive thing. That's when the use of the nonfree software aims directly at putting an end to the use of that very same nonfree software."
2) I'm not sure how saying "We'd be sad and would all be worse off if you used nonfree software, but do understand that there can be compelling real-world reasons to do so. Please don't use nonfree software, or -if that's not possible- consider small ways to avoid using it whenever opportunity presents itself." is anything but a concession to practicality. A hard-liner that refuses to make concessions to practicality wouldn't incorporate such a thing into their philosophy!
Respectfully, are you sure you're not letting knowledge of how Stallman uses/manages/etc his personal computing devices influence your interpretation of what these essays and the FSF's philosophy are about?
You cannot say that. This means we have thousand half-baked projects to choose from, and choice is good. At least this is what I was told.
At least for now.
I'm not aware of any major issues this has caused.
The trust isn't the issue. Google and Apple has made DRM easy for these companies to integrate, and therefore they do it. There isn't more to it than that.
A workaround for NFC payments I've heard about for folks running OSes on their Androids that don't support that feature is a smartwatch with NFC.
And my bank's web app developer couldn't even fix their log in bug for several months. I realize, now, it's because they want to sunset their web portal.
Which is extremely annoying ... what if I don't have my mobile!!
Lazy, and greedy corporates, just trying to save their costing with shortcuts, never realizing security is never achieved by taking shortcuts.
Oh? From the "Finding the right bargain" section of this 2002 essay [0]
> So perhaps novels, dictionaries, computer programs, songs, symphonies, and movies should have different durations of copyright, so that we can reduce the duration for each kind of work to what is necessary for many such works to be published. Perhaps movies over one hour long could have a twenty-year copyright, because of the expense of producing them. In my own field, computer programming, three years should suffice, because product cycles are even shorter than that.
Has his opinion changed since then?
[0] <https://www.gnu.org/philosophy/misinterpreting-copyright.htm...>
There are very few software examples, that couldn't be distributed as PWAs, including secure things like banking, etc. With WASM in the mix as well, theoretically the sky should be the limit.
Even more interestingly it hasn't happened - mainly because Apple and Google haven't got behind PWAs for obvious reasons, so the app ecosystem just doesn't exist. It's hard to see how this will changes, when mobile operating systems are dominated by two players, with very obvious incentives to make things worse for consumers but better for themselves, by grabbing as much control of the apps on their system as possible.
Tell me you live in the web bubble without telling it.
Discussion: https://news.ycombinator.com/item?id=45030967
This is not fascism, this is just a rational move from Google in a market economy. It feels like every time something like this happens, Americans rediscover what capitalism is and implies, then blame it on "human nature", "greed" or "fascism".
Decades of desktop malware used to drain bank accounts are not a major issue?
In any case my bank has not banned the use of Linux to do homebanking. Why? Because there isn't a easy to plug-and-play API to do DRM and remove consumer rights. This is largely for historic reasons, but there is no reason a FOSS mobile OS couldn't work.
“I could have made money this way, and perhaps amused myself writing code. But I knew that at the end of my career, I would look back on years of building walls to divide people, and feel I had spent my life making the world a worse place.”
You can even see this into the abominal products they release, rife with frankesteinian cobbled together bits and pieces from different 'orgs' trying to grab a piece of the (tr)action and the wild inconsistencies in the UX.
None of those limitations actually provide any security.
In order to use your bank's mobile app, you need your bank login credentials. It does not matter how secure a bank app on your phone is or whether it requires some kind of attestation because the attacker is going to get the victim to type them into a fake app or the attacker's web page which don't require any such thing and aren't even necessarily on the same device. And then it does not matter what kind of device you require the bank app to be installed on, because the attacker will get one of those and use the phished credentials in it.
There is no security value in requiring things that are useless.
> A FOSS OS also assumes that the user values the freedom, and is competent in its technical aspects.
This is not an assumption at all. The user is not required to write their own software or install anything from outside of a trusted repository. The value of the OS to such people is that someone else can write that software, and then as it matures it makes its way into the trusted repository.
But if mere mortals can't do that, if kids need an ID and a credit card in order to learn and experiment and hobbyists hit friction and spend their time on something else, then those things are killed in the cradle and never exist to begin with. And then instead of free software made by the people who wanted to use it, you're left with only apps made by predatory for-profit corporations and scammers that make it into the official store because their scams are profitable.
> It's a bit like driving on public roads. If you want to drive yourself, you have to reveal your identity and obtain a license.
It isn't a public road, it's your own phone.
Yes, banks* claim phones riddled with maximum severity security issues are secure. Also phones that are rooted but using magisk modules to conceal this fact, and use spoofed signatures from ancient hardware, but the most safe platform is not secure enough for them.
Go figure.
*not all, there are notable exceptions explicitly supporting secure platforms through the modern Hardware Attestation model.
The grip of Google, Microsoft and Apple are tightening. Microsoft's TPM requirements for Windows 11 are ostensibly for security, but they're also a mechanism to enforce hardware/software integrity and authentication. Google wants to extend their integrity APIs to Chrome and I doubt Microsoft would object to implementing something similar.
Soon enough computing and the web may end up segregated, with there being devices authenticated and controlled by a central authority and those that are not. In a lot of ways this is already the case, I can't access the 4K Netflix streams I'm paying for on Linux because of DRM and using anything other than stock Chrome can often get you flagged for annoying captchas. But it can get so much worse than that.
The entire unitized jet engines on Boeing aircraft drops right off and swaps right into another host, sometimes even to different types of aircraft. PCI soundcards come off a i386 PC and go straight into PPC Macs. AR15 pressure bearing parts don't merely interchange between examples from different time and place but its grip and stock mounting patterns are becoming a industry standard of its own. Early Tesla battery packs come apart into bunch of 18650s and could reassemble into new packs(though it's a big no-no due to RUD risks). Meanwhile, Prius power units or front seats are for Prius only; it won't go into dozen different Toyota models, at least without substantial parts changes, modifications, and reconfiguration. Bugatti Veyron uses its own custom tires that aren't even forward or backward compatible with their own successor.
Same for phones: .apk runs everywhere, Linux do not, cameras don't interchange, internal connectors don't fit together, LCDs specific to anything are default unobtainium. microSD cards works on everything, but the moment you look away, Huawei invents a new incompatible format for absolutely no reason. Apple "reinvents everything" every time but internal organizations of components are stable at macroscopic levels for few generations unlike most other manufacturers.
It's openness of PC that is unique and precious, not closed nature of everything else being odd and inconvenient.
Or using a bank that supports NFC payments (not using Google Wallet).
GrapheneOS Foundation raised this practice with European Commission because it unfairly penalises secure and safe competition giving instead a lie to the developers and banks that ancient, unsafe, vulnerable platforms are more secure.
You can see this is sort of adverserial to the FOSS way of doing things.
However, it's problematic if the banking apps also block regular configurations on something like GrapheneOS, e.g. by inspecting the initial call stack of an app. There are many such trivial to bypass ways of doing root detection and most are easily circumvented anyway.
BTW your password-based signup flow isn't working (on iOS Safari at least).
It is surely possible if only because the general population is not interested in infosec.
On the gripping hand,firmware writing practices being that they are; it is impossible to produce an uncrackable phone.
They requires that for any transaction past 50k THB per day (not per transaction) you'll need to provide face recognition. This means banks need to develop its internet banking solution past Web 1.0 era. From what I know (and I didn't do much research) most banks simply just shutdown internet banking instead of complying with that, only business banking get a separate website. My bank they simply merge the personal banking and corporate banking into a new system, but you still need to approve the transaction on a push notification (and perform face recognition).
It doesn't help that I believe many online casinos and scammers are scraping internet banking and even mobile banking APIs. There was a bank that apparently you could find PHP classes on GitHub that emulate their mobile app, and when that was in the news people were saying that the bank doesn't have proper security even though to use the class you'd need to provide exact same information in the app itself. Scammers used those code to move money from mules to mules, obfuscating the money's movement. The banks doesn't talk to each other either, so once the money goes through a few banks the chance you could trace it is almost none.
There was a court case that the court have ruled that if you were to get scammed to install apps on your phone that scam you for money, the bank is at fault as they have improper security. So they're heavily incentivize to protect users from themselves.
As for facial recognition, disabled people sent letters to Bank of Thailand, as legally blind people are not compatible with the liveness checks, the bank apps do block screen captures and refuse to work when any accessibility services is on and all BoT says about that is "we already told banks to do something" and the disabled people just send a second open letter this week, as many banks did nothing, some banks probably have a backend account flag to bypass the checks but didn't train the branch agents to perform such changes on the account.
Also Thailand has move into cashless - most local people don't use cash now except for small mom & pop shops that are doing dodging tax. Of course credit card is not accepted (or with minimum) - Thai business owners doesn't like fee no matter how small it is.
This is where antitrust laws are supposed to come into play. Play Services are a pain but in principle you can implement alternatives to them. It's the attestation stuff which is aggressively anti-competitive -- literally setting up a system with the primary function of excluding competing implementations from compatibility.
We can't let corporations get away with the fraud that competing with them is a security vulnerability.
> A fascist corporation can be defined as a government-directed confederation of employers and employees unions, with the aim of overseeing production in a comprehensive manner.
https://en.wikipedia.org/wiki/Corporatism#Fascist_corporatis...
Google goes even further than that: they do not only control and oversee all production via the Play Store, they also control all usage of their products. And while it may currently not be government-directed, they certainly are government-protected as long as they're allowed to run the only app store in town.
In any case, I hope this blows up in Google's face hard, ROMs like LineageOS become as popular they were back in their heyday, and root hiders get extra attention too so banking apps etc work seamlessly as on non-rooted phones. Requiring some developer ID crap is essentially as bad as Apple has it, reason for which I've always considered developers having Apple phones quite unserious.
For what it's worth scammers have zero problems scamming grandmothers with Apple computers and iphones.
It's is acceptable for the hack to be difficult so long as it exists. I'm sure later models will eventually be jailbroken too. In the meantime, all of nintendo's best efforts haven't ended the piracy of switch games which is what the vast majority of people care about, not getting their favorite linux distro to run on the hardware itself.
I don't really understand what you're talking about here. Android and iOS are American companies. American culture is John Deere locking down their equipment. Anti-consumer laws, pushing IP laws onto the rest of the world by treaty, being overly litigious, these are all American culture. I think the culture you're thinking of is nearly dead in a shell of corporatism.
The PC was a pretty unique event due to a confluence of historical factors that all came together in a certain way. It wasn't the way of things before, and it's been slowly moving away from how it was, and it's not really got anything to do with being American or not.
Basically it’s a passive variant of smartwatch payments: you can pay with a ring, or bracelet, or a mechanical watch. The cheapest option is this plastic thingy (currently out of stock): https://eu.k-pay.com/product/mavericks
I’m thinking about implanting one into my hand :^)
Also why does a gas station app need to send notifications? :)
It's specifically publicly-traded companies, because they cease to be controlled by real people who can make a human decision when there is a trade off between a marginal increase in profits and not being schmuck.
The irony is that they'd rather suffer losses from fraud if the fraud is less than the cost of setting up App-based TOTP and a campaign to get customers to use the app. Yet they suddenly get all in a huff about PCI compliance as CYA so they don't have to pay an app developer to figure out how to check "is phone rooted? Yes. Which OS?"
Even laptops can be locked down too.
I cannot imagine a legal defense for forcing someone to accept the terms of service of Apple or Google to use their bank account.
This was really interesting and somewhere there was a comment/quote that these countries are affected most with the malware distributed with side-loading, I can't find this comment now. But while trying to find some information, I found the info about 2023 Alphabet/states $700 m. settlement. It came mostly unnoticed on HN [1] (two posts, 2 comments), but there is interesting timings coincidence in the settlement text ([2])
...6.9.2 For a period of at least four (4) years from the Effective Date, Google will maintain the following functionality in Android version 14+ for Mobile Devices:
(a) Google will support APIs that enable sideloaded app stores that have received User consent to install apps to avoid automatic updates taking place while the User is using the app....
The settlement might be interesting in other other respects also. Even the forces (the states, U.S Attorney) that drove the suit in 2021-2023 might join here though during this admin it's really questionable.
[1]: https://news.ycombinator.com/item?id=38691926
[2]: https://www.oag.state.tx.us/sites/default/files/images/press...
AOSP is free and open source software.
> When referring to Android apps, "sideloading" typically means installing an application package in APK format onto an Android device. Such packages are usually downloaded from websites other than the official app store Google Play. For Android users sideloading of apps is only possible if the user has allowed "Unknown Sources" in their Security Settings.[1]
My govt's app did, but after bugging them a lot they removed safetynet.
My bank's app recently started warning me that I should "Turn off developer mode" for """security""" on every sign-in. This warning doesn't stop me from using the app yet, but I'm sure it'll get there.
It's impossibly convenient to be perfectly fair with you, however I know that my bank has stopped issuing the "BankID Card" (which was a card and pin device that allowed you to generate challenge numbers)- and now forces you to use the BankID app -- which will not run on rooted phones of course.
It's even slightly worse as the App requires NFC; so I can't keep a backup on my iPad (which is what I was doing before).
Their developers usually understand security well enough.
The problem, especially for banks, is that they're zero-risk driven, their ideal world is the one where risk doesn't exist. So instead of mitigating it they chase risk elimination (!= reduction) at any cost, while middle management needs to report that they improved something for the quarter. This results in all these kinds of stupid policies, where a 6 year old mobile, unmaintained for 4, is considered more secure than the weekly build of the community-based custom ROM running with locked bootloader signed with user-managed keys with strong protection (these days it's almost infeasible).
EDIT: to be clear, it's normally not the developers thinking up these policies, I have worked in a bank.
This is the sort of thug behavior you see in CCP China. If the govt can't directly detain overseas dissidents or other "undesirables", it goes after their families back in the mainland.
It shouldn't be a thing, but it is. In the Netherlands the newer digital-only banks are allowed to do this. No smartphone, no service.
The more established banks (systeembanken) do have alternatives, but realistically not using their app for login auth and transaction approval is a huge pain in the ass.
(My bank, ABN AMRO, has an app which thankfully works fine on GrapheneOS.)
Changing banks is easy when it's just about cash in a savings account. Not so easy in other cases.
I don't actually believe that. They chase risk elimination at any cost to you. If there's a significant cost to them, they're going to be all about quantitative tradeoffs.
Your concept of "common sense" is repulsive, as is your submissive attitude.
But notice that Google is doing this as the government in its home country is going bad (or at least getting dramatically, qualitatively worse than it has already been).
Some people see features where others see bugs.
My banks all require their own individual apps for authentication and authorization. I can use the website but to log in and authorize any transactions I need their app. Ironically this runs on my 8 year old Android 10 phone (used as a backup) so security can't be part of it.
If you have an influenctial social account with lots of followers, Google reaches out to you. They only react if something has a potential to hit their PR.
So in order to get in contact with Google, you reach out to influencers, not Google itself.
Also, you should read all the good arguments on HN why you shouldn't use Chromium even though it's technically FLOSS.
Waydroid allows me to run Android apps on my Librem 5.
> How do I deposit a check with my bank on my phone without the app? I can't; the mobile website doesn't have that functionality
So switch the bank to one not forcing you into the duopoly?
When Google does it, of course, same apk files and NDK binaries just run on every models of every make as if always worked that way.
American companies appear to be the worst offenders in the world when it comes to breaking compatibility and right to repair, and this isn't to say those anti-consumer changes are okay at all, but I do think the reality is that, you can't break something that never existed, and it exists a lot more commonly in American things than in things from elsewhere.
https://grapheneos.org/articles/attestation-compatibility-gu...
I doubt very much that it is possible for this practice to be legal, i.e. to condition the services of an European bank of the existence of a contractual relationship with a third party, which is non-European.
Nevertheless, nobody has enough spare time and money to challenge legally such banks.
Now I do my operations mostly through other banks that still have browser-based online banking, but I have not closed yet my last account at such a Societe Generale subsidiary, because I have regressed to use an antique SMS-based substitute for online banking, which is good enough for that account, which I keep only for a credit card used mostly for shopping in supermarkets or the like.
On the last change my bank made me call to their hotline (even though everything else is possible to be done online) to keep using a separate hardware device - which ended up being just "so, you don't want to do it on a phone?" - "yep" - "ok, should be with you in a week or so".
I nowadays consider my phones pretty much throwaway devices - I don't have full control, I can't fully trust them. Plus they could be stolen, break when I drop it into water outside, ... - so I think it's ridiculously stupid to tie anything important to a phone as main authenticator.
Overall the usefuleness of a phone has been declining steadily - the selling point of a smart phone originally was that I have an app, and because it's a reasonably trusted device it'll store credentials, and I can use the app without logging in every time. By now most of the apps are just repackaged websites, and because of that - and because they don't trust their backends - we now have quickly expiring tokens in use in the apps as well. Most of the apps I don't use every day - and over the last few months every single one wanted me to log in again next time I used it.
Adding to that the nonsense of "there's a new app available, download that first before using" which typically doesn't add anything of value to me, and we're now at a state that not only does the typical smart phone app not offer a benefit over just using a website - it now often is even worse than just using a website.
Turns out, some new enrollments topped up their accounts and dropped off before the final step that makes it show up on the home page, so now I know it's something, and something is worth doubling.
> existential threat to surveillance capitalism
Should I buy a gun? I'm an American.
[1] https://android.stackexchange.com/a/84248
[2] https://www.androidauthority.com/how-to-use-adb-android-3260...
Smart phones try to limit and firewall the interface between the two but tight integration is required for energy efficiency. So a smart phone, or a cell phone, can never be yours. They aren't good choices for doing computing and this legal reality is becoming more and more obvious with time.
It certainly is not harmful, in my view. I think that the FSF's position on this topic is ridiculous. No harm whatsoever is done by running a piece of closed source software on your computer.
> The last paragraph of the opening section is a plain and obvious concession to practicality
No, it's not, at all! It is ideological, not practical, to say that the only reason to deviate from one's ideology is if doing so advances the ideology even faster.
Commercial apps and services will require passkeys and device attestation, so you'll only be able to use open source software even if you have a device to run it.
The walls are closing in, and it's not just mobile. It's only a matter of time before passkeys are used to block Linux users from the commercial Internet as well.
I barely use my bank's website and could easily not use it at all and still have all the functionality that a bank provides.
What does "foss mobile OS" mean
(a) installed on a portable form factor,
(b) integrates with a cellular modem. or
(c) all of the above
For discussion purposes, assume "portable" means pocket-sized and battery-powered
When the RPi first came out I remember a blog where someone had rigged up a makeshift battery making RPi portable. At the time, HN commenters seemed impressed. Today, I connect a "phone" to an RPi running NetBSD^1 and use the phone as a battery
1. Linux provides wider assortment of drivers NB. I'm not using NetBSD to make phone calls
Today there are
non-portable VoIP phones with PoE, and
portable cellular modems running OpenWRT
Tomorrow, who knows
Convenience and control are mutually exclusive; this seems unlikely to change. Choosing the later over the former is personal preference. Every user is different
Trying to control a "phone" might be a waste of time, an exercise in futility, especially when it is running a corporate OS. Whereas controlling a gateway running an OS of the user's choice might prove to be relatively easy. Phones provide convenience, not control
No, that's unnecessary. Nobody will be taking you that seriously.
> some new enrollments topped up their accounts and dropped off before the final step that makes it show up on the home page
Did they actually put money in?
So, for a second experiment, I was actually running a stream for Emacs (yeah, yeah, I know, I know). They managed to raise all of $10 for themselves. The premise was to pay out a weekly prize for whoever developed something cool. Super simple.
There's so little data, but it very clearly, very, very clearly seems to say the enthusiasm is for PrizeForge to get good more than it was to use PrizeForge for something else.
And I'm going to keep expanding in various directions because there's no way I'm oriented yet, but it's not nothing. It's terrible UX, terrible everything, but just clearly enough on top of something.
In the Netherlands (and beyond) online payments (shops, Steam, etc.) are made via the IDEAL platform run by the Dutch banks collectively. That is a good thing, because payments are secure and easy, and no one needs a credit card. But that does mean using your bank's web service to approve those payments.
Using the bank's offline OTP hardware (where you insert your debit card and enter a PIN and the code generated by the bank's website for an OTP) is possible, but using the app is significantly less effort than that. There is very little point in resisting it. It's not a healthy situation, but it is the reality.
Of course, the problem for MS was that Apple (and Google) quickly closed those gaps, and they just simply had better overall products.
I run a Google'd OS for now but I haven't used my bank's terrible app in years and years. I use their terrible website via desktop mode instead.
(Don't know for sure, wouldn't use one myself.)
The fact the question was phrased in that way is disturbing. How far the loss of personal freedom has been normalized. Like the term "side loading", it's an insult to general-purpose computing.
But that wasn't the problem.
The iPhone and Android became popular because they were, respectively, good and "good enough" but free, and both Apple and Google had a good reputation at the time. Users were willing to buy those phones and developers were willing to make apps for them because they didn't expect those companies to screw them. The screwing only happened after they were no longer the underdogs and the network effect was already established.
Microsoft doesn't cast as an underdog and everybody expects them to screw you as soon as they get the chance, so not enough people were willing to give them the chance.
They could have overcome that to their own benefit if they would have bound their future selves from enshittifying the platform. Don't make "Windows Phone" under a proprietary license, make an actually open source Android fork which is an open platform like Windows instead of a closed one like iOS, but provide seamless integrations with the Microsoft cloud services instead of the Google ones. Write code that makes it work as well with Windows PCs as iPhones do with macOS. Make two phones yourself: a $999 Surface Phone with iPhone-quality hardware and a $199 one with basic hardware but nevertheless 12 years of security updates to get the low end of the market, provide something for kids/students and make it cheap for developers on the fence to get a device with your platform and make apps that integrate with your cloud services. You're not trying to sell an operating system, you're trying to take Apple's margins on the high end hardware and Google's cloud services revenue from the mass market.
But that's not what they did, and getting people to trust them with a closed platform wasn't in the cards.
Because with each single person who decides to run a particular non free software, that's a tiiiiiny bit more vendor lock on, a tiny bit of control lost, of power, freedom, given up.
And when enough people do this, what happens? Look at Google. Look at the post you're on. You tell me - what happens?
He's not wrong at all - it's just uncomfortable. This is a side effect of capitalism or maybe humanity. Its nothing you or I can single-handedly solve, or cause. But we each contribute to it a tiny amount.
On the one hand, I approve of self-administered biohacking.
On the other hand, you might need a Faraday glove to prevent tap to pay shenanigans by folks with a mobile card reader who bump check you.
I would not do this type of biohacking myself, but if you go down this path, look into how NFC skimmers work, because that and compromised card readers and unauthorized tap to pay events on portable card readers is a threat vector. I have heard that Google and Apple are working to roll out tap to pay from card to phone and phone to phone, which could allow folks to skim your NFC device to run an unauthorized transaction.
Now a company wants the identity of the companies it works with because it distributes their software, and it looks like a massive "scandal". Well at least I am realistic that the "scandal" is only within certain circles.
Apple and Google might have had a good reputation with consumers who were using feature-phones at the time... but they both had bad reputations with most existing smartphone users at the time. Those users were primarily business business users or power users who had requirements that weren't met by most of anything that Apple or Google was putting out at the time. RIM and Microsoft were building the smartphones that were most trusted at the time.
The mass consumer market for smartphones really didn't exist until Apple took phones in that direction. Before that, they weren't entertainment or consumer-focused devices, they were productivity devices.
iOS and Android, by their second or third release, were already better products than Windows mobile 6.5, both for entertainment and productivity. That's the reason they won. Neither of them were "free" to users -- and in fact the devices that they ran on were more expensive than Windows Mobile devices. People were only willing to pay more for these devices because they were doing something entirely different than what Windows Mobile did. They were consumer smartphone devices -- a new category of device that didn't exist.
This is not to be confused with Windows Phone -- which failed because it was way too late to market, way too far behind in ecosystem support, and didn't solve any new problems.
If you install the app then you are complicit in normalizing the requirement of signing terms of service and data sharing agreements to US technology companies in order to do banking.
Be the person that demands better. Be the squeaky wheel. Call politicians and press if needed. Stop this shit now before it becomes expected for school and healthcare too.
Feel free to say you are a member of the Church of Cryptography and that installing proprietary corporate controlled apps is against your religion.
Never been asked to install an app for banking, but a health care clinic dropped me as a patient for not buying a phone that can install their app. I was the first case where a patient refused to conform. Found a new clinic who was willing to earn my business with phone and email correspondence. The original clinic escalated the case to corporate HQ when I filed a public medical malpractice complaint, and they ultimately responded by adding a webapp.
DEMAND the right to live your life without corpotech in your pocket. I am now 5 years without a smartphone working as an engineer and founder with an active social life who frequently travels and it can absolutely be done.
This is fair to make and a better strategy. My comment was about calling out the messaging or strategy that the author went with. Choosing an idea of people should be able to decide the apps they are able to run is more agreeable of a message than a message of "think about developers who want to avoid consequences of breaking the law." The latter is an antisocial message that I do not think is as agreeable.
>We all agree that some amount of criminal activity must be tolerated
I don't agree with that. Especially with the upcoming rise of AI law enforcement. Much more freedom than a cell can be given while maintaining effective law enforcement.
https://grapheneos.org/articles/attestation-compatibility-gu...
> roll out tap to pay from card to phone and phone to phone
It’s already here! Stripe has supported it for a while now, and I’ve seen a bunch of other payment providers have it, too: https://stripe.com/terminal/tap-to-pay
So, I'm confused. What do you believe that Stallman is right about? If there's never any harm done by running nonfree software on your computer, then what's the problem? I must have misunderstood your commentary here [0] because this statement
> The thing is... he seems to have been right the whole time. Companies really do want to lock you out of controlling the devices you own, and do so at the first opportunity. So... Stallman was right.
certainly seems like you were claiming that there are harms inherent in the practice.
> It is ideological, not practical, to say that the only reason to deviate from one's ideology is if doing so advances the ideology even faster.
Not making a concession to practicality would be saying "There is no circumstance in which one should use nonfree software. Not even in the service of replacing that nonfree software with free software.". You're simply incorrect about this... especially when you also consider point #2 of the section you've quoted from.
The only issue I had on GrapheneOS was that I had to play with the location permissions a bit when I wanted to copy the BankID to GrapheneOS from another phone (I've got some pictures of that in this blog post: https://www.jonashietala.se/blog/2025/08/28/ill_only_buy_dev...).
All other Swedish bank accounts I've tried have also worked great (including Swish).
What do you mean? I can run AOSP on Google Pixel devices for example.
Example of the real-word problems with creating a FLOSS phone: https://puri.sm/posts/breaking-ground/
Life, uh, finds a way, after all.
> Even if you do, I think it’ll take about one chargeback to get your merchant account blocked.
Well, someone's merchant account might be blocked, but carders don't necessarily use their own accounts; in fact, I would doubt that many do, but criminals are often underestimating risks and overestimating rewards. It's almost a truism at this point that folks who do crime are not usually acting rationally, but I don't want to stereotype.
> It’s already here! Stripe has supported it for a while now, and I’ve seen a bunch of other payment providers have it, too: https://stripe.com/terminal/tap-to-pay
Finally! This feature is going to help a lot of small businesses in isolated areas where mobile phones are the primary (or only) computing devices that are commonly owned. This can create virtuous cycles that are somewhat unpredictable, which should help make these markets more dynamic and competitive.
Thanks for posting that Stripe link. Here's some more tap to pay links I was able to find, eventually. The search terms match too much, so it is a bit hard to disambiguate legacy NFC payment flows that use traditional or modern terminals from the new device to device payment flows. I remember hearing about Stripe's work on this feature, but since I didn't hear much after that, so I wasn't sure if the feature had ever shipped. I'm glad that this tech is getting in the hands of end users.
Apple-specific roundup of apps and vendors that support the feature:
https://apps.apple.com/story/id1620226212
https://www.apple.com/business/tap-to-pay-on-iphone/
These two are available on both iOS and Android, in case that is important for folks:
The only noticeable difference between most apps and websites nowadays is offline capability and deeper system integration.
Native apps have been dumbed down so hard there is barely anything left not taken care of by browsers.