←back to thread

Uncomfortable Questions About Android Developer Verification

(commonsware.com)
400 points ingve | 8 comments | 27 Aug 25 05:14 UTC | HN request time: 0.717s | source | bottom
Show context
userbinator ◴[27 Aug 25 06:06 UTC] No.45035952[source]
This shouldn't just be "questions"; this should be a full-on opposition. Do not give them even an inch, or they'll take a mile.

"debugger vendors in 2047 distributed numbered copies only, and only to officially licensed and bonded programmers." - Richard Stallman, The Right to Read, 1997

replies(5): >>45035983 #>>45036017 #>>45036375 #>>45037682 #>>45048988 #
teekert ◴[27 Aug 25 06:17 UTC] No.45036017[source]
Why is it so complex to have a foss mobile OS.

I only have Linux PCs (laptops) and servers, 100% of my work and personal stuff is done there (though for work I do need to hop into MS365, Google Workspace, Zoom, etc, hooray for browsers, my final firewall between me and the walled gardens, though we can have a whole discussion on that).

For mobile, we have PostmarketOS, Phosh, Ubuntu Touch. I really must try living in them, is it on me? IDK, our government even has an identity app for iOS and Android. I should not be using it, I should stick to web. But its so much more convenient. I'm just weak, aren't I?

Maybe I should go for Ubuntu touch, with an iPad on the side or something. At least my most personal device is something I control then. Or just keep my Linux laptop handy (or make a cyberdeck!). But I want a computing platform that does not require carrying a bag. It's kinda sad. Even GrapheneOS (one of the most personal and secure mobile computing experiences out there)'s future is in the hands of its greatest adversary, the one that does not want you to have a personal computing experience.

replies(21): >>45036070 #>>45036112 #>>45036243 #>>45036360 #>>45036380 #>>45036382 #>>45036412 #>>45036460 #>>45036478 #>>45036483 #>>45036501 #>>45036535 #>>45036675 #>>45036711 #>>45036838 #>>45037138 #>>45037190 #>>45037762 #>>45040244 #>>45041234 #>>45046932 #
rattyJ2 ◴[27 Aug 25 07:11 UTC] No.45036382[source]
I could be one of the people running an ungoogled phone, but my bank refuses to have an app that runs on an ungoogled OS for "security"
replies(4): >>45036466 #>>45036541 #>>45036680 #>>45037787 #
t_mahmood ◴[27 Aug 25 07:52 UTC] No.45036680[source]
My bank blocks my mobile with Lineage OS, and it's not even possible to login to the web site without the mobile app. Absolutely pathetic.

Now I have to keep my 4 year old phone with 2 year outdated Android to access the bank application. Which deemed more safe then my mobile with latest security updates. Haha

replies(4): >>45036812 #>>45037133 #>>45037323 #>>45043764 #
1. exe34 ◴[27 Aug 25 08:14 UTC] No.45036812[source]
last time I walked into the bank to do something, they tried to peddle their app. I giggled and said no, their developers don't understand security.

my phone is rooted and their app won't work.

replies(3): >>45036884 #>>45037986 #>>45038640 #
2. t_mahmood ◴[27 Aug 25 08:28 UTC] No.45036884[source]
Unfortunately, I can say with 100% confident, the customer service of my bank will not freaking understand what is a rooted phone, or LineageOS ...

And my bank's web app developer couldn't even fix their log in bug for several months. I realize, now, it's because they want to sunset their web portal.

Which is extremely annoying ... what if I don't have my mobile!!

Lazy, and greedy corporates, just trying to save their costing with shortcuts, never realizing security is never achieved by taking shortcuts.

replies(1): >>45037979 #
3. markus_zhang ◴[27 Aug 25 11:06 UTC] No.45037979[source]
They don’t care much about security as long as it doesn’t cost them much.
4. plqbfbv ◴[27 Aug 25 11:07 UTC] No.45037986[source]
> I giggled and said no, their developers don't understand security.

Their developers usually understand security well enough.

The problem, especially for banks, is that they're zero-risk driven, their ideal world is the one where risk doesn't exist. So instead of mitigating it they chase risk elimination (!= reduction) at any cost, while middle management needs to report that they improved something for the quarter. This results in all these kinds of stupid policies, where a 6 year old mobile, unmaintained for 4, is considered more secure than the weekly build of the community-based custom ROM running with locked bootloader signed with user-managed keys with strong protection (these days it's almost infeasible).

EDIT: to be clear, it's normally not the developers thinking up these policies, I have worked in a bank.

replies(1): >>45038267 #
5. Hizonner ◴[27 Aug 25 11:39 UTC] No.45038267[source]
> So instead of mitigating it they chase risk elimination (!= reduction) at any cost,

I don't actually believe that. They chase risk elimination at any cost to you. If there's a significant cost to them, they're going to be all about quantitative tradeoffs.

6. out_of_protocol ◴[27 Aug 25 12:16 UTC] No.45038640[source]
It's their security and not your security, don't mix up
replies(2): >>45039567 #>>45043072 #
7. exe34 ◴[27 Aug 25 13:42 UTC] No.45039567[source]
and yet their website works fine on my desktop Linux using a browser...
8. dpoloncsak ◴[27 Aug 25 18:16 UTC] No.45043072[source]
'their security' in what way? Is an app more likely to be exploited than a web browser?