←back to thread

Uncomfortable Questions About Android Developer Verification

(commonsware.com)
400 points ingve | 2 comments | 27 Aug 25 05:14 UTC | HN request time: 0s | source
Show context
userbinator ◴[27 Aug 25 06:06 UTC] No.45035952[source]
This shouldn't just be "questions"; this should be a full-on opposition. Do not give them even an inch, or they'll take a mile.

"debugger vendors in 2047 distributed numbered copies only, and only to officially licensed and bonded programmers." - Richard Stallman, The Right to Read, 1997

replies(5): >>45035983 #>>45036017 #>>45036375 #>>45037682 #>>45048988 #
teekert ◴[27 Aug 25 06:17 UTC] No.45036017[source]
Why is it so complex to have a foss mobile OS.

I only have Linux PCs (laptops) and servers, 100% of my work and personal stuff is done there (though for work I do need to hop into MS365, Google Workspace, Zoom, etc, hooray for browsers, my final firewall between me and the walled gardens, though we can have a whole discussion on that).

For mobile, we have PostmarketOS, Phosh, Ubuntu Touch. I really must try living in them, is it on me? IDK, our government even has an identity app for iOS and Android. I should not be using it, I should stick to web. But its so much more convenient. I'm just weak, aren't I?

Maybe I should go for Ubuntu touch, with an iPad on the side or something. At least my most personal device is something I control then. Or just keep my Linux laptop handy (or make a cyberdeck!). But I want a computing platform that does not require carrying a bag. It's kinda sad. Even GrapheneOS (one of the most personal and secure mobile computing experiences out there)'s future is in the hands of its greatest adversary, the one that does not want you to have a personal computing experience.

replies(21): >>45036070 #>>45036112 #>>45036243 #>>45036360 #>>45036380 #>>45036382 #>>45036412 #>>45036460 #>>45036478 #>>45036483 #>>45036501 #>>45036535 #>>45036675 #>>45036711 #>>45036838 #>>45037138 #>>45037190 #>>45037762 #>>45040244 #>>45041234 #>>45046932 #
rattyJ2 ◴[27 Aug 25 07:11 UTC] No.45036382[source]
I could be one of the people running an ungoogled phone, but my bank refuses to have an app that runs on an ungoogled OS for "security"
replies(4): >>45036466 #>>45036541 #>>45036680 #>>45037787 #
t_mahmood ◴[27 Aug 25 07:52 UTC] No.45036680[source]
My bank blocks my mobile with Lineage OS, and it's not even possible to login to the web site without the mobile app. Absolutely pathetic.

Now I have to keep my 4 year old phone with 2 year outdated Android to access the bank application. Which deemed more safe then my mobile with latest security updates. Haha

replies(4): >>45036812 #>>45037133 #>>45037323 #>>45043764 #
1. subscribed ◴[27 Aug 25 09:09 UTC] No.45037133{4}[source]
It's even better than that. Banks (for example Revolut) consider several years old phones, running ancient OS (last I checked they allowed A10) without security updates for some 7 years, so riddled with zero-click/RCE vulnerabilities, but they do not allow GrapheneOS, which is currently the safest OS in mobiles (on par/beating iOS, depending whom you ask).

Yes, banks* claim phones riddled with maximum severity security issues are secure. Also phones that are rooted but using magisk modules to conceal this fact, and use spoofed signatures from ancient hardware, but the most safe platform is not secure enough for them.

Go figure.

*not all, there are notable exceptions explicitly supporting secure platforms through the modern Hardware Attestation model.

replies(1): >>45037636 #
2. 3RTB297 ◴[27 Aug 25 10:21 UTC] No.45037636[source]
These are the same banks that very often have no app-based MFA login, and refuse to do anything other than send me an SMS TOTP.

The irony is that they'd rather suffer losses from fraud if the fraud is less than the cost of setting up App-based TOTP and a campaign to get customers to use the app. Yet they suddenly get all in a huff about PCI compliance as CYA so they don't have to pay an app developer to figure out how to check "is phone rooted? Yes. Which OS?"