Is it possible to allow sideloading and keep users safe?

Yes. It is a basic human right.

> This is a question where freedom, practicality, and reality all collide into a mess.

No; it isn't. The answer is clear and not messy. If you are not allowed to run programs of your choice, then it is not your hardware. Practicality and "reality" (whatever that means) are irrelevant issues here.

Maybe you prefer to use hardware that is not yours, but that is a different question.

The social structure of the smartphone app ecosystem is remarkably similar to the cable provider -> network -> show situation from before too.

They’re clearly just computers, they’re “hardware you own”, but you’ve never been able to run whatever software you want on them. But it’s been like this since the 1970’s and there’s never been an uproar over it.

For me the difference is that you know what you’re getting into when you buy a console, and it’s clear up front that it’s not for “general” computing. I’m inclined to put smart phones into this category as well, but I can see how reasonable people may disagree here.

People started free and equal, then some specialized into warriors[0] and gradually built deeper and deeper hierarchical power structures, called themselves "nobles" and started exploiting the "commoners".

At some point people snapped, killed a bunch of them (French revolution, US was for independence, etc.) and decided they wanna rule themselves.

And then companies started getting bigger and bigger, with deeper hierarchical power structures, the "nobles" call themselves "executives" or "shareholders" and the people doing actual productive work are not longer "commoners", they are "workers"[1].

[0]: And thus controlled the true source of power - violence.

[1]: Ironically admitting that people who are not workers are not doing real work, they are just redistributing other people's work and money.

If people still go for it, then it is their responsibility. A lot of things in life require responsibility because otherwise the results can be disastrous. But we don't forbid them, because it would be a huge violation of freedoms.

In that case, the solution should be to raise the lowest commmon denominator. Lots of issues like that could be prevented by investing in education to increase technology literacy. But long term investments (even public ones) do not match well with quarterly reports.

Unfortunately, the copyright lobby of the video game industry was too strong in the 70s/80s/90s, so here we are.

You have to take into account that the threat model here is vulnerable people, often older, being taken in by scammers who talk to them for weeks and gain their complete confidence. To the victims, it feels like a real romantic relationship, not someone who could even possibly be a scammer.

I think there is a huge difference. You can perfectly live your life without a game console. Even if you are a game addict and it is absolutely necessary for you to live, you could buy a PC and game on that.

Smartphones are a necessity nowadays. Some banks only have smartphone apps (or require a smartphone app to log in to their website). Some insurers want you to upload invoices with an app. Some governments require an app to log in (e.g. the Dutch DigiID). You need a smartphone to communicate with a lot of organizations and groups.

Smartphones have become extremely essential. And two companies can decide what does and what doesn't get run on a smartphone and they can take their 30% over virtually everything. They can destroy a company by simply blocking their app on a whim (contrast with game studios, which could always publish their game for PC or Mac or whatever).

It is not a healthy, competitive market. It is the market version of a dictatorship. And Google forbidding non-app store installs is making it worse.

Governments should intervene to guarantee a healthy market (the EU is trying, but I think they are currently worried about the tariff wrath).

Also, scams also happen outside smartphones.

What's next? Are we going to revoke people's control over their financials because they might be scammed? Let's have the bank approve before we can do a transaction. And since we are using their payment platform, maybe they should also take 30%.

Please stop feeding their narrative. Scammers are Google/Apple's "but think of the children".

It’s a more tricky issue where Google and other parties can restrict access to their services to devices they deem legitimate. Their services, their rules. Your hardware. Different arguments required.

It’s everywhere: Widevine is used to prevent stealing 4K content (incl ATSC 3.0), gaming providers use it for anti-cheat, banks use it to rate limit abuse. It’s not just Android.

(I say this as someone with an Apple Vision Pro running visionOS 1.0 with the hope to jailbreak it one day. I’m actually unable to do whatever I want to their hardware, unlike my Pixel phones.)

The banking system has been relying on remote attestation for decades to ensure that devices used in settling financial transactions have not been tampered with:

https://en.wikipedia.org/wiki/IBM_4758

Also, I think the chip-and-PIN cards used for most in-store transactions in Europe for the last 20 years rely on remote attestation and tamper resistance to prevent fraud.

Finally, in the domain of desktop and laptop computers, there is a big security hole in that most components (certainly, disk drives and storage devices, but basically any peripheral or board) are essentially embedded computers that can be pwned with the result that they stayed pwned even if the owner of the computer installs the OS from scratch. One solution to this would be for suppliers of peripherals and boards to get much better at securing their products or to stop using microprocessor to implement their products, but it would be quite a lot of work (and governmental intervention or at least intervention by industry-wide quasi-governmental entities that currently do not exist) to get from the current situation to the one I just described. The only products currently available that are secure against this threat (aside perhaps from using 40-year-old computers) use verified-boot technology to implement the security.

I.e., the only desktop and laptop computers you can buy where you can be reasonable sure some attacker hasn't installed malware in the computer's disk drive or track page or wifi module are things like Macs and Chromebooks, which implement the security using verified boot.

> Yes. It is a basic human right.

Says who?

What's your philosophical argument in favour of this?

https://www.youtube.com/watch?v=uqsBx58GxYY

Aren’t they? I ask my partner for investment opinions all the time.

> Let's have the bank approve before we can do a transaction.

Yes… That’s already how it works. Banks use heuristics to detect and prevent suspicious transactions. That’s why most of these scams ultimately involve crypto.

> hardware you own

My suspicion is: were you to list them, running programmes on hardware you own would be fairly low on that list.

Please explain how owning an item of hardware implies that running whatever computer program you want on it is a basic human right.

And it doesn't have to be children of parents, that's just the common example that's brought out every time this comes up.

Is it illegal to spin up a Linux server on your mobile phone?

Do you simply not care that this Linux computer that you have such warm feelings about is fairly easy to pwn (in part because of the lack of verified boot and in part because desktop Linux software is just much easier to pwn than the systems software on a Mac or a Chromebook or an iPhone or an Android phone) such that if you ever got to be an effective activist against some government or some powerful industrial interest, that government or industrial interest could fairly easily eavesdrop on everything you do with this Linux computer?

That doesn't sound much like protecting your individual rights.

Give the knowledgeable the freedom to use their skills. Separately, develop ways to help/protect specifically those that need it.

In the future, when your whole house is controlled by a computer, do you want that computer to be controlled by Google or to be controlled by yourself?

It's just not. Otherwise, all servers would be running your beloved iOS, wouldn't they?

>in part because of the lack of verified boot

This does not matter. I can generate my own keys.

>easier to pwn [...] than [...]an iPhone

Lol... If anything, phones are more vulnerable because you have less access to sandboxes and VMs.

Hey, look, an Apple CVE from two days ago. https://nvd.nist.gov/vuln/detail/CVE-2025-43284

And this one's from this month. https://nvd.nist.gov/vuln/detail/CVE-2025-43300

And here's Apple's sandbox failing, last month. https://nvd.nist.gov/vuln/detail/CVE-2025-43274

And yet you can't install an alternative OS like Mobian, postmarketOS or PureOS due to the closed drivers and specs.

Absolutely not a Scooby.

However, this isn't entirely a tech problem - it's a social/human one.

Not every mechanic has a driver's license. Sure, they may enjoy working on cars and the technology of cars... but for one reason or another they may have never gotten or have lost their driver's license.

Not everyone who is tech literate is similarly socially literate. I have programmer co-workers who have been scammed into sending gift card authentication codes or installed malware (or allowed the installation) onto their personal computing devices.

It isn't possible to prevent someone from accessing the internet any more than it is possible to prevent them from accessing a phone.

I am not saying that one should have a license to access the internet. Rather, I am saying that a device that holds and maintains the authentication mechanism for doing banking transactions, it is not unreasonable for the maker of that device and its software to attempt to mitigate the possibility that they are held liable for negligence in allowing user installed software to do banking without the owner's consent.

With the uncertainty that everything in the operating system and hardware is locked down to the point where no-consent access by malware to those banking capabilities is completely restricted (and thus they're not liable for negligence) - the wall that is being put up to try to prevent that is "no software that has not been vetted can be run on this device."

Consider that the phone is often the authentication mechanism and second factor for authorization to restricted systems. Authy, Microsoft Authenticator, and other 2nd factor applications typically do not run on general computing devices.

Technical literacy does not imply social or security literacy.

I don't like describing it as cycles because it is too simplistic and pretend it is inevitable, robbing people of agency.

I prefer to think of society as a system where different actors have different goals and gradually lose/gain influence through a) slow processes where those with influence gain more from people who are sufficiently happy to be apathetic b) fast processes when people become sufficiently unhappy to reach for the source of all real world influence - violence.

This happens because uneducated/dumb/complacent people let it happen. It can be prevented by teaching them the importance if freedoms and to always fight back. But that goes directly against the interests of those in power - starting from parents who want children to be obedient.

That’s just it. Software isn’t being vetted. Witness all the scam apps in the iOS and Android app stores. Even paid developer accounts don’t stop people from publishing these, nor does Apple’s walled garden protect you from them.

Obviously, the probability of it being a scammer reduces with the amount of time. In the end it's a function of time vs. effort. Scamming billionaires by marrying them and waiting until they die happens frequently enough. A 5 year scam for a few thousand bucks, unlikely.

As usual, use common sense, which you would have to do anyway if you do investments.

That said, for sensitive apps they tend to go through more strict scrutiny of their functionality. Publishing a "Wəlls Fargo" application will likely not get approval.

The question isn't "does it need to be 100%" but rather "if was not done at all, would Apple or Google be liable for flaws in their software (e.g. VM breakouts) that allows malware to do banking transactions, location tracking, or place calls (e.g. 1-900 number dialing) without user consent?"

I'm fairly certain that Apple and Google take measures to limit their liability. With how courts and countries are finding technology companies liable for such (consumer and data privacy protections), I would expect to see more restrictions on the device to try to further limit the company's exposure.

Indeed. And people were falling for scams long before the Internet. What's new is the push to make that the fault of bystanders... thus causing those bystanders to intervene. It's neither the bank's fault, nor Google's fault, if somebody falls for a scam. Or installs malware. Or whatever. If you try to make it their fault, they're going to do really annoying things that you don't want.

Sure, you can sell security tools, or curation, or whatever. Many people will even want to buy them, but things break when that starts being a duty. And the only way to prevent it from becoming a duty is to accept that people own their own mistakes.

... and it's really fucking annoying when their heuristics misfire-- which is not at all rare-- especially since they do all they can to externalize all costs of that to the customer.

This tends to be counter to consumer protection laws or data privacy laws.

A company that can be held to strict liability for their actions can be sued (and be found liable) even if they presented that the action is unreasonable or dangerous.

In saying a consumer who buys a 100% "you can do anything on it" device liable for every action that that device takes no matter what initiated that action?

To me, the argument that you should be able to do anything on the device and be held liable for all the actions that device allows is very similar to that of "the maker of the device has no liability for providing a device that can be misused."

If that is the case, then (to me) this would need to be something that would need to be changed by the courts and the laws (and such a company would need to pull completely out of Europe).

The proverbial grandparents will follow the instructions of the scammers and will click through all of that. We've had decades of empirical evidence: people will keep clicking and tapping on dialogue boxes to achieve their goal.

People have physically driven to cryptocurrency ATMs on the instructions of scammers:

* https://bc-cb.rcmp-grc.gc.ca/ViewPage.action?siteNodeId=2136...

* https://www.usatoday.com/story/money/2025/04/21/bitcoin-atm-...

Warning sheets will do nothing.

We've been trying to educate people about passwords and phishing for years/decades now, and it has not worked. Further, every day a new ten thousand (US) people need to be educated:

* https://xkcd.com/1053/

Many, probably most, of the people most at risk aren't going to do that.

When you're (somewhat) drunk, you know that you're drunk, and you're still able to comprehend how that will slow down your reactions while driving. When you're being scammed, you think you're right... and if you begin to doubt that, you may tend to push the thought out of your mind rather than follow it through, and to evade things that might bring it back. And it's very hard to admit to yourself that you're permanently impaired in that sort of way... especially when you're impaired in that sort of way.

You may be exaggerating it, but insofar as you're right, you're just describing the problem.

Providers still implement it where they can, like for blackout restrictions for US sports games: impossible to enforce on the web because I can spoof location. Very possible to enforce on iOS because jailbreaking is not possible. Possible to enforce on Android because you can check if spoofing was made possible.

It’s currently the primary reason I can’t play games online on Linux.

If someone else could use your car without your permission, do you own the car or do they?

If someone could grow their own plants in you back yard, do you own the garden or do they?

If someone else could choose what programs run on your computer, do you own the computer or do they?

Saying "basic human right" instead of just "basic right" may be odd, but definitionally, owning a thing means having the right to say how it is used. Either you own it and have that right, or you don't own it and don't have that right. That's what owning means.

Because at the end of the day the scammer is going to convince your grandma to go to the bank, withdraw the entirety of her savings and send them to the scammer in an envelope.

Any technical restrictions therefore only harm our personal freedoms and don't actually protect those who are vulnerable because those people's problems aren't technical in nature.

As always it comes down to insulting and emotionally guilt tripping people to screw them out of their freedoms and of course there's never even a shred of evidence to support any of these incredible claims. You're laying it on too thick, give us a break.

> You’re acting like we (and these massive corporations) haven’t been trying for decades at this point.

You're acting like this would make a dent in the total number of people who are scammed every day.

And it just so happens that the only acceptable remedy necessitates infringing on billions of people's personal freedoms which will, incidentally, secure trillions in future profits for these corporations. All that for a temporary speed bump that would only affect a minority of scammers who would adapt in a month.

There are times when it is necessary to limit the rights that a individual has so that the system that the individual lives within can work.

You can buy a radio transmitter, but you're not allowed to operate it without a license. You can likewise buy a car, but you aren't allowed to operate that either without a license.

You do not have the right to modify your phone so that it acts as a radio frequency jammer.

Possession of a device does not give an individual unrestricted rights to what can be done with it.

But that's a system design issue as opposed to an argument against user freedom.

I’m fine with government requiring smoke detectors in my home, I’m not fine with completely unregulated private entity deciding how I live in my home, bought with my money.

And in case of a muffler, there’s literally no one in this entire world who can stop me from removing it. There are repercussion for doing so, but nobody stole my rights from removing it.

Those of us with elderly parents and piblings (aunts/uncles).

(For the record I have nothing but disdain for those that choose to go this route. Looking at you rustup home page. In contrast LLVM has the decency to provide an apt repository for nightly images.)

Says the person that thinks they are losing personal freedoms when a company makes a product change and they just don’t want to bother switching to a different product.

Buy a different phone. This isn’t affecting your personal freedom.

And yes, it does affect the number of scams that people fall for, as evidenced by iOS’s hiding of links in scam messages. It forced scammers to try and get the scammee to jump through several more hoops just to be able to open links. Immediate drop in scams.

There are tons of things to be done. None of them are affecting your freedom. Buy a different phone.