A theoretical way to circumvent Android developer verification

While it is technically feasible, it is not a good idea to try and find a technical solution to a people/organisation problem.

Do not accept the premise of assholes.

I hope we can get the EU to fund a truly open Android Fork. Maybe under some organisation similar to NL Labs.

--- edit ---

Furthermore, the need for a trustworthy binary to be auditable to a certain hash or something would make banning this a simple task if Google would want to go that route.

> I hope we can get the EU to fund a truly open Android Fork.

How are things in the EU on whether it's legal to buy a SIM card without showing ID?

I'm confused, how are those two things related?

Nanny state

The commenter you replied to was implying that the EU does not respect the privacy/freedom of mobile device users.

It is neither illegal nor hard to obtain such a prepaid SIM card.

That very much depends on the country, many require ID.

More like surveillance state

The ID presented at time of purchase does not have to be the ID of the actual user of the card. Your local drunkard will be happy to get $10 to buy a SIM card for you. Or you could visit eBay (or local equivalent) and get a valid SIM card without leaving your house.

The suggestion above wasn’t a statement of practicality but rather of EU motivations. Maybe you can also find a drunkard to fork Android for you.

Germany requires ID for all SIMs (for "normal" people). You can buy activated SIMs in every bigger city if you know what to look for though.

>While it is technically feasible, it is not a good idea to try and find a technical solution to a people/organisation problem.

You can use any country's SIM card in any other country, regardless of its registration status.

A secure OS is a prerequisite for secure digital services. We can agree on that, right?

The task, therefore, is to convince enough politicians to establish an independent unit that can address this issue without direct political influence.

Fund the unit with enough money so that it can take care of the cybersecurity and sovereignty of all citizens.

A side effect of this would hopefully be that these politicians would then be digitally literate enough to recognize nonsense such as chat control as such and reject it outright. I hope that most politicians would not really want such omnipotent surveillance tools if they could truly grasp their scope.

… if you have roaming coverage.

And even in that case, doing this for a long period of time violates most roaming policies

Which states aren't? And for the love of god do not write US now

There's eu(maybe even EEA?) wide free roaming legally mandated since I think 2017 or so? But it's not a permanent solution, your second paragraph still holds true.

In many EU countries you can walk into many a supermarket or phone-store and just buy a simcard with cash without questions asked.

What's wrong with lineage?

The only thing that happens is your data becomes a lot more expensive, the card still continues to work as normal. I've not lived in Poland for over 15 years now, and I still have a polish SIM card that I use almost daily - the only thing that I've lost due to roaming long term is cheap data packs, I can still call and text as normal from my monthly allowance.

> How are things in the EU on whether it's legal to buy a SIM card without showing ID?

It varies per country. In some you can just buy one (or more) SIM cards at a supermarket without any ID.

The same EU that's doing Chat Control?

Even with fair usage policy violations (like long term roaming) the prices are still quite reasonable: 1.30 EUR/GiB (+VAT); from next year 1.10 EUR/GiB (+VAT).

https://en.wikipedia.org/wiki/European_Union_roaming_regulat...

You have to get some of the big names to unlock the bootloader first. The trend towards locking it off permanently is alarming.

Edit: Google could ultimately use that as a lever in licensing deals with manufacturers. It'd marginalize everything.

The same EU of which parts are trying to make chat control work and are once again abandoning it. Politician get this particular fancy idea every other year in all kinds of countries, not just EU. Overreach out of desperation for a problem that cannot simply be solved is wrong but understandable.

I know of some UK SIMs that do not roam.

Maybe in the countries that you are familiar with that is the case.

In some places your plan will be cancelled for roaming beyond a certain number of days or quantity of usage. Telecom laws and polices vary widely.

As far as I know it is only EU. Both UK and Switzerland have some operators that roam and some that do not. fwiw, fastweb in Italy provides roaming in both and has a very generous fair usage policy.

> The ID presented at time of purchase does not have to be the ID of the actual user of the card

In some EU member states this might be fine, but definitely not all.

> Your local drunkard will be happy to get $10 to buy a SIM card for you.

Buying a SIM card was always the easy bit. Getting it activated may not be, it depends on which country you're in.

https://www.telekom.de/prepaid-aktivierung/en/start

"For the Selfie-Ident you identify yourself with your identity card, passport or residence permit. (Selfie-Ident is currently possible worldwide with the German ID card, residence permit and passport. Alternatively, you can use Video-Ident and identify yourself in a video call with an employee.)

Important: Temporary identification documents are not supported due to internal check. You need a tablet or smartphone with a camera and an internet connection."

The same EU that's doing NL Labs, the org mentioned in the comment you're replying to.

Surely others may use your phone?

I must sadly inform everyone here that the EU is pozzed beyond recovery in regards to Google. The reference implementation for the euid project is only available for android and ios and uses the play integrity api which makes usage of it on non google-certified devices impossible. https://github.com/eu-digital-identity-wallet/eudi-app-andro...

It's not a good, secure project by a longshot. There's a good comparison floating around:

https://images.squarespace-cdn.com/content/v1/60f1421e1afcf4...

> Furthermore, the need for a trustworthy binary to be auditable to a certain hash or something would make banning this a simple task if Google would want to go that route.

This is actually the advantage of doing it. You make the thing (call it a "personal app loader" or something rather than a "circumvention tool"), they ban it, now you campaign against them or make antitrust arguments presenting the ban as an anti-competitive practice or use the ban to refute claims that they're not inhibiting third party app distribution.

Even if you know they're going to be the villains, you still want to make them actually do it so that everyone can see them doing it.

Okay, thanks.

I was confused bexause anonymity against the state is hardly the only, or even a main point of android forks.

Privacy usually is, but against big tech typically.

That looks like someone made a list of mostly features specific to GrapheneOS so they could make a chart where all of the other alternatives (including stock Android) are full of red boxes.

Several of those are the opposite of security features, like SafetyNet support, which might be a convenience in some cases but it mostly makes it so you can't upgrade certain parts of the system to newer versions even when the old versions have security vulnerabilities.

The EU is a big place, run by a lot of different people, with true separation of powers. They don't have a president-king who can just ignore court decisions.

> hope we can get the EU to fund a truly open Android Fork

The same EU that keeps pushing for breaking encryption and chatcontrol? No thank you

>That looks like someone made a list of mostly features specific to GrapheneOS so they could make a chart where all of the other alternatives (including stock Android) are full of red boxes.

No one else even bothered to make a list.

>Several of those are the opposite of security features, like SafetyNet support, which might be a convenience in some cases but it mostly makes it so you can't upgrade certain parts of the system to newer versions even when the old versions have security vulnerabilities.

Citation needed

In my country, giving a SIM card to another person who does something illegal, is a crime. No doubt EU might soon have the same law - they are pretty good at copying.

As a result, sites where I could rent a number for verification, now don't offer local numbers anymore.

> breaking encryption and chatcontrol

The two are not equivalent issues; the first one is ill-formed as stated.

Cryptography is a tool of control. It's "dual-use", in the same sense like a knife or nuclear fission is - its moral valence depends on who is wielding it, and to what end.

In the context we're discussing, encryption is being used against the people. Working encryption is in fact needed to make chat control work - it's fundamental to it, the same way it is to Developer Verification and Safetynet/Remote Attestation. It would be great if EU decided to break that set of encryption applications. Alas, chat control only wants to break E2EE on messages, and uses encryption elsewhere to guarantee E2EE stays broken.

A more general comment about this thread, and related ones in the past: people really need to stop thinking about "encryption" and "security" as inherently good. They're not. Most of the social problems with computing, the attempts at user disempowerment and disenfranchisement, persist because they apply cybersecurity solutions.

The core question of security is always: who exactly is being secured, and from who.

> No one else even bothered to make a list.

That doesn't make the biased list good.

> Citation needed

Are you not aware of what SafetyNet is? It's the thing where Google certifies that the phone is running the software produced for it by the OEM. The problem, of course, being that the OEM stops issuing updates and then the certified version has known vulnerabilities. Which is a lot of the point of wanting to install a newer ROM on such a device, except that then it won't pass SafetyNet because you replaced the vulnerable but certified code with third party code that has the patch but not the certification.

> A secure OS is a prerequisite for secure digital services. We can agree on that, right?

Secure for who, and from whom?

Remote Attestation and Developer Verification both make Android OS and platform more secure against malicious actors that would want to defeat the guarantees the platform gives, guarantees that enable secure digital services.

Yes, this includes protecting the banking services and DRM media services and advertising platforms from malicious actors like you and me, who pose a real threat to the revenues of the aforementioned players, by:

- Expecting banking to do security right on their own side, instead of outsourcing it to mobile platform and society at large (like with "identity theft" trick);

- Enjoying entertainment and education in ways the vendor or IP owner does not like or can't be arsed to support, and thus not spending extra on the inferior ways that are supported;

- Not looking at the ads.

Same is with Chat Control. Chat Control improves security of the society against threats such as sexual predators who want to hurt children, or citizens who disapprove of how the current ruling class is governing the people. To effectively provide that security, Chat Control in turn relies on a secure OS and platform providing secure digital services - in particular, secure against those malicious actors that would want to circumvent Chat Control protections.

Is the larger picture clear now? Security technologies are not inherently good, they're morally ambivalent. They're "dual-use". It's important to consider their deployment on a case-by-case basis, always asking who is being secured, and what are the actual threats they're being secured from.

That's because we are no longer in the EU. Before Brexit they were legally mandated to allow free roaming in the EU. Now they are back to charging whatever outrageous prices they wish.

So we're gonna get access to Von Der Layen Pfizer sms right?

Were you offered to vote for Von Der Layen by the way?

did you understand and disagree with the third paragraph? if so, could you say in what way it didn't completely answer the question you just asked?

I hope the EU actually enforces the DMA and forces Google and Apple to stop their non sense.

For all the disdain I have for her, Von Der Layen is the candidate put forward by the PPE, the majoritarian party in the EU parliament. So, yes, people were indeed allowed to vote.

The EU is a parliamentary democracy. Von Der Leyen was proposed by the democratically elected heads of the member states. She was approved by the democratically elected parliament.

The chancellor in Germany is also not directly elected by majority vote but by parliament.

Its a reasonable criticism that the EU structures make democratic legitimisation very indirect, but that is at least partly a result of the EU being a club of sovereign democracies. The central tension was extremely evident during the Greek debt crisis, you have a change in government in Greece, but due to EU level constraints they can't enact a change in policy. More independent power ininstitutions less dependent on the member state, means the sovereign democratic national governments can't act on their local democratic mandates.

Desperation for what exactly? More control?

Technical things can affect people. Adversarial interoperability. They're using a technical thing to cause a social thing anyway, and fighting back with the same tactics is at least not surrendering.

FWIW EU members are sovereign. If they disobey EU laws they can have benefits withheld but they won't be militarily invaded for ignoring EU law the way a US state would (unless they do something military themselves like invading another country).

> Chat Control improves security of the society against threats such as sexual predators who want to hurt children,

no it doesn't. Chat Control is single-use.

I'm not in the EU! I can explain when somebody is wrong without having a horse in the race myself.

The same EU that shut down another attempt at Chat Control.

Bad legislation gets written everywhere, the difference is, in the EU it doesn't pass.

technically people didn’t vote for Trump they voted for electors which voted for him.

> The EU is a parliamentary democracy

Except the are a couple degrees of separation between the democracy part and in the running the EU institutions.

The EU parliament is also a very superficial imitation of a real parliament in a democratic state. It has very limited say in forming the “government” or decision making.

> result of the EU being a club of sovereign democracies

So either revert to it just being a trade union or implement fully democratic federal institutions. The in between isn’t really working that well.

She was primarily nominated by the EU council.

The parliament would have picked Weber, but nobody cared since its just there to rubber stamp predetermined decisions.

He was the leader of the party which won the plurality in the elections and had its support. EU had a real chance to move towards becoming a real parliamentary democracy if it went that way.

> Except the are a couple degrees of separation between the democracy part and in the running the EU institutions.

That's what parliamentary democracy means, yes.

They are trying to stop crime, including sex/drug trafficking and child exploitation. If you want to have an intellectually honest debate, you need to be clear that private communication apps do make it more difficult for police to conduct legitimate investigations. You do yourself no favours painting all politicians as power-hungry caricatures.

No, of course not...

In parliamentary democracies the parliament is elected directly and is generally sovereign (optionally constrained by a constitution or some set of basic laws and powers delegated to regional governments and such).

In no way does that describe the EU. It has no equivalent body. Its imitation “parliament” is extremely weak and barely has a say in who forms the closest EU has to a “government”.

Active installs of LineageOS[1] as reported on official tracker is 4.3m instances right now. An MAU of 5m is like, less than Bluesky, Switch 2 shipped so far, most F2P phones games you've heard of, etc. The leverages it has is that of a game.

1: https://stats.lineageos.org/

It appears that you are an American who has conveniently forgotten about FISA, EARN IT, CLOUD act, PATRIOT act, LAED, etc, etc, and wants to take a dig at the EU for what, exactly? NOT passing Chat Control? Seriously..

So do private in person conversations. Going the route of North Korea putting two way speakers in each house would help make those conversations available to the government. Think of all of the child exploitation you could stop by removing any sense of privacy. Of course they would figure a way around this and everyday citizens would have to deal with the lack of privacy but at least they thought of the children so we should keep voting them in.

But the parliament isn't the government in a parliamentary democracy.

It would be hard to find manufacturers to use it. None of the existing Android phone manufacturers would be able to release phones with this fork without also abandoning the official Android platform on all markets. Google are very strict with this in their tos. You cannot release devices using non official Android builds without losing your right to use GMS and Android Brandice on your other Android devices.

There is no such requirement in the EU - it is entirely up to the individual country.

Yes, and? It forms the government and can dismiss it.

If chat control is a good-faith effort to stop crime, why can't Android developer verification be a good-faith effort to stop cybercrime?

If politicians are not all power-hungry caricatures, is it possible that the same is true for businesses?

Android has millions of users worldwide, many of whom are far less computer-literate than HN users. I think it's very reasonable for Google to put speed bumps in front of malware developers trying to distribute through the Play Store. If you're a half-decent dev, $25 is nothing compared to the opportunity cost of your time in developing your app.

This whole thing seems to be a fairly recent announcement on Google's part, so it's unsurprising they're still hammering out details for hobbyist devs? How about making constructive suggestions for ways that Google can protect ordinary people without stopping power users?

It's interesting how so many online discussions of internet privacy devolve into nationalist chest-beating. I'm beginning to suspect that people don't inherently value privacy all that much -- they just want to brag about how their country is the most private.

Recall that the premise of this thread is that the EU should sponsor an alternative to Android. The EU vs US question isn't really topical, since no one suggested that the US government should sponsor an alternative to Android instead.

I do not think it is righteous or enlightened when the American government flexes control over the tech sector. I can see how Europeans might have thought this about the EU when it was just GDPR, but subsequent developments have recast all of this as being about government control and keeping the tech industry “in its place” rather than a commitment to privacy and freedom in and of themselves. I think that ought to temper the righteousness.

Or, far more playsibly, they added to the table features GrapheneOS has, but others don't.

Here's the up-to-date comparison: https://eylenburg.github.io/android_comparison.htm

As far as I know, there is no significant features other distros have that increase their privacy or security over what GOS has. I'm not entirely sure about the SafetyNet thing, but GOS is by far the most up-to-date to the AOSP out of these distros.

That was the election before the current one. She was the one out forward by the PPE this time and even then she was the second candidate put forward by the PPE after Weber was vetoed by France the previous time.

That’s the new Spitzenkandidate system. The council is supposed to pick the candidate put forward by the main political force in the parliament.

The EU is a real democracy anyway. All the members of the council are themselves democratically elected. It has a weird three parts political system but everyone in it is elected or appointed by people elected.

They can also vote on bills, while we're bringing up irrelevant gotchas.

It does, to some extent. These projects wouldn't have the support they had if they didn't have a plausible way to deliver some improvement along the metrics they market. It's the outsized harmful impact that's usually just left unspoken.

Also, I'm not saying Chat Control is dual-use, I'm saying crypto is. Chat Control actually needs working crypto to be properly implemented.

I think the issue is not about distribution in the Play Store (I don't actually have any problem with that: their playground, their rules) but the fact that they are going to break sideloading and alternative app sources like F-Droid.

I struggle to see any good-faith need to erect additional barriers to protect users from running the programs they want on devices they own, when you already have to be fairly expert to enable developer mode, install via adb, etc.

The point isn't that GrapheneOS is bad but rather that it doesn't imply there is anything wrong with LineageOS when it's still better than Android itself.

Moreover, some of the stuff with green boxes is still kind of a privacy fail. For example, with GNSS (i.e. GPS) your device calculates its location from the timing of radio broadcasts emitted by a network of satellites. It has extremely good privacy properties because your device is a passive radio receiver and neither the satellites nor anyone else know you're there when you use it. "Network-based location" can sometimes work when you're somewhere you can't hear the satellites, but now you have Google or someone else building a database of nearby wireless APs etc. in order to make it work, and in the process you're effectively uploading your location to them.

So this is typical of criticism of the EU democratic structure: It's just factually wrong. The EU Parliament can dismiss the commission. From Wikipedia:

"The Parliament also has the power to censure the Commission by a two-thirds majority which will force the resignation of the entire Commission from office. As with approval, this power has never been explicitly used, but when faced with such a vote, the Santer Commission then resigned of their own accord."

The fact that the whole democratic setup is highly complex is in itself a problem. But the concrete deficits people mention are never true or don't apply to other democracies either...

In practice the EU Parliament has been a lot more trouble for the executive than is typical in national bodies. The one valid point is that the parliament does not have the right to initiate legislation itself. That is unusual, but in practice many people who are actually close to political processes seem to say this is mostly symbolic, as national bodies can't really draft effective legislation without cooperation from the executive either... Stil definitely something I would love to see addressed.

The parliament approves and dismisses the commission.

In the last cycles the candidate who led the party who won the parliamentary elections became head of commission.

So this is just wrong. The EU parliament has more power than US Congress or the UK parliament in this respect.

It isn't working well by what standard?

GOS developers have said on multiple occasions that they think LineageOS is worse for security than the stock OS on multiple devices, as it doesn't keep up with current privacy/security patches or provide all of the standard protections. The comparison also does bring up these faults. See also https://www.kuketz-blog.de/lineageos-weder-sicher-noch-daten...

If you're happy to purchase a SIM card, register it in your name, and hand it to someone else for them to use, go right ahead.

Q: Who's paying the bills for that SIM?

Unfortunatelly DMA is the reason Google is doing this. It allowed Apple to require notarization for "security". Google is just copying the same approach as it's now clear what the requirements by the governments are.

Before it was unclear so it was better to allow installation of apps without any verification to appear as more open.

Remember any regulation/law has unintended consequences. At one point Apple decided that PWAs would no longer be supported in EU so they don't have to provide equal capabilities to implement them in alternative web browsers, fortunatelly they changed their mind by obtaining an exception. PWAs is the only alternative choice for making "proper" apps on iOS (no hacky sideloading methods).

I think overally DMA is more a loss than a win (good on paper, terrible in practice). It codified worse things. The EU app stores are still fully controlled by Apple (harder to install, they can just decline or drag notarization of any apps or revoke your license to dev tools, you need to still pay them, etc.).

For various apps the EU market is too small (esp. for things that need to be global) to invest into the development so while you can for example theoretically develop a real alternative web browser to Safari/WebKit (forbidden by App Store rules) nobody is willing to do it.

I was referring to this part

> > The ID presented at time of purchase does not have to be the ID of the actual user of the card

>In some EU member states this might be fine, but definitely not all

It seems hard if not impossible to prevent or stop?

That's fair.

What subsequent developments? It sounds like you are alluding to the DMA.

The DMA is an attempt to reclassify what “market” means in the modern age where we have a global tech oligopoly. This is because a simple “test” for monopolism doesn’t work in this world of multinational megacorps.

Again, your complaint is a double standard. You are doing similar in the USA - albeit without an actual structured act - as per the recent rulings on the Google Play store.

The EU has simply codified the rules for their vision of the future where people aren’t beholden to a handful of tech overlords, whereas the USA is making similar incremental “changes” through case-law. I’m not saying either way is correct, but it seems like they are both headed in the same direction.

"Device does not force you to update" isn't a bug. The bug is "device forces you not to update" which is the thing you get with stock Android on the large majority of Android devices.

Their objections in general seem to be fairly pedantic, e.g. objecting to a connectivity check which could be improved in a theoretical sense but in practice that shouldn't be leaking anything you're not already giving up by having a phone which is turned on and connected to a cellular network.

This can also easily be framed as anticompetitive.

They (google) could cite the loader being "exploited" to run "dangerous" apps like viruses/malware, and bypass the monopoly issue.

I do think having a technical bypass is good - it isn't mutually exclusive with also having a legal bypass. I just hope that the gov'ts are smart enough, and agile enough, to make this happen before it becomes too late (aka, once the gates close, it will never open again, like apple's ecosystem).