Google’s Requirement For All Android Developers To Register And Be Verified Threatens To Close Down Open Source App Store F-Droid
from the formerly-open-ecosystem dept
It would be something of an understatement to say that Alphabet, Google’s holding company, is big and successful. Some Wall Street analysts are even predicting it could become the world’s most valuable corporation. Of course, even for business giants, enough is never enough. They always want more: more money, more power. As part of that tendency, Google seems to have decided that F-Droid, the free and open source app store for the Android platform, is a threat to the official Google Play Store that needs to be neutralized. At least that is likely to be the effect of Google’s announcement that it will require all Android developers to register and be verified before their apps can be allowed to run on certified Android devices. A post on the F-Droid blog explains what the problem is:
In addition to demanding payment of a registration fee and agreement to their (non-negotiable and ever-changing) terms and conditions, Google will also require the uploading of personally identifying documents, including government ID, by the authors of the software, as well as enumerating all the unique “application identifiers” for every app that is to be distributed by the registered developer.
According to the blog post, the impact on the F-Droid project would be severe:
the developer registration decree will end the F-Droid project and other free/open-source app distribution sources as we know them today, and the world will be deprived of the safety and security of the catalog of thousands of apps that can be trusted and verified by any and all. F-Droid’s myriad users will be left adrift, with no means to install — or even update their existing installed — applications.
Google says registration is needed to “better protect users from repeat bad actors spreading malware and scams”. Registration “creates crucial accountability, making it much harder for malicious actors to quickly distribute another harmful app after we take the first one down.” Slightly less convenient, perhaps, but not much harder. The F-Droid blog post points out that its open source app store already has a far better approach to security than Google’s proposed registration and verification:
every [F-Droid] app is free and open source, the code can be audited by anyone, the build process and logs are public, and reproducible builds ensure that what is published matches the source code exactly. This transparency and accountability provides a stronger basis for trust than closed platforms, while still giving users freedom to choose. Restricting direct app installation not only undermines that choice, it also erodes the diversity and resilience of the open-source ecosystem by consolidating control in the hands of a few corporate players.
Google is at pains to emphasize “Verified developers will have the same freedom to distribute their apps directly to users through sideloading or through any app store they prefer.” But that’s not true: their “freedom” will soon be conditional, subject to Google’s whim and veto (as the company’s recent removal of the ICE-spotting app ‘Red Dot’ demonstrates). As a special concession, the company says:
we are also introducing a free developer account type that will allow teachers, students, and hobbyists to distribute apps to a limited number of devices without needing to provide a government ID.
But again that is subject to Google’s approval, and only allows distribution to a “limited number of devices” – a circumscribed “freedom”, in other words. And for F-Droid it’s not even an option, because of the following:
How many F-Droid users are there, exactly? We don’t know, because we don’t track users or have any registration: “No user accounts, by design”
As the F-Droid post comments, Google’s move is not credibly about “security”, but actually about “consolidating power and tightening control over a formerly open ecosystem”:
If you own a computer, you should have the right to run whatever programs you want on it. This is just as true with the apps on your Android/iPhone mobile device as it is with the applications on your Linux/Mac/Windows desktop or server. Forcing software creators into a centralized registration scheme in order to publish and distribute their works is as egregious as forcing writers and artists to register with a central authority in order to be able to distribute their creative works. It is an offense to the core principles of free speech and thought that are central to the workings of democratic societies around the world.
Google’s attack on F-Droid is ironic. At the heart of Android, and the key element that allowed it to become so successful so quickly, is the GPL-licensed Linux kernel. Over the years, Google has increased its control over Android by adding more non-free elements. If, as seems likely, its latest move leads to the shutdown of the 15-year-old F-Droid platform, it would represent a further betrayal of the open source world it once supported.


Comments on “Google’s Requirement For All Android Developers To Register And Be Verified Threatens To Close Down Open Source App Store F-Droid”
Google wants full control of every app you use.
Google is evil.
Google back then: “Don’t be evil.”
Google now: “Don’t be stupid by being good.”
Re:
Google soon: “Don’t be evil, we are.”
They blessed our anti-trust and we’ve bent the knee to Trump, now is the time to shine at being bastards!
In my opinion F-Droid is a casualty of Google’s preemptive anti-competitive attack on Epic launching a competitive app store for Android. This should probably be prosecuted as an abuse of their monopoly position in app distribution for Android.
Well. Next time I have to get a phone, I will have to go a different route, I guess. No fucking loss.
The linked page says “developers will have the same freedom to distribute their apps directly to users”, so I’m kind of confused. Is the suggestion that this is double-speak? Like, maybe developers will still be able to distribute their apps to users—as long as they don’t expect the users to run those apps?
Also, has something changed recently? When this was announced earlier in the year, I thought I’d read that users would still be able to install apps via ADB; and, of course, install entire alternate operating systems, such as GrapheneOS, via the same mechanism. Why would F-Droid not live on for Graphene users?
Re:
Developers fundamentally won’t have the same freedoms. F-Droid and similar projects as they exist right now rely on the freedom to openly distribute anonymously; centralized registration conflicts with that. Google’s idea of “same freedoms” is “same freedoms as long as you verify with us and comply with our terms” because Google is assuming there is no legitimate reason anyone might not want to do that.
So with that in mind, why not Graphene? The primary argument I’ve heard is that, even with F-Droid and other projects being tiny compared to the Play Store, they still rely on a network effect (they are more useful when more people use them, inherently). Cutting their userbases to just those running Graphene or other alternate OS would make that group even smaller, which means fewer developers will be willing to keep working on apps. The quality of F-Droid as a service would degrade.
Re: Re:
Thanks for the explanation. You and Arianity seem to agree it’s a bullshit statement. What about the ADB situation? Will users still be able to side-load apps via that method, or has the situation gotten worse than was previously announced/surmised?
Yeah, it’s not good, but it’d be Google cutting F-Droid’s userbase, not F-Droid. And what can F-Droid do except cease to exist, or continue to support Graphene and maybe a few other OSes? (Well, they can contact courts, legislators, and users to push back against Google; but if Google decide to plow ahead, F-Droid will still need to decide what to do for the years before we get any useful result.)
Similarly, what can app developers do other than publish via F-Droid, give in to Google’s demands, or give up on the concept of phone apps entirely (switching to web sites or desktop apps)? GrapheneOS itself somehow remains viable. There’s at least a chance that the users who care about free software—as those using F-Droid presumably do—will follow.
Re:
Yes. Basically, what Google is doing is verifying the dev, but not verifying individual apps. (For now)
So in order to sideload an app, the dev has to be approved by Google. After that happens, that dev will be able to release sideloadable apps. (Of course, the moment there’s a dev that is known for a controversial app, this becomes a problem anyway. Even assuming Google never restricts things further)
As far as I’m aware, alternate operating systems like GrapheneOS aren’t affected. Statement here (there are probably other ones with more detail)
The value proposition that doesn't show up as a line item on the corporate account books
At least half of Android’s value to me is simply being able to “side-load” apps from F-Droid on my “smartphone”.
Loading apps from F-Droid simply makes it so much easier to keep unwanted/unwarranted snooping away from my phone. (F-Droid has one particular, very simple feature that makes life so much easier: it explicitly breaks out and identifies “anti-features” — app features that I might not want or aren’t actually necessary for the function the app provides (like tracking me, tracking my habits/usage, serving ads, collecting data, not having a clear, easily activated account/data deletion mechanism, etc).)
The result is that I can figure out whether I really want to install a particular app, much more quickly and easily on the F-Droid app store than on Google Play. (And you’d be surprised how many apps on the Google Play store are essentially the same code, dressed up in a different skin and with additional code to track/serve ads/whatever the developer chooses.)
Probably related: the F-Droid apps also tend to be noticeably easier on my battery (even when it’s clearly the same app, available from both Google Play and F-Droid).
I consider the ready accessibility of F-Droid (and similar app repositories) as an easy to use, viable app repository, to be a useful (and unfortunately necessary) check on Google’s corporate instincts to put its ability to control and exploit Android users ahead of providing its users with reasonable product/service on reasonable terms.
Sideloading is one of the major reasons I’ve been an Android user for so many years. I hope the EU steps up.
Re:
To what end? Their current goal (“chat control”) is to ensure that people cannot chat with each other, without government agents (including Google and Apple) spying on them. If everyone could just write and install their own software, they could bypass that.
Be careful about making vague wishes.
Re: Re:
The EU is far from perfect, but it’s been plenty aggressive on forcing Apple to open up its walled garden, in terms of monopolizing which apps can be downloaded/run. The reason Apple now allows sideloading at all is because of the EU regulatory action (as well as most of the reason it allows 3rd party app stores).
Re: Re: Re:
Fair enough, but what is the current situation? As far as I can tell, for “sideloading”, Apple still mandates developers to create an Apple ID, agree to its terms, and have apps reviewed (but under slightly different rules). They call it a “notarization” process. I don’t know whether there are identity-verification rules, but if Google get away with them, maybe Apple will add them. They could try to justify it in the interests of parity and security, and point to the EU’s ongoing efforts at identity verification on the web.
Besides that, are you in the EU? Because Apple have gone to serious effort to make sure not a single user accidentally gets EU rights they’re not entitled to. They’re gonna check your billing address, GPS location, regional settings, probably cell towers and Apple-ID-creation location… if you’re not actually in the EU, you’ll get nothing from the EU stepping up. And I wonder what happens to apps sideloaded under the EU rules if one leaves that area.
So that’s why I advise “wishing” more specifically. It’s not (just) pessimism. These monopolists have a history of trying to weasel out of legal obligations.
Re: Re: Re:2
Yeah, current situation is Apple going full malicious compliance. As far as I know, we don’t know yet if the EU will let it pass, or push it further (hoping for the latter). They’ve been pretty good about following up on malicious compliance. That said, any changes from Apple are EU-only (software, at least. We did get usb-c out of EU action, that was nice). Although, Google historically are slightly less assholes about keeping stuff like this region-specific out of pure pettiness.
It’s not ideal, but it’s what we’ve got, for now. Nothing is going to happen in the U.S. for the next ~2.5 years at an absolute minimum, and realistically much longer. At least from regulators. And unfortunately I don’t see there being enough public backlash to do much otherwise. The amount of people who sideload is a very small niche.
In terms of practical solutions for myself, I’m considering whether I can justify the swap to something like GrapheneOS. It’s just nice to see someone put the screws to them, even if we don’t get to enjoy the fruits of it.
Re: Re: Re:3
If we look at the EU-US privacy business, there was the “Safe Harbor”; after Max Schrems pointed the EU to the Snowden papers, that was declared invalid in 2015.
Then, to avoid anyone having to really change anything, the EU replaced it with “Privacy Shield”. After the same person pointed out that it was basically the same thing, it was declared invalid in 2020.
Then they replaced that with the “Data Privacy Framework” in 2022, and although few people can explain how it’s actually better, the courts said it looked okay. It seems they’re starting to look again, though, on account of a US administration that can’t be trusted to uphold promises to other countries.
So… the EU does react in a way that looks like progress. It’s less clear as to whether there really is substantial progress; sometimes it seems like they’re perpetually trying to catch up.
But, yeah, the USB-C ports were nice. I’m surprised Apple didn’t find some way to software-lock that in other regions, or replace it with some not-quite-USB part. (I once debugged a car head-unit that had a proprietary connector and protocol; but if we filed down the keying and re-inserted the connector at a 90-degree rotation, it’d speak USB.)
Someone will figure out how to circumvent that
One GPS app has already figured out how to crack Android Auto and put their app in Android Auto.
Because they are in Slovenia, this app maker is not subject to American laws.
American law does not apply in Slovenia.
Re:
Sure. Installing via ADB was already mentioned as a possible (un-confirmed) method. Alternate operating system distributions are another, and Google’s made no statement about stopping them; indeed, Pixel phones are one of the few models to actually allow it without jumping through hoops. (It doesn’t necessarily have to be as different as GrapheneOS; maybe someone just re-packages stock Android, as much as possible, with that one thing changed.)
Still, ease of use and public perception do matter. To the general public, this is something a mall kiosk will have to handle. Or maybe a tech-savvy friend or family member, if they’re lucky—the same people from whom they get the latest episodes of the shows not available on their chosen streaming platform. With the stigmas of “shadiness” that go along with such things.
The big questions, to me, are whether “normal” people are running F-Droid to start with. If not, maybe most of their users will actually do what’s necessary to continue being users. Either way, how much will Google crack down when people do work around it?
Well, AOSP projects like LineageOS might allow F-Droid to limp along (I use that combo), but without a mass exodus from Google apps/services, it probably won’t last too long 🙁
The real question of concern is how will the company know if people are properly registered and not clever malware spies that have hacked an account? Maybe they need to add a biometric method of proving their identity, like a tattooed registration number. Updates could come in the form of star shaped patches. They could wear special armbands and restrict anything submitted that is out of band.
Re:
They could simply ask people whether they’re “malware spies”, like the US asks people whether they’re terrorists.
“First They Ignore You, Then They Laugh at You, Then They Attack You, Then You Win.”
It seems FOSS / F-droid is at phase 3.
How I wish that phase 4 would come, instead of more #Enshittification
Lovely. I’m sure this won’t have any unforeseen consequences.