Google details new 24-hour process to sideload unverified Android apps (Ars Technica)

Let me recommend you try traveling a bit in a developing country and talk to the locals. You'll learn why the locals are careful about talking to the police.

This sets aside the issue that useful police aren't universally available to begin with. Victims don't even have any legal recourse after the fact, from what I've heard from coworkers whose family back home have been scammed.

I'm extremely sympathetic to the desire to run the software of my choosing on computers that I own, without hassle. I don't think there is a trivial answer to the ethnical question how Google should accommodate our "happy path" user journey while mitigating this type of scam. Mitigating this somehow does seem like a worthy goal.

I'm sorry, but I don't follow how low trust in an institution increases the likelihood of imposters pretending to be that institution being followed blindly. You'd think it would be the opposite, no? That in countries where people do trust the police, they'd be more likely to believe that the police want you to sit still in front of your computer?

> awareness of rights is even lower, and bullshit detection sense almost non-existent.

This is obviously a serious problem, and I don't mean to mock it, but: is a *technical* solution really what's needed here? Even disregarding the hundreds of millions who needlessly gets the technical solution forced upon them – is it not incredibly patronizing for a tech company to try to patch over a serious societal issue by treating the members of that society as a danger to themselves? As incapable of owning their own devices without sleeping on it first?

Fail.

This is *extremely* risky, because you can easily sideload apps on the desktop.
We must immediately force desktop OS vendors to add a sideload delay to protect you.
I mean, this would just annoy you and not protect you at all. But well, all the victims!

I can do everything from my bank's web page in a standard browser (indeed the app is effectively just a thin wrapper around the web site!) ...except make deposits.

And simply having developer mode enabled on the phone is enough to make the app fail to launch (with an error about doing this "for a better user experience")

Yes and no. You cannot ignore the context, including the long history what led to this point.

Google put a decent amount of work into ensuring alternative app stores were not only viable but actively supported, along with supporting direct sideloading. And what did that get them versus Apple's "completely locked down with a single storefront" approach? *larger* penalties and legal headaches. (see; Epic vs everyone)

"Being more open with a relatively light touch" takes significantly more work, has left them worse off in today's legal+regulatory climate. So why bother?

And that doesn't even touch on the whole "wild west" aspect of Android OEMs shipping all manner of crap leading to massive amounts of blowback onto Google, which led Google to exercise incrementally greater control over the ecosystem. And oddly enough, the market/press/etc nearly-universally lauded Google for their efforts while parasites like Epic resented having to have _any_ conditions placed on their activities. I'm only using a Pixel phone because as every other option is (much!) shittier and/or physically too large.

This doesn't work well when the app just sets itself as a device admin. Never mind that malware can obfuscate itself past any hope of detection.

Highly admirable(if upheld in practice), but this is a minority view.

A lot of governments will be happy if it turns out that this works as claimed and Google can provide statistical evidence they have protected so and so many of their citizens from scams.

Not really comparable. People know knives, have handled knives for years if not decades. They know the uses and the risks.

Take a random person off the street and ask them: what are the risks of enabling developer mode, they'll ask you what developer mode is. If you ask them what the risks are of installing random applications on their phones they'll probably say they let other people install software. People have *no idea* about malware and what it can do. But the effects of their phone being infected are very concrete. It can and does ruin lives.

So yeah, a time delay you have to do *once* over the lifetime of the phone seems reasonable. You can debate the 24 hours.

An actual comparable real-world situation would be time-delay locks on safes at a business. The staff know what's in the safe, they know the risks of opening it. So you would argue we could remove the delays. But we don't, because we know duress can make people evaluate risks differently. And in the end it makes things safer for the staff as well. Yes, in theory thieves could hang around for a while waiting for the safe to open. In practice they don't for various reasons and so they don't even try.

I think it is impossible to educate people not to be duped by scammers, but as always, I could be wrong.

We have driving licenses for cars, and we also ban private possession of explosives.

> *Help* people around you. Do not restrict them.

Yes, and that's why I like that 24h restriction.

i wish i could recommend a free alternative, but there isn't a viable one i'm aware of :(

life's a bitch, and then you die :)

I'd wager that nearly *every* business does this to their own employees on a regular basis, with official communiques (be it direct or from official [IT/HR/etc] vendors) bearing a majority of the flags/markers/indicators that the required anti-phishing training says to watch out for.

(Most recently happened at $dayjob two days ago, and this is a company heavily involved in [offsensive] cybersecurity)

Including the banks themselves. We've had industrial phishing and social engineering attacks going on for... approaching 2 decades now. And still, in the past year, I have had a phone call from someone (with a foreign/non-native accent) saying basically:

"I'm with <your bank>, and we need to verify some of your recent transactions"

<me suspicious> "Ok...."

"If you can just confirm your name and Date of Birth"

"Uhm... but you just range me?"

"Well I need to verify who you are"

"You're calling me, I need to verify who you are surely?"

Now, I actually thought the call was genuine, cause I did just have an issue with some card payments, but I couldn't believe they'd call me up and then demand that *I* give my details to _them_, when they were behaving no differently to a scammer. I told them how bad this was, how they were *training* their users to fall for scams by doing this. They told me to search for the customer support number and phone them back.

Sigh.

They'll just tell you that none of these services are life-critical and participating in the modern society is a privilege that you should be ready to give up.

It's a great motte-and-bailey. Wonderful, really.

A: "Android is getting user-hostile by the day and it needs to stop."
B: "Google does not owe you anything, nobody is forcing you to use Android, go develop your own, filthy nerd."
A: "Except they are forcing me to use Android, services X and Y in country Z are only available through that."
B: "Well, it's your problem then, sucks to suck."

You mean you can't just use a credit/debit card? (We have to make sure we use the same card every time, or we lose discounts.)

Admittedly it's a PITA, but where we have a serious price difference (buying rail tickets), you can still just go down the station and buy your ticket in advance for a discount. Okay, finding a ticket office that's open can be a problem ...

Cheers,
Wol

Dang, that sounds... frustrating. I guess I just kind of assumed the US would be the hardest place to de-google, but, apparently, I stand corrected. Apologies.

Canada sounds best, but here in the US, there's just a few inconveniences holding back my libre phone (other than the slowness, lack of water resistance, and mild tendency to overheat).

The one I'm most stumped on (currently, now that proton has a very nice Auth app!!) is routing with traffic via something like Organic Maps. There are some hacks floating around, but certainly nothing that meets the spare-time implementable (even for this introvert nerd...) plus reliable.

And the fact that, by the time I have it working, I'll probably finally be upgrading to a car with CarPlay or Android Auto or whatever it is.