• Shimitar@downonthestreet.eu
    131 up · 3 down · 27 days ago

    Disclaimer: I have been a maintainer for LineageOS and a long time user.

    Whoever advocates for LineageOS doesn’t get it. Using LineageOS will not fix any issue like this.

    Already today using LineageOS means giving up on banking apps, ID apps, and even McDonald’s and some games like Pokemon.

    Yeah because Google with Play Integrity now demands valid keys that get invalidated as soon as Google detects they are used for such usage. The cat and mouse game suddenly got much harder to beat.

    So no, using LineageOS will soon be possible only with secondary devices and not your primary that you will need for your actual stuff to work.

    • pinball_wizard@lemmy.zip
      44 up · 15 down · 27 days ago

      Counterpoint: I use the McDonald’s app where it belongs - on a giant greasy ordering kiosk.

      But seriously, banks have websites. Everyone and everything has a website.

      I don’t need Android apps at the cost of my privacy or at the cost of control of my devices.

      I use GrapheneOS as my only phone, and I have done so for years.

      Whatever the topic, I don’t need an app for that.

      • hessenjunge@discuss.tchncs.de
        62 up · 2 down · 27 days ago

        I don’t know about the US but on this side of the pond banks have their own 2nd factor apps. So to log in to a bank’s website you need an app - quite probably with play integrity.

        • AmbiguousProps@lemmy.today
          17 up · 1 down · edited · 27 days ago

          That’s insane, I have never heard of such a thing, but I’m in the US where most banks don’t even have non-sms second factor.

          • LainTrain@lemmy.dbzer0.com
            10 up · edited · 27 days ago

            That’s crazy. Yeah in the rest of the world you can’t do shit on a bank website, it’s mostly just view only, and the rest is via the app. If it lets you do anything at all, it’ll require 2FA via the app.

            You can transfer money from a savings account with one bank to another account with another bank just via tapping said bank account icon in the app, like you don’t even need the BIC/IBAN/AccNo/Name or any details, it knows where to go just because you have the app of the other bank, all you do is tap the icon.

            I’m not even sure you can withdraw the money from the savings account without having the app of the target bank installed on the phone, signed into the target account.

            Same way you can add a card to Google Pay by just tapping a button in the bank app, no details or anything required.

            Frankly I don’t even know where any one of my bank cards are, I remember for a good while I had a credit card that I didn’t actually have physically because when you open the credit card account (which requires extra checks compared to what is default - debit cards) they don’t bother to ship the physical thing to you unless you explicitly ask for it (via an option in the app), since most people just use it only via Google Pay because everywhere is cashless and uses only NFC.

            I didn’t realize at first but it meant that my “card” didn’t even have a PIN, because there was no way to physically have it, any large transactions are authorized in the app, everything else, including IRL is implicitly authorized by me unlocking my phone with my fingerprint, which is required to make NFC payments on Android. I think with Apple phones it’s required to open the app but for me since 2018 it’s been muscle memory to tap the fingerprint reader and slap the phone on the NFC reader on anything from the tube to the dodgy corner shop.

            To get the actual card details it’s a relatively hidden submenu in the app, to add to Google Pay is a giant button on the card icon in the app.

            Convenient as hell but the sheer amount of privacy violations involved and info that must be gathered about the phone to do this in a compliant fashion makes me shudder.

              • LainTrain@lemmy.dbzer0.com
                3 up · 25 days ago

                Yeah, happened to me. I tried to go to one of the bank locations but they not so subtly told me to fuck off and call their customer service instead if for some reason I couldn’t use the ‘in-app help menu’. The entire concept of me losing access to it seemed alien to them, as if I was born into the app or some shit, idk how much they pay those ghouls to stand there and gaslight folks like that but I sure hope it’s a lot.

                To restore it I had to call them and turned out I needed to know some kind of extra hidden secret “telephone banking” password after fighting past 10 people who could barely speak English. I didn’t know it ofc and like an hour later I was able to prove who I was.

        • miss phant@lemmy.blahaj.zone
          7 up · 27 days ago

          I’ve been using a dedicated TAN generator for banking since I first made my account but I don’t doubt that’s going away at some point, since debit cards from the same bank already require an app for 3-D Secure.

          • LainTrain@lemmy.dbzer0.com
            1 up · 24 days ago

            That’s not it, the TAN and 3-D Secure are different components to the 2FA required to access the bank account.

        • eleitl@lemmy.zip
          6 up · 2 down · 27 days ago

          No, hardware TAN generators work fine. If the bank wants to force me to use proprietary snake oil it’s time for a new bank. Or using a dedicated old smartphone just for the app.

        • Lka1988@lemmy.dbzer0.com
          2 up · 25 days ago

          That sounds extremely inconvenient. Individual apps for 2FA? No thanks. I’m good with KeePass and Aegis, both open source, encrypted, and don’t require any extra hardware.

        • pinball_wizard@lemmy.zip
          1 up · 1 down · 25 days ago

          Dang. Y’all need to pick better credit unions. MFA rolling token is an open standard. Any single app can support all of my (correctly implemented) tokens. I prefer Aegis, but they (correctly implemented MFA apps) all work.

          I don’t want to trust my money to someone who can’t implement standards compliant MFA.

          That would scare the daylights out of me.

          • hessenjunge@discuss.tchncs.de
            3 up · 24 days ago

            Well, they have had a kind of 2FA for at least 30 years, long before rolling tokens were all over the place. Their latest implementations are as simple to use as Steam 2FA. If a bank isn’t able to implement a proper 2FA login there’s a ton of other security issues to worry about. Lastly, I think by using their own implementation/app they prevent their customers from using compromised apps.

            • pinball_wizard@lemmy.zip
              1 up · edited · 24 days ago

              > If a bank isn’t able to implement a proper 2FA login there’s a ton of other security issues to worry about.

              Exactly. Any organization whose MFA doesn’t work on Aegis, I take action to protect myself from their incompetence.

              > Lastly, I think by using their own implementation/app they prevent their customers from using compromised apps.

              I’m sure they claim that. But I still recognize it as simple incompetence. They aren’t able or willing to hire someone with the Cybersecurity expertise to implement a relatively simple open specification.

              Y’all are welcome to risk your money there. It’s probably insured anyway, right?

              For me, that’s too much risk. Even if insurance makes me whole, getting robbed is a huge pain.

              • hessenjunge@discuss.tchncs.de
                1 up · edited · 24 days ago

                > Exactly. Any organization whose MFA doesn’t work on Aegis, I take action to protect myself from their incompetence.

                That’ll surely end their business. /s

                > I’m sure they claim that. But I still recognize it as simple incompetence. They aren’t able or willing to hire someone with the Cybersecurity expertise to implement a relatively simple open specification.

                Just out of curiosity: What percentage of the population is capable of running Graphene/Aegis? What percentage, regardless of capability, is willing to do so?

                Creators of popular OSS regularly warn about downloading their stuff elsewhere or pay for it. How do you think that would apply to any 2FA application?

                Now think of how stupid the average person is, and realize half of them are stupider than that. (love some George Carlin). Given that even (very) stupid people have and need bank accounts: How would you implement an authentication that can’t easily be compromised to rip off stupid people?*

                * Let’s just assume that you, the lead developer are not at all “incompetent”, quite the opposite. Also take into consideration that you need to keep cost down (hint: That means you want no one to call support because of 3rd party applications!).

                • pinball_wizard@lemmy.zip
                  1 up · 23 days ago

                  This is actually a solved problem:

                  The credit union implements (purchases from a competent vendor) their own custom branded standards compliant MFA solution.

                  This is what competent organizations already do.

                  Because the app is standards compliant, experts use Aegis instead of the branded app. Everyone else sticks with the branded app.

                  Also because the app is standards compliant, provided by a specialized vendor, and occasionally being used in unusual ways by expert users, serious security mistakes are much less likely to happen, and less likely to only be noticed by attackers.

                  I don’t expect my credit union to tell me to use Aegis - I expect them to use a credible MFA vendor that interoperates correctly when I do use Aegis.

      • Wispy2891@lemmy.world
        18 up · 2 down · 27 days ago

        Counter-counterpoint:

        Banks use their app to generate the otp and they reinvented the wheel so if you want to login you need to install it, can’t use a generic authenticator. I am not aware of any single bank in the EU that allows the use of generic authenticators.

        For McDonald’s, using the app gives at least 50% off. A menu in the app costs 5 euro while on the store kiosk costs 12 euro. I do not personally care because I find their food to be just barely edible, but I understand why there’s a need to install the app

        • thedarkfly@feddit.nl
          3 up · 1 down · 27 days ago

          Some people have no smartphone at all. How can they be customers at your bank?

          • redjard@lemmy.dbzer0.com
            3 up · edited · 26 days ago

            My bank had a device that was basically a simple android phone running the 2fa app. The phone app got updated through new versions and eventually got the drm treatment, but the old app keeps working because it is still running on those dedicated 2fa “devices”.
            Naturally the bank is now trying their best to make people deregister the old “devices” and switch to only the “app”.

            The old app has no internet permissions. It reads qr from the camera and shows verification as a 6 digit code.
            The new app has internet permissions and is integrated with other apps so you can conveniently accept the request of your banking app in the 2fa app (on the same phone) with a single tap via an overlay. 2fa.

            • thedarkfly@feddit.nl
              3 up · 1 down · 26 days ago

              Damn… The two extremes of the cyberpunk dystopia: no tech at all vs tech slavery.

          • Wispy2891@lemmy.world
            2 up · 26 days ago

            Pay a fee of 0.30€ to receive the otp via SMS every time they want to login without the proprietary otp app and 0.30€ for each payment to authorize

            • thedarkfly@feddit.nl
              2 up · 26 days ago

              Fucking hell, y’all make me realize how lucky I am with my bank that runs without gapps.

    • Qwel@sopuli.xyz
      13 up · 1 down · 27 days ago

      I’ve never had an issue with the three banking apps I tried on LineageOS, and I didn’t even know there was a McDonald’s app or pokemon games.

      If this list for /e/os roughly applies to LineageOS (with microG), I wouldn’t call it “only for secondary devices”, more “won’t work for some people”

      Did I miss something? AFAIK google is requiring devs to ID, not to use SafetyNet or whatever the “only-runs-on-certified-phones” thing is called

      • Azzu@lemmy.dbzer0.com
        2 up · edited · 26 days ago

        Same, my bank also doesn’t require strict play integrity. I think I ran into an issue with a dating app once, but that’s about it, and that’s no real loss.

        If my bank would suddenly stop working on Android with microG (with no simple alternative), I’d just switch to another bank, there are enough.

    • 0x0@lemmy.zip
      7 up · 27 days ago

      I (for the moment) use stock android without a google account without any issues.
      Then again I don’t use banking apps on a smartphone.
      My gov provides ID apps and they work fine - then again, GPS is installed of course.
      Fuck McDonald’s.

      I’ll have to check app support on Lineage or PostMarketOS in the near future.

    • Eagle0110@lemmy.world
      3 up · 26 days ago

      Exactly, trying to find a software alternative for what is ultimately going to be locked down hardware is never going to be a sustainable solution.

      Alternative OS means nothing if there’s no widely supported open hardware with unlocked bootloader to run such OS long term, and Google has got all mainstream phone manufacturers cornered legally and commercially with this and their requirement for manufacturer authorization for shipping GMS suite with their products.

      The only way out is this ridiculous decision of Google getting pushback from legislation, because there’s nothing manufacturers can do and without them there’s nothing FOSS developers can do to push back long term, and Google isn’t stopping themselves from doing Evil™.

      • masterofn001@lemmy.ca
        2 up · 27 days ago

        My bank app works without issue inside a private space with sandboxed Play services on my main user profile.

        I also have an investment app which runs without any issue whatsoever.

        Maybe I’m lucky and these Canadian companies just aren’t dicks about mandating google.

        As far as I’m aware, as of now, Graphene does not meet Google’s attestation (Uncertified Device), because Google says so, but is easily more secure.

        Google’s lockdown has zero to do with security.

    • splendoruranium@infosec.pub
      1 up · edited · 26 days ago

      > Already today using LineageOS means giving up on banking apps, ID apps, and even McDonald’s and some games like Pokemon.
      >
      > Yeah because Google with Play Integrity now demands valid keys that get invalidated as soon as Google detects they are used for such usage. The cat and mouse game suddenly got much harder to beat.

      But if I’m already using LineageOS without GApps, this wouldn’t make any difference, right?

      Edit: Also - thanks for all your work!

      • Shimitar@downonthestreet.eu
        1 up · 26 days ago

        And soon you will need a second device with locked down bootloader and play integrity to use mainstream apps.

        What when Meta will require attestation to run WhatsApp? Not if, when…

        • splendoruranium@infosec.pub
          1 up · edited · 25 days ago

          I agree that those things are going to happen, but again, I’m deliberately not using GApps and thus no Playstore apps, including WA. Using an undesirable product is a vote for the continued existence of that product, so the only winning move is not to play, isn’t it? 🤷

    • I Cast Fist@programming.dev
      1 up · 27 days ago

      I remember when internet banking meant installing some shitty “security” software on Windows before it would let you access the proper page on your browser.

    • eleitl@lemmy.zip
      5 up · 7 down · 27 days ago

      Seriously? Open computing is dead to you because you can’t order fast food or play games? I don’t even have Google Play on this GOS device. And, by the way, my banking app works fine on LineageOS. Not that I need it, since I use a hardware TAN generator.

    • CrayonDevourer@lemmy.world
      45 up · edited · 27 days ago

      You can blame the courts for this one. They basically ruled “Apple isn’t a monopoly, because they don’t even LET other people compete in the first place”. (which is about as bass-ackwards as it gets but whatever)

      Google saw this and went “shit…” so they’re rushing to implement the same thing.

    • Ugurcan@lemmy.world
      6 up · 9 down · 27 days ago

      You would wish Google would turn into Apple. AAPL at least has the decency of respecting some privacy.

      Google, on the other hand, is an advertising company (not a tech company), selling all the people pocket size advertisement billboards named “Android” for years, and they’re taking the last step of seizing full control over it.

      • algorithmae@lemmy.sdf.org
        15 up · 1 down · 27 days ago

        If you don’t think Apple is profiting off your data for advertising, I have a bridge to sell you

  • Wispy2891@lemmy.world
    39 up · 27 days ago

    Why the Google identity check is completely useless:

    Step 1: scammer acquires stolen id card

    What’s the difference between malware developed anonymously and malware developed anonymously but registered under a fake id? It can be installed today and it can be installed tomorrow. Do they really believe that malware developers will doxx themselves when publishing their malware?

    • Mubelotix@jlai.lu
      8 up · 27 days ago

      This. Every day there is a new legitimate dataset of ids for sale on the internet. I have seen enough never to trust ids anymore

    • Godort@lemmy.ca
      13 up · 27 days ago

      Some friends and I were talking about the feasibility of that earlier today.

      It’s possible, assuming that you never need to use your phone as an MFA method, never need to scan a QR code, or never need to use an app for something because they lack a web version.

      • paequ2@lemmy.today
        20 up · edited · 27 days ago

        My company recently required us to have mandatory fun at a baseball stadium. Apparently, Ballpark MLB is the only way to receive tickets and get into the park… I had to sign up for some stupid account and download some stupid app because my company required it.

          • paequ2@lemmy.today
            17 up · 1 down · 27 days ago

            I could have technically said no… but I would have taken a hit politically. I’ve definitely been on teams where people have said “Oh, paequ2 doesn’t like us. He doesn’t want to hang out with us.” I mean, they’re not wrong. I don’t like people. But. You know. I still need people to review my PRs, approve them, ask them for help, ask them for pay bumps, etc.

            Forgive me Lemmy for my moment of weakness. I’ll go off to the corner and practice some self flatulation.

            • ThotDragon@lemmy.blahaj.zone
              5 up · edited · 27 days ago

              Self flatulation is so unironically funny in this context. I think you meant flagellation but really people are giving you more guff than you deserve over the situation. And your response was basically “well I’ll go fart by myself about it.” And like yeah, that’s about what all this is worth.

              • paequ2@lemmy.today
                8 up · edited · 26 days ago

                > I think you meant flagellation

                I said what I said! I didn’t typo. 🏃 💨

        • dan@upvote.au
          12 up · 27 days ago

          This is exactly what a Yubikey is for. They’re phishing-resistant too, as opposed to TOTP codes.

            • LainTrain@lemmy.dbzer0.com
              1 up · 27 days ago

              Lucky you can get away with that. My bank requires the app, without it you can’t even make transactions via the web UI because the 2FA is via their app. You can’t even order a new card or many times order a physical card via their web UI because they don’t bother sending you a physical thing anymore, the intention being that you add the card to Google Pay for NFC and online payments and use it that way only. Everything is via the app. I actually have no idea what happens if I lose my phone, because as far as it has been made to appear my bank account is on my phone, there are no sign in details or anything of the sort, it’s either there or it isn’t.

                • LainTrain@lemmy.dbzer0.com
                  1 up · 25 days ago

                  Yeah good luck with that, most places have been cashless since the pandemic, and there are no banks that don’t do this, they’re required to have 2FA by regulatory compliance and they all implement it as apps to offset compliance costs with data harvesting.

      • pinball_wizard@lemmy.zip
        8 up · edited · 27 days ago

        > never need to scan a QR code

        QR wishes it can someday become as relevant as you’re giving it credit for. Haha.

        There is Aegis for MFA. It’s much nicer than the closed proprietary ones.

        Of course, if a job requires something incompatible, then I’ll let them buy me a dedicated device.

        Some services threaten me with “there’s no web version”, but they never end up being someone I want to do any business with, anyway. ¯(°_o)/¯

        But I do want a dumb flip phone again. They were cool.

        • /home/pineapplelover@lemmy.dbzer0.com
          4 up · 27 days ago

          This has come full circle because at my work, we refuse to buy hardware keys for employees because of the cost. Work is making them download Duo authenticator as the only means of MFA as well.

    • njordomir@lemmy.world
      3 up · edited · 26 days ago

      I hear you. My wife has also requested that I not deprecate certain proprietary apps until I can provide a good alternative that works on both Android and Apple. Last time was when we were traveling and wanted to share locations with each other in real time. I had to give WhatsApp location perms 🤮

      • Endymion_Mallorn@kbin.melroy.org
        0 up · 26 days ago

        Oh, I hear you there. I’ve had to give persistent location data to GMaps of all things, because she uses Apple and actually wanted me to get one of those devices just for location.

    • utopiah@lemmy.world
      2 up · 27 days ago

      My wife will hate it, but so be it.

      Pretty sure you can build and self-host an SMS-whatever-she-is-using (e.g. Signal, DeltaChat, etc) bridge if somehow SMS isn’t enough.

    • passenger@sopuli.xyz
      54 up · edited · 27 days ago

      If this comes to pass, f-droid might get closed as the userbase dwindles. Many apps will also cease to be developed and be left without updates. You will not get out with just updating to LineageOS. We should be looking at Linux phones at that point.

      • Vanilla_PuddinFudge@infosec.pub
        24 up · edited · 27 days ago

        Linux Phones have a few software hurdles to pass through to get usable.

        The biggest problem right now is adoption and contribution to the ecosystem, but there’s a few things in the way of outright using Linux apps on a phone. One is that most Linux apps aren’t made to be vertical. Some newer ones can adapt to it, but many of the apps you likely would depend on using a Linux laptop are almost unusable on a Linux phone, like… vlc, for instance.

        The network stack isn’t as beaten to death for 4G and 5G as Android’s is. I work in a slightly iffy area, and on Android I’d have times where I’d lose signal, but it would always come back within 5-10 minutes or so. There’d be times on Linux when it wouldn’t until I’d missed two calls and three texts and an hour and a half had gone by because the system was choking on a comma or a misplaced semicolon it found somewhere in the background and wouldn’t reset until I forced airplane mode off and on. If I was at home, or in the city, I’d never notice this problem, but the second I hit a road trip or went to work, boy.

        Also, and this is just my phone, my OP6T had iffy microphone and earpiece settings. Pulse Audio was at the forefront of this audio stack almost entirely unchanged from its appearance on gnome or kde and on a phone it’s just confusing and obtuse as to what app is using what and what even is what. If you got it right, it was fine, then the next call it wouldn’t be, or would change back, again, probably more the 6T being a 6T than anything else.

        I think right now, in this interim period, I’m going to buy a hotspot that I can just slip a sim card into and tether a Linux phone to it. I can use Conversations on Waydroid and use JMP.chat to send phone calls and texts over XMPP. I did fine on my OP6T for my actual use of a phone. I was browsin’, I was textin’, I was sendin’ messages, I was doin’ terminal stuff, administratin’ my servers, readin’, listening to musicn’. It was fine. Will do some experimenting.

        • passenger@sopuli.xyz
          8 up · 27 days ago

          Very insightful and interesting. Thanks. I am using GrapheneOS at the moment and only have read about the Linux phones. Of course an open android system that is decoupled from Google and their shenanigans would be great as well. But I am not very hopeful as Google has started a battle on several fronts…

      • pinball_wizard@lemmy.zip
        10 up · edited · 27 days ago

        > f-droid might get closed as the userbase dwindles.

        Nah. F-Droid is already federation-ready. https://f-droid.org/docs/Installing_the_Server_and_Repo_Tools/

        I’ll run my own copy of the F-Droid servers, before I bend my knee to Google. So will others.

        Edit: But yes, you are correct that Linux phone is the long term solution. Android is a pile of corporate Java. Linux is a lean sleek set of mature highly optimized tools. Once the big show-stoppers are cleared, my Linux phone will be the envy of all who see me use it.

        • passenger@sopuli.xyz
          11 up · 27 days ago

          The big problem is, I think many apps will cease to get updates as the devs stop developing on Android. Just running F-Droid is not going to solve this.

          • pinball_wizard@lemmy.zip
            2 up · edited · 25 days ago

            My favorite Android apps are developed by people like myself who just wanted that app, and don’t really care if anyone else uses them.

            I assume we will all join the same BitTorrent link cloud thingy and swap APK files directly, if Google locks down Android.

            I will also switch to a Linux phone that much sooner, I imagine.

            Edit: Pro tip - if that world happens and you want to stick with the crazy free range folks, look for updates in 2600 Magazine.

            • passenger@sopuli.xyz
              link
              fedilink
              English
              arrow-up
              1
              ·
              27 days ago

              I don’t know, Linux? But if they don’t want to get the dev certificate I doubt they continue to develop on Android.

              • 鳳凰院 凶真 (Hououin Kyouma)@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                1
                ·
                27 days ago

                Doubt it.

                Most of those on a Google ROM aren’t moving to GNU/Linux, it’s either Lineage, Graphene, etc…, or just give up on these non-google apps. “Linux” is so broken and dysfunctional compared to Android ROMs.

        • passenger@sopuli.xyz
          link
          fedilink
          English
          arrow-up
          6
          ·
          edit-2
          27 days ago

          I do not know, I hope it is there somewhere.

          What should happen at this point is EU and European governments (and why not others) doling out money to do it.

          The risk of the phone duopoly to Europe (among others) is too great now with the US already having succumbed to outright fascism and its tech sector running around rampant with blatant disregard for any kind of basic human rights. They all seem to correct themselves only after lawsuits and only in the EU sector.

      • Mubelotix@jlai.lu
        link
        fedilink
        English
        arrow-up
        4
        ·
        27 days ago

        Fdroid will not close, it’s decentralized. I have my little personal repository with apps I care about. Thousands of people do. Together we have pretty much everything

          • Lfrith@lemmy.ca
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            26 days ago

            Maybe an altstore type option will pop up so people don’t have to manually install or update each app they use with adb. Might lead to enough people still sideloading on non custom rom phones so there is still interest providing apps for people.

    • YiddishMcSquidish@lemmy.today
      link
      fedilink
      English
      arrow-up
      4
      ·
      27 days ago

      Holy crap I got one! So stoked to try it out! I’ve been seeing all the pixel stuff about it and just assumed it was flagships only, but my $150 unlocked phone is supported! Thanks for the push I needed to look it up.

    • Lfrith@lemmy.ca
      link
      fedilink
      English
      arrow-up
      3
      ·
      27 days ago

      I think the way forward for me once these restrictions come in place will be to go with custom rom for my main phone, and a cheap stock phone for just apps that aren’t custom rom friendly like bank apps. I don’t need bank apps on the go, so not really going to need to carry 2 personal phones around.

      • kjo@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        26 days ago

        This is the same as moto g45 5G I think. Apparently moto g 5Gmoto g45 5G.

        I am considering moto g45 5G at the moment.

        I will probably keep my current device for shit apps necessary for banking etc.
        I will install LineageOS on moto g45, and it will be for programs that will not have google’s approval / F-Droid stuff.

  • katy ✨@piefed.blahaj.zone
    link
    fedilink
    English
    arrow-up
    17
    ·
    27 days ago

    really hope someone finds a way to break google’s block on apks that aren’t registered. with more and more manufacturers locking down bootloaders, changing roms is no longer an option.

  • Raccoonn@lemmy.ml
    link
    fedilink
    English
    arrow-up
    16
    ·
    26 days ago

    The only apps I have installed from the play store are ones that came pre-installed with the phone. The rest are all from f-droid…

    LONG LIVE F-DROID ! !

  • MudMan@fedia.io
    link
    fedilink
    arrow-up
    16
    arrow-down
    4
    ·
    27 days ago

    I’m confused by this:

    The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications.

    If it were to be put into effect, the developer registration decree will end the F-Droid project and other free/open-source app distribution sources as we know them today, and the world will be deprived of the safety and security of the catalog of thousands of apps that can be trusted and verified by any and all. F-Droid’s myriad users will be left adrift, with no means to install — or even update their existing installed — applications.

    My understanding is that developers need to sign up with Google and once they have an account they can sign their own apks.

    How would this impact F-Droid in any way? Presumably by the time F-Droid enters the picture the developers of the apps they distribute would have already gone through that entire process, right? The apks will be tied to that new Google certificate, but after that they can still be distributed anywhere.

    I mean, don’t get me wrong, this has genuine, very serious, dealbreaking issues, in that Google can just cancel the account of a developer making apps they don’t like, the same way Apple has done in the past. That’s not great. But from F-Droid’s perspective all of that has happened upstream, they are not anywhere in that loop, unless I’ve misunderstood the changes.

    • pivot_root@lemmy.world
      link
      fedilink
      English
      arrow-up
      63
      ·
      edit-2
      27 days ago

      How would this impact F-Droid in any way?

      F-Droid itself builds the APKs to ensure that they’re reproducible and not signed on a development machine that could be compromised.

      https://f-droid.org/en/docs/FAQ_-_General/#is-your-building-and-signing-process-secure

      With these changes, either:

      • They use Google’s developer identity process to sign every APK they build with their own developer identity, which Google is likely not going to allow or is going to quickly find an example of a “malicious” app so they can blacklist all of them; or
      • They stop building APKs and just trust the developer provides a non-malicious, pre-verified APK;
      • They find a way to mediate the process between the original developer and Google. Knowing Google, they would make it as needlessly painful for everyone involved to discourage and punish alternative app stores.
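
The reproducibility check pivot_root describes (rebuild from source, then confirm a developer-signed APK carries the same payload) can be sketched as follows. This is an added example, not part of the original comment and not F-Droid's own tooling; it is a simplification that compares entry contents only, and the APK-shaped archives and helper names are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# v1 (JAR) signature files live under META-INF/. The v2/v3 APK Signing Block
# is not a ZIP entry, so an entry-wise comparison never sees it.
SIG_ENTRY = re.compile(r"^META-INF/([^/]+\.(SF|RSA|DSA|EC)|MANIFEST\.MF)$")


def payload_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not SIG_ENTRY.match(info.filename)
        }


def compare_builds(rebuilt, published):
    """Return the sorted entry names whose contents differ between builds."""
    a, b = payload_digests(rebuilt), payload_digests(published)
    return sorted(name for name in a.keys() | b.keys() if a.get(name) != b.get(name))


def make_apk(entries):
    """Build an APK-shaped ZIP in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: an unsigned rebuild from source, the developer's signed
# release of the same code, and a signed release whose code was altered.
PAYLOAD = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-from-source"}
SIGNATURE = {"META-INF/MANIFEST.MF": b"m", "META-INF/CERT.SF": b"s", "META-INF/CERT.RSA": b"r"}
SOURCE_BUILD = make_apk(PAYLOAD)
DEV_SIGNED = make_apk({**PAYLOAD, **SIGNATURE})
TAMPERED = make_apk({**PAYLOAD, "classes.dex": b"dex-with-extra-code", **SIGNATURE})

if __name__ == "__main__":
    print("signed release vs rebuild:", compare_builds(SOURCE_BUILD, DEV_SIGNED))
    print("altered release vs rebuild:", compare_builds(SOURCE_BUILD, TAMPERED))
```

An empty result means the signature is the only difference between the two builds; any listed entry is content that did not come from the published source.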

      • MudMan@fedia.io
        link
        fedilink
        arrow-up
        13
        ·
        27 days ago

        Oooh, gotcha. That makes sense.

        I guess it’d make sense to take that first option as far as it will go, at which point the issue becomes litigating this the first time Google has their own weird censorship issue in the Apple mold. I’d expect if they ban all of F-Droid explicitly that would at least make more ripples than going after a single torrent client app or whatever. It may play out different from a regulatory perspective, too, if the practical effect is they ban third party stores.

        Side note, I’m really mad at the very deliberate choice Google made of categorizing all potential apps as either “apps meant for Google Play” or “student or hobbyist apps”. You know they know why that’s wrong, but it still makes you want to explain it to them.

    • calm.like.a.bomb@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      9
      ·
      27 days ago

      My understanding is that developers need to sign up with Google and once they have an account they can sign their own apks.

      Yes, and google asks for identification from the developers, and a lot of open source developers - having privacy in mind - don’t want to provide personal information. This is shitty beyond anything google has done before.

      • MudMan@fedia.io
        link
        fedilink
        arrow-up
        4
        arrow-down
        1
        ·
        27 days ago

        “Want” isn’t my concern. Presumably no developers want to give Google a piece of anything they generate, open source or not.

        My concern was not understanding how this interferes with F-Droid and that has been explained above: F-Droid builds their own APKs for verification and this process potentially makes that a lot harder while not providing a replacement for their verification from Google.

        That makes sense and it is indeed a dealbreaker. The other thing much less so.

  • Auth@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    26 days ago

    Google can do this for their own store first. I doubt it will make any difference in the number of malicious and shit apps on that store. Requiring this be mandatory for everyone is clearly malicious.

    • KuroiKaze@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      25 days ago

      I feel like you don’t really know anything about the scam community, but a side loaded app is like 500 times more likely to be malware than a Play store app. The amount of millions that have been stolen from users in India, Mexico, Africa, and Brazil because of sideloaded apps is pretty staggering.

      I’m fairly certain fdroid should just be able to alter the way that they’re doing things a bit and still exist under the need to obtain a signing cert from Google.

      I mean personally I’m not on the same side with this. I would rather Google not do this without some way to disable it via the UI given enough warnings and what not.

  • thespcicifcocean@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    27 days ago

    wellp. time to go back to a time where phones were phones and not much more. i don’t need a smart phone, i barely wanted one to begin with. i just want a way to talk to people, send sms with a T9 keyboard, listen to preloaded MP3s and maybe play snake.

  • DupaCycki@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    25 days ago

    The USA with its corporations setting a new, unbeatable WR in any% glitchless turning into a dictatorship with zero human rights or freedoms.

    • Snoopy@piefed.social
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      21 days ago

      FDroid is an alternative app store where its main focus is Free (libre) software. Free in the sense of freedom. They also have a strong focus on tracking. Under an app, you have “anti-features” that tell you that part of its code is not open source or that there is sensitive data. :)

      You should visit their website. ;)

      Here is some info from their website :)

      F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.

      FDroid respects your privacy. We don’t track you, or your device. We don’t track what you install. You don’t need an account to use the client, and it sends no additional identifying data when communicating with our web servers, other than its version number.

      We don’t even allow you to install other applications from the repository that track you, unless you first enable ‘Tracking’ in the AntiFeatures section of preferences.

      Any personal data you decide to give us (e.g. your email address when registering for an account to post on the forum) goes no further than us, and will not be used for anything other than allowing you to maintain your account.