

(I don’t need strong censorship resistance; it just has to work in offices and hotel WiFis.)
WireGuard on 443 or OpenVPN + stunnel on 443
WireGuard is easier to set up because there’s no OpenVPN app that packages stunnel (afaik), so you have to run 2 apps on your phone to make it work.
A server like Caddy can also accept HTTPS traffic for some regular websites next to the VPN server.
WireGuard uses UDP, so just run whatever you want on 443 TCP with Caddy (unless you want QUIC for some reason?)
Anything beyond that and you’d be looking at using a proper obfuscation solution like Shadowsocks or obfs4, in which case you should look into Amnezia or Tor bridges.
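
The WireGuard-on-UDP-443 plus Caddy-on-TCP-443 layout from the comment above, as an added example that is not part of the original comment. The tunnel addresses, the hostname `example.com`, the web root, and the key placeholders are assumptions. HTTP/3 is turned off in Caddy because QUIC would need the same UDP port 443 that WireGuard holds.

```conf
# --- /etc/wireguard/wg0.conf (server side) ---
[Interface]
# Tunnel address of the server (constructed example range)
Address = 10.8.0.1/24
# WireGuard only speaks UDP, so this binds UDP 443 and leaves TCP 443 free
ListenPort = 443
# Placeholder: output of `wg genkey`, never a real key in a shared file
PrivateKey = <server-private-key>

[Peer]
# Placeholder: public key of the phone or laptop
PublicKey = <client-public-key>
# Only this tunnel address is accepted from that peer
AllowedIPs = 10.8.0.2/32

# --- /etc/caddy/Caddyfile (same host) ---
{
	# Global options: offer HTTP/1.1 and HTTP/2 only.
	# Leaving h3 enabled would make Caddy try to use UDP 443 for QUIC,
	# which is the port WireGuard is already listening on.
	servers {
		protocols h1 h2
	}
}

# Ordinary HTTPS site served on TCP 443 next to the VPN
example.com {
	root * /var/www/html
	file_server
}
```

On the client, the peer's `Endpoint` then points at the server's address with port 443.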






Sideloading APKs is an easy vector but so is the Google Play Store. It’ll take scammers like 5 minutes to just perma move to GPlay shenanigans, and it’s already well known to have poor quality control and tons of malware available to download with the useless Play Protect logo.
This is just Google’s public justification for creating their walled garden. They already pulled this exact scam with Chinese OEMs which is how Huawei got banned, and others stopped selling in the US. They huffed up some story about CCP spyware and then mandated that GPlay be installed in full, otherwise face consequences from Congress.
Even Samsung got pulled in and they essentially agreed to use GApps as the de facto communication suite for their phones in exchange for allowing Samsung to continue to use their Galaxy store.
They see stuff like AOSP as a threat because anyone can just fork the OS and make their own non-Google Android, and they don’t want any OEM to replace GPlay like what Motorola is attempting right now (hence the increased urgency to lock down Android).
Google’s monopoly in the mobile space revolves around every phone using GPlay, so they’ll do anything to maintain their control.