• Onno (VK6FLAB)@lemmy.radio
    6 days ago

    I’ve been an Android user since the HTC Desire in 2010.

    I’m unsure what the author of the article is advocating, since the “raw deal” appears to be geared towards making the Android environment more secure.

    The author laments that they now have to manually enable security bypass settings and that some (they call it developers, but I’m not sure if they’re referring to Application Development or Phone Platform Development) “developers” can lock down with further API checks.

    I’ve been an ICT professional for over 40 years and security is always a balance. On the one end it looks like a phone in a locked room, inaccessible to anyone, on the other end it’s a free-for-all, open to anyone.

    I’m not at all sure what the author wants, except for wanting to roll back time to something less secure.

    • vividspecter@lemm.ee
      6 days ago

      Ultimately, the user should be able to decide for themselves how much security they are willing to compromise for power and flexibility. Whether this particular compromise is acceptable would depend on just how annoying it is in practice, but it’s a trend I’m not a fan of.

      On the plus side, if this compromises third party app store usage even more, it may be more fuel for the anti-trust lawsuits aimed at Google (although who knows how that will play out given who is becoming president).

      • Virkkunen@fedia.io
        6 days ago

        These new security features do not (and can not) apply to apps distributed outside of the Play Store, so it won’t compromise third party stores whatsoever.

    • OsrsNeedsF2P@lemmy.ml
      6 days ago

      As someone who’s always been side loading apps and doing custom configs, it’s just so much harder compared to what it used to be. So many hidden settings. So many menus you have to go through in the right order. So many reverts that happen each update.

      You say it’s in the name of security, but I don’t see it. Something is fundamentally broken here, if Google really believes this is the best path forward.

      Edit: and btw, I work in big tech too. I know how this update came to be. Some L6 looking for his packet decided to “decrease infected devices by 10%” by adding this friction, and everyone nodded along since the negative impact isn’t measurable.

    • ParetoOptimalDev@lemmy.today
      6 days ago

      Users are further forced to sacrifice their privacy to Google and Google Play rather than use something like F-droid.

    • nesc@lemmy.cafe
      6 days ago

      It makes it frustrating to use, not secure. When installed program stops working after 30 or whatever days of me not using it because my great white master decided that it doesn’t need what was granted by me at installation is not security it’s just spitting in my face. I don’t care about what “developers” want why should anyone?

    • albert180@discuss.tchncs.de
      6 days ago

      Somehow no one needs that much hand-holding or “security” on the computer, where no revenue streams of Google/Apple are affected.

      • Zak@lemmy.world
        5 days ago

        I’ve been the person people came to (and paid money to) when they installed something stupid on Windows XP in 2003. Quite a few people do need their hand held to use a computer effectively.

        Until that era, app developers were generally considered trustworthy. Malware existed, but anything that openly advertised itself, that users would install intentionally was unlikely to work against their interests. “Spyware” was a new category. App permissions in smartphones represent a recognition that app developers do not necessarily share the users’ interests.

        I certainly don’t want knowledgeable users locked out of making decisions for themselves (even bad ones), but arranging the UI so that someone with a limited understanding will have a hard time finding the dangerous settings isn’t a bad thing.

      • Onno (VK6FLAB)@lemmy.radio
        6 days ago

        You have a very distorted view of security. The Apple computer ecosystem closely mirrors their phone and tablet system.

        Microsoft Windows is an absolute shitshow and continues to get worse at every iteration.

        • albert180@discuss.tchncs.de
          6 days ago

          I can install another operating system on a Mac without any roadblocks, and I can install apps unrestricted, without the need for a developer account or a certificate.

          Otherwise I’m using GNU/Linux, which also doesn’t try to “protect” me in the interest of some corporation.

          • Onno (VK6FLAB)@lemmy.radio
            6 days ago

            Actually, no you cannot. You need to adjust and grant permissions for anything you install on a Mac OS system today.

            Source: I own a Mac, it’s less than six months old. Installing stuff is full of permission requests.

            As for Linux, I’ve used and installed it for over 25 years. It’s not ready for 3 billion home users and at the rate it’s going, it won’t ever get there.

            Yes, I know, Android is Linux, well done, here’s an elephant stamp.

            • ladfrombrad 🇬🇧@lemdro.idM
              6 days ago

              I’ve also been using Linux for a similar amount of time, and it’s only at work now I have to use Windows.

              And as for home users using Linux? I have a few family members quite happy with Ubuntu / Firefox since all they need is a browser and VLC for their “PC”, so I don’t know where you got that “it’ll never get there” metric from.

              Alright they don’t have a clue how Jellyfin works on that box, but they sure do appreciate and use it a lot these days now they’ve got used to it / dumping Netflix.

            • albert180@discuss.tchncs.de
              6 days ago

              Of course you can install Asahi Linux on a modern Mac, and you can sideload apps too. Both are things which are not possible on iOS without major roadblocks.

    • Kokesh@lemmy.world
      6 days ago

      As an IT professional I must disagree. Dumbing down the platform isn’t good. Let’s hope Magisk Deny list keeps working.

      • Onno (VK6FLAB)@lemmy.radio
        6 days ago

        Happy to debate.

        According to the article there are now more than 3 billion Android users. I have no information to the contrary.

        How do you expect to attempt to secure that many devices by allowing the platform to continue as it was?

        You call it dumbing down, which I understand, but how do you stop all the click-happy people from installing the next nefarious “game”, when they already have little to no chance to avoid email spam and SMS scams, let alone LLM generated “custom targeted” exploits.

        I get that there are users who use this (now) vanishing functionality, but are they representative of the total user base, or edge cases? Neither you nor I have any hard data on that, but I know that as an ICT professional, I’m an outlier.

        I’m no friend of Google’s business model, but I don’t believe that they’re purposefully shooting themselves in the foot, mind you, I’ll concede that it has a poor track record in the past few years.

        Let’s progress the conversation.

        How would you protect essentially computer and security illiterate users from malware in a scalable and sustainable manner?

        As an aside, I’m a long term (25+ years) Linux user and have used pretty much everything since the 6502 was part of the picture. In my professional opinion we haven’t begun to figure out how to do this in the desktop world, Android is so far the closest we’ve managed and I’m not seeing anything here (yet) that makes me see this as a mistake.

        • vrighter@discuss.tchncs.de
          5 days ago

          We expect everyone to take the time to learn how to use anything else. We just use the same expectations for tech stuff.

          • Onno (VK6FLAB)@lemmy.radio
            5 days ago

            That’s not at all true. We no longer expect drivers to change sparkplugs (or batteries), even checking oil levels is beyond most, let alone using a manual gearbox or disabling airbags.

            You have to understand that the fact that you’re here in this community participating in this discussion already puts you in a very small subset of humanity with technology skills not in evidence in the general public.

            • vrighter@discuss.tchncs.de
              5 days ago

              how to use their stuff. We don’t expect them to know what’s under the hood. But we do expect them to have knowledge of the rules of the road, what the traffic signs mean, the fact that driving at high speed into a wall is not desirable etc. Simple everyday stuff required to be able to use, not maintain, a car.

              “Read the stuff on screen and at least try to understand it” is the barest minimum. But we don’t even expect that of anyone anymore. Or even something as simple as if you see a red flashing sign saying “IF YOU DO THIS YOU WILL BE IN DANGER!”, at least try having a 2nd look.

              • Onno (VK6FLAB)@lemmy.radio
                5 days ago

                I’ve been writing software for a very long time. Users are essentially stupid and lazy. They don’t read what’s on a screen, even if it’s the only thing on the screen, even if you don’t give them any other options than clicking “Ok”.

                When I say stupid, it’s not that they’re dumb, it’s that their mental model of the world doesn’t match the computer one, saying things like: “well, that’s stupid, it should be like this”, followed by a completely illogical and unimplementable world view of the problem they think is being solved.

                For the majority of humanity, computers are magic and no amount of arguing here is going to change this in our lifetime. It’s why AI is welcomed with open arms and no thought to its reality.

                • FlowVoid@lemmy.world
                  4 days ago

                  Those “stupid and lazy” users own their phones, not you. They are the admins of their devices, not you. And as admins they should have full control over the security policy, not you.

                  • absGeekNZ@lemmy.nz
                    3 days ago

                    > They are the admins of their devices, not you. And as admins they should have full control over the security policy, not you.

                    I can’t agree with you there, a few years ago I installed Mint on my mum’s old desktop. It was either that or pay for a new Windows license to “upgrade” to Win10. She doesn’t have admin, doesn’t even know what admin is and would be unwilling to learn if she did know.

                    Not all users need to be admins, in fact most don’t want it.

                    Me, however, I get pissy if the machine stops me doing what I want to do.

        • albert180@discuss.tchncs.de
          6 days ago

          > You call it dumbing down, which I understand, but how do you stop all the click-happy people from installing the next nefarious “game”, when they already have little to no chance to avoid email spam and SMS scams, let alone LLM generated “custom targeted” exploits.

          That’s the neat part, you don’t.

          Their choice, their consequences. There are enough warnings on the way there, they are free people and were informed about the risks.

          > As an aside, I’m a long term (25+ years) Linux user and have used pretty much everything since the 6502 was part of the picture. In my professional opinion we haven’t begun to figure out how to do this in the desktop world

          App distribution via Flatpaks and immutable OS are already pretty much there. Did you try a recent Fedora version?

    • vrighter@discuss.tchncs.de
      5 days ago

      I just wish the system had a global setting for “I know what I am doing, stop trying to protect me”. Stop revoking permissions you think I don’t need. Stop restricting everything. Just turn all of those things off by default. I only have a couple apps installed, let me be the judge of me. And stop having me reconfigure every app individually just so you’ll let it run for as long as I want it to.

    • limerod@reddthat.comM
      6 days ago

      Yeah, the author and people are fussing over without reason. Regular users do not understand the implication of sideloading apps. I have had people get their Telegram/WhatsApp hacked because someone sent them a malicious link and they sent their login credentials to that website/app.

      Restricting sensitive permissions will mean such people are better protected from such mistakes. Advanced users can still bypass the requirements even though it may be slightly complicated.

        • limerod@reddthat.comM
          5 days ago

          Yeah, this change (scoped storage) is annoying. You need adb, root or system level apps to bypass the requirement. File access is also slow. That’s the reason image loading and image deletion is slow in Google Photos app compared to the native gallery app of my smartphone.

          Anyway, the trend is clear. More security for the end user. You can root, flash a custom ROM, or use a Linux-based smartphone if you do not like the restrictions. It’s more friction but that’s not going to change for the better.

    • Zak@lemmy.world
      5 days ago

      > I’m not at all sure what the author wants, except for wanting to roll back time to something less secure.

      I’m not sure what the author wants either because the article is written in such a both sides style.

      I know what I want though, and it definitely includes access to “dangerous” permissions; I’ve had root on my smartphone pretty much as long as I’ve been using one. I don’t mind making those a bit awkward to turn on though, and it seems like that’s what’s going on here. If anything, I’d like to see that broadened to all apps rather than just installs outside app stores.

      What I don’t want, and what I’m concerned about, is that this is a stepping stone to a system where some permissions are only available to apps from Google-approved app stores, or a scenario like iOS where apps can only be installed from stores or with Google-approved developer credentials.

    • woelkchen@lemmy.world
      6 days ago

      > I’m unsure what the author of the article is advocating, since the “raw deal” appears to be geared towards making the Android environment more secure.

      “These tighter security measures protect average users from malicious apps but risk alienating power users, amateur developers, modders, and enthusiasts who depend on Android’s flexibility.”

      The author acknowledges this in literally the second sentence.