
> In a pilot program launched in Singapore, the tech giant now blocks the installation of certain sideloaded apps—particularly those requesting sensitive permissions such as SMS access or accessibility services—if they are downloaded via web browsers, messaging apps, or file managers.

There are a lot of qualifiers on this: Only in Singapore, only on apps requesting certain permissions frequently used by scams, and only when downloaded via certain paths.

I don’t see the full details but this implies that it’s still possible for advanced users to side load whatever they want. They don’t want to make it easy for the average user to start sideloading apps that access SMS permissions or accessibility controls.

If it takes a few extra steps for the advanced user to sideload these apps that’s not really a big infringement on freedom like this purism PR piece is trying to imply. Unfortunately sideloaded apps are a problematic scam avenue for low-tech users.

> The move, developed in partnership with Singapore’s Cyber Security Agency, is designed to prevent fraud and malware-enabled scams.

This explains why it’s only in Singapore for now.



I think you're dismissing legitimate concerns without fully understanding them, because through the right lens you realize how this can be anticompetitive in the mass market.

Even if some technically inclined folk can install what they want, the masses will stay in the walled garden so that Google can get their cut and exert ideological control. Even now, both Google and Apple engage in practices across their product that are designed to scare people away from third party applications. From Google's terminology when describing Google in banners as "a more secure browser" etc, to Apple requiring a secret incantation in order to run unsigned apps.

All of this kind of mind control bullshit should be eradicated via regulation. Companies should not have a license to be deceptive towards their users.


The comment you're responding to includes the line:

> The move, developed in partnership with Singapore’s Cyber Security Agency, is designed to prevent fraud and malware-enabled scams.

Your comment seems to disregard it and instead lay this entirely at Google's feet as if they're seeking anti-competitive behavior - but if this was driven by a government, does Google really deserve all the blame?

(Note that I am explicitly not endorsing the move. I think sideloading should be left mostly untouched.)


Singapore is far from a nation known for free speech or to pick the side of liberty should it come into conflict with security. I've no doubt whatsoever that approved apps on a CTS "hardware backed" remote attestation phone is more secure. It's also possible to remotely own such a device unambiguously, and provides a central place where apps can be taken offline. It's win win from the point of view of a security agency. It's not from mine.


> partnership

Could mean anything from reluctant to opportunistic.


Isn't the Singapore government pretty authoritarian? They might have other motivation than just pure user security.


Google has already been weighed and found guilty of creating and persisting systemic anti competitive policy.


> Your comment seems to disregard it

Because it's irrelevant.

> but if this was driven by a government, does Google really deserve all the blame?

Of course. If the government ordered Google to assist in a genocide against some demographic, and Google goes along with it, it doesn't matter if the government is also evil. Google is evil for playing ball.

And we don't have to speak in hypotheticals. Both Google and Amazon are actively engaging in tech-assisted genocide.

https://www.aljazeera.com/news/2024/4/23/what-is-project-nim...

I have boycotted Amazon for a while now and I'd boycott Google too if it wasn't so pervasive in my professional life.


When you understand that this is not literally the truth, but is actually still true.


I'm not sure what you're talking about, mind elaborating?


I would love to, but this is the wrong forum. This is going to sound weird if you understand these events purely literally, but me and you are ideologically aligned, but not dialectically aligned. There is a much greater truth to this entire situation.


And what is that truth?


The masses will always stay in the walled garden. It's where they want to be and they don't even realize there are walls. It is just what is for them.


> The masses will always stay in the walled garden. It's where they want to be and they don't even realize there are walls. It is just what is for them.

The walls should have open doors, though, versus prison bars. Physical switches on devices (much like older Chromebook devices had) used to opt out of the walled garden should be mandated by consumer protection regulations.


It's not entirely unlike the qualified/accredited investor rules which won't let you invest in unregulated securities without income/net worth/certification requirements. No form exists which would allow someone to say "hey, I get why these walls are here, but I understand and am opting out of your protection".

I personally think there should be (I value individual rights/freedom over preventing someone from harming themselves), but I also see why we ended up here. When bad things happen, people demand action and government wants to be seen as doing something.


Really, we're talking Singapore, which is one of the most restrictive places in the world.

Have the EU counterbalance this closing with extra fines for anticompetitive behavior.


> Physical switches on devices (much like older Chromebook devices had) used to opt out of the walled garden should be mandated by consumer protection regulations.

I don’t want to live in the same society as the person that wrote this asinine comment with this much confidence. We are just ideologically incompatible


How so? I understand the tension between freedom to tinker and consumer protection. It's OK to assign different values to either of them. And there are definitely ways to reconcile the two positions. Some of that will have to come through nuanced regulations.

For example, it could be regulated that if the switch is flipped (or a fuse is blown irreversibly) on a device, responsibility for the device and its software falls entirely onto the owner. So if they get phished on an unprotected device and lose their life savings, it's entirely on them. Manufacturers and service providers have no obligation to support them.


Once you have enough power to legislate and enforce this, what's to stop a future administration from tightening the ratchet just a little bit further and forcing users to purchase TPM computers with unbreakable DRM and encrypted blobs running who knows what, and no ability for users to modify their system, change hardware or operating systems without either running afoul of the law or losing access to banking and insurance?


My comment (GGGP) was about regulating devices to require physical switches to allow the owner of the device to opt for freedom. I'm not sure where you got DRM-type stuff out of that.

I think efuses being blown by device manufacturers should be illegal.

I think bootloaders that don't allow the device owner to run whatever software they want should be illegal.

I think device owners should be permitted to repair their devices without losing functionality because of DRM embedded in the parts themselves.

I think a physical switch, exercisable only with physical access, should be present on locked-down devices to allow the owner to exercise their ownership over the device. If that means that "attestation" functionality breaks and that causes some third-party software to "break", so be it.

(I think the problem with banks, etc, requiring "trusted" devices is also in the realm of consumer protection, probably in banking regulation. I haven't thought about it deeply.)


Think about it some more. I'm talking about the incremental increases in power coupled with unpredictable administration changes, and how each new increase in federal power creates multiple branches for slightly increasing power even more, until without realizing it, we've let our government slowly move the Overton window right where it needs to be for an authoritarian power grab and restriction of freedoms. We have to be extremely careful about the powers we give our governments, because they do not give them back without a fight, and they're always looking to expand their reach.


Well, you do realize that there are already a lot of laws covering these things, right? If you're this cynical, then you need to realize that stuff like what you describe could be legislated at any time. There's no real barrier.


Obviously, why do you think I'm raising awareness? Right-to-repair is a huge issue across multiple regions and industries, with uneven progress across the US.


Normal users complain about not being able to change things on their devices all the time. My whole family was pissed about the latest android update because Gemini was foisted on them and they didn't know how to turn it off.


It's a misconception that the masses want it

I don't think they cheered at the arrival of the Microsoft Store on Windows, for example.

That's what's pushed for on the current smartphones, and they accept it; they easily don't see the problems, and it can seem complex for them to avoid it.


Other than when talking with other techies and on forums like this one I've never heard anyone complain about ads in Windows or the Microsoft Store. Again, for most people, computers and web sites and apps just are what they are. They don't even realize there's any other way.


Yeah, it's like saying the masses wanted high-fructose corn syrup, or lead, or asbestos, or BPA, or CFCs, or whatever other cost-saving or profit-increasing but classist and consumer-hostile product or practice was foisted upon us and sweetened with deep propaganda and gaslighting, bankrolled by global corporate interests.


> All of this kind of mind control bullshit should be eradicated via regulation. Companies should not have a license to be deceptive towards their users.

I agree with you. However, the impact of scams should not be underestimated either.


To me it seems like fighting teen pregnancy by preaching abstinence. We should be teaching a higher baseline of computer literacy, and providing more secure systems that keep the user in control and in the know when it comes to their own device and the software running on it.

Attacking the problem by reducing user freedoms and increasingly monopolistic control is not the answer, even though Google's PR department would tell you otherwise.


As far as I know the reason you don't preach abstinence, beyond enforcing your morals, is that it is not effective.

So the question of whether this effectively reduces scams is the first question to answer.


Yeah, it's definitely a piece to the puzzle. I still think it's not so hard to prove that increasing technical literacy, outlawing deceptive UX and language that prey on information asymmetry, and providing increased autonomy with more fine-grained and visible security controls is a net win for the population, whether or not this particular method of Google's is effective enough against spam compared to some baseline.


Agreed. Android already has a seriously big whitelisting requirement for installing applications from outside the Google Play store.

The correct way to do it would be to whitelist other good stores, and allow developer mode installs with an extra process that says explicitly I am extra sure this may be dangerous, but no. This would reduce Google's income streams.

The way I see it, it must be attacked the way default Internet Explorer was attacked.


> To me it seems like fighting teen pregnancy by preaching abstinence.

More like fighting teen pregnancy by mandating chastity belts... With the same ultimate problems too: those most determined to overcome the block will make use of bolt cutters or their digital equivalent.


.... This doesn't stop scammers. Software will never stop scammers. It's pretty wild that people would be willing to sacrifice their freedom permanently so a scammer can spend two weeks thinking of another approach to scam.


You are correct. But it's not about stopping scammers, it's about making their lives as difficult as possible. The problem is, as seen with Facebook [1], even that was not enough to stop "self-xss" exploits.

The actual way to stop the scammers would be to sanction their host countries into oblivion: India, Philippines and Myanmar are big in targeting English-speaking countries, and Turkey when it comes to German-speaking countries. Scammer Payback alone has made so many complaints with very little follow up from local authorities, partially due to open corruption. Either these countries clean up their act or they get dropped from SS7 (phone) and the Internet. But I see no way of this ever happening.

[1] https://stackoverflow.com/questions/21692646/how-does-facebo...


> There are a lot of qualifiers on this: Only in Singapore, only on apps requesting certain permissions frequently used by scams, and only when downloaded via certain paths.

Only certain permissions actually matter. That's one of three.

But "only in Singapore so far" is not reassuring.

And "downloaded via certain paths"? Browsers and file managers are the normal ways to put files onto a phone. That doesn't reassure me at all.


Browsers and file managers are absolutely not the "normal ways" to put apps in a phone however.


Well sure but "app store" is already excluded by the context of sideloading.


Unless they block ADB, I wouldn't say it's accurate to claim they're "blocking sideloading". That said, it's clearly a balancing act between protecting people from installing malware but allowing them to intentionally install things they really do want to install, regardless of what permissions they need.


Every time the technical sophistication required to install apps from anywhere but Google's store (I don't love the term "sideloading" since it kind of denormalizes the act) is increased, the chances anyone will put in the effort to distribute apps any other way goes down. It also means apps Google doesn't want in its store are less likely to get made; I'd really like to see something that prioritizes notifications for me, for example, and I think that's against Google's rules.

I'm sure making it harder to obtain software outside a first-party app store provides some protection to some users from scams, but I really don't want that to be the answer. I don't claim to have a good one myself.


They don't, and they don't even block F-Droid. You can also just disable Play Protect (though Google won't let you while you're on a call, probably a smart move). According to the Singapore police, scammers also have victims download VPNs off Google Play to work around the regional restrictions.

I don't think the restrictions are doing much for victims. I assume Google was pressured into doing this by the authorities, or may be doing this to get in a good spot politically.


Requiring a user to own a PC in order to sideload apps (with adb) would, in fact, count as blocking sideloading, albeit partially. So I don't think that's the right limit.


I've sideloaded apps for other people. They don't have to own a PC but it's true that it'll slow it down, so you do have a point.


Yeah, just like you can sideload on iPhone by desoldering the flash, decrypting it, and modifying the OS.

Just because something is technically possible does not make it a solution


That's a little higher bar than plugging in a usb cable and running ADB... but I would agree that most users probably won't figure out how to sideload from a terminal.


Once it's normalized it's just one more step to block everything. No thanks.


> There are a lot of qualifiers on this: Only in Singapore,

We had a big client from Singapore who only agreed to buy our SaaS subscription after we integrated SingPass (Singapore's national digital identity system) for user login.

When I read "Singapore" in the OP I immediately remembered about it.

The client is not with us anymore, but we still have this thing somewhere in the codebase :)


> There are a lot of qualifiers on this: Only in Singapore, only on apps requesting certain permissions frequently used by scams, and only when downloaded via certain paths.

Those "certain paths" include "file managers"; how exactly would you sideload an app without providing the file?


Boiling the frog though... Obviously they're not going to roll it out all in one go.


They can still add more locations later.

I would prefer if Google moved in the direction of giving apps fake permissions. Otherwise the scammers will just move onto another layer.


It will always be possible to side-load apps on Android if you really want. It is one big strength of Android. There are many no-internet Android deployments in the wild that rely on this feature.



