Android apps are blocking sideloading and forcing Google Play versions instead
Android apps are blocking sideloading and forcing Google Play versions instead
"Select Play Partners" can block unofficial installation of their apps.
You might sideload an Android app, or manually install its APK package, if you're using a custom version of Android that doesn't include Google's Play Store. Alternately, the app might be experimental, under development, or perhaps no longer maintained and offered by its developer. Until now, the existence of sideload-ready APKs on the web was something that seemed to be tolerated, if warned against, by Google.
This quiet standstill is being shaken up by a new feature in Google's Play Integrity API. As reported by Android Authority, developer tools to push "remediation" dialogs during sideloading debuted at Google's I/O conference in May, have begun showing up on users' phones. Sideloaders of apps from the British shop Tesco, fandom app BeyBlade X, and ChatGPT have reported "Get this app from Play" prompts, which cannot be worked around. An Android gaming handheld user encountered a similarly worded prompt from Diablo Immortal on their device three months ago.
Google's Play Integrity API is how apps have previously blocked access when loaded onto phones that are in some way modified from a stock OS with all Google Play integrations intact. Recently, a popular two-factor authentication app blocked access on rooted phones, including the security-minded GrapheneOS. Apps can call the Play Integrity API and get back an "integrity verdict," relaying if the phone has a "trustworthy" software environment, has Google Play Protect enabled, and passes other software checks.
Graphene has questioned the veracity of Google's Integrity API and SafetyNet Attestation systems, recommending instead standard Android hardware attestation. Rahman notes that apps do not have to take an all-or-nothing approach to integrity checking. Rather than block installation entirely, apps could call on the API only during sensitive actions, issuing a warning there. But not having a Play Store connection can also deprive developers of metrics, allow for installation on incompatible devices (and resulting bad reviews), and, of course, open the door to paid app piracy.
If the Play Store becomes required like that then Android's already-shaky status as an open source base platform is going to go out the window. I'm glad there are non-Google distros of Android but there really needs to be more of a push to make a completely FOSS phone platform.
There are Linux phones available. I,m going to guess popularity of those devices to increase soon.
That was the hope with Android, too.
The problem is that as the OS is "free" that means it costs less functionally for the device manufacturer to get an OS on the device, so now they can pour more money into bloatware.
Android was supposed to stop bloatware but all it did was enable it.
Even without a forced "store" Linux is prey to the same issue of piecemeal support from various vendors all with in-house solutions that all stink.
I,m going to guess popularity of those devices to increase soon.
I don’t want to be pessimistic about it, however I think it’s gonna be like Windows: enshittification will happen, but inconvenience is “too small” for people that they’ll rather check for a workaround than leave the platform.
My guess is that we need something more appealing like the Steam Deck to make people take the step.
But part of the appeal of Linux is the fact that you can repurpose existing computers running other OSes to run Linux instead. This is a great way to lower the barrier to entry for Linux, because it's easy to test it on a Live USB or a dual boot. It's much harder to do this on phones because they have locked bootloaders.
Another problem is that phones are not productivity devices - they're consumption devices. Maybe this is just my personal bias, but I don't think people will be as passionate about liberating their phones because they're inherently less useful than computers. Convenient, yes, but useful? Not as much.
That said, I would love to be proven wrong. I would definitely consider a Linux phone if they become more popular/useful, but I can't really justify spending hundreds of euros/dollars on something for which I don't see any particular use.
There aren't, really. There are a few antiques and half baked things.
A big problem is that these days, unless you're the size of Apple or Samsung, it's impossible to get a reasonable hardware soc and modem other than one which only runs a soon obsolete blob laden android which is going to be EOL before you've even finished your design.
The hardware is not there. The firmware/hw data/platform isn't there even to begin OS work with. And there's a global shipping, regulation and mobile operator hell waiting on the other side. And a product lifecycle that's only a few years long.
Yes, I've worked for phone manufacturers.
The more I think about it, this may finally convince me to...shudders...switch to an iPhone. I've always stayed on Android because despite the recent Google bullshit, it still for the most part lets me do whatever. Side-loading apks is a huge part of that.
If it's turning into a shittier iOS clone, what's the point?
There are Linux mobile operating systems like PostmarketOS, but they are too early in development to be used by most people.
Murena phones look promising. And you can download their e/OS if you want to flash the phone you have, provided it's supported. https://murena.com
Seems stupid of them to crackdown on sideloading given their recent and ongoing monopoly spanking.
If someone would be buying those, someone would be selling. You have all the opportunity to fork current android, put it on a different platform, make sure all the drivers are open source instead of blobs, and sell it.
I'd really want to buy one. But I'll only do that after you somehow make sure the 3-5 major messaging apps, 2-3 major browsers, and a really good maps app are available.
So, basically, it's a 100 mil endeavor for an MVP really. So, I think, the chances of someone actually pulling it off are pretty slim.
This seems like a brilliant feature to roll out as they're getting investigated by the DOJ for being a monopoly.
Also, didn't the EU declare that Apple needs to allow other app stores on their devices?
This seems like a bonehead move all around..
everyone wants to be like apple
In this case, it seems like it's the app makers themselves who are requiring the Play Store, though. Unless I'm misreading this, the developers are using the Integrity API to determine if the app was installed through "official channels" (in this case, the Play Store). Feels like people should be upset at the companies behind the apps, here.
Google : "You don't own your phone, we own you."
I unironically think so. It offloads the blame onto individual app developers. Google can turn around and say oh well it’s what the market wants
Just the term "side loading" instantly frames installing software on a device you own as something shady.
Yes, that's the implication, and it's certainly intentional for you to think of it like that.
I've had people clueless about tech tell me that:
using Linux and not buying Windows I rob MS's developers,
not doing things the way big corporations want I deprive them of profits and thus rob their workers,
using your own device the way you want it is a crime if you have to bypass what the vendor does,
GPL and BSD licenses are not real sovereign citizen stuff, and if I'm not paying someone for software, I'm robbing the working class,
repairing things yourself in your house is robbing people working in those trades,
reading things in the Web is robbing university professors and book store workers and publishers,
having to learn a particular technology while doing my task at work means I'm a fraud and rob my employer or our clients, because apparently I have to keep all the today's tech in my head before needing any of it,
if I don't know some single thing another person knows, they are obviously better qualified than me (say, that other person can write Windows device drivers, while the job is about systems integration),
...
and I don't remember more stupid shit from those people and I don't want to, but generally being not a dumb ape in today's world is considered suspicious apparently.
After that wonderful experience I might be silent about my views with people usually, but really I'll never stop being anarchist (whatever kind of anarchism that is).
"side-loading" is literally the norm on Windows and Linux
This poster gets it!
What is a "trustworthy software environment"?
Does that mean that it will get mad and fail you for having Developer options enabled? Having F-Droid installed? Having it plugged into a computer?
There's a bank here that refuses to let you log into their app if you have developer options enabled. Their service was getting much better until that point, but I dropped them completely after that.
I use developer options to get better screen density on my large ass screen, and to you know...develop apps 🤷♂️
FUCK THESE ASSHOLES WHO THINK THEY CAN TELL ME WHAT I CAN AND CAN NOT DO WITH MY PHONE
People seriously need to start pushing back on the word "secure" being used as a blanket excuse for every restriction.
It feels like every time that word is used, no one is willing to call out the fact that user freedom is equally as important and it's a lazy, disrespectful developer who won't take that into account by finding ways to maintain both.
The Papa Murphy's app does this as well, it's ridiculous
According to the dumbfucks making the government application of Belgium (to read official communication) trustworthy means having developer mode disabled.
Androids best advantage used to be full control of the device... Those were the days. Then it started with saying they know better than you, then locking you out. Now I'm waiting on a new, better solution.
Honestly it's not like native Linux is too far fetched, but there would have to be a big open source common ground device collaboration.
Man I really hate how they stripped your permissions to access the internal and external storage, files can no longer access data from other apps even if you say allow all file access. Also if your phone supports SD cards, you might notice that you don't have write access to it for some reason on later versions of android. (I really struggled with this with my Galaxy S9 on Lineage), had to use apps that remounted my SD card and what not
So the EU's been forcing Apple to allow sideloading and Google goes Nah, it'll be fine?
Waiting for steamphone
So the EU's been forcing Apple to allow sideloading and Google goes Nah, it'll be fine?
No but you see we at Google aren't locking down sideloading. It's the individual app developers. With the api we gave them for that express purpose. Totally not us locking stuff down though, so EU please ignore us trying to indirectly close doors in our walled garden?
the same API that helps your app ASO
Ehh, this is basically just another form of DRM. No different than you having a Steam and GOG model. You can make your apps using DRM and enforce certain constraints
Google is allowing the app developers to choose (for now?). With Apple, developers never had the option to allow other stores or sideloading.
Google and Apple have come out against legislation that would broaden sideloading rights for smartphone owners, citing security and reliability concerns.
Fuck off google.
...as I upvote you from my Pixel. ☹️ I give the sad face because Google isn't who they once were and I'm just going to have to deal with that.
Never ask a company to pick between the right thing and profit. It was all a matter of time till Google needed to stop growing and start producing profit for investors.
To make it worse the Pixel 9 starts at $800 just like iPhone. So if you're buying Android you don't really save money over an iPhone like you used to.
Google and apple you can let us worry about our security ourselves, thank you, though I'm sure you have our best interests in mind and only that
What's the point of having an android phone then? I fucking hate android so much, but I only use it, not iOS, because of sideloading.
OfIf they take that away from us then why not just get an iPhone then? Our only hope is Linux phones picking up a little.This is just Google's clever way of not removing the sideloading feature from their OS.
They let app developers to prevent users from using sideloaded app.
This way they can avoid antitrust lawsuits.
I have high hopes for apps like lucky patcher and Revanced manager to help us avoid this bullshit
It's the apps that prevent themselves being sideloaded. Presumably, their devs will enact similar policy on EU iOS too.
Fuck me, it's like a butterfly effect, every mother fucker now will follow suit.
F-Droid
Most of the apps I have and use are installed via Droidify. The ones that aren't are company apps, like banking or airline. I could just used the web sites for those; they're only conveniences.
My phone isn't rooted, and I didn't read the article so I don't know how this will affect me. If push comes to shove, I'll simply bite the bullet and get a phone I can install Linux on next time, regardless of how polished for daily driving it is.
One reason would be that with an iPhone, you're paying two to five times the price of an Android phone with comparable hardware.
Hardware isn't everything. Apple has a couple of advantages over iPhone that let them do more with less:
- iOS needs to support a MUCH fewer devices than Android. Even before they switched to their own silicon, they've been optimizing the OS to the hardware really well giving you devices that go toe to toe with Android flagships of the same generation with SIGNIFICANTLY better hardware and like double the RAM. Also why Apple doesn't really care to increase RAM as much as the android side of things.
- Apple silicon is actually really good and making their own hardware allows them to optimize on both sides of the equation and lets them do more with less.
The selling points for Android (at least the way I've seen it over the years) have always been full control (talking about non-root, I'd rather not go down the root rabbit hole here) and (since iPhone 11 started doing firmware blocks on parts) reparability...but both seem to be going out the window lately.
Prices are crap though, but then again Android phones on the top end don't seem much better. 1-2 gen old iPhones are usually a bit more reasonable though tbh.
I do the same on android, as I have always owned a Samsung Note/Ultra. Only this year have I purchased a OnePlus phone, and I'll never fucking do it again, I hate this phone so much. Going back to Samsung for sure once the S25 Ultra drops.
the google store environment is such a pain, at work we have android based Zebra barcode readers... today when I was sideloading our app one of the devices kept uninstalling it because of google play... what a fucking pain in the ass
only when intune fully took it over did it stop...
DONT MAKE ME LIKE INTUNE GOOGLE.... JFK
Did you turn off Play Protect?
And yeah, when we set these barcode scanners up, unfortunately it made me appreciate Intune's Android management tools. I despise Microsoft and Google, but Microsoft won that round of "Who do I hate the least right now?"
I had a workflow that I designed in May and then we had to wait for the fiscal year to turn over before we could get another batch of the new style of devices. Between May and this week, Microsoft and Google must have made some changes because my workflow didn't work as directed. I hadnt needed to disable Play Protect for that initial workflow. I just waited until the Intune enrollment was clearly done (policies and profiles were completed in Intune) before I did the customization of the device with abs and such, that seemed to make the other devices go according to plan.
John F. Kennedy?
He'd probably try eating the stupid thing!
It's not like dedicated people aren't going to be able to just patch out the calls to this API from the apps themselves...
This feels like yet another attempt at DRM that is doing more harm than help.
You mean like literally every single attempt at DRM since the Big Bang?
Indeed, I already bypass SafetyNet and Play integrity with some kind of xposed module, I don't expect this to change.
Why would that be possible? Wouldn't the developer have their server rejected any calls from "unsigned" apps?
If functionality exists in the client app, there's nothing to be done to stop someone from bypassing checks.
Looking into it further this looks like it's an API between the backend of a service and Google though. That would be difficult to defeat, but you could probably spoof the identity of the requesting device with enough effort
Possibly, but many apps don't actually need to phone home to function.
Of course that doesn't stop developers arbitrarily requiring it.
I get most of my stuff via F-Droid or I could use Obtainium. My tablet is Google-free. This sounds like my phone should be Google-free as well.
Yeah but banking apps are starting to check integritynet, and (in France, at least) they're pretty much mandatory to do anything useful with your bank account/credit card online... I think Uber does too, I boycott them but others might follow suit...
Currently running lineageos, but I think I'll just give up and go for a Pixel for my next phone... Sucks to let google win but I like to do useful things with my phone...
yup they are tightening their grip again
Turing in to Apple
Waging war against ad blockers and third party clients and now this it seems?
Amazing that they can't seem to see that they are not going to win any customers by trying to out Apple Apple.
Haha, gross: We can't control the devices we own.
Was always inching closer, but looks like android has fully outstayed its welcome. The revolving door of executives hit its last person with any integrity on the ass on their way out the door.
They’re still pissed that people won’t put up with their shitty YouTube app and use Revanced instead, eh?
I have an android DAP (music player) that runs Android 7. It's a box with a headphone jack (remember those?) and it's sole purpose is to play offline music from an SD card.
I side-loaded a few music players, because there's no way I'm putting my Google password in android 7 in 2024.
I'd be upset if I couldn't side load. These DAPs never have an up to date android.
Let's hope the music apps I use don't block sideloading.
Poweramp won't. Musicolet?
Likely android 7 would not honor (or even be aware) of this new metadata bit. You'll be fine 🙂
The only reason I'm still sticking with Android is the ability to sideload
I have no reason to use an android if this is the road Google wants to follow and expect my next phone to be an iPhone SE
May as well sideload on iOS~
I'm in this boat. I really liked using Android and tinkering with it. If I do so now I cannot even use my banking app without doing aftercare each update
I just won't use any apps that do this. Simple.
Good luck when banking apps start doing this.
personally, i wouldn't trust a third-party created app with my banking details. what's more, i've removed all banking apps from my phone.
i don't need to allow access to my finances on the device which is most likely to get pinched out of everything i own. plus google and apple don't need to know which banks have accounts of mine.
imo that additional inconvenience to conduct all banking transactions from a browser is worth the candle.
Oh shit..
I already have to do this. My office wants everyone to use the MS authenticator app, won't run on LineageOS. Even if it did, I wouldn't install it, but still.
Ended up making them purchase a hardware security key for me instead.
Google Pain Services. Google Pisses Itself API.
Long live custom degoogled ROM.
which cannot be worked around.
Well, at least not without root lol
Root detecting apps to Side loading detecting apps:
First time?
I installed FakeStore and set the app's relevant
/data/system/packages.xmlproperties from Aurora Store to FakeStore (installer="com.android.vending" packageSource="0" installInitiator="com.android.vending", the same as Google Play Store) and rebooted, which was enough to fool the public transport app I'm using. Is this the workaround you're talking about, or does it require MicroG too?Yea that sounds about right, really hiding root is straight up magic as is (even though it's a cat and mouse game lol) and achieving that is 98% of the hard work of hiding the fact an app has been sideloaded. Short of a complete overhaul from Google where they actually try that is.
Which, if I'm being honest, doesn't seem like they are. It seems like a rather simple system all things considered. There's no Playstore specific keys or signatures or file checks or hashs as far as I can tell. Its just a flag and checking if Playstore exists on the device at all
"root access is used to bypass security measures!!!! We will make it harder to root your phones to keep your data safe" – Google
Well that fucking sucks
gee I wonder how long it will be before I can download the custom patches to get around this
Revanced patches will go BRRRRR on these
I use apps that aren't available in my region for language study, so this could end up being a real problem for me.
Good that most apps I use now are open source but for those few that I still get from Aurora Store it might be a death sentence but perhaps this API could be spoofed?
From where does the aurora store get the binaries?
From the Play store
OK I'm not going crazy then.
This is stupid. I will dig further into the real impact to Graphene.
Yeah, it happens to Spotify mods as well. This isn't good
Ew. Fuck google
I hate having to be on the side of "Defending" google... but this is the app makers fault, They are the ones using whats provided and installing the artificial limitations.
Google just provided the capability to do it. The app makers are executing it.
No, thanks for the clarification. I misunderstood that part.
i JUST started enjoying adfree YouTube via revanced, now it could go away?! fuck lol
This has absolutely nothing to do with ReVanced.
oh okay, thanks
Lucky Patcher?
I'm pretty new to this sort of stuff. I was planning to buy Google Pixel 8 sometime in November when they usually have sales. And install GrapheneOS. I never used this type of stuff before.
So will I have some trouble installing some stuff like some of mobile games, banking app, emails, etc? I'm in Canada if this help.
This explains why I couldn’t install retroarch on the GalaxyS24 Ultra of a friend via apk or google play store. Would not work, but somehow the Galaxy store version worked….
App developers need ways to know the app has not been modified in unsanctioned manner, glad to see Android finally catching up on security with integrity checks.
No, this will only lead people without access to Google Play to be forced to get it from somebody who has modified the app to fake the check.
Which obviously sucks but also is exactly what developers want or just don't care
If they don't have access to Play, then the developer of that app specifically does not want to service them as a user. Developers have to enable this feature in their own apps for it to do anything. If that developer wanted to support de-Googled users, they wouldn't enable this in the first place.
It's my phone. If I'm specifically going out of my way to do that, they have no right to force me to do it their way.
Why do you think apps should verify their integrity in the first place? In the case of banking apps or other online apps, the APIs they use should be secure in the first place so a user can't achieve anything meaningful by modifying API calls. In the case of offline games with monetization, a hacker who makes a pirated APK will also remove the restriction so legitimate players on non standart ROMs will get screwed. In the case of messaging apps with a "delete messages" or "one time view" function ie. Whatsapp, the sender shouldn't take that their actions will be respected by other clients because modded apps exist and Whatsapp doesn't care if you install it on a rooted device.
This!
APK signatures exist and they're enough for making sure the file you got isn't modified. Warning people when they use apks for stuff like banking, I get, but if they wanna take the risk, it's on them.
Blocking root makes no sense because I'd argue that if the person knows enough to root their phone and got past all those bricked phone/thermonuclear war warnings, the onus is on them to not get their keychain compromised by giving root to some random app. Again, a warning is fine.
Aside from that, people need to understand: THE CLIENT IS NEVER SECURE. NO EXCEPTIONS.
Any self respecting secure API is made under the assumption that all the calls are coming from some malicious state actor using
curluntil proven beyond doubt that it's an actual user.API are secure only if you can secure the authentication details. A modified app (be it as something modified and distributed on a unsanctioned channel, or custom injected by another malicious actor/app) can easily siphon out your authentication tokens to a third party unbeknownst to you the user. However, if the app verifies it came from the approved source and have not been tempered with, then it is much easier to lean on ASLR and other OS level security to make it harder to extract the authentication info.
Multiplayer game operators have obligation to curb modified clients so their actual paying clients have a levelled playing field. By ensuring their apps are only distributed via approved channels and unmodified by malicious players, this improves their odds at warding off cheaters creating a bad time for those that actually pay them to play fairly.
These are just simple cases where this kind of security is beneficial. I am glad Android is finally catching up in this regard.
Personally, it's not Google's place to dictate how an app verification ecosystem works. If a company has developed an app, they need to be the ones to make sure it's secure in the first place, not trusting a monopolist tech company that has almost all control with how someone uses their phone.
Google has rules yes, but Android is open-source and should be open with a free & open market for apps. After all, we paid for the device.
Yup, this is important for certain apps with a high security bar. Surprised at all the downvotes.
Slippery slope. Soon it wil be for all fucking mundane apps because they don't want you running a modded version...which is my fucking choice to do