Quick note: Google's Advanced Protection program disallows sideloading apps, so you can't install F-Droid.
Edit: Note that the Advanced Protection program is opt-in for users that require the highest degree of security Google can offer. Regular users won't be impacted by this.
I wonder what the actual numbers are on malware installed via side-loading and malware installed from the Play Store.
There is no shortage of sketchy apps on the Play Store.
Through my personal bias I would imagine that most people side-loading apps tend to be people using F-Droid who know more or less what they're doing. Although I'm sure there are some people who blindly follow a sketch website telling them to install a sketchy APK directly. But do these people really outnumber people installing a flashlight app from the Play Store that steals your data?
All this locking down your device "for your own protection" assumes that the Play Store software is actually vetted and secure, but that second piece never seems to fall into place.
This random article [1] suggests that 67% of malicious app installs come from the Play Store itself. So this whole "Advanced Protection" scheme only protects against 23% of threats. Pretty weak IMO.
The problem is, it's much easier to be socially engineered into installing something from the Play Store, or far worse, the Chrome Web Store, and both have extremely unchecked amounts of malware.
The real difference is between "apps that have to give Google 30%, and apps that don't".
Likely, but not because no filtering at all is better than mediocre filtering; rather, precisely because it's not easy for a user to "accidentally" side load.
Tons of apps are referencing 100% Turing-complete web content and not taking flak.
NORPS don't "accidentally" side load by means of typing stuff in a terminal that makes them both feel hackerman and scared shitless at the same time.
Only boomers and ties believe it's not about anti-competitive behavior.
> There is no shortage of sketchy apps on the Play Store.
Certainly the Play Store being a walled garden which appears to be full of weeds, nightshade, and hemlock is one of the key factors in pushing me over to iOS.
If side-loading is generally discouraged to the point where it's a hassle, then it's a less attractive entry point for malware authors... so I'd expect the result is that there are ultimately fewer malware instances installed.
If side-loading becomes easy and normalized though...
Sure but does a 23% malware rate justify further restricting side loading? Seems like snake oil security, rather than addressing the bigger problem of malware through the official channels.
Wow! That is a very big deal!!! Almost all of the apps I have on my Android phone are installed from F-Droid, and I try to avoid installing any apps from other sources, with exceptions forced upon me by my social circle, like WhatsApp.
I have a PinePhone but it is not yet ready as a daily driver, and also the difference in hardware performance between my Android phone (which I bought this year) and PinePhone (or even Librem) is abysmal. I wish there was at least one (or many) Linux phone ready to be a daily driver and with hardware comparable to modern Android phones (or iPhones), but unfortunately that is not yet the case, although the community has made a massive effort this year to advance the state of Linux on phones, at least for PinePhone...
I use a MacBook for work and same thing, almost all the apps I have I installed using homebrew (and the UI apps, with brew cask)
EDIT: I see that, at least for now, it's optional and you can un-enroll, which is good.
> EDIT: I see that, at least for now, it's optional and you can un-enroll, which is good.
It's always going to be optional. It's their solution for high-risk users (think: journalists, whistleblowers, and similar), it's not meant to be for everyone.
Disclaimer: No Google affiliation, but I've tested the program a long time ago before it was available to everyone.
The problem will start with such offerings only if third parties (like employers or banks) demand turning this on. The patronizing of users that started with SafetyNet is horrifying. I think it will become crucial that some commercially relevant group uses non-Play Store content. Otherwise the affordance to use non-mainstream stuff will become higher and higher.
I have a strict "if you want me to use a phone for work, then issue me a work phone" policy. No, I will not install your MDM app on my personal phone, because that is tantamount to surrendering my phone to the company.
I mean it makes sense. The employer requires you to only trust Google-approved apps since something like an evil maid (or mugging, or blackmail, etc) attack on an unlocked phone is part of their threat model.
And it seems reasonable for an employer. What about banks? The argument I'm coming up with just isn't as compelling for no other reason than I'm 'only' risking my money, not corporate access.
> I have a PinePhone but it is not yet ready as a daily driver, and also the difference in hardware performance between my Android phone (which I bought this year) and PinePhone (or even Librem) is abysmal.
I don't know about it being so much a hardware performance issue, rather than a software optimization issue. Personally, I don't think I need much performance, but I have had issues unlocking my PinePhone because the lockscreen seems to have a hard time keeping track of my finger as I slide it or press the keypad buttons. I've also had a number of kernel panics in the few times that I've used it (I got it just recently).
For the PinePhone to be my daily driver I just need to be able to run WhatsApp on it (so run an Android emulator with access to the SIM card, I imagine; haven't tried) and take real 5MP images. That's all I really need to switch the SIM card and leave my Android phone at home. It can even drop calls and I won't really care (not that it does; I haven't tried).
EDIT: I see I misread a bit and thought you meant its low performance prevented its use as a daily driver. I don't think it makes sense for Linux phones to be offered with more expensive hardware until the software catches up to enable their use as daily drivers for more people. I think we're at a stage where the buyers are primarily people that are looking to possibly contribute to the software to get it to that point. Being a cheap phone is important for that.
Your WhatsApp running on an Android emulator doesn't need to have any access to the SIM card. You only need to have the SIM card on some phone so you can enter the code you're receiving by text when signing in for the first time.
You can then use a bridge to connect it to Matrix and chat using WhatsApp from any Matrix client.
Oh wow! Thank you so much for the tip! I've never used Matrix, but I'll look into that! Not having to depend on the WhatsApp client sounds like a dream.
> Almost all of the Apps I have on my Android phone are installed from F-Droid ... I see that, at least for now, it's optional and you can un-enroll, which is good.
I can't see it going away. Google uses it to fend off monopoly accusations, viz. you aren't locked in, you can always use another app store. Apple doesn't, and they are in much more threatening territory when it comes to antitrust lawsuits against their app store because of it. https://www.cnbc.com/2020/10/06/house-antitrust-subcommittee...
Google has far worse antitrust problems than Apple in general because they own 80% of some markets, and is being reminded of it repeatedly by ongoing lawsuits being brought in various countries. https://www.vox.com/recode/2020/12/16/22179085/google-antitr... But for Google Play they have a free pass, and I don't think they aren't likely to give it up any time soon.
I learned recently that having Advanced Protection enabled also rewrites all URLs in your email messages to use the Google URL redirector, even when accessed via IMAP.
It breaks PGP signatures, among other things.
No way to turn it off without disabling all of Advanced Protection. Sweet, huh?
Office 365 does that too - and Twitter by the way... Copying & pasting a URL is becoming mostly a tedious rigmarole of opening the link, seeing what it finally resolves to - and only then copying & pasting...
Which advantages does Advanced Protection give you in particular so that you have enabled it? It seems that things like hardware 2FA should work without it as well? Genuinely curious.
It forbids 2FA with anything other than U2F hardware, which is practically unphishable. I don't really trust the Google auth system without the hard "disallow all non-hardware-based auth" restriction, due to the innumerable stories about SIM swapping, etc.
I am on it and like it. It seems to explicitly forbid a bunch of edge cases in the login auth that would otherwise be tricky to configure properly and keep up to date. Yes, you can set up and use hardware key auth without it, but it's nice to guarantee that you can never log in without a hardware key no matter what. IIRC it closes off a few other types of misconfiguration or over-authorization that might allow someone to exfiltrate data from your account.
I use F-Droid, and I'm lucky enough to be one Android version behind. Can someone who's upgraded let me know what to expect when I upgrade? The blog post mentions that adb still works. Does this mean I'll have to use adb once to install F-Droid and have it work normally after that, or will _every_ app need to be installed using adb?
Advanced Protection is an opt-in for people at risk of targeted attacks. Unless you have a company phone, it's unlikely to be enabled without your knowledge.
And even if you disable it, it can still block you.
I didn't try to reset my phone completely, but I have to Force Stop the Google Play Store and empty cache/user's data to install any APK.
You can sideload apps via ADB. And once an app is installed that way you can then update it normally with an APK going forward. (I have Advanced Protection and I do this.)
Thanks for the clarification. I was going to say I might as well just switch to Apple if I can't sideload and enjoy some freedom with my phone even if it's not as free as I would like.
> Quick note: Google's Advanced Protection program disallows sideloading apps...
According to this rule, all web browsers should be removed from Google Play too, as JavaScript apps (embedded in webpages) are "sideloading apps" by design.
Ok thanks. Somehow must have missed that one - I guess it's voluntary unless you install some work related app where company security policies pretty much default to switching off any possible loophole. I don't like where this path is going to lead :(
> Note that the Advanced Protection program is opt-in for users that require the highest degree of security Google can offer. Regular users won't be impacted by this.
Yet. Google seems to be restricting Android more and more with each release.
I fully switched to the PinePhone last year because of this.
The AP program is optional and only for people with high security needs. The restrictions make it utterly inappropriate for unskilled users, so it will never be expanded to the general population.
Edit: Note that the Advanced Protection program is opt-in for users that require the highest degree of security Google can offer. Regular users won't be impacted by this.
Edit: proof https://imgur.com/a/yktPNIc
Edit 2: see @haunter's comment for a link to the change announcement