pmdr 2026-02-24 17:43 UTC link

The undersigned are basically a list of entities Google would like to see disappear.

dfabulich 2026-02-24 17:44 UTC link

The most controversial claim in this letter is in the section that "Existing Measures Are Sufficient."

In Google's announcement in Nov 2025, they articulated a pretty clear attack vector. https://android-developers.googleblog.com/2025/11/android-de...

> For example, a common attack we track in Southeast Asia illustrates this threat clearly. A scammer calls a victim claiming their bank account is compromised and uses fear and urgency to direct them to sideload a "verification app" to secure their funds, often coaching them to ignore standard security warnings. Once installed, this app — actually malware — intercepts the victim's notifications. When the user logs into their real banking app, the malware captures their two-factor authentication codes, giving the scammer everything they need to drain the account.

> While we have advanced safeguards and protections to detect and take down bad apps, without verification, bad actors can spin up new harmful apps instantly. It becomes an endless game of whack-a-mole. Verification changes the math by forcing them to use a real identity to distribute malware, making attacks significantly harder and more costly to scale.

I agree that mandatory developer registration feels too heavy handed, but I think the community needs a better response to this problem than "nuh uh, everything's fine as it is."

A related approach might be mandatory developer registration for certain extremely sensitive permissions, like intercepting notifications/SMSes...? Or requiring an expensive "extended validation" certificate for developers who choose not to register...?

kelp6063 2026-02-24 17:46 UTC link

why anyone thinks "open letters" and petitions to a trillion-dollar company will get them to change their mind is beyond me

jonathanstrange 2026-02-24 17:47 UTC link

For me this change is a problem not just because of the ID upload to Google but mainly because it's another nail in the coffin of native software solutions. It increases friction and anything that increases friction is bad.

Concretely, my original plan was to provide an .apk for manual installation first and tackle all this app store madness later. I already have enough on my plate dealing with macOS, Windows, and Linux distribution. With the change, delaying this is no longer viable, so Android is not only one among five platforms with their own requirements, signing, uploading, rules, reviews, and what not, it is one more platform I need to deal with right from the start because users expect software to be multiplatform nowadays.

Quite frankly, it appears to me as if dealing with app stores and arbitrary and ever changing corporate requirements takes away more time than developing the actual software, to the detriment of the end users.

It's sad to watch the decline of personal computing.

drnick1 2026-02-24 17:50 UTC link

Isn't the obvious solution to use an AOSP fork that does not have to comply with the registration requirements? Distributions like Graphene and Lineage are completely unaffected.

rm30 2026-02-24 18:12 UTC link

Registration just creates friction for legitimate developers (thousands) while bad actors simply rotate shell companies and fake/stolen IDs.

This conflates identity verification with criminal deterrence, they're not the same thing.

EmbarrassedHelp 2026-02-24 18:29 UTC link

The problem with mandatory developer registration, is that it gives Google and Governments the ability to veto apps.

It would not be unsurprising for a government to tell Google they must block any VPN apps from being installed on devices, and Google using the developer requirements to carry out the ban.

pserwylo 2026-02-24 20:03 UTC link

Many people online and in person telling me "Google backed down" or "Google has an advanced flow" are typically referring to these two statements from Google staff:

> Based on this feedback and our ongoing conversations with the community, we are building a new advanced flow that allows experienced users to accept the risks of installing software that isn't verified. [0]

> Advanced users will be able to"Install without verifying," but expect a high-friction flow designed to help users understand the risks. [1]

Firstly - I am yet to see "ongoing conversations with the community" from Google. Either before this blog post or in the substantial time since this blog post. "The community" has no insight into whether any such "advanced flow" is fit for purpose.

Secondly - I as an experienced engineer may be able to work around a "high-friction flow". But I am not fighting this fight for me, I am fighting it for the billions of humans for whom smart phones are an integral part of their daily lives. They deserve the right to be able to install software using free, open, transparent app stores that don't require signing up with Google/Samsung/Amazon for the privilege of: Installing software on a device they own.

One example of a "high friction flow" which I would find unacceptable if implemented for app installation on Android is the way in which browsers treat invalid SSL certificates. If I as a web developer setup a valid cert, and then the client receives an invalid cert, this means that the browser (which is - typically - working on behalf of the customer) is unable to guarantee that it is talking to the right server. This is a specific and real threat model which the browser addresses by showing [2]:

* "Your connection is not private"

* "Attackers might be trying to steal your information (for example, passwords, messages or credit cards)"

* "Advanced" button (not "Back to safety")

* "Proceed (unsafe)" link

* "Not secure" shown in address bar forever

In this threat model, the web dev asked the browser to ensure communication is encrypted, and it is encrypted with their private key. The browser cannot confirm this to be the case, so there is a risk that a MITM attack is taking place.

This is proportionate to the threat, and very "high friction". I don't know of many non-tech people who will click through these warnings.

When the developer uses HSTS, it is even more "high friction". The user is presented all the warnings above, but no advanced button. Instead, on Chromium based browsers they need to type "thisisunsafe" - not into a text box, just randomly type it while viewing the page. On Firefox, there is no recourse. I know of very few software engineers who know how to bypass HSTS certificate issues when presented with them, e.g. in a non-prod environment with corporate certs where they still want to bypass it to test something.

If these "high friction" flows were applied to certified Android devices each time a user wanted to install an app from F-Droid - it would kill F-Droid and similar projects for almost all non-tech users. All users, not just tech users, deserve the right to install software on their smart phone without having to sign up for an "app store" experience that games your attention and tries to get you to install scammy attention seeking games that harvest your personal information and flood you with advertisements

Hence, I don't want to tell people "Just install [insert non-certified AOSP based project here]". I want Android to remain a viable alternative for billions of people.

[0] - https://android-developers.googleblog.com/2025/11/android-de...

[1] - https://x.com/matt_w_forsythe/status/2012293577854930948

[2] - https://wrong.host.badssl.com/

cyanydeez 2026-02-24 20:05 UTC link

When do we think PWA and WebRTC will be attacked and degraded as insecure?

tsoukase 2026-02-24 20:13 UTC link

Banning apps installation outside PlayStore will be a disaster for power-ish users and will start a fight between Google and community. I abandoned rooting my devices because I could achieve all I wanted through apps (mostly ad- and nag-freedom, it's impossible to be online without ad blocking). But all these were downloaded as APKs. I cannot imagine how the first day without these will be.

WarmWash 2026-02-24 20:26 UTC link

The judge told Google that Apple is not anti-competitive because Apple has no competitors on it's platform (this all stemming from the Epic lawsuits).

Google listened.

Blame the judge for one of the worst legal calls in recent history. Google is a monopoly and Apple is not. Simple fix for Google...

Same comment I made a few days ago, I feel it bears repeating as much as possible until it's really driven home how detrimental and uninformed that decision was.

arjie 2026-02-24 20:30 UTC link

If I'm being honest, I suspect this

> Disproportionate impact on marginalized communities and controversial but legal applications

applies more to the elderly in third-world countries who are constantly scammed through fraudulent side-loaded apps than it does to hackers who want to install whatever software they want but do not want to use a non-Google AOSP distribution.

jdlyga 2026-02-24 20:33 UTC link

To be honest, if both Android and iOS were walled gardens, I'd choose iOS every time. I choose Android specifically because of its openness. But if that weren't the case, I'd prefer the smoother UX and stronger Apple ecosystem.

asim 2026-02-24 20:38 UTC link

I think we're about to see an explosion in "mini apps". It's taken 10+ years for us to catch up to WeChat and China but this regulation and other issues are going to block a lot of innovation and we're better off surfacing tiny PWA or SPA like apps that get loaded in native apps or we just do away with that entirely. The time has come.

atlgator 2026-02-24 22:55 UTC link

"Don't be evil" → "Don't be evil without registering first and uploading your government ID."

The most telling detail is the sequencing. Google spent years in court arguing Android is open to fend off antitrust regulators, won key battles on that basis, and is now quietly closing the door they swore under oath was permanently propped open. The antitrust defense was the product roadmap's cover story. And framing this as security is particularly rich from the company whose own Play Store routinely hosts malware that passes their review. The problem they're solving isn't "unverified developers distribute harmful apps" — it's "unverified developers distribute apps we can't monetize or control."

eqvinox 2026-02-25 00:37 UTC link

Can someone explain to me why Google's plans don't collide with the EU DMA? They're locking down the platform, that's what the DMA is supposed to prevent, I thought.

schmorptron 2026-02-25 11:56 UTC link

Before this LLM age the solution would've been to make the user solve a leetcode problem to access a developer mode.

ChoGGi 2026-02-25 14:08 UTC link

Hey Google, how about you clear all the malware from the play store then work on sideloading?

wernsey 2026-02-25 16:20 UTC link

Google's concerns about security rings hollow to me. I believe it is strictly to exercise more control over the platform.

The appeals to people in Southeast Asia being scammed reminds me of a blog by Cory Doctorow last year: Every complex ecosystem has parasites [1]

The gist of it is that technology can be useful, but that usefulness comes with a price: sometimes bad actors are going to commit fraud or other undesirable actions.

As an example, you can reduce the amount of banking app scams to 0% by simply denying any banking apps on phones. But because of banking apps' usefulness we're not going to do that, so there will be some non-zero risk that you will get scammed.

As a technical user I chose Android for its usefulness, accepting that there may be a (minute) chance that I get scammed, but it is a risk I am willing to take, and Google will unilaterally take this choice away from me.

Still, I don't believe Google's security concerns are sincere, so I think I just wasted my time typing all of this

[1] https://pluralistic.net/2025/04/24/hermit-kingdom/

pbnjeh 2026-02-26 23:56 UTC link

1) As I saw Rossman recommend the other day, once Android phones are locked down, just get an iPhone. I’ve had a Pixel 8 Pro and was considering the upcoming 11. If this lockdown goes through, I guess not.

2) I hope the lockdowns don’t strangle tethering. My other consideration is to use whatever phone for calls, texts, and “secure” apps. The rest I’ll do on an unrestricted device that just uses the phone as a data connection. More crap to carry, but crap that does what I want and need and not what “they” insist upon.

P.S. And that may mean spending less on future phones. Especially if I also switch my higher quality camera image needs to a real camera. Sigh, yet more physical crap, but I’m pissed enough to do it, and then each individual device would be less of a feature compromise than what a phone provides — other than size and portability, which are indeed quite significant.

JoshTriplett 2026-02-24 17:50 UTC link

If you can "coach someone to ignore standard security warnings", you can coach them to give you the two-factor authentication codes, or any number of other approaches to phishing.

verdverm 2026-02-24 17:51 UTC link

I personally see an unmoderated app store as more detrimental to the end users. The harm happens at scale.

gleenn 2026-02-24 17:52 UTC link

It matters to me because I'm reading it now and feel more informed about this problem. Throwing the towel in and saying it's all pointless isn't helpful.

turblety 2026-02-24 17:54 UTC link

Google are also destroying that path by delaying the releases more and more.

Cyph0n 2026-02-24 18:33 UTC link

Does your logic extend to PCs? If not, why?

Because I hope you realize that clamping down on “sideloading” (read: installing unsigned software) on PCs is the next logical step. TPMs are already present on a large chunk of consumer PCs - they just need to be used.

jeroenhd 2026-02-24 18:34 UTC link

Developer registration doesn't prevent this problem. Stolen ID can be found for a lot less money than what a day in a scam farm's operation will bring in. A criminal with access to Google can sign and deploy a new version of their scam app every hour of the day if they wish.

The problem lies in (technical) literacy, to some extent people's natural tendency to trust what others are telling them, the incompetence of investigative powers, and the unwillingness of certain countries to shut down scam farms and human trafficking.

My bank's app refuses to operate when I'm on the phone. It also refuses to operate when anything is remotely controlling the phone. There's nothing a banking app can do against vulnerable phones rooted by malware (other than force to operate when phones are too vulnerable according to whatever threshold you decide on so there's nothing to root) but I feel like the countries where banks and police are putting the blame on Google are taking the easy way out.

Scammers will find a way around these restrictions in days and everyone else is left worse off.

jeroenhd 2026-02-24 18:38 UTC link

It's something apps that will soon break can point their users to so they know to blame Google and a bunch of incompetent governments.

Google will not change their minds, they're too busy buying goodwill from governments by playing along. There aren't any real alternatives to Android that are less closed off and they know it.

criddell 2026-02-24 18:40 UTC link

> The problem with mandatory developer registration, is that it gives Google and Governments the ability to veto apps.

Don't they already have that power?

bigstrat2003 2026-02-24 18:49 UTC link

> I agree that mandatory developer registration feels too heavy handed, but I think the community needs a better response to this problem than "nuh uh, everything's fine as it is."

Why would the community give a different response? Everything is fine as it is. Life is not safe, nor can it be made safe without taking away freedom. That is a fundamental truth of the world. At some point you need to treat people as adults, which includes letting them make very bad decisions if they insist on doing so.

Someone being gullible and willing to do things that a scammer tells them to do over the phone is not an "attack vector". It is people making a bad decision with their freedom. And that is not sufficient reason to disallow installing applications on the devices they own, any more than it would be acceptable for a bank to tell an alcoholic "we aren't going to let you withdraw your money because we know you're just spending it at the liquor store".

nickorlow 2026-02-24 18:55 UTC link

Yeah, Google is terrible at validating developers are non-malicious on google play. plenty of fake/malicious/garbage apps make it through the filter.

wackget 2026-02-24 18:57 UTC link

No, because many apps refuse to run on third-party distros due to misguided notions of them being insecure. It's easy to say "just don't use those apps" but in reality, people are rightly unwilling to put up with any friction and so will simply continue to use Google's version of the OS.

OutOfHere 2026-02-24 19:01 UTC link

It's worse than that. Google will be able to track who's using a particular app because it has to be installed the official way. This means for example that anyone who has installed an ICE Tracking app will be reported to the government and perhaps added to a terrorist list.

OutOfHere 2026-02-24 19:04 UTC link

Precisely! Google doesn't care one bit about civil society; it cares about power to itself even if this means punching freedom and liberty in the face. Personally I think it'll be a good thing if this restriction finally wakes up people to seek alternatives to Google.

Retr0id 2026-02-24 19:05 UTC link

Because the company either has to address it, or stop pretending it's "listening to concerns" or whatever. Even if it doesn't change the outcome, it makes it clearer that the company is engaging in bad faith.

marcprux 2026-02-24 19:06 UTC link

I am the author of the letter and the coordinator of the signatories. We aren't saying "nuh uh, everything's fine as it is." Rather, we are pointing out that Android has progressively been enhanced over the years to make it more secure and to address emerging new threat models.

For example, the "Restricted Settings"¹ feature (introduced in Android 13 and expanded in Android 14) addresses the specific scam technique of coaching someone over the phone to allow the installation of a downloaded APK. "Enhanced Confirmation Mode"², introduced in Android 15, adds furthers protection against potentially malicious apps modifying system settings. These were all designed and rolled out with specified threat models in mind, and all evidence points to them working fairly well.

For Google to suddenly abandon these iterative security improvements and unilaterally decide to lock-down Android wholesale is a jarring disconnect from their work to date. Malware has always been with us, and always will be: both inside the Play Store and outside it. Google has presented no evidence to indicate that something has suddenly changed to justify this extreme measure. That's what we mean by "Existing Measures Are Sufficient".

[^1]: https://support.google.com/android/answer/12623953

[^2]: https://android.googlesource.com/platform/prebuilts/fullsdk/...

jamesnorden 2026-02-24 19:51 UTC link

No bank in my country has an app that works with those, so it's not an option for me anymore.

UncleMeat 2026-02-24 20:25 UTC link

Friction does matter. Yes, criminals will create fake accounts with stolen IDs and stolen credit cards. But creating 1,000s of these is hard. Creating polymorphic banking trojans is simple.

I don't know if this trade off is worth it, but the idea that it won't affect this abuse at all is false.

pas 2026-02-24 20:32 UTC link

Sorry, which exact ruling are you referring to? How did the court arrived at this finding (that seems irrelevant, false)?

andyferris 2026-02-24 20:33 UTC link

Like many things in the US, this should be settled by congress not judges.

Things that everyone relies on for life are generally regulated by law. Telecom platforms for instance. I’d say the mandatory software platform I need for my bank, drivers license, daily communication, etc should be in this bucket.

The EU declaring both Apple and Google gateway platforms is a much better approach. Congress is abdicating its responsibility to craft the legal frameworks for equal access in the modern age.

singpolyma3 2026-02-24 20:46 UTC link

You're welcome to it I suppose. As someone forced to use iOS for the past year I'm still waiting to find any smooth UX or strong ecosystem...

TheJoeMan 2026-02-24 21:13 UTC link

Elon's vision for the X "everything" app. It's great for them, now every single thing you do has the full gamut of privacy permissions. Playing a "mini-game"? Full accurate GPS coordinates available to it because you also have the ride-hailing "mini-app".

tavavex 2026-02-24 22:07 UTC link

The thing that everyone here ignores is that the friction isn't just for safety. It's by design. For some reason, everyone is giving Google as much benefit of the doubt as possible. But no, they want to drive out small developers in general, and this is just one piece of the puzzle. Google has already put up unrelated barriers to publishing apps on Google Play, required every app developer to dox themselves to every user (meanwhile Apple is far more permissive and allows an opt-out for non-commercial apps), they downrank apps by small developers, use alternate UX that disincentivizes installing lesser known apps, put up big scary warnings like "This app isn't installed often" or "Fewer people engage with this app" on the pages of those apps. The only explanation is that they want more money and less upkeep and moderation with the pesky small developers, and the real money-makers are the big corporate apps. They're recreating "the rich get richer" in their microcosm.

jhasse 2026-02-24 23:25 UTC link

Did your users really consider your app if it wasn't in the Play Store?

redbell 2026-02-25 08:22 UTC link

> Same comment I made a few days ago..

This! I was about to reply that you have already posted this comment four days ago: https://news.ycombinator.com/item?id=47092480

Editorial Channel

What the content says

Structural Channel

What the site does