this post was submitted on 29 Sep 2025
469 points (99.6% liked)

Android

32029 readers
65 users here now

DROID DOES

Welcome to the droidymcdroidface-iest, Lemmyest (Lemmiest), test, bestest, phoniest, pluckiest, snarkiest, and spiciest Android community on Lemmy (Do not respond)! Here you can participate in amazing discussions and events relating to all things Android.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules

1. All posts must be relevant to Android devices/operating system.

2. Posts cannot be illegal or NSFW material.

3. No spam, self promotion, or upvote farming. Sources engaging in these behavior will be added to the Blacklist.

4. Non-whitelisted bots will be banned.

5. Engage respectfully: Harassment, flamebaiting, bad faith engagement, or agenda posting will result in your posts being removed. Excessive violations will result in temporary or permanent ban, depending on severity.

6. Memes are not allowed to be posts, but are allowed in the comments.

7. Posts from clickbait sources are heavily discouraged. Please de-clickbait titles if it needs to be submitted.

8. Submission statements of any length composed of your own thoughts inside the post text field are mandatory for any microblog posts, and are optional but recommended for article/image/video posts.

Community Resources:

We are Android girls*,

In our Lemmy.world.

The back is plastic,

It's fantastic.

*Well, not just girls: people of all gender identities are welcomed here.

Our Partner Communities:

!android@lemmy.ml

founded 2 years ago
MODERATORS
MargotRobbie@lemmy.world
Rooki@lemmy.world
Thekingoflorda@lemmy.world
L3s@lemmy.world
_MoveSwiftly@lemmy.world
469
F-Droid and Google's Developer Registration Decree | F-Droid (f-droid.org)
submitted 1 week ago by Grazed@lemmy.world to c/android@lemmy.world
125 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[–] Shimitar@downonthestreet.eu 127 points 1 week ago (13 children)

Disclaimer: I have been a maintainer for LineageOS and a long time user.

Whoever advocates for LineageOS don't get it. Using LineageOS will not fix any issue like this.

Already today using LineageOS means give up on banking apps, ID apps, and even McDonald's and some games like Pokemon.

Yeah because Google with play intergrity now demands valid keys that gets invalidated as soon Google detect they are used for such usage. The cat and mouse game suddenly got much harder to beat.

So no, using LineageOS will soon be possible only with secondary devices and not your primary that you will need for your actual stuff to work.

[–] pinball_wizard@lemmy.zip 29 points 1 week ago (2 children)

Counterpoint: I use the McDonald's app where it belongs - on a giant greasy ordering kiosk.

But seriously, banks have websites. Everyone and everything has a website.

I don't need Android apps at the cost of my privacy or at the cost of control of my devices.

I use GrapheneOS as my only phone, and I have done so for years.

Whatever the topic, I don't need an app for that.

[–] hessenjunge@discuss.tchncs.de 59 points 1 week ago (12 children)

I don’t know about the US but on this side of the pond banks have their own 2nd factor apps. So to log in to a bank’s website you need an app - quite probably with play integrity.

[–] pinball_wizard@lemmy.zip 0 points 6 days ago (1 children)

Dang. Y'all need to pick better credit unions. MFA rolling token is an open standard. Any single app can support all of my (correctly implemented) tokens. I prefer Aegis, but they (correctly implemented MFA apps) all work.

I don't want to trust my money to someone who can't implement standards compliant MFA.

That would scare the daylights out of me.

[–] hessenjunge@discuss.tchncs.de 3 points 5 days ago (1 children)

Well, they have a kind of 2FA since at least 30 years, long before rolling tokens were all over the place. Their latest implementations are as simple to use as Steam 2FA. If a bank isn’t able to implement a proper 2FA login there’s a ton of other security issues to worry about. Lastly, I think by using their own implementation/app they prevent their customers from using compromised apps.

[–] pinball_wizard@lemmy.zip 1 points 5 days ago* (last edited 5 days ago) (1 children)

If a bank isn’t able to implement a proper 2FA login there’s a ton of other security issues to worry about.

Exactly. Any organization whose MFA doesn't work on Aegis, I take action to protect myself from their incompetence.

Lastly, I think by using their own implementation/app they prevent their customers from using compromised apps.

I'm sure they claim that. But I still recognize it as simple incompetence. They aren't able or willing to hire someone with the Cybersecurity expertise to implement a relatively simple open specification.

Y'all are welcome to risk your money there. It's probably insured anyway, right?

For me, that's too much risk. Even if insurance makes me whole, getting robbed is a huge pain.

[–] hessenjunge@discuss.tchncs.de 1 points 5 days ago* (last edited 5 days ago) (1 children)

Exactly. Any organization whose MFA doesn’t work on Aegis, I take action to protect myself from their incompetence.

That'll surely end their business. /s

I’m sure they claim that. But I still recognize it as simple incompetence. They aren’t able or willing to hire someone with the Cybersecurity expertise to implement a relatively simple open specification.

Just out of curiosity: What percentage of the population is capable of running Graphene/Aegis? What percentage, regardless of capability, is willing to do so?

Creators of popular OSS regularly warn about downloading their stuff elsewhere or pay for it. How do you think that would apply to any 2FA application?

Now think of how stupid the average person is, and realize half of them are stupider than that. (love some George Carlin). Given that even (very) stupid people have and need bank accounts: How would you implement an authentication that can't easily be compromised to ripp off stupid people?*

* Let's just assume that you, the lead developer, are not at all "incompetent", quite the opposite. Also take into consideration that you need to keep cost down (hint: That means you want no one to call support because of 3rd party applications!).

[–] pinball_wizard@lemmy.zip 1 points 4 days ago

This is actually a solved problem:

The credit union mplements (purchases from a competent vendor) their own custom branded standards compliant MFA solution.

This is what competent organizations already do.

Because the app is standards compliant, experts use Aegis instead of the branded app. Everyone else sticks with the branded app.

Also because the app is standards compliant, provided by a specialized vendor, and occasionally being used in unusual ways by expert users, serious security mistakes are much less likely to happen, and less likely to only be noticed by attackers.

I don't expect my credit union to tell me to use Aegis - I expect them to use a credible MFA vendor that interoperates correctly when I do use Aegis.

[–] AmbiguousProps@lemmy.today 16 points 1 week ago* (last edited 1 week ago) (3 children)

That's insane, I have never heard of such a thing, but I'm in the US where most banks don't even have non-sms second factor.

load more comments (3 replies)
load more comments (10 replies)
[–] Wispy2891@lemmy.world 16 points 1 week ago (9 children)

Counter-counterpoint:

Banks use their app to generate the otp and they reinvented the wheel so if you want to login you need to install it, can't use a generic authenticator. I am not aware of any single bank in the EU that allows the use of generic authenticators.

For McDonald's, using the app gives at least 50% off. A menu in the app costs 5 euro while on the store kiosk costs 12 euro. I do not personally care because I find their food to be just barely edible, but I understand why there's a need to install the app

load more comments (9 replies)
[–] Qwel@sopuli.xyz 12 points 1 week ago (1 children)

I've never had an issue with the three banking apps I tried on LineageOS, and I didn't even know there was a McDonald's app or pokemon games.

If this list for /e/os roughly applies to LineageOS (with microG), I wouldn't call it "only for secondary devices", more "won't work for some people"

Did I miss something? AFAIK google is requiring devs to ID, not to use SafetyNet or whatever the "only-runs-on-certified-phones" thing is called

load more comments (1 replies)
load more comments (11 replies)
[–] Ambiance6195@lemmy.dbzer0.com 97 points 1 week ago (4 children)

Fucking google at it again. Straight up turning into apple.

[–] primrosepathspeedrun@anarchist.nexus 1 points 2 days ago

If you see a Googler, spit in its face

[–] CrayonDevourer@lemmy.world 45 points 1 week ago* (last edited 1 week ago)

You can blame the courts for this one. They basically ruled "Apple isn't a monopoly, because they don't even LET other people compete in the first place". (which is about a bass-ackwards as it gets but whatever)

Google saw this and went "shit..." so they're rushing to implement the same thing.

load more comments (2 replies)
[–] herseycokguzelolacak@lemmy.ml 40 points 1 week ago

Fdroid is just the best. Around half of the apps on my phone are from Fdroid and Izzy.

[–] Wispy2891@lemmy.world 40 points 1 week ago (1 children)

Why the Google identity check is completely useless:

Step 1: scammer acquires stolen id card

What's the difference between malware developed anonymously and malware developed anonymously but registered under a fake id? It can be installed today and it can be installed tomorrow. Do they really believe that malware developers will doxx themselves when publishing their malware?

load more comments (1 replies)
[–] Endymion_Mallorn@kbin.melroy.org 34 points 1 week ago (5 children)

When Android stops working properly, I'll move back to a dumb/feature phone. My wife will hate it, but so be it.

[–] Godort@lemmy.ca 13 points 1 week ago (15 children)

Some friends and I were talking about the feasibility of that earlier today.

It's possible, assuming that you never need to use your phone as an MFA method, never need to scan a QR code, or never need to use an app for something because they lack a web version.

[–] paequ2@lemmy.today 20 points 1 week ago* (last edited 1 week ago) (2 children)

My company recently required us to have mandatory fun at a baseball stadium. Apparently, Ballpark MLB is the only way to receive tickets and get into the park... I had to sign up for some stupid account and download some stupid app because my company required it.

[–] Godort@lemmy.ca 14 points 1 week ago

The future is stupid.

[–] sexy_peach@feddit.org 10 points 1 week ago (1 children)

What if you said no?

[–] paequ2@lemmy.today 16 points 1 week ago (6 children)

I could have technically said no... but I would have taken a hit politically. I've definitely been on teams where people have said "Oh, paequ2 doesn't like us. He doesn't want to hang out with us." I mean, they're not wrong. I don't like people. But. You know. I still need people to review my PRs, approve them, ask them for help, ask them for pay bumps, etc.

Forgive me Lemmy for my moment of weakness. I'll go off to the corner and practice some self flatulation.

load more comments (6 replies)
load more comments (14 replies)
load more comments (4 replies)
[–] kjo@discuss.tchncs.de 28 points 1 week ago (6 children)

Looks like I'm searching for a device that can run LineageOS, then.

🤗

[–] passenger@sopuli.xyz 54 points 1 week ago* (last edited 1 week ago) (10 children)

If this comes to pass, f-droid might get closed as the userbase dwindles. Many apps will also cease to be developed and be left without updates. You will not get out with just updating to LineageOS. We should be looking at Linux phones at that point.

[–] Vanilla_PuddinFudge@infosec.pub 24 points 1 week ago* (last edited 1 week ago) (1 children)

Linux Phones have a few software hurdles to pass through to get usable.

The biggest problem right now is adoption and contribution to the ecosystem, but there's a few things in the way of outright using Linux apps on a phone. One is that most Linux apps aren't made to be verical. Some newer ones can adapt to it, but many of the apps you likely would depend on using a Linux laptop are almost unusable on a Linux phone, like... vlc, for instance.

The network stack isn't as beaten to death for 4G and 5G as Android's is. I work in a slightly iffy area, and on Android I'd have times where I'd lose signal, but it would always come back within 5-10 minutes or so. There'd be times on Linux when it wouldn't until I'd missed two calls and three texts and an hour and a half had gone by because the system was choking on a comma or a misplaced semicolon it found somewhere in the background and wouldn't reset until I forced airplane mode off and on. If I was at home, or in the city, I'd never notice this problem, but the second I hit a road trip or went to work, boy.

Also, and this is just my phone, my OP6T had iffy microphone and earpiece settings. Pulse Audio was at the forefront of this audio stack almost entirely unchanged from its appearance on gnome or kde and on a phone it's just confusing and obtuse as to what app is using what and what even is what. If you got it right, it was fine, then the next call it wouldn't be, or would change back, again, probably more the 6T being a 6T than anything else.

I think right now, in this interim period, I'm going to buy a hotspot that I can just slip a sim card into and tether a Linux phone to it. I can use Conversations on Waydroid and use JMP.chat to send phone calls and texts over XMPP. I did fine on my OP6T for my actual use of a phone. I was browsin', I was textin', I was sendin' messages, I was doin' terminal stuff, administratin' my servers, readin', listening to musicn'. It was fine. Will do some experimenting.

load more comments (1 replies)
[–] pinball_wizard@lemmy.zip 10 points 1 week ago* (last edited 1 week ago) (1 children)

f-droid might get closed as the userbase dwindles.

Nah. F-Droid is already federation-ready. https://f-droid.org/docs/Installing_the_Server_and_Repo_Tools/

I'll run my own copy of the F-Droid servers, before I bend my knee to Google. So will others.

Edit: But yes, you are correct that Linux phone is the long term solution. Android is a pile of corporate Java. Linux is a lean sleek set of mature highly optimized tools. Once the big show-stoppers are cleared, my Linux phone will be the envy of all who see me use it.

[–] passenger@sopuli.xyz 11 points 1 week ago (4 children)

The big problem is, I think many apps will cease to get updates as the devs stop developing on Android. Just running F-Droid is not going to solve this.

[–] pinball_wizard@lemmy.zip 2 points 6 days ago* (last edited 6 days ago)

My favorite Android apps are developed by people like myself who just wanted that app, and don't really care if anyone else uses them.

I assume we will all join the same BitTorrent link cloud thingy and swap APK files directly, if Google locks down Android.

I will also switch to a Linux phone that much sooner, I imagine.

Edit: Pro tip - if that world happens and you want stick with the crazy free range folks, look for updates in 2600 Magazine.

load more comments (3 replies)
load more comments (8 replies)
[–] ohellidk@sh.itjust.works 14 points 1 week ago

Still using LOS, haven't looked back...

load more comments (4 replies)
[–] DeathByBigSad@sh.itjust.works 18 points 1 week ago

DOWN WITH GOOGLE

DOWN WITH GOOGLE

DOWN WITH GOOGLE

...

[–] cupcakezealot@piefed.blahaj.zone 17 points 1 week ago (3 children)

really hope someone finds a way to break google's block on apks that aren't registered. with more and more manufacturers locking down bootloaders, changing roms is no longer an option.

load more comments (3 replies)
[–] furycd001@lemmy.ml 16 points 1 week ago

The only apps I have installed from the play store are ones that came pre-installed with the phone. The rest are all from f-droid....

LONG LIVE F-DROID ! !

[–] MudMan@fedia.io 11 points 1 week ago (3 children)

I'm confused by this:

The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications.

If it were to be put into effect, the developer registration decree will end the F-Droid project and other free/open-source app distribution sources as we know them today, and the world will be deprived of the safety and security of the catalog of thousands of apps that can be trusted and verified by any and all. F-Droid’s myriad users5 will be left adrift, with no means to install — or even update their existing installed — applications.

My understanding is that developers need to sign up with Google and once they have an account they can sign their own apks.

How would this impact F-Droid in any way? Presumably by the time F-Droid enters the picture the developers of the apps they distribute would have already gone through that entire process, right? The apks will be tied to that new Google certificate, but after that they can still be distributed anywhere.

I mean, don't get me wrong, this has genuine, very serious, dealbreaking issues, in that Google can just cancel the account of a developer making apps they don't like, the same way Apple has done in the past. That's not great. But from F-Droid's perspective all of that has happened upstream, they are not anywhere in that loop, unless I've misunderstood the changes.

[–] pivot_root@lemmy.world 63 points 1 week ago* (last edited 1 week ago) (1 children)

How would this impact F-Droid in any way?

F-Droid itself builds the APKs to ensure that they're reproducible and not signed on a development machine that could be compromised.

https://f-droid.org/en/docs/FAQ_-_General/#is-your-building-and-signing-process-secure

With these changes, either:

  • They use Google's developer identity process to sign every APK they build with their own developer identity, which Google is likely not going to allow or is going to quickly find an example of a "malicious" app so they can blacklist all of them; or
  • They stop building APKs and just trust the developer provides a non-malicious, pre-verified APK;
  • They find a way to mediate the process between the original developer and Google. Knowing Google, they would make it as needlessly painful for everyone involved to discourage and punish alternative app stores.
[–] MudMan@fedia.io 13 points 1 week ago

Oooh, gotcha. That makes sense.

I guess it'd make sense to take that first option as far as it will go, at which point the issue becomes litigating this the first time Google has their own weird censorship issue in the Apple mold. I'd expect if they ban all of F-Droid explicitly that would at least make more ripples than going after a single torrent client app or whatever. It may play out different from a regulatory perspective, too, if the practical effect is they ban third party stores.

Side note, I'm really mad at the very deliberate choice Google made of categorizing all potential apps as either "apps meant for Google Play" or "student or hobbyist apps". You know they know why that's wrong, but it still makes you want to explain it to them.

load more comments (2 replies)
load more comments
view more: next ›