it already has a lock, by default you're not allowed to install apps in android you have to accepts a bunch of prompts and configurations (the key) and now you won't even have the key

Is it a lock? I buy a building and the builder put an id verification lock on the doors and I am not allowed to remove it. And they also require a separate one time fee of 2 to 5 percent of the purchase price.

There is a big difference between opt-in and opt-out that isn't semantics. You can't slowly discourage, deprecate and delete the default the way you can an opt-in, because too many people keep using it.

Stockholm syndrome is so pity when detected.

Boiling the frog.

To do what I want with my own property seems pretty essential to me.

>"'essential' means can't be bothered to wait 24 hours (once)?"

Essential means to get fucking lost and let me do with the hardware I paid for whatever I want.

You are missing the part that new 24 hour process was a response to backlash. It was not even in their plan.

Which is frankly hilarious because the Microsoft Store is the worst offender when it comes to hosting straight-up scams.

I'm not the only one who has noticed: https://www.reddit.com/r/windows/s/6y39VNaLUh

F-Droid exists and they have a much better track record than Google. I'm not actually serious, I just think if there's a single app repo that should be allowed to install apps without a scary 24h verification cooldown, it's Google's proprietary closed-source app store that needs the scary process, not F-Droid.

I think compared to the alternatives, this is the best answer.

Even if you are a bank or whatever, you shouldn't store global secrets on the app itself, obfuscated or not. And once you have good engineering practices to not store global secrets (user specific secrets is ok), then there is no reason why the source code couldn't be public.

No more absurd than letting a megacorp control what I install on my own device.

It's also true, the best way to audit software is source-code and behavior analysis. Google and Apple do surprisingly minimal amounts of auditing of the software they allow on the Play Store and App Store, mostly because they can't, by design. It should shock absolutely nobody then that those distribution methods are much more at risk of malware.

> You could gate the functionality behind verification of an anti-scam awareness and education training and certification course, scammers would coach people through the entire course and the verification step, and people would still be victimized.

The problem with this line of reasoning is that it proves too much, which really gets to the heart of the issue.

If people are willing to be led to the slaughterhouse in a blindfold then it's not just installing third party code which is a problem. You can't allow them to use the official bank app on an approved device to transfer money because a scammer could convince them to do it (and then string them along until the dispute window is closed). You can't allow them to read their own email or SMS or they'll give the scammer the code. If the user is willing to follow malicious instructions then the attacker doesn't need the device to be running malicious code.

Whereas if you can expect them to think for two seconds before doing something, what's wrong with letting them make their own choices about what to install?

That's unfortunate if true but it isn't a convincing argument to force the rest of society to live in proverbial padded cells. There's a minimum bar here. Some people probably shouldn't have online accounts and aren't responsible enough to manage their own finances. The rest of us are (hopefully at least marginally) functional adults.

Nothing is perfect, but by what percentage would you think scams that leverage sideloading would drop? 1%? 10%? 50%? 90%? 99%?

> Google is not going to let their main phone app product become associated with Grandma losing her savings!

How did they manage to survive as the grandma-account-draining brand for over 15 years, though? They're still the market leader.

One of the best arguing tactics the pro-control side has come up with is "The way it works right now is JUST not good enough". And then you don't need to argue any further or substantiate that. You just force your opponent into coming up with new measures because obviously right now we have an emergency that must be dealt with immediately. So far, this reasoning has worked for program install restrictions, de-anonymizing internet users, all sorts of other random attestation and verification measures, and it will be used for so much more.

My question to all that is - what has happened NOW that changed the situation from how it was just a couple years back?. Google hasn't been sitting idle for all these years, they've been adding measures to Android to detect malicious software and prevent app installs by clueless users - measures that were striking a balance between safety and freedom. Why is everything safety-related in the last few years suddenly an emergency that must be rectified by our corporate overlords immediately and in the most radical ways? How did we even survive the 2010s if people are less secure and more prone to being scammed with the new restrictions right now than they were back then?

I'm not saying there's not an issue, but without hard stats, these issues will always be magnified by companies as much as possible as the wedge to put in measures that benefit them in ways other than the good-natured safeguarding of the consumer. In an open society, there's always a point where you balance the ability to act freely with ensuring that the worst actors can't prosper in the environment. Only one of these things is bad, but you can't have both. You need a middle ground.