Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
palata 17 hours ago

> Google's play protect prevents me from using some apps on my phone running graphene. My banking app is one of them.

Well, your bank is the one choosing to prevent your from running it on GrapheneOS. That's my whole point again! We need to regulate that: it should be forbidden to ban alternative OSes!

Now complaining about the fact that side-loading will require a ONE TIME, "annoying" procedure is not helping this AT ALL. It's just "oh no, I could do it with one click, and now I have to do it in 9 clicks, that's terrible, we need to bring it back to 2 clicks because anyway we won't win if we hope to bring it back to 1 click".

I'm exaggerating of course, it is a big problem for e.g. F-Droid (and maybe others?). But my point is that it's just cosmetic, it's not helping the cause. It's not moving us one inch closer to a better world. On the contrary: it's monopolising the attention of policymakers. They already don't understand much, and we flood them with complaints they don't understand (because really, 99.99% of the Android users don't give a shit about side loading, why would the policymakers care?).

The solution is simple: make it mandatory to allow alternative OSes (which is pretty much as simple as making it mandatory to unlock/relock the bootloader, and maybe remove a few other barriers that exist just for locking us in) and making it illegal to ban alternative OSes with Play Integrity (which is what banks are doing). That's all. No need to fight every decision Google makes and still lose every single time.

We need to get our act together and get the policymakers to do the right thing. But to be fair to the policymakers, technical people on the internet are asking for everything and its contrary.

fooqux 16 hours ago | parent [-]

I'd be happy with either approach, frankly. I just think yours is slightly less realistic.

> Well, your bank is the one choosing to prevent your from running it on GrapheneOS. That's my whole point again! We need to regulate that: it should be forbidden to ban alternative OSes!

The bank isn't banning graphene os. They're banning anything Google labels as untrusted. I think that's an important distinction. This is Google's doing. I don't have the ability to declare "this is my device and I trust it and everything on it" to the banks. And I can see Google's point in that it would be extremely difficult to do this in a way that couldn't be exploited maliciously. Are there ways for the .001 percent of people out there who understand this? Absolutely. But only if our overlords let us and even then we're back to the point that this is only for the people in the know.

Which is why I personally don't think enforcing alt OSes will help. We have it now; most people don't know and wouldn't care if they did. Play protect is the same. The amount of people this would impact is beyond minimal. However the problem isn't minimal; this is already a huge problem and it's getting bigger quickly. Giving people the keys won't fix it fast enough, or for enough people.

Tech already controls our life and that fact is only getting more worrisome. It's past time for the governments to treat this the same as electricity. Everything standardized, everything regulated, and I can plug whatever the hell I want into it. I don't want to just break free for myself. In order to really make change, my grandma needs to think of her phone like a power outlet.

This is a great discussion, by the way.

palata 16 hours ago | parent [-]

> The bank isn't banning graphene os. They're banning anything Google labels as untrusted.

I don't agree here :-). AOSP provides an attestation mechanism that totally works with GrapheneOS [1]. Google provides Play Integrity on top of that, as an easy way to check that the phone is signed by Google. It doesn't say "it's unsafe if it is not signed by us", it just says "here is a way to verify that it is signed by us".

The bank chooses to check that it is signed by Google and to refuse everything that is not. The bank chooses that.

First, they don't need to check at all. Many banks don't, it seems like it's a new thing. I don't believe that there is any security concern there: it probably has to do with policy, or security theatre. It isn't serious security, because serious security would not ban GrapheneOS. I doubt it is to help Google, I think it's just incompetence (and a cheap way to do security theatre).

Most apps run on GrapheneOS, most apps don't use Play Integrity. Those who do choose to do it. And there are banks that choose to support the GrapheneOS attestation, though it's the exception.

[1]: https://grapheneos.org/articles/attestation-compatibility-gu...

fooqux 11 hours ago | parent [-]

I feel like this is semantics. I don't know all what they say, but I'd eat my breakfast cold if the word "safety" didn't come up in the PowerPoint deck. We may have to agree to disagree on this.

My point was that this is the direction the world is moving to. Maybe it's not total coverage yet, but every year more and more of our stuff only operates with verified trust through the entire process. Everything from video games to movies to programs. We're already sitting here complaining about Google enforcing developer verification, how long until Google turns on play integrity by default? And then how long until it's the only option? It'll come if something doesn't change.

And I still agree with the post way up above that these devices are too important now. I don't care about Google's interests here.

palata 4 hours ago | parent [-]

> My point was that this is the direction the world is moving to.

And I agree with that, but it feels to me like it reinforces my initial point: fighting the Google flavour of Android is a lost cause.

> We're already sitting here complaining about Google enforcing developer verification

Which isn't a problem on alternative Android OSes like GrapheneOS.

> how long until Google turns on play integrity by default

Agreed. The solution is to be able to use an alternative Android OS like GrapheneOS :-).

> It'll come if something doesn't change.

And what needs to change is that regulations need to make it illegal to actively choose to ban alternative Android OSes.

The thing with regulations is that you need to find something applicable. When people complain about centralised system and lobby for regulations that will help their federated system, without even debating about whether or not the federated system is "better", the fact is that it is not applicable. It is not reasonable to say "so now, if you write a messenger app, it has to use the Matrix protocol because Matrix convinced us of it". If I want to write a different protocol, I should be able to do it, right?

But what I am suggesting here is both reasonable and applicable: currently those banks have to add code to their app in order to ban alternative OSes. If a regulation makes it illegal, they just have to remove it, and banks who don't have it yet just don't add it. It's easy to verify: if my banking app doesn't boot on GrapheneOS, I can complain to the regulator, and the regulator can trivially verify it.

Same thing for allowing to unlock/relock the bootloader: super easy to verify, a regulation would work great.

Now back to the article: what are we asking? That the process of installing an unverified app manually is not made "so hard", with "hard" being some variant of "it's terrible if I have to wait 24h one time in order to enable this", for something that approximately nobody does. Look at all the effort that has been put against this change... and again they will lose. And if they managed (very unlikely) to get regulation for that, they would be screwed next week by the next change.

That's why I say it's the wrong fight: not only it's a lost cause, but it is strictly less useful than the simpler solution of defending alternative Android OSes with simple regulations.