A theoretical way to circumvent Android developer verification

153 points, posted 17 hours ago
by sleirsgoevy

123 Comments

asimops

16 hours ago

While it is technically feasible, it is not a good idea to try and find a technical solution to a people/organisation problem.

Do not accept the premise of assholes.

I hope we can get the EU to fund a truly open Android Fork. Maybe under some organisation similar to NL Labs.

--- edit ---

Furthermore, the need for a trustworthy binary to be auditable to a certain hash or something would make banning this a simple task if Google would want to go that route.

AnthonyMouse

6 hours ago

> Furthermore, the need for a trustworthy binary to be auditable to a certain hash or something would make banning this a simple task if Google would want to go that route.

This is actually the advantage of doing it. You make the thing (call it a "personal app loader" or something rather than a "circumvention tool"), they ban it, now you campaign against them or make antitrust arguments presenting the ban as an anti-competitive practice or use the ban to refute claims that they're not inhibiting third party app distribution.

Even if you know they're going to be the villains, you still want to make them actually do it so that everyone can see them doing it.

closeparen

12 hours ago

The same EU that's doing Chat Control?

rf15

11 hours ago

The same EU of which parts are trying to make chat control work and are once again abandoning it. Politicians get this particular fancy idea every other year in all kinds of countries, not just EU. Overreach out of desperation for a problem that cannot simply be solved is wrong but understandable.

igor_akhmetov

3 hours ago

Desperation for what exactly? More control?

ForHackernews

19 minutes ago

They are trying to stop crime, including sex/drug trafficking and child exploitation. If you want to have an intellectually honest debate, you need to be clear that private communication apps do make it more difficult for police to conduct legitimate investigations. You do yourself no favours painting all politicians as power-hungry caricatures.

exe34

6 hours ago

The EU is a big place, run by a lot of different people, with true separation of powers. They don't have a president-king who can just ignore court decisions.

jmnicolas

4 hours ago

So we're gonna get access to Von Der Leyen Pfizer sms right?

Were you offered to vote for Von Der Leyen by the way?

Certhas

3 hours ago

The EU is a parliamentary democracy. Von Der Leyen was proposed by the democratically elected heads of the member states. She was approved by the democratically elected parliament.

The chancellor in Germany is also not directly elected by majority vote but by parliament.

It's a reasonable criticism that the EU structures make democratic legitimisation very indirect, but that is at least partly a result of the EU being a club of sovereign democracies. The central tension was extremely evident during the Greek debt crisis, you have a change in government in Greece, but due to EU level constraints they can't enact a change in policy. More independent power in institutions less dependent on the member state, means the sovereign democratic national governments can't act on their local democratic mandates.

wqaatwt

38 minutes ago

> The EU is a parliamentary democracy

Except there are a couple degrees of separation between the democracy part and the running of the EU institutions.

The EU parliament is also a very superficial imitation of a real parliament in a democratic state. It has very limited say in forming the “government” or decision making.

> result of the EU being a club of sovereign democracies

So either revert to it just being a trade union or implement fully democratic federal institutions. The in between isn’t really working that well.

saubeidl

21 minutes ago

> Except there are a couple degrees of separation between the democracy part and the running of the EU institutions.

That's what parliamentary democracy means, yes.

wqaatwt

15 minutes ago

No, of course not...

In parliamentary democracies the parliament is elected directly and is generally sovereign (optionally constrained by a constitution or some set of basic laws and powers delegated to regional governments and such).

In no way does that describe the EU. It has no equivalent body. Its imitation “parliament” is extremely weak and barely has a say in who forms the closest EU has to a “government”.

immibis

2 hours ago

FWIW EU members are sovereign. If they disobey EU laws they can have benefits withheld but they won't be militarily invaded for ignoring EU law the way a US state would (unless they do something military themselves like invading another country).

StopDisinfo910

3 hours ago

For all the disdain I have for her, Von Der Leyen is the candidate put forward by the PPE, the majoritarian party in the EU parliament. So, yes, people were indeed allowed to vote.

wqaatwt

32 minutes ago

She was primarily nominated by the EU council.

The parliament would have picked Weber, but nobody cared since it's just there to rubber stamp predetermined decisions.

He was the leader of the party which won the plurality in the elections and had its support. EU had a real chance to move towards becoming a real parliamentary democracy if it went that way.

exe34

2 hours ago

I'm not in the EU! I can explain when somebody is wrong without having a horse in the race myself.

victorbjorklund

an hour ago

technically people didn’t vote for Trump they voted for electors which voted for him.

saubeidl

an hour ago

The same EU that shut down another attempt at Chat Control.

Bad legislation gets written everywhere, the difference is, in the EU it doesn't pass.

deaux

7 hours ago

The same EU that's doing NL Labs, the org mentioned in the comment you're replying to.

StopDisinfo910

3 hours ago

I hope the EU actually enforces the DMA and forces Google and Apple to stop their nonsense.

singpolyma3

12 hours ago

What's wrong with lineage?

hilbert42

11 hours ago

You have to get some of the big names to unlock the bootloader first. The trend towards locking it off permanently is alarming.

Edit: Google could ultimately use that as a lever in licensing deals with manufacturers. It'd marginalize everything.

IlikeKitties

7 hours ago

It's not a good, secure project by a long shot. There's a good comparison floating around:

https://images.squarespace-cdn.com/content/v1/60f1421e1afcf4...

AnthonyMouse

6 hours ago

That looks like someone made a list of mostly features specific to GrapheneOS so they could make a chart where all of the other alternatives (including stock Android) are full of red boxes.

Several of those are the opposite of security features, like SafetyNet support, which might be a convenience in some cases but it mostly makes it so you can't upgrade certain parts of the system to newer versions even when the old versions have security vulnerabilities.

IlikeKitties

5 hours ago

> That looks like someone made a list of mostly features specific to GrapheneOS so they could make a chart where all of the other alternatives (including stock Android) are full of red boxes.

No one else even bothered to make a list.

> Several of those are the opposite of security features, like SafetyNet support, which might be a convenience in some cases but it mostly makes it so you can't upgrade certain parts of the system to newer versions even when the old versions have security vulnerabilities.

Citation needed

AnthonyMouse

5 hours ago

> No one else even bothered to make a list.

That doesn't make the biased list good.

> Citation needed

Are you not aware of what SafetyNet is? It's the thing where Google certifies that the phone is running the software produced for it by the OEM. The problem, of course, being that the OEM stops issuing updates and then the certified version has known vulnerabilities. Which is a lot of the point of wanting to install a newer ROM on such a device, except that then it won't pass SafetyNet because you replaced the vulnerable but certified code with third party code that has the patch but not the certification.

immibis

2 hours ago

Technical things can affect people. Adversarial interoperability. They're using a technical thing to cause a social thing anyway, and fighting back with the same tactics is at least not surrendering.

thaumasiotes

15 hours ago

> I hope we can get the EU to fund a truly open Android Fork.

How are things in the EU on whether it's legal to buy a SIM card without showing ID?

asimops

14 hours ago

A secure OS is a prerequisite for secure digital services. We can agree on that, right?

The task, therefore, is to convince enough politicians to establish an independent unit that can address this issue without direct political influence.

Fund the unit with enough money so that it can take care of the cybersecurity and sovereignty of all citizens.

A side effect of this would hopefully be that these politicians would then be digitally literate enough to recognize nonsense such as chat control as such and reject it outright. I hope that most politicians would not really want such omnipotent surveillance tools if they could truly grasp their scope.

TeMPOraL

4 hours ago

> A secure OS is a prerequisite for secure digital services. We can agree on that, right?

Secure for who, and from whom?

Remote Attestation and Developer Verification both make Android OS and platform more secure against malicious actors that would want to defeat the guarantees the platform gives, guarantees that enable secure digital services.

Yes, this includes protecting the banking services and DRM media services and advertising platforms from malicious actors like you and me, who pose a real threat to the revenues of the aforementioned players, by:

- Expecting banking to do security right on their own side, instead of outsourcing it to mobile platform and society at large (like with "identity theft" trick);

- Enjoying entertainment and education in ways the vendor or IP owner does not like or can't be arsed to support, and thus not spending extra on the inferior ways that are supported;

- Not looking at the ads.

Same is with Chat Control. Chat Control improves security of the society against threats such as sexual predators who want to hurt children, or citizens who disapprove of how the current ruling class is governing the people. To effectively provide that security, Chat Control in turn relies on a secure OS and platform providing secure digital services - in particular, secure against those malicious actors that would want to circumvent Chat Control protections.

Is the larger picture clear now? Security technologies are not inherently good, they're morally ambivalent. They're "dual-use". It's important to consider their deployment on a case-by-case basis, always asking who is being secured, and what are the actual threats they're being secured from.

immibis

2 hours ago

> Chat Control improves security of the society against threats such as sexual predators who want to hurt children,

no it doesn't. Chat Control is single-use.

exe34

4 hours ago

did you understand and disagree with the third paragraph? if so, could you say in what way it didn't completely answer the question you just asked?

remix2000

14 hours ago

It is neither illegal nor hard to obtain such a prepaid SIM card.

kube-system

14 hours ago

That very much depends on the country, many require ID.

Kwpolska

14 hours ago

The ID presented at time of purchase does not have to be the ID of the actual user of the card. Your local drunkard will be happy to get $10 to buy a SIM card for you. Or you could visit eBay (or local equivalent) and get a valid SIM card without leaving your house.

kube-system

14 hours ago

The suggestion above wasn’t a statement of practicality but rather of EU motivations. Maybe you can also find a drunkard to fork Android for you.

logifail

9 hours ago

> The ID presented at time of purchase does not have to be the ID of the actual user of the card

In some EU member states this might be fine, but definitely not all.

> Your local drunkard will be happy to get $10 to buy a SIM card for you.

Buying a SIM card was always the easy bit. Getting it activated may not be, it depends on which country you're in.

https://www.telekom.de/prepaid-aktivierung/en/start

"For the Selfie-Ident you identify yourself with your identity card, passport or residence permit. (Selfie-Ident is currently possible worldwide with the German ID card, residence permit and passport. Alternatively, you can use Video-Ident and identify yourself in a video call with an employee.)

Important: Temporary identification documents are not supported due to internal check. You need a tablet or smartphone with a camera and an internet connection."

econ

7 hours ago

Surely others may use your phone?

noosphr

14 hours ago

> While it is technically feasible, it is not a good idea to try and find a technical solution to a people/organisation problem.

codedokode

5 hours ago

In my country, giving a SIM card to another person who does something illegal, is a crime. No doubt EU might soon have the same law - they are pretty good at copying.

As a result, sites where I could rent a number for verification, now don't offer local numbers anymore.

asimops

14 hours ago

Germany requires ID for all SIMs (for "normal" people). You can buy activated SIMs in every bigger city if you know what to look for though.

remix2000

14 hours ago

You can use any country's SIM card in any other country, regardless of its registration status.

kube-system

14 hours ago

… if you have roaming coverage.

And even in that case, doing this for a long period of time violates most roaming policies

pohuing

13 hours ago

There's EU (maybe even EEA?) wide free roaming legally mandated since I think 2017 or so? But it's not a permanent solution, your second paragraph still holds true.

kube-system

11 hours ago

I know of some UK SIMs that do not roam.

Digit-Al

4 hours ago

That's because we are no longer in the EU. Before Brexit they were legally mandated to allow free roaming in the EU. Now they are back to charging whatever outrageous prices they wish.

scarlehoff

9 hours ago

As far as I know it is only EU. Both UK and Switzerland have some operators that roam and some that do not. fwiw, fastweb in Italy provides roaming in both and has a very generous fair usage policy.

gambiting

12 hours ago

The only thing that happens is your data becomes a lot more expensive, the card still continues to work as normal. I've not lived in Poland for over 15 years now, and I still have a Polish SIM card that I use almost daily - the only thing that I've lost due to roaming long term is cheap data packs, I can still call and text as normal from my monthly allowance.

kube-system

11 hours ago

Maybe in the countries that you are familiar with that is the case.

In some places your plan will be cancelled for roaming beyond a certain number of days or quantity of usage. Telecom laws and policies vary widely.

WhyNotHugo

12 hours ago

> How are things in the EU on whether it's legal to buy a SIM card without showing ID?

It varies per country. In some you can just buy one (or more) SIM cards at a supermarket without any ID.

sigio

13 hours ago

In many EU countries you can walk into many a supermarket or phone-store and just buy a simcard with cash without questions asked.

jraph

15 hours ago

I'm confused, how are those two things related?

semolino

14 hours ago

The commenter you replied to was implying that the EU does not respect the privacy/freedom of mobile device users.

jraph

6 hours ago

Okay, thanks.

I was confused because anonymity against the state is hardly the only, or even a main point of android forks.

Privacy usually is, but against big tech typically.

peterhadlaw

14 hours ago

Nanny state

vik0

14 hours ago

More like surveillance state

ulfw

13 hours ago

Which states aren't? And for the love of god do not write US now

ekianjo

6 hours ago

> hope we can get the EU to fund a truly open Android Fork

The same EU that keeps pushing for breaking encryption and chatcontrol? No thank you

TeMPOraL

5 hours ago

> breaking encryption and chatcontrol

The two are not equivalent issues; the first one is ill-formed as stated.

Cryptography is a tool of control. It's "dual-use", in the same sense like a knife or nuclear fission is - its moral valence depends on who is wielding it, and to what end.

In the context we're discussing, encryption is being used against the people. Working encryption is in fact needed to make chat control work - it's fundamental to it, the same way it is to Developer Verification and Safetynet/Remote Attestation. It would be great if EU decided to break that set of encryption applications. Alas, chat control only wants to break E2EE on messages, and uses encryption elsewhere to guarantee E2EE stays broken.

A more general comment about this thread, and related ones in the past: people really need to stop thinking about "encryption" and "security" as inherently good. They're not. Most of the social problems with computing, the attempts at user disempowerment and disenfranchisement, persist because they apply cybersecurity solutions.

The core question of security is always: who exactly is being secured, and from who.

ianbutler

12 hours ago

I think this means we need to rely on web technologies more. PWAs are looking pretty good on mobile devices these days and you can publish any web app you want with no reviewing authority. The web has a bunch of crazy APIs now that let you build crazy things and for everything else you're a hosted server away somewhere that can run more complex jobs.

I believe devices I own should let me do whatever I want with them and I agree that the verification is BS, but I'll work around it in the ways I can which means building more for the web.

If that ever drops the open pretense (since both traffic and trust authority are largely centralized and thus easily controllable) then I'll only write for self hosted linux boxes.

We as individuals can only do so much. We'd need actual organization and some measure of political power to do anything more since normal people do not care about this.

rs186

10 hours ago

Bad news for you, Google happens to have a tight grip on the entire web ecosystem -- browser, search, ads etc.

ianbutler

4 hours ago

I obviously understand this and mentioned as much indirectly in the post. You can only do so much and the web is still more open than Android is about to be so again, you do what you can.

nine_k

11 hours ago

You need native apps to access specific hardware, and to run some native code. WASM may help but it's limited, too.

Jaxan

2 hours ago

How many apps rely on specific hardware or native code though? I can only think of my banking apps when using nfc.

Wowfunhappy

12 hours ago

I thought Brent Simmons did a great job laying out why PWAs don't work: https://inessential.com/2025/10/04/why-netnewswire-is-not-we...

The tl;dr is that a PWA implies an app which is based in the cloud. So suddenly you need a server, and you need to store user data, which means costs and dealing with privacy and security.

teraflop

12 hours ago

That explanation doesn't really make sense to me.

If something could be built as a native app without depending on a central server, it could also be built as a PWA without a central server. You don't need to store user data centrally at all, just because it's a webapp. You can just have the clients use localStorage or IndexedDB or whatever.

You still have to host the static files for the webapp itself, but that can be made very cheap.

Of course, API feature parity between native and web apps is a separate issue. But the argument about server costs doesn't seem like a good one.

Wowfunhappy

11 hours ago

Isn't localStorage limited to 5 MB of data?

teraflop

10 hours ago

Sure, but localStorage isn't really ideal for storing large objects anyway, because it forces everything to be stored in one big string-to-string map. It's great for small amounts of data such as user preferences.

There are other APIs that allow you to store binary data directly (which you'll probably want if you're storing large files) and also to use/request larger quotas.

koiueo

10 hours ago

IndexedDB API is a bit more liberal in that regard

Jaxan

2 hours ago

Basically every native app has a server behind it to harvest user data nowadays. So I don’t think it’s an argument for why PWAs won’t work.

Wowfunhappy

an hour ago

If the app is made by a company, sure.

It seems to me that, ironically, PWAs are uniquely ill-suited for the type of non-corporate software where distribution outside mainstream channels makes the most sense.

twixstar

9 hours ago

I read the article, and I'm pretty certain he's talking about a traditional web application. When we speak of PWAs we're thinking of a set of APIs that let a web app behave like a native application, i.e. 'installation' + service workers, background sync, IndexedDB/FileSystem etc. You could probably make a self-sufficient RSS reader with what's available.

charcircuit

7 hours ago

Practically you are going to have a server distribute a native application anyways.

thr0w4w4y1337

13 minutes ago

LlamaLab's Automate has a non-root privileged service via network adb service. Would it be possible to simplify app installation via adb the same way? An app that reads apk, sends it over pre-paired ADB. Sounds like a much simpler solution.

whatshisface

7 hours ago

> My vision of the hack is to distribute a verified loader apk, which in turn dynamically loads any apk the user wants. A user obtains the loader apk once and loads apps without installing as much as they want.

Google's not going to let you keep your signing key if you do this with it.

sleirsgoevy

an hour ago

What about this idea? Make a movement among the devs who are willing to distribute "legitimately" (via Google Play or "authorized" sideload), to sign their apps with intentionally insecure private key. Then some community will just mine up these certificates in already published apps and publish them somewhere on GitHub.

gruez

16 hours ago

Sounds like the UEFI shim loader that's signed by Microsoft but can load an arbitrary EFI executable (with some signing checks). The difference is that the UEFI shim loader is endorsed/condoned by Microsoft. What about Google? This seems easily patchable, ostensibly for "security purposes" (eg. disabling loading dynamic code).

p_l

15 hours ago

Microsoft also forces manufacturers to provide an option to reset Platform Key aka SecureBoot "root of trust" key - which is supposed to be not possible in spec-compliant UEFI system.

They don't do it out of goodness of their hearts, which is why it's more solid than relying on goodwill - Microsoft simply has an offering that depends on that for certain high profile clients.

XorNot

14 hours ago

I suspect it's also a defense against antitrust law suits - lock in was how they got sued for things circa Internet Explorer.

Frankly they should still be getting sued for the way Edge and Cortana are bundled.

leptons

14 hours ago

Then Apple should get sued for bundling Safari, and also for forcing all browser engines on iOS to use Safari - which is way worse than anything Microsoft ever did with IE.

torstenvl

13 hours ago

Apple does not have a platform monopoly on smartphones the way Microsoft did on PCs.

AnthonyMouse

4 hours ago

Microsoft was convicted of monopolizing the market for IBM-compatible PCs, i.e. not Macs.

Which makes a lot of sense, because you couldn't run Windows on a Mac nor MacOS on PCs from the likes of Dell or IBM, and you couldn't run third party software for Macs on Windows or vice versa. By contrast, you could run various types of Unix on a Dell, and run Windows software on OS/2 or DOS software on DOS competitors other than MS-DOS.

That distinction seems like it might be relevant to the current situation.

antiloper

15 hours ago

This will not work because the goal of android developer verification is to prevent running Google-sanctioned code. If you actually tried to publish this, Google will revoke the signature on the loader APK.

NewJazz

15 hours ago

Ah yes sanctioned. A word that has two opposite meanings.

layer8

13 hours ago

Contronyms are awesome, yet people are nonplussed.

Telaneo

11 hours ago

While neat, it glosses over the actual problem, while maybe not even solving it (depending on what you deem the problem to be in the first place). It solved the immediate problem today, but not in a way that's going to remain solved.

I'd imagine Google would plug any major holes in their soon to be closed garden, assuming that is their intention. So this and any other fix to the problem of 'install app through not-Google Play' that goes via technical means that Google can just cover up after a month or two doesn't actually move the needle any meaningful amount.

In the same vein, using adb isn't a real solution to that same problem for most people, since having to use adb is a massive jump in required effort that's going to leave all the normies behind, with only the super-dedicated willing to go through the hassle, and an equivalent amount of developer effort is going to be left behind as well, since their audience just got decimated, and they themselves might not even bother to develop something that even their dad or sister is going to bother/be able to install. Anything that's much more complicated than 'go to website, download thing, run thing, click your way through' doesn't solve for this.

The actual problem is to have Google not be knobheads about it, and the only way that's realistically going to happen is through the law, but that's not looking all that likely in my view.

fsmv

11 hours ago

Just use adb. You can do adb wifi on device. You don't have to distribute a signed apk just sign it fresh on device.

Retr0id

10 hours ago

This is the way. You can also do adb-over-webusb with a second device.

Permik

4 hours ago

With apps like Shizuku you can do the whole nine yards all locally untethered with one device :)

VladStanimir

4 hours ago

I am not an app developer however from what I read on the android developer site you just need to provide some form of id, the signing key and the app id.

You don't have to distribute via the app store, you don't have to get Google's permission to publish the app or have them sign it.

This looks like purely app validation, we only run apps we can prove originate from the author.

huem0n

20 minutes ago

Under that logic, even if the app is "malicious" it would still be possible to install it. And that's not true, if something is deemed malicious, it's blocked. Is an app that hurts Google's dominance "malicious"? Who is it that decides what is malicious?

t_mann

15 hours ago

> verified loader apk, which in turn dynamically loads any apk the user wants

Wasn't this kind of solution considered and sort of dismissed (because of too much centralization iirc) by F-Droid (can't find the reference now)? It seems like something that's worth trying, but in the end it's just a band-aid. If it gets any traction Google will shut it down. The real disease is dependence on a duopoly of (quasi)-proprietary OS for the dominant computing platform of our time.

kevincox

15 hours ago

I see a handful of problems.

1. The loader will just get banned.

2. The application ID and permissions are that of the loader. To have different applications with separate data and permissions you would need multiple copies of the loader.

3. You miss out on other android security features such as application signing validation for updates.
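The update check referred to in point 3, sketched as an added example (not part of the original comment and not Android's own code): the installer pins the signer certificates on first install and refuses later packages under the same application ID that are signed differently or carry a lower version code. The `Package` and `InstallRegistry` names and the certificate bytes are constructed for illustration, and key rotation is not modeled.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str             # application ID
    version_code: int
    signer_certs: tuple   # signing certificate bytes (constructed placeholders below)


def cert_digests(pkg):
    """SHA-256 digest of each signing certificate, as an order-independent set."""
    return frozenset(hashlib.sha256(c).hexdigest() for c in pkg.signer_certs)


class InstallRegistry:
    """Simplified model of trust-on-first-use signer pinning per application ID."""

    def __init__(self):
        self._installed = {}  # name -> (pinned digests, installed version code)

    def install(self, pkg):
        if not pkg.signer_certs:
            return "rejected: unsigned"
        digests = cert_digests(pkg)
        current = self._installed.get(pkg.name)
        if current is None:
            # First install: whatever signed this package becomes the pin.
            self._installed[pkg.name] = (digests, pkg.version_code)
            return "installed"
        pinned, version = current
        if digests != pinned:
            # Same application ID, different signer: not an update of this app.
            return "rejected: signer mismatch"
        if pkg.version_code < version:
            # Blocks rolling back to an older build with known bugs.
            return "rejected: downgrade"
        self._installed[pkg.name] = (pinned, pkg.version_code)
        return "updated"


def demo():
    """Run a constructed install/update sequence and return each verdict."""
    dev_cert = b"constructed-cert-original-developer"
    other_cert = b"constructed-cert-someone-else"
    registry = InstallRegistry()
    sequence = [
        Package("com.example.notes", 1, (dev_cert,)),    # first install
        Package("com.example.notes", 2, (dev_cert,)),    # genuine update
        Package("com.example.notes", 3, (other_cert,)),  # re-signed copy
        Package("com.example.notes", 1, (dev_cert,)),    # rollback attempt
        Package("com.example.notes", 4, ()),             # no signature at all
    ]
    return [registry.install(pkg) for pkg in sequence]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Code that a loader pulls in at runtime never passes through this check, so the pinning and rollback protection apply only to the loader's own package.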

numpad0

9 hours ago

> My vision of the hack is to distribute a verified loader apk, which in turn dynamically loads any apk the user wants.

Right back to Symbian signed AppTRK and rolling back hardware clocks. Great.

zb3

15 hours ago

Well, I'd rather verify myself with the government identity than accept a stock OS that literally woke me up with a fake message promoting Gemini despite me spending almost 2 hours turning every possible privacy-invasive setting off.

To me, the attention to these verification changes seems misplaced. We need to defend the ability to unlock the bootloader, pressure Google to revive AOSP and then encourage people to switch to a more user-friendly OS.

You're already unable to install what you want on a stock OS due to Android permission model treating you as a third-class citizen, after Google and OEMs.

sleirsgoevy

an hour ago

The issue with government IDs is that they are, for all we know, not trustworthy, but everyone treats them like they are. And you know, I am not going to "verify" myself with Google with this kind of toilet paperwork.

If Google decides to pull this off, then I guess reflashing to a custom ROM with this crap patched out will be a very first step I'll be recommending to anyone who cares.

asimops

14 hours ago

In my opinion, the only solution while keeping Google and Apple as the developing entities is regulation.

Despite that, there are some things that should not be for profit in my opinion. A good OS platform is one such thing.

cageface

12 hours ago

I agree but I also think any meaningful regulation is off the table for the next few years in the USA at least.

bitwize

14 hours ago

> My vision of the hack is to distribute a verified loader apk, which in turn dynamically loads any apk the user wants. A user obtains the loader apk once and loads apps without installing as much as they want.

And a day after you release, Google will say "Oh no you don't" and unverify your app, preventing it from being installed or run. Which is you know, kind of the point of this maneuver.

cyberax

14 hours ago

This "attack" is not even theoretical. Android apps can just download arbitrary binary code, mprotect(PROT_MAYEXEC) some area in RAM, link the code there, and run it.

Google will simply revoke the keys for the "loader" APK. But that's fine for malware, its authors will just use the next stolen credit card to register a new account.

That's also why this has nothing to do with security.

clueless

10 hours ago

what does it really have to do with?

fifticon

7 hours ago

these holes will be closed and turning into flaming jumping hoops, so this is not viable. fight the people designing the game.

charcircuit

7 hours ago

> Google assures that it would be possible to install applications locally using ADB, but there are no details on this

It's going to be the same as Play Protect using the PackageVerifier API. Even if you won't trust that Play Protect will continue to allow adb installs, if you go to the developer options you can disable package verifiers for adb installs.

> the concept

This would not really work considering you can't do a lot of things at runtime. You can't create activities, you can't create services, you can't declare permissions, you can't use permissions, etc. Pretty much everything in your manifest can't be done properly. You can't really do a job faking it. You would have to declare a ton of dummy activities with all different permutations of things like launch mode, document launch mode, intent filters, etc.

What you can do are things like game engines like how the android godot editor works where you aren't loading full android apps, but projects into the editor.

userbinator

12 hours ago

Or you could just tell everyone out there that there are already tons of older Android devices which will never get any of these hostile updates, and if you're a developer, make sure your app runs on those older versions. Spread the word about how hostile the newer devices are, and let the lazy masses do what they're best at doing. Of course there will always be rabid bootlickers who will gladly pay to put Google's noose around their necks, but if they become the minority, and the majority just stops upgrading, it could very effectively pull control of Android away from Google. Giving everyone yet another reason to not upgrade, especially given the huge Android marketshare in poorer countries, could become a powerful force.

blueg3

10 hours ago

If this is an acceptable solution, just run a modern uncertified Android instead.

Aeglaecia

12 hours ago

i thought google was going to push this as an update to play services , thus affecting all models

Random09

12 hours ago

Good luck with unsecure phone. This is clearly a bad idea.

nacozarina

7 hours ago

yeah, googs can get rekt, I’m not even

immibis

14 hours ago

I'm already banned from publishing Android apps through Google, but apart from that, what would stop me making a server you can upload any app to and sign it with my certificate?

maxloh

12 hours ago

That could actually be done solely on the device. You can develop an app to sign arbitrary APKs with users' own hobbyist certificate. Lucky Patcher has done that for a decade.

sleirsgoevy

an hour ago

Making every user "verify" themselves with a government ID is a no-go, because government IDs are no more trustworthy than toilet paper.

immibis

2 hours ago

I could even just give out my certificate and private key (if I'm allowed to have one). It's not like I need it to be private. Google would probably blacklist the certificate and then we get to sue Google based on the fact they said doing this would allow the app to work, but they didn't follow through with what they said.