110
Let's talk security: Answering your top questions about Android developer verification
(android-developers.googleblog.com)
this post was submitted on 01 Oct 2025
110 points (95.8% liked)
Android
20365 readers
231 users here now
The new home of /r/Android on Lemmy and the Fediverse!
Android news, reviews, tips, and discussions about rooting, tutorials, and apps.
πUniversal Link: !android@lemdro.id
π‘Content Philosophy:
Content which benefits the community (news, rumours, and discussions) is generally allowed and is valued over content which benefits only the individual (technical questions, help buying/selling, rants, self-promotion, etc.) which will be removed if it's in violation of the rules.
Support, technical, or app related questions belong in: !askandroid@lemdro.id
For fresh communities, lemmy apps, and instance updates: !lemdroid@lemdro.id
π¬Matrix Chat
π°Our communities below
Rules
-
Stay on topic: All posts should be related to the Android OS or ecosystem.
-
No support questions, recommendation requests, rants, or bug reports: Posts must benefit the community rather than the individual. Please post to !askandroid@lemdro.id.
-
Describe images/videos, no memes: Please include a text description when sharing images or videos. Post memes to !androidmemes@lemdro.id.
-
No self-promotion spam: Active community members can post their apps if they answer any questions in the comments. Please do not post links to your own website, YouTube, blog content, or communities.
-
No reposts or rehosted content: Share only the original source of an article, unless it's not available in English or requires logging in (like Twitter). Avoid reposting the same topic from other sources.
-
No editorializing titles: You can add the author or website's name if helpful, but keep article titles unchanged.
-
No piracy or unverified APKs: Do not share links or direct people to pirated content or unverified APKs, which may contain malicious code.
-
No unauthorized polls, bots, or giveaways: Do not create polls, use bots, or organize giveaways without first contacting mods for approval.
-
No offensive or low-effort content: Don't post offensive or unhelpful content. Keep it civil and friendly!
-
No affiliate links: Posting affiliate links is not allowed.
Quick Links
Our Communities
- !askandroid@lemdro.id
- !androidmemes@lemdro.id
- !techkit@lemdro.id
- !google@lemdro.id
- !nothing@lemdro.id
- !googlepixel@lemdro.id
- !xiaomi@lemdro.id
- !sony@lemdro.id
- !samsung@lemdro.id
- !galaxywatch@lemdro.id
- !oneplus@lemdro.id
- !motorola@lemdro.id
- !meta@lemdro.id
- !apple@lemdro.id
- !microsoft@lemdro.id
- !chatgpt@lemdro.id
- !bing@lemdro.id
- !reddit@lemdro.id
Lemmy App List
Chat and More
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I know I will get downvoted for this opinion, but I like this.
Developers who decided not to use Play Store can still do so, but are required to identify themselves. I get that not everyone is willing to do this, but there still is a free way to compile apps yourself and put it on your phone.
I am a developer myself and I have published apps for iOS and Android in the past and this process still is way easier than anything an iOS developer has to do to just install an app on his personal phone.
Imagine if every program on your PC had to be verified by Microsoft, or Canonical.
Fuck that noise.
This won't increase security. This just allows Google to tighten the reigns on their system to push out alternative app stores and enhance their monopoly. What do you think will be in the developer agreement - guarantee there's clauses preventing YouTube frontend apps (Freetube, Grayjay) and root alternative apps (Magisk, Shizuku). If it's not there on day one it will magically appear in a few months - and then the rug will be pulled from under those devs and they'll be banned from working on Android again on anything, potentially sued, and Google will be able to enforce it because they know exactly whom the devs are and have their government IDs.
I totally agree with you that having Google as the only one able to assign these certificates is a problem. This needs to change (and I rely heavily on the EU to enforce this), but I still think that everyone who is publishing an app to an undisclosed number of people (and therefore there is no implicit trust by design) should identify him- or herself to some authority.
I agree if someone makes something like the ice app for their country the government should be able to track them down if they want. There shouldn't be a way for citizens to distrupt things for any reason. We need government to control every aspect of our lives and key is to make everything trackable for a safer world so the authorities in power can remain in power.
Every action should be identifiable. Including lemmy. It disturbs me that such a site where people arent required to provide real IDs exists.
Why? Google is demanding personal ID for devs, but we have no idea who wrote code for the Google apps we install - was it a Californian, was it slopped together by an AI, was an NSA analyst supplying code? Sorry, Google deems that's all private. Code is closed. Trust us.
Now, open source devs who value their privacy are forced to give it all up for users to continue using their vettable code that has earned them user trust over years or decades - just to give Google direct power over them. Power to ban from the store, power to sue, to litigate - you presume for benevolent reasons, however there is not much reason to believe this, given Google's history.
Google has repeatedly spread malware through their store and it has had real world impacts, so if they want to improve their security and more thoroughly vet the devs that they charge to use their store to distribute their code, fine - that's their call. But that's not all they're doing, is it - they're demanding ID from any dev that uses any storefront, even if that storefront is completely out of Google's hands and has over a decade of never distributing a single piece of malware.
Don't be fooled, this is a ploy to kill third party apps and third party stores, while enabling Google to strike at any devs of apps they take issue with.
They're taking away a BIG freedom in android, which is installing apps from wherever you want, however you want, and when you want.
And google play itself has WAY MORE malware than all FOSS sources combined.
Do you reconsider now?
FOSS is a thousand times more reliable than the standard app on play store.
Honestly this was one of the few major advantages to using android over iOS. Might have to consider a switch now..
no no no, hold your horses!
there is hope in custom roms and root!
and maybe, ADB (therefore shizuku).
unless you mean a switch to linux phones
then, do it.
That freedom is still there. The only thing going away is installing from an undisclosed source.
Why should we have to disclose the source to google? It's evil, and this is just more bullshit they are trying to get your data.
You'll get downvotes because this is just rationalizing kow-towing to Google.
There's no technical, nor security reasoning to rationalize this.
There is security reasoning
The internet has a ton of malware and having a better way of identifying apps isn't a bad thing. The problem is when it is used in order to make Google the sole gatekeeper of alllowed apps.
The malware is already on the Play Store.
Google is already doing nothing about malware that you can officially download directly from Google.
Google play is huge
Every time Google finds malware they take it down and improve their processes. I'm definitely not a big fan of Google but they do handle security pretty well. (Except for malware in ads)
There are plenty of reasons to hate Google. However, just because there have been cases of malware on Google play doesn't mean that downloading apps is somehow less risky. You should stick to trusted sources and avoid questionable apps. The core problem here is the fact that the solution Google came up with for malware prevention allows them to block third party app stores and potentially apps not liked by Google like NewPipe.
I would have far less of an issue Android app verification if it was instead implemented in AOSP with a way for users to configure it in settings. Bonus if it allows users to install trusted certificates from third parties.
Yes and they actually have a malware service that already runs on side loaded apks. This isn't about security and you can't convince me otherwise.
The solution they "came up with" just didn't just happen to exclude those apps. It is the entire purpose.
We have had anti-malware on desktops for decades. None of them set a system hard line at phoning home to (insert mega globo corp) to install software on hardware, I repeat, you own. It's yours. You paid for it. What you do with it is none of Google's concern.
Are you stubborn?
You don't understand how easy it is to get a fake Id/passport with any photo you like in some countries.
Bad actors already do this, which clearly doesn't stop bad apps from appearing in the play store. If the main reason why this new thing exists is to prevent malware and such, and it immediately fails to do that, what other motives do you think there could be?
You may have apps on iOS and Android, but you're either very naive or privileged enough that can't see a problem with this whole verification.
Well yes. That's what happens when your only argument boils down to "It could be worse".
My argument isn't "it could be worse" - my argument is "that's how it should have been from the beginning".
Then you deserve them even more. Fuck privacy and freedom I guess?
"No no, my argument is even worse than that!"