You might sideload an Android app, or manually install its APK package, if you’re using a custom version of Android that doesn’t include Google’s Play Store. Alternately, the app might be experimental, under development, or perhaps no longer maintained and offered by its developer. Until now, the existence of sideload-ready APKs on the web was something that seemed to be tolerated, if warned against, by Google.
This quiet standstill is being shaken up by a new feature in Google’s Play Integrity API. As reported by Android Authority, developer tools to push “remediation” dialogs during sideloading debuted at Google’s I/O conference in May, have begun showing up on users’ phones. Sideloaders of apps from the British shop Tesco, fandom app BeyBlade X, and ChatGPT have reported “Get this app from Play” prompts, which cannot be worked around. An Android gaming handheld user encountered a similarly worded prompt from Diablo Immortal on their device three months ago.
Google’s Play Integrity API is how apps have previously blocked access when loaded onto phones that are in some way modified from a stock OS with all Google Play integrations intact. Recently, a popular two-factor authentication app blocked access on rooted phones, including the security-minded GrapheneOS. Apps can call the Play Integrity API and get back an “integrity verdict,” relaying if the phone has a “trustworthy” software environment, has Google Play Protect enabled, and passes other software checks.
Graphene has questioned the veracity of Google’s Integrity API and SafetyNet Attestation systems, recommending instead standard Android hardware attestation. Rahman notes that apps do not have to take an all-or-nothing approach to integrity checking. Rather than block installation entirely, apps could call on the API only during sensitive actions, issuing a warning there. But not having a Play Store connection can also deprive developers of metrics, allow for installation on incompatible devices (and resulting bad reviews), and, of course, open the door to paid app piracy.
I’m pretty new to this sort of stuff. I was planning to buy Google Pixel 8 sometime in November when they usually have sales. And install GrapheneOS. I never used this type of stuff before.
So will I have some trouble installing some stuff like some of mobile games, banking app, emails, etc? I’m in Canada if this help.
The EU is going to be furious about this
I hope so. I don’t want Android to become the new Apple
Nah, I doubt it. The app developers are freely adding this themselves.
The EU should limit Google giving developers this ability is what they mean
Ew. Fuck google
I hate having to be on the side of “Defending” google… but this is the app makers fault, They are the ones using whats provided and installing the artificial limitations.
Google just provided the capability to do it. The app makers are executing it.
Good that most apps I use now are open source but for those few that I still get from Aurora Store it might be a death sentence but perhaps this API could be spoofed?
From where does the aurora store get the binaries?
From the Play store
Yeah, it happens to Spotify mods as well. This isn’t good
They’re still pissed that people won’t put up with their shitty YouTube app and use Revanced instead, eh?
That’s not on Google Play so it doesn’t affect it. I honestly don’t know what the point of this is.
Oh I see, so it only affects modded apks… They probably want to crack down on all those slightly-shady “spotify premium free”-apks.
No, it only affects vanilla apks where the dev implemented the check. For some reason the dev might forbid to run the app to users that side loaded the app instead of getting it from play store
Patched/modded apks are unaffected because the check is patched out
That seems likely. The question comes down to where the line should be drawn. Allow the apps the be installed and then when the data is eventually reported/found by the app owners to have them file law suits against those who are “stealing” from them, or to not allow the cracked application to be loaded in the first place, which is easily disguised as a security protocol because if an app has code in it that is not originally supposed to be there, it is very possibly a form of malware, which then can hurt the users in the long run or short run if it actually acts malicious and starts doing shit like old school viruses did on PC.
People want to say we own the device so we should be able to do whatever we want, but blatantly allowing people to install cracked apps with keyloggers onto their phones unintentionally will get them sued, and ultimately hurt how many people stay using their products.
Imagine every user and password with the site listed was suddenly just accessible by everyone. It would be a hellscape of credit card companies trying to stop accounts because you order 18 pizzas off the dominos app in Georgia, and another 13 sandwiches in the burger king app at the same time in Jersey.
We need to have the freedom to load apps we trust, but if you look at the standard user base, that’s who they have to make the phones for.
Could do something like make the users agree to terms by taking the phone into developer mode that makes them non responsible somehow? Might not hold up in court when they get sued though. “All the photos I took on my phone got shared online”
I think things are fine the way they are, we don’t need to interfere, unless for profits ofcourse.
People want to say we own the device so we should be able to do whatever we want, but blatantly allowing people to install cracked apps with keyloggers onto their phones unintentionally will get them sued, and ultimately hurt how many people stay using their products.
Imagine every user and password with the site listed was suddenly just accessible by everyone. It would be a hellscape of credit card companies trying to stop accounts because you order 18 pizzas off the dominos app in Georgia, and another 13 sandwiches in the burger king app at the same time in Jersey.
We need to have the freedom to load apps we trust, but if you look at the standard user base, that’s who they have to make the phones for.
It has been 16 years since Android came on the scene. Why do you think that these things are going to become such a big issue now in 2024 and beyond?
The only reason I’m still sticking with Android is the ability to sideload
I have no reason to use an android if this is the road Google wants to follow and expect my next phone to be an iPhone SE
I’m in this boat. I really liked using Android and tinkering with it. If I do so now I cannot even use my banking app without doing aftercare each update
May as well sideload on iOS~
I read through your tutorial. One thing it doesn’t mention(probably, ADHD means sometimes I skip a line or two and don’t realise) is if there’s a lower limit for iOS version. Does it assume the person following along has a device <X years old?
Works fine on latest version.
What’s the oldest version it works on?
I am not really sure, iOS 13 I suppose?
Cool, thanks.
The only caveat is you Gotta pay yearly $99 for dev account or be limited to 3 apps.
Looks like you’re someone who doesn’t read but it uses DNS filters to use revoked certificates.
Google and Apple have come out against legislation that would broaden sideloading rights for smartphone owners, citing security and reliability concerns.
Fuck off google.
Google and apple you can let us worry about our security ourselves, thank you, though I’m sure you have our best interests in mind and only that
…as I upvote you from my Pixel. ☹️ I give the sad face because Google isn’t who they once were and I’m just going to have to deal with that.
Never ask a company to pick between the right thing and profit. It was all a matter of time till Google needed to stop growing and start producing profit for investors.
To make it worse the Pixel 9 starts at $800 just like iPhone. So if you’re buying Android you don’t really save money over an iPhone like you used to.
Never ask a company to pick between the right thing and profit.
It’s fundamentally impossible for a publicly traded company not to choose profit over ‘The Right Thing’, fullstop. Shareholders feel that have a fundamental right to growth, and if Google’s CEO were to choose ‘The Right Thing’ over profit, the shareholders can oust them in favor of a CEO willing to choose profits.
Enshittification is where every public company ends up, because the line MUST go up, no other alternative is acceptable.
Can we do anything ?
Custom ROM or just go back to a flip phone.
It’s only going to get worse with the big players from this point on.
I honestly think I’ll be getting a feature phone next time. I’ll keep an old smartphone just for Android Auto and that’s it.
This seems like a brilliant feature to roll out as they’re getting investigated by the DOJ for being a monopoly.
I unironically think so. It offloads the blame onto individual app developers. Google can turn around and say oh well it’s what the market wants
Google : “You don’t own your phone, we own you.”
This has almost nothing to do with Google, it’s a feature that has to be enabled by the app developer. Meaning they want to exclude users getting the APK for their app from elsewhere.
Kinda. It might be 3rd parties using it but it is 100% an API designed by Google to keep apps on Google Play.
For all we know it could have been requested years ago by developers who have apps that get pirated but there was no mechanism in place to implement it at the time, and wasn’t a priority.
Just because it’s beneficial to Google maintaining more direct control now, that doesn’t necessarily mean that’s the origin.
Well, there is a separate system for pirating prevention, the Google Play license check. That has existed for years.
If an app gets pirated they’re going to have thrown out this check too.
Also, didn’t the EU declare that Apple needs to allow other app stores on their devices?
This seems like a bonehead move all around…
Android already has other apps stores, like F-Droid.
Yes, I know. The point is that people seeking privacy eventually won’t be able to use their banking apps and other online financial accounts unless they’re signed into Google Play to ‘authenticate’ the app.
AKA force you into letting them steal more of your private info…
I kinda understand it from the bank’s perspective… They need to reduce risk which is why a lot of banking apps check if the phone is rooted (if it’s rooted, how can you be sure that a malicious app with root access isn’t patching the app in memory and redirecting transfers to a different account?)
Having said that, I really don’t think they need to restricted it such that the app can only be installed through the Play store, as long as the app is properly signed and uses certificate pinning to prevent MitM attacks.
Fidelity apps doesn’t require any of this shite?
But some shiti cash-app does?
I wonder why 🤔
everyone wants to be like apple
In this case, it seems like it’s the app makers themselves who are requiring the Play Store, though. Unless I’m misreading this, the developers are using the Integrity API to determine if the app was installed through “official channels” (in this case, the Play Store). Feels like people should be upset at the companies behind the apps, here.
Okay. Then either use older backup versions of those apps before the requirement of the Play Store, or just quit using those apps and services and switch to less enshittified apps and services.
Easier said than done these days, I know…
What’s the point of having an android phone then? I fucking hate android so much, but I only use it, not iOS, because of sideloading.
OfIf they take that away from us then why not just get an iPhone then? Our only hope is Linux phones picking up a little.It’s the apps that prevent themselves being sideloaded. Presumably, their devs will enact similar policy on EU iOS too.
Fuck me, it’s like a butterfly effect, every mother fucker now will follow suit.
One reason would be that with an iPhone, you’re paying two to five times the price of an Android phone with comparable hardware.
Hardware isn’t everything. Apple has a couple of advantages over iPhone that let them do more with less:
- iOS needs to support a MUCH fewer devices than Android. Even before they switched to their own silicon, they’ve been optimizing the OS to the hardware really well giving you devices that go toe to toe with Android flagships of the same generation with SIGNIFICANTLY better hardware and like double the RAM. Also why Apple doesn’t really care to increase RAM as much as the android side of things.
- Apple silicon is actually really good and making their own hardware allows them to optimize on both sides of the equation and lets them do more with less.
The selling points for Android (at least the way I’ve seen it over the years) have always been full control (talking about non-root, I’d rather not go down the root rabbit hole here) and (since iPhone 11 started doing firmware blocks on parts) reparability…but both seem to be going out the window lately.
Prices are crap though, but then again Android phones on the top end don’t seem much better. 1-2 gen old iPhones are usually a bit more reasonable though tbh.
F-Droid
Most of the apps I have and use are installed via Droidify. The ones that aren’t are company apps, like banking or airline. I could just used the web sites for those; they’re only conveniences.
My phone isn’t rooted, and I didn’t read the article so I don’t know how this will affect me. If push comes to shove, I’ll simply bite the bullet and get a phone I can install Linux on next time, regardless of how polished for daily driving it is.
Right on. I do use F-Droid and droidify. I also use Obtanium. Linux phone has never sounded better, godammit. Like you, I really don’t give a shit about those banking apps and other shit, web browsers are more than enough in this day and age.
This is just Google’s clever way of not removing the sideloading feature from their OS.
They let app developers to prevent users from using sideloaded app.
This way they can avoid antitrust lawsuits.
I have high hopes for apps like lucky patcher and Revanced manager to help us avoid this bullshit
which cannot be worked around.
Well, at least not without root lol
Root detecting apps to Side loading detecting apps:
First time?
I installed FakeStore and set the app’s
installed_by
* property from Package Manager to FakeStore (com.android.vending
, the same as Google Play Store), which was enough to fool the public transport app I’m using. Is this the workaround you’re talking about, or does it require MicroG too?* Not what it’s actually called, can’t remember that
Yea that sounds about right, really hiding root is straight up magic as is (even though it’s a cat and mouse game lol) and achieving that is 98% of the hard work of hiding the fact an app has been sideloaded. Short of a complete overhaul from Google where they actually try that is.
Which, if I’m being honest, doesn’t seem like they are. It seems like a rather simple system all things considered. There’s no Playstore specific keys or signatures or file checks or hashs as far as I can tell. Its just a flag and checking if Playstore exists on the device at all
“root access is used to bypass security measures!!! We will make it harder to root your phones to keep your data safe” – Google
Haha, gross: We can’t control the devices we own.
I genuinely don’t even know where to buy an affordable device that is free from this kind of control. Some company always has outsized control (and in some cases arguably surveillance) over anything you can find on the market. It sucks so bad.
Ironically, it might be Pixel + Graphene
How tricky is this to install and use? I have a samsung and use lots of the usual apps. Wondering if it would be feasible for that purpose.
Haven’t tried yet but it’s becoming increasingly appealing to me lol
What is a “trustworthy software environment”?
Does that mean that it will get mad and fail you for having Developer options enabled? Having F-Droid installed? Having it plugged into a computer?
There’s a bank here that refuses to let you log into their app if you have developer options enabled. Their service was getting much better until that point, but I dropped them completely after that.
I use developer options to get better screen density on my large ass screen, and to you know…develop apps 🤷♂️
FUCK THESE ASSHOLES WHO THINK THEY CAN TELL ME WHAT I CAN AND CAN NOT DO WITH MY PHONE
People seriously need to start pushing back on the word “secure” being used as a blanket excuse for every restriction.
It feels like every time that word is used, no one is willing to call out the fact that user freedom is equally as important and it’s a lazy, disrespectful developer who won’t take that into account by finding ways to maintain both.
If it detects wrongspeak it will tell the authorities.
U joke but that’s where we are going
I express it as a joke but it’s a ploy to make people realize this.
According to the dumbfucks making the government application of Belgium (to read official communication) trustworthy means having developer mode disabled.