Well this is neither bad nor good. Because custom Roms will have a hatch out of it.
This is against something the article itself describes:
> We've actually been unknowing victims of illicit Google app distribution here at Ars before. We once imported a Xiaomi Redmi 3 smartphone from China to review, and, upon booting it up, we were very surprised to find it came with the Google apps pre-installed. As a device from China, this should not have happened. After we posted the review, Xiaomi contacted us with some very scary news: "The Redmi 3 should not come with Google Play pre-installed because it is a China-only product." Xiaomi told Ars. "It is very likely that the Play Store you saw was preinstalled by the importer/seller. This is a very common practice with the unauthorised importers."
> This would mean the reseller opened our phone, unlocked the bootloader, flashed on a new ROM with Google Play, re-locked the bootloader, and stuck the phone back in the box. There was no obvious evidence that our device had been tampered with, and, while hopefully the seller only installed Google apps, they could have just as easily loaded malware onto the device. A message like this during setup would have been a big red flag that something was wrong.
Which I find quite disturbing. That a seller (even on Amazon) could import cheaper "china" only phones and sell it to me as the EU/US version. (it's basically incorrectly labeled)
That has been a * value-added feature* for years. Since at least 2014 when I started buying 'Chinese' Android phones. Many sellers advertise it as an advantage over their competition.
Not of interest to me since I install LineageOS over the top, but useful to very many people and not at all 'scary' to them. Why is it any scarier than trusting the OEM's build? In fact the seller has more reputation to lose if he does something nefarious. The OEM can just shrug and issue a press release if they get caught installing dodgy stuff; a seller might go out of business.
Here's the rule-of-thumb, these small time sellers are interested in sales, not pwning you. They may counterfeit but they aren't going to bother installing backdoors nor are they sophisticated enough to do so. They may inadvertently do so out of incompetence but that was not their goal.
People who really do want to pwn you wear suits and sit in large offices and they will get you to do it voluntarily by signing a EULA.
You don't need NSA cash, you just need a place that will pay your X dollars to put in their advertising / monitoring malware on the device. The reincarnation of the browser bar.
Good luck doing that in China. It is provably the best and quickest way to end up in an unmarked grave or a secret prison and doom your family at the same time.
People so often rationalize away a plausible scenario of government surveillance by showing how it would require someone to be an irrational actor -- under a simplified, incomplete set of assumptions about the world. I do not understand why, after Snowden. Humans are not rational, and you cannot exhaustively list all the possible forces that might affect someone's decision.
The manufacturers may be based in China, but the importers, distributors, and sellers here discussed are not necessarily so. And I suspect you could happily replace NSA in the parent comment with any private or government intelligence agency of your choice. I wouldn't expect an unscrupulous distributor to suddenly grow scruples about precisely where the cash comes from.
How do you install LineageOS on a random Chinese android device? How do you find the builds? I guess LineageOS only supports a handful of devices. Just curious about the process. I might as well start doing the same.
Going to the list of supported devices and doing a stupid count (-> document.querySelectorAll("table.device tr") - I didn't see a count after a few seconds, so..), I'd say it's a bit more than a handful. :) 237 unless I messed up.
But compare the length of the lists for e.g. Samsung and LG with those for Huawei or Xiaomi. You're much less likely to find a ROM for a random Chinese device than for the large brand phones that are somewhat common in the US. It might be because Chinese manufacturers are even less concerned about the GPL (I once tried to look for kernel sources for my Huawei device and only found dead links) or maybe Chinese developers are less involved in the LineageOS community, but it's more likely than not that there won't be any LineageOS build available.
You can normally buy the complete source code together with CAD models for all the plastic parts, circuit board designs and datasheets for all the chips for $50 on those super dodgy chinese source code exchange websites.
The only problem then is typically getting it all to compile will be many person-months of work. There will typically be hundreds of toolchains, many missing, lots of build scripts missing or wrong, etc.
It's still nowhere as near as Ubuntu on a desktop, my Android device isn't in the list and who knows how many weeks of debugging I would need to make it work...
Surely that's something I would do always. But imagine getting a non branded Chinese phone with decent specs and being able to put ROM of your choice! That would be fun!
Not really! The thing is from a broader perspective it seems the popular Chinese brands have relatively cheap smartphones but if you are from any of the South Asian countries, these phones are still pretty expensive for us. There are lots of small local companies that sell re-branded phones imported from China and those are even cheaper.
Xiami phones have two officials ROM from the manufacturer, chinese and international.
The chinese ROM is Asian languages and English only. It is loaded with the usual Asian apps instead of google play. The phone is not usable out of the box for a westerner, for instance you don't have a typical English keyboard. You can install google play by following the instructions.
The international ROM has 10+ European languages. It comes with google play and the usual apps pre installed.
Both ROM can be downloaded from the manufacturer website but you need special hardware and possibly an unlock code to swap them.
It's possible that the importer gave an international version that is perfectly legit, or that he installed google play by himself, which is also legit. The ROM can be checked in the about page.
Some re sellers might replace the system with a fake OS loaded with adware/spyware but that's a different problem.
I think it's just bad. I use Lineage OS on all my devices -- I just bought a Tab S2[1] because it's among the initial round of devices supported by LOS15.1. It kind of feels like being put on notice.
Chances are it'll be cracked sooner rather than later, but installing a custom ROM[2] is difficult enough as it is. It seems super unlikely to be a reaction to imports from China, which remain a niche phenomenon. And it's pointless anyway if they end up cracking it.
At that point it'll only affect people who sideload the Google stuff on devices they only have limited control over, aka Amazon customers.
[1] Which presumably won't be affected since it's a certified device; my phone's not, though.
[2] Previously known as installing an operating system.
> Which I find quite disturbing. That a seller (even on Amazon) could import cheaper "china" only phones and sell it to me as the EU/US version. (it's basically incorrectly labeled)
The bigger problem here is the fact that the device had Gapps preloaded as system private apps, which have special privileges and can do things which normal apps can't. They also get permissions granted automatically.
That's usually not a problem with Google sofware, but whoever preloaded Gapps could preload pretty much any kind of app which would have full system privileges and ability to hide itself.
I'm curious to know what mechanism allows users of custom ROMs to register their device IDs, but not users of pre-installed ROMs on "unlicensed devices".
Wow, I never realized that it's effectively impossible to tell if an Android device has a custom ROM intentionally set up to not look like a custom ROM.
Is there any chance of Android gaining a "Secure Boot" logic—not in the sense of desktop PCs, but in the sense of ChromeOS devices? (i.e. not that you can't boot custom ROMs, but that you'd get a click-through warning each boot from the hardware boot loader that the OS signature check has failed.)
You can fairly easily flash a custom ROM onto a ChromeOS device and remove the boot-up warning. It does require taking apart the device quite significantly, and then flashing different u-boot firmware using a firmware flasher. But it's definitely possible. The problem with ChromeOS devices' "secure boot" is that it is disabled if you want to boot something not trusted in the firmware, so if you have a custom OS you have to disable one of the main security features of the device (unless you flash different firmware onto the device).
Oh, and Android already has this feature. But as with ChromeOS you can disable the warning if you re-lock the bootloader. However, each time you unlock (or relock in the case of Pixel devices) the bootloader, the device will be reset to factory defaults.
> Oh, and Android already has this feature. But as with ChromeOS you can disable the warning if you re-lock the bootloader.
Ah, I was basically imagining that there was some separate "bootloader" stage sitting on a chip that can't be user-flashed (and is hopefully even fully WORM, like old school OTP-NVM PROMs) which would handle the secure-boot logic.
So I guess I should rephrase my hypothetical technology as "like Secure Boot in x64-platform PCs—where the CPU checks the BIOS signature and then the BIOS checks the boot loader signature and then the boot loader checks the OS signature—and where the CPU and BIOS can't be tampered with after the factory, thus guaranteeing the sanctity of the bootloader—but where a failure of the boot loader to verify the OS just results in a click-through boot warning."
There is a signature burned into efuses in the CPU that is used as a root of trust for the BIOS, which implements SecureBoot.
In theory this protects the boot chain from tampering. In practice vendor BIOS implementations are usually buggy garbage, so while you cannot replace the BIOS (because then the signature would fail and the platform won't boot) it may be possible to circumvent the security features by exploiting some bug in the IBV code or in their UEFI implementation.
> Is there any chance of Android gaining a "Secure Boot" logic—not in the sense of desktop PCs, but in the sense of ChromeOS devices? (i.e. not that you can't boot custom ROMs, but that you'd get a click-through warning each boot from the hardware boot loader that the OS signature check has failed.)
Android has that already. Vendors just patch over that as well. As do many custom rom users, I’ve patched the unlocked warning out on my devices as well.
Wow, I never realized that it's effectively impossible to tell if an Android device has a custom ROM intentionally set up to not look like a custom ROM.
Just like root, that's the whole point --- to run an OS that's otherwise completely compatible with the apps and everything else, but is customised in the way you want it.
My OnePlus3 running LineageOS does this. I haven't checked to see if it's possible to patch out.
It's very confusing seeing all of these HNers clamouring for more locked down bootloaders. It doesn't seem to be in the spirit of this community at all.
Re locking boot-loader after any aftermarket changes to stock android generally results in trouble. I wonder whether there's more to this aspect of the story.
> Well this is neither bad nor good. Because custom Roms will have a hatch out of it.
Given most of Google's other recent moves related to Android, I wouldn't count on that escape hatch being around for too long. More likely they're offering it as a short-term transition and will find a 'reason' to shut it once they've quantified the impact as minimal in a couple of years.
I doubt that. Kicking the Rom builders out of the Android Eco-System would probably cause the rise of a new mobile OS. So as long as Google doesn't want to end its monopoly they won't do that.
No it wouldn't. You're seriously underestimating the resources and money it would take to even attempt that. Google has an army of Android developers working on all aspects of the OS from design, security, tooling, architecture, infrastructure, features, bug fixes, etc. Others have tried and spectacularly failed because it's hard. Besides, you'll never have the developer support.
What I want to know is why isn't Google allowing users to uninstall some of the apps that come with the devices? You can only disable them.
Surely they can't still use the excuse that deleting those apps will "mess with the OEM's image", now that Project Treble exists, and everything can be put into their own separate modules?
If they do use that excuse, I don't buy it. It's likely an internal decision to cater to their partners who don't want their users to uninstall those apps. But it's really a petty move from the OEMs, too, because if I'm willing to disable that app, then I might as well uninstall it, because clearly I don't intend to ever use it.
with a rooted phone I was able to delete such a system app using pm uninstall, was this doing a remount,rw on the system partition to remove it under the hood, or how does this work then?
Because I thought that was more of a "you pay us to make your app unremovable preinstalled on all of our phones"-thing rather than anything technical.
It works by actually deleting the data from the system partition, that's not a big deal.
But what happens is that there isn't any way using just the device to reset it back to factory defaults, and that's a problem now. If your average joe can uninstall the play store by accident, they then can't get it reinstalled again without a PC and some technical knowhow.
By making it so you can only "disable" preinstalled apps, you limit the damage that can be done, and because of partitions you don't really harm the user at all (because that space wouldn't be reclaimed if fully deleted anyway).
It's also why most "preinstalled" apps are now just a 4kb placeholder that makes google play go and download the latest version of the app the second it's connected, so if you "disable" it you are only left with a 4kb "skeleton" of an app there.
Yep which makes sense for play store etc., except samsung pre-installs the facebook app in this way. I would be surprised if facebook does pay samsung nothing for this. Similar how google pays mozilla to keep google as the default search engine.
System partition is read only. Updates in modern android are not file based but block based (to allow dm-verity to work, since before and after each update every block's content is guaranteed). If you remount /system as read write even once, updates can no longer apply, since block diffs applied to a filesystem different than expected will almost certainly do bad things.
Any full uninstall of a system app would require remounting /system as rw.
What is your beef with "disabling"? Under the hood it is the same thing as uninstall, minus the file removal or the actual apk. App doesn't run, has no permissions, is never loaded/mapped into RAM.
The system partition is simply the factory image, nothing more nothing less. It doesn't inherently mean privileged, either. There's 2 different app locations in the system partition, 1 for real system apps with system privileges (/system/priv-app) and one for just preinstalled stuff with the same privileges you'd get from installing from the play store (/system/app)
So will they be present after a full device reset. The alternative's to download them after reset. But that would not always work if you were in an area with a bad connection.
> What I want to know is why isn't Google allowing users to uninstall some of the apps that come with the devices? You can only disable them.
Other people already responded and stated the reason, that wasn't directly stated. In addition to those apps being on system read-only partition and not being easy to modify it you should also know that the app doesn't take any extra space from your data partition (obviously, when app is disabled and all its data was cleared)
What is annoying me most are those apps that you can't disable :/ also they could either make it easier to disable or make it diabled by default and on first boot offer user to enable it if they want it, but that won't happen because they want to ham fist those apps to us.
> What I want to know is why isn't Google allowing users to uninstall some of the apps that come with the devices?
Interesting that you are "blaming" Google for this instead of vendors, when (usually) it vendors who make their crap uninstallable. Or do you see lot of uninstallable stuff in AOSP?
A significant number of Google apps are mandatorily non-uninstallable on all Android phones (including Pixels), such as Gmail, Play Books, Play Movies, Play Music, Gmail, Google Maps, formerly G+ and Hangouts. I haven't used Android in a while, but I wouldn't be surprised if Allo and Duo have been added to the list.
Most of the bloatware problem is, in fact, Google's apps. If you have duplicates on your phone, it's because Samsung or whoever else made their own apps, but were forced to ship Google's anyways.
The bloatware is the Samsung apps. If Samsung wants to go that route, they could choose to use the open source version of Android along with their own apps.
Those Google apps are part of the default Android experience. And I'd prefer a consistent experience as possible from phone to phone. It should however it possible for the end user to install any other apps of their own preference. I certainly don't want to manufacturers and carriers to force them upon me.
You bought a Samsung phone, why wouldn't you have Samsung apps? Apple phones have Apple apps. Everyone need not have a single company's apps shoved forcibly down their throats.
Don't you expect Apple phones to have Apple apps and Samsung phones to have Samsung apps? Why is Google supposed to be the dictator of experience on a Samsung device?
And in a world where 85% of phones run Android, do you consider that an upside? That people only have the choice between Apple or Google experiences, and no others?
Samsung is certainly within their rights to take the free portion of Android and replace the rest of the missing stuff with they own funky little apps.
> A significant number of Google apps are mandatorily uninstallable on all Android phones (including Pixels),
Point taken and conceded.
Although I'd point out a small subtlety in the matter that they are definitely not mandatorily non-uninstallable on all Android phones, namely those that do not ship Gapps to begin with.
Phones running Android that don't ship with GApps aren't allowed to be called "Android phones". Being able to use the Android trademark requires that you pass Android certification, a part of which requires including the GApps on the handset (and I expect they even require that you make some of them non-uninstallable).
Unless it's explicitly described as EU/US version (I assume there's no difference in quality or hardware), I don't see the problem in buying a "China only" phone?
do they really disable them? I always thought that LTE modems only come with certain frequency bands.
I can slightly remember that the iphone 5 only had 2 or 3 frequency bands while at the beginning of lte some providers did use the frequency which the iphone had more often, so some providers had better lte support.
But I can hardly remember, it was some years ago and my provider switch basically came within the lte rollout.
I mean it probably also consumes more energy to scan more bands (ok that could be solved with software)
The Moto E4 Plus for example will only activate it's NFC if you put a sim card from one of the big european carriers. If you put in a sim card from a small carrier or a USA carrier, suddenly all mention of NFC vanishes from all menus.
I worked abroad for 12 years, 10 even in China where dual sims are even more common. Even my Chinese colleagues would often use an iPhone and just switch the SIM in the airplane, it isn’t that hard. Dual sims are actually meant for (a) people with a personal and business SIM or (b) people cheating on their wife (so an official SIM and a SIM for the xiaosan(s)). Both very niche even in China.
Dual SIM simply isn’t really a feature that would drive phone sales in the states.
the english language already has characters like commas and periods to delineate sentences, inserting newlines and '>' characters is only breaking the flow. this is really bad form.
Initial > lines indicate quoted material. This is extremely common in e-mail. Because the developers of Hacker News have chosen not to implement block-quote markup, this is what we are stuck with. (The alternative being unreadable-on-mobile code blocks.)
English doesn't have a standard way to do block quotes. And you definitely need block quotes when it's an entire paragraph containing its own quotes. Using ">" is just fine as a way to accomplish that goal.
This is Markdown formatting. The comment boxes on reddit support it, as does the text post box on hacker news, but not the comment boxes. A shame really.
While people think this is a move to curl illicit app activity(which is the cover issue), I think there's a much bigger motive. It's the fight against Amazon.
Depending on how strictly this is enforced, now Amazon Fire Tablet users won't be able to use Google Play store (they were able to with an apk till now) which cuts off access to the app ecosystem on the Google Play Store.
Now there are quite a few apps on Amazon's App store[1], but obviously many users will feel the pain.
So now they will not have access to the following - Google Assistant, Google Home and Google Maps which will hurt the most.
>Amazon doesn't want their tablets to have the Play Store
Sure, but their customers do. It will be a lot less attractive option for some people if Google comes out with its own tablet, since it will have Google and Amazon's apps (setting aside the possibility of price difference)
I also partly agree with what habura said.
I think Amazon does care about the Google Play at bit because the developer fees on the apps go to Amazon rather than Google.
On the other hand it is also more about the services ecosystem that Amazon and Google are offering.
Take the following:
1. Cloud storage - Google Drive vs Amazon Drive
2. Digital content stores(books, movies, etc)
3. Music Subscription. (this came later, but still helps my point)
Amazon might've weighted the above and thought that if it has a monopoly of these services, people would go with Amazon rather than Google's services, since it will be available on more devices.
Note: This is all speculation, and even maybe as another user called it, a 'baseless conspiracy theory' so take it with a grain of salt. Longterm corporate decisions are hard to decode with confidence.
Yes, I get that Google is not really pressed in the tablet space (as it seems to be dead in the water, no new shiny tables for ages), but this interpretation reads too much into Google's tablet strategy. (Which is so far to concentrate on mobiles, and pay lip service to the tablet line by simply allowing Acer et al. to use a/the Google brand.)
> developer fees
??? So far Google Play dev account is free, of course Firebase is expensive as fuck.
It does, but sure puts Google in a good position if it needs to. Even right now even if Google doesnt make tablets, it would rather have other companies which are cooperative (get the Android CTS) get the edge. I assume you've heard of the passive aggressive fight between then.
>Google Play dev account is free
I was talking about the 30% store cut that Google gets for paid apps. Also you need to pay $25 to have a developer account, so that's not free either
Hm, we have a published app, and continue to pay $0 for it. But looking at search results the 25 was already there in 2014, so ... maybe it's just for new accounts?
> strategy
Agreed! The embrace extend and E-something always works wonders, even if you don't do it, you just have to be in the position to be able to do it.
I imagine Amazon wouldn't be opposed to preinstalling the Play Store. But getting permission from Google to do that comes with a long list of requirements. You are either at the mercy of Google's requirements and conditions or you develop replacements for every Google App (which are way more than most users realize). Amazon are basically the only company daring to try the latter path.
Its too bad Prime Video does not have chromecast even on proper Andriod devices. It is sort of annoying. I do not use Prime Video with Chromecast/Google Assistant because of this. Why not support it? Given that everything else (Spotify, Netflix, etc.) supports Chromecast/Google Assistant, why not this?
I'm being spited in the service of platform wars. Argh.
Or if Google comes out and starts restricting more things, it just might result in users choosing other Android options. Samsung tablets are an option.
The first thing I did after I got my FireHD8 was to sideload google apps.
But the side effect was losing the battery life and making my tablet useless. I then did a factory reset and just sideloaded MoonReader and that was it.
The battery lasts longer now.
I'm actually hoping they get more draconian. Before when people tried to make FOSS smartphone software/hardware it lost momentum, because 1) it's hard and 2) people could just use Google's stuff for free. My hope is that by them becoming more Apple/Microsoft-esque, they push people to make better alternatives. But it's really hard to get people unhooked from "free".
Shouldn't the customer also have a right to do whatever they want with the device they paid good money for? Google is intentionally disabling the device without providing any evidence of breach of terms. I don't agree that this is their right.
This gives a consumer the ability to do whatever they want with a device[1]. Its a change aimed at stopping OEMs from providing unlicensed devices. (Edit: or really from providing official Google apps on those devices. There's nothing wrong with forking Android for your device, but Google does want to control whether or not Gmail runs on it, especially if that device doesn't meet certain standards.)
[1]: See the "custom ROM" thing at the bottom. There's a caveat that the current implementation has a limit of 100 device ids. There's some discussion/debate about what that will end up meaning. If it ends up meaning 100 devices, that's fine for any consumer use pattern. It may in practice end up meaning 100 flashes, which is/could be problematic for certain users (custom ROM developers, as an example).
In cases where users' freedoms for legitimate uses are curtailed I believe we should be siding with the end users. Maybe in time we will see microsoft banning chrome, firefox, steam etc from running on devices not certified by MS. Its "their OS" so "its their right".
Well my analogy was that the 'service' MS provides is the OS Platform API, and its blocking applications from executing on their platform. Which would be ridiculous. A user should be able to run any software they want.
Similarly, as a user (paid or otherwise) of Google's services, unless specific evidence is given that the user is abusing their services, Google is in the wrong here of blocking someone preemptively.
Google is not blocking third-party apps from running on its platform. It's blocking its own proprietary apps from running on third-party platforms which happen to share the same base. A more appropriate analogy might be MS not releasing Internet Explorer for the Mac... which they haven't since IE5.
Apparently google isn't smart enough to realize people aren't rational. People think of finite resources differently than infinite resource and any such counter is perceptively a counter ticking away towards losing access to accessing your email and apps and the logically emotional response is to ditch google entirely next upgrade cycle even if you will never reasonably reach zero.
If you were right, Apple wouldn't be printing money as much as they do.
Android users will ditch google and switch to... What? Apple? Where you can't install anything at all except through the tightly controlled Apple app store?
They refuse to show me how my data is being used. They refuse to allow me to control my own data. They refuse to set up their system in such a way that they can't abuse my data. They also have really close ties with at least one group that blatantly disregards privacy.
Dont get me wrong, Android is a dumpster fire, but at least they give me some control over my OS.
In other discussions we've had, I know you've chosen not to use Apple (and not even using Google's services, IIRC). That's fine, and completely your choice. In the interest of keeping the conversation as civil as possible (we all know how inflammatory OS and privacy matters can get even without added fuel), can we lower the rhetoric level a bit? You want the option to compile and install your own OS. You choose not to trust what Apple says they do (such as encrypting most (admittedly not all) of the data in flight and at rest, making it inaccessible to them. I don't think there are any reasonable people that would disagree with your choice to not use Apple because of your priorities.
You can choose to phrase these things in the much more aggressive "They refuse...", or, if you're interested in reasonable, constructive discussion, you can choose to phrase it in a way that shows a bit more respect for the choices others may make based on their priorities and values, that they might reasonably make those decisions, just as I think you would want them to consider yours. As one HN member to another, please? (Don't worry: this is the last time I'll ask. I just hate watching conversations derail into people talking past each other.)
I guess I dont see what is wrong with what I'm saying. Apple does refuse to do these things.
I'm not at all saying that people shouldn't have the right to choose. In fact, I stongly agree that if someone does want to use Apple's software, they should, and damned what I say.
I'm just pointing out that the poster was continuing to spread a myth that we have no proof of, and in fact we have evidence pointing in opposition of.
I stongly want people to make their own choices, but more importantly, I want them to be properly educated before making those choices.
This, and then I'm out: The way one phrases things can be just or more important than the content of what one is saying. "Shut up" and "Please, be quiet" can have very different effects. "Apple refuses to ..." as opposed to "I want to do ... because ... and I can't with Apple" can convey the same content while producing very different results. And the medium makes a difference as well: tone of voice and body language can temper otherwise aggressive language in person, but we don't have those extra channels online. And this can be even more important on contentious topics.
You feel strongly about the topic, right? Likewise others do as well. And if you want them to actually listen to what you have to say, it's important not to put them on the defensive. It's even more important to pay attention if you want to have a reasonable, constructive discussion. That's one of the things that's good about HN, and one we need to protect.
I guess that I dont see how "Apple refuses to let me manage my own data" is different from "I would like to manage my own data, but Apple refuses to let me".
FWIW, I'm not dismissing what you are saying, but I genuinely dont see how it changes anything.
Responding because of "I guess that I dont see how..." for some specific examples.
> "They refuse to show me how my data is being used."
Apple includes a lot of information about what and how data is stored for their services. Nearly every service is optional, with the exception of getting OS updates and using the App Store for third-party apps. I can understand people who choose not to either believe Apple or want to connect to Apple for OS updates or apps, but that's pretty limited in terms of data. Reasonable people can believe that they do show you how your data is stored, so it's important to be more specific about what you're getting at.
> "They refuse to allow me to control my own data."
They refuse to allow you to control your data in arbitrary ways. Again, you don't need to use their services to store data, and you could chose to install your own software that manages your data pretty much how you see fit. Reasonable people can believe that they allow you to control your own data if you want to.
> "They refuse to set up their system in such a way that they can't abuse my data."
If you don't trust what they've documented, and require compiling your own software, yup, you're stuck. But if you do trust them, they encrypt nearly all of the data (if you chose to use their services) in flight and on disk, so they can't abuse your data.
> "They also have really close ties with at least one group that blatantly disregards privacy." I think you should just come out and name whatever it is you're getting at here.
In each of these cases, if you're specific about what you want to do, it does make a difference in how it comes across.
Based on this and our previous discussion, I think it's more clear and accurate for you to say "I want to be able to audit and compile from source to confirm how my data is being used, and Apple refuses to allow me do that." Hard to disagree with that, if that's your position. Also makes clear your criteria for privacy and trust, without people possibly (incorrectly) thinking you're being deliberately obtuse or ignorant about Apple and privacy.
> Apple includes a lot of information about what and how data is stored for their services.
Apple says a lot of things. Just like FB said that they were being responsible with our data. I'm asking Apple to show me what they are doing with my data. If they've been designing their systems properly, this should be simple to do.
> Nearly every service is optional, with the exception of getting OS updates and using the App Store for third-party apps.
But there's still a lot of data that goes back to Apple, which doesn't have to go through them at all.
> Reasonable people can believe that they do show you how your data is stored, so it's important to be more specific about what you're getting at.
But AFAIK, they don't show. They only tell. And I think reasonable people would be distrustful of Marketing-Speak.
> They refuse to allow you to control your data in arbitrary ways.
It doesn't matter how they refuse to allow me to control my data, it matters that they allow me to control my data.
> Reasonable people can believe that they allow you to control your own data if you want to.
But those reasonable people would be factually wrong. It's a fact that their products refuse to decouple themselves from Apple's servers.
> it's important to be more specific about what you're getting at.
Any data. Updates, documents, telemetry data, logs, etc.
I believe that reasonable people would look at what Apple says, then seeing that their actions don't follow, would distrust them. If Apple is spending a lot of effort protecting my data, then why do they work so hard to hide that away from me. To me, that seems like it could have huge marketing potential.
Until I can download an iso and reinstall any phone with it like Ubuntu on a laptop, we might as well call it not open. The current situation is just a hacky Windows XP-like mess which still has some open-source bits in it for legacy reasons.
> Google has way enough power to dictate standards, for most companies, not having access to the Play Store is assured death.
Still it would require the hardware to change, not Android. But you're right that Google could do something about it if it wanted to. So blame Google, not Android ;)
> There's very few then, I don't know any personally.
The Lenovo Yoga 900 was an example. Linux was (or still is? Dunno) missing the required RAID drivers to boot at all.
Also keep in mind that Ubuntu requires binary blobs to work correctly, how many depends on the hardware.
This means that Ubuntu isn't 100% open either and that "openness" isn't binary, otherwise Ubuntu would be "not open" in the same way Windows and macOS are, which obviously isn't the case.
> Still it would require the hardware to change, not Android. But you're right that Google could do something about it if it wanted to. So blame Google, not Android ;)
That's a bit of semantic but yeah Google is 100% responsible of the hacky mess of the Android landscape nowadays. Also the ROMs themselves (even official ones) are looking more like the hacking days of WinXP themes than anything remotely well designed.
> This means that Ubuntu isn't 100% open either and that "openness" isn't binary, otherwise Ubuntu would be "not open" in the same way Windows and macOS are, which obviously isn't the case.
Yeah for sure Ubuntu isn't 100% open, but at least the proprietary parts tend to reduce in the long run and there's ways to debug it. If you cannot even run the OS on the hardware without using some buffer overflows in the first place, that's another level.
I would like an Android distribution which could run on 98% of the Android smartphones without much work, we're pretty far from that.
> 100%? What about the hardware manufactures which release closed source and buggy drivers?
They should just be rejected from the Play Store as part of the guidelines. In Windows, the drivers cannot make blue screens anymore, they are sandboxed, they should follow the same model and enforce it with their agreements.
What percentage of apps are available on third party app stores? Openness isn't zero with Android, it's just an obscene fractional portion that might as well be zero.
AOSP is crippled/barely functional due to parts being abandoned in favor of Google Apps. And as far as sideloading, where are you supposed to get the apps? The Play Store won't let you download them off the web, because that would let them out of the walled garden. Most companies won't link their APKs, they just link you to the Play Store.
You might get lucky and it's popular enough to be on APKMirror, but there's really not a "good" way to sideload.
Oh, and most apps require Play Services to run now, and won't work even if you do sideload them.
Its close enough to zero and getting worse not improving. Its time for people who care about making things stop trying to make things with android and ditch the platform.
Yes, and the consumer has the right to do whatever they want with the hardware and OSS components of Android. They don't have any right to use the Play Store or other Google specific components. You can sideload your own.
FWIW, Google is allowing power-users a work around where you register the device to your own account, and then you can use their products. It seems as if they're targeting bootleggers who may be selling tampered products to non-savvy consumers, which isn't unreasonable imo.
>They don't have any right to use the Play Store or other Google specific components. You can sideload your own.
They do, if they purchased the device (and have a legitimate account with google). Google AFAIK has not provided any evidence to affected users detailing how they have breached their terms.
Android is an operating system that is open source.
The Google Play Store is a proprietary software package that is released on some devices which use a proprietary licensed version of Android.
Using the open source operating system known as Android does not entitle you magically to Google's other proprietary software. Google only gives the Play Store to some certified hardware handsets, that meet requirements they arbitrarily decide on.
There was an issue with vendors, who were using open source Android (legally), sideloading the proprietary Google play store without permission (illegal) and then selling that to Consumers.
Again, you can sideload your own different store that isn't Google Play. Your account isn't being banned or restricted - you can sign in on Google Play on a valid device that's allowed to have it - but this is Google's only recourse against manufacturers sideloading the Play store when they aren't allowed to.
>There was an issue with vendors, who were using open source Android (legally), sideloading the proprietary Google play store without permission (illegal) and then selling that to Consumers.
Users are seeing this also with Google's own hardware.
Flashing your own rom onto a device invalidates the certification it has. You can restore it to default settings, or use the user bypass for it (which if you're flashing your own rom is trivial.)
Believe me, I completely understand what you're saying. I don't see myself being convinced that the user is in the wrong here, unless Google provides specific evidence that the user has abused their services for doing something nefarious.
Nobody is saying that the user is in the wrong. Google specifically provides a mechanism for users of custom ROMs to register their devices and get around this block.
I don't agree its their right to do this. Slowly changing the ecosystem from one purporting to be open source to a walled garden is not what I signed up for. A big selling point of AOSP was to have an open place for people to develop that would be less encumbered by a single company like Apple. Sadly Google has been slowly moving code out of AOSP into the proprietary portion.
Google is in a partnership with Verizon on the pixel 2, they wouldn't risk losing that deal by preventing OEMs from installing the bloatware they want on people's phones.
For the same reason so much engineering talent works in adtech, which is also all about making user experience worse - because there's money to be made there, and people involved don't give a shit.
Though unless they somehow own the hardware and fully own the software, this might not be a bad thing. People will open their eyes and third party stores will get a chance (of course, that comes with it's own set of security/privacy/etc problems, but that's a different matter).
I'm glad to see they left a door open for users of custom ROMs. While inconvenient, it will end up as just another item on the already complicated guides for installing custom ROMs. Let's just hope this option doesn't disappear one day
Note that it appears there is a 100 registration limit per Google account. And each factory reset changes the ID the phone is registered under. For a lot of ROM folks, this is probably not going to last very long.
Wow, if that's true, that changes the whole tone of this. Hopefully this is just a temporary oversight, and Google allows the opportunity to delete and reuse these 100 slots.
What is your reason for "five years"? And yes, Android ROM folks kinda shock me with how often they fiddle with their phones, and I also don't have time for that kind of business.
I suspect there'd be bursts of burning multiple in a single day, for what it's worth. People flashing a phone, realizing something isn't working after they set up their registration again, and having to flash again.
Five years because there was a link recently on HN that indicated that was the average length of time that the top-end Android phones get updates. It's the only metric I have seen regarding the useful life of an Android device.
An open source implementation of the to google services layer exists already: the microG project[^1]. Combine it with f-droid, and apps like Yalp store[^2], and the phone functions perfectly.
I've made a guide a little while ago on how to do this on a Nomu S10, one of the cheap, MediaTek based, rugged phones[^3].
Travel apps, say, Ryanair, Easyjet, Booking, are working without a single glitch, including push notifications.
Version 8 of Google Maps and version 3 of translate (the one with the 200+MB language packs that people actually understood, unlike the AI-powered 30MB ones in the new versions) don't need Google Services Framework, neither does Osmand.
Netflix, Spotify, amazon videos work fine, amazon anything works fine.
Even whatapps (which I sadly had to install due to the lack of other channels with a few groups) functions as expected.
The only app I'm using and has problems is Monzo: most of the push notifications don't come through, only sometimes one of them, and you have to - gasp! - manually refresh by pulling the screen down.
No it does work well, I've used that for a long time and everything worked fine. The issue is more about to actually get an Android ROM to work on your phone than the Gapps.
An Android ID is 64-bit hex string set at first boot and regenerated every time a factory reset is performed.
...and likely quite easy to set to any value you want on the "unoficially open" Mediatek platforms. This is the little-known secret amongst the Chinese Android community --- cheap and featureful devices with no locked bootloaders or other anti-user crap, easy "unbrickable" recovery, and plenty of leaked documentation from the hardware level up. Roughly equivalent to a PC, in that while a lot of them come with preloaded software you might not want, it's also not hard to remove that and customise to your heart's content, and join in the community of others doing the same.
I give it at most a month before this block is cracked. Unless there's some insanely crazy DRM-esque things Google is doing, it doesn't seem so difficult to bypass; and even then, the Android hacking community is full of people who love a challenge. See the constant cat-and-mouse game of detecting and hiding root, for example.
How can this be legal? Google is effectively using it's dominant market position in mobile apps stores, mapping and search to remove from the market other compatible operating systems. Derived from the same open source core as it's own, but that is irrelevant for this discussion, they are not licensed Android versions, therefore they are compatible competitors.
It seems more like a move to control their own software licenses. If a device isn't licensed to run GApps, then why should it be allowed to use the services?
And from another direction, if a manufacturer refuses Google's terms for including the software, then why should that manufacturer get the benefit of being able to include the software, outside of its licensing terms?
Perhaps you should first start off by answering in what world is it legal for shady OEM's and middlemen to pre-install proprietary Google Play Services on devices that weren't certified by Google.
I'm not entirely sure you are following my point: it's illegal to install that software precisely because Google has restricted their use on competitor platforms. In the general case, there is nothing wrong with licensing your code as you see fit, however when you have a market dominant position things change dramatically from a regulatory perspective. See the repeated run-ins Microsoft had with competition regulators on both sides of the Atlantic.
The point to debate is whether Google has a dominat position in say search. Not if "this world" grants a right to unfettered anticompetitve and monopolist business practices - it does not.
Having always been careful about ensuring that my Android phones don't accidentally get logged into any Google account, I'm all for this change and glad that Google is actually making life easier for once.
I find this very hard to do. Which Android devices do you use? Most of the ones I've touched don't have an obvious way to opt out of google crapware and google accounts.
I currently have a Moto G; I previously used a Moto X, and before that a Galaxy Nexus. Of course the google apps nag me to log in or create an account, if I happen to launch one by accident, but the phone itself works fine without one.
For one of the phones I couldn't find a way to get through setup without creating a google account, so I just entered a bunch of garbage info, then deleted or froze all the google related services and reset the accounts database. Its sole entry after that was my Signal login.
On my chinese noname Android 5.1 phone I didn't register on the initial screen and it just works without using Google account. I don't use Google Play and other Google apps though.
Do you think none of your data makes it to Google in any form if you aren't logged in? Like, say, use of maps and web browsing?
Association between the data and you is easy. As long as you've ever logged in to Google on a desktop (or any device for that matter), and another third party non-Google account on the same device, the moment you log into that third-party (non-Google) account on the phone, your identity could be tied to the data by Google if Google has a data sharing partnership that enables that with the third party. Even if you refrain from logging in to a Google account on the phone.
Slightly off-topic, but I see this complaint a lot:
> Android distributions that don't pass Google's compatibility requirements aren't allowed to be called "Android" (which is a registered trademark of Google)
This is supposed to be a straitjacket that prevents everyone except Amazon from deviating from Google's Master Plan.
It reminds me of what happened with personal computers, where, amid a field of slightly different hardware from different manufacturers, devices started to be sold as "IBM PC-compatible", which eventually just shortened to "PC" because nobody cares whether their computer has official IBM branding or not.
What's stopping people from releasing phones with an "Android-compatible" OS? Who would care?
I've seen this idea proposed countless times, but they always seem to either fail to deliver in terms of "FOSS" or turn out to be a kickstarter phantom project that never ships.
There was a post today, by one of the KDE developers who has been involved with the postmarketOS crew in getting mainline kernel support, i.e 4.16 and not with whatever fork Android ships on, for an off-the-shelf device (Nexus 5)
The biggest group of victims here is most probably those with Amazon devices that have Gapps sideloaded. Are there any other large segments this would affect, seeing has how custom ROM users are (for now) spared?
I imagine that the body of (non-western) people who have gotten their phones from less scrupulous vendors would be significantly larger than the relatively small number of Amazon sideloaders.
"Certified" means they have signed Google's Mobile Applications Distribution Agreement, a confidential contract where Google permits access to Google Apps in exchange for the manufacturer agreeing to load up all of Google's required bloatware, set Google Search as default, comply with all of their compatibility requirements, and agree to not release any devices running alternative versions of Android.
well as custom ROM user for 7 years all I can say it's I survived without gapps for years in China and I was fine, I will be fine if they won't allow me to sign in as well outside China, after all only two Google apps (with UI) left on my phone are Play store (Yalp store covers that) and Photos (well, there is no real alternative for unlimited backup but Flickr would do it and sharing through some messenger)
only thing they will accomplish by locking their ecosystem it's they will have two less users when I will remove gapps from wife's phone as well
Great! Does this mean Google will stop installing PlayStore crap on my Android phone that doesn't have a Google account?
I deleted all that stuff, but it came back with an update.
No, it means the exact opposite. This is another escalation of Google's efforts to ensure that all of their apps are installed on every Android phone sold whether users want them or not. Previously, some companies were working around the requirement that every device they sold had Google apps if they wanted the right to include them on any device by illicitly sideloading the apps; this makes that impossible.
I don't see any problem here. If you use custom ROM you probably don't want to give information about yourself to Google anyway.
It would be even better if Google reviewed ROMs before certification. I have a noname chinese phone that sends data about the phone including a phone number to China (but Google is not much better - every time you enable geolocation it displays an annoying popup asking to agree to send GPS data to Google. Well, at least they ask for permission).
Ohh, interesting, okay thank you. In that case is there a list for the certified phones?
EDIT: Actually, wait, are you sure this is correct? Didn't the article say "Users of custom Android ROMs—which wipe out the stock software and load a modified version of Android—will start seeing this message, too"? I was trying to figure out which ROMs that included.
Good. Let Google force open source replacements to their nosey apps. In the long run, this is shooting themselves in the foot. At this juncture, people don't really need Google apps other than perhaps Gmail, which has an IMAP endpoint.
I think so too. There is so much adware and spyware in the Play Store, it's better for everyone to try alternatives from FDroid and other App Stores.
Also it's a nice strategy so people forget that you cannot update most Android phones anyways. And IMHO their Google Apps Suite is actually far creepier than Facebook because it's literally with you all the time.
This is against something the article itself describes:
> We've actually been unknowing victims of illicit Google app distribution here at Ars before. We once imported a Xiaomi Redmi 3 smartphone from China to review, and, upon booting it up, we were very surprised to find it came with the Google apps pre-installed. As a device from China, this should not have happened. After we posted the review, Xiaomi contacted us with some very scary news: "The Redmi 3 should not come with Google Play pre-installed because it is a China-only product." Xiaomi told Ars. "It is very likely that the Play Store you saw was preinstalled by the importer/seller. This is a very common practice with the unauthorised importers."
> This would mean the reseller opened our phone, unlocked the bootloader, flashed on a new ROM with Google Play, re-locked the bootloader, and stuck the phone back in the box. There was no obvious evidence that our device had been tampered with, and, while hopefully the seller only installed Google apps, they could have just as easily loaded malware onto the device. A message like this during setup would have been a big red flag that something was wrong.
Which I find quite disturbing. That a seller (even on Amazon) could import cheaper "china" only phones and sell it to me as the EU/US version. (it's basically incorrectly labeled)
Edit: formatting