[HN Gopher] Google have declared Droidscript is malware
___________________________________________________________________
Google have declared Droidscript is malware
Author : croes
Score : 775 points
Date : 2021-04-27 14:11 UTC (8 hours ago)
(HTM) web link (groups.google.com)
(TXT) w3m dump (groups.google.com)
| sequoia wrote:
| > ...after taking into consideration the information that you
| have provided, we have confirmed that we are unable to reinstate
| your publisher account.
|
| I hate when using euphemism slides into flat out lying like this.
| They are not "unable" to reinstate the account, in fact they are
| _the only party_ able to reinstate the account, that's why the
| account holder was contacting them instead of someone else. They
| are "unwilling" to reinstate the account.
|
| I know it's all just bullshit but it bothers me anyway.
| zaphirplane wrote:
| Yes the wording is intended to soften the interaction. They use
| "we" to refer to the team you are interacting with emphasis on
| bound by the company policy/process
|
| You may see "we" as the company itself setting its own policy/
| process
| shockeychap wrote:
| Agree. 100%.
| vaer-k wrote:
| As a cashier, I am certainly "able to" just hand you the goods
| and let you leave without paying, but in reality due to laws,
| regulations and good morals I am unable to do that.
| onion2k wrote:
| It's reasonable to say you're unable to do something because
| it's against the law and doing it would make you a criminal.
| Equally it's fair to say you 'can't' do something that would
| go against your morals.
|
| That is not equivalent to what's happening here. There is no
| law preventing Google reinstating the account, and
| corporations don't have morals because they're not people.
| The only thing preventing them doing it is that the employees
| involved choose not to.
| sequoia wrote:
| As a cashier you are not empowered to make this decision. You
| are not "able to" violate store policy this way and keep your
| job. If a store owner or manager wishes to give someone a
| product for free or issue a full refund, yes they are "able
| to" do that.
|
| The rep in TFA uses "we," referring to Google. Google _is_
| able to reinstate accounts, and The Google Ad Traffic Quality
| Team is able to reinstate accounts depending on their
| judgement of whether someone is violating policy. If they are
| not able to reinstate accounts, can you explain to me why
| they're adjudicating account ban appeals? Do they say "no"
| to everyone?
|
| The key point here is that the agent(s) are responsible for
| _interpreting_ the policy. They have decided that Droidscript
| violates their policy, and I personally have no opinion about
| that. But to imply that it's "out of [our] hands" is
| dishonest.
|
| Just say "upon review we've determined that your app violates
| our policies so we will not be reinstating your account."
| NateEag wrote:
| No, you _will_ not do that, and made that decision so long
| ago it feels inviolable to you.
|
| When someone points a gun at a cashier and says "this is a
| robbery and I'm gonna shoot you if you move a muscle," the
| cashier usually uses their ability to hold still out of
| concern for their safety.
|
| The distinction matters.
| pushrax wrote:
| Seems like an extremely minor gripe (as you mention, it's all
| just bullshit) to be the top comment.
|
| Though FWIW I'm unable to disagree.
| yomansat wrote:
| Reminds me of KBB.com who were "unable" to remove my personal
| data after they determined I'm not in California.
|
| They share your phone/email with lots of dealers if you request
| a quote and don't read the fine print like I didn't...
| joemi wrote:
| It's not lying because there is some implicit information in
| the "we are unable" statement. What is implied in statements
| like this is that they're unable due to their policies.
|
| If not for implications like this, almost every single use of
| "unable" (or "can't", for that matter) ever in a sentence would
| be "lying" unless something is against the laws of physics.
| tolmasky wrote:
| A pet peeve of mine is the deferral and personification of
| "policy". Policy is just your opinion that you happen to have
| written down in the past. It holds no power over you, you
| write the policy! It's not like the US law, which while also
| just words on paper, is enforced (and often chosen by) other
| people over you. Me deferring to the law (vs. my own opinion)
| has meaning because they _can_ be different. The way we
| really know this is that we repeatedly see policy broken all
| the time -- again, because it's just a pretend separate
| agent, not an actual entity that wields power over you. It
| does in fact ultimately just serve to disguise an active
| action as a passive one "Oh, I checked the book of rules
| (that I wrote) and it said I can't let you do that. Shucks.
| Man, that book, it's a tough negotiator. Nothing we can do I'm
| afraid." I think it is their right to write the rules, but
| just own up to it. Say "we aren't doing it because we don't
| want to," that's the truth, because if they did want to, they
| would, regardless of the "policy".
| caconym_ wrote:
| You aren't wrong, but (taking the corporate entity in
| question as a monolith, which is fair from the outside)
| "unwilling" is a much more honest word choice in cases like
| this since it clearly communicates that there was a real
| practical decision that could feasibly have gone either way.
| "Unable" lines up better with things that are infeasible,
| e.g. Apple can't recover the data on an encrypted hard drive
| without the password or recovery key because it's literally
| impossible or would at least require nation-state level
| computing resources to have a realistic shot at cracking even
| a weak password.
|
| "Unable" is dishonest because it passes responsibility beyond
| the veil of the typical user's ignorance. We're so used to
| this sort of language that we're conditioned to allow it even
| when we _know_ it's bullshit. It shuts down discussion and
| allows its wielder (inevitably a corporation) to avoid
| explaining itself. In the developed Western world we have a
| big problem with letting corporations do whatever the hell
| they want without explaining themselves, so I don't think we
| should let them get away with this sort of thing anymore, and
| not being satisfied with mealy-mouthed evasion is one of the
| first steps down that road.
| Closi wrote:
| > They are unable due to their policies
|
| Unable due to their policies, which they wrote and they can
| change (and which they often choose not to follow anyway).
|
| I agree with OP - it's not that Google isn't able to do this,
| it's that Google doesn't want to.
| StavrosK wrote:
| Well, I am unable to give someone your money because you
| won't agree. It's not against the laws of physics, but I
| still can't do it. Google _can_ do it, they just don't want
| to.
|
| Hell, they can even change their policies if they want, so
| they aren't really "unable".
| thaumasiotes wrote:
| > Well, I am unable to give someone your money because you
| won't agree. It's not against the laws of physics, but I
| still can't do it.
|
| If you tried hard enough, you could probably manage this.
| r00fus wrote:
| Using a less accurate phrase instead of a more accurate one
| because it benefits/shields you is a dark pattern.
|
| Were the implied statement made explicit, then yes it'd be
| accurate.
| sequoia wrote:
| I disagree. If you buy a product from me with 30 day warranty
| and it breaks on day 31 and you contact me, I will not give
| you a refund because: a) I haven't agreed to do so b) I'm not
| bound to do so c) I don't think it's warranted in this case.
|
| But I'm not _"unable"_ to issue a refund.
|
| In another case I may say "hm it's out of warranty but you
| know what, it really shouldn't have broken like that and
| you're a good customer, so I'll give a refund anyway." I can
| do that because I am _able_ to issue a refund.
|
| As for their policy, they are both the authors and
| _interpreters_ of their own policy, so the "my hands are
| tied" argument is pure BS. If they are unable to reinstate
| accounts, why do they have an appeals process at all?
| bipson wrote:
| "I can't agree with you"
|
| "I cannot continue this relationship"
|
| "I can't kill this guy"
|
| "I just can't eat meat anymore"
|
| "I cannot continue like this"
|
| These are all examples where someone clearly _could_ for
| physical reasons, but they _can't_ for other reasons they
| are bound to, _whatever_ these reasons are.
| nxpnsv wrote:
| Yep they are all lies. I _almost_ can't agree with you
| more.
| hossyposs wrote:
| Yes, but without those reasons these are just ambiguous
| unprovable statements.
|
| Without reasoning we cannot tell if the auxiliary verb is
| even correct.
|
| "I can't eat meat anymore because it's illegal", really
| should read "I shouldn't eat meat anymore" as although
| it's a bad idea you're still physically capable of eating
| meat.
|
| I think the issue we're talking about is ambiguity, and
| this really just emphasises the point.
| antonvs wrote:
| This all depends on having free will. Otherwise, those
| statements could all be literally true.
| zepto wrote:
| Technically you are right.
|
| However the key here is exploiting the ambiguity.
|
| 'We are unable to' is a cowardly way of saying 'we choose
| not to', or 'our policy dictates'.
| TheRealPomax wrote:
| If it's based on a real policy that can be verified by
| others, then there is no ambiguity here. "We reviewed
| your case, and based on our policy, we cannot reinstate
| your account. Because if we did, we'd be the ones
| violating our policy, and someone -including you- could
| then actually sue us for unfair business practices,
| rather than merely complaining about overly restrictive
| policies that are blindly enforced through a system that
| is hard to penetrate".
|
| No lying, no ambiguity. They can't reinstate this
| account.
|
| Should they change their policy so that _after_ that
| change, they can? Maybe, but good luck getting them to.
| zepto wrote:
| They can always either change or make an exception to the
| policy.
|
| A policy is just their way of doing things, written down.
|
| It's not magic.
| wizzwizz4 wrote:
| That's
| https://en.wikipedia.org/wiki/Selective_enforcement,
| which can be a problem, especially when contracts
| reference the policy.
| 7OVO7 wrote:
| The first sensible and rational comment I see here (I
| hope for more comments like this in this post).
| IncRnd wrote:
| > If it's based on a real policy that can be verified by
| others, then there is no ambiguity here.
|
| In this particular case, the ambiguity is exactly that -
| Google didn't say what real policy was broken or
| how.
| gralx wrote:
| "We refuse to" might be clearest of all.
| tshaddox wrote:
| And yet no one, including people in this thread who are
| claiming that the intent of Google's wording is to
| deceive, is actually the slightest bit unclear about
| what Google means.
| CrendKing wrote:
| If Google chose to use the "uncowardly" wording, I'm sure
| someone would just post saying Google is an arrogant and
| cocky bastard. No matter what someone will find some
| point to complain. Human nature.
| zepto wrote:
| That seems like a dismissal that could be applied to any
| criticism of any corporation.
|
| Can you explain what value it adds in this specific case?
| matz1 wrote:
| What value to add to criticize this specific case?
|
| Whether they use "unable" or "choose not to" shouldn't
| matter.
|
| Just treat it the same.
| javajosh wrote:
| "People will criticize no matter what you do" is a great
| line. It gets used a lot - not so much here, I've
| noticed. Probably because it doesn't address the
| particulars of any criticism, and instead provides a
| nihilistic view of the world where "real improvement" is
| impossible.
|
| "We're unable to" shifts responsibility to something
| vague, unspecific. It's like the "run around" only with
| this phrase you've been redirected to /dev/null. I'm glad
| the OP said something.
| pseudalopex wrote:
| Those express moral convictions or imminent psychological
| crises. A corporation experiences neither.
| fuyu wrote:
| If I were to ask you if I could get a refund for an item
| out of warranty, what language would you use to refuse me?
| I'm struggling to come up with a response that doesn't use
| the terms "unable" or "can't" that wouldn't come across as
| fairly rude.
| akiselev wrote:
| "We do not issue refunds for items with expired
| warranties"
|
| Notice that the policy is clearly stated in the rejection
| and there is no ambiguity.
| random5634 wrote:
| You would be lying - and people will call you out on
| this, because they will find out that you have in fact
| issued refunds for products with expired warranties.
| TheDong wrote:
| This level of semantics is pointless.
|
| They could write "We generally do not issue refunds for
| items outside of warranty" and they're back to the
| statement being just one level more vague, and thus more
| true.
|
| But in reality, both of those mean the same thing.
| Writing "We don't issue refunds outside of warranty
| periods" has an understood "excluding exceptional
| circumstances". Everyone knows it's there. Only people
| who are pedantic to the point of uselessness will argue
| about this, and you'll find out that the courts generally
| have little sympathy for that.
|
| All human languages so far are inexact. Math is probably
| the most exact language we've invented for communicating
| ideas, but languages that the general public knows are
| all inexact.
|
| If the correct thing is communicated unambiguously,
| that's already a success, even if a pedantic person can
| say "I know you mean that you don't 'generally' do it, so
| the absolute there is a lie", the fact that the pedant
| can point it out means they absolutely understood what
| was being conveyed correctly.
| sequoia wrote:
| > Unfortunately the warranty on your product has expired
| and we do not issue refunds for products outside the
| warranty period.
|
| If you pressed me I would admit that yes, in some
| exceptional cases we issue refunds for products outside
| of warranty but we're not doing so in this case because
| [whatever, the product broken due to misuse, etc.].
|
| To say I _am not_ issuing a refund or that I _do not_
| issue refunds on out-of-warranty is truthful or
| reasonably so. It's perfectly possible to communicate
| that without being rude or claiming to be "unable."
| Spivak wrote:
| That feeling is specifically because we all know that
| depersonalizing and speaking passively 'softens' the
| blow.
|
| "As your product is out of warranty we will not be
| issuing a refund."
|
| Sounds rude, right? Because it draws attention to the
| fact that the decision is, at some level, completely
| arbitrary. But if you have your left hand write the
| policy and your right hand enforce it then you can say.
|
| "I'm sorry but I'm unable to issue a refund because your
| product is out of warranty."
|
| Makes it sound like that's just how the world works,
| doesn't it? And you come away feeling like "aww man they
| _can't_" instead of "they _won't_, money grubbing
| assholes." Customer service is, at its core, about
| managing emotions and often delivering bad news in a way
| that preserves the company's image.
| tannhaeuser wrote:
| How about "I'm afraid I can't do that, Dave"?
| edoceo wrote:
| computer says no
| 7952 wrote:
| You are not eligible for a refund under our warranty. Let
| us know if you have any more questions.
| georgeecollins wrote:
| Yes, but it is a dodge. Like an apology wrapped in an excuse.
| I read this post and I made a mental note to try to never say
| I am "unable" when I am unwilling. It's corporate speak that
| I have used myself.
| dalbasal wrote:
| You're right, but I think you're not doing justice to the
| OP's complaint.
|
| You're right that this isn't solely a faceless corporate
| thing. People say "I can't" when "I won't" for the same
| reasons Google did. We even ask "_can_ you watch my kids?"
| Again, the same reasons drive the language. It lets a false
| but face-saving implication stand: You will pick up my kids
| _if you can_ and if you won't then I'll assume you couldn't.
|
| We also "ask" our employees or waitresses to do things, even
| though it's technically an order.
|
| All this is good and fine. Language is _supposed_ to embed
| cultural niceties that speak to our values and smooth
| relations between people.
|
| The Orwellian shit comes in when it comes in. These cross
| from figures of speech into euphemization and the Orwellian
| point is that these things run deep. A bank manager is
| literally unaware of where her own prerogatives,
| organisational norms, hard corporate policies and regulatory
| rules begin and end. They are constantly implying (and
| thinking) that whatever is annoying/abusing their customers
| is not because of them. Usually it is.
| whycombinater wrote:
| https://www.youtube.com/watch?v=IRgsfHc8kqU&ab_channel=Harry.
| ..
|
| https://youtu.be/Y1QQSFlm0dI?t=81
|
| The audience is laughing because this notion is ridiculous.
| dabbledash wrote:
| Usually when I say that I can't do something I mean it's not
| within my power to do it.
| echelon wrote:
| Companies should not be gatekeepers of computing.
|
| We've gone from a world where we can run any software on our
| devices, to one where Apple and Google tell us how we can make
| money, what we can run, and what speech is permitted.
|
| It's Orwellian, but with corporate greed instead of nation
| state fascism.
| [deleted]
| barneygale wrote:
| Fuck google.
| swiley wrote:
| I've declared Android is malware then: The whole point of an OS
| is to run code for the user but Google has turned it into an
| additive adware delivery platform.
| darksaints wrote:
| Funny, the entire google android ecosystem is malware IMO. No I
| don't consent to your data harvesting...at the very least give me
| an optout.
| throwaway823882 wrote:
| So, what would be needed to start a real, honest-to-god
| replacement for Android/iOS?
|
| You'd need a whole governance structure for your project so it
| wasn't controlled by a sole entity. There would need to be
| assurances that using your project was stable long-term. That
| there were adults driving the bus, and that everyone could use
| the bus, etc.
|
| You'd need to provide a roadmap for everything needed to be built
| to replace Android, piece by piece. (I guess you could re-use
| sections of open source code, but some would need to be rewritten
| from scratch?)
|
| You'd need to contact developers, vendors, service providers,
| etc, the whole ecosystem existing around smart phones, and get
| them on board with your project. Sell it to them as "no longer
| being answerable only to Google and Apple". You'll also have to
| provide alternative revenue sources, as they may depend heavily
| on Google and Apple services for their revenue.
|
| And then you need to find people to do the work, and get paid for
| it.
|
| I'm guessing all this would take at least 6-12 months to get off
| the ground and some serious capital.
| coffeecat wrote:
| > In your case, we have detected invalid traffic or activity on
| your account (Publisher Code: pub-********) and as a result it
| has been disabled. Because of this, the ability to serve and
| monetise through all products which depend on AdSense will also
| be disabled (for example, AdMob and YouTube).
|
| > We understand that you may want to know more about the issues
| that we've detected. Because this information could be used to
| circumvent our proprietary detection system, we're unable to
| provide our publishers with information about specific account
| activity.
|
| > Once you've made changes to your site(s), app(s) or channel(s)
| to comply with our programme policies and terms of service, you
| can reach out to us using our appeal process. Please make sure
| that you provide a complete analysis of your traffic or other
| reasons that may have led to invalid activity in your appeal.
|
| I realize that the term Kafka-esque is a bit overused nowadays...
| but this sounds exactly like a plot summary of Der Process.
| eMGm4D0zgUAVXc7 wrote:
| PSA: "Der Process", English "The Trial", is old enough so you
| can read it for free on the internet, e.g. on Project
| Gutenberg:
|
| https://gutenberg.org/ebooks/7849
|
| It's a really entertaining read.
|
| And yes, it perfectly matches this situation - right in the
| very first sentence already.
| danudey wrote:
| "We've noticed that you're violating our policies."
|
| "Which policies?"
|
| "That's none of your business."
|
| "How are we violating them?"
|
| "I'm not going to tell you."
|
| "What can we do?"
|
| "Fix the issues, and then appeal."
|
| "Which issues?"
|
| "I've said too much already."
| mike_d wrote:
| I used to work detecting ad fraud. Publishers would do bad
| things, call in, and try to get their account rep to get
| details.
|
| Obviously I can't say "of the last 2500 ad clicks zero of
| them had any mouse movement over the ad before the click
| event" because then the publisher obviously just fixes their
| fraud software.
|
| This isn't specific to Google or even advertising. Every
| company has figured out when dealing with abuse and fraud
| sharing the minimum amount of information is beneficial to
| the health of the ecosystem as a whole.
| vaastav wrote:
| What about false positives? How did you account for that?
| PeterisP wrote:
| You make your peace with the fact that you'll have a
| certain rate of false positives, where you'll
| intentionally lose also some legitimate business in order
| to keep most of the "ecosystem" cleaner. Perhaps an
| unsatisfying answer, but that's it.
|
| It's not a situation like putting someone in prison where
| "beyond all reasonable doubt" is the appropriate mark;
| you can refuse to do business based on mere suspicion
| that may be mistaken. With fraud detection, you have to
| balance the tradeoff between false positives and false
| negatives, but you'll certainly have both.
| tempestn wrote:
| In a case like that, sure. But they don't provide any
| information even when they _want_ the publisher to make a
| change. Our Adsense account once got suspended because ads
| were appearing on pages that contained user-entered search
| keywords. Occasionally users would enter keywords that
| google considered 'naughty', and didn't want their ads
| appearing alongside. If they'd just told us that, we could
| have added a screen to not show ads with the list of
| keywords they had a problem with. Instead it was an
| infuriating, weeks-long process of pulling teeth to get
| clues as to what the problem might even be, and then making
| a list of every conceivably bad word we could find or
| imagine (admittedly that part was a bit fun) before we were
| finally able to get re-approved. And presumably we only got
| that much leeway because we were a reasonably large
| account.
| breakingcups wrote:
| Seeing it spelled out like this really puts things even more
| in perspective.
| obviouslynotme wrote:
| I am going to save this and print it out with the title "This
| is why we don't do business with Google."
| jedberg wrote:
| Any time there is an article about Google just cutting someone
| off for no reason, I like to bring this up:
|
| 20 years ago my AdSense account was frozen for click fraud -- my
| appeal is still pending. Ironically the website it was on was
| shut down 19 years ago.
| hilbert42 wrote:
| What else can you expect from a monopoly that _knows_ it's above
| the law--as there isn't any that's either applicable or
| enforceable?
|
| Thus, being above the law Google has no need to concern itself
| with bothersome matters such as fairness, justice and _one being
| considered innocent before the Law until proven otherwise by due
| process._
|
| Do we really have to go demonstrate on the streets before our
| legislators will act to stop this out-of-control monster?
| mlindner wrote:
| This piece of software (based on the comments) sounds absolutely
| like malware, or at least a malware-enabler. Glad such things
| aren't possible on iOS.
| blakesterz wrote:
| I had to go look to see what this was:
|
| "DroidScript is an easy to use, portable coding tool which
| simplifies mobile App development. It dramatically improves
| productivity by speeding up development by as much as 10x
| compared with using the standard development tools. It's also an
| ideal tool for learning JavaScript, you can literally code
| anywhere with DroidScript, it's not cloud based and doesn't
| require an internet connection. Unlike other development tools
| which take hours to install and eat up gigabytes of disk space,
| you can install DroidScript start using it within 30 seconds!"
| 1vuio0pswjnm7 wrote:
| Sounds too good to be true. Is this open source and available
| on F-Droid? If not, it should be.
| kbelder wrote:
| This is my primary hacking tool for throwing little scripts
| together on Android. You can bring up an IDE in chrome on your
| PC and interactively execute it on your phone. I hope this gets
| fixed.
|
| I wouldn't really be surprised if EVERY scripting/programming
| app in the play store technically violates some play store
| rules, though.
| yaur wrote:
| Do these scripts run as the IDE? If so it seems like they
| could be held responsible for any bad behavior engaged in by
| their users.
| teknopaul wrote:
| Let's be clear: for Google's definition of bad.
| ehsankia wrote:
| > I hope this gets fixed.
|
| Define "fixed", it was removed from Play Store but anyone can
| still install from APK or F-Droid, right?
| matoro wrote:
| It's closed-source and paid. Not allowed on F-Droid.
| [deleted]
| narwally wrote:
| Well damn, now I want to download it. I've never gotten into
| mobile development because getting started always seemed like
| a chore, but this sounds like it would be fun to play around
| with.
| loa_in_ wrote:
| Whatever you choose, moving to mobile development is
| extremely fun once set up. Usually the IDE of your choice
| reloads the app on the phone over the cable for you, so the
| feedback loop is really nice.
| stevewodil wrote:
| Try Flutter! Great SDK to get started with mobile
| development, and dart is a really nice language
| Steltek wrote:
| Having tried neither, Flutter sounds like the polar
| opposite of both the experience and capability that GP
| mentioned. I'm sure it's nice but can it be developed
| interactively in a PC browser as described above?
| ajross wrote:
| Time for one of these again.
|
| So... having read through their marketing material, this is an
| on-device tool that opens up what appears to be most of the
| Android application API to at least the user of the device, and
| potentially to any Droidscript applications they grab from
| other sources, and... maybe to other apps on the device? It's
| not clear from a quick read how extensive the runtime control
| is.
|
| So just right out of the gate this is defeating basically the
| entirety of the Play Store vetting process. Droidscript itself
| may not be engaged in advertising fraud, but it makes
| advertising fraud trivial to deploy. (And it needs to be said:
| this is the kind of app that would never have been legal at all
| on any version of iOS.)
|
| Add to that that it's a closed source IDE for an open platform,
| and my intuition sides with Google here. My guess is that when
| details come out it will turn out that at-least-plausibly
| harmful Droidscript garbage was being pushed to users and
| Google decided to kill it.
| kemonocode wrote:
| Still seems strange to me they focused so hard on the ad
| fraud part of it, unless they had a sudden change of heart
| and needed an excuse to get Droidscript out of the Play
| Store. They could just as well simply have said that any app
| that allows for easy, arbitrary code execution is a security
| liability and won't be accepted on the Play Store, which does
| include a fair number of root-required tools that have been
| removed at some point before. I don't necessarily agree with
| it, but that'd be a pretty believable justification.
|
| My gut feeling says these devs aren't telling the whole
| story.
| qwertox wrote:
| > Droidscript itself may not be engaged in advertising fraud,
| but it makes advertising fraud trivial to deploy.
|
| I think that this is what has happened. The author of
| DroidScript claims that
|
| > Unfortunately we also have to inform our users that we
| could no longer support AdMob for use in their own apps
| either, because we can't test it anymore and can't guarantee
| that Google won't treat them in the same brutal way.
|
| So apparently users were able to do stuff with AdMob on
| DroidScript's back, and _maybe_ AdMob registered these
| fraudulent actions with some Google-ID which was assigned to
| DroidScript.
| vultour wrote:
| > Play Store vetting process
|
| You mean the one that doesn't exist?
| indymike wrote:
| Interpreters are problematic as they all are for executing
| what amounts to arbitrary, un-vetted and unsigned code.
| Whether or not to allow them should be up to the user and it
| is. Google is saying here, if you want this, you'll have to
| sideload it.
| protoman3000 wrote:
| I don't get your point. Sideloading apps was always possible
| on Android even without a jailbreak. We're not in Apple
| world, so it's unclear which Playstore rules got broken here.
| lupire wrote:
| Side loading is an Android OS feature, not a Play Store
| feature. Can you sideload via Play Store apps? F-Droid
| isn't in Play Store, but APK Manager is, so I'm confused.
| rOOb85 wrote:
| > Can you sideload via Play Store apps?
|
| Yup. Check out aurora store. It's an open source frontend
| to the google play store. All apps can be
| installed (except of course paid apps. Though if you
| bought the app and sign in to the account with aurora you
| can)
| Jach wrote:
| You've always been able to use any of the web browsers in
| the store to download and install a random APK from a
| website (for example F-Droid), you don't even need to
| sideload it. Sideloading apps is mostly just a relevant
| concept for developers or for users who have no
| alternative to getting custom code on a device. (Edit:
| Speaking of ad fraud brought up by the GGP, there are
| also many automation apps, at least one (Automate) uses a
| plugin flow-chart architecture exposing all sorts of
| functionality, with users able to share custom scripts.
| Not to mention tons of plain "auto-clicker" apps.)
| yjftsjthsd-h wrote:
| > Droidscript itself may not be engaged in advertising fraud,
| but it makes advertising fraud trivial to deploy.
|
| No more than being able to build an app on my laptop and push
| it over ADB.
|
| > (And it needs to be said: this is the kind of app that
| would never have been legal at all on any version of iOS.)
|
| It also needs to be said that this is why I don't use Apple
| devices. What they inflict on their platform is not an
| argument for what should happen elsewhere.
| eptcyka wrote:
| Chrome is closed source and has developer tools, and has damn
| near every permission Android provides. You can app your apps
| on it, as long as they are of the web variety. Should we not
| ban chrome too?
|
| If droidscript enables ad fraud, isn't it an issue with how
| the android sandboxing model is fundamentally broken? Given
| that there are far more people using phones than computers,
| and a lot of new smartphone users will have never used a
| desktop or laptop computer, droidscript might be their first
| venture into programming and/or hacking. Let's not shut it
| down.
| lupire wrote:
| Chrome polices websites with per-site permissions,
| controlled by the user. Does DroidScript give users the
| same level of control over 3rd party code?
| robocat wrote:
| Chrome does not provide raw access to the APIs from
| JavaScript. Instead everything is sandboxed to the hilt.
|
| Also the product has a very heavy emphasis on security, the
| security team is superb quality and well funded, and Google
| know that the team is trustworthy.
| overgard wrote:
| We're talking about a development tool. Of course it's going
| to make any use of the device possible -- that's the entire
| point. If the point here is that any development tool
| shouldn't be allowed in the store (which I think google and
| apple are mostly fine with), that's a pretty sad thing in my
| opinion. Maybe google is "right" in enforcing their policies,
| but is it helping anyone?
| Pxtl wrote:
| That said, an open-source version of this on F-droid would be
| hella cool, but wrapping every API with Javascript sounds
| non-trivial.
| yjftsjthsd-h wrote:
| > wrapping every API with Javascript sounds non-trivial.
|
| I am not an expert in JS or the Android API, but I wonder
| if you couldn't do it automatically? If types line up
| closely enough, I would think that you could get a list of
| Android APIs (pull it from AOSP if you have to) and
| mechanically translate to a JS API.
| nitrogen wrote:
| If Android's JVM supports reflection, you could do it
| dynamically at runtime, and there are probably already
| JS+JVM integrations that would work.
| JosephRedfern wrote:
| Drozer does (did?) this, except with Python rather than
| JS. https://github.com/FSecureLABS/drozer
| lupire wrote:
| Apache Cordova exposes APIs to JS.
| wzdd wrote:
| > this is the kind of app that would never have been legal at
| all on any version of iOS.
|
| Pythonista is a complete Python programming environment which
| provides access to camera, music, contacts, the network, and
| so on, and has been available for iOS since 2016. What
| specifically distinguishes Droidscript from Pythonista such
| that you think Apple would reject Droidscript?
|
| https://apps.apple.com/us/app/pythonista-3/id1085978097
| antman wrote:
| You can't use it to create a backup script to online backup
| your phone data. For good measure iOS also blocks all apps
| since they would lose iCloud revenue.
| judge2020 wrote:
| I'm sure they've already lost a lot of money to Google
| Photos's previously-free photo backup.
| easton wrote:
| Droidscript has support for writing custom intents, which
| Pythonista (and Scriptable, a JavaScript version of the
| same thing) do not have. A malicious Droidscript
| application could access other applications on the device.
|
| https://symdstools.github.io/Docs/docs/app/SendIntent.htm
| munk-a wrote:
| I know that this has but a fat chance of being taken
| seriously by Google but... Isn't this a good chunk of the
| reason why people here on HN and elsewhere have been
| arguing for much more granular intent management on
| Android like they had in the early days?
|
| When we get permissions boiled down to one or two popups
| we end up with issues providing accurate privileges to
| applications (and might be forced to allow WhatsApp to
| trawl through our contact list if we ever want to send a
| picture in it).
|
| Granular control shifts the power to the user and allows
| programs like this to have more fine tuned privileges.
| sdenton4 wrote:
| Alas, granularity very quickly turns into users clicking
| through piles of crap without thinking about it. With
| great power comes great user error.
| munk-a wrote:
| I disagree - it turns into users clicking through piles
| of crap if you've got a crap UX. If the UX is well tuned
| to display this information and let the user break out to
| greater levels of detail or keep things simple then you
| can find a good middle ground.
|
| Given the amazing strides in usability we've seen in
| nearly every other field it baffles me why everyone isn't
| onboard with the fact that we can take the learnings from
| elsewhere and bring them to the domain of permissions.
|
| Permissions are almost always hierarchical and grouped
| into classifications that make it easier to present the
| user with fewer more meaningful choices than asking the
| user to approve whether an app can see each contact on
| their phone one-by-one.
|
| I'm honestly a bit cynical (puts on tinfoil hat) that
| marketers have held us back here since a lack of granular
| permissions aligns quite well with their effort to grab
| as much personal data as possible.
| sdenton4 wrote:
| There's so many crazy gotchas in android permissions,
| though... eg, most users won't know that there's a
| connection between wifi and geolocation data. That's a
| non-obvious connection with a real trade-off: the app
| might have some interesting wifi-based functionality, but
| in exchange the app authors might harvest your geo data.
|
| Consider the permissions for the lowly keyboard app...
|
| A proper understanding of fine-grained permissions
| basically requires a working knowledge of how that
| permission might be or has in the past been abused.
|
| And ultimately, fine-grained permissions are probably
| answering the wrong questions. The user expresses some
| basic trust via the initial app installation; what
| permissions ultimately help with is deciding whether or
| not to keep trusting the developer. If the app asks for
| lots of unexpected stuff, it's probably malware and
| should be uninstalled. If the permissions seem
| reasonable, the app is probably fine, and the user just
| wants to delegate responsibility to the app to do what it
| needs to do to get shit done.
|
| It's really /all/ about trust. If you can't trust a
| random app, installation is a high-friction event. Check
| the stars, number of users, read a bunch of recent
| reviews, carefully go through permissions providing
| access for exactly what's needed. If you /can/ trust a
| random app, you can just install it, use it to read the
| fscking QR code and go on with your day. The need for
| trust is why we've ended up with centralized app stores
| with stringent content policies, and all the false
| positives that come along with it.
| amelius wrote:
| Are Play Store regulations the only defense against this
| kind of attack? If so, then yikes!
| JeremyBanks wrote:
| Android's fine-grained permissions system isn't a good
| fit for something like Droidscript; one script could use
| a permission for valid reasons, then another could do
| something bad.
| veeti wrote:
| You can't access any random application just by sending
| intents. Available intents must be exposed to other apps
| if desired - for example, the camera app has a "show the
| camera for taking a photo" intent.
| quotemstr wrote:
| If you don't want another process sending you an intent,
| don't export your entry point. This isn't hard. Security
| through obscurity is no security at all.
| franga2000 wrote:
| I've done some, although not a lot of, native Android
| development and I'm not quite sure what's so bad about
| sending intents. "Could access other applications" sounds
| dangerous, but as far as I know that "access" is limited
| to things those apps have explicitly decided to allow
| external apps to access.
| spinny wrote:
| Probably it's not the capability to send custom intents.
| Every time I buy a new device, I look for apps with
| unknown or curious names, check the manifest and use an
| app like Intent
| (https://play.google.com/store/apps/details?id=krow.dev.schem...)
| to poke around.
| easton wrote:
| Applications could be exposing intents they assume will
| be used by trustworthy applications (i.e. apps in the
| Play Store). A user could download a Droidscript (which
| as I understand doesn't trigger the unknown sources
| policy) which then tries to use intents it shouldn't need
| without asking the user for permission.
|
| If Droidscript required unknown sources to do anything
| (not just APK exports), then other apps could check the
| unknown sources policy on the device and disable certain
| intents (which they may do anyway at the moment, since
| that would mean that the applications installed may be
| untrustworthy). But this way there isn't any way to tell.
| zshift wrote:
| > Applications could be exposing intents they assume will
| be used by trustworthy applications (i.e. apps in the
| Play Store).
|
| This is a poor assumption to make. Any data coming into
| your application should be assumed to be malicious. This
| would be the same as a server just accepting any data
| made to its API calls without any validation.
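The point made in the comments above by quotemstr and zshift (an app is reachable by intent only through components it exports, and whatever arrives there is untrusted input) can be checked from an app's own manifest. This is an added example, not code from the thread or from DroidScript; the manifest, package and component names are constructed, and it assumes a decoded, plain-text AndroidManifest.xml.

```python
import xml.etree.ElementTree as ET

# Manifest attributes live in the android: XML namespace; element names do not.
A = "{http://schemas.android.com/apk/res/android}"
# Components that receive intents. Content providers are left out: they are
# reached through URIs and carry separate read/write permission attributes.
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest (hypothetical app, not taken from the thread).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <permission android:name="com.example.notes.SYNC"
      android:protectionLevel="signature" />
  <permission android:name="com.example.notes.READ" />
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
      </intent-filter>
    </activity>
    <activity android:name=".ImportActivity">
      <intent-filter>
        <action android:name="com.example.notes.IMPORT" />
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" />
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.notes.SYNC" />
    <receiver android:name=".ExportReceiver" android:exported="true"
        android:permission="com.example.notes.READ" />
    <receiver android:name=".WipeReceiver" android:exported="false">
      <intent-filter>
        <action android:name="com.example.notes.WIPE" />
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def is_exported(component):
    """Return (exported, implicit) for one component element.

    Without an explicit android:exported, a component with an intent filter
    was exported by default before Android 12; apps targeting API 31+ must
    state the attribute explicitly on such components.
    """
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true", False
    has_filter = component.find("intent-filter") is not None
    return has_filter, has_filter


def audit_manifest(xml_text):
    """Map component name -> {"exposure": ..., "implicit": bool}.

    exposure is one of:
      private    - not exported, other apps cannot send it intents
      open       - exported with no permission, any app can send it intents
      permission - exported behind a permission other apps can request
      signature  - exported behind a signature-level permission
    """
    root = ET.fromstring(xml_text)
    # protectionLevel defaults to "normal" when the attribute is omitted.
    levels = {
        p.get(A + "name"): p.get(A + "protectionLevel", "normal")
        for p in root.findall("permission")
    }
    report = {}
    app = root.find("application")
    if app is None:
        return report
    # <application android:permission> applies to components without their own.
    app_permission = app.get(A + "permission")
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported, implicit = is_exported(comp)
        if not exported:
            exposure = "private"
        else:
            perm = comp.get(A + "permission") or app_permission
            base = levels.get(perm, "").split("|")[0]
            if perm is None:
                exposure = "open"
            elif base in ("signature", "signatureOrSystem"):
                exposure = "signature"
            else:
                exposure = "permission"
        report[comp.get(A + "name")] = {"exposure": exposure, "implicit": implicit}
    return report


def review_list(report):
    """Components whose intent handling must validate every extra it reads."""
    return sorted(n for n, r in report.items()
                  if r["exposure"] == "open" or r["implicit"])


if __name__ == "__main__":
    for name, result in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{name:20} {result['exposure']:10} implicit={result['implicit']}")
```

An "open" launcher activity is expected; the list is a set of entry points to review, not a list of vulnerabilities.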
| tremon wrote:
| _trustworthy applications (i.e. apps in the Play Store)_
|
| Please don't equate trust with any app store like that.
| Firstly, many incidents have shown that this blanket
| trust isn't warranted, and second, the final arbiter of
| trust is the _owner of the device_, not the owner of the
| app store.
| grawprog wrote:
| Yes...Droidscript allowed one to use the tiny computer in
| their pocket similarly to the way one could use the large
| computer on the desk. One could script small apps on their
| tiny computer and they could access most of the same api as
| java apps. It was pretty awesome.
| passivate wrote:
| > My guess is that when details come out it will turn out
| that at-least-plausibly harmful Droidscript garbage was being
| pushed to users and Google decided to kill it.
|
| Yes, I'm sure Google will carefully release details that
| paint them as the good guy. Certainly, we don't want to be
| needlessly unfair to them, but there is zero reason to give
| them free trust at this point.
| BoorishBears wrote:
| Google will not release details because Google doesn't care
| if they look like the good guy (otherwise they wouldn't do
| stuff like this in the first place!)
|
| Best case is the right person sees this social media
| outcry, silently gets it fixed and Google moves onto
| destroying the next developer.
| dtx1 wrote:
| I think your thoughts on this are plausible, if not likely.
| However, the usual complete lack of communication by Google
| is the actual problem. Perhaps droidscripts could mitigate
| Google's concerns, if they had the decency to explain them.
| sofixa wrote:
| But if they do, a malicious actor can use that information
| to circumvent their restrictions, and it's their walled
| garden, so they have very little incentive to tell everyone
| _exactly_ what they don't like.
| marcinzm wrote:
| And we have very little incentive to not complain loudly
| and publicly about their practices.
| Jordrok wrote:
| I know this is standard practice for most big companies
| moderating lots of content, but it has always seemed like
| such an insane policy to me.
|
| Imagine if this were applied to actual laws enforced by
| the police. "You're under arrest but we won't tell you
| what law you've broken, because then other criminals
| might use that knowledge of the law to avoid being
| arrested. And by the way, a secret court has sentenced
| you to life imprisonment and all of your appeals have
| been denied."
| Dylan16807 wrote:
| Okay, but this developer isn't "everyone", and there
| seems to be no reason not to explain in this case.
| sofixa wrote:
| Unless the developer decides to share on Twitter or HN or
| w/e, and now malicious actors know as well.
| Dylan16807 wrote:
| I meant that this information is not a problem to share,
| and that sharing information in one case does not imply
| sharing it in all cases.
| ben509 wrote:
| That's the claim made by Google and many other big
| corporations. It's plausible enough, but I haven't seen
| any hard evidence that it's true.
|
| Suppose it is true that these companies can't reveal
| their decision making because there's so much to be
| gained by bad actors that game these highly centralized
| systems.
|
| Then it seems like a larger number of smaller firms could
| be more transparent and still achieve the same effective
| level of security.
| ajross wrote:
| > However, the usual complete lack of communication by
| google is the actual problem.
|
| Uh... Seems like the _actual_ problem (given that scenario)
| is that adware is being pushed to users, not whether or not
| Google defended its ban in public. Complaints about
| customer service (from everyone, not just Google) are a
| dime a dozen, actual user security is clearly more
| important, right?
|
| Your answer presupposes a frame where Droidscript is
| innocent. What if it's not, and it knowingly nodded to a
| community of junkware being pushed to its users (again, I
| have no evidence!). In that case you'd want it banned
| without "decency", right?
| wtetzner wrote:
| > Seems like the actual problem (given that scenario) is
| that adware is being pushed to users
|
| _Google_ itself is adware.
| dtx1 wrote:
| Banning it first is fine. Banning it first, then not
| giving a reply to the concerns they have is not. Even if
| they have reasonable belief or proof that droidscript is
| indeed malware, it looks like at least a chunk of their
| userbase uses it for legitimate use cases and the devs,
| who likely invested at least a few hundred hours of work
| in it, deserve at least some communication.
| szopa wrote:
| I used to work at Google, and a friend reached out to me
| for help - his company's app was in a similar situation,
| with similar communication from Google. This was a good
| friend from high school, so I pressed the issue using
| internal channels. The person handling it on Google's
| side was very assertive about them violating a policy,
| and after some back and forth I received a _vague hint_
| about what was the supposed violation. I passed the hint
| along, and after some digging, lo and behold, it turned
| out one of their people had lifted someone else's images
| without permission, violating copyright (kudos to Google
| for figuring it out). My friend apologized profusely to
| me, to the support rep, his boss, and let the culprit go.
| They purged the app's assets, changed their processes,
| and eventually the app was reinstated.
|
| Now, this was a special situation. I had a personal
| relationship with the developer, and I was happy to vouch
| for their honesty. Yet it still turned out Google had
| been right all along. Now, it's a shame Google couldn't
| let them know what was the issue. However, it's a safe
| assumption that the vast majority of people Google
| support deals with _are_ spammers. And there's a lot of
| them. If Google gave a detailed explanation to all of
| them it would mean a ton of additional work - which would
| create an unsustainable situation at this scale.
| Dylan16807 wrote:
| > Yet it still turned out Google had been right all
| along.
|
| No they weren't. It was not right to terminate the entire
| app because someone used an image wrong.
| munificent wrote:
| Caveat: I work at Google but know nothing about this area
| and my opinion here is entirely personal.
|
| _> which would create an unsustainable situation at this
| scale._
|
| Financial sustainability may have something to do with
| it, but I suspect the larger issue is that providing too
| much detail essentially trains malware authors to route
| around the company's defenses.
|
| Imagine the Play Store as a castle which has both good
| townsfolk coming and going as well as being perpetually
| under siege by a malicious lord. Sometimes, the castle's
| defenses inadvertently prevent a townsperson from getting
| to market to sell their onions. When the townsperson is
| like, "Hey, I can't get in to sell my onions." it's
| helpful for the castle defenses to be like, "Well, we
| have the portcullis raised from 9am-11am on Tuesdays and
| the gatekeepers listen for your accent to decide if
| you're a local or an enemy."
|
| But that's, like, exactly _not_ what you want to say if
| the "townsperson" you're talking to is actually an enemy
| spy taking notes.
| stickfigure wrote:
| That doesn't seem to be a problem in this case? Telling
| spammers they are blocked due to copyrighted images
| trains them not to upload copyrighted images. Win-win.
| spinny wrote:
| Picking up copyrighted images is another indicator that
| user X is a spammer, providing that info would eliminate
| the signal.
| zmmmmm wrote:
| Well, this is the essence of discrimination and we
| wouldn't tolerate it for a whole range of indicators
| (you're black, gay, of a particular race, etc etc). My
| guess is the real reason they won't tell people is that
| they would end up in court pretty quick.
| salawat wrote:
| Say it with me now:
|
| >"Rough consensus, and running code. We are not the
| Protocol Police."
|
| Half the problems we have nowadays is because we have
| manufacturers playing "the Program Police", which leads
| inevitably to the point you just made.
|
| You are now, like it or not, adversarial to any User
| looking to do anything you find unconformant with your
| bottom line. You cannot solve these issues by
| whitelisting, just like you can't solve the problem of
| crime by whitelisting, and hiding the conformance suite.
| If you can't know the test, you can spend infinite cycles
| changing the wrong thing to comply with it, and I do not
| find that to be a tenable state-of-affairs to push on
| users, even if intentionally aimed at the malicious ones.
| This is the same problem we have in meatspace with our
| overly byzantine legal system; but nobody accepts that
| secret laws are a good idea because if everyone can read
| the law, it's a national security risk. At least no one
| without some serious conflicts of interest.
|
| Do you really think that your company is going to nail
| down a good solution to a problem that society at large
| can't even handle reasonably? I mean, think about it.
| This really is a subset of the general question of how to
| keep everybody doing something productive. I don't even
| need an answer. I just want to encourage people to think.
| fencepost wrote:
| _I suspect the larger issue is that providing too much
| detail essentially trains malware authors to route around
| the company's defenses._
|
| Perhaps so, but it seems not unreasonable to have SOME
| ability to work with the creator of an app that's been on
| the store for years with a substantial number of ongoing
| users and (speculating) a non-troublesome pattern of
| installs and purchases.
|
| Nobody believes that Google is technically or
| financially unable to do this, which leaves the other
| option - at a corporate level not giving a shit enough to
| even bother trying.
|
| Google will often do the right thing whether by plan or
| by happenstance, but it pays to be aware that when it
| does the wrong thing there is no recourse and will be no
| correction.
| shkkmo wrote:
| I'm sorry, but the "security" excuse is BS. You don't
| have to tell users what automated tool flagged them or
| how their violation was discovered.
|
| You do have an ethical obligation to inform them of what
| policy was violated with sufficient detail that a good
| actor has a reasonable chance of complying with your
| policy.
|
| I think that this should be required of any company that
| provides publicly available goods/services, not just
| Google. This doesn't just help with monopolies, but also
| makes it harder to hide racism and censorship behind
| opaque policies.
| veeti wrote:
| > It's a safe assumption that the vast majority of people
| police deal with are criminals. And there's a lot of
| them. If they gave a detailed explanation of why they are
| under arrest it would mean a ton of additional work -
| which would create an unsustainable situation at this
| scale.
|
| But it's all good, Google is a private company(tm) and
| can do whatever they want(r).
| jldl805 wrote:
| Actually Google is a public corporation, not a private
| company.
| Aissen wrote:
| > Now, it's a shame Google couldn't let them know what
| was the issue. However, it's a safe assumption that the
| vast majority of people Google support deals with are
| spammers. And there's a lot of them. If Google gave a
| detailed explanation to all of them it would mean a ton
| of additional work - which would create an unsustainable
| situation at this scale.
|
| I don't think that's reasonable. What if most are
| spammers? Better let a few spammers in than treat
| someone unjustly. Why would it become unsustainable?
| I've seen this argument repeated ad nauseam, but have yet
| to see proper proof.
|
| In this particular example, a copyright violation was
| detected in an image, so an automated response "someone
| else's image was used without permission, violating
| copyright" seems entirely plausible.
| troyvit wrote:
| Google has the scale to do this, but they also have a
| large enough monopoly where they don't have to, so they
| won't. It's not that it's unsustainable, it's that it is
| entirely sustainable to continue doing things this way.
| JeromeLon wrote:
| Can you elaborate? I can see how Google can scale this
| automatically. But I don't see how Google can terminate,
| say, one million apps a day, if each termination entitles
| the spammer a one hour conversation with a technical
| representative.
| BoorishBears wrote:
| Why does it need to cost them an hour conversation?!
|
| Look at the tone-deaf example this employee just shared.
| All they had to do was say _in the same email that they
| used to ban someone_ "you have copyrighted images".
|
| The moment they find an infraction they could literally
| take a screenshot, say "the problem is X" and email it,
| which would incur the 5 seconds it takes to add a
| screenshot and say the problem you already identified,
| but make a _world_ of difference for developers.
|
| This nonsense about "it's to stop spammers" isn't about
| the cost, the laughably bad logic Google uses is that by
| identifying what rules you broke, spammers will get
| better at not doing stuff Google catches...
|
| As if the spammers don't already know what they did to
| get caught!
| burnished wrote:
| Make the person buy the hour, say $100. It's a very
| different value proposition for some one saving their
| business vs some one trying to game a system.
| splistud wrote:
| If proper support is unsustainable due to the model, it
| is the model that has to change.
| baq wrote:
| i disagree about unsustainability. there are real people
| on the other side of the business among these bots and
| spammers and if you ignore them because they might be
| bots and spammers, they'll leave and tell other real
| people that google can't be reasoned with because they
| assume everyone is a bot and a spammer.
|
| you see exactly this happening all the time here on HN.
| the sentiment for the past few years is abysmal. google
| is actively blowing up their power user/developer
| customer base. looks like a metric somewhere got
| optimized a bit too well.
| stjohnswarts wrote:
| I think so as well. As a duopoly Google and Apple owe it
| to their customers and 3rd party developers to know why
| something gets banned. Being in that position requires
| special consideration to hold that much power. Government
| has to do it, why don't huge corps?
| kentonv wrote:
| > However, it's a safe assumption that the vast majority
| of people Google support deals with are spammers. If
| Google gave a detailed explanation to all of them it
| would mean a ton of additional work - which would create
| an unsustainable situation at this scale.
|
| You describe a situation where Google was going to put a
| whole company out of business -- probably ending your
| friend's job, as well as that of many other honest people
| -- rather than give them the information they needed to
| fix the problem. And you think this is reasonable,
| because it would be "a ton of additional work" for
| Google? We just have to accept people losing their
| livelihoods as collateral damage in the war on spammers?
|
| Imagine if we applied the same logic to the government.
| If they think you committed a crime, they just toss you
| in jail and don't have to tell you why. They could catch
| a lot more criminals if they didn't have to waste time
| prosecuting them!
|
| No, we need a Habeas Corpus for tech companies. If you
| are banned, you have to be told why. Make it a law. I
| don't care if it results in more spam.
| richardfey wrote:
| I liked all of your comment, but this passage in
| particular:
|
| > No, we need a Habeas Corpus for tech companies. If you
| are banned, you have to be told why. Make it a law. I
| don't care if it results in more spam.
|
| The whole ordeal seems like an attempt to educate app
| developers by whipping, where the victims have to guess
| what they did wrong.
| cannabis_sam wrote:
| "The opaque email responses will continue until morale
| improves."
| specialist wrote:
| Yes, and: Efficient markets require fair & impartial
| courts, tort, transparency, accountability. Etc.
| pyrale wrote:
| > In that case you'd want it banned without "decency",
| right?
|
| Due process isn't really a sound concept if it's only for
| innocent people.
| ddtaylor wrote:
| > but it makes advertising fraud trivial to deploy.
|
| Compared to what? If someone wants to run a random APK that
| has some kind of ad fraud in it, they very easily can even if
| Droidscript doesn't exist.
| mdoms wrote:
| > So... having read through their marketing material, this is
| an on-device tool that opens up what appears to be most of
| the Android application API to at least the user of the
| device, and potentially to any Droidscript applications they
| grab from other sources, and... maybe to other apps on the
| device? It's not clear from a quick read how extensive the
| runtime control is.
|
| When did we collectively decide that programmable computers
| were a Bad Thing?
| NateEag wrote:
| Some of us realised that end users don't want to program
| and that they can be better protected from themselves by
| only allowing execution of arbitrary code when they
| explicitly say they want it.
| mdoms wrote:
| Presumably those end users aren't downloading
| Droidscript.
| antman wrote:
| Vetting process is just excuse for rent seeking, a better
| client ui for us to approve permissions would cost nothing.
| exyi wrote:
| Should the Chrome browser be also banned from Android since
| it is trivial to deploy ad fraud campaign on the web?
| bosswipe wrote:
| Whatever "open platform" might mean Android is becoming less
| and less of one as Google has made huge efforts to move more
| and more core operating system functionality into closed
| source Play Services and continues to remove developer access
| to many APIs in the name of security. In fact what you're
| advocating for in this comment is to make the platform less
| open.
|
| > (And it needs to be said: this is the kind of app that
| would never have been legal at all on any version of iOS.)
|
| Exactly, iOS is not an open platform and Google has decided
| they want to be more like iOS.
| throwawayffffas wrote:
| > Add to that that it's a closed source IDE for an open
| platform, and my intuition sides with Google here.
|
| If I can't ship my closed source IDE on the platform is the
| platform really open?
|
| > My guess is that when details come out it will turn out
| that at-least-plausibly harmful Droidscript garbage was being
| pushed to users and Google decided to kill it.
|
| Of course they will say it was because x, y, and z were done
| to protect the users. But is it really for the users' benefit
| or just about control over their walled garden?
| numpad0 wrote:
| Sounds like effective lack of means of production available
| inside the platform is fundamental to sustainable
| platform...
| ajross wrote:
| > If I can't ship my closed source IDE on the platform is
| the platform really open?
|
| For clarity: the Play Store is not an open platform. The
| Android API being exposed by Droidscript very much is.
| throwawayffffas wrote:
| Fair, I misinterpreted what you were saying.
| simias wrote:
| Was it used to publish malware? Given that it's a general
| purpose scripting tool I can imagine that some people would
| abuse it and use it as some sort of backdoor to get clueless
| users to run malware without having to publish it on the app
| store.
|
| _If_ that's the argument I can sort of see Google's point
| here. The Play Store is supposed to be curated and the
| application should follow certain guidelines. This tool as I
| understand it effectively provides a loophole that lets people
| run non-curated code without jailbreak. I know that Apple
| removed apps for similar reasons in the past.
|
| TFA is a bit misleading, the whole "AD FRAUD" angle is frankly
| irrelevant, it's just that since Google considers that the app
| violates the guidelines it can't be eligible for the ad
| program.
| franga2000 wrote:
| > This tool as I understand it effectively provides a
| loophole that lets people run non-curated code without
| jailbreak.
|
| Installing non-curated apps has always been supported on
| Android - no jailbreaking required. Just get an APK either
| straight from the developer or through any number of
| alternative app stores, open it, click the "yes, I'm sure"
| option in the security popup and you've got yourself an app.
| MadWombat wrote:
| One of the specific features of DroidScript is that it is a
| remote IDE. That is, when you start DroidScript on your phone
| it will serve the IDE UI via HTTP and you can then connect to it
| by using your phone's IP address (DroidScript conveniently gives
| you a URL to use). Maybe that is the reason for Google's
| decision.
|
| Also, according to DroidScript itself, Google accused them of
| ad fraud, so maybe there is something there.
| progfix wrote:
| How convenient for Google.
| Arjuna144 wrote:
| Ouch, they have been doing this sort of thing for quite a while now.
| A good friend of mine had a very big website (among top 200 Alexa
| rating in ~2010) with ad revenue around 10k per month. Google
| just terminated the website without supplying much additional
| helpful information. Just an automatically generated email saying:
| you are done.... (that page was https://kriyayoga.com, which
| since has been closed down and made available for free download,
| only the tomb-site remains)
| cube00 wrote:
| Search the phrase "I made sure to include all the information
| available to me" and the tale of woe is incredible, all 79,000
| hits of it.
| fctorial wrote:
| So they created an app that works as a programming environment,
| one of their users abused the google play services and they are
| getting the flak for it.
| rjmunro wrote:
| Could Droidscript's remote IDE features have a security hole that
| is allowing people to remote install malware into Droidscript
| users?
|
| Google would see this malware coming from Droidscript;
| Droidscript would not see anything in their code that could be
| causing it.
| qyi wrote:
| We live in a world where people unironically put comments on top
| of every file in their projects (but only the ones they can
| easily insert a meaningless string into) like "you cannot
| disclose this file blah blah blah" and call themselves "grown
| ups". What's this Android nonsense, can't it just run programs
| like a normal computer? At the very least if it purports to not
| be a general purpose computer, then there should be no excuse for
| security vulnerabilities.
| unexaminedlife wrote:
| I, like most people, don't like the idea of a few large groups
| controlling entire ecosystems. Especially in technology if these
| companies have a complete stranglehold on the entire system it's
| not good.
|
| HOWEVER, I really don't think that's the case. I mean look at
| Hacker News! They built up their brand and product through grass
| roots efforts. Large ecosystems take notice and recognize, I
| think, reputation in smaller ecosystems.
|
| When a group gets banned like this and feels it's their only hope,
| I'm skeptical.
|
| My guess is either these guys are playing dumb or they don't
| understand why the best software engineers in the world think
| they're doing malicious stuff. Either way they don't appear to be
| ready for the "big time".
| blacklight wrote:
| This is the same story that HN readers have read hundreds of
| times over the past couple of years, just with different
| subjects.
|
| Independent developer/small organization gets their app/YouTube
| channel/Google account shut down overnight because of false
| positives triggered by their system.
|
| It takes weeks and insistence with bots to just get to speak to a
| human.
|
| When you get to speak to a human, they usually respond with
| template responses and refuse to provide further information.
|
| Rinse and repeat the same kafkanian process again and again.
|
| In all honesty, what the hell is everyone waiting to get off
| Google? Gmail accounts, app stores, YouTube, ad networks...
| Alternatives exist nowadays for all of the products developed by
| a shapeless and faceless corporation that listens to nobody.
|
| I wish a long and successful journey for the Droidscript guys on
| F-Droid or any alternative store. Time for Google to understand
| that without the content uploaded by us (users, creators and
| developers) they are nothing but a useless empty box.
| mleonhard wrote:
| Google is 1/2 of the mobile duopoly. No app developer can avoid
| Google Play Store (for publishing their apps) and Firebase
| Cloud Messaging (for sending push notifications to their apps).
| auiya wrote:
| The rest of industry have declared most Google products
| spyware... so I guess it all evens out?
| 7OVO7 wrote:
| the problem of a free market in the management of the important
| hubs of a sector (as is Google for most of the services of its
| type on the internet) is that they (the big names in the sector,
| those who reach the top with the free market), are which then
| once they arrive they can do as they prefer.
|
| the problem of a non-free market, in this matter, would be a
| government monopoly, with the same problem: they can do as they
| like.
|
| the alternative to this currently is not easily applicable, and
| does not give the current advantages of the "big" (whether they
| are companies or governments the result does not change; really,
| it is the same).
|
| if you think that Russia and its coming private Internet, or the
| American NSA security system, or even that I know ... Amazon and
| eBay, or Facebook and its network (not just the Social Network
| site, but all its additional services, and where it gets to
| manage what it manages), or even Chinese censorships on the
| Internet, are different from each other (to give random
| examples), think again.
|
| then of course comes troll-boss Trump (they ban him from Twitter
| and other similar sites) and everyone thinks (confused) that this
| is not real what I am writing in this comment.
|
| we are beyond the conspiracy, here the conspiracy comes to life
| by itself, randomly, without anyone creating it; now in its own
| life.
|
| who is at the top decides for who is below the top, obviously the
| developers of Droidscript appeal, they do not like this decision,
| but they are like everyone else they are subject and subject to
| the "big".
|
| if you don't want big problems from the "bigs", don't support
| them, don't use them.
| warent wrote:
| On one side I'm being bombarded with news about Google's
| anticompetitive greedy practices and disregard for customers. On
| the other side I'm being bombarded with news about Apple's
| anticompetitive greedy practices and disregard for customers.
|
| Damned if you do, damned if you don't. Which to choose? About
| ready to just burn all of my electronics and live in a damn
| cabin.
| vntok wrote:
| Well, is it? The linked post is obviously biased, so I'd rather
| wait for more information instead of getting my pitchfork out
| immediately.
| marcinzm wrote:
| Since Google lacks any form of human feedback or customer
| service the only approach is to bring out pitchforks as soon as
| possible. Otherwise no clarity will ever be provided.
| croes wrote:
| "The Register asked Google to explain why DroidScript was
| removed and whether it's possible the policy violation
| allegations might have been made in error. We've not heard
| back."
|
| https://www.theregister.com/2021/04/27/droidscript_google_ba...
| lopis wrote:
| It could even be. Maybe Google found out they were hijacked in
| some way and the app contained malware. The main issue is that
| Google refuses to let publishers know the reason for bans and
| take-downs.
| Jaygles wrote:
| It seems to me that the nature of the app is what's causing the
| issue.
|
| From one of the emails they got from Google:
|
| > We don't allow apps with any code that could put a user, a
| user's data, or a device at risk.
|
| Maybe they think the ability to execute arbitrary code is too
| powerful of a feature?
| pjerem wrote:
| > Maybe they think the ability to execute arbitrary code is
| too powerful of a feature?
|
| Yes, probably.
|
| But maybe they can act and speak like humans, maybe even make
| a phone call before just deleting without notice a well
| established 7 years old app with more than 100k users,
| cancelling all revenue from user's subscriptions, and all
| that while sending bot-like mails just saying that they can't
| give more information about why they are killing an
| organisation.
|
| I think this is really serious. A respected business is going
| to be shut down, real people are going to be fired and Google
| isn't even able to answer to an email asking why it's
| happening?
| richardwhiuk wrote:
| Maybe the business should have read the policy guidelines.
| ivoras wrote:
| Historically, that has been a major reason for banning apps
| for both Apple and Google.
|
| IIRC Apple even went to extremes and banned browsers which do
| not use their own JavaScript interpreter.
| CogitoCogito wrote:
| That could be the issue. It could also be something else
| entirely. It's a bit unfortunate that they are left guessing
| as to what the problem is.
| Jiocus wrote:
| "Hold my beer," - mobile Google Chrome.
|
| Trying to see it from Google's point of view though. Perhaps
| there is a useful distinction to be made between end-user
| apps, and apps and functionality targeting developers. There
| is developer tooling to be found outside the Play store. Far
| away from the general audience and the risk of causing them
| security issues.
|
| I can't say I agree with it, and Droidscript could well be a
| godsend to somebody making good use of it.
|
| There should be an avalanche of truly malicious apps and
| related dev malpractice they could root out from their
| platform before this.
| CivBase wrote:
| Part of me is amazed that so many apps continue to rely
| exclusively on the Google Play Store for distribution and
| monetization. With Google's track record, it's practically
| negligent to build a business which is completely dependent on
| their proprietary services.
|
| That said, there's also probably no money in Android apps it
| isn't on the Google Play Store. I doubt most Android users know
| how to install apps from anywhere else, much less search other
| app catalogs. So I guess I really shouldn't be amazed at all.
| darkwater wrote:
| And, ironically enough, they publish the announcement on Google
| Groups.
| yjftsjthsd-h wrote:
| Literally the second post is somebody suggesting that they
| really should move the forum ASAP.
| ur-whale wrote:
| Here's a prediction:
|
| Within 20 years, you will need the equivalent of a concealed
| carry permit to run Linux on a computer connected to the
| internet.
| melff wrote:
| nah, you don't need a permit for that... you'd just need a
| computer without a boot chain of trust, too bad those things
| exist only in museums and landfills nowadays, have fun digging
| through trash to find your slow-ass 5 year old 18-core RISC-V
| 256G RAM SoC for which there is an exploit to break its chain
| of trust. Oh and make sure nobody notices, breaking the chain
| of trust is obviously illegal, and for good reason you could
| try to break the DRM of a Neuralink-Entertainment-Stream, we
| can't have that.
| canada_dry wrote:
| The _Streisand effect_ at work. I'd never heard of Droidscript
| before, but now I want it. Thanks Google.
| cortexio wrote:
| I hope one day someone hacks google and puts all their servers
| offline and puts a text saying: this service is not in line with
| our guidelines. Even if it's for 1 day, just to give them a small
| taste of their own nonsense. If you buy something, it should be
| yours to control. If I buy a plate, you don't get to decide what
| food I eat. The phone space is currently completely controlled by
| 2 giants... it's sad.
| unexaminedlife wrote:
| Here's a thought. One of the most frustrating things to me about
| this kind of thing is that Google (or any other major tech
| company) could just ignore me and just tell me "you're malware".
| I get it. Technology people cost a lot of money, so I would
| propose that companies who the public depend on MUST offer
| consulting out-of-band at an hourly (or daily?) rate. This way
| the real issues are squashed.
|
| Now I know that I can get the guidance I need to fix the problems
| my product is having. Also this helps reassure the public about
| the big companies' intentions in that these FUD stories will
| become instantly irrelevant. You want your stuff fixed? Pay for
| the guidance. You don't want to spend the time fixing the issues?
| So be it. But don't expect anyone to listen to your problems.
|
| On top of this, if it's a small open-source project, create a way
| to streamline funding for the guidance. If a lot of people depend
| on your project they'll almost certainly chip in a small sum per
| person for the guidance you need.
| thih9 wrote:
| Wouldn't that encourage the big company to find more issues in
| apps, and then tell devs to buy consulting hours to figure out
| how to solve them?
| unexaminedlife wrote:
| Well, if that started happening I'm sure people would start
| posting stories of how disingenuous the company's practices
| had become. If they flagged some software as malware they
| should already know exactly what the reasons are. So we'll
| call that maybe a 1-2 hr session to get up to speed on
| exactly what the issues are. How someone goes about fixing it
| is another story.
|
| I'd say by default those sessions should be posted online for
| public viewing just so everyone can learn from the mistakes
| of the original team, or to make a judgment of how
| disingenuous Google is being about the issues. At the request
| of the project requesting those services they could make
| those sessions private.
|
| Also this could lead to real innovation in the tooling for
| example Google consultants could write unit tests that would
| need to pass in order to be allowed on the Google App store.
| Those unit tests would then, potentially become public so
| everyone could just download the unit tests from Github in
| order to confirm their software meets requirements.
|
| The other thing is Google would almost certainly see this as
| a cost center. Billing people at-cost (or slightly above
| that) for consulting services is way more labor intensive and
| tbh annoying for companies with a trillion dollar + market
| cap.
| jedimastert wrote:
| Except that ties access to these companies depend on to people
| who have the money to do so, which creates a huge imbalance
| unexaminedlife wrote:
| We're not talking a huge amount of money. I'm saying let
| these companies recoup the balance of the cost. For a small
| company it might seem unreasonable for a Google to bill them
| $100/hr for consulting services. Then again if 1,000,000
| people are asking for those services at 8 hrs a pop. You do
| the math.
| drummer wrote:
| Building and relying on Google and then complain when they pull
| the rug from under you. My fellow devs, when will you learn?
| Avoid Apple and Google.
| ddtaylor wrote:
| Google bans thing. Ban gets attention on HN and a few other
| social media sites. Google unbans thing. Repeat.
| pudmaidai wrote:
| You wish they unbanned things. I think content blocking will
| still suck in future Chrome versions.
| kjrose wrote:
| The second step only happens for a small select group of
| "things." There are myriad apps, people and organizations that
| Google has blindly banned with no recourse or reasonable appeal
| that we will never hear about.
|
| The bigger point is the system is clearly broken, but how in
| the world can you fix it?
| ddtaylor wrote:
| The problem is really just a matter of scale and the
| unwillingness of Google to sacrifice any of its margins.
|
| There are plenty of other companies that have many more
| humans in the chain where problems like these eventually get
| resolved once proper appeals are conducted or someone
| physically walks into a business and participates in whatever
| verification method is required.
|
| The idea that Google is somehow special is laughable.
| Compared to some other industries that are directly consumer
| facing the number of apps and developers is actually small.
|
| Also, they're not doing it without pay. They're taking a 30%
| cut from an industry approaching a trillion dollars in annual
| revenue. Again, the idea they can't solve this problem if
| they were willing to spend the money is absurd.
| kjrose wrote:
| Well, when it's to purchase Google Adwords, there really
| isn't any competition on that front.
|
| As well, Google Play pretty much monopolizes the Android
| market for the general public.
| Aachen wrote:
| Not just Google, also Microsoft and others (see youtube-dl).
|
| The question is how we can break the cycle in favor of hackers
| rather than in favor of big corporations.
| cecja wrote:
| The Microsoft Community is the worst of the bunch most of the
| answers are from certified whatevers and are the same 3-4
| boilerplate responses AND there are techsupport/remotedesktop
| scams running wild on the platform. Infuriating.
| ericol wrote:
| TL;DR: They are being accused of ad fraud, without any evidence
| provided, and they are asked to reply with an analysis of why
| they think their traffic ?? is legit (when they have no idea what
| is it that Google considered "not legitimate").
|
| The biggest issue here I don't think is the malware tag, but the
| ad fraud accusation.
|
| Even though as somebody pointed out the page linked can be
| biased, based only on what they state and the emails from Google,
| this is another case of David Against (automated) Goliath.
|
| From my point of view this is just another drop in the pound of
| what is already being built as a case against Google (and also
| Apple) for monopoly.
|
| P.S.: I've used Droidscript in the past, and I do think it's too
| powerful an app that can be abused. But that happens to a lot of
| things in life, right?
| frombody wrote:
| the ad-fraud accusation is my biggest concern as well.
|
| they provide no information or clues leaving the author to
| guess.
|
| the author guesses that somehow someone extracted their
| identifiers from the apk.
|
| google comes back and says more clearly that it's something to
| do with how the ads are positioned, essentially accusing them
| of trying to trick people to accidentally click.
|
| this information should have been provided before the appeal,
| and google gains literally nothing from hiding this information
| from the author.
|
| the malware claims have more validity, but the way they handled
| the ad-fraud claim is inexcusable.
| shadowgovt wrote:
| It is extremely possible that from Google's point of view, an
| inability to give such an analysis is itself justification to
| remove the app from the Play Store.
|
| If Droidscript is flexible enough to allow end-users to create
| an ad fraud engine, it's too flexible for the store. Play Store
| is relatively consistent in its position that a tool that
| bootstraps policy violations is itself a policy violation.
|
| But it would be great if Google could offer a concrete
| reproduction case, and from a developer-service standpoint it
| completely sucks that they don't.
| cwkoss wrote:
| Is there a service where I can host a raspi on my network and
| let people send it instructions about which ads should be
| clicked on and it gradually earns crypto over time?
|
| I'd love to make some money while fucking with ad networks...
| :)
| shadowgovt wrote:
| I'm not sure, but I'm going to note that click-fraud
| already exists and Google (as well as other ad networks)
| have countermeasures to determine whether your raspi is
| likely "clicking for fun" and chargeback the advertisers
| for the non-human clicks.
|
| Whether those countermeasures can be reliably defeated is
| left as an exercise for the raspi owner. ;)
| timnetworks wrote:
| Chrome.exe has been breaking the internet for years. There is no
| bigger malware producer than Google itself.
| qwertox wrote:
| Whatever their reasons may be, they may be legitimate.
|
| But using this sentence is simply not OK:
|
| > Because this information could be used to circumvent our
| proprietary detection system, we're unable to provide our
| publishers with information about specific account activity.
|
| The developer/publisher must be given a chance to correct the
| issues. This is simply not fair.
|
| I'm pretty sure Google can do better than to rely on security by
| obscurity.
|
| ---
|
| > Unfortunately we also have to inform our users that we could no
| longer support AdMob for use in their own apps either, because we
| can't test it anymore and can't guarantee that Google won't treat
| them in the same brutal way.
|
| Couldn't it be possible that one of those users was using AdMob
| in a fraudulent way, and that this was then linked to
| Droidscript? I don't know how Droidscript works, how it creates
| those apps, but it could be possible that Droidscript then was
| responsible for the fraudulent use a user did.
| cblconfederate wrote:
| > DroidScript has a user base of over 100,000 people world wide
|
| a user base built on such foundations is no base at all.
| unfortunately , only open platforms can be considered a solid
| enough base for building any kind of community
| thereddaikon wrote:
| Google is pretty infamous for the over reliance on automation for
| customer service. But ultimately the reason why they persist is
| because they can afford get away with it.
| teamspirit wrote:
| I think one day there will eventually be a class action lawsuit
| filed against one of these companies for their opaque customer
| response process.
|
| How did it get this way? How did we allow it and for so long? I
| really don't know. Here we are, the community involved yet
| somehow this method of customer [non]interaction grew out from
| underneath us.
|
| *spelling edit: fire -> for
| Taylor_OD wrote:
| What are you going to do? Stop using Google products? Good
| luck.
| lainga wrote:
| I could... take my travellers' cheques to a competing
| resort...
| tomjen3 wrote:
| I run firefox and use DDG.
| heywherelogingo wrote:
| Yes. Android and gmail are my last two to get rid of. I was
| wanting to play with mail in a box, but this morning had an
| alert on my phone demanding my birthdate within 14 days.
| So, I'll be expediting google out of my life within the
| next 14 days.
| e3bc54b2 wrote:
| If you don't use YouTube, I bow to you good netizen.
|
| But in all honesty, it is very very hard to avoid Google.
| Android, Gmail, YouTube and Search are big four left on
| my list.
| Igelau wrote:
| I'm using YouTube less and less. The ads have become
| intolerable, and I had my own bad experience with their
| copyright violation detection. That's the easiest one for
| me to abandon.
| dannyw wrote:
| Android is so bad for privacy.
| LegitShady wrote:
| Is AOSP bad for privacy as well? I've been migrating all
| my services and devices away from Google (I've owned
| nothing but pixels and nexus phones for a long time) but
| I was hoping flashing to lineage would work rather than
| buying a new phone.
| cecja wrote:
| Yes, AOSP is still calling home.
| danShumway wrote:
| Base Android with unmodified settings is terrible for
| privacy. If you're willing to put in the work to install
| LineageOS and move off of Google apps and jail/delete
| them, it can become a superior option over iOS, if for no
| other reason that that you can set up competent
| adblocking and take advantage of Open Source replacements
| for apps like Youtube that don't transmit as much data.
|
| This is part of why it's tricky to make phone
| recommendations to privacy-conscious people. iOS is the
| clear winner on privacy for nontechnical people, and the
| clear loser on privacy for highly technical people. But a
| lot of people fall in the middle of that spectrum --
| semi-technical -- and then it becomes complicated to
| figure out what they should do.
| pjerem wrote:
| Done.
|
| And it was way easier than I thought.
| passivate wrote:
| Google's business model is where they automate everything, and
| you keep running on the treadmill. From a business standpoint,
| it's fabulous, and I'd probably applaud them if they weren't so
| awful.
| seanhunter wrote:
| It's sort of interesting how long this has worked, and as well
| as automated customer service the same or similar case can be
| made for automated moderation.
|
| You can often hear people on here excusing this by saying "if
| they didn't do this, their business model wouldn't scale". Well
| yes. If you can do the automation and it works then you have a
| business at scale. If not, perhaps your business shouldn't be a
| scale business. As is, the negative externalities of this
| imperfect automation are significant.
| patrakov wrote:
| So community lawyers and other interested parties should make
| sure that their business model doesn't scale this way.
| salawat wrote:
| _Especially_ those parties.
| NiceWayToDoIT wrote:
| It seems this is not a rare case, I know that my friend lost
| great portion of his investment in the app at the point when
| number of users on his app was enough to start getting breaking
| even, Google just decided that some of his users are deliberately
| clicking on ads.
|
| I guess that is way when you deal with company with too much
| power, there is no way to appeal, complain, or do anything that
| will save your business. So, I guess, and from few stories I read
| if they find out that you have type of business that is
| interesting for them, they can simply suffocate your business by
| standard mafia means, like in the movies first they send a
| "negotiator", then they beat you a bit, and if you do not comply
| they "burn" your place down.
|
| So, company that had slogan "Don't be evil!" what a joke...
| segfaultbuserr wrote:
| The keyword here is _had_. Google wasn't that evil when it
| hasn't acquired today's power yet.
| pdkl95 wrote:
| The War On General Purpose Computing[1][2] is escalating. The war
| has moved past trivial fights over copyright/"DRM", and is now
| directly targeting programming environments.
|
| [1] https://boingboing.net/2012/01/10/lockdown.html
|
| [2] https://boingboing.net/2012/08/23/civilwar.html
|
| edit: fixed link - thanks for the bug report
| overgard wrote:
| This seems so self-defeating by these companies. All this will
| do is push people to learn to develop on the web (arguably
| where they already are learning), while completely bypassing
| any built-in API's and stores. Sure, there's stuff you can't
| access without native code, but at a certain point why would
| anyone want to risk making their primary codebase dependent on
| one of these stores?
|
| When FOSS tablets and phones become competitive, I'm really
| interested in getting one. Maybe even before they're
| realistically competitive.
| salawat wrote:
| It won't become so without your help, join the fight and make
| a stand. Every user lost by proprietary platforms tilts the
| scales more in FLOSS/H's favor. Scale makes all the
| difference.
| e3bc54b2 wrote:
| Web is being crippled too. Google is clenching its iron grip
| from both sides (search and browser), while Apple leaves it
| crippled on its own devices for obvious reasons.
| oblio wrote:
| You've posted the same link twice.
| TrianguloY wrote:
| I don't like the tone of the comment (feels like a tantrum) but
| unfortunately this happens more often than people think.
|
| What I find interesting is the little information they give you
| after a ban. Apparently if they explained the reasons of the
| banning then other people could use that information to find
| flaws and 'game the system'.
|
| This means that, if you deliberately made something against the
| rules and were banned, you can then 'explain your mistake and the
| measures to not do it again'. But if you don't do anything
| unusual and simply break one of the crazy rules they have by
| mistake, it's game over.
|
| P.S. If you have a blog and practically all of your visits come
| from a single source (perhaps a link in something popular) don't
| EVER use admob on that blog. You will be banned.
| arp242 wrote:
| You're not wrong that it's a bit of a tantrum, but after
| spending years working on a app and then being banned out of
| the blue without any recourse or even information, I think the
| author is entitled to a bit of a tantrum.
|
| It's true that giving all details might lead to people gaming
| the system, but c'mon, a _bit_ of details wouldn't be so bad.
|
| This isn't some sort of fairly inconsequential website like HN
| or Reddit we're talking about, but literally people's
| livelihoods. This is like the cops walking in to your house to
| arrest you for theft, but they won't tell you what you stole,
| where you stole it, or how they know it was you. You now go to
| prison, have a nice day.
|
| Perhaps they're right 95% of the cases. But in 5% of cases
| they're wrong, and bye-bye livelihood and many years of work
| down the drain.
| kseifried wrote:
| Assigned CVE-2021-1000040 for this issue because at a minimum
| DroidScript can no longer get updates out to users. They may also
| be doing bad things, as claimed by Google, but either way the
| ecosystem will start to get stale and security issues can't be
| easily fixed right now.
| SeriousM wrote:
| Why not just publish it on f-droid?
| thisisjustmine wrote:
| They have a subscription model and ads which are not allowed on
| FDroid. FDroid also requires the software to be opensource.
| ZiiS wrote:
| FDroid do allow subscriptions and ads. They label them
| 'AntiFeatures' which is not as bad as it sounds; many people
| will still happily install the App. However FDroid do strictly
| insist all code is free and open source; this does mean you
| are rolling your own Ad and Subscription libraries.
| Aachen wrote:
| Correct. Newpipe on f-droid has the anti-feature of
| promoting a nonfree network service (YouTube) but that
| doesn't mean people don't install it or that it's banned
| from f-droid.
| AlstZam wrote:
| This is true for the official FDroid repository but
| independent repo can be created [0]. This helps manage
| independent signing as well.
|
| [0] : https://www.f-droid.org/en/docs/Setup_an_F-Droid_App_Repo/
| antman wrote:
| At this point Google is the malware. Bait and switch, I miss the
| era that I could freely customize with termux, now waiting for a
| decent linux phone.
| ben509 wrote:
| The writing style of the piece looks like a political mailer.
|
| > The Google Play system has declared DroidScript is Malware and
| accused us of committing Ad Fraud! Needless to say, we are
| extremely upset and totally flabbergasted at this shocking
| allegation!
|
| That kind of hyperbole sets off all my BS detectors.
|
| As I go through the back and forth, DroidScript speculates this:
|
| > Our main guess was that one of our users was experimenting with
| our AdMob ID after extracting it from our APK...
|
| What I don't see is that they ever went back to the policies to
| check if that was legit. If it wasn't and you tell Google,
| "right, that was totally a feature but we've removed it," then,
| you just indicated that you deliberately implemented a feature
| that violated the terms of your agreement.
|
| > How can they expect people to build organisations or businesses
| supported by advertising revenue, when they might be subject to
| this type of summary execution at any moment!
|
| I agree that Google's communication with their customers is
| awful, but this is not a new problem: _you have to read your
| contract_. And that means get a lawyer to go over it and explain
| to you what it really means and not what you'd like it to mean.
| indymike wrote:
| Perhaps the problem here is the monetization model (ads) is a
| mismatch? Perhaps try a subscription or just let users buy the
| app?
| yjftsjthsd-h wrote:
| > What I don't see is that they ever went back to the policies
| to check if that was legit. If it wasn't and you tell Google,
| "right, that was totally a feature but we've removed it," then,
| you just indicated that you deliberately implemented a feature
| that violated the terms of your agreement.
|
| A user reverse-engineering your app to pull out its AdMob ID is
| neither a feature nor something the app dev can reasonably be
| faulted for.
| fmajid wrote:
| It happens a lot more often than people think. By some
| estimates more than half of all ad clicks are bot-driven
| fraud.
| Jfuvjrnfjxje wrote:
| > The Google Play system has declared DroidScript is Malware
| and accused us of committing Ad Fraud! Needless to say, we are
| extremely upset and totally flabbergasted at this shocking
| allegation!
|
| How is this a hyperbole? The first sentence is literally and
| completely true. And the developer seems legitimately upset and
| shocked.
|
| It's not hard to imagine truly being extremely upset that
| something you probably spent hundreds of hours on got shut down
| for inscrutable reasons outside your control.
| jccalhoun wrote:
| I am not a programmer so I have no idea of the validity of
| anything they wrote. However, the style absolutely grates on
| me. It sounds like PR. and the random bold sentences seems like
| a calculated PR move.
| veeti wrote:
| Are you serious? It takes a minute to disassemble literally any
| APK with AdMob SDK and abuse their ID's. These values are not
| secrets. If a billion dollar company like Google can't detect
| simple fraudulent activity like this, how are their ads
| supposed to be worth a single dollar?
| mschuster91 wrote:
| > how are their ads supposed to be worth a single dollar?
|
| Hard truth: a _lot_ of internet ads is fraud. With paper,
| radio and TV, any ad buyer can cheaply verify that their ad
| spending ends up where it should by buying a paper at a
| random train station or listening to the airwaves.
|
| On the Internet, it's worse than the Wild West, with fraud
| and deception on every part of the chain.
| DaiPlusPlus wrote:
| Which is ironic because in the 1990s web-advertising was
| sold to marketeers as _the best_ form of advertising
| because every view is logged and tracked: unlike a magazine
| ad you can know exactly how many people saw it and
| interacted with it (...right before middle-school kids
| realized they could make free money by clicking ads they
| put up on their geocities webpages)
|
| When Facebook launched their ad platform people were saying
| there would be even less fraud than open web advertising
| because FB (at the time...) was doing a good job of keeping
| bots out of Facebook - but I understand right now that
| Facebook advertising is the worst form of advertising you
| can spend money on...
|
| * https://news.ycombinator.com/item?id=25623858
|
| * https://news.ycombinator.com/item?id=26193544
| stjohnswarts wrote:
| If someone came along and pulled the rug out from under your
| ability to earn a paycheck you might be a bit excited and
| hyperbolic as well especially if all they told you was "you
| hurt our feelings" but wouldn't tell you why. The situation is
| ludicrous.
| [deleted]
| DarkmSparks wrote:
| simple solution for anyone considering funding their apps with
| advertising.
|
| Don't.
| TheCoelacanth wrote:
| Simple solution for anyone considering building a business on
| top of the Google ecosystem. Don't.
| flyagaric wrote:
| If you think you have a business by relying on Google, you will
| learn it the hard way.
|
| You can't have business with Google when all the rules of
| engagement are set by them.
| exikyut wrote:
| I can't find it now, but I read a story that's been repeatedly
| posted here about someone who got an idea, dropped everything,
| built an MVP, showed it to potential customers _who loved it_...
| and was told "I definitely need this, but I wouldn't pay for
| it." And then the person realized that the customer was right
| (the worst kind of right), and that the idea was both awesome and
| unmonetizable.
|
| In the same vein... question.
|
| Google is absolutely terrible at customer support and handling
| these kinds of issues. I once read in a comment posted here that
| they apparently don't even regard issues as valid signal unless
| 10,000 users are affected. (I've personally always instinctively
| shied away from app/site feedback buttons myself, and now I know
| why.) I'm guessing it's because con$i$tent ridiculou$ adverti$ing
| revenue ("we can do no wrong") has caused the death/deselection
| of normal customer support feedback loops.
|
| Sooo... could a startup, or startups, fill the absolutely massive
| vacuum that is being created here?
|
| For every story that trends on HN, how many more false negatives
| of people being bankrupted are there that never see the light of
| day? :(
|
| I can only think that this number is probably remarkably high
| given that _stories have to trend on social media and /or popular
| websites, for multiple days, before a connection is made and the
| problem can be fixed._
|
| Once again, the more I look at this, the more I get the
| impression that this is a huge hole that could be filled to great
| benefit.
|
| But thinking about it, I don't think it would be monetisable:
|
| - It would ultimately be a company taking people's money to
| leverage a few private contacts. It doesn't take much squinting
| to see this as extortion and gatekeeping, which happens
| everywhere but would legally be very interesting to defend
| (especially against a company the size of Google). :/
|
| - The contact issues only exist because of process and
| organizational failure, so even if private contacts were
| successfully established, the signal/noise ratio was ideal, and
| this company did perfect triage, it wouldn't take long for
| manglement to hear of the situation and decree that no Google
| employee were allowed to interact with the company professionally
|
| - The whole thing would have to operate under the radar to
| operate at all... and maybe such operations exist and are
| successful, we've just never heard of them. Problem.
|
| Running the whole thing as a volunteer operation maybe sounds
| like it could work though.
|
| And if issues don't get fixed until >10,000 people "notice" maybe
| such an operation could have noticeable presence before being
| acknowledged.
|
| Just thinking out loud. What think?
| richardwhiuk wrote:
| The signal to noise ratio would still be terrible. The company
| would have no mechanism to work out who was actually being
| honest.
|
| For every story that trends on HN, 9 times out of 10, it turns
| out Apple/Google/Microsoft/Facebook were right, and the company
| was doing something dodgy.
| Causality1 wrote:
| _Our main guess was that one of our users was experimenting with
| our AdMob ID after extracting it from our APK_
|
| Does this mean anybody with a grudge has an easy way of destroying
| any developer's revenue stream?
| tjpnz wrote:
| The only thing approaching malware I've experienced on Android
| was delivered via Google's own ad network. Given what little
| happened after reporting said malware one can only assume that
| they apply a very different set of rules to app developers.
| j_barbossa wrote:
| As still so many people don't get it:
|
| 1) Don't make your business dependent on Google
| 2) Don't make any of your data dependent on Google (don't use
| Gmail, Workspace etc)
| 3) Don't make applications you build dependent on Google
|
| Hint: If you can't migrate away from Google within a working day,
| you're doing it wrong.
| JasonFruit wrote:
| And 'Google' here is shorthand for any entity from which you
| have no reasonable expectation of customer support which is
| both human and humane -- so don't make your business dependent
| on Google, Facebook, PayPal, or any similar entity.
| sjbr wrote:
| the title has to be 'Google has ...'
| dewert wrote:
| Probably a British English speaker. Not 100% sure on the rules,
| but see, for example,
| https://english.stackexchange.com/questions/1338/are-collect...
| victornomad wrote:
| This is very upsetting. Hopefully they could fix it soon!
|
| I worked on a very similar Open Source tool for a really long time
| called PHONK https://phonk.app (priorly called Protocoder)
|
| It started around the same time as Droidscript but PHONK has been
| always a hobby project rather than a business.
|
| I can imagine how painful it might be for the Droidscript devs if
| that's a part of their monthly income...
|
| These types of actions by big actors should keep us awake to
| protect the web with tech, companies and user diversity.
| eplanit wrote:
| It's seriously time to re-embrace the idea of ownership and
| control of our devices, and reject Android and iOS altogether.
| Developing for those platforms has become worse and more
| restrictive over the years, and this kind of crap is now just
| everyday news.
|
| How good are Pinephones[1]? Are there better alternatives?
|
| [1] https://www.pine64.org/pinephone/
| takeda wrote:
| When Mozilla was trying to get their OS for mobile phones, I
| think they stepped in too early. Right now it's probably a
| better time for an alternative.
| ehsankia wrote:
| > re-embrace the idea of ownership and control of our devices
|
| Overall I would agree, but I don't see how this specific
| example has anything to do with that sentiment.
|
| You still have control of your device and can install
| DroidScript from APK or F-Droid, it was only removed from Play
| Store, Google's own store.
|
| Obviously this is awful for DroidScript themselves, but you as
| a user didn't really lose any ownership over your phone due to
| this specific issue.
| loa_in_ wrote:
| Remember that you can still use Android without Google apps
| entirely. Depending on how popular your device is, you can
| retain close to 100% of functionality. You can also use banking
| apps etc. but methods are in constant flux and it's an ongoing
| battle
| phh wrote:
| Maybe don't scratch Android too fast.
|
| Android is opensource, and is technically really great. There
| is a great opensource community of people that are very capable
| in this area, and supports already the vast majority of devices
| in the world.
|
| You only need to get rid of Google. Which many custom Android
| provide. Personally my smartphone is a Pixel 5 (IMO best
| smartphone currently available that fit in a hand), running
| Android, without any Google application. I'm very happy with
| it, and from what I discussed with Pinephone users, it's
| lightyears more usable than what exists for Pinephone.
| johnbrodie wrote:
| More and more functionality is being shoved into Google Play
| Services. I have a deGoogled phone running Lineage, but even
| with that, no Google Play Services, and some custom settings
| (like changing the captive portal URLs), there's still
| network traffic to Google. Add in relative unknowns like AGPS
| and the situation gets even worse. I also have no push
| notifications for most apps, have to keep a static
| notification so Android doesn't kill apps like my email
| client, AND still run micro-G for basic functionality to
| work. Oh, and thanks to SafetyNet there are still apps that
| refuse to run, even with systemless "undetectable" root.
|
| Android itself might be really good, but it's pretty obvious
| that deGoogled phones have a strong chance of being
| functionally useless in the future.
| phh wrote:
| The ratio of available apps of Android without gapps over
| pinephone is still more than 1000 fold, despite SafetyNet
| or other reliances on Google.
|
| For push notifications, microg does fill the gap, so I'm
| not sure what you're talking about. UnifiedPush is coming
| to fill this gap without violating Google's ToC, with self-
| hosting, and fully FLOSS. Is anything like that coming to
| PinePhone or Librem?
|
| The Google phone-home "features" can be removed, and this
| is exactly the point of this thread. Android is opensource,
| you can control this platform however you want, especially
| removing all connections to Google services.
|
| I'm guessing what you're saying is that you installed some
| custom Android ROM, and expected it to remove any Google
| tracker, but that's a wrong assumption, most Android ROMs
| don't target deGoogling.
|
| Even my AOSP GSI, with FLOSS variant doesn't target
| removing Google phone-home features. Why? I don't approve
| of any data collection on Google's DNS, AGPS, or generate
| 204, which means it is illegal for them to use it to track
| me without my consent, and I believe that they are not
| total outlaws. Running a DNS, AGPS, or even generate 204
| reliable infrastructure is hard.
| Spakman wrote:
| > I have a deGoogled phone running Lineage, but even with
| that, no Google Play Services, and some custom settings
| (like changing the captive portal URLs), there's still
| network traffic to Google.
|
| I'm running LineageOS without Play Services too and didn't
| know about this!
|
| Do you have any reference materials (I guess getting busy
| with Wireshark and the source is my next step)? I found
| this Reddit thread[1] talking about a connectivity check
| but am keen to start tracking down any others.
|
| https://www.reddit.com/r/LineageOS/comments/5qnfxf/why_linea...
| Aperocky wrote:
| Maybe it's just time to see phones as what they are - a phone.
|
| I don't really care what software is run in my truck, as long
| as it works (And that's why I'll not buy a Tesla). It's a
| phone, use it to call text and guide and browse some internet.
| That's it.
| dcow wrote:
| What's wrong with Tesla software?
| Aperocky wrote:
| The ratio of amount and significance of action it takes
| over my trust in it is too high.
| dcow wrote:
| You don't need to use any of the driver assistance
| features. It's not doing any of that if you don't
| explicitly engage it and sometimes even requires enabling
| settings toggles.
| harrierpigeon wrote:
| One thing that comes to mind is that the wiper
| functionality has to be accessed from the center console
| touchscreen, and generally when you need it on you need it
| right then.
| dcow wrote:
| Not on the Model 3,Y, it doesn't. You press the button on
| the left widget behind the steering wheel (the lever/knob
| you use for your turn signal).
| goda90 wrote:
| Phones are the only pocket computers that see quick advances
| in performance and battery use. For someone who wants a
| pocket sized computer, it's just most convenient to combine
| it with your phone.
| Aperocky wrote:
| But they are horrible as production machines, at least
| until when our brain is no longer using our body as
| interfaces.
|
| For pure pocket sized computing, why not use RPi? It's both
| much cheaper, more customizable, and it runs Linux. With
| enough tweaking you can make it run completely headless,
| plug-and-run mini computer that you can ssh over local
| network.
|
| I think the biggest problem with the combining idea is that
| computing in general is about productivity, and phone is
| about phone stuff.
| dividedbyzero wrote:
| Phones are kinda too small, but iPads (which are, in
| essence, oversized phones) are just fine for production
| machines if you don't equate productivity with
| programming.
|
| With a Pencil and Procreate, it's really hard to beat for
| drawing and illustrating. With an external keyboard and
| some kind of stand writing is a joy, I like it better
| than on a proper computer because of a ton of little
| things that help me keep focused and because the device
| is so portable and doesn't have the laptop form factor
| with a permanently attached keyboard, with bluetooth
| periphery it's more like a wireless battery-powered
| external screen.
|
| Light to medium spreadsheet work is also totally doable,
| and I've built dozens of slide decks in various apps,
| with hand-drawn illustrations.
|
| I use a Pi as a mini server, but doing creative work on
| one, I can't imagine that to be as nice and slick as on
| the iPad. Last time I tried the PiOS desktop, it
| definitely wasn't.
| Aperocky wrote:
| You're absolutely right about drawing and other 2D
| renders. I may have overlooked this because I have not a
| bone for arts in my body and prefer the terminal to UI.
| megous wrote:
| It's not much cheaper if you want battery, LCD with CTP,
| and perhaps a LTE modem for non-wifi mobile internet.
| Also it would have a horrible form factor.
|
| Pinephone is basically a smartphone shaped SBC, with much
| better software situation than rpi, and you can use it as
| such. I ssh into mine all the time. You can connect
| anything you like to it via USB hub, incl. the full
| keyboard and mouse. You can use bluetooth keyboard, and
| just do normal computing you'd do on your desktop, etc.
|
| Except for small display and lower performance there's no
| difference.
| marcus_holmes wrote:
| I uninstalled all social media from my phone. I feel so much
| better.
|
| I use it for chat apps, phone calls (usually via chat apps),
| and occasionally wandering around Imgur when it would be
| socially awkward to not be on my phone.
|
| The rest of the time I've come to appreciate being present in
| the moment.
|
| So yeah, I'm looking at the new generation of Linux phones
| with interest. If I can run the chat apps in a browser OK,
| then I think it might work for me.
| ficklepickle wrote:
| In what kind of situations is it socially awkward to not be
| on your phone? Genuine question, I'm not great with social
| stuff.
| ShroudedNight wrote:
| When loitering, I've found that phones are a strong
| signal that distinguishes those uninterested in engaging
| with the strangers around them, from those that are. When
| trying to convey one's innocuousness to the wardens of a
| domain, it can be helpful to use your phone.
|
| Related, if in a group, everybody else disengages to be
| engrossed in their phone, it can be helpful to do the
| same if one does not want to demonstrate a vulnerable
| dependency on the generosity of their attention.
|
| A lot of awkwardness comes down to self-perception of
| vulnerability.
| marcus_holmes wrote:
| this, mainly.
|
| Though if everyone else is on their phone, and the crowd
| is large enough, I find it fascinating to people-watch.
| Vrondi wrote:
| A paperback book or something can give the same social
| signal. :)
| marcus_holmes wrote:
| I'm a middle-aged white guy. In situations where everyone
| else is 20 years younger and dressed in half the clothing
| I am, I come across as a total perv if I look at anything
| except my phone. Or at least that's how it plays out in
| my head.
|
| I do find it useful to sometimes be absorbed in my phone
| and not aware of what's going on around me. Or at least
| to have that impression.
| kaibee wrote:
| > I don't really care what software is run in my truck, as
| long as it works
|
| I mean, exactly what recourse do you think you'll have once
| it stops working..?
|
| You'll sell your not working truck (to who?) and buy a new
| one (that is also soft-locked because it was the only way to
| stay competitive?)?
|
| Right to Repair: https://www.youtube.com/watch?v=nvVafMi0l68
| Aperocky wrote:
| That's a different topic though.
|
| Also, the software vended by traditional car companies is
| usually bound with hardware and readily replaceable if a
| reboot can't solve the problem.
| RHSeeger wrote:
| But for many people, maybe even most people, they're not just
| "a phone". They're a multi-purpose tool that comes in the
| form factor of a mobile phone. Camera, chat, web browser,
| games, social media, music player, access to nearly the sum
| total of human knowledge... Treating such a tool as merely
| "a phone" doesn't make any sense.
| SV_BubbleTime wrote:
| It's still a phone actually and colloquially even if I use
| the Phone App infrequently.
|
| The point isn't what you call it. OP's point was and I
| agree that you don't need to have full control over every
| device that can possibly run code. Just let it be a device
| that does its thing.
|
| It's the difference in people that want calm technology vs
| "power users". I want the device to exist waiting on my
| input and even though I have deep knowledge of its internal
| systems and processes, I don't care, I just want it to
| work, solve a problem for me, and I'll put it away.
|
| Go ahead and root your phone to do whatever actively
| complex thing you need... it's a tool for me and I
| personally want the walled garden to prevent it from
| possibly not working when I need it.
| RHSeeger wrote:
| > The point isn't what you call it. OP's point was and I
| agree that you don't need to have full control over every
| device that can possibly run code. Just let it be a
| device that does its thing.
|
| That's not how I read the op, who said "It's a phone, use
| it to call text and guide and browse some internet.
| That's it". The tone in that reads not like "you don't
| need to..." it reads like "you should not...", which I
| disagree with. I rarely use my phone to make calls. I use
| it as a multi-function tool of tremendous capability. If
| I wanted a simple flip phone, I would have bought one of
| those, instead.
| Aperocky wrote:
| I can't phrase myself better than you do!
| 3np wrote:
| > you don't need to have full control over every device
| that can possibly run code
|
| I argue that if the device sends data to third parties
| over radio/internet and/or the manufacturer can remotely
| push updates that change the device's behavior then users
| must have full control.
|
| Something like that should become law.
|
| Then manufacturers can keep devices locked down as long
| as they stay out of the surveillance game.
| fmajid wrote:
| > Maybe it's just time to see phones as what they are - a
| phone.
|
| Maybe it's time to call phones what they really are: pocket
| computers with a legacy voice call functionality that is
| increasingly irrelevant to anyone who isn't a Boomer.
|
| Now, regarding the lockdown of both iOS and Android
| ecosystems, I can see both points of view. The majority of
| ordinary users need to be protected from increasingly
| sophisticated malware stealing their online banking
| credentials or other mischief, but power users also need to
| do whatever they want to do once they've signed a disclaimer
| badsectoracula wrote:
| > with a legacy voice call functionality that is
| increasingly irrelevant to anyone who isn't a Boomer.
|
| Sadly this requires mobile Internet prices to _at least_
| match voice call prices, which is not the case in many
| (developed or not) parts of the world.
| Aperocky wrote:
| > pocket computers with a legacy voice call functionality
|
| I don't necessarily agree with this, because this is the
| direction that everything is moving towards.
|
| It is so much cheaper to embed an SOC into everything that
| needs some form of automated/assisted control. Not
| necessarily a good thing, but that's what is going to
| happen regardless.
|
| Your fridge can become a pocket computer with refrigerating
| capability - but you'll still see it as a fridge. It's
| really about how you see and utilize these items.
| danans wrote:
| > Your fridge can become a pocket computer with
| refrigerating capability -
|
| Only if you have huge pockets ;)
| necovek wrote:
| Or a tiny fridge! :)
| danans wrote:
| Indeed! Half seriously, we just need thermoelectric
| generators to get efficient enough, and then our phones
| can be powered directly from our body heat, and also
| refrigerate us on a hot day!
|
| https://en.wikipedia.org/wiki/Thermoelectric_generator
| 2OEH8eoCRo0 wrote:
| I envy your chill. We all do need to take a deep breath at
| times and realize it's truly a first world problem.
|
| With that said your truck analogy isn't perfect. Your truck
| will last as long as you keep it going. That can be 20 years
| or more. It would be more like having a truck that the doors
| do not lock anymore after 2 years and you cannot fix that you
| must buy a new truck if you don't want thieves.
| karlicoss wrote:
| Also I think the analogy doesn't quite work because a truck
| is a truck. You can do some customization, you might (or
| might not) be able to change some parts, or being a mechanical
| engineer you might even be able to repair it or enhance.
| But it will always fundamentally be a truck.
|
| The difference from phones is that a phone is a computer,
| and as such it has computer's endless potential. For some
| it can be just a phone, sure. But many people want to use
| it as an extension of their mind, as knowledge management
| tool, as a creative tool, etc. The frustrating bit is that
| in many aspects phones are much nicer and better suited for
| such tasks than regular desktop computers (think
| portability, having cameras & sensors etc), yet because of
| these walled gardens it's much harder for a knowledgeable
| person to leverage this potential.
| Vrondi wrote:
| You are displaying your ignorance of trucks. For decades
| now, all automobiles and trucks have included proprietary
| computer systems. Some are easy to hack and alter. Some
| are more expensive/challenging, but people do it. An EV
| is missing _most_ of the mechanical parts that defined a
| "truck" for a century, and is basically only four tiny
| motors, brakes, a computer system, and a battery with
| wheels. The sole characteristics of "truck" that still
| remain which Henry Ford would recognize are "has wheels"
| and "can carry cargo".
| Dylan16807 wrote:
| They _have_ computers but you can't use them to compute
| in any effective way. You can tune it, great, just like
| if it didn't have a computer.
| 2OEH8eoCRo0 wrote:
| Exactly. You have almost complete control over it which
| is exactly why trucks can last so long IRL. If your radio
| stops working you don't need to buy a new truck.
| blimeymate wrote:
| I don't have or need software in a truck, statist apologist.
| detaro wrote:
| But that's not what vendors are selling, and what most people
| are buying.
| goda90 wrote:
| I haven't tried any Linux phone, but a couple of other
| alternatives include F(x)tec [0] and Librem 5 [1]
|
| [0] https://www.fxtec.com/
| [1] https://puri.sm/products/librem-5/
| d--b wrote:
| I bought one last week
| twobitshifter wrote:
| I'd be hesitant to jump on another platform unless it has a way
| of locking down app permissions similar to iOS. I think it's
| been shown that the app review process is a farce, but the
| permissions system like the new app tracking feature is great
| for privacy and security.
|
| If this droid script equivalent were going to start reading my
| emails watching me through the camera, reading my clipboard, or
| tracking my real world location, I'd definitely want something
| that alerted me to that before it happened.
| swiley wrote:
| There is a way to do that: don't run untrusted code outside
| the browser.
| joshuaissac wrote:
| > If this droid script equivalent were going to start reading
| my emails watching me through the camera, reading my
| clipboard, or tracking my real world location, I'd definitely
| want something that alerted me to that before it happened.
|
| Android has supported permissions since at least Froyo
| (2010), and these permission requests were made on-
| demand/runtime rather than pre-install with Marshmallow
| (2015). So Droidscript would be unable to do any of those
| things (except reading the clipboard) until you explicitly
| granted those permissions to the app.
| okaram wrote:
| It doesn't much matter how good they are, since you can't buy
| them (their products are usually out of stock for months at a
| time; right now, they are in pre-sales etc).
|
| I like what they are doing, but it is definitely not mainstream
| products.
| x86ARMsRace wrote:
| > Small numbers (1-3) of stuck or dead pixels are a
| characteristic of LCD screens. These are normal and should not
| be considered a defect.
|
| Their product line does not really inspire much faith. I can't
| say I've bought a device in the past 10 years which has dead
| pixels on the display. To me, this _is_ a defect, given that I
| can pick up a device, overwrite Windows with Linux, and have a
| device without dead pixels.
| [deleted]
| Jiejeing wrote:
| This warning is present, albeit in much smaller print, on all
| devices with a screen that you buy. The unofficial apple
| policy appears to be "repair starting from 1 dead pixel on
| iphone, 3 on ipad". Samsung has a policy which depends on the
| screen type: 1 for normal LCD, 3 for Super AMOLED, 4 for
| WVGA-resolution LCD. Every single manufacturer has this kind
| of clause, you cannot fault pine64 for this.
|
| Though of course as it is a much smaller venture, you can't
| hound a sales rep until they accept to repair it nonetheless.
| dmm wrote:
| They're selling at near-cost for developers. The pinephone is
| not ready for end users.
| goda90 wrote:
| Check out their philosophy[0]. They aren't exactly a company
| targeting end user consumers. They want to put affordable
| hardware in the hands of a community of tinkerers.
|
| [0] https://www.pine64.org/philosophy/
| x86ARMsRace wrote:
| Well, as both an end-user _and_ tinkerer, I'd rather not
| have to own two devices when I can go out and get one that
| will cover all my bases.
| 3np wrote:
| Sounds like Purism Librem5 is more for you then?
| x86ARMsRace wrote:
| Possibly. Their laptop devices look excellent. On the
| list when my current device gives up the ghost.
| hutzlibu wrote:
| Good luck with that. See how long that lasts, if the
| current trend continues. Soon you might have to acquire a
| certified developer version to unlock your device to
| tinker with it.
| x86ARMsRace wrote:
| Regardless, Pine does not look like a product I'd put my
| faith in. Perhaps someone else, sure, but Pine inspires
| no trust from me.
| blihp wrote:
| That warning is designed to scare away 'regular' consumers,
| so it's doing its job. If the prospect of a couple dead
| pixels scares someone, they are not the target customer for a
| PinePhone. It is _absolutely not_ a device for the average
| consumer.
|
| How do you know if you're the target customer for a
| PinePhone? You read the 'dead pixels' warning and think 'I
| don't care... I want a Linux phone'. People who would find a
| couple dead pixels unacceptable would also likely find the
| features and functionality of it unacceptable as well. For
| months it couldn't take pictures or (reliably) make phone
| calls/text.[1] Now we can take poor quality pictures and have
| marginal phone functionality and think life is good! It's not
| that we're nuts (ok, maybe a little ;-) but rather that we
| accept this as a long-term process/effort and not something that
| will be even remotely perfect anytime soon.
|
| [1] Hell, mine will never be able to reliably work with most
| USB-C chargers due to a hardware bug in the first iteration.
| Didn't care... I want a Linux phone! (and I'm too cheap to
| replace the board, I'll wait for a v2 to fix that and other
| issues)
| kllrnohj wrote:
| The platform doesn't give a flying fuck about Droidscript. It's
| play store that does.
|
| So just get serious about using alternate stores, which the
| platform fully lets you do (f-droid, amazon app store,
| whatever).
| shadowgovt wrote:
| Most users would prefer a mostly safe experience and gladly
| give up the option to run arbitrary code on their device for
| that experience (including arbitrary code they've written). In
| an all-out "this or that" between allowing IDEs on the Play
| Store in general and giving the average Play Store user what
| they want, the IDEs would lose.
|
| But it does suck if there is no legitimate way to release an
| IDE targeted to run on a mobile device via the Google Play
| Store.
| pydry wrote:
| Most users don't really understand what they're giving up
| when they give up the option to run arbitrary code
|
| As with privacy (Facebook privacy settings, cookie boxes),
| it's easy to bamboozle the general public with complexity and
| then interpret their confusion and (violated) trust as
| consent.
| shadowgovt wrote:
| I will burn karma forever on continuing to assert, on
| behalf of the average user, that even if they don't
| understand the details they do know what they want.
|
| It's not like people didn't have the experience of using
| Internet-enabled devices without an app store equivalent in
| the nascent days of the Internet, where many options were
| good, a few would inject malware onto your system, but
| (most importantly) all of the options were _equivalent_ and
| there wasn't a "correct" one to choose.
|
| Don't make the mistake of assuming that people spend so
| much on Apple products for no reason. A major portion of
| the marketplace _likes_ the lack of choice paralysis. The
| ability to run arbitrary code is one giant choice-paralysis
| engine. Google has found a good middle ground in selling a
| device that is basically configured as "safe by default,
| but here's the break-glass button if you want to run
| arbitrary code and maybe be more vulnerable to someone
| tricking you into root-kitting your own device," but their
| average customer would still rather never worry about the
| risk of rootkits and they have the data to know that.
|
| If we are to be in the business of protecting the right to
| free(-as-in-speech) machines in the mobile ecosystem, we
| need to understand the average consumer that is paying the
| bill for that industry to exist, and asserting they just
| don't get it isn't how you start that process.
| wyattpeak wrote:
| This is one case though where that lack of understanding
| leads to the right conclusion. The average user is giving
| up nothing by losing the right to run arbitrary code,
| because they never were running arbitrary code.
| salawat wrote:
| Which is why it's all the more important to fight against
| it.
|
| Change your point a bit.
|
| People are fine with giving up Freedom because they were
| never really Free in the first place.
|
| Circular reasoning is such a seductive fallacy because
| it'll fit any use case like a glove.
| shadowgovt wrote:
| Tweaking your wording slightly, it's basically the
| fundamentals of social contract theory.
|
| I may have the freedom to bash my neighbor's head with a
| rock, but they have the same freedom to do the same to
| me. This isn't as useful as the freedom to sleep at
| night, so we voluntarily give up this freedom.
|
| Reframing to the topic at hand: if the freedom to mutate
| the code on my mobile device makes it more likely that
| I'll get pwned by some clever social-engineering than the
| odds I'll improve my quality of life by tweaking some
| behaviors on the phone, then it's entirely rational for
| me to give up that freedom. And, indeed, millions of
| phone purchasers annually make that decision.
| simion314 wrote:
| >they never were running arbitrary code
|
| JavaScript is allowed on iOS and Android already. So if
| Google or Apple do not allow you to run some scripting
| language you want then the reason is not security (the
| sandbox and permissions should be enough and if it is not
| enough then it means the sandboxing is a lie).
| fsflover wrote:
| > The average user is giving up nothing by losing the
| right to run arbitrary code, because they never were
| running arbitrary code.
|
| "The average person is giving up nothing by losing the
| free speech, because they never were saying anything."
| pydry wrote:
| Plenty of users run F-Droid.
| shadowgovt wrote:
| Hard to say how many though.
|
| ... which is, unfortunately, a weakness of F-Droid's own
| making (for the right reasons!). Because they don't do
| stat-tracking on users, they don't have numbers. So Play
| Store is able to claim "1 billion active monthly users"
| (as of 2015) with some certainty, F-Droid can give an
| approximation and a shrug.
| edgyquant wrote:
| This is because most users aren't giving up anything, on
| the contrary, they're gaining a more secure phone.
| swebs wrote:
| >How good are Pinephones[1]? Are there better alternatives?
|
| I like mine, but the ancient CPU needs a serious upgrade.
| There's also the Librem 5, but it looks like they're heavily
| back ordered.
| johnbrodie wrote:
| I got my Pinephone last week, and have been fairly surprised
| that it's reasonably usable. I viewed the purchase more as a
| donation and a signal that there is a market, but I've been
| using it more and my Android phone less as the days go by.
|
| I'd encourage more people here to purchase one, even if just to
| tinker with. There's so many "I'll buy one when it's ready"
| replies, but that may never happen if there's no money to fund
| the companies trying to make an alternative to Android/iOS.
| arp242 wrote:
| The biggest problem with "alternative" platforms is just the
| lack of app support.
|
| I used to have a Nokia N9; great phone. But it didn't support
| WhatsApp and I was out of the loop on the WhatsApp chat all my
| other coworkers were in.
|
| Then there's things like banking apps, flight check-in apps,
| food ordering apps, dating apps, etc. etc. _Can_ you do without
| those? Sure, of course. But if I want to order food where I
| live then the only option is to use an app.
|
| No platform will have any chance of any sort of adoption unless
| it supports some way of running those apps. There are options
| here, for example Jolla/Sailfish OS can run Android apps (no
| idea how well that works in practice; the latest update says it
| supports "Android 9, and the support for Android 10 is already
| nicely on the way").
|
| It's a "vendor lock-in" ecosystem that's worse than the Windows
| lock-in of yesteryear IMO.
|
| Since I don't really use my phone all that much I decided to
| "just use an iPhone" (because it's the only phone that's not
| huge), even I think they're really horrible.
| summm wrote:
| No, it's the bad hardware. With high-end hardware, it would
| be no problem to just run something like anbox and
| immediately have most of the important apps running. Except
| asshole apps that require DRM/safetynet of course, but I
| don't use them on my current android phone anyway.
| [deleted]
| Calamity wrote:
| Unless PWAs really took off, in which case, you wouldn't need
| to develop for the custom linux phone - you would just need a
| supported browser.
| ficklepickle wrote:
| PWAs will continue to be neglected. They don't allow
| invasive tracking like native apps, and they don't get a
| 30% cut.
|
| The web is dead. Kids today grow up using the "google app".
| They did what AOL couldn't.
|
| I'd love to be wrong.
| swiley wrote:
| I keep hearing this and it's totally wrong. Desktop Linux has
| a huge app ecosystem and arguably has more high quality
| software than Android does. All of this works on the
| pinephone and other similar devices.
| arp242 wrote:
| Okay, so how can I chat to my friends or companies with
| WhatsApp on Linux? How can I order food similar to Grab or
| Gojek on Linux? How can I get a date on Linux like Tinder?
|
| You can't. Sure, there are technological solutions to all
| of those, but in the real world that alone is pretty much
| useless.
| Vrondi wrote:
| You can use Whatsapp multiple ways on Linux, including
| the web browser version
| [https://itsfoss.com/whatsapp-linux-desktop/].
|
| Although, if you're using Whatsapp at all you're either
| massively ignorant or stupid. I mean, giving Facebook
| your phone number is just not wise.
| ribosometronome wrote:
| I think many would argue that thinking Facebook doesn't
| have your phone number is either massively ignorant or
| stupid. After all, it only takes one person you know
| signing up and allowing access to contacts.
|
| That said, I am considerably less concerned about
| Facebook having my phone number versus Facebook being
| able to mine all my conversations to create a pretty
| complete profile of who I am and what I do.
| vineyardmike wrote:
| > if you're using Whatsapp at all you're either massively
| ignorant or stupid.
|
| Let's not name call here. Many people have different
| motivations and concerns different than you. Most people
| likely already gave facebook their number, or someone
| else did for them through contact book sharing.
| arp242 wrote:
| And you still need the phone app for that Linux client;
| everything is routed through that.
|
| Good grief, I keep bloody repeating this. Do you people
| actually read anything?
|
| > Although, if you're using Whatsapp at all you're either
| massively ignorant or stupid. I mean, giving Facebook
| your phone number is just not wise.
|
| I'm a normal human being who values social contact and
| doesn't want to pester all my friends in using some other
| app, and a lot of businesses use WhatsApp here too.
|
| I am neither "ignorant" nor "stupid". This is literally
| the worst of HN right here. Do you even listen to what
| people have to say and consider perspectives outside of
| your own?
| ogurechny wrote:
| I can't help but notice that it's not a "Linux"'s job to
| do something about WhatsApp demanding this and that from
| you. It's a problem (let's not belittle it), and it's
| yours (well, you share it with others).
|
| Also, people who can't get in touch with you because you
| don't use some fad-of-the-year app are not your real
| friends. Tell them that you still use MySpace (wearing a
| Myspace T-shirt), or prefer WeChat (a billion of users
| can't be wrong), and see how it goes.
| fsflover wrote:
| You can use Anbox if you _really_ need some Android app.
| ta9999 wrote:
| Tinder does have a web interface, so does doordash (I've
| never heard of Gojek but I'd imagine it does too.)
|
| I thought WhatsApp also had a web interface but I
| wouldn't use it anyway and there are similar chat apps
| that do so why would you?
| arp242 wrote:
| > I've never heard of Gojek but I'd imagine it does too.
|
| You imagine wrong.
|
| > I thought WhatsApp also had a web interface but I
| wouldn't use it anyway and there are similar chat apps
| that do so why would you?
|
| The web interface is just a proxy to the phone app. The
| other "similar apps" don't have all my contacts on it.
| skykooler wrote:
| I use Sailfish OS and the android compatibility layer is
| decent, but not perfect. Some apps have issues understanding
| the network connectivity state, and photos taken with the
| Sailfish camera app sometimes don't show up in the Android
| file selector until the compatibility layer is restarted.
| Other than that, most apps work fine. (I mainly use it for
| spotify, slack and maps.)
| megous wrote:
| > It's a "vendor lock-in" ecosystem that's worse than the
| Windows lock-in of yesteryear IMO.
|
| For regular companies, if they want to shoot themselves in
| the foot by not being on the web, they're welcome. It's not
| such a huge issue as it would be with government for example.
|
| Also "any chance of any form of adoption" is a bit
| overstatement. I still use a dumbphone, and if I migrated to
| pinephone, lack of the kind of apps you mention would
| certainly not concern me. Even then, many apps have web
| alternatives here, or alternative GPLed clients for Linux
| (that includes whatsapp, apparently), that can be made native
| on pinephone.
| arp242 wrote:
| "Not being on the web" doesn't seem like a huge footgun.
| There are probably more people with a mobile phone and no
| traditional computer than the other way around, especially
| if you go outside of the US and Europe.
|
| Revolut, Grab, Gojek, Tinder, WhatsApp, and many more are
| all successful that offer a mobile-first solution, with
| either no web/desktop client or just as an additional
| client (usually with fewer features, and/or still requiring
| access to a smartphone).
|
| > Also "any chance of any form of adoption" is a bit
| overstatement. I still use a dumbphone
|
| Of course it's possible; but depending on what your
| interests in life are you will pay a price, and in practice
| for the vast majority of people the price is too large to
| use a non-Android/iOS compatible device.
|
| > many apps have web alternatives here, or alternative
| GPLed clients for Linux (that includes whatsapp,
| apparently), that can be made native on pinephone.
|
| Unless they somehow hacked the encryption, you're still
| going to need a connection to the phone's WhatsApp client.
| necovek wrote:
| > Unless they somehow hacked the encryption, you're still
| going to need a connection to the phone's WhatsApp
| client.
|
| Apologies if I sound a bit naive, but what would be there
| to "hack"?
|
| WhatsApp clients are available for many platforms,
| whatever encryption they might be using can easily be
| figured out by decompiling the code, and if they are
| using a key on the client side to do any encryption, that
| key is available for extraction from the distributed
| client too.
|
| Basically, my question is what can a closed source
| downloadable client do to protect the encryption it uses
| to connect to a public network?
| arp242 wrote:
| Yes, technically I'm sure there are ways around it if you
| try hard enough. No one does that though AFAIK.
| Vrondi wrote:
| If you're using Whatsapp, you've got zero interest in
| privacy anyhow, and so you're never going to consider
| these issues in the first place.
| mdoms wrote:
| Well first of all that's just total BS, but secondly this
| thread isn't even about privacy. None of this is. In fact
| your comment is the very first mention of that word in
| this thread.
| Vrondi wrote:
| You can do the banking (from most banks) and food ordering
| from a web browser on your smartphone. No apps required.
| Grubhub, Uber Eats, Doordash, all those sorts of things. Most
| of them have a web version, and you can use that instead of
| an app most of the time. Just shake loose the Apple-induced
| app mentality that keeps you locked in.
| arp242 wrote:
| Aside from that most of those specific services aren't
| available in my location, you really can't. Do you think
| I'm stupid and haven't tried?
| sneak wrote:
| A lot of hardware devices require use of an app these days.
| Any with wifi will also require use of location on ios and
| are thus unusable if you have location services disabled
| systemwide.
|
| I just returned some IP cameras recently because of this.
| meltedcapacitor wrote:
| I dream of a dual phone (conceptually 2 phones glued back to
| back) where you do web and open stuff on one side, and the
| inevitable proprietary apps on googled-android on the other
| side, with a quick button to freeze the prop side (for power
| saving and mitigating spying).
|
| (Or same where the 2 phones are somewhat multiplexed on a
| single screen, preferably in hardware.)
| fsflover wrote:
| You can do it on Pinephone with two different independent
| operating systems, one on the eMMC storage and the other on
| the microSD card. When you put in the microSD card, the
| device boots from it. Otherwise it boots from the internal
| storage.
| pmlnr wrote:
| > The biggest problem with "alternative" platforms is just
| the lack of app support.
|
| Websites.
| franga2000 wrote:
| Ditching Android is not a good solution - see the application
| support problem on Linux for why. What we need is a serious and
| well-funded Android "distro" that lifts Google's dumb
| restrictions and reimplements Google's proprietary APIs for
| compatibility. MicroG is doing very well on that second part,
| but due to lack of funding still has far too many holes.
| meltedcapacitor wrote:
| No amount of funding can fix this, at least for all use cases
| where apps communicate via google services between phone and
| app HQ. The average bank is not going to send data between
| bank and user via microg-operated pipes instead of google-
| operated pipes because 0.1% of their users don't like google.
| nromiun wrote:
| > We don't allow apps with any code that could put a user, a
| user's data, or a device at risk.
|
| If Google thinks the ability to execute arbitrary code puts
| users' data at risk why don't they go the full iOS route and ban
| everything, from scripting apps to other JS engines beside
| Chromium?
|
| I am so sick of their behaviour, the only reason I am still on
| Android because things like F-Droid still exists and iOS is even
| more closely guarded.
| cookiengineer wrote:
| Technically, f-droid is a walled garden of sorts, too.
|
| The difference is that fdroid is actually helping users through
| being transparent about it. The other stores and their policies
| usually are not transparent, and therefore nobody knows whether
| there were financial motivations involved in the decisions.
|
| What I don't like is google claiming droidscript harms Android
| through a malicious AdMob ID. Even if that were the case, what
| happens to the 100.000+ installs that are rolled out already?
| And the Apps built with DroidScript?
|
| If there's no support you can contact (at Google) and no
| changelog on what happened, the policies get intransparent and
| look more like a financial motivation rather than a decision
| that seemed to be beneficial for the end-users.
| CivBase wrote:
| I can add third-party repositories to F-Droid. The default
| F-Droid repository may be a walled garden but as far as I can
| tell the app and protocol are definitely not.
| cookiengineer wrote:
| A walled garden doesn't necessarily exist solely of
| proprietary protocols and code. In the case of fdroid, apps
| that violate open source licenses are not allowed.
|
| So, technically, from the perspective of a company like
| Facebook, fdroid is a walled garden they cannot enter
| without open sourcing their code.
|
| (I'm not saying fdroid's policies are bad. I'm just trying
| to make an argument for the counterside and am playing the
| devil's advocate here.)
|
| PS: I know about third-party repositories. That's not the
| point, it's differences in policies and their effects on
| the ecosystem I want to discuss because I think they're
| more important.
|
| Google advocates always make the argument that endusers
| "can just root their phones and install the APKs anyways"
| which is similar to f-droid with an external repository.
| Most non-technical endusers simply won't do that.
| _ZeD_ wrote:
| no, literally: you can add any repository you want, even
| with proprietary code.
| CivBase wrote:
| "In the case of fdroid, apps that violate open source
| licenses are not allowed" ...on the main repository.
| AFAIK, there's nothing stopping Google or anyone else
| from setting up their own F-Droid repository to
| distribute apps with proprietary code. The normal F-Droid
| app should be able to use a repository like that just
| fine.
|
| EDIT: Addressing the "PS" that was added...
|
| > Google advocates always make the argument that endusers
| "can just root their phones and install the APKs anyways"
| which is similar to f-droid with an external repository.
| Most non-technical endusers simply won't do that.
|
| Android skirts around the criticisms fielded towards iOS
| by technically allowing users to install and distribute
| third-party apps. The real problem with Android is that
| the default distribution platform (Google Play Store) is
| a walled-garden, proprietary app with such a massively
| disproportionate market share that most users don't even
| realize there are alternatives. And Google ensures their
| store will always be the default because they hold their
| proprietary Google Play Services for ransom. And Google
| Play Services is so valuable because it provides many
| convenient features and functions, including some which
| used to be part of the operating system itself.
| cookiengineer wrote:
| I totally agree with your points there.
|
| But I think that the main issues of Android (or AOSP) are
| even a level deeper than just the Play Services.
|
| There are lots of initiatives that try to create a free
| ecosystem for themselves (Lineage, /e/, Carbon, et al),
| with their own stores and sources for Apps. Most of them
| have varying degrees of success, due to gapps
| counterparts like microG [1] not being able to keep up
| with what Google's Play Services provide API-wise.
|
| It's an absurd amount of features, and a lot of API
| workflows to consider. Bugs and crashes everywhere down
| the user experience...but hopefully they're getting
| slowly to a stable state.
|
| Coming back to the real problem: I think it's actually
| the Vendor deals that Google did. Most of the
| manufactured devices are almost impossible to flash
| without reverse engineering skills, and this is
| intentional. Having to wait more than 3 months to unlock
| a smartphone's bootloader because the manufacturer
| doesn't give a damn about you is just one of many
| examples; setting aside that most of the unlock
| procedures are meant to be understandable by developers-
| only.
|
| I think that in order to "really free Android" the
| creation, flashing, updating of ROMs has to be
| standardized in a more homogenic way (partition fatigue,
| anyone?), because it would allow a graphical and easy-to-
| use software to be built. That would allow to flash a ROM
| without e.g. losing all /data and more importantly - be
| usable by end-users without technical knowledge.
|
| In my social circles I'm the guy that flashes LineageOS
| to their devices, because most of the terminology is so
| far away from the reality of most users that they have no
| single clue where to start. The amount of knowledge that
| is required to flash your device (and be Google-free,
| even in Apps with e.g. with Appwarden [2]) is absurd and
| as long as this is the case it will be a niche that's
| being ignored by politics (and potential regulation laws
| that would force Google's policies to change).
|
| [1] https://lineage.microg.org/
|
| [2] https://gitlab.com/AuroraOSS/AppWarden
| CivBase wrote:
| I kind of agree, although I'm not sure it's fair to say
| that the problem with Android is that you can't easily
| replace it with another OS. That's not really an
| _Android_ problem.
|
| It's incredible what a smartphone can do given its form
| factor and a lot of that is thanks to their use of SOCs.
| I have no experience with OS development for SOCs, but I
| hear it is much more involved because a new version of
| the OS must be created for each SOC - specialized to work
| with the device tree supported by that chip. As I
| understand, Google doesn't do that work. Manufacturers
| have to fork Android and implement support for their SOCs
| on their own, then they have to maintain that fork as new
| Android releases keep coming. It's no surprise then that
| manufacturers don't want to invest additional support into
| other operating systems like LineageOS.
|
| There's probably a better way to do things. I'm sure
| manufacturers could make information more available to
| OSS communities which would allow them to do the work
| themselves more quickly and effectively. Like you
| mentioned, standardization would also go a long way
| towards making our current smartphone ecosystem more
| friendly to third-party OSes. But ultimately, none of
| that is really _Android's_ fault.
|
| Even without Google's vendor deals, I doubt the likes of
| Samsung, Motorola, or any other major smartphone
| manufacturer would start supporting LineageOS. It's hard
| enough to even get Linux support from desktop/laptop
| manufacturers. LineageOS is a really amazing project, but
| I don't think it's the one paving the way for open source
| operating systems on smartphones. I think most of that
| work has to come from the hardware side with projects
| like the PinePhone.
| donio wrote:
| Would you call a Debian system a walled garden too then?
| Phylter wrote:
| You may not realize this but Apple allows scripting apps on
| their platform now. There are two notable Python language
| interpreters Pyto and Pythonista. There are some shell
| environments too that include Unix style command shells and
| different interpreters.
| pdkl95 wrote:
| >> "Can't you just make us a general-purpose computer that runs
| all the programs, except the ones that scare and anger us?
| Can't you just make us an Internet that transmits any message
| over any protocol between any two points, unless it upsets
| us?"[1]
|
| The War On General Purpose Computing continues. Far too many
| business models depend on selling general purpose computers as
| "appliances". They presume it is possible to sell a computer
| that isn't Turing complete.
|
| [1] https://boingboing.net/2012/01/10/lockdown.html
| therealjumbo wrote:
| I think the more interesting cases are 3D printing of
| weapons, and in the future programmable biological material.
| One of his statements is that he himself, may not like the
| applications enabled by general purpose computing, but that
| even if he personally doesn't like them they shouldn't be
| outlawed or banned.
|
| Google messing around with their app store is peanuts
| compared to the government banning or restricting 3D printers
| because they could be used to evade gun control for example.
| FredFS456 wrote:
| There's nothing wrong with the appliance business model -
| embedded devices that use microcontrollers are Turing
| complete and yet no one complains about those. It's only when
| devices are marketed as general-purpose (i.e. smartphones,
| PCs) but are locked down to prevent running arbitrary user-
| loaded code that it becomes a problem.
| glsdfgkjsklfj wrote:
| > no one complains about those
|
| _YOU_ do not complain about those.
|
| I complain about my TV showing me ads. I complain about my
| car not resetting one annoying light when i change the oil.
| I complain about the proprietary connectors on my generic
| batteries that restrict me to one brand of power tools
| (that gets discontinued for new proprietary connectors
| every 2 years).
|
| It's fine if you love exploitation capitalism. But don't go
| assuming crap about others.
| CivBase wrote:
| As far as I'm concerned, as soon as you've publicly
| released an SDK and invited third parties to form
| businesses off of developing software for your device, you
| have no right to represent the device as an appliance. At
| that point it is obviously a general purpose computer.
| criddell wrote:
| Would you call things like the Amazon Echo and Sony
| Playstation general purpose computers?
| CivBase wrote:
| Yes.
| horsawlarway wrote:
| I disagree.
|
| I also mind when things like my tractor or my car are
| locked down to prevent my ability to use a 3rd party repair
| shop, repair it myself, or make changes so the item better
| suits me: The person who fucking owns that computer.
|
| I think there's a very real risk that the concept of
| "ownership" is going to die if we continue in this fashion.
|
| Do you own a thing if you're prohibited, intentionally - by
| the manufacturer - from making any changes? I'd say no.
|
| Do you own a thing if it has to check in to an online
| service controlled by someone else before it works? I'd say
| no.
|
| Instead you're just renting, and these companies are
| intentionally rent-seeking (in the worst possible way).
| Grimm1 wrote:
| Add that on to the fact that almost everything is rent to
| buy with "incentives" shoved in your face for never
| actually finishing out the contract to own something,
| like your phone. I think ownership for everyone outside
| of some select few is in very real danger and I've
| thought so for some time.
| adreamingsoul wrote:
| I agree.
| kube-system wrote:
| I still like my car to have an immobilizer, and locks on
| the ignition and doors. There is certainly some level of
| access controls that most people definitely want.
| dTal wrote:
| And who owns the keys to those things? You, or the
| manufacturer?
| kube-system wrote:
| Many vehicles have the keys stored in their
| ECU/Immobilizer signed/encrypted with the manufacturers'
| key.
|
| There are some (mostly older) where you can directly
| reprogram the eeprom but those cars are easier to steal,
| because anyone can also do this.
| salawat wrote:
| Those are still "yours" in a sense, so don't fall into
| the feature set the poster you are replying to is talking
| about. Though the immobilizer somewhat skirts the line.
| (Or at least from my personal view).
|
| Think John Deere implementing software lockouts in the
| tractor ECU. That is nothing more than forcing their
| business model onto the end user through digital logic.
| stjohnswarts wrote:
| Those are the sorts of things that need to be legislated.
| You should not be able to lockout people from ECU for
| example, but the person would have to be willing that a
| compromised ECU can blow up/damage their engine and they
| will have to accept that the warranty is invalid the
| second they mess with the ECU programming.
| Jiro wrote:
| That's no good because the car can malfunction for
| reasons other than damage caused by the ECU, and the
| warranty covers those reasons too. You shouldn't have to
| lose your warranty on part A because you modified
| unrelated part B.
| [deleted]
| kube-system wrote:
| They're just as much "mine" as an iPhone is. It is
| extremely common for digital authentication of physical
| keys to be protected by encryption or signing by the
| manufacturer.
| horsawlarway wrote:
| Sure, but to be as blunt as possible - You don't own your
| iPhone. Full stop.
|
| You are renting it from Apple. They control what you run,
| when you run it, what you can install, what you can
| remove.
|
| By default, they're shipping you a device where you're
| literally not the root user. I can't possibly think of a
| clearer argument that you're renting, and entirely at the
| whim of Apple (which does have root access, and actually
| owns the device you happen to be using).
|
| The issue to me is that ownership implies the right to
| modify and change a thing, especially in ways that the
| original manufacturer doesn't support or agree with.
|
| If the manufacturer is still calling all the shots on
| your device, you don't own the device!
| kube-system wrote:
| Sure. No matter what your definition of "own" is -- I am
| saying, my car is already the same thing.
|
| The question is, do we have a good solution to enable the
| average user to own their device while also ensuring
| security _and_ availability?
|
| We have two options with cars, either intentionally
| implement a security hole, or let the manufacturer "own"
| it. Because the other option -- tell the customer they're
| SOL when they lose their private key, is not a solution
| that is practical (grandma will lose hers) or possibly
| even legal (manufacturers' obligation under lemon law).
| kelnos wrote:
| That's not what people are talking about, though.
| Certainly people want security features that make it more
| difficult for someone else to steal their car. But those
| features should be under the control of the owner of the
| car, not the manufacturer.
| kube-system wrote:
| It's really hard to do that _and_ make the thing a
| consumer-friendly product. We've been trying to solve
| this problem for most of the history of computers, yet,
| attacking authentication (often indirectly) is still the
| #1 way that computers are compromised.
|
| Most people simply are unable to properly handle private
| keys. All of the systems with the highest levels of
| consumer satisfaction have third parties that manage (or
| at least can override) keys on the user's behalf. Systems
| that do what you're suggesting are notoriously plagued
| with issues surrounding key management to the point where
| they never reach mainstream use. i.e. PGP, bitcoin, etc.
| stjohnswarts wrote:
| I think as long as you're willing to give up your
| warranty on your tractor/car/whatever because you're
| hacking on it with 3rd party tools/firmware you should be
| able to do whatever you want with it. Just remember it's
| a two way street and everything has a price, you will
| have to give up something to get something.
| dalbasal wrote:
| >> There's nothing wrong with the appliance business model
|
| Do you mean that literally? There is daylight between
| "appliances shouldn't exist" and "there's nothing wrong
| with appliances." I mean, I agree that microcontrollers and
| smartphones/PCs are different. There's obviously
| _something_ wrong if problems emerge at some point along a
| scale. There's no real defining line between GPCs and
| microcontrollers.
|
| I also don't think it's a problem if someone somewhere has
| a locked down PC. It is a problem if most people do.
| pdkl95 wrote:
| https://en.wikipedia.org/wiki/Tivoization
|
| So many people complained about not being able to run their
| own firmware on the TiVo that it caused the GPL to be
| updated to version 3.
|
| While Turing machines are universal, there are practical
| limitations of the hardware. A tiny embedded
| microcontroller with _kilobytes_ (or _less_) of memory is
| not an attractive target for customization or repurposing.
| Today it is probably easier/cheaper to simply buy a
| Raspberry Pi or similar.
|
| Also, some companies understand that they are in the
| business of selling _hardware_ and don't particularly care
| what you do with it.
| dalbasal wrote:
| It's useful to see through a principles/fundamentals lens.
| General Purpose Computing that isn't Turing complete, or
| whatnot. Genuinely useful.
|
| But, the "freedom is indivisible" take is not _always_
| useful, particularly not on its own. There are practical
| realities to contend with and the world of appliance-
| computing is big and complicated. A lot of issues relate to
| back competition, or lack thereof, for example.
|
| >> an Internet that transmits any message over any protocol
| between any two points, unless it upsets us?
|
| Look... The problems coming to fruition today have been
| talked about on HN/etc. for decades. They're hitting the
| political stage, and all those discussions have near zero
| impact. The ideas were never translated to general
| consumption form. We always preferred to be right over
| effective.
|
| The average politician has never stopped to think about how
| www, linux, email, gnu, wikipedia and such are possible, what
| that means. If they did, they don't have the vocabulary for
| it. We didn't give it to them. Just let them read "cathedral
| & bazaar" or somesuch. Instead of working we snarked our
| incomprehensible principled platitudes. Worse, we arrogantly
| assumed we'd win anyway. The internet couldn't be locked
| down. A country who tried to make Great Firewall would fail.
| Property rights would be redefined^ because digital copyright
| is impossible and the internet is more important than Beatles
| royalties. How wrong we were. How seldom we remember it.
|
| Classic ideologies like Marx, Rand & such tend to fall into
| this exact arrogant trope. I am so right about everything
| that it's all inevitable. History will conspire. The arrogant
| fools. Us too.
|
| Think of all the pull that Disney, EMI, etc have. Every
| politician can recite the case for copyright verbatim, along
| with the other talking points. Protecting their interests is
| literally one of the main things the US uses its might for.
| It's always a non negotiable demand in trade relations. Every
| politician or hack commentator knows to cite "stealing
| intellectual property" as a complaint against China or
| whatnot. Major digital legislation (eg DMCA) was written by
| and for them, along with other laws.
|
| Conversely, very few politicians or hack commentators could
| articulate a digital freedom case, a case against copyright
| militancy, or a case against software patents. Those that
| can will be freestyling it. No "talking point" sheets. No
| consistency. No real lobby. No solidarity. No effectiveness.
|
| How the f##k do EMI & Disney have much more influence than
| us, or at least Google & such? We are arrogant fools. That's
| how. They're entertainment industries. We're the engine of
| modern economies. DMCA affected the tech business just as
| much as Disney. We even had status quo on our side, so all we
| needed was a hung jury. How did we lose this? It's a joke.
| Like Mike Tyson losing to McBride.
|
| Right to Repair should have been long won. We should be
| battling for OS _mandates_ on the back of it by this point.
|
| So... where are we now? Politicians and journalist-types are
| literally starting to think of regulating social media as a
| "common carrier." Concepts recycled from early 20th century
| Telecom sagas. Not "neutral" carriers. Not "open" networks. No
| "free as in freedom." In fact, it seems like no idea from the
| personal computing age has influenced anything. No one who
| understands FOSS or how the www works is even in the room...
| the room where decentralising an internet-based
| communications network is being strategized. Do we realize
| how big a failure this is?
|
| ^No shade intended. I agreed ATT. I still do in the abstract.
| But, the lack of "what we need to do" was a mistake, IMO.
| History does not drive itself:
| http://www.paulgraham.com/property.html
| Aperocky wrote:
| It's inevitable, given the scale that has to happen before
| ASIC become remotely profitable and how cheap general purpose
| computers are today.
|
| Just buy some cheap SOC from the market and load the
| software, close it in a blackbox and call it a day. It's
| going to be the future now. God forbid they also talk to
| the internet and run an OS version from 2014 and never get
| patched. It's a botnet paradise.
| viro wrote:
| the issue is we as a market expect them to be responsible for
| the security of the OS and its apps. It's very difficult to
| manage security without control.
| kelnos wrote:
| Only from certain perspectives.
|
| If I'm a network engineer at a company, I need full control
| of the network to ensure security. As just a user of that
| network, I would have to understand that I don't have full
| control for security reasons. But it's not _my_ network.
|
| When it comes to consumer devices, there's no reason why
| security requires locked down devices that the so-called
| "owner" of the device can't control. The end-user should
| always be in charge. If the manufacturer chooses to put
| escape hatches in front of features that could lead to
| security compromise, then that's fine. But those escape
| hatches should exist, and I refuse to buy a general-purpose
| computing device that doesn't have them.
|
| The Google vs. Apple argument here is specious; the locked-
| down nature of Apple's devices is not necessary for their
| better (but honestly still not great) security, and the
| less-locked-down nature of Android is not what makes it a
| security minefield.
| leowbattle wrote:
| From the article parent linked: "It doesn't take a science
| fiction writer to understand why regulators might be nervous
| about the user-modifiable firmware on self-driving cars"
|
| It's not just regulators who are nervous! What if someone
| modifies the firmware in their self-driving car and
| introduces a bug that causes the car to crash and kill
| someone?
| adrianN wrote:
| Then presumably we do the same for that as we do for other
| illegal modifications or reckless driving today.
| seany wrote:
| You mean, like people can do on purpose right now?
| ballenf wrote:
| The battle really parallels the larger right to repair
| debate. (Especially if we realize the latter is probably
| better called the right to exercise control over purchased
| goods.)
| oneplane wrote:
| Does it? Everyone is quick to judge but coming up with an
| alternative is hard enough that nobody has done it so far.
|
| With scale comes scaling issues; general purpose computing
| and repairability need a different commercial model that
| doesn't match with the currently used models.
|
| This leaves two avenues:
|
| - Make it worse for everyone but keep it going
|
| - Make it worse for everyone in a different way and keep it
| going
|
| I don't know of a good solution here, but I do know that
| it's a sucky situation and the many "good ideas" to fix it
| aren't actually making it that much better.
|
| Current scenario:
|
| - Manufacturer on the hook for most things but also
| controls most things
|
| - End-users that fall within the 90% bell-curve are fine
|
| - End-users that fall outside of that are royally screwed
| and they don't even know it
|
| - Users that are not end-users are screwed, but they know
| they are
|
| So far all I have seen is:
|
| - Manufacturers still on the hook for everything but they
| get to control less
|
| - Everyone gets a little better but also a little screwed
| now
|
| - The 10% outside of the curve don't get as screwed as they
| did but they still don't really know that they are screwed
|
| - The non-users don't get screwed the way they used to but
| still get screwed
|
| To clarify:
|
| If I were to manufacture something, express what user
| experience comes with my 'thing' and warrant that
| experience to a certain degree, I don't want to be on the
| hook for any service or cost outside of that. The more I
| get to control, the smaller I can make the risk. That means
| I can also plan ahead better and reserve resources, but not
| so much that I don't have resources for something else left
| over.
|
| This also means that if someone wants a different
| experience (i.e. they are not my targeted audience) or if
| someone wants to do something I cannot verify, I really do
| not want to be on the hook for that.
|
| In total that means:
|
| - If what I want and what my customer wants is similar
| enough, we're both happy
|
| - If a small percentage wants something else, I cut my
| losses and simply don't serve their needs as soon as the
| cost of maintaining that deviation is bigger than what I
| would make off of it (short term and long term)
|
| - If someone does something I don't have control over, but
| they do come to me to fix their problem, I don't want to be
| responsible for that, and I don't want to do any research
| on the possibility that something I made happened to break
| at the same time the customer broke something else; I just
| want a blanket "I am the captain of my UX" rule and be done
| with it
|
| Now, I'm not saying this is ideal, or that I am an actual
| manufacturer, or that this is specifically what Google is
| doing (or Apple is doing for that matter), but I am saying
| that you can't have it both ways. Want something cheap and
| abundant? Gotta have scale. Can't have scale if you make a
| bunch of risk, add a lot of differences and support more
| than your middle-of-the-bell-curve. This sucks, but it's
| also not easy as saying "let me do what I want", because
| what happens to you and your device has side-effects, and I
| really don't want to get affected by something someone on
| the mobile network (or wifi network) I'm on did to their
| 'personal' and 'owned' and 'freedom' and 'muh righz'
| device.
|
| Or in a high contrast (black-and-white/good-or-evil) line:
| If you want to be on a shared service, play by the rules or
| get out. (reality isn't that high of a contrast obviously,
| but it drives the point of externalities home a lot
| quicker)
| EvanAnderson wrote:
| If the network can be adversely affected by a "muh righz"
| device then the network's threat model is shoddy. Taking
| away freedom to prop up a badly engineered product isn't
| fixing the bad engineering.
|
| The Internet is a good example. The threat model has been
| far too trusting, historically. We're paying for that in
| a variety of different ways. Burning it all down and
| starting over is impossible, so we're stuck in a mess.
| Maybe we can do better in the future.
| oneplane wrote:
| Indeed. I would perhaps formulate it slightly differently
| but it is what it is.
|
| This is also something that feeds the 'it used to be
| better back in the day' feeling, because some aspects
| might actually have been better because too many possible
| threat actors back then wouldn't take internet seriously
| and as such weren't an actual threat. So it wasn't safer,
| it was just less-attacked. As a result there was less
| pressure to make hardened clients and servers, and as a
| result of that, it meant that things like digital
| signatures were extremely optional (and computationally
| too expensive to include for the sake of it).
|
| On the other hand, it's also the openness that brought
| its success, and may very well cause its downfall. (that
| said, nobody has been able to come up with a worthy
| replacement so far) Having no single owner makes it
| better in that regard, but also worse.
| ShroudedNight wrote:
| Your primary alternative already sounds materially better
| than the 'Current Scenario' you describe:
|
| 1 - I'm not sure I've encountered anybody that
| universally falls within the 90% 'ideal' coverage. The
| more hostile things are to outliers, the more difficult
| everyone's life becomes.
|
| 2 - As far as I can tell, the slack that allows the
| bottom and top vigesimile (? 1/20th) to survive is also
| what allows the flexibility to foster the discovery of
| novel technical and societal configurations that are
| materially better than the status quo. That's how a kid
| from a family of coal miners has a path to making
| significant contributions to NASA.
| oneplane wrote:
| As for point 1: that depends; if your business operates
| on keeping the center of the bell curve happy, and you
| don't like to risk that, then implementing something that
| degrades that doesn't seem like a sound business
| decision. Keep in mind that this is from the 'producer'
| perspective.
|
| As for point 2: that should indeed be how it works, but
| the circumstances have changed, especially for large
| scale general purpose computing, and for various reasons
| and stakeholders as well. This is also the (wrong) fuel
| on the (wrong) fires in the current discussions on
| ownership, repairability and shared systems; it often
| tries to compare the "now" with a chosen "back then", and
| leaves out externalities causing the whole comparison to
| be useless.
|
| For example: it used to be that you could run whatever
| code you wanted and you didn't need anyone's permissions
| and nobody could stop you. Now, at scale, that means
| everyone from teenagers at schools circumventing the
| implementation of a usage policy to state-level actors
| extracting information would run whatever they want. They
| are of course already doing that to some degree, but this
| would be so much bigger and so much easier when you just
| 'run whatever code appears at the JMP', we might as well
| not have an internet.
|
| This, in turn, means that you have to have some form of
| control, and some form of distribution or supply of such
| control as neither the will, nor the skill exists at the
| required scale to have everyone do this individually. How
| does one assert such control? Cryptographically. And now
| you're in PKI hell, or you're in DRM hell with DRM
| servers that go offline and render systems unusable. Oh,
| and you get DMCA and Legal requirements for free too.
|
| It would be amazing if we could figure out a way to
| operate shared systems, and have some form of delegated
| control without having a PKI-like authority as the only
| way to ensure it. But I haven't seen it yet :-(
|
| And this is just one of the many issues.
|
| Take hardware for example; you can do plenty of nefarious
| things with hardware, and the user would never know about
| it. Want to backdoor an audio module so it constantly
| streams what the microphone picks up to an actor of
| choice (a social media company, advertising company, your
| abusive spouse, the government of a state that will hurt
| you on detection of dissent), you can do that and no
| normal user would ever notice. How would you then prevent
| such modification? Well, you could make hardware hard to
| access or hard to modify without visible marks. That's
| one area (slightly) covered, but then there is the
| software, imagine hacking that remotely. So how would you
| do something about that? Perhaps signing the software and
| checking the signature. Bam, back in PKI hell.
|
| And if you were to make hardware hard to access, now you
| have a bad UX when someone comes to your service
| department and gets presented with a huge bill because
| your device had to be rebuilt because your kid put puke
| in the microphone hole. But if you make it unsafe you
| have the other problems again. No winning deal there. Or
| what if you use seals, now you have no idea why the seals
| are broken. Did someone tamper with it? Was it just a
| service call that's not registered in your system because
| it was done elsewhere? Who can you trust? What if you fix
| the reported issue but now something else breaks and you
| don't know if you did it or the previous tech did it?
| Guesses everywhere, everyone is sad, nothing works. yay.
|
| Again, no real solution here. Say you do the (not very
| often implemented) secure boot method where you insert
| your own CA; that's great for yourself, not great for a
| shared system, because now everything else that requires
| you to be securely booted needs to trust that CA too.
| This, however, is an area where you can do a partial fix:
| if you just want local verification and you have the CA
| and CT you can at least know for yourself. But that
| doesn't work at scale. We can't expect billions of people
| to be PKI experts. And we can't expect them to understand
| the ramifications of the lack of verification either.
| (which includes effects on them, but also effects on
| everyone else they are in contact with by proxy) So now
| you still need that 'magic' central authority making a
| policy and a verification for that policy and
| enforcement. PKI hell all over again!
|
| (keep in mind, I don't name PKI hell a hell because PKI
| is bad, I think it's great and I love me some hashing,
| public-key cryptography and root-of-trust chains -- it's
| just that there is no solution right now where you don't
| end up having an authority that can use it for good and
| bad at the same time)
|
| There are a lot of scenarios where we could mitigate
| 'some' of it:
|
| - Authenticated core but leave peripherals alone (your
| mainboard and CPU and AV chain would be on its own, but
| your keyboard can be key logging you as much as you want)
|
| - Unauthenticated mode but no interaction with shared
| systems (would work great for things like farming
| equipment)
|
| - Offline or do-it-yourself mode (again, no interaction,
| but you'd be offline anyway)
|
| But then you're still in the realm of real-world abuse
| (want to know your ex'es password? backdoor the keyboard!
| steal your boss's documents? backdoor the printer!).
|
| I don't know how to fix all of this, but removing all
| forms of authentication and still having shared systems
| isn't the way.
| ShroudedNight wrote:
| > just 'run whatever code appears at the JMP', we might
| as well not have an internet.
|
| I'm old enough to have used the internet with a computer
| running Windows 98SE. As far as I can tell, besides data
| throughput, only webmail, maps, and media streaming have
| gotten materially better since that time, and even those
| peaked in an era when people were still running Windows
| XP SP3.
|
| Despite all this froth about how we need to lock stuff
| down within an inch of its life with manufacturer-
| specified code verification, (North American) banks still
| seem to mostly be using the same terrible authentication
| policies they were 10, even 20 years ago.
|
| The hardware problem isn't new; phone taps have been easy
| to install for decades. The world didn't end, nor did we
| shut down the telephone network.
|
| In re software, we could easily strengthen owner trust in
| systems without having manufacturers ensnare us in
| straitjackets. Trust on first use could allow an
| infrequently-updated chain loader to verify subsequent
| components without depriving the owner of using the
| system as they desire. Hardware tokens, or physical
| buttons with dedicated circuitry could prevent certain
| system functions from being configured / updated without
| direct user intervention. 'Trusted' execution
| environments could be used to run software of particular
| significance to the device owner. We have an enormous
| quantity of tools in our tool box to improve the security
| of systems without relinquishing ultimate control.
|
| Ultimately, though, liberty will always have some
| irreducible risk. It's not obvious to me why we should be
| valuing status-quo business plans to its detriment.
| oneplane wrote:
| The issue is that the users are not capable of overseeing
| the consequences of their actions, and when you function
| in a shared system that is not great. (understatement of
| the year)
|
| Even technically skilled users won't benefit from a
| construction of 'trust on first use', when was the last
| time you verified the host key of a system you SSH'ed
| into for the first time? How do you trust a system purely
| on something like that? And even then, when you got an
| error that the host key no longer matched, did you go on
| a research run to figure out how this might have
| happened, or did you just replace the key in your local
| known hosts cache and go on with your day?
|
| What about websites, do you disable all CA's and just use
| local key pinning on all the websites that you visit?
| This is something you could do right now. But you won't,
| and neither will anyone else because it is far too
| inconvenient. It makes the entire thing useless. And
| every time you send an email, are you going to verify the
| fingerprint of the supplied certificate as well?
|
| While it might not be obvious to you, the feasibility of
| this at scale is something you can figure out by simply
| talking to users, looking at A/B tests, comparative
| research, and looking at the security configuration of
| various users' systems and asking why they might have
| chosen the configuration as it is, and what the impact to
| them, the people they interface with and the internet as
| a whole might be.
|
| wrt phone taps: it's possible and not the point (and not
| useful; the Americans did plenty of local and global taps
| and almost none of the broad taps yielded anything useful
| over 10 years, it was only the highly targeted taps that
| yielded real results). It's also not froth, "locking up
| stuff" and "straitjackets". It's about a hard problem,
| with everybody having an opinion but nobody having a
| solution. And the only thing people seem to want to do in
| such a scenario is apply a scorched earth policy which
| besides the obvious destruction doesn't yield a solution
| either. With the current devices and services there is so
| much personal data, proximity and interaction that the
| value and impact is much higher than your landline at
| home. The point isn't to make it perfect or perfectly
| secure, but to make it hard enough that it isn't an
| attractive broad-spectrum target anymore. Making it
| cryptographically hard to hack into a baseband, a bootrom
| or kernel is a very effective method to make this
| protection a reality, and so far there has not been a
| successful alternative presented by anyone, anywhere.
|
| Ultimate absolute liberty is a fallacy, externalities
| exist, and society doesn't work in anarchy (but doesn't
| flourish in strict hierarchy either). Until you can
| manipulate time and space, and modify matter at a
| subatomic level, you are and will always be dependant on
| externalities, and as such you have to work with those.
| How hard you make it for yourself or others depends on
| the degree of society and civilisation you can live with.
| You don't control the BGP tables on your ISP's routers,
| but that seems to be fine for all the millions of users.
| But all of this is straying away from the topic at hand
| quite significantly.
|
| (Edit;) As to the 'value status-quo business plans': that
| is not something we value, but something the producers of
| some large-scale hardware and software manufacturers
| value. They aren't society's friend, but they do need it
| to buy its products. And if the USP of the product is
| something you want to remove, then the manufacturer is
| probably going to try to prevent that. This would be
| 'fixed' by you getting what you want and they getting
| what they want, but that is not technically feasible (or:
| has not been shown to be technically feasible yet), hence
| the long blocks of text describing that problem.
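
Added example, not part of the thread and not written by any commenter: a minimal Python sketch of the trust-on-first-use verification debated in the two comments above, where a digest mismatch is refused instead of being silently re-pinned, and re-pinning requires an explicit owner-presence signal. The `TofuStore` class, the `owner_present` flag (standing in for a hardware token or physical button) and the sample images are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile


class PinMismatch(Exception):
    """A component's digest differs from the one pinned on first use."""


class TofuStore:
    """Trust-on-first-use pins: component name -> SHA-256 hex digest."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, "r", encoding="utf-8") as fh:
                self.pins = json.load(fh)

    def _save(self):
        # Write to a temp file, then rename, so a crash never leaves a
        # half-written pin file that would look like "no pins yet".
        directory = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=directory)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh, sort_keys=True)
        os.replace(tmp, self.path)

    def verify(self, name, blob):
        """Pin on first sight, accept on match, refuse on mismatch."""
        digest = hashlib.sha256(blob).hexdigest()
        pinned = self.pins.get(name)
        if pinned is None:
            # First use: nothing to compare against, so this is the
            # moment of blind trust the thread argues about.
            self.pins[name] = digest
            self._save()
            return "pinned"
        if hmac.compare_digest(pinned, digest):
            return "ok"
        # Never overwrite the pin here: that would be the "just replace
        # the key in known_hosts" habit described above.
        raise PinMismatch(f"{name}: pinned {pinned[:12]}, got {digest[:12]}")

    def repin(self, name, blob, owner_present):
        """Replace a pin only when the owner has explicitly approved it."""
        if not owner_present:
            raise PermissionError(f"{name}: re-pin needs owner presence")
        digest = hashlib.sha256(blob).hexdigest()
        self.pins[name] = digest
        self._save()
        return digest


def demo():
    """Run the pin lifecycle on constructed images; return the outcomes."""
    v1 = b"constructed stage-2 image, version 1"
    v2 = b"constructed stage-2 image, version 2"
    out = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pins.json")
        store = TofuStore(path)
        out.append(store.verify("stage2", v1))            # first use
        out.append(TofuStore(path).verify("stage2", v1))  # pin survives reload
        try:
            store.verify("stage2", v2)                    # changed image
        except PinMismatch:
            out.append("mismatch")
        try:
            store.repin("stage2", v2, owner_present=False)
        except PermissionError:
            out.append("repin-refused")
        store.repin("stage2", v2, owner_present=True)     # owner approves update
        out.append(store.verify("stage2", v2))
        try:
            store.verify("stage2", v1)                    # rollback to old image
        except PinMismatch:
            out.append("old-image-rejected")
    return out


if __name__ == "__main__":
    print(demo())
```

The sketch does not remove the weakness raised in the reply: the first `verify` call still trusts whatever it is shown, so the scheme is only as good as the conditions of first use.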
| wwarner wrote:
| Agreed. I would feel better about this if I didn't think
| apps and local computing were really important. The
| alternative to phone apps is the web, but the web will
| never be fast (imo) and is simultaneously getting less open
| every day as well.
| bakatubas wrote:
| The web is the way for universal exposure. Regardless of
| speed it's the only standardized, universal and widely
| used interface.
|
| WebAssembly will be the ticket there--once it's developed
| a bit more.
|
| That being said, nothing compares to native. You could
| have shitty hardware by today's standard with amazingly
| performant software if there weren't so many damn layers
| in-between.
|
| People are fickle with hardware though and we devs need
| things to slow down a bit to appreciate the nuances of
| each device!
| MayeulC wrote:
| The right to purchase.
|
| It's become an issue of defining "purchasing". But
| companies don't want us to purchase appliances, they would
| be much happier if we could rent them.
| utexaspunk wrote:
| Gotta get that steady income. We're quickly becoming a
| society split between rentier capitalists and renters
| MayeulC wrote:
| On the other hand, if they expected us to rent phones, I
| imagine they would be a lot sturdier... And probably find
| a second life for them, though that's happening:
| https://arstechnica.com/gadgets/2021/04/samsung-starts-offic...
| ticviking wrote:
| And I would. At much much much lower prices
| throwaway_4747 wrote:
| Soon you will own nothing and be happy! According to the
| great reset and the WEF.
| Loughla wrote:
| I have had my same fridge for 10 years, with no signs of
| failure. Unless the monthly payment was $3.00 or less, I
| would be paying more than I should starting in June.
|
| The rental/do not own anything model is just awful, in my
| opinion.
| sdenton4 wrote:
| For appliances, the vulture capitalists are building
| things to break sooner to get you to buy more often.
| Loughla wrote:
| White goods are relatively easy to repair, though, and
| the parts tend to be relatively easy to find as well.
| brobdingnagians wrote:
| Totally agree. The more time passes, the more I realize
| that I want to own what I have. I've grown more selective
| about what I purchase in general and I've become more
| minimalistic; but if I want to have it at all, then I
| want it to be mine free and clear. Especially when it
| comes to tools, land, and personal items. I want Good
| Quality and paid for with cash.
|
| I tend to use things until they completely wear out, and
| I get really good life out of them. This makes them very
| cheap compared to the usage pattern of upgrading all of
| the time. Renting would be a very expensive lifestyle; and
| my usage pattern is more environmentally friendly to
| boot.
| spicybright wrote:
| Couldn't agree more. Anything you don't own 100% can be
| put in jeopardy totally at random. If it's something
| important that can be incredibly stressful.
| colonelpopcorn wrote:
| I think the trend of soft social credit score via big
| tech makes this an even dicier proposition.
| [deleted]
| zerd wrote:
| Leasing usually isn't cheaper than owning long term
| though. So your total cost will most likely be higher.
| echelon wrote:
| Apple is guilty of this too.
|
| No general computing company should be the single ingress
| point to running on their platform. For platforms with
| significant penetration, this is a market monopoly. [1]
|
| For Apple, it's iOS and, increasingly, MacOS.
|
| For Google, it's Android, and as has become glaringly
| obvious, Chrome. They shouldn't be allowed to run a
| browser.
|
| The DOJ needs to stamp out this anti-competitive, anti-
| consumer behavior.
|
| You can "protect" consumers with a permissions model and
| malware signature warnlist regardless of whether you
| enforce a store. Microsoft does it. Microsoft is the only
| company playing fairly.
|
| ([1] And no, this doesn't apply to game consoles. They're
| toys with lots of alternatives. You don't do business,
| banking, dating, note taking, drawing, stock trading, etc.
| on them.)
| lotsofpulp wrote:
| > You can "protect" consumers with a permissions model
| and malware signature warnlist regardless of whether you
| enforce a store.
|
| I'll believe it when I see an alternative to iOS devices
| that my dad can't get malware on and only need a few
| seconds to fix by uninstalling an app or power cycling
| the device.
| anoncake wrote:
| > You don't do business, banking, dating, note taking,
| drawing, stock trading, etc. on them.)
|
| Because it's artificially made impossible. No computer
| should be artificially restricted - let's not keep any
| loopholes open for no reason.
| ncann wrote:
| Even as a casual Android dev I've noticed it becoming more
| and more restrictive over the years, from restricting apps
| from reading storage, to restricting apps from accessing
| clipboard, to restricting apps from running in background, and a
| ton of other things all in the name of protecting the customer.
| Every time I update to a new phone with a new Android version
| my hobby apps (which only I use, not published anywhere) are
| broken in some ways because of this. The end goal of Android
| seems to be a closed system like iOS and that makes me sad.
| You can make things harder or hard by default but at least
| give the power user some choices damn it.
| lallysingh wrote:
| That's how platforms evolve. First they work to attract
| developers, and later they work to reduce abuse.
| criddell wrote:
| > at least give the power user some choices damn it
|
| At some point it just doesn't make economic sense to do
| that.
| stjohnswarts wrote:
| That's the way only bean counters should think, not
| developers, it should be a problem to solve since it
| helps keep us honest and not just a cog in the system.
| jabroni_salad wrote:
| You can still do things, it's just that now the user has to
| approve it. Maybe a 'let every app have every permission by
| default' checkbox would make you happy but I'm not going to
| advocate for it. And you can still sideload an APK without
| even having to jailbreak the device.
| mattowen_uk wrote:
| Re-read the parent post. They write hobby apps that they
| clearly sideload themselves. They are also right, each
| iteration of the SDK takes away another feature of the
| device the app can access, regardless of whether you ask
| the user, in this instance the author of the app, for
| permission.
|
| The end state is for apps on Android to be either
| pointless fluff that basically do nothing useful, or mega
| apps written by big corps where the rules don't apply.
| Hobbyist coders are not wanted, or accommodated.
| ncann wrote:
| Exactly. To give an example, I have a dictionary app that
| I wrote to facilitate my French learning that runs in the
| background and automatically looks up words copied to the
| clipboard (e.g. from Play Books or Chrome) and brings up
| the definition. Starting with Android 10 or so they
| disabled clipboard listener for apps in the background so
| the whole functionality is toasted. There is no
| permission to enable this "clipboard listener in
| background"
| austincheney wrote:
| Weak.
|
| The console tab of Chrome's developer tools allows arbitrary
| code execution. That example is not a security violation, ergo
| arbitrary code execution is potentially but not necessarily a
| security violation.
|
| A valid remediation requires more than just _arbitrary code
| execution_, such as privilege escalation or leaking
| containment.
| yjftsjthsd-h wrote:
| Given the issues that termux has hit, they're certainly moving
| that way.
|
| https://github.com/termux/termux-packages/wiki/Termux-and-An...
| pjmlp wrote:
| Only because Termux developers refuse to use Java APIs and
| don't accept Android isn't a POSIX clone.
| higerordermap wrote:
| Chill dude. How do I run gcc in java beanshell?
| pjmlp wrote:
| https://play.google.com/store/apps/details?id=com.aide.ui
| nulld3v wrote:
| Can you elaborate on how this link is relevant?
| yjftsjthsd-h wrote:
| Android certainly has an acceptable POSIX component when
| it's not artificially broken.
| nromiun wrote:
| Yep, Termux is the most used app on my phone and I don't know
| what I will do when they have to migrate to SDK 29. I will
| probably buy another phone and install LineageOS.
| negativegate wrote:
| This is the first I've heard of Termux and now I'm curious
| what you use it for. Like are you SSHing into other
| environments?
| nromiun wrote:
| https://www.passwordstore.org
|
| Here is a popular CLI app to manage passwords. I use it
| on my desktop, laptop and phone.
| terseus wrote:
| You don't need Termux for that, there are native clients
| for Android, I use this one:
| https://play.google.com/store/apps/details?id=dev.msfjarvis....
| donio wrote:
| For me ssh to access my main Emacs session is a big part
| of it but I also run some shell scripts and CLI tools and
| services written in Go. ssh-ing back into the phone for
| file transfer is another important use.
| dheera wrote:
| SSH, and also when you're on the road and want to write a
| simple Python script to process something, or do
| something with your sensor data logging. Termux has a
| Python API to access sensor data, it has numpy, it has
| requests, so you can do a lot.
| diogenesjunior wrote:
| >I don't know what I will do
|
| >I will probably buy another phone and install LineageOS
| nromiun wrote:
| It was just a figure of speech and if you know how Termux
| works even a rooted phone is no alternative. (Termux
| exposes Android APIs, like camera and GPS.)
| femiagbabiaka wrote:
| Curious, is the Librem 5 an alternative you would consider?
| nromiun wrote:
| Sure, it is a good alternative. But I still need a phone
| to do some work, like Whatsapp and banking apps (which I
| don't think Librem supports). So I am waiting for it to
| become stable and a little mature.
| femiagbabiaka wrote:
| Makes sense!
| edrxty wrote:
| Does LineageOS provide a workaround for this?
| nromiun wrote:
| Unfortunately there is no good alternative to Termux (its
| Android API). But with a rooted phone you can use chroot
| to install a Linux distribution. LineageOS is just a
| popular ROM for rooted phones.
| edrxty wrote:
| I run lineage but I don't typically use my terminal on my
| phone unless I'm using it for SSH. I hadn't thought of the
| chroot angle though. That's rather interesting...
| donio wrote:
| Once there is no way to run Termux that will be the end of
| the line for me and I've been on the Android train since the
| G1 days. I am ok with installing it from F-Droid or adb as
| long as it remains runnable. (I guess I am in the bargaining
| phase)
|
| I don't think that I am ok with not being able to easily run
| my own executables since I rely on running a few Go utilities
| in the Termux CLI.
| yjftsjthsd-h wrote:
| I'm personally planning to replace termux with a full
| chroot; my phone is rooted, so all I need is an app to give
| me the actual terminal emulator and I'm good. This would be
| fine for running the odd Go utility, but is likely to be
| insufficient if you're doing anything with the actual
| Android API (which termux has been great at). And of
| course, in the long term this is just another reason for me
| to hope the pinephone gets to prod-ready ASAP:)
| suifbwish wrote:
| I am curious what root kit you use for rooting your
| droid? I've always been hesitant to trust 3rd party kits
| like that.
| yjftsjthsd-h wrote:
| I use magisk; it's open source and reputable.
| rhinoceraptor wrote:
| Arbitrary code isn't banned on iOS, there isn't anything (yet)
| that can create fully fledged apps like Droidscript, but a few
| cool apps are:
|
| - iSH: an Alpine Linux shell environment, powered by an x86 to
| ARM JIT emulator
|
| - Scriptable: an iOS automation tool using Javascript, it can
| even integrate with native iOS APIs like photos and calendars,
| create native UIs, etc.
|
| - Pythonista: a Python IDE, you can create 2D games, use it as
| a REPL, integrate with native APIs, and much more
|
| And of course, there are the 1st party apps, Playgrounds and
| Shortcuts.
| glsdfgkjsklfj wrote:
| > Arbitrary code isn't banned on iOS
|
| It is.
|
| Even Mozilla Firefox is banned on the premise that it can run
| arbitrary code and yes, that is the official Apple instance.
|
| The fact that they apply it when they see fit and allow other
| times, and that it is totally _arbitrary and opaque based on
| their own private interests_, is exactly what everyone with
| common sense tried to explain when criticizing the walled
| garden.
| rhinoceraptor wrote:
| Firefox isn't banned, Gecko and SpiderMonkey are. For a few
| reasons, Apple doesn't want Blink/V8 demolishing users'
| batteries, and they have the excuse that allowing 3rd party
| browser engines is a security risk.
| mrtranscendence wrote:
| My understanding is that what's banned on iOS is not
| arbitrary code per se, it's arbitrary code downloaded from
| the internet. Code you enter yourself, like in Pythonista,
| is just fine.
| tomp wrote:
| Isn't the problem JITing? Mozilla could ship Firefox,
| even with the JS engine, it would simply be unusable
| (compared to Safari) because they wouldn't be allowed to
| run JIT (only interpreter).
| lurkerasdfh8 wrote:
| Really? Are you going to defend that point as not
| arbitrary?
|
| If you want to split hairs, where would you draw the line?
| Should pythonista go out of the way to prevent copy paste
| from the browser/email?
|
| Or should Apple, being non-arbitrary, also block Adobe
| PDF reader since it can open PDFs from the web with
| javascript just like a browser would do?
| danShumway wrote:
| > it's arbitrary code downloaded from the internet
|
| That's a huge caveat though.
|
| How far does that restriction extend? Can I share or
| import Pythonista projects from other people?
|
| What's the difference between interpreting a file I
| downloaded from the Internet and visiting a website?
| caleb-allen wrote:
| I believe Pythonista is interpreted, not compiled, and
| outside of Apple's Swift app you are not able to run
| compiled code
| Oddskar wrote:
| Firefox is in the AppStore.
| kmeisthax wrote:
| This is actually worse than the full iOS route, because Apple
| is likely to at least listen to appeals and implement bright-
| line rules between "things the app does" and "things users do".
| They ultimately _do_ want to have developer tools on the App
| Store and are willing to accommodate them to a point. Even the
| "no competing browser engine" thing has a technical
| explanation: Apple wants to be able to update that part of your
| app without you being involved.
|
| Google just doesn't care about what your app does until they
| start seeing click fraud, upon which they ban your app, delete
| your Gmail, and ghost you. They've even done this to paying
| GSuite customers, game studios they were working on, and their
| own employees' spouses. As far as I can tell, antispam is at
| the top of the org chart and can overrule all other layers of
| management. I would never trust Google with anything I can't
| backup or migrate to another service.
| clownpenis_fart wrote:
| Classifying javascript code execution as malware makes sense
| Decabytes wrote:
| I feel like we see these stories more and more often. Where an
| App is removed from an App store for nebulous reasons. I feel for
| the developers. This is their livelihood.
|
| I would also like to stress that this is why we should give more
| effort to alternative platforms, even if they are "worse than the
| current offerings". For example I don't see people jumping ship
| off of YouTube and managing their own PeerTube instances anytime
| soon, but it is sooo important that something like that exists,
| and it should be looked at by people making content on YouTube
| more seriously.
| tobyjsullivan wrote:
| I have no prior knowledge of Droidscript or even Android
| development. I did, however, manage to find this page
| https://symdstools.github.io/Docs/docs/app/CreateAdView.htm
|
| This presents a component which Droidscript developers can use to
| display AdMob ads in their apps. AdMob appears to be a Google
| property.
|
| Some interesting quotes:
|
| > The AdView shows advertisement banners from the popular AdMob
| platform.
|
| > Ads are not touchable when running in the DroidScript IDE.
|
| So there's a confirmed experience where actual ads are displayed
| in a non-standard way? Any guesses if this violates Google's ad
| fraud policy?
|
| > Warning: Don't repeatedly click on your own ads unless you are
| using a valid testId, or Google may suspend your Admob account!
|
| So it's the responsibility of individual users to correctly
| configure their ads to avoid committing click fraud (accidental
| or otherwise).
|
| I can see how Google might come to the conclusion that
| Droidscript has built a platform for committing click fraud,
| whether that's their intention or not.
|
| This seems incongruent with the wording in the original post:
|
| > they ask you for a "complete analysis of your traffic or other
| reasons that may have led to invalid activity in your appeal".
| Well, we had no idea what could have caused this and couldn't
| think of anything we could do
|
| Really? No idea?
|
| Edit to add: I get that there's a larger debate here around the
| general fight over device ownership and access to general purpose
| computing. I'm side-stepping that because I don't have much to
| add. What I do believe is that this particular piece is hardly
| concrete enough to bolster the case against Google.
| EricE wrote:
| Neither Google nor Apple have demonstrated they deserve continued
| trust to be the sole gatekeepers of their respective platforms :(
| Zillion wrote:
| I can think of at least two other apps that do this--which I
| won't name in case Google is watching. Not to mention Termux,
| which I can't live without. Why is Droidscript being singled out?
|
| Off topic: I won't be buying a new phone for a looong time so I
| can keep Termux's functionality.
| freeFromGoog wrote:
| This thread got me to try fdroid and bromite.
|
| Highly recommend.
|
| I'm ready for the detachment from Google. This is why I got an
| Android.
| luismedinautah wrote:
| Test1
___________________________________________________________________
(page generated 2021-04-27 23:00 UTC)